Getting Error while Enabling SAML
Article ID: 193937

Products

CA Application Performance Management Agent (APM / Wily / Introscope), CA Application Performance Management (APM / Wily / Introscope), INTROSCOPE, DX Application Performance Management

Issue/Introduction

Team,

Currently we have CA APM 10.7.0 SP 3 in our environment and are using LDAP for authentication. We followed https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/application-performance-management/10-8/administrating/apm-security/securing-introscope/securing-introscope-using-saml-2-0.html to enable SAML 2.0 for authentication.

We already have <realm active="true" id="LDAP" descriptor="LDAP Realm"> in realms.xml and have now added the line <realm descriptor="SAML Realm" id="SAML Realm" active="true" />, so our new realms.xml looks like:

    <realm active="true" id="LDAP" descriptor="LDAP Realm">
    <realm descriptor="SAML Realm" id="SAML Realm" active="true" />

When we restart the EM server after this change, we get the error below in the logs:

The EM failed to start. XML Error Configuring User Management Service: cvc-complex-type.2.4.a: Invalid content was found starting with element 'realm'. One of '{property}' is expected.

Please help us in enabling SAML for our authentication. 

Environment

Release : 10.7.0

Component : APM Agents

Resolution

Your realms.xml file is misconfigured. XML files are parsed from top to bottom. Lines 3 and 4 of the file (shown below) are syntactically correct, BUT they are in the wrong order. In the BEFORE snippet, the property groupMemberQuery is part of the LDAP Realm, not the SAML Realm. Even though you have the LDAP Realm set to active="false", the parser reads groupMemberQuery as belonging to the SAML Realm, and so parsing fails.

All you need to do is swap lines 3 and 4 with each other. BEFORE is what you currently have configured; AFTER is what it should look like. Save the file, exit, and then restart the EM.

BEFORE:

    <realm active="false" id="LDAP" descriptor="LDAP Realm">
    <realm descriptor="SAML Realm" id="SAML Realm" active="true" />
        <property name="groupMemberQuery">

AFTER:

    <realm descriptor="SAML Realm" id="SAML Realm" active="true" />

    <realm active="false" id="LDAP" descriptor="LDAP Realm">
        <property name="groupMemberQuery">
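As an added pre-flight check (not code from the article or from Broadcom), the Python script below parses a realms.xml document and flags any realm whose children are not property elements, which is what the schema error quoted above complains about. It assumes a <realms> root element and uses constructed samples that mirror the BEFORE and AFTER fragments, with closing tags and a placeholder property value added so they parse as complete documents.

```python
"""Check realms.xml ordering before restarting the EM (added example)."""
import xml.etree.ElementTree as ET


def local_name(tag):
    # Reduce a namespaced tag such as '{http://...}realm' to 'realm'.
    return tag.rsplit('}', 1)[-1]


def check_realms(xml_text):
    """Return a list of problems; an empty list means the ordering is valid."""
    root = ET.fromstring(xml_text)
    problems = []
    for realm in root.iter():
        if local_name(realm.tag) != 'realm':
            continue
        rid = realm.get('id', '<no id>')
        # A self-closing <realm .../> placed between another realm's opening
        # tag and its <property> children becomes a nested child of that realm.
        for child in realm:
            name = local_name(child.tag)
            if name != 'property':
                problems.append(
                    f"realm '{rid}': invalid content starting with element "
                    f"'{name}'; only 'property' is allowed here")
    return problems


# Constructed samples (closing tags and a placeholder query value added).
BEFORE = """<realms>
  <realm active="false" id="LDAP" descriptor="LDAP Realm">
  <realm descriptor="SAML Realm" id="SAML Realm" active="true" />
    <property name="groupMemberQuery">(member={0})</property>
  </realm>
</realms>"""

AFTER = """<realms>
  <realm descriptor="SAML Realm" id="SAML Realm" active="true" />
  <realm active="false" id="LDAP" descriptor="LDAP Realm">
    <property name="groupMemberQuery">(member={0})</property>
  </realm>
</realms>"""

if __name__ == "__main__":
    for label, doc in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(label, check_realms(doc) or "OK")
```

Run it against the real realms.xml by reading the file into check_realms; a non-empty result means the EM will reject the file with the same cvc-complex-type error.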