Symantec DLP SAML authentication fails

Article ID: 205291


Products

Data Loss Prevention Enforce

Issue/Introduction

You are trying to implement SAML authentication in your environment, but authentication fails for users.

The Tomcat localhost log has this error message:

21 Sep 2020 12:50:36,770- Thread: 124 WARNING [com.vontu.login.spring.VontuSAMLUserDetailsService] Authentication failed: SAML IDP user id 'xxxxxx' is not found in Enforce
21 Sep 2020 12:50:36,786- Authentication request failed: org.springframework.security.core.userdetails.UsernameNotFoundException: User lookup failed

In the "Enforce Console > System > Login Management > DLP Users > Configure DLP User" page, the Single Sign On Mapping field for the user is blank.

Environment

Component: Enforce authentication

Cause

A syntax error in the springSecurityContext.xml file can cause this issue.

Resolution

The problem in this particular instance was that, when configuring the springSecurityContext.xml file, a capital ‘N’ was used instead of a lowercase ‘n’ in the nameID property name. Property names are case-sensitive, so the mapping failed.

For example here is the incorrect configuration: 

And here is the correct configuration: 

Once the syntax has been corrected, restart the Symantec DLP Manager service and verify that the user's account now shows the user's email address in the SAML Single Sign On Mapping -> User Email field:

Also ensure that only one method for SAML user mapping/lookup is used. The default template springSecurityContext.xml states the following:
"User accounts are mapped by either NameID or user attributes returned from IDP"

Only one of the following sections should remain active, the other should be commented out:

1:
    <bean class="com.symantec.dlp.login.spring.SymantecSAMLUserDetailsService" id="userLookupService">
        <property name="userAttributes">
            <set>
                <value>UserName</value>
                <value>EmailAddress</value>
                <value>EmployeeID</value>
            </set>
        </property>
    </bean>

2:
    <property name="nameID" value="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />


Example - commenting out userAttributes:
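As an added check (not part of the original article and not Symantec's own tooling), the following Python script parses a springSecurityContext.xml and reports the two problems discussed above: a mis-cased property name such as NameID, and both mapping methods left active at the same time. It assumes the bean id userLookupService and the property names nameID and userAttributes shown above; the sample configurations embedded in it are constructed for illustration, not copied from the DLP template.

```python
"""Check the SAML user-lookup bean in a DLP springSecurityContext.xml.

Added example, not Symantec's code. Assumes the bean id "userLookupService"
and the property names "nameID" / "userAttributes" shown in the article.
"""
import sys
import xml.etree.ElementTree as ET

BEAN_ID = "userLookupService"
MAPPING_PROPERTIES = ("nameID", "userAttributes")


def _local(tag: str) -> str:
    """Strip a namespace prefix: '{uri}bean' -> 'bean'."""
    return tag.rsplit("}", 1)[-1]


def check_user_lookup(xml_text: str) -> list[str]:
    """Return the problems found in the userLookupService bean ([] if none)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Tomcat will not load the security context at all if the XML is malformed.
        return [f"XML syntax error: {exc}"]

    beans = [b for b in root.iter() if _local(b.tag) == "bean" and b.get("id") == BEAN_ID]
    if len(beans) != 1:
        return [f"expected exactly one bean with id='{BEAN_ID}', found {len(beans)}"]

    # The parser drops XML comments, so a commented-out <property> is not counted as active.
    active = [p.get("name", "") for p in beans[0] if _local(p.tag) == "property"]

    problems = []
    for name in active:
        if name in MAPPING_PROPERTIES:
            continue
        # Spring property names are case-sensitive: "NameID" is not "nameID".
        hint = next((f" (case-sensitive; did you mean '{m}'?)" for m in MAPPING_PROPERTIES
                     if m.lower() == name.lower()), "")
        problems.append(f"unrecognised property '{name}'{hint}")

    mapping = [n for n in active if n in MAPPING_PROPERTIES]
    if not mapping:
        problems.append("no active user-mapping method (nameID or userAttributes)")
    elif len(mapping) > 1:
        problems.append(f"both mapping methods active: {mapping}; comment one out")
    return problems


# Constructed sample configurations for illustration (not the real DLP template).
CORRECT = """<beans>
  <bean class="com.symantec.dlp.login.spring.SymantecSAMLUserDetailsService" id="userLookupService">
    <!-- User accounts are mapped by either NameID or user attributes returned from IDP -->
    <property name="nameID" value="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
    <!--
    <property name="userAttributes">
      <set><value>UserName</value><value>EmailAddress</value><value>EmployeeID</value></set>
    </property>
    -->
  </bean>
</beans>"""

# Same file with the capital-N mistake from the article.
WRONG_CASE = CORRECT.replace('name="nameID"', 'name="NameID"')

# Same file with the userAttributes section left uncommented as well.
BOTH_ACTIVE = CORRECT.replace("<!--\n    <property", "<property").replace("</property>\n    -->", "</property>")

if __name__ == "__main__":
    samples = {"correct": CORRECT, "wrong case": WRONG_CASE, "both active": BOTH_ACTIVE}
    if len(sys.argv) > 1:  # optionally check a real file instead of the built-in samples
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = {sys.argv[1]: fh.read()}
    for label, text in samples.items():
        print(f"{label}: {check_user_lookup(text) or 'OK'}")
```

Run it with the path to the WEB-INF copy of springSecurityContext.xml before restarting the DLP Manager service. Because the XML parser discards comments, a section wrapped in <!-- --> is correctly treated as inactive, which is exactly the state the article asks for on whichever mapping method is not in use.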


Additional Information

We can also use the default template (springSecurityContext-SAML) from this location:

<install drive>:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\tomcat\webapps\ProtectManager\security\template

  • Starting from this file ensures that no earlier, unknown edits are carried over.
  • Edit this template for SAML authentication as required.
  • Rename the file to springSecurityContext.xml.
  • Place it at <install drive>:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\tomcat\webapps\ProtectManager\WEB-INF
  • Restart the DLP Manager service.