Symantec DLP SAML authentication fails
Article ID: 205291

Products

Data Loss Prevention Enforce

Issue/Introduction

You are implementing SAML authentication in your environment, but authentication fails for users.

The Tomcat localhost log has this error message:

21 Sep 2020 12:50:36,770- Thread: 124 WARNING [com.vontu.login.spring.VontuSAMLUserDetailsService] Authentication failed: SAML IDP user id 'xxxxxx' is not found in Enforce
21 Sep 2020 12:50:36,786- Authentication request failed: org.springframework.security.core.userdetails.UsernameNotFoundException: User lookup failed

On the "Enforce Console > System > Login Management > DLP Users > Configure DLP User" page, the Single Sign On Mapping field for the user is blank.

Environment

Release: 15.7 and later. 

Component: Enforce authentication

Cause

A syntax error in the springSecurityContext.xml file can cause this issue.

Resolution

In this particular instance, the springSecurityContext.xml file had been edited with a capital 'N' instead of a lowercase 'n' in nameID. XML element and attribute names are case-sensitive, so the user-ID mapping silently failed.

For example, the incorrect configuration spelled the value as NameID (shown as a screenshot in the original article), and the correct configuration spells it nameID.

Once the syntax has been corrected, restart the Symantec DLP Manager service and verify that the user's account now shows the user's email address in the SAML Single Sign On Mapping -> User Email field.

Additional Information

You can also start from the default template (springSecurityContext-SAML) in this location:

<install drive>:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\tomcat\webapps\ProtectManager\security\template

  • Starting from this file ensures that no unknown editing damage is carried over from a previously modified copy.
  • Edit the template for SAML authentication as required.
  • Rename the file to springSecurityContext.xml.
  • Place it at <install drive>:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\tomcat\webapps\ProtectManager\WEB-INF.
  • Restart the DLP Manager service.
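Both the resolution above (a single wrong-case letter in nameID breaking the mapping) and the template procedure end with restarting the DLP Manager service, so it is worth checking the edited file before that restart. The following script is an added example, not Symantec's code and not part of the original article. It assumes only that springSecurityContext.xml is well-formed XML and that the user-ID mapping refers to the token nameID in an attribute or text node; the sample fragments and the bean and class names in them are constructed for illustration and do not reproduce the real template's layout.

```python
"""Pre-restart sanity check for an edited springSecurityContext.xml.

Added example (not Symantec's code). Two checks are performed:
  1. the document parses, i.e. no XML syntax error such as an unclosed tag;
  2. every case-insensitive occurrence of 'nameID' in an attribute name,
     attribute value or text node is spelled exactly 'nameID'.
"""
import re
import xml.etree.ElementTree as ET

EXPECTED = "nameID"                      # the spelling the article says is correct
TOKEN_RE = re.compile(re.escape(EXPECTED), re.IGNORECASE)


def _scan(where: str, s: str) -> list[str]:
    """Return one finding per occurrence of the token with the wrong casing."""
    return [
        f"{where}: found '{m.group(0)}', expected '{EXPECTED}'"
        for m in TOKEN_RE.finditer(s)
        if m.group(0) != EXPECTED
    ]


def check_config(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means the file passed both checks."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A malformed file never gets as far as the case check.
        return [f"XML syntax error: {exc}"]

    findings: list[str] = []
    for elem in root.iter():
        for name, value in elem.attrib.items():
            findings += _scan(f"<{elem.tag}> attribute name", name)
            findings += _scan(f"<{elem.tag}> attribute {name} value", value)
        if elem.text:
            findings += _scan(f"<{elem.tag}> text", elem.text)
    return findings


# Constructed sample fragments (hypothetical bean and class names, not the
# real Symantec template). BROKEN_CASE mimics the article's mistake (capital
# 'N'), FIXED is the corrected spelling, UNCLOSED has an XML syntax error.
BROKEN_CASE = """<beans>
  <bean id="samlUserDetailsService" class="example.HypotheticalUserDetailsService">
    <property name="userIdAttribute" value="NameID"/>
  </bean>
</beans>"""

FIXED = BROKEN_CASE.replace('value="NameID"', 'value="nameID"')

UNCLOSED = """<beans>
  <bean id="samlUserDetailsService" class="example.HypotheticalUserDetailsService">
    <property name="userIdAttribute" value="nameID">
  </bean>
</beans>"""


if __name__ == "__main__":
    for label, doc in (("broken case", BROKEN_CASE),
                       ("fixed", FIXED),
                       ("unclosed tag", UNCLOSED)):
        print(f"{label}: {check_config(doc) or 'OK'}")
```

To run it against a real file, pass the file contents to check_config, for example `check_config(open(path, encoding="utf-8").read())` with path set to the WEB-INF copy named above. The parser only catches XML-level syntax errors; it does not validate Spring bean semantics, so a file that passes can still be misconfigured, but the two failure modes this article describes (a malformed file and a wrong-case nameID) are both reported before the service is restarted.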