Symantec DLP SAML authentication fails



Article ID: 205291


Products

Data Loss Prevention Enforce

Issue/Introduction

We are trying to implement SAML authentication in our environment, but it is failing for users.

In the Tomcat localhost log we encountered this error message:

21 Sep 2020 12:50:36,770- Thread: 124 WARNING [com.vontu.login.spring.VontuSAMLUserDetailsService] Authentication failed: SAML IDP user id '[email protected]' is not found in Enforce
21 Sep 2020 12:50:36,786- Authentication request failed: org.springframework.security.core.userdetails.UsernameNotFoundException: User lookup failed

In the Enforce console we checked the user account and found that the Single Sign On Mapping section was blank.

Environment

Release : 15.7 and later.

Component : Enforce authentication

Cause

A syntax error in the springSecurityContext.xml file can cause this issue.

Resolution

In this particular instance, the springSecurityContext.xml file had been configured with a capital 'N' instead of a lower-case 'n' in nameID, which caused the mapping to fail.

For example, here is the incorrect configuration:

and here is the correct configuration:

Once the syntax has been corrected, restart the Symantec DLP Manager service and verify that the user's account now shows the user's email under SAML Single Sign On Mapping -> User Email:

Then test the SAML authentication to confirm that it works as expected.
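As an added check (example code, not part of this article or the product), the lint below catches both faults the article names: a springSecurityContext.xml that does not parse at all, and a nameID token written in the wrong case. The element and attribute layout in the sample is constructed for illustration and is not the real Symantec template; only the whole-word, case-sensitive comparison is the point.

```python
"""Lint a Spring Security context file for a syntax error or a wrongly cased nameID token."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the bean/property names are stand-ins, not the real template.
BROKEN_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<beans>
  <bean id="samlUserMapping">
    <property name="userIdAttribute" value="NameID"/>
  </bean>
</beans>
"""
FIXED_SAMPLE = BROKEN_SAMPLE.replace('value="NameID"', 'value="nameID"')

EXPECTED = "nameID"
# Whole-word, case-insensitive match; lookarounds skip legitimate SAML strings
# such as "nameid-format:..." and "NameIDPolicy", which are not the mapping token.
TOKEN = re.compile(r"(?<![\w-])" + re.escape(EXPECTED) + r"(?![\w-])", re.IGNORECASE)


def lint_context(xml_text):
    """Return a list of findings; an empty list means no problem was detected."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Malformed XML is the "syntax error" case; nothing else can be checked.
        return [f"XML syntax error: {exc}"]

    findings = []
    for elem in root.iter():
        # Look at every attribute value and any non-blank element text.
        candidates = list(elem.attrib.items())
        if elem.text and elem.text.strip():
            candidates.append(("text", elem.text.strip()))
        for where, value in candidates:
            for match in TOKEN.finditer(value):
                if match.group(0) != EXPECTED:
                    findings.append(
                        f"{elem.tag}@{where}: '{match.group(0)}' should be '{EXPECTED}'"
                    )
    return findings


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN_SAMPLE), ("fixed", FIXED_SAMPLE)):
        print(label, lint_context(sample) or "OK")
```

To check a deployed file, read it from the WEB-INF path given below and pass its contents to lint_context.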

Additional Information

We can also use the default template (springSecurityContext-SAML) from this location:

C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\tomcat\webapps\ProtectManager\security\template

  • Starting from this template avoids damage from unknown edits to the existing file.
  • Edit the template for SAML authentication as required.
  • Rename the file to springSecurityContext.xml.
  • Place it at C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\tomcat\webapps\ProtectManager\WEB-INF
  • Restart the DLP Manager service.