LDAP user pushed to SAML authentication in DX NetOps CA Performance Management (CAPM)
Article ID: 212972

Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

When Performance Management is integrated with both SAML2 and LDAP at the same time, there may be a need to give the LDAP users the link for "local" authentication.

Setting this up appears to work at first sight:

  • SAML users can log in and browse

  • Local users (like admin) can log in and browse

  • LDAP users can log in

However, the LDAP users cannot browse around. Any click in the PC UI redirects them to the SAML user authentication portal.

The PCService_request.log shows a 302 (redirect) when the user clicks a link (here, drilling down from the "home" dashboard to an inventory item):

<IP> - - [12/Apr/2021:14:22:12 +0000] "POST /pc/desktop/pagedata?pg=2000000&pi=1 HTTP/1.1" 200 3854  "JSESSIONID=node01xxxxxxxxxxxxxxxgsx8xz6v183.node0;CADefaultCookie=7fLY_Er8Nv_728okA08jxxxxxxxxxxxxxxxxxxxxxxxPX4_6Uc4MS2fbvyelCr" 5
<IP> - - [12/Apr/2021:14:22:13 +0000] "GET /pc/css/CA-Blue/images/iconLoading.gif HTTP/1.1" 200 6243  "JSESSIONID=node01xxxxxxxxxxxxxxxgsx8xz6v183.node0;CADefaultCookie=7fLY_Er8Nv_728okA08jxxxxxxxxxxxxxxxxxxxxxxxxxxRz6HTz0GFCw9q4wT" 1
<IP> - - [12/Apr/2021:14:22:15 +0000] "GET /pc/desktop/page?pg=sg&GroupID=1413 HTTP/1.1" 302 0  "JSESSIONID=node01xxxxxxxxxxxxxxxgsx8xz6v183.node0;CADefaultCookie=7fLY_Er8Nv_728okA08jxxxxxxxxxxxxxxxxxxxxxxxxxxRz6HTz0GFCw9q4wT" 2


The SSOService.log shows this warning message:

INFO  | qtp1866734216-21         | 2021-04-12 10:19:21,385 | org.apache.cxf.service.factory.ReflectionServiceFactoryBean      
      | Creating Service {http://netqos.com/SingleSignOnWS}SingleSignOnWSSoapService from class com.netqos.singlesignonws.SingleSignOnWSSoap
WARN  | qtp1866734216-21         | 2021-04-12 10:19:21,423 | org.opensaml.saml.common.binding.SAMLBindingSupport              
      | Relay state exceeds 80 bytes: SsoProductCode=pc&SsoRedirectUrl=https://<hostName>:8182/pc/desktop/page?pg=sg&GroupID=1413
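The two log excerpts above together form the signature of this problem: a request that already carries JSESSIONID and CADefaultCookie gets a 302 on a page navigation, and SSOService.log logs a SAML relay-state warning whose SsoRedirectUrl is that same page (the warning itself comes from the 80-byte RelayState limit in the SAML 2.0 bindings specification and is a symptom of the redirect, not its cause). The following Python script is an added example, not code from the article or from the product: it parses both log layouts shown above and pairs each authenticated 302 with its matching warning. The IP addresses, session ids, cookie values and the hostname capm.example.test in the embedded sample lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in the PCService_request.log layout shown in the
# article. IPs, session ids and cookie values are placeholders, not real data.
PCSERVICE_REQUEST_LOG = """\
10.0.0.5 - - [12/Apr/2021:14:22:12 +0000] "POST /pc/desktop/pagedata?pg=2000000&pi=1 HTTP/1.1" 200 3854  "JSESSIONID=node01abc.node0;CADefaultCookie=AAAA" 5
10.0.0.5 - - [12/Apr/2021:14:22:13 +0000] "GET /pc/css/CA-Blue/images/iconLoading.gif HTTP/1.1" 200 6243  "JSESSIONID=node01abc.node0;CADefaultCookie=BBBB" 1
10.0.0.5 - - [12/Apr/2021:14:22:15 +0000] "GET /pc/desktop/page?pg=sg&GroupID=1413 HTTP/1.1" 302 0  "JSESSIONID=node01abc.node0;CADefaultCookie=BBBB" 2
10.0.0.7 - - [12/Apr/2021:14:30:01 +0000] "GET /pc/desktop/page?pg=home HTTP/1.1" 302 0  "-" 1
"""

# Constructed SSOService.log excerpt in the wrapped two-line layout shown in
# the article (capm.example.test is a placeholder hostname).
SSOSERVICE_LOG = """\
INFO  | qtp1866734216-21         | 2021-04-12 10:19:21,385 | org.apache.cxf.service.factory.ReflectionServiceFactoryBean
      | Creating Service {http://netqos.com/SingleSignOnWS}SingleSignOnWSSoapService from class com.netqos.singlesignonws.SingleSignOnWSSoap
WARN  | qtp1866734216-21         | 2021-04-12 10:19:21,423 | org.opensaml.saml.common.binding.SAMLBindingSupport
      | Relay state exceeds 80 bytes: SsoProductCode=pc&SsoRedirectUrl=https://capm.example.test:8182/pc/desktop/page?pg=sg&GroupID=1413
"""

# One access-log line: ip, two dashes, [timestamp], "METHOD target PROTO",
# status, size, then the cookie string in quotes.
REQUEST_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+\s+'
    r'"(?P<cookies>[^"]*)"'
)
RELAY_STATE = re.compile(r'Relay state exceeds 80 bytes: (?P<relay>\S+)')


def find_session_redirects(request_log):
    """Return 302 responses on /pc/desktop/page requests that already carry a
    JSESSIONID and a CADefaultCookie, i.e. an authenticated user being bounced
    while navigating, rather than an anonymous user being sent to log in."""
    hits = []
    for line in request_log.splitlines():
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        cookies = m.group("cookies")
        if (m.group("status") == "302"
                and m.group("target").startswith("/pc/desktop/page")
                and "JSESSIONID=" in cookies
                and "CADefaultCookie=" in cookies):
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "target": m.group("target")})
    return hits


def find_relay_state_warnings(sso_log):
    """Extract the SsoRedirectUrl from each 'Relay state exceeds 80 bytes'
    warning, together with the relay state's actual length in bytes."""
    warnings = []
    for line in sso_log.splitlines():
        m = RELAY_STATE.search(line)
        if not m:
            continue
        relay = m.group("relay")
        url = relay.split("SsoRedirectUrl=", 1)[1] if "SsoRedirectUrl=" in relay else ""
        warnings.append({"redirect_url": url,
                         "relay_state_bytes": len(relay.encode("utf-8"))})
    return warnings


def correlate(request_log, sso_log):
    """Pair each authenticated 302 with a warning whose SsoRedirectUrl has the
    same path and query; each pair is one occurrence of the symptom above."""
    redirects = find_session_redirects(request_log)
    warnings = find_relay_state_warnings(sso_log)
    matches = []
    for r in redirects:
        for w in warnings:
            parts = urlsplit(w["redirect_url"])
            if parts.path + "?" + parts.query == r["target"]:
                matches.append({"target": r["target"], "ip": r["ip"],
                                "relay_state_bytes": w["relay_state_bytes"]})
    return matches


if __name__ == "__main__":
    for m in correlate(PCSERVICE_REQUEST_LOG, SSOSERVICE_LOG):
        print(f"{m['ip']} bounced to SAML on {m['target']} "
              f"(relay state {m['relay_state_bytes']} bytes)")
```

The fourth sample request line (a 302 with no cookies) is deliberately ignored: an anonymous user being redirected to log in is normal, and only redirects for sessions that already hold CADefaultCookie point at the re-authentication behaviour described under Cause. Run it against the real logs by replacing the two constructed strings with the file contents.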

Environment

All supported DX NetOps Performance Management releases 20.2 or later

Cause

With SAML2 Re-auth enabled in SsoConfig, after X minutes, if the user is logged in and External, Portal tries to re-authenticate them against SAML so that their SAML cookies are updated. Normally, since Portal just uses CADefaultCookie until it times out, it sends the user to the logout page.

The login token stored in CADefaultCookie carries no information about whether the user was authenticated by LDAP or by SAML. So if SAML2 is on, Portal treats all External users as SAML users for re-authentication.

Resolution

Disable SAML2 re-auth using the SsoConfig utility as follows:

/opt/CA/PerformanceCenter]# ./SsoConfig
Single Sign-On Configuration Tool
Enter q to quit the program or b to go back to previous menu

SSO Configuration:
1. DX NetOps
Choose an option > 1

SSO Configuration/DX NetOps:
1. LDAP Authentication
2. SAML2 Authentication
3. Performance Center
4. Single Sign-On
5. Test LDAP
6. Export SAML2 Service Provider Metadata
7. Enable FIPS
8. Performance Center Local Password Authentication
9. Enable or Disable a user account.
Choose an option > 2

SSO Configuration/DX NetOps/SAML2 Authentication:
SAML2 Authentication Enabled: Disabled
Clone Default User Accounts:
Signatures and Encryption Enabled for Communications: Disabled
SAML2 Auto-Reauthentication Enabled: Disabled
SAML2 Auto-Reauthentication Time Period: 0

1. Remote Value
2. Local Override
Choose an option > 1

SSO Configuration/DX NetOps/SAML2 Authentication/Remote Value:
1. SAML2 Authentication Enabled:
2. Clone Default User Accounts:
3. Signatures and Encryption Enabled for Communications:
4. SAML2 Auto-Reauthentication Enabled:
5. SAML2 Auto-Reauthentication Time Period:
Select a Property > 4

Property: SAML2 Auto-Reauthentication Enabled (Remote Value)
Value:
Example: Enabled
Description: This parameter specifies whether passive SAML 2.0 reauthentication is enabled. Users are automatically reauthenticated when the timeout expires. They are not required to log in again, as long as the session persists.
Enter r to reset the value, u to update to new value > u
Enter \q to quit or \b to go back to previous menu
Valid values:
0.  Disabled
1.  Enabled
Choose an option > 0

Additional Information

Further detail on the SsoConfig utility and its usage is available in our TechDocs:

TechDocs : DX NetOps CAPM 22.2 : Configure the Basic Security Settings Using the SSO Configuration Tool