When integrating Performance Management with both SAML2 and LDAP at the same time, there may be a need to give the LDAP users the link for "local" authentication.
Setting this up appears to work at first sight:
However, the LDAP users cannot browse around. Any click in the PC UI redirects them to the SAML user authentication portal.
The PCService_request.log shows a 302 (redirect) when the user clicks the link (to drill down from the "home" dashboard to an inventory item):
<IP> - - [12/Apr/2021:14:22:12 +0000] "POST /pc/desktop/pagedata?pg=2000000&pi=1 HTTP/1.1" 200 3854 "JSESSIONID=node01xxxxxxxxxxxxxxxgsx8xz6v183.node0;CADefaultCookie=7fLY_Er8Nv_728okA08jxxxxxxxxxxxxxxxxxxxxxxxPX4_6Uc4MS2fbvyelCr" 5
<IP> - - [12/Apr/2021:14:22:13 +0000] "GET /pc/css/CA-Blue/images/iconLoading.gif HTTP/1.1" 200 6243 "JSESSIONID=node01xxxxxxxxxxxxxxxgsx8xz6v183.node0;CADefaultCookie=7fLY_Er8Nv_728okA08jxxxxxxxxxxxxxxxxxxxxxxxxxxRz6HTz0GFCw9q4wT" 1
<IP> - - [12/Apr/2021:14:22:15 +0000] "GET /pc/desktop/page?pg=sg&GroupID=1413 HTTP/1.1" 302 0 "JSESSIONID=node01xxxxxxxxxxxxxxxgsx8xz6v183.node0;CADefaultCookie=7fLY_Er8Nv_728okA08jxxxxxxxxxxxxxxxxxxxxxxxxxxRz6HTz0GFCw9q4wT" 2
The SSOService.log shows this warning message:
INFO | qtp1866734216-21 | 2021-04-12 10:19:21,385 | org.apache.cxf.service.factory.ReflectionServiceFactoryBean | Creating Service {http://netqos.com/SingleSignOnWS}SingleSignOnWSSoapService from class com.netqos.singlesignonws.SingleSignOnWSSoap
WARN | qtp1866734216-21 | 2021-04-12 10:19:21,423 | org.opensaml.saml.common.binding.SAMLBindingSupport | Relay state exceeds 80 bytes: SsoProductCode=pc&SsoRedirectUrl=https://<hostName>:8182/pc/desktop/page?pg=sg&GroupID=1413
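As an added example (not part of this article or of the product), the following Python script reproduces the two observations above on constructed log lines. It parses lines in the PCService_request.log layout and reports sessions that already held a CADefaultCookie login token yet were answered with a 302 on a /pc/desktop/page request, which is the symptom of an authenticated LDAP user being bounced to SAML. It also rebuilds the RelayState string the Portal sends (SsoProductCode=...&SsoRedirectUrl=..., in the form shown in the SSOService.log line) and measures it against the 80-byte limit that the SAML 2.0 Bindings specification sets and that OpenSAML warns about; the article does not identify that warning as the cause, so treat it as a separate finding. IPs, hostnames, session IDs and cookie values in the sample are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the PCService_request.log format
# (placeholder IPs, session IDs and cookie values; not real data).
REQUEST_LOG = """\
10.0.0.5 - - [12/Apr/2021:14:22:12 +0000] "POST /pc/desktop/pagedata?pg=2000000&pi=1 HTTP/1.1" 200 3854 "JSESSIONID=node01abc.node0;CADefaultCookie=tokenA" 5
10.0.0.5 - - [12/Apr/2021:14:22:13 +0000] "GET /pc/css/CA-Blue/images/iconLoading.gif HTTP/1.1" 200 6243 "JSESSIONID=node01abc.node0;CADefaultCookie=tokenA" 1
10.0.0.5 - - [12/Apr/2021:14:22:15 +0000] "GET /pc/desktop/page?pg=sg&GroupID=1413 HTTP/1.1" 302 0 "JSESSIONID=node01abc.node0;CADefaultCookie=tokenA" 2
10.0.0.9 - - [12/Apr/2021:14:30:01 +0000] "GET /pc/desktop/page?pg=home HTTP/1.1" 200 9120 "JSESSIONID=node01def.node0;CADefaultCookie=tokenB" 3
"""

# <ip> - - [<timestamp>] "<method> <path> <proto>" <status> <bytes> "<cookies>" <ms>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<cookies>[^"]*)" (?P<ms>\d+)$'
)

# SAML 2.0 Bindings, section 3.1.1: RelayState MUST NOT exceed 80 bytes.
SAML_RELAYSTATE_LIMIT = 80


def parse_request_log(text):
    """Parse request-log lines into dicts; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        cookies = dict(c.split("=", 1) for c in e["cookies"].split(";") if "=" in c)
        e["session"] = cookies.get("JSESSIONID")
        # CADefaultCookie holds the Portal login token; its presence means the
        # browser already completed a login (LDAP or SAML, the token does not say which).
        e["has_login_token"] = "CADefaultCookie" in cookies
        entries.append(e)
    return entries


def find_bounced_sessions(entries):
    """Map session -> path for sessions that served a 200 while holding a login token
    and were later redirected (302) on a /pc/desktop/page request."""
    seen_ok = defaultdict(bool)
    bounced = {}
    for e in entries:
        if e["has_login_token"] and e["status"] == 200:
            seen_ok[e["session"]] = True
        if (e["path"].startswith("/pc/desktop/page?")
                and e["status"] == 302
                and seen_ok[e["session"]]):
            bounced[e["session"]] = e["path"]
    return bounced


def relay_state_for(host, port, path, product="pc"):
    """Rebuild the RelayState in the form the SSOService.log warning shows
    (hypothetical helper; the Portal's own construction is not published)."""
    return f"SsoProductCode={product}&SsoRedirectUrl=https://{host}:{port}{path}"


def relay_state_too_long(relay_state):
    """True when the RelayState exceeds the 80-byte limit of the SAML 2.0 bindings."""
    return len(relay_state.encode("utf-8")) > SAML_RELAYSTATE_LIMIT


if __name__ == "__main__":
    for session, path in find_bounced_sessions(parse_request_log(REQUEST_LOG)).items():
        print(f"session {session}: logged-in user redirected on {path}")
    rs = relay_state_for("pchost.example.com", 8182, "/pc/desktop/page?pg=sg&GroupID=1413")
    print(f"RelayState is {len(rs)} bytes, over limit: {relay_state_too_long(rs)}")
```

Run it against the real PCService_request.log by replacing REQUEST_LOG with the file contents; a session listed by find_bounced_sessions is one where a user with a valid Portal login token was still redirected, which is the pattern this article describes.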
All supported DX NetOps Performance Management releases 20.2 or later
With SAML2 Auto-Reauthentication enabled in SsoConfig, once the configured Auto-Reauthentication Time Period expires, the Portal tries to re-authenticate every logged-in External user against SAML so that their SAML cookies are refreshed. Normally, because the Portal simply uses CADefaultCookie until it times out, this sends the user to the logout page.
The login token stored in CADefaultCookie carries no indication of whether the user authenticated via LDAP or via SAML. So when SAML2 is on, the Portal treats all External users, including those who logged in through LDAP, as SAML users for re-authentication.
Disable SAML2 auto-reauthentication using the SsoConfig utility as follows:
/opt/CA/PerformanceCenter]# ./SsoConfig
Single Sign-On Configuration Tool
Enter q to quit the program or b to go back to previous menu
SSO Configuration:
1. DX NetOps
Choose an option > 1
SSO Configuration/DX NetOps:
1. LDAP Authentication
2. SAML2 Authentication
3. Performance Center
4. Single Sign-On
5. Test LDAP
6. Export SAML2 Service Provider Metadata
7. Enable FIPS
8. Performance Center Local Password Authentication
9. Enable or Disable a user account.
Choose an option > 2
SSO Configuration/DX NetOps/SAML2 Authentication:
SAML2 Authentication Enabled: Disabled
Clone Default User Accounts:
Signatures and Encryption Enabled for Communications: Disabled
SAML2 Auto-Reauthentication Enabled: Disabled
SAML2 Auto-Reauthentication Time Period: 0
1. Remote Value
2. Local Override
Choose an option > 1
SSO Configuration/DX NetOps/SAML2 Authentication/Remote Value:
1. SAML2 Authentication Enabled:
2. Clone Default User Accounts:
3. Signatures and Encryption Enabled for Communications:
4. SAML2 Auto-Reauthentication Enabled:
5. SAML2 Auto-Reauthentication Time Period:
Select a Property > 4
Property: SAML2 Auto-Reauthentication Enabled (Remote Value)
Value:
Example: Enabled
Description: This parameter specifies whether passive SAML 2.0 reauthentication is enabled. Users are automatically reauthenticated when the timeout expires. They are not required to log in again, as long as the session persists.
Enter r to reset the value, u to update to new value > u
Enter \q to quit or \b to go back to previous menu
Valid values:
0. Disabled
1. Enabled
Choose an option > 0
Further detail on the SsoConfig utility and usage is available in our TechDocs: