LDAP user pushed to SAML authentication

Article ID: 212972

Products

CA Performance Management - Usage and Administration

Issue/Introduction

We are integrating Performance Management with both SAML2 and LDAP at the same time. The only trick is to give the LDAP users the link for "local" authentication.

We've set this up at CBT and it *seems* ok at first sight:

- SAML users can log in and browse

- Local users (like admin) can log in and browse

- LDAP users can log in - HOWEVER, they cannot browse around. Any click on the PC UI redirects them to the SAML user authentication portal.

The PCService_request.log shows a 302 (redirect) when we click the link (to drill down from the "home" dashboard to an inventory item):

161.155.196.77 - - [12/Apr/2021:14:22:12 +0000] "POST /pc/desktop/pagedata?pg=2000000&pi=1 HTTP/1.1" 200 3854  "JSESSIONID=node01o4wocm9b8grng702gsx8xz6v183.node0;CADefaultCookie=7fLY_Er8Nv_728okA08jt7MY4IyvPdgyjWebF6rcQqxatPX4_6Uc4MS2fbvyelCr" 5
161.155.196.77 - - [12/Apr/2021:14:22:13 +0000] "GET /pc/css/CA-Blue/images/iconLoading.gif HTTP/1.1" 200 6243  "JSESSIONID=node01o4wocm9b8grng702gsx8xz6v183.node0;CADefaultCookie=7fLY_Er8Nv_728okA08jt7MY4IyvPdgyXPyUIgPWg1eFyeOKRz6HTz0GFCw9q4wT" 1
161.155.196.77 - - [12/Apr/2021:14:22:15 +0000] "GET /pc/desktop/page?pg=sg&GroupID=1413 HTTP/1.1" 302 0  "JSESSIONID=node01o4wocm9b8grng702gsx8xz6v183.node0;CADefaultCookie=7fLY_Er8Nv_728okA08jt7MY4IyvPdgyXPyUIgPWg1eFyeOKRz6HTz0GFCw9q4wT" 2

The SSOService.log shows this warning message:

INFO  | qtp1866734216-21         | 2021-04-12 10:19:21,385 | org.apache.cxf.service.factory.ReflectionServiceFactoryBean      
      | Creating Service {http://netqos.com/SingleSignOnWS}SingleSignOnWSSoapService from class com.netqos.singlesignonws.SingleSignOnWSSoap
WARN  | qtp1866734216-21         | 2021-04-12 10:19:21,423 | org.opensaml.saml.common.binding.SAMLBindingSupport              
      | Relay state exceeds 80 bytes: SsoProductCode=pc&SsoRedirectUrl=https://statlab.cbtops.net:8182/pc/desktop/page?pg=sg&GroupID=1413

Cause

When SAML2 auto-reauthentication is enabled in SsoConfig, after the configured number of minutes any logged-in user whose account is External is re-authenticated against SAML so that their SAML cookies are refreshed. Without re-authentication, Performance Center simply relies on CADefaultCookie until it times out and then sends the user to the logout page.

The login token stored in CADefaultCookie carries no indication of whether an External user authenticated through LDAP or SAML. So when SAML2 is enabled, every External user is treated as a SAML user for re-authentication, which is why LDAP users are redirected to the SAML portal on their next click.
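As an added example (not part of the article or the product), a small Python script that scans PCService_request.log and SSOService.log for this symptom: a session that was served a 200 on a /pc/desktop/ page and is then answered with a 302, paired with the over-long RelayState whose SsoRedirectUrl is that same page. The sample lines are constructed from the article's excerpts; the hostname, session and cookie values are made up.

```python
import re
from urllib.parse import urlparse
# Constructed sample lines modelled on the article's log excerpts; host, session and cookie values are made up.
REQUEST_LOG = """\
161.155.196.77 - - [12/Apr/2021:14:22:12 +0000] "POST /pc/desktop/pagedata?pg=2000000&pi=1 HTTP/1.1" 200 3854  "JSESSIONID=node01abc.node0;CADefaultCookie=AAAA" 5
161.155.196.77 - - [12/Apr/2021:14:22:13 +0000] "GET /pc/css/CA-Blue/images/iconLoading.gif HTTP/1.1" 200 6243  "JSESSIONID=node01abc.node0;CADefaultCookie=BBBB" 1
161.155.196.77 - - [12/Apr/2021:14:22:15 +0000] "GET /pc/desktop/page?pg=sg&GroupID=1413 HTTP/1.1" 302 0  "JSESSIONID=node01abc.node0;CADefaultCookie=BBBB" 2
"""
SSO_LOG = """\
WARN  | qtp1866734216-21 | 2021-04-12 10:19:21,423 | org.opensaml.saml.common.binding.SAMLBindingSupport | Relay state exceeds 80 bytes: SsoProductCode=pc&SsoRedirectUrl=https://pc.example.net:8182/pc/desktop/page?pg=sg&GroupID=1413
"""
LINE_RE = re.compile(r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                     r'(?P<status>\d{3}) \d+\s+"(?P<cookies>[^"]*)"')
RELAY_RE = re.compile(r"Relay state exceeds 80 bytes: (?P<relay>\S+)")
def parse_request_log(text):
    # One dict per request line; 'session' is the JSESSIONID pulled out of the cookie field.
    rows = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        row = m.groupdict()
        cookies = dict(kv.split("=", 1) for kv in row["cookies"].split(";") if "=" in kv)
        row["session"] = cookies.get("JSESSIONID")
        rows.append(row)
    return rows

def find_mid_session_redirects(rows):
    # A session that got a 200 on a /pc/desktop/ page and later a 302 on another one matches the symptom.
    established, hits = set(), []
    for r in (r for r in rows if r["path"].startswith("/pc/desktop/")):
        if r["status"] == "200":
            established.add(r["session"])
        elif r["status"] == "302" and r["session"] in established:
            hits.append((r["session"], r["ts"], r["path"]))
    return hits

def relay_state_targets(text):
    # The URL inside RelayState is not percent-encoded, so parse_qs would split on its own '&GroupID=...'.
    out = []
    for m in RELAY_RE.finditer(text):
        relay = m.group("relay")
        out.append({"url": relay.partition("&SsoRedirectUrl=")[2], "bytes": len(relay.encode())})
    return out

def correlate(rows, sso_text):
    # Pair each mid-session 302 with the RelayState whose redirect target is that same page.
    hits, pairs = find_mid_session_redirects(rows), []
    for t in relay_state_targets(sso_text):
        u = urlparse(t["url"])
        target = u.path + ("?" + u.query if u.query else "")
        pairs += [(s, target, t["bytes"]) for s, _, p in hits if p == target]
    return pairs
```

A non-empty result from correlate() on real logs means an established session was bounced into the SAML flow mid-browse; once auto-reauthentication is disabled as described in the Resolution, these pairs should stop appearing.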

Environment

Release : 20.2, 3.7.x

Component : CA Performance Center

Resolution

Disable SAML2 auto-reauthentication in SsoConfig (the transcript below shows the menu path; the option is a Remote Value under SAML2 Authentication):

cd /opt/CA/PerformanceCenter
./SsoConfig
Single Sign-On Configuration Tool
Enter q to quit the program or b to go back to previous menu

SSO Configuration:
1. DX NetOps
Choose an option > 1

SSO Configuration/DX NetOps:
1. LDAP Authentication
2. SAML2 Authentication
3. Performance Center
4. Single Sign-On
5. Test LDAP
6. Export SAML2 Service Provider Metadata
7. Enable FIPS
8. Performance Center Local Password Authentication
9. Enable or Disable a user account.
Choose an option > 2

SSO Configuration/DX NetOps/SAML2 Authentication:
SAML2 Authentication Enabled: Disabled
Clone Default User Accounts:
Signatures and Encryption Enabled for Communications: Disabled
SAML2 Auto-Reauthentication Enabled: Disabled
SAML2 Auto-Reauthentication Time Period: 0

1. Remote Value
2. Local Override
Choose an option > 1

SSO Configuration/DX NetOps/SAML2 Authentication/Remote Value:
1. SAML2 Authentication Enabled:
2. Clone Default User Accounts:
3. Signatures and Encryption Enabled for Communications:
4. SAML2 Auto-Reauthentication Enabled:
5. SAML2 Auto-Reauthentication Time Period:
Select a Property > 4

Property: SAML2 Auto-Reauthentication Enabled (Remote Value)
Value:
Example: Enabled
Description: This parameter specifies whether passive SAML 2.0 reauthentication is enabled. Users are automatically reauthenticated when the timeout expires. They are not required to log in again, as long as the session persists.
Enter r to reset the value, u to update to new value > u
Enter \q to quit or \b to go back to previous menu
Valid values:
0.  Disabled
1.  Enabled
Choose an option > 0