SAML Authorization Failure



Article ID: 213912


Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

What logic does Introscope use to match the user group returned in the SAML response against the group definitions in MOM_INSTALL_HOME/config/domains.xml?

Will it match group names that begin with special characters such as "\" or "#"?

 

The APM WebView UI displays the following error message in the web browser: Error occurred during the authorization process. User __MyUserID__ cannot access any domains. Configure the access rules first.

Content of domains.xml:

<grant group="\#MYGROUP Introscope View" permission="read"/>
<grant group="\\#MYGROUP Introscope View" permission="read"/>
<grant group="\\\#MYGROUP Introscope View" permission="read"/>

Message in WebView log:

[INFO] [WebView] SAML user: '__MyUserID__' attributes : {groups=[\#MYGROUP Introscope View]}
[ERROR] [WebView] SAML AutoLogin failed for user __MyUserID__ with Error authenticating SAML user __MyUserID__ in realm SAML Realm: User cannot access any domains. Configure the access rules first.
com.wily.introscope.spec.server.user.LoginFailedException: Error authenticating SAML user __MyUserID__ in realm SAML Realm: User cannot access any domains. Configure the access rules first.
        at com.wily.introscope.server.beans.session.SessionBean.authenticateSamlUser(SessionBean.java:450)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at com.wily.isengard.messageprimitives.MethodCallUtilities.callInterface(MethodCallUtilities.java:75)
        at com.wily.isengard.messageprimitives.MethodCallUtilities.callInterface(MethodCallUtilities.java:29)
        at com.wily.isengard.messageprimitives.service.MessageService.attemptMethodCall(MessageService.java:183)
        at com.wily.isengard.messageprimitives.service.MessageService.handleMethodCallMessage(MessageService.java:135)
        at com.wily.isengard.messageprimitives.service.MessageService.receiveMessage(MessageService.java:161)
        at com.wily.isengard.postoffice.Mailbox.handleMessage(Mailbox.java:252)
        at com.wily.isengard.postoffice.PostOffice.deliverInternal(PostOffice.java:532)
        at com.wily.isengard.postoffice.PostOffice.access$2(PostOffice.java:478)
        at com.wily.isengard.postoffice.PostOffice$DeliveryItem.run(PostOffice.java:886)
        at com.wily.EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:728)
        at java.lang.Thread.run(Thread.java:745)

Note that the AD group name returned in the SAML response carries a "\#" prefix.

Environment

Release : 10.7.0

Component : APM Agents

Resolution

We found that the problem was caused by a configuration issue. The property

introscope.saml.groupsAttributeName=memberOf

 

should have been:

introscope.saml.groupsAttributeName=groups

 

We had asked the IdP to change the attribute name in the SAML assertion, and then forgot to go back and remove "memberOf" from the Introscope property. Because WebView was reading the group list from an attribute that the assertion no longer carried, no grant in domains.xml could match, and the user was denied access to every domain.
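As an added illustration (this is not Introscope's code), the following Python models the lookup described above: the group list is read from the attribute named by introscope.saml.groupsAttributeName and compared with the grant entries in domains.xml. It assumes an exact string comparison of group names, which the article does not state, and the domain structure around the grant elements is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed fragment of domains.xml carrying the three grant lines from the
# article. The enclosing domain elements are assumed; only <grant> matters here.
DOMAINS_XML = r"""<domains>
  <SuperDomain>
    <grant group="\#MYGROUP Introscope View" permission="read"/>
    <grant group="\\#MYGROUP Introscope View" permission="read"/>
    <grant group="\\\#MYGROUP Introscope View" permission="read"/>
  </SuperDomain>
</domains>"""

# Constructed SAML attribute map, shaped like the WebView log line: the group
# name arrives under the attribute "groups" and keeps its literal "\#" prefix.
SAML_ATTRIBUTES = {"groups": [r"\#MYGROUP Introscope View"]}


def load_grants(xml_text):
    """Return (group, permission) pairs for every <grant> in domains.xml."""
    root = ET.fromstring(xml_text)
    return [(g.get("group"), g.get("permission")) for g in root.iter("grant")]


def resolve_permissions(saml_attributes, groups_attribute_name, grants):
    """Permissions granted via the groups listed under the configured attribute.
    Assumption: group strings are compared literally, so backslashes are not
    unescaped on either side."""
    user_groups = set(saml_attributes.get(groups_attribute_name, []))
    return {perm for group, perm in grants if group in user_groups}


def authorize(user_id, saml_attributes, groups_attribute_name, grants):
    """Reproduce the failure mode from the log: no matching grant at all yields
    the 'cannot access any domains' condition."""
    perms = resolve_permissions(saml_attributes, groups_attribute_name, grants)
    if not perms:
        return (False, f"User {user_id} cannot access any domains. "
                       "Configure the access rules first.")
    return (True, f"User {user_id} granted: {sorted(perms)}")


if __name__ == "__main__":
    grants = load_grants(DOMAINS_XML)
    # Stale property value: the assertion carries no "memberOf" attribute.
    print(authorize("__MyUserID__", SAML_ATTRIBUTES, "memberOf", grants))
    # Corrected property value from the resolution.
    print(authorize("__MyUserID__", SAML_ATTRIBUTES, "groups", grants))
```

The first call reproduces the denial seen in the WebView log; the second succeeds because the attribute name now matches what the IdP sends.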