Clarity SAML 2.0 Configuration with ADFS
Article ID: 222189

Products

Clarity PPM On Premise

Issue/Introduction

How to configure the Clarity SAML 2.0 solution with ADFS?

Environment

Release : 15.9.2, 15.9.3, 16.0.0, 16.0.1, 16.1.0

Component : CLARITY SECURITY INTEGRATION

Cause

Configuration issue due to defect DE61113 (fixed in 16.1.1)

Resolution

  • Log in to Clarity with administration rights.
  • Navigate from Classic UX --> Administration --> General Settings --> System Options.
  • Check the Enable SAML Authentication option under the Other section.

  • Navigate to Clarity Modern UX --> Administration --> Authentication & Keys --> SAML Configuration.
  • Use the Import option to load the metadata provided by ADFS, and provide the Configuration Identifier and Configuration Name.

Note:

    • Clarity's SAML libraries require both a NameID and a Login attribute in the SAML Response from the IDP.
    • The NameID Policy that Clarity sends in the SAML Request is usually urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, so the email address coming from ADFS must match the email address in Clarity.
    • Clarity SAML needs a claim named Login whose value matches the username in Clarity.
  • Connect to the database, execute the SQL update below and commit.

UPDATE
 ODF_MULTI_VALUED_LOOKUPS
SET
 value = 'urn:federation:authentication:windows',
 DWH_VALUE = 'urn:federation:authentication:windows'
WHERE
 ATTRIBUTE = 'sec_req_auth_context';

Note: If this is not done, the following error appears in the app-ca log:

ERROR 2021-08-19 03:47:45,105 [https-jsse-nio2-8443-exec-7] filter.SAMLFilter (clarity:unknown:x__x-x-x-x-x:saml.filter) Error occurred authenticating with SAMLFilter
java.lang.RuntimeException: Unauthenticated SAML response received: The status code of the Response was not Success, was urn:oasis:names:tc:SAML:2.0:status:Responder

  • Update the settings in Clarity System Administrator (CSA) by following these steps:
    • Log in to the Clarity System Administrator using the following link. The default login URL for CSA on servers running Apache Tomcat is: http://<hostname>:<port>/niku/nu

Note: If you have multiple servers in a load-balanced setup, update the http/https Entry URL to match your load balancer URL, but the /niku/nu endpoint must still be protected.

    • Select the relevant server.
    • Navigate to the Application tab and select the Use Single Sign-On check box in the Application Instance: app section.
    • Save your changes.
    • Navigate to the Security tab and set the Token Type field to Header. Also update the Logout URL and Authentication URL.
    • Save your changes.
    • Restart the Clarity services.
  • Now try logging in using the http/https URL specified in CSA; the application should authenticate using SSO.

Additional Information

Note: 

  • If the Logout URL is set both in CSA and in the SAML Configuration attribute IDP Single Logout, the SAML Configuration IDP Single Logout value is used as the Logout URL.
  • SAML needs end-to-end encryption if you are using SSL. SSL offloading is not supported.
  • The metadata may contain certificates for encryption as well as certificates for signing. The SAML metadata import appears to pick the first X509 certificate it encounters and store it in the CMN_SEC_CERTS table for that SAML configuration. This is not always the correct certificate, especially when the IDP signs the SAML response and the Clarity SAML libraries need to verify the signature.

The error below can then be seen in the app-ca log:

ERROR 2021-05-25 17:24:22,103 [http-nio-14001-exec-1] filter.SAMLFilter (clarity:admin:-1:none) Error occured while creating session for user  null Reason: Unauthenticated SAML response received:Signature validation failed. SAML Response rejected

This is tracked as defect DE61113. The workaround is to update the CERT_VALUE column of table CMN_SEC_CERTS with the correct certificate directly in the database. The correct certificate is found in the IDP metadata file under the tag <KeyDescriptor use="signing">; use that certificate to update table CMN_SEC_CERTS, because Clarity uses the signing certificate to validate the SAML response.


UPDATE CMN_SEC_CERTS
SET CERT_VALUE = '$CERTIFICATE VALUE FROM METADATA'
WHERE ID = '$CERTIFICATE ID OF TABLE CMN_SEC_CERTS';

  • When configuring with ADFS, the error "No name id found in Document" is sometimes seen; it is caused by the Name ID attribute not being sent in the claims. To resolve this, add the value for Name ID in the claims section of ADFS.
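To locate the right certificate for the CMN_SEC_CERTS workaround described above, here is an added example (not Broadcom's code, and not how the Clarity import is implemented) that parses IDP metadata and contrasts the first certificate in the file with the certificate(s) under KeyDescriptor use="signing". The metadata, entity ID and certificate bodies are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Namespaces of SAML 2.0 metadata and XML Signature.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample IdP metadata (not real ADFS output, placeholder certificate bodies).
# The encryption key comes first, the order that trips a take-the-first-cert import.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>
          MIIConstructedEncryptionCertificate==
        </X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>
          MIIConstructedSigningCertificate==
        </X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

def _cert_body(elem):
    """Base64 body of an X509Certificate element, line breaks and spaces removed."""
    return "".join((elem.text or "").split())

def first_certificate(metadata_xml):
    """What the article says the import does: take the first X509Certificate found."""
    elem = ET.fromstring(metadata_xml).find(".//ds:X509Certificate", NS)
    return None if elem is None else _cert_body(elem)

def signing_certificates(metadata_xml):
    """Certificates that may sign the IdP Response: KeyDescriptor use="signing",
    plus descriptors with no use attribute (valid for both uses per the spec)."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use")
        if use is not None and use != "signing":
            continue  # encryption-only key: not what CERT_VALUE needs
        certs.extend(_cert_body(c) for c in kd.findall(".//ds:X509Certificate", NS))
    return certs
```

Run signing_certificates() against the real ADFS FederationMetadata.xml and compare the result with the CERT_VALUE currently stored for the configuration before applying the UPDATE.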