
Clarity SAML 2.0 Configuration with ADFS


Article ID: 222189




Clarity PPM On Premise


How to configure Clarity SAML 2.0 solution with ADFS?


Configuration issue due to defect DE61113 


Release : 15.9.2, 15.9.3 



  • Log in to Clarity with administration rights
  • Navigate from Classic UX --> Administration --> General Settings --> System Options
  • Check Enable SAML Authentication under the Other section

  • Navigate to Clarity Modern UX --> Administration --> Authentication & Keys --> SAML Configuration
  • Use Import to load the metadata provided by ADFS, supplying a Configuration Identifier and a Configuration Name


    • Clarity's SAML libraries require both a NameID and a Login attribute in the SAML Response from the IDP.
    • The NameID Policy that Clarity sends in the SAML Request is usually urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, so the email address that ADFS places in the NameID must match the user's email address in Clarity.
    • Clarity also needs a claim named Login whose value matches the user's username in Clarity.
  • Connect to the database, run the UPDATE below against the SAML configuration (it sets the sec_req_auth_context attribute to the ADFS Windows authentication context; the UPDATE ... SET header with the table name is not reproduced in this article), and commit

 value = 'urn:federation:authentication:windows',
 DWH_VALUE = 'urn:federation:authentication:windows'
 WHERE ATTRIBUTE = 'sec_req_auth_context';

Note: If this is not done, the error below appears in the app-ca log. A status of urn:oasis:names:tc:SAML:2.0:status:Responder means ADFS rejected the AuthnRequest itself (here because it cannot satisfy the authentication context Clarity asked for), not that the user's credentials were wrong:

ERROR 2021-08-19 03:47:45,105 [https-jsse-nio2-8443-exec-7] filter.SAMLFilter (clarity:unknown:182198972__C260D3CA-D676-462D-B018-159C66A044A2:saml.filter) Error occurred authenticating with SAMLFilter
java.lang.RuntimeException: Unauthenticated SAML response received: The status code of the Response was not Success, was urn:oasis:names:tc:SAML:2.0:status:Responder

  • Update the settings in the Clarity System Administrator (CSA) as follows
    • Log in to the Clarity System Administrator. The default login URL for CSA on servers running Apache Tomcat is http://<hostname>:<port>/niku/nu

Note: If you have multiple servers behind a load balancer, set the http/https Entry URL to the load balancer's URL, keeping /niku/nu as the protected entry point.

    • Select the relevant server
    • Navigate to the Application tab and select the Use Single Sign-On check box in the Application Instance: app section.

    • Save your changes
    • Navigate to the Security tab, set the Token Type field to Header, and update the Logout URL and Authentication URL.

    • Save your changes.
    • Restart Clarity services
  • Now log in using the http/https URL configured in CSA; the application should authenticate through SSO.

Additional Information


  • If the Logout URL is set both in CSA and in the SAML Configuration attribute IDP Single Logout, the SAML Configuration IDP Single Logout value is the one used as the Logout URL.
  • SAML needs end-to-end TLS if you are using SSL: the TLS connection must terminate at Clarity. SSL offloading (terminating TLS at a load balancer or proxy) is not supported.
  • IDP metadata usually contains separate certificates for encryption and for signing. The SAML metadata import takes the first X509 certificate it encounters and stores it in the CMN_SEC_CERTS table for that SAML configuration. If the first certificate is the encryption certificate, this is wrong whenever the IDP signs the SAML response and Clarity's SAML libraries have to verify that signature.

In that case the error below can be seen in the app-ca log:

ERROR 2021-05-25 17:24:22,103 [http-nio-14001-exec-1] filter.SAMLFilter (clarity:admin:-1:none) Error occured while creating session for user  null Reason: Unauthenticated SAML response received:Signature validation failed. SAML Response rejected


This is tracked as defect DE61113. The workaround is to update the CERT_VALUE column of table CMN_SEC_CERTS directly in the database with the correct certificate. The correct certificate is the one in the IDP metadata file under the <KeyDescriptor use="signing"> tag; use that certificate in CMN_SEC_CERTS, because Clarity uses the IDP's signing certificate to validate the SAML response.
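The following is an added example, not code from this article or from Clarity or ADFS: it reads the IDP metadata, lists every KeyDescriptor in the IDPSSODescriptor, and reports when the first certificate in document order is not the signing certificate, which is exactly the case where CMN_SEC_CERTS.CERT_VALUE needs the manual fix. The embedded metadata is constructed, with placeholder base64 instead of real certificate bytes; the entityID and file name are assumptions.

```powershell
# Added example (not part of the article): pick the IdP *signing* certificate out of
# ADFS federation metadata rather than the first X509Certificate in the file.

function Get-IdpCertificates {
    param([Parameter(Mandatory)][string]$MetadataXml)

    [xml]$md = $MetadataXml
    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    # Only the IdP role matters; the same file may also carry an SPSSODescriptor.
    foreach ($kd in $md.SelectNodes('//md:IDPSSODescriptor/md:KeyDescriptor', $ns)) {
        # Per the SAML metadata spec, a KeyDescriptor with no 'use' attribute is valid
        # for both signing and encryption, so treat it as a signing candidate.
        $use = if ($kd.HasAttribute('use')) { $kd.GetAttribute('use') } else { 'signing and encryption' }
        $b64 = ($kd.SelectSingleNode('ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns).InnerText) -replace '\s', ''
        $thumb = try {
            ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))).Thumbprint
        } catch { '(not a parseable certificate)' }   # placeholder bytes in the sample land here
        [pscustomobject]@{ Use = $use; Thumbprint = $thumb; Base64 = $b64 }
    }
}

function Test-ClaritySigningCert {
    param([Parameter(Mandatory)][string]$MetadataXml)

    $certs   = @(Get-IdpCertificates -MetadataXml $MetadataXml)
    $first   = $certs | Select-Object -First 1                                   # what the import stores
    $signing = $certs | Where-Object { $_.Use -ne 'encryption' } | Select-Object -First 1
    if ($null -eq $signing) { throw 'No signing KeyDescriptor found in IDPSSODescriptor' }

    if ($first.Base64 -ne $signing.Base64) {
        Write-Warning ("First certificate in the metadata is the {0} key ({1}); " +
                       "CMN_SEC_CERTS.CERT_VALUE must hold the signing key ({2}) instead.") -f
                       $first.Use, $first.Thumbprint, $signing.Thumbprint
    }
    $signing   # the certificate value to put into CMN_SEC_CERTS
}

# Constructed sample (not real ADFS output): encryption key listed before the signing key,
# with placeholder base64 ("ENCRYPTION-CERT" / "SIGNING-CERT") instead of real DER bytes.
$sample = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>RU5DUllQVElPTi1DRVJU</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>U0lHTklORy1DRVJU</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
'@

Test-ClaritySigningCert -MetadataXml $sample
# Against the real file (assumed name):
# Test-ClaritySigningCert -MetadataXml (Get-Content .\FederationMetadata.xml -Raw)
```

On the constructed sample the warning fires because the encryption key comes first; on real ADFS metadata the thumbprints let you compare the value stored in CMN_SEC_CERTS with the certificate ADFS actually signs with before touching the table.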


  • When configuring with ADFS you may occasionally see the error "No name id found in Document". It is caused by ADFS not issuing a Name ID in its claims. To resolve it, add a claim rule in the claims section of the ADFS relying party trust that issues the Name ID (in the emailAddress format Clarity requests).
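The following is an added example, not code from this article or from Clarity or ADFS: it creates the Clarity relying party trust in ADFS with the two claims the article requires (a NameID in emailAddress format, which also prevents "No name id found in Document", and a Login claim equal to the Clarity username). The trust display name, the Clarity SP metadata URL, and the choice of mail and sAMAccountName as the AD attributes that match the Clarity email and username are assumptions.

```powershell
# Added example (not part of the article): ADFS relying party trust for Clarity with the
# NameID (emailAddress format) and Login claims the Clarity SAML filter expects.
Import-Module ADFS

$rpName      = 'Clarity PPM'                                     # assumed display name
$metadataUrl = 'https://clarity.example.com/niku/saml/metadata'  # assumed SP metadata URL

# Claim rules in ADFS's claim rule language.
# Rule 1: read mail and sAMAccountName from AD and issue them as the emailaddress claim
#         and as the custom "Login" attribute (assumption: sAMAccountName is the Clarity username).
# Rule 2: re-issue the email address as the SAML NameID with the emailAddress format,
#         matching the NameID policy Clarity sends in its AuthnRequest.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD attributes for Clarity"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "Login"), query = ";mail,sAMAccountName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email address as Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Permit every authenticated user; restrict this to an AD group if Clarity access is limited.
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name $rpName `
    -MetadataUrl $metadataUrl `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Check that the endpoints came from the SP metadata and that both rules are attached.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules
```

If the AD mail attribute is empty for a user, rule 2 has nothing to map and ADFS sends no NameID, which reproduces the "No name id found in Document" error for that user only; check the attribute on the account before looking at the trust configuration.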