We upgraded to 21.2.1.0.46 and now have problems logging in with SAML: we frequently get errors reporting invalid SAML IDs.
It was working before the upgrade, and no SAML ID errors were seen on Azure.
In the Tomcat log we see that the token begins with a number. The customer refreshes until he gets a correct token.
2021-09-01 15:23:13 INFO SAMLProcessorImpl:389 - Issuer url: https://login.microsoftonline.com/9ea3d2f7-a925-4dbe-9b0c-b6005d536673/saml2
2021-09-01 15:23:20 INFO SAMLProcessorImpl:389 - Issuer url: https://login.microsoftonline.com/9ea3d2f7-a925-4dbe-9b0c-b6005d536673/saml2
2021-09-01 15:34:20 INFO SAMLProcessorImpl:389 - Issuer url: https://login.microsoftonline.com/9ea3d2f7-a925-4dbe-9b0c-b6005d536673/saml2
2021-09-01 15:48:04 INFO SAMLProcessorImpl:389 - Issuer url: https://login.microsoftonline.com/9ea3d2f7-a925-4dbe-9b0c-b6005d536673/saml2
2021-09-01 15:48:53 INFO SAMLProcessorImpl:389 - Issuer url: https://login.microsoftonline.com/9ea3d2f7-a925-4dbe-9b0c-b6005d536673/saml2
Microsoft Azure documents the following requirement, which Spectrum 21.2.1 no longer meets due to a code change.
https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol
| Parameter | Type | Description |
|---|---|---|
| ID | Required | Azure AD uses this attribute to populate the InResponseTo attribute of the returned response. ID must not begin with a number, so a common strategy is to prepend a string like "id" to the string representation of a GUID. For example, id6c1c178c166d486687be4aaf5e482730 is a valid ID. |
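The requirement above is the XML Schema xs:ID rule: an ID must start with a letter or underscore, so a bare GUID string (which can start with a digit) is rejected, and the IdP cannot echo it back in InResponseTo. The following is an added example, not Spectrum, Fediz or Azure code: it generates and validates request IDs the way the Azure documentation suggests, builds a minimal AuthnRequest around one, and shows the service-provider side of the contract, namely checking that a returned Response's InResponseTo matches an outstanding request and consuming it so a replayed Response is refused. The issuer, URLs and the sample Response are constructed values, not taken from the page.

```python
import re
import uuid
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)

# The SAML ID attribute is xs:ID, i.e. an NCName: first character a letter or
# underscore, remaining characters letters, digits, '.', '-' or '_'. This ASCII
# regex is an assumption that covers the IDs generated here (no non-ASCII letters).
NCNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")


def is_valid_saml_id(value):
    """True if value satisfies xs:ID, so the IdP can copy it into InResponseTo."""
    return bool(NCNAME_RE.match(value))


def new_request_id(prefix="id"):
    """Prefix a GUID hex string so the ID can never start with a digit (Azure's documented strategy)."""
    candidate = prefix + uuid.uuid4().hex
    if not is_valid_saml_id(candidate):
        raise ValueError("generated ID is not a valid xs:ID: " + candidate)
    return candidate


def build_authn_request(request_id, issuer, acs_url, destination, issue_instant):
    """Serialize a minimal SAML 2.0 AuthnRequest carrying the given ID (hypothetical SP values are passed in)."""
    if not is_valid_saml_id(request_id):
        raise ValueError("AuthnRequest ID must be an xs:ID: " + request_id)
    root = ET.Element("{%s}AuthnRequest" % SAMLP_NS, {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, "{%s}Issuer" % SAML_NS).text = issuer
    return ET.tostring(root, encoding="unicode")


def request_id_from_xml(xml_text):
    """Read back the ID attribute of a serialized AuthnRequest."""
    return ET.fromstring(xml_text).get("ID")


def check_in_response_to(response_xml, outstanding_ids):
    """Accept a Response only if InResponseTo names a request we issued; consume it so a replay fails."""
    in_response_to = ET.fromstring(response_xml).get("InResponseTo")
    if in_response_to is None or in_response_to not in outstanding_ids:
        return False
    outstanding_ids.discard(in_response_to)
    return True


def sample_response(in_response_to):
    """Constructed sample of an IdP Response envelope (not real Azure output); only InResponseTo matters here."""
    return ('<samlp:Response xmlns:samlp="%s" ID="_r1" Version="2.0" '
            'IssueInstant="2021-09-01T15:23:13Z" InResponseTo="%s"/>'
            % (SAMLP_NS, in_response_to))


if __name__ == "__main__":
    rid = new_request_id()
    print(build_authn_request(rid, "spectrum", "https://sp.example.test/saml/acs",
                              "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2",
                              "2021-09-01T15:23:13Z"))
    pending = {rid}
    print(check_in_response_to(sample_response(rid), pending))  # True
    print(check_in_response_to(sample_response(rid), pending))  # False: already consumed
```

Rejecting an invalid ID before the request leaves the SP turns the intermittent "invalid SAML ID" failure seen here into a deterministic error at the point where it is introduced; the outstanding-ID set is the piece an SP needs so that an unsolicited or replayed Response is not accepted as a login.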
The code change in question was:
• Symptom: NetIQ Access Manager SAML IDP is not working with the default authorization requests.
• Resolution: Code changes are made to customize the SAML AuthnRequest to give the required values for the IdP. (DE499786, 32597919, 21.2.1)
Release: Spectrum 21.2.1.0.46
SAML integration with Microsoft Azure AD, which handles their authentication.
To resolve this problem on 21.2.1:
1. Edit tomcat\conf\fediz_config.xml and add the authnRequestBuilder line shown below (the line that was marked in bold). The order of the elements inside <protocol> does not matter.
2. Restart Tomcat.
<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="samlProtocolType" version="2.0">
    <issuer></issuer>
    <disableDeflateEncoding>true</disableDeflateEncoding>
    <doNotEnforceKnownIssuer>true</doNotEnforceKnownIssuer>
    <signRequest>true</signRequest>
    <realm>spectrum</realm>
    <reply></reply>
    <!-- line to add: selects the AuthnRequest builder that emits an Azure-compatible ID -->
    <authnRequestBuilder>com.aprisma.spectrum.app.sso.saml2.SAMLPRequestBuilderImpl</authnRequestBuilder>
</protocol>
This was fixed in 21.2.2 as part of US754294: SAML: Support NetIQ during Spectrum upgrade.