SAML Cookie syntax error after Spectrum upgrade to 21.2.1 when using MS Azure for authentication

Article ID: 224779

Products

CA Spectrum

Issue/Introduction

We upgraded to 21.2.1.0.46 and now have problems logging in with SAML, as we frequently get errors that speak of invalid SAML IDs.

It was working before the upgrade, and no SAML ID errors were seen on Azure.

In the Tomcat log, we see that the token begins with a number. The customer is refreshing until he gets a correct token.


2021-09-01 15:23:13 INFO  SAMLProcessorImpl:389 - Issuer url: https://login.microsoftonline.com/9ea3d2f7-a925-4dbe-9b0c-b6005d536673/saml2
2021-09-01 15:23:20 INFO  SAMLProcessorImpl:389 - Issuer url: https://login.microsoftonline.com/9ea3d2f7-a925-4dbe-9b0c-b6005d536673/saml2
2021-09-01 15:34:20 INFO  SAMLProcessorImpl:389 - Issuer url: https://login.microsoftonline.com/9ea3d2f7-a925-4dbe-9b0c-b6005d536673/saml2
2021-09-01 15:48:04 INFO  SAMLProcessorImpl:389 - Issuer url: https://login.microsoftonline.com/9ea3d2f7-a925-4dbe-9b0c-b6005d536673/saml2
2021-09-01 15:48:53 INFO  SAMLProcessorImpl:389 - Issuer url: https://login.microsoftonline.com/9ea3d2f7-a925-4dbe-9b0c-b6005d536673/saml2

Cause

Microsoft Azure AD documents the following requirement for the SAML AuthnRequest. Spectrum 21.2.1 no longer satisfies it because of a code change: the customized AuthnRequest builder introduced in that release can emit a request ID that begins with a digit, which Azure AD rejects as an invalid SAML ID.

https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol

Parameter:   ID
Type:        Required
Description: Azure AD uses this attribute to populate the InResponseTo attribute of the returned response. ID must not begin with a number, so a common strategy is to prepend a string like "id" to the string representation of a GUID. For example, id6c1c178c166d486687be4aaf5e482730 is a valid ID.
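The requirement above follows from the SAML 2.0 schema: the ID attribute is an xs:ID, which must be an NCName (first character a letter or underscore, never a digit), and Azure AD echoes it back in InResponseTo. The following stand-alone check, added here as an example and not part of the article or of the Spectrum/Fediz code, decodes a captured SAMLRequest value (base64 for the HTTP-POST binding, base64 over raw DEFLATE for HTTP-Redirect), extracts the AuthnRequest ID and reports whether it would pass. It also shows the "id" + GUID construction Azure recommends. The sample AuthnRequest, its issuer and the TENANT_ID placeholder are constructed for the example.

```python
import base64
import re
import uuid
import zlib
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# xs:ID is an NCName: a letter or underscore first, then letters, digits, '.', '-', '_'.
# ASCII approximation; the full NCName production also admits many non-ASCII letters.
NCNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")


def make_request_id() -> str:
    """Build an AuthnRequest ID the way the Azure AD documentation suggests: 'id' + GUID hex."""
    return "id" + uuid.uuid4().hex


def check_request_id(request_id):
    """Return (ok, reason) for a candidate AuthnRequest ID."""
    if not request_id:
        return False, "ID attribute missing or empty"
    if request_id[0].isdigit():
        # The exact failure mode in the article: 21.2.1 sometimes emits IDs starting with a digit.
        return False, f"ID {request_id!r} begins with a digit; Azure AD will reject it"
    if not NCNAME_RE.match(request_id):
        return False, f"ID {request_id!r} is not a valid xs:ID (NCName)"
    return True, "ok"


def encode_saml_request(xml_text, deflate=False):
    """Encode an AuthnRequest as a SAMLRequest parameter (POST binding, or Redirect binding if deflate)."""
    raw = xml_text.encode("utf-8")
    if deflate:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib header
        raw = comp.compress(raw) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def decode_saml_request(encoded, deflated=False):
    """Reverse of encode_saml_request: base64 (and raw DEFLATE for the Redirect binding)."""
    raw = base64.b64decode(encoded)
    if deflated:
        raw = zlib.decompress(raw, -15)
    return raw.decode("utf-8")


def check_authn_request(xml_text):
    """Parse a decoded AuthnRequest and validate its ID attribute."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        return False, f"not a samlp:AuthnRequest: {root.tag}"
    return check_request_id(root.get("ID"))


def build_authn_request(request_id, issuer="https://spectrum.example.internal/spectrum"):
    """Constructed sample AuthnRequest; issuer and tenant are placeholders, not values from the article."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2021-09-01T13:23:13Z" '
        'Destination="https://login.microsoftonline.com/TENANT_ID/saml2">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


if __name__ == "__main__":
    # A request as 21.2.1 can emit it (ID starting with a digit) beside a compliant one.
    for rid in ("6c1c178c166d486687be4aaf5e482730", "id6c1c178c166d486687be4aaf5e482730", make_request_id()):
        encoded = encode_saml_request(build_authn_request(rid), deflate=True)
        ok, reason = check_authn_request(decode_saml_request(encoded, deflated=True))
        print(f"{'PASS' if ok else 'FAIL'} {rid}: {reason}")
```

To use it on a real login, copy the SAMLRequest form field (POST binding; with disableDeflateEncoding set to true in fediz_config.xml, as in this article, no inflation is needed) or query parameter (Redirect binding, deflated) from the browser's developer tools and pass it to decode_saml_request followed by check_authn_request. A FAIL with "begins with a digit" on an intermittent basis matches the behaviour described in the Issue section, where refreshing eventually produces an accepted request.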

The code change in question was:

• Symptom: NetIQ Access Manager SAML IDP is not working with the default authorization requests.
  Resolution: Code changes are made to customize the SAML AuthnRequest to give the required values for IdP. (DE499786, 32597919, 21.2.1)

 

Environment

Release: Spectrum 21.2.1.0.46
SAML integration with Microsoft Azure AD as the identity provider handling authentication

 

Resolution

To resolve this problem on 21.2.1:

1. Edit tomcat\conf\fediz_config.xml and add the <authnRequestBuilder> element (the last child element in the block below) inside the <protocol> element. Its position among the other child elements does not matter; keep the values your file already has for the other elements.

   <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="samlProtocolType" version="2.0">
            <issuer></issuer>
            <disableDeflateEncoding>true</disableDeflateEncoding>
            <doNotEnforceKnownIssuer>true</doNotEnforceKnownIssuer>
            <signRequest>true</signRequest>
            <realm>spectrum</realm>
            <reply></reply>
            <authnRequestBuilder>com.aprisma.spectrum.app.sso.saml2.SAMLPRequestBuilderImpl</authnRequestBuilder>
        </protocol>

2. Restart Tomcat.

     

Additional Information

This was fixed in 21.2.2 as part of US754294: SAML: Support NetIQ during Spectrum upgrade.
