ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

SAML SSO configuration fails in DX NetOps Performance Management

book

Article ID: 226893

calendar_today

Updated On:

Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

I set up SAML authentication in our development environment. This is what's happening:

  1. Redirection to the IDP works.
  2. Login to the IDP works
  3. Redirection back to Performance Center results in PC displaying:  "Error Authenticating: SAML Authentication Failed". See screen shot below.
  4. In the sso/logs/wrapper-20211022.log I only see these messages logged.

ERROR | qtp1867272179-21         | 2021-10-22 09:08:37,495 | common.sso.saml2.UserAssertionService
Receive StatusCode: urn:oasis:names:tc:SAML:2.0:status:Responder. Message:

Cause

This error message seen in the SSOService.log files reveals the cause. It's only seen when debug for SAML is enabled (see Additional Information section below).

urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy

Environment

All supported DX NetOps Performance Management releases

Resolution

The "Name ID Format" setting in the IDP needs to be set to "username".

Additional Information

Enabling debug for SAML2 issues.

  1. Go to http://<PC_Hostname>:8381/sso/webservices/admin/debug
  2. Log in using the default admin user and it's password.
    1. Click on Logs
    2. Click on Runtime Configuration
  3. In the "Add/Update a logging category" fields:
    1. In Category Name add "common.saml2". Description can be left blank. Set Level to DEBUG. Hit the Add button.
    2. In Category Name add "common.sso.saml2". Description can be left blank. Set Level to DEBUG. Hit the Add button.
  4. Reproduce the attempted SAML login that fails.
  5. Logging will be written to the SSO Service SSOService.log and wrapper-<date>.log files in the (default path) /opt/CA/PerformanceCenter/sso/logs. Review those logs or share them with support for analysis.