Configuring SAML Authentication using Azure AD SSO or ADFS for DLP

Article ID: 236680

Products

Data Loss Prevention Enforce, Data Loss Prevention

Issue/Introduction

You want to configure the Symantec Data Loss Prevention (DLP) Enforce console to use Azure Active Directory (Azure AD) SAML-based single sign-on (SSO).

Note: The same steps apply to Microsoft Active Directory Federation Services (ADFS).

Note: For the general procedure, refer to "First time setup of SAML authentication in DLP" (Article ID: 276055).

Environment

Release : 15.8, 16.x

Resolution

Azure AD SSO is supported from DLP version 16.0.1.

Follow the steps in the general "Setting up authentication" procedure, with the additional configuration below applied at the steps indicated.

Step 2: In the SpringSecurityContext.xml file, add the following element inside the <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions"> section:

<property name="includeScoping" value="false"/>

Step 5: Follow Microsoft's Quickstart: Add an enterprise application, and download the SAML Signing Certificate.

Import this certificate into the samlKeystore.jks file (default locations listed below):

keytool -importcert -alias azure -keystore samlKeystore.jks -storepass protect -file azure.cer

[Linux] /opt/Symantec/DataLossPrevention/EnforceServer/<version>/Protect/tomcat/webapps/ProtectManager/security/samlKeystore.jks

[Windows] C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\tomcat\webapps\ProtectManager\security\samlKeystore.jks

Step 6: Download the Federation Metadata XML.

Rename it to idp-metadata.xml.

Copy it to the security directory listed above for your operating system.

Step 7: Restart the Symantec DLP Manager service.
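The following pre-flight check is an added example and is not part of this article or of the DLP product. It parses SpringSecurityContext.xml to confirm that the includeScoping property from Step 2 is present and set to false (the setting whose absence produces AADSTS900236), and it extracts the SHA-256 fingerprint of the signing certificate in idp-metadata.xml (Step 6) in the same colon-separated form that keytool prints, so it can be compared with the certificate imported into samlKeystore.jks in Step 5. The XML fragments and the base64 "certificates" in them are constructed placeholders, not real Azure AD or DLP files.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

WEBSSO_CLASS = "org.springframework.security.saml.websso.WebSSOProfileOptions"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

def _local(tag):
    """Strip the namespace prefix ElementTree puts in front of a tag name."""
    return tag.rsplit("}", 1)[-1]

def scoping_disabled(spring_xml):
    """True only if the WebSSOProfileOptions bean sets includeScoping to false;
    without it Azure AD rejects the request with AADSTS900236 (Scoping/ProxyCount)."""
    for bean in ET.fromstring(spring_xml).iter():
        if _local(bean.tag) == "bean" and bean.get("class") == WEBSSO_CLASS:
            for prop in bean:
                if _local(prop.tag) == "property" and prop.get("name") == "includeScoping":
                    return prop.get("value", "").strip().lower() == "false"
    return False

def idp_signing_fingerprints(metadata_xml):
    """SHA-256 fingerprints of the IdP signing certificate(s) in idp-metadata.xml,
    colon-separated the way 'keytool -list -v' prints them for samlKeystore.jks."""
    fps = []
    for kd in ET.fromstring(metadata_xml).iter("{%s}KeyDescriptor" % MD_NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means both uses
            continue
        for cert in kd.iter("{%s}X509Certificate" % DS_NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            digest = hashlib.sha256(der).hexdigest().upper()
            fps.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    return fps

# Constructed samples (not real files): a cut-down SpringSecurityContext.xml fragment and an IdP metadata fragment whose certificates are placeholder base64.
SPRING_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
    <property name="includeScoping" value="false"/>
  </bean>
</beans>"""
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://PLACEHOLDER-IDP/">
  <IDPSSODescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Certificate>YWJj</ds:X509Certificate></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Certificate>ZGVm</ds:X509Certificate></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""
```

Run scoping_disabled() against the real SpringSecurityContext.xml and idp_signing_fingerprints() against the downloaded idp-metadata.xml, then compare the fingerprint with the SHA256 line of keytool -list -v -keystore samlKeystore.jks -alias azure; a mismatch means the keystore holds a different certificate than the one the IdP will sign with.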

Additional Information

Common errors seen while setting up Azure SSO:

AADSTS900236: The SAML authentication request property 'Scoping/ProxyCount' is not supported and must not be set.

Resolution: Verify that you added the <property name="includeScoping" value="false"/> element to the SpringSecurityContext.xml file as described in Step 2.

AADSTS50105: Your administrator has configured the application Symantec DLP Enforce Console SSO ('b#######-####-####-####-############') to block users unless they are specifically granted ('assigned') access to the application. The signed in user is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator. Please contact your administrator to assign access to this application.

Resolution: Follow the steps in Microsoft's Quickstart: Create and assign a user account to add users to the enterprise application you created.