Spectrum integration with SAML fails with error 500

Article ID: 252950

Products

CA Spectrum DX NetOps

Issue/Introduction

We configured Spectrum with SSO using an Identity Provider (IdP) that supports SAML 2.0.

When we try to access OneClick we are redirected to the IdP for authentication. After authenticating successfully, we are redirected back to the OneClick home page and get only an error 500.

The tomcat log file shows these messages when this occurs.

2024-10-03 08:45:43,772 [https-jsse-nio-443-exec-9] INFO  org.apache.cxf.fediz.core.processor.SAMLProcessorImpl - Issuer url: https://<internal_OKTA_URL>/sso/saml
2024-10-03 08:45:48,179 [https-jsse-nio-443-exec-1] ERROR com.aprisma.spectrum.app.sso.saml2.SamlTomcatSigninHandler - The request was invalid or malformed
org.apache.cxf.fediz.core.exception.ProcessingException: The request was invalid or malformed
...
2024-10-03 08:45:48,185 [https-jsse-nio-443-exec-1] ERROR org.apache.cxf.fediz.core.handler.SigninHandler - Federation processing failed: The request was invalid or malformed

In the <SPECROOT>/tomcat/classes/log4j2.xml file, enable debug logging for the following three Logger entries (add any that are not present). If the fediz entry isn't present, add it below the authenticator entry.

  • <Logger name="com.aprisma.tomcat" level="info"></Logger>
  • <Logger name="org.apache.catalina.authenticator" level="info"></Logger>
  • <Logger name="org.apache.cxf.fediz" level="info"></Logger>

Set all three from info (default) to debug as follows, save the file and restart tomcat.

  • <Logger name="com.aprisma.tomcat" level="debug"></Logger>
  • <Logger name="org.apache.catalina.authenticator" level="debug"></Logger>
  • <Logger name="org.apache.cxf.fediz" level="debug"></Logger>

Reproduce the issue; the tomcat log should then show the following when the SAML login fails.

2024-10-03 09:00:07,906 [https-jsse-nio-443-exec-3] DEBUG org.apache.cxf.fediz.core.samlsso.SAMLSSOResponseValidator - Assertion does not contain unique subject provider identifier https://<OneClickHostName>/spectrum/ in the audience restriction conditions
2024-10-03 09:00:07,906 [https-jsse-nio-443-exec-3] DEBUG org.apache.cxf.fediz.core.processor.SAMLProcessorImpl - SAML token security failure
org.apache.wss4j.common.ext.WSSecurityException: SAML token security failure

Environment

All supported DX NetOps Spectrum releases integrated with SAML2

Cause

The SAML provider's Audience Restriction URL value and the audienceItem URL value in the <SPECROOT>/tomcat/conf/fediz_config.xml file do not match.

Resolution

Ensure that all OneClick URLs set in <SPECROOT>/tomcat/conf/fediz_config.xml match the Audience Restriction URL value set in the SAML provider.

In this instance the SAML provider URLs were set correctly. The OneClick fediz_config.xml file did not have the host name set properly. Setting the correct hostname in the file that matches the provider config and restarting OneClick tomcat resolved the problem.
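As an added example (not code from this article or from the Spectrum product), the following Python check pulls the Audience value(s) from a SAML Response and the audienceItem value(s) from fediz_config.xml and reports whether they match exactly, which is the comparison that fails in the debug log above. Both XML fragments are constructed for the example, and the fediz_config.xml layout (FedizConfig/contextConfig/audienceUris/audienceItem) is assumed from the Apache CXF Fediz configuration format.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed IdP Response fragment: only the parts relevant to the audience check.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion>
    <saml2:Conditions>
      <saml2:AudienceRestriction>
        <saml2:Audience>https://oneclick.example.com/spectrum/</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</samlp:Response>"""

# Constructed fediz_config.xml fragment with the host name left wrong (the misconfiguration above).
FEDIZ_CONFIG = """<FedizConfig>
  <contextConfig name="/spectrum">
    <audienceUris>
      <audienceItem>https://localhost/spectrum/</audienceItem>
    </audienceUris>
  </contextConfig>
</FedizConfig>"""

def assertion_audiences(saml_response_xml):
    """Audience values from every AudienceRestriction in the IdP response."""
    root = ET.fromstring(saml_response_xml)
    return [a.text.strip() for a in root.iterfind(".//saml2:Audience", SAML_NS)]

def fediz_audiences(fediz_config_xml):
    """audienceItem values that the OneClick (Fediz) side will accept."""
    root = ET.fromstring(fediz_config_xml)
    return [a.text.strip() for a in root.iter("audienceItem")]

def check_audience(saml_response_xml, fediz_config_xml):
    """Return (ok, message). Exact string comparison, so a wrong host name or slash fails."""
    idp = assertion_audiences(saml_response_xml)
    sp = fediz_audiences(fediz_config_xml)
    matched = [a for a in idp if a in sp]
    if matched:
        return True, "audience OK: " + ", ".join(matched)
    hints = [f"{a!r} vs {s!r} differ only by case or trailing slash"
             for a in idp for s in sp if a.rstrip("/").lower() == s.rstrip("/").lower()]
    msg = f"no Audience in {idp} matches any audienceItem in {sp}"
    return False, msg + ("; " + "; ".join(hints) if hints else "")

if __name__ == "__main__":
    print(check_audience(SAML_RESPONSE, FEDIZ_CONFIG))
```

Run it against the real IdP response (captured from the browser's SAML tracer) and the live fediz_config.xml to confirm the two values agree before restarting tomcat.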

See the SAML2 Authentication in DX NetOps Spectrum documentation topic for additional information.