Post Upgrade to Clarity 16.1 existing SAML integration doesn't work

Article ID: 254602

Products

Clarity PPM On Premise

Issue/Introduction

Customers who had SAML configured before 16.1 and have not filled in the Signon URL in CSA are unable to use SSO after the upgrade.

Steps to Reproduce:

  1. Ensure SAML 2.0 is configured before upgrading to 16.1 and the Signon URL is blank
  2. Start the upgrade to 16.1 and ensure it completes successfully
  3. After the upgrade, try logging in to 16.1 using SAML SSO

Expected Result: Users should be able to log in to Clarity using SAML.

Actual Result: Users are unable to log in and are redirected to the Authentication Error URL because no SAML token is generated. The following log lines can be seen after enabling the SAML logger:

INFO  2022-11-17 18:52:11,516 [https-openssl-nio2-10.142.174.50-443-exec-60] filter.SAMLFilter (clarity:unknown:-1:none) SAMLFilter: start doFilter()
INFO  2022-11-17 18:52:11,516 [https-openssl-nio2-10.142.174.50-443-exec-60] filter.SAMLFilter (clarity:unknown:-1:none) SAMLFilter: sessionId from cookie = null
INFO  2022-11-17 18:52:11,516 [https-openssl-nio2-10.142.174.50-443-exec-60] filter.SAMLFilter (clarity:unknown:-1:none) SAMLFilter: Checking for and processing PPMSSO token
INFO  2022-11-17 18:52:11,516 [https-openssl-nio2-10.142.174.50-443-exec-60] filter.SAMLFilter (clarity:unknown:-1:none) SAMLFilter: samlToken from request parameter: null
INFO  2022-11-17 18:52:11,516 [https-openssl-nio2-10.142.174.50-443-exec-60] filter.SAMLFilter (clarity:unknown:-1:none) SAMLFilter: checking for cookie _clarity_User
INFO  2022-11-17 18:52:11,516 [https-openssl-nio2-10.142.174.50-443-exec-60] filter.SAMLFilter (clarity:unknown:-1:none) SAMLFilter: Checking for and processing direct SAML
INFO  2022-11-17 18:52:11,516 [https-openssl-nio2-10.142.174.50-443-exec-60] filter.SAMLFilter (clarity:unknown:-1:none) SAMLFilter: loading SAML settings from toolkit properties
INFO  2022-11-17 18:52:11,516 [https-openssl-nio2-10.142.174.50-443-exec-60] filter.SAMLFilter (clarity:unknown:-1:none) SAMLFilter: samlResponse from request parameters = null
INFO  2022-11-17 18:52:11,516 [https-openssl-nio2-10.142.174.50-443-exec-60] filter.SAMLFilter (clarity:unknown:-1:none) SAMLFilter: No SAML received, skipping destination validation
INFO  2022-11-17 18:52:11,516 [https-openssl-nio2-10.142.174.50-443-exec-60] filter.SAMLFilter (clarity:unknown:-1:none) SAMLFilter: HttpRequest.getRequestURL() = https://clarity/niku/nu
INFO  2022-11-17 18:52:11,516 [https-openssl-nio2-10.142.174.50-443-exec-60] filter.SAMLFilter (clarity:unknown:-1:none) SAMLFilter: Loading of Classic Clarity detected, direct SAML.
INFO  2022-11-17 19:01:56,063 [WrapperListener_stop_runner] filter.SAMLFilter (none:none:none:none) SAMLFilter destroyed

Environment

16.1

Cause

The SAML architecture changed with the introduction of the SSO Bookmarking feature: a user can now click any bookmarked Clarity URL and, if SSO is enabled, be authenticated without losing the context of that URL.

Resolution

In order to use the bookmark feature together with SAML SSO on 16.0.3 and 16.1, follow the steps below.

Version 16.0.3 - Clarity 16.0.3 supports the SSO_BOOKMARKS feature. It must be enabled with a feature toggle in 16.0.3 using the command admin toggle-feature SSO_BOOKMARKS 1, followed by a restart of Clarity.

Version 16.1.x - The SSO_BOOKMARKS feature is enabled by default and cannot be disabled. Follow the steps below to configure the Signon URL in CSA.

Signon URL examples for Okta, Azure and Ping IdPs

Okta

    • In the New UX, go to Administration → Authentication & Keys → SAML Configurations and add the column "SSO Service URL".
    • Copy this value and configure it in CSA → Security → Signon URL.

Azure

    • Navigate to Azure Active Directory → Enterprise Applications → the application created for Clarity.
    • Under the properties of this enterprise application there is a property named "User Access URL"; copy this value to a notepad.
    • It looks similar to https://myapps.microsoft.com/signin/05d5e6f8-XXXXXX-5ac618626037?tenantId=be9c6c11-XXXX-a04f-4bfe623cd65b. Append &RelayState= to this URL.
    • The final URL looks similar to https://myapps.microsoft.com/signin/05d5e6f8-XXXXX-5ac618626037?tenantId=be9c6c11-XXX-a04f-4bfe623cd65b&RelayState= .
    • Add the above URL as the Signon URL under Settings in CSA.

Ping IDP

    • Get the "SSO Service URL" and "Entity ID" from SAML Configurations. The SSO Service URL is in the format https://PINGSERVER/idp/startSSO.ping. URL-encode the Entity ID if it is in URL format and append it to the SSO Service URL as the PartnerSpId query parameter. Example:
      SSO Service URL :- https://PINGSERVER/idp/startSSO.ping
      Entity ID :- https://CLARITYSERVER/niku/nu#action:union.samlMetadata
      Appended URL :- https://PINGSERVER/idp/startSSO.ping?PartnerSpId=https%3A%2F%2FCLARITYSERVER%2Fniku%2Fnu%23action%3Aunion.samlMetadata
    • Add the above URL as the Signon URL under Settings in CSA, appending &TargetResource=
    • The final URL will look like this: https://PINGSERVER/idp/startSSO.ping?PartnerSpId=https%3A%2F%2FCLARITYSERVER%2Fniku%2Fnu%23action%3Aunion.samlMetadata&TargetResource=
    • Save and restart the services.
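As an added example (not part of this article or of the Clarity product), the following Python builds the Azure and Ping Signon URLs described above and sanity-checks a configured value before it is saved in CSA. The host names and IDs are the article's placeholders; the helper names are hypothetical, and the percent-encoding is the standard one the Ping example relies on.

```python
from urllib.parse import quote, urlsplit, parse_qsl

# Constructed sample inputs, copied from the article's placeholder values.
PING_SSO_SERVICE_URL = "https://PINGSERVER/idp/startSSO.ping"
CLARITY_ENTITY_ID = "https://CLARITYSERVER/niku/nu#action:union.samlMetadata"
AZURE_USER_ACCESS_URL = ("https://myapps.microsoft.com/signin/05d5e6f8-XXXXXX-5ac618626037"
                         "?tenantId=be9c6c11-XXXX-a04f-4bfe623cd65b")


def append_relay_param(base_url: str, param: str) -> str:
    """Append an empty trailing parameter such as '&RelayState=' to base_url.

    Clarity fills in the bookmarked target after the '=' at login time, so the
    configured value has to end with the bare parameter name and '='. Uses '?'
    when base_url has no query string yet, '&' otherwise.
    """
    sep = "&" if urlsplit(base_url).query else "?"
    return f"{base_url}{sep}{param}="


def build_ping_signon_url(sso_service_url: str, entity_id: str) -> str:
    """Ping: percent-encode the whole Entity ID (':' '/' '#' included) as the
    PartnerSpId parameter, then append the empty TargetResource parameter."""
    return append_relay_param(
        f"{sso_service_url}?PartnerSpId={quote(entity_id, safe='')}", "TargetResource")


def build_azure_signon_url(user_access_url: str) -> str:
    """Azure: take the enterprise app's User Access URL as-is and append '&RelayState='."""
    return append_relay_param(user_access_url, "RelayState")


def check_signon_url(url: str, relay_param: str) -> list:
    """Return the problems found in a configured Signon URL (empty list means OK)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not url.endswith(f"{relay_param}="):
        problems.append(f"URL does not end with '{relay_param}='")
    # keep_blank_values=True so the deliberately empty parameter is not dropped
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if params.get(relay_param) != "":
        problems.append(f"'{relay_param}' is missing or not empty")
    return problems


if __name__ == "__main__":
    ping_url = build_ping_signon_url(PING_SSO_SERVICE_URL, CLARITY_ENTITY_ID)
    print(ping_url, check_signon_url(ping_url, "TargetResource") or "OK")
```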

Additional Information

Note: Other SSO providers may name the Signon URL differently. Check with the IdP provider and enter the corresponding value in CSA to ensure SAML SSO works.
