Logins using the department assigned as the SAML key cannot log in when users are AE-only users

Article ID: 255328


Products

CA Automic Workload Automation - Automation Engine
CA Automic One Automation

Issue/Introduction

In setting up SAML, the customer used an existing department as the department key in UC_SAML_SETTINGS.

The problem was that all of their users were already assigned to this department and were using LDAP as their login method. No one had yet been set up with SAML logins.

The customer also did not know or have access to the credentials for the UC user.

Environment

Release : 21.0.x

Cause

When the department key is added to UC_SAML_SETTINGS, any existing user associated with that department can ONLY log in via SAML moving forward.
This customer had no other departments defined.

Resolution

The department specified for SAML must be unique: it cannot be used by any other users and is only for the SAML logins.

Using SAML, AE, and LDAP authentication together is supported; the key is the department.

For instance, SAML users have the department SSOadmins, LDAP users have the domain as the department name (for example LDAP.net), and all other AE logins have their own departments.

To resolve the above-mentioned problem, log into client 0 as an AE user (not the SAML or LDAP department).

Reset the SAML key in UC_SYSTEM_SETTINGS to N in order to allow users to log in to AWI with their LDAP or Automic user.

If you are unable to log into Automic because all users have been affected by the above change, please open a case with support and we will assist in resetting the value. 

If there is no access via the UC user, the value can be reset with the following SQL statement (SQL Server only; a DBA can adjust it for other databases as appropriate):

update ovw
   set ovw_value1 = 'N'
 where ovw_vvalue = 'SAML'
   and ovw_oh_idnr in (select oh_idnr from oh where oh_name = 'UC_SYSTEM_SETTINGS')

Then restart Automic.

Additional Information

This only happened because all of their users belonged to a single department. When this department was used for the SAML settings, all access for this department could only happen via a SAML login. 

Always validate/test the SAML setup in an environment where you have access to either the UC user or another admin user for client 0 whose department is different from the one being used for SAML.
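A pre-flight check along these lines can be run before a department is entered in UC_SAML_SETTINGS. It is an added example, not part of the original article and not Automic tooling: the user-list format, the function names and the sample users are constructed for illustration, and it assumes user names in NAME/DEPARTMENT form with departments compared case-insensitively.

```python
# Added example: pre-flight check before a department goes into UC_SAML_SETTINGS.
# The user-list format (name, client, method, admin) is a constructed export,
# not an Automic format; names follow the NAME/DEPARTMENT convention.

def department_of(user_name):
    """Return the department part of NAME/DEPARTMENT, upper-cased."""
    name, sep, dept = user_name.rpartition("/")
    if not sep or not name or not dept:
        raise ValueError(f"not in NAME/DEPARTMENT form: {user_name!r}")
    return dept.upper()  # assumption: departments compare case-insensitively


def saml_preflight(users, saml_department):
    """Report who is affected once saml_department becomes the SAML key.

    locked_out: users in that department who do not log in via SAML today;
                after the change they can ONLY log in via SAML.
    fallback:   client 0 admins in a different department, who can still
                log in and set SAML back to N if the rollout goes wrong.
    """
    target = saml_department.upper()
    locked_out, fallback = [], []
    for u in users:
        if department_of(u["name"]) == target:
            if u["method"] != "SAML":
                locked_out.append(u["name"])
        elif u["client"] == 0 and u["admin"]:
            fallback.append(u["name"])
    return {"locked_out": locked_out, "fallback": fallback,
            "safe": not locked_out and bool(fallback)}


# Constructed sample data modelled on the situation in this article:
# every user shares one department and logs in via LDAP.
BEFORE = [
    {"name": "JSMITH/LDAP.NET", "client": 0, "method": "LDAP", "admin": True},
    {"name": "MJONES/LDAP.NET", "client": 100, "method": "LDAP", "admin": False},
]
# Corrected layout: a dedicated SAML department plus an AE admin elsewhere.
AFTER = BEFORE + [
    {"name": "AWILSON/SSOADMINS", "client": 100, "method": "SAML", "admin": False},
    {"name": "BREAKGLASS/AE", "client": 0, "method": "AE", "admin": True},
]

if __name__ == "__main__":
    print(saml_preflight(BEFORE, "LDAP.NET"))   # reusing the existing department
    print(saml_preflight(AFTER, "SSOadmins"))   # dedicated SAML department
```

A result with "safe" set to False means either existing non-SAML users share the planned SAML department or no client 0 admin would remain outside it.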