Troubleshooting SSO Authentication.
After implementing SSO, users are still having trouble authenticating. Start by restarting the Manager service, attempting a login, and reviewing the localhost log. Because Spring is initialized during Manager service startup, you may see an error referencing springSecurityContext.xml that prevents any user from logging in. That must be addressed first.
If no errors are present during startup, review the logs while the user attempts to authenticate. You should see an outbound request (AuthNRequest) and an inbound response (AuthNResponse), similar to the following.
A normal successful login:
06 Feb 2023 14:05:12,691- Thread: 129 INFO [org.springframework.security.saml.log.SAMLDefaultLogger] AuthNRequest;SUCCESS;x.x.x.x;https://server/ProtectManager/saml/metadata;http://idp.fqdn.tld/adfs/services/trust;;;
...
06 Feb 2023 14:05:15,749- Thread: 132 INFO [com.symantec.dlp.login.spring.SymantecSAMLUserDetailsService] User 'Nathan' is authenticated via SAML authentication
06 Feb 2023 14:05:15,750- Thread: 132 INFO [org.springframework.security.saml.log.SAMLDefaultLogger] AuthNResponse;SUCCESS;x.x.x.x;https://server/ProtectManager/saml/metadata;http://idp.fqdn.tld/adfs/services/trust;[email protected];;
06 Feb 2023 14:05:16,144- Thread: 134 INFO- Thread: 137 INFO [com.vontu.manager] [Nathan] logged on
No errors but users get an "unauthorized page":
If the authentication attempt shows SUCCESS as above, but the user lands on an "unauthorized" page, the wrong URL has been configured in the IdP. SSO itself is working normally, but the user is redirected to a page that doesn't exist or that they don't have access to. Manually change the URL in the browser to https://server/ProtectManager/ and check whether the console loads normally. The customer will have to correct the bad URL in the IdP.
IdP claim mapping error:
06 Feb 2023 13:31:28,207- Thread: 135 SEVERE [com.symantec.dlp.login.spring.SymantecSAMLUserDetailsService] SAML authentication failed: required user attribute 'userID' was not found in credential.
The user is missing an attribute in the directory service. In this example, the SSO attribute "userID" is mapped to the AD attribute "EmployeeID", so the user is missing EmployeeID in the directory service the IdP is integrated with.
To see which mappings are in use, check the IdP claim rules: there should be a configured "incoming claim" and "outgoing claim". The outgoing claim is what DLP expects; the incoming claim is the attribute the directory service has configured for the user.
Typo in DLP for configured user:
06 Feb 2023 14:05:15,750- Thread: 132 INFO [org.springframework.security.saml.log.SAMLDefaultLogger] AuthNResponse;SUCCESS;x.x.x.x;https://server/ProtectManager/saml/metadata;http://idp.fqdn.tld/adfs/services/trust;[email protected];;
06 Feb 2023 14:05:15,751- Thread: 130 INFO [com.symantec.dlp.login.spring.SymantecLoginAuditLogger] Unsuccessful login attempt for user {"sAMAccountName":"nathan","userID":"02"} at IP address: x.x.x.x
A complete SSO attempt, but the user is configured with a typo. In this case Enforce is configured with the SSO mapping sAMAccountName "Nathan", but the directory service used by the IdP responded with "nathan" as the sAMAccountName. The DLP comparison is case sensitive.
Mismatched NameID format:
06 Feb 2023 13:54:27,653- Thread: 129 INFO [org.springframework.security.saml.log.SAMLDefaultLogger] AuthNResponse;FAILURE;x.x.x.x;https://server/ProtectManager/saml/metadata;http://idp.fqdn.tld/adfs/services/trust;;;org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Requester, status message is null
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:113)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:175)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:186)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
...
...
...
06 Feb 2023 13:54:27,667- Thread: 129 INFO [com.symantec.dlp.login.spring.SymantecLoginAuditLogger] Unsuccessful login attempt for user null at IP address: x.x.x.x
The IdP is using the wrong NameID format, or no NameID was sent back in the SAML response. This indicates a mismatch between the NameID format configured in DLP and what the IdP responded with. In this case DLP is configured with NameID format emailAddress but the IdP is configured with "Unspecified".
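The checks above can be scripted against the localhost log. The following Python is an added example, not part of this article or of the DLP product; the sample log lines are constructed from the excerpts above, and the ENFORCE_USERS set is a hypothetical stand-in for the sAMAccountName values configured in Enforce.

```python
import json
import re

# Constructed sample lines modelled on the localhost log excerpts above (not a real capture).
SAMPLE_LOG = """\
06 Feb 2023 14:05:12,691- Thread: 129 INFO [org.springframework.security.saml.log.SAMLDefaultLogger] AuthNRequest;SUCCESS;x.x.x.x;https://server/ProtectManager/saml/metadata;http://idp.fqdn.tld/adfs/services/trust;;;
06 Feb 2023 13:31:28,207- Thread: 135 SEVERE [com.symantec.dlp.login.spring.SymantecSAMLUserDetailsService] SAML authentication failed: required user attribute 'userID' was not found in credential.
06 Feb 2023 14:05:15,751- Thread: 130 INFO [com.symantec.dlp.login.spring.SymantecLoginAuditLogger] Unsuccessful login attempt for user {"sAMAccountName":"nathan","userID":"02"} at IP address: x.x.x.x
06 Feb 2023 13:54:27,653- Thread: 129 INFO [org.springframework.security.saml.log.SAMLDefaultLogger] AuthNResponse;FAILURE;x.x.x.x;https://server/ProtectManager/saml/metadata;http://idp.fqdn.tld/adfs/services/trust;;;org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Requester, status message is null
06 Feb 2023 13:54:27,667- Thread: 129 INFO [com.symantec.dlp.login.spring.SymantecLoginAuditLogger] Unsuccessful login attempt for user null at IP address: x.x.x.x
"""
# Hypothetical Enforce-side SSO user mapping: sAMAccountName values configured in DLP.
ENFORCE_USERS = {"Nathan"}
SAML_RE = re.compile(r"\[org\.springframework\.security\.saml\.log\.SAMLDefaultLogger\] (.*)$")
ATTR_RE = re.compile(r"required user attribute '([^']+)' was not found in credential")
AUDIT_RE = re.compile(r"Unsuccessful login attempt for user (\{.*\}|null) at IP address: (\S+)")

def parse_saml_event(line):
    # SAMLDefaultLogger fields: event;status;ip;sp;idp;nameid;;error
    m = SAML_RE.search(line)
    if not m:
        return None
    f = (m.group(1).split(";", 7) + [""] * 8)[:8]
    return {"event": f[0], "status": f[1], "ip": f[2], "sp": f[3],
            "idp": f[4], "nameid": f[5], "error": f[7]}

def classify_line(line, enforce_users=ENFORCE_USERS):
    # Map one localhost log line to the troubleshooting categories described above.
    ev = parse_saml_event(line)
    if ev and ev["status"] == "FAILURE" and not ev["nameid"] and "status:Requester" in ev["error"]:
        return ("nameid_mismatch", "IdP returned Requester status with no NameID; compare NameID formats")
    if ev and ev["status"] == "SUCCESS":
        return ("ok", f"{ev['event']} succeeded for '{ev['nameid'] or '-'}'")
    m = ATTR_RE.search(line)
    if m:
        return ("claim_mapping", f"attribute '{m.group(1)}' missing from IdP claim or directory")
    m = AUDIT_RE.search(line)
    if m and m.group(1) == "null":
        return ("nameid_mismatch", "audit log shows user null; NameID absent from SAML response")
    if m:
        sam = json.loads(m.group(1)).get("sAMAccountName", "")
        if sam not in enforce_users and sam.lower() in {u.lower() for u in enforce_users}:
            return ("case_mismatch", f"IdP sent '{sam}'; Enforce mapping differs only in case")
        return ("unknown_user", f"IdP sent '{sam}'; no matching Enforce user")
    return None

def triage(log_text, enforce_users=ENFORCE_USERS):
    # Return [(category, detail)] for each recognised line, in log order.
    return [r for r in (classify_line(ln, enforce_users) for ln in log_text.splitlines()) if r]
```

Run triage() over a copy of the localhost log after a failed login attempt; each recognised line is tagged with the category from this article so the matching fix (IdP claim rule, Enforce user mapping, or NameID format) can be applied.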
If needed, FINE logging can be enabled by adding or changing the following entries in the ManagerLogging.properties file on the Enforce server:
org.apache.juli.FileHandler.level = FINE
org.opensaml.level = FINE