Portal login doesn't use SAML integration

Article ID: 265003

Products

CA Performance Management Network Observability

Issue/Introduction

SAML MFA authentication works great now when I use https://VanityPortalHostName:8182/pc/desktop/page

But users log out of there, and if they use this page to log in again (https://RealPortalHost:8382/sso/sign-in.jsp?SsoProductCode=pc&SignOut=1), they can bypass the MFA.

This is the current setup for SsoConfiguration:

SSO Configuration/DX NetOps/Performance Center:
Web Service Scheme: http
Web Service Host: <realHostName>
Web Service Port: 8481
Web Service Inventory (Version 1): /dm/inventory
Web Service Data Source Admin: /dm/ds
Web Site Scheme: https
Web Site Host: <VanityHostName>
Web Site Port: 8182
Web Site Path: /pc/desktop/page
SMTP Enabled: Enabled
SMTP Server Address: smtp.host.com
SMTP Ports: 25
SMTP SSL: Disabled
Email Reply Address: [email protected]
Email Format: HTML
Enable Emailing Scheduled Reports: Enabled
Enable Archived Scheduled Reports: Disabled
SMTP Username:
SMTP Password:
Web Service Inventory (Version 2): /dm/inventory2
SMTP Authentication: Disabled

The SSO link always reverted to the RealPortalHostName. Is that the issue?

The DX NetOps Performance Management Portal web server has SAML (also known as SAML2) SSO configured along with LDAP SSO.

When the user initially logs in, they are directed to SAML MFA and are given Portal access after logging in. When the user logs out, they are left at a different URL that provides a new login prompt.

Logging in via that new login prompt gives the user access after authenticating with only a valid username and password. It does not use the SAML MFA.

Environment

All supported DX NetOps Performance Management Portal releases

Cause

This is functioning as designed.

Resolution

By design, when a SAML user logs out, they are left at the standard out-of-the-box (OOTB) logout page. Example using HTTPS:

https://PortalHost:8382/sso/sign-in.jsp?SsoProductCode=pc&SignOut=1

Best practice is to go back to the proper console port login URL as the starting point for new login attempts. Example using HTTPS:

https://PortalHostName:8182/pc/desktop/page

A custom logout page URL is not possible at this time. It would be an Enhancement Request (ER).

Additional Information

Enhancement Request DE565019 has been submitted to Engineering and Product Management. Questions about the request and its status should be directed to your Account Management team.