SAML Authentication has been enabled for Service Desk Manager by following the steps in the linked document: Enable SAML Authentication for CA SDM
Service Desk Manager redirects to the Microsoft login page, but after the credentials are entered the SDM home page is shown asking for a username and password, and authentication via SAML is not allowed.
Release : 17.3
The following items must be reviewed:
1. The federation.properties file under NX_ROOT\bopcfg\www\CATALINA_BASE\shared\resources\federation.properties
Ensure the values are set in the following way:
federation.trustedissuers.issuer=<paste here the value from Azure> Enterprise Application > <Application name> > Single sign-on > Item 4 > Login URL > change /saml2 to /wsfed>
federation.trustedissuers.thumbprint=<paste here the value from Azure> Enterprise Application > <Application name> > Single sign-on > Item 3 > Thumbprint>
federation.trustedissuers.friendlyname=<paste here the value from Azure> Enterprise Application > <Application name> > Single sign-on > Item 4 > Azure ID Identifier>
federation.audienceuris=https://<SDM_HOST>:<SDM_TOM_SSL_PORT>/CAisd/pdmweb.exe|https://<SDM_HOST>:<SDM_TOM_SSL_PORT>/CAisd/pdmweb.exe
federation.realm=https://<SDM_HOST>:<SDM_TOM_SSL_PORT>/CAisd/pdmweb.exe
federation.enableManualRedirect=false
federation.reply=https://<SDM_HOST>:<SDM_TOM_SSL_PORT>/CAisd/pdmweb.exe
Note: ensure there is no uppercase letter in the value set for federation.enableManualRedirect (false, not False).
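The checks in item 1 can be scripted before restarting Tomcat. The following is an added example, not part of this article or of the CA SDM product: it reads a federation.properties file and reports the mistakes listed above (issuer still ending in /saml2, an enableManualRedirect value that is not lowercase, realm/reply not matching audienceuris). The sample file content and host names are constructed, and the assumption that the Azure thumbprint is a 40-hex-digit SHA-1 value is the author's, not the article's.

```python
import re

# Constructed sample of a federation.properties file with the keys the article
# says to review; tenant id, host and thumbprint are placeholders, not real values.
SAMPLE_PROPERTIES = """
federation.trustedissuers.issuer=https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/wsfed
federation.trustedissuers.thumbprint=0123456789abcdef0123456789abcdef01234567
federation.trustedissuers.friendlyname=https://sts.windows.net/TENANT-ID-PLACEHOLDER/
federation.audienceuris=https://sdm.example.com:8443/CAisd/pdmweb.exe|https://sdm.example.com:8443/CAisd/pdmweb.exe
federation.realm=https://sdm.example.com:8443/CAisd/pdmweb.exe
federation.enableManualRedirect=False
federation.reply=https://sdm.example.com:8443/CAisd/pdmweb.exe
"""

REQUIRED_KEYS = ["federation.trustedissuers.issuer", "federation.trustedissuers.thumbprint",
                 "federation.trustedissuers.friendlyname", "federation.audienceuris",
                 "federation.realm", "federation.enableManualRedirect", "federation.reply"]

def parse_properties(text: str) -> dict:
    """Minimal Java-style .properties reader: key=value, '#'/'!' comments and blank lines skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only; URLs may contain '='
        props[key.strip()] = value.strip()
    return props

def check_federation(props: dict) -> list:
    """Return a list of findings; an empty list means the reviewed settings look consistent."""
    findings = [f"{k} is missing or empty" for k in REQUIRED_KEYS if not props.get(k)]
    # The Login URL copied from Azure ends in /saml2; SDM needs the WS-Fed endpoint.
    if props.get("federation.trustedissuers.issuer", "").endswith("/saml2"):
        findings.append("issuer still ends in /saml2; change it to /wsfed")
    # Assumption (not from the article): the signing-certificate thumbprint is 40 hex digits (SHA-1).
    if not re.fullmatch(r"[0-9a-fA-F]{40}", props.get("federation.trustedissuers.thumbprint", "")):
        findings.append("thumbprint is not a 40-hex-digit value")
    # Case matters here: only the lowercase literal 'false' is accepted.
    if props.get("federation.enableManualRedirect") != "false":
        findings.append("enableManualRedirect must be exactly 'false' (lowercase)")
    # realm and reply should be the pdmweb.exe URL that audienceuris lists ('|'-separated).
    audiences = props.get("federation.audienceuris", "").split("|")
    for key in ("federation.realm", "federation.reply"):
        if props.get(key) not in audiences:
            findings.append(f"{key} is not listed in federation.audienceuris")
    return findings

if __name__ == "__main__":
    for finding in check_federation(parse_properties(SAMPLE_PROPERTIES)):
        print("FINDING:", finding)
```

Replace SAMPLE_PROPERTIES with the contents of NX_ROOT\bopcfg\www\CATALINA_BASE\shared\resources\federation.properties to check a live system.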
2. SDM uses the “name” claim to validate the user (the userid in ca_contact and, if applicable, in EEM). The screenshot below shows the information passed from Microsoft to SDM:
In the example above, the name claim [email protected] is passed to the SDM server, which checks whether the user exists in SDM (userid in ca_contact and in EEM).
XXXX represents the actual text, which has been redacted in the above screen capture for security reasons.
Review the following:
2.1 That the userid [email protected] exists in ca_contact.
You can run the following query to confirm:
SELECT userid, * FROM ca_contact WHERE userid = '[email protected]';
The result should show 1 row.
2.2 If using EEM: That the Principal Name [email protected] exists in EEM.
Example:
2.3 That in Azure the User Principal Name for your user is [email protected].
Example: