SAML Authentication Issues in Spectrum



Article ID: 267623


Products

Network Observability Spectrum

Issue/Introduction

We are communicating with the SAML service, but receive an authentication error. For example, does a user group also have to exist in the IdP?


Environment

Release: 22.2.x / 22.3.x

Cause

IdP configuration (NameID format or group attribute name)

Resolution

The SAML assertion must carry the user name as the NameID. A correct assertion shows the user in the NameID element, for example (truncated):

   >@user.com</saml:NameID>

Verify in the IdP configuration that the NameID format is set to UserName and not to something else (for example an opaque persistent identifier).

If you are mapping user groups, make sure the attribute the IdP sends for group membership is named "memberOf" and not "roles". An assertion that carries the groups in an attribute like the following will not map groups in Spectrum, because Name must read "memberOf":

 <saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema"
                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                            Name="roles"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"


Additional Information

------- When using Keycloak as the IdP ---------

By default, Keycloak's SAML client configuration sets the Name ID format to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, which is an opaque identifier rather than the user name that Spectrum expects.

On the Keycloak client configuration page, uncheck "Force Name ID Format" so that the NameID defaults to the user name instead of the forced persistent identifier.
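As an added diagnostic (this script is not part of Spectrum, Keycloak or this article), the following Python checks a decoded SAML assertion for the two IdP-side problems described above: a NameID issued as an opaque persistent or transient identifier instead of the user name, and a group attribute named "roles" instead of "memberOf". The attribute name "memberOf" and the persistent NameID format come from the article; the sample assertions, their IDs and values are constructed for illustration and are not real Spectrum or Keycloak output.

```python
"""Check a SAML assertion for the Spectrum misconfigurations described above.

Added example; not Spectrum's or Keycloak's code. The assertions at the bottom
are constructed test data.
"""
import base64
from typing import List

# A SAMLResponse arrives from the browser, i.e. from the network: prefer
# defusedxml, which is hardened against entity-expansion attacks, when present.
try:
    from defusedxml import ElementTree as ET
except ImportError:
    import xml.etree.ElementTree as ET

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# NameID formats that carry an opaque identifier instead of the user name.
OPAQUE_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}
GROUP_ATTRIBUTE = "memberOf"  # attribute name Spectrum expects for group mapping


def decode_saml_response(b64: str) -> str:
    """Decode the base64 SAMLResponse form field captured from the browser."""
    return base64.b64decode(b64).decode("utf-8")


def check_assertion(xml_text: str, groups_configured: bool = True) -> List[str]:
    """Return a list of findings; an empty list means the checks passed.

    Accepts either a bare <saml:Assertion> or a <samlp:Response> wrapping one.
    """
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", SAML_NS)
    if assertion is None:
        return ["no saml:Assertion element found"]

    # Check 1: the NameID must be the user name, not a persistent/transient ID.
    name_id = assertion.find("./saml:Subject/saml:NameID", SAML_NS)
    if name_id is None:
        findings.append("NameID missing from Subject")
    else:
        fmt = name_id.get("Format", "")  # absent Format means 'unspecified'
        value = (name_id.text or "").strip()
        if fmt in OPAQUE_FORMATS:
            findings.append(f"NameID Format is {fmt}: Spectrum needs the user name, not an opaque identifier")
        elif not value:
            findings.append("NameID is empty")

    # Check 2: group membership must arrive in an attribute named memberOf.
    if groups_configured:
        names = [a.get("Name") for a in assertion.findall("./saml:AttributeStatement/saml:Attribute", SAML_NS)]
        if GROUP_ATTRIBUTE not in names:
            if "roles" in names:
                findings.append('group attribute is named "roles": Spectrum expects "memberOf"')
            else:
                findings.append(f'no "{GROUP_ATTRIBUTE}" attribute in the assertion: group mapping will not work')
    return findings


# Constructed sample: persistent NameID and a "roles" attribute (both wrong).
BAD_ASSERTION = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">G-1a2b3c4d</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>spectrum-operators</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: user name as NameID and a "memberOf" attribute (both right).
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a2" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@user.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>spectrum-operators</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The same bad response as it would appear in the SAMLResponse form field.
BAD_RESPONSE_B64 = base64.b64encode(BAD_ASSERTION.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    for label, doc in (("bad", BAD_ASSERTION), ("good", GOOD_ASSERTION)):
        print(label, check_assertion(doc) or ["ok"])
```

To use it against a real login, capture the SAMLResponse POST parameter from the browser's developer tools, pass it through decode_saml_response, and feed the result to check_assertion; pass groups_configured=False if Spectrum is not configured to map groups, since then the missing "memberOf" attribute is not an error.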