Cannot single sign on to ZTNA tenant when generic SAML IDP server defined

Article ID: 369308

Products

Symantec ZTNA Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

A ZTNA tenant is enabled with an on-premises SAML IDP server used for authentication.

The Identity Provider in use is a generic SAML identity provider with no SCIM integration.

When users access the ZTNA tenant, they are redirected to the IDP server and the ensuing login completes successfully. The corresponding assertion is sent to the ZTNA tenant via the browser, but instead of the ZTNA portal being rendered with a list of available applications, the user is prompted to log in manually.

Adding a local user with the same name/email address combination as the SAML assertion name identifier does not resolve the issue.

Environment

ZTNA.

On-premises SAML IDP server.

No SCIM application available for IDP server.

Cause

ZTNA cannot find a matching user when no SCIM service is available for the generic SAML identity provider.

Resolution

Use the ZTNA APIs to manually create SCIM users/groups.

Note that when creating a SCIM user using this approach, the userName value MUST match the name identifier returned within the SAML assertion. This is typically an email address, so the userName and emails values must both contain that email address, as shown below.

// Snippet of assertion showing the subject name identifier

<saml:Subject>
    <saml:NameID SPNameQualifier="https://####.luminatesec.com/luminate/saml/####/entityid" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">[email protected]</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-06-06T10:16:11Z" Recipient="https://bcmdemo504.luminatesec.com/luminate/saml/1ce7dbb4-4fd6-418b-a6a9-16aef51e2ef6/acs" InResponseTo="_1bed520e-b699-4271-b208-e3e7b1f48fbe" />
    </saml:SubjectConfirmation>
</saml:Subject>

// Payload POSTed to ZTNA SCIM API endpoint (https://api.####.luminatesec.com/v2/identities/####/scim/users)

{
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "name": {
        "givenName": "user1",
        "familyName": "Manual"
    },
    "emails": [
        {
            "value": "[email protected]",
            "primary": true
        }
    ],
    "userName": "[email protected]",
    "displayName": "user1",
    "targetWorkstations": [
        "Example Workstation"
    ]
}
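The following script is an added example, not Symantec/Broadcom code, illustrating the matching rule above: it reads the NameID out of a SAML Subject, builds a SCIM user payload in the shape shown on this page, and refuses to submit a payload whose userName or primary email does not equal the NameID. The endpoint path follows the URL pattern quoted in the article; the Authorization header scheme, the sample assertion and the user names are assumptions made for the example.

```python
"""Build and validate a ZTNA SCIM user payload against a SAML NameID.

Added example, not part of the ZTNA product or the Broadcom article.
Assumptions: the bearer-token Authorization header (check the ZTNA API
documentation for the real scheme) and the constructed sample data below.
"""
import json
import urllib.request
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:email"
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed sample Subject modelled on the assertion snippet in the article
# (SPNameQualifier and SubjectConfirmation omitted, they play no part here).
SAMPLE_SUBJECT = """<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">user1@example.com</saml:NameID>
</saml:Subject>"""


def extract_name_id(subject_xml: str) -> str:
    """Return the NameID text from a SAML Subject (or whole Assertion) XML string.

    Raises ValueError when the NameID is missing, empty, or not in the
    email format this article relies on, so a mismatch is caught before
    any user is created.
    """
    root = ET.fromstring(subject_xml)
    node = root.find(".//saml:NameID", SAML_NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion carries no NameID")
    fmt = node.get("Format", "")
    if fmt != EMAIL_FORMAT:
        raise ValueError(f"unexpected NameID format: {fmt!r}")
    return node.text.strip()


def build_scim_user(name_id: str, given_name: str, family_name: str,
                    workstations: list) -> dict:
    """Build the SCIM payload in the shape shown in the article.

    userName and the primary email are both set to the NameID, which is
    the property the ZTNA lookup depends on.
    """
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"value": name_id, "primary": True}],
        "userName": name_id,
        "displayName": given_name,
        "targetWorkstations": list(workstations),
    }


def matches_assertion(payload: dict, name_id: str) -> bool:
    """True only if userName and the primary email both equal the NameID."""
    if payload.get("userName") != name_id:
        return False
    emails = payload.get("emails", [])
    return any(e.get("value") == name_id and e.get("primary") for e in emails)


def post_scim_user(api_host: str, identity_id: str, token: str,
                   payload: dict, name_id: str) -> int:
    """POST the payload to the SCIM users endpoint; returns the HTTP status.

    The URL follows the pattern quoted in the article. The bearer token
    header is an assumption for this example. Validation runs first so an
    unmatched user is never created.
    """
    if not matches_assertion(payload, name_id):
        raise ValueError("userName/primary email do not match the SAML NameID")
    url = f"https://api.{api_host}/v2/identities/{identity_id}/scim/users"
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"Content-Type": "application/scim+json",
                 "Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:  # network call
        return resp.status


if __name__ == "__main__":
    nid = extract_name_id(SAMPLE_SUBJECT)
    user = build_scim_user(nid, "user1", "Manual", ["Example Workstation"])
    print(json.dumps(user, indent=2))
    print("matches assertion:", matches_assertion(user, nid))
```

Run it as-is to print the payload and the match result offline; only call `post_scim_user` once the host, identity ID and the tenant's real authentication scheme are filled in.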