SAML Authentication failure after integrating with ADFS within NetOps portal
Article ID: 371041

Updated On:

Products

DX NetOps

Issue/Introduction

We configured SAML authentication by integrating the NetOps portal with ADFS. However, the user is unable to log in because the cloning of the user fails.

Error:

This page isn't working. 500. That's an error.

Error in SsoService.log:

WARN | qtp1480164421-233 | 2024-06-24 17:19:17,184 | org.opensaml.saml.common.binding.SAMLBindingSupport | Relay state exceeds 80 bytes: SsoProductCode=pc&SsoRedirectUrl=https://xxxxx.xxxxx.com:8182/pc/redirector
INFO | qtp1480164421-218 | 2024-06-24 17:19:25,199 | org.opensaml.xmlsec.algorithm.AlgorithmSupport | Mapping from algorithm URI http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p to key length not available
ERROR | qtp1480164421-218 | 2024-06-24 17:19:25,237 | common.sso.saml2.UserAssertionService | SAML2 Authentication failed Cannot clone user: [email protected]
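As an added example (not part of this article or of the DX NetOps product), a small Python triage script that parses lines in the SsoService.log layout shown above, flags the two signatures from this article (the clone-user failure and the over-long relay state) and groups every line of the failing request by its Jetty thread. The hostname and user in the sample are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the SsoService.log excerpt in this article
# (hostname and user are placeholders, not values from a real system).
SAMPLE_LOG = """\
WARN | qtp1480164421-233 | 2024-06-24 17:19:17,184 | org.opensaml.saml.common.binding.SAMLBindingSupport | Relay state exceeds 80 bytes: SsoProductCode=pc&SsoRedirectUrl=https://portal.example.com:8182/pc/redirector
INFO | qtp1480164421-218 | 2024-06-24 17:19:25,199 | org.opensaml.xmlsec.algorithm.AlgorithmSupport | Mapping from algorithm URI http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p to key length not available
ERROR | qtp1480164421-218 | 2024-06-24 17:19:25,237 | common.sso.saml2.UserAssertionService | SAML2 Authentication failed Cannot clone user: user@example.com
"""

# Field layout: LEVEL | thread | timestamp | logger | message
LINE_RE = re.compile(
    r"^(?P<level>[A-Z]+) \| (?P<thread>\S+) \| (?P<ts>\S+ \S+) \| (?P<logger>\S+) \| (?P<msg>.*)$"
)

# Failure signatures taken from this article, keyed by a short finding name.
SIGNATURES = {
    "clone_user_failed": re.compile(r"Cannot clone user: (?P<user>\S+)"),
    "relay_state_too_long": re.compile(r"Relay state exceeds 80 bytes"),
}

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def triage(text):
    """Return one finding per matched signature, with the user (if any) and the request thread."""
    findings = []
    for ev in parse_log(text):
        for name, sig in SIGNATURES.items():
            m = sig.search(ev["msg"])
            if m:
                findings.append({"finding": name, "level": ev["level"], "thread": ev["thread"],
                                 "ts": ev["ts"], "user": m.groupdict().get("user")})
    return findings

def events_for_failed_logins(text):
    """Map each user whose clone failed to every message logged on the same Jetty thread.
    Jetty reuses qtp threads across requests, so apply this to a short time window only."""
    by_thread = defaultdict(list)
    for ev in parse_log(text):
        by_thread[ev["thread"]].append(ev["msg"])
    return {f["user"]: by_thread[f["thread"]]
            for f in triage(text) if f["finding"] == "clone_user_failed"}

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```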

Environment

DX NetOps Performance Management

Cause

The remote IdP sent a CloneUser definition in the SAML Response that the client (the NetOps portal) was not aware of.

Resolution

Because the claims in the SAML Response are encrypted, the error details are neither shown in the browser nor written to the logs above.

To resolve this issue, follow these steps:

  1. Enable General Logging in MySQL:

    • Access the server where the NetOps portal is running.
    • Locate the MySQL data directory. This is typically found at /opt/CA/MySql/data/.
    • Enable general logging to capture detailed logs. Open the MySQL command line and execute the following command:

      SET GLOBAL general_log = 'ON';

    • This command enables general logging, which records every statement the server receives. Because it is verbose and can capture sensitive values passed in queries, disable it again once troubleshooting is complete.
  2. Review the Logs:

    • After enabling general logging, review the log file located at /opt/CA/MySql/data/<hostname>.log.
    • Search for any entries related to the SAML authentication process and user cloning errors.
  3. Correct the CloneUser Value:

    • Identify the incorrect or missing CloneUser value in the customer's remote Identity Provider (IdP) configuration.
    • Update the CloneUser value in the IdP configuration to match the format and values expected by the NetOps portal.
  4. Restart Services:

    • After making the necessary corrections to the IdP configuration, restart the NetOps portal services to apply the changes.
  5. Verify the Solution:

    • Attempt to log in again using SAML authentication to ensure that the issue is resolved.
    • Monitor the logs to confirm that the cloning process completes successfully and no further errors are logged.