Symantec Endpoint Encryption uses a web console in order to manage Groups, Policies, and Helpdesk operations, such as obtaining recovery tokens.
In order to make using the web console more seamless, you can use Open ID (OID)
Configure Symantec Endpoint Encryption with a third-party Identity Provider (IdP), such as Siteminder that uses the OpenID Connect protocol and allow administrators to log into the SEE Management Console with OpenID Connect-based secure single-sign-on authentication (without the need to authenticate additional username and passwords).
Symantec Endpoint Encryption 12.0 and above.
Prerequisite
Configuration required on the Open ID Connect Provider Configuration page:
Issuer, Authority, Authorization Endpoint, Token Endpoint, UserInfo Endpoint, JWKS URI, and End Session Endpoint.
openid,profile,email.
address:{street_address}
, then while using street_address
for Identity Claim, use the format: address.street_address
.user1@example.com
and the Mapping Attribute user mail value in the Active Directory is user2@example.com
, then the authentication will fail. Both values must be the same for this to work. Reset IIS after successfully saving the changes (via admin command line, you can run "iisreset
" for these changes to take effect.
Scenario 1: Discovery URL is not working and does not populate the details.
Solution: Make sure you are using the proper URL here. Copy and paste, rather than type the URL in.
This is a link that you would obtain from your own OID solution, such as Siteminder.
SEE does not use "oauth-authorization-server
" for the discovery URL. Make sure it is using "openid-configuration
".
For Okta an example may look like the below URL:
https://OKTA-FQDN-HOST-HERE/.well-known/openid-configuration
________________________________________________________________________________________
Scenario 2: Error 400 one redirect URI
When clicking the Single Sign-On button, the page is getting redirected to the wrong page and does not go to the SEE Management Server.
Solution: Check on your OID in your logging to see what the proper URL should be for the SEE Management Server, and make sure this URL is actually being used.
In the SEEMS Configuration Manager, you can check the "Redirect URL" to what it should resolve to.
For example, the following will be displayed for the host "host.example.com", for the redirect URL:https://host.example.com/webconsole/api/account/oidccallback
________________________________________________________________________________________
Scenario 3: I've configured everything correctly, but still, the changes are not taking effect.
Solution: Make sure you restart IIS after making any changes within the OID configuration. OID affects the webserver in significant ways that require the website to be restarted.
Use "iisreset
" as administrator for ease.
"Make sure to restart IIS after modifying authentication settings."
________________________________________________________________________________________
Scenario 4: Everything is configured properly in SEEMS, but it looks like the authentication is failing to recognize me as a valid user at login.
Solution: Check to see if your OID solution has "Zones" enabled.
For example, if you login as an internal user, the system you are accessing the authentication may be from an IP that is not allowed in the OID "Zone".
Work with your OID expert to ensure the machines you are accessing, are allowed within the zones that will enable authentication.
________________________________________________________________________________________
Scenario 5: Unable to login with error about claims and mapped user attributes.
When you click on the "Single Sign-On" button, this will authenticate the current user to the OID solution.
The OID solution in turn will have the user prove their identity. A "Push" request may be provided, and once this is done, the user is authenticated.
At the end of this, the user is then allowed to authenticate. In this case, an error occurs:
"Either the claims are not present or the mapped user-identity attribute value is empty in the IDP."
Solution: If you are seeing this error, check the SEEMS Configuration Manager and look at the "Identity Claim" value.
If this is using a custom claim, try using "email" instead. The "email" attribute is a standard claim that will typically always resolve the user account:
Restart IIS after this is done, and the authentication should work.
For additional help, reach out to Symantec Encryption Support for further guidance.
________________________________________________________________________________________
Scenario 6: SEE Web Console does not prompt for "Re-authentication" after clicking Logout and immediately logging back in.
This is expected behavior and the reason for this is when the OID solution such as SiteMinder, authenticates the user, then it is cached for that user for a certain amount of time.
The user can access the apps and they do not need to re-authenticate Siteminder again as long as the they do this within the cached period of time.
Once the cache for Siteminder clears, the user will then be asked to re-authenticate.
The main thing to be sure about is that the SEEMS Configuration Page has been able to do the "discover" properly.