Can't log in to Operator Console (OC) with SAML SSO configuration: Invalid Credentials



Article ID: 380718


Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

We are configuring DX UIM SAML single sign-on with Azure AD.

Using this documentation: Configure SAML Single Sign-On in DX UIM

We configured everything correctly; however, we get Invalid Credentials at OC.

We analyzed the token that the SSO/SAML Azure AD is sending back to the hub and it is correct, but we still cannot log in.

We can log in with the same LDAP/AD directory user in IM and OC, but not via SSO/SAML.
In the hub log we may see: 

Sep 30 20:05:38:639 [139684501326720] 0 hub: (nim_ldap_query) ldap_search_ext_s(base:=##=DOMAIN,##=XX,XX=XXX,XXX=SYS scope:=LDAP_SCOPE_SUBTREE filter:=(&(objectClass=person)(|(userPrincipalName=[email protected]@DOMAIN.CO.COM)(sAMAccountName=[email protected]@DOMAIN.CO.COM)(mail=[email protected]@DOMAIN.CO.COM))) attrs:=displayName, cn, memberOf

Environment

DX UIM 23.4.* 

Cause

The LDAP query is adding an extra domain after the email ([email protected]@DOMAIN.CO.COM), so SSO doesn't occur.
The issue might be related to the 'name' property that is mapped in the SAML claims.

UIM uses this 'name' claim, appends the domain to it, and verifies the result against LDAP, based on the configuration in the filter_user. If the 'name' already contains a domain, the login information is formed with a wrong "double" domain name, so the hub cannot find any user.
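As an added illustration (not UIM's own code), the following Python reconstructs the login value and LDAP filter that the article says the hub forms from the 'name' claim plus the configured domain, and scans hub log lines for the double-domain symptom; the user name, domain and log lines are constructed placeholders.

```python
import re

# Assumed reconstruction of how the hub forms the login value described in the
# article: the SAML 'name' claim with the filter_user domain appended.
def form_login(name_claim: str, domain: str) -> str:
    return f"{name_claim}@{domain}"

# Builds the same three-attribute filter shape seen in the hub log.
def build_ldap_filter(name_claim: str, domain: str) -> str:
    login = form_login(name_claim, domain)
    return (f"(&(objectClass=person)(|(userPrincipalName={login})"
            f"(sAMAccountName={login})(mail={login})))")

# A login value carrying two '@' signs is the "double domain" symptom.
DOUBLE_DOMAIN = re.compile(r"userPrincipalName=([^)]*@[^)]*@[^)]*)\)")

def find_double_domain(text: str):
    """Return the offending login value, or None if the filter looks sane."""
    m = DOUBLE_DOMAIN.search(text)
    return m.group(1) if m else None

def scan_hub_log(lines):
    """Return (line_no, login) for each nim_ldap_query line with a double domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        if "nim_ldap_query" in line:
            login = find_double_domain(line)
            if login:
                hits.append((n, login))
    return hits

# Constructed sample hub log lines (placeholder user and domain, not real data).
# Line 1: the 'name' claim already contains a domain -> broken lookup.
# Line 2: the 'name' claim is a bare user name -> correct lookup.
SAMPLE_LOG = [
    "Sep 30 20:05:38:639 [1] 0 hub: (nim_ldap_query) ldap_search_ext_s(base:=DC=example,DC=com "
    "scope:=LDAP_SCOPE_SUBTREE filter:=" + build_ldap_filter("jdoe@example.com", "example.com")
    + " attrs:=displayName, cn, memberOf",
    "Sep 30 20:06:01:000 [1] 0 hub: (nim_ldap_query) ldap_search_ext_s(base:=DC=example,DC=com "
    "scope:=LDAP_SCOPE_SUBTREE filter:=" + build_ldap_filter("jdoe", "example.com")
    + " attrs:=displayName, cn, memberOf",
]

if __name__ == "__main__":
    for n, login in scan_hub_log(SAMPLE_LOG):
        print(f"line {n}: SAML 'name' claim already carries a domain -> {login}")
```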

Resolution

To resolve the issue, review and update the 'Name' attribute in the IDP SAML configuration so that the result.