"Failed SAML attributes login" message trying to access ZTNA Web based application

Article ID: 417009

Products

Symantec ZTNA

Issue/Introduction

Unable to onboard a ZTNA web application for one specific user, while other users can access the application without issues.

An "Unauthorized operation" message is rendered in the user's browser, with a corresponding message indicating "Failed SAML attributes login", as shown below:

The SAML trace indicates that the assertion carries the appropriate user and group information.

Accessing the application by its direct URL also fails with the same "Unauthorized operation" error.

The ZTNA administrator is unable to locate any logs in the SAC portal using the request ID.

Environment

Cloud SWG.

ZTNA.

Generic SAML with no SCIM.

Cause

The assertion sent by the SAML IDP server to the ZTNA tenant is missing the required email attribute.

Resolution

Make sure that the SAML IDP server sends the mandatory attributes within the assertion; in this case, the email attribute must be present and carry a value that is unique to the user.

Additional Information

After analysing the SAML tracer logs exported at the time of the issue, the following was observed:

  • The assertion POSTed to the Broadcom ZTNA authentication service at https://mylogin.broadcom.com/default/saml/v1/sp/acs includes a number of attributes, including the mandatory email attribute, as shown below:

                <saml2:Attribute Name="email"
                                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                                 >
                  <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                        xsi:type="xs:string"
                                        >[email protected]</saml2:AttributeValue>
                </saml2:Attribute>

  • The assertion POSTed to the ZTNA tenant assertion consumer service at https://<tenant_name>.luminatesec.com/luminate/saml/####/acs carries the email attribute with an empty value:

                <saml2:Attribute Name="email"
                                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                                 >
                  <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                        xsi:type="xsd:string"
                                        />
                </saml2:Attribute>

  • The ZTNA identity service errors out with "failed creating scim user, invalid user details: invalid email format".


Because the email value was empty, the ZTNA authentication service could not find or create a matching user for that email address and therefore did not forward the request to the application as expected.
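As an added check that is not part of this article or of the ZTNA product, the following Python script parses a SAML assertion and reports whether each mandatory attribute (here, email) is present with a non-empty, well-formed value. The two assertions embedded in it are constructed samples that mirror the shapes seen in the traces above, not the actual captured traffic.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample assertions (not real traffic). The first carries a usable
# email value; the second ships the attribute with an empty value, which is
# the shape seen in the tenant-side trace and rejected as "invalid email format".
GOOD_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jane.doe@example.com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

BAD_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string"/>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def check_required_attributes(assertion_xml, required=("email",)):
    """Return a list of problems; an empty list means every required attribute
    is present with a non-empty (and, for email, well-formed) value."""
    root = ET.fromstring(assertion_xml)
    problems = []
    for name in required:
        attr = root.find(f".//saml2:Attribute[@Name='{name}']", NS)
        if attr is None:
            problems.append(f"{name}: attribute missing from assertion")
            continue
        # An empty or self-closing AttributeValue yields no text at all.
        values = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
        values = [v for v in values if v]
        if not values:
            problems.append(f"{name}: attribute present but value is empty")
        elif name == "email" and not all(EMAIL_RE.match(v) for v in values):
            problems.append(f"{name}: value is not a well-formed email address")
    return problems


if __name__ == "__main__":
    for label, doc in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        print(label, check_required_attributes(doc) or "OK")
```

Run it against the decoded assertion copied from a SAML tracer export to see at a glance which mandatory attribute the IDP dropped or left blank for the affected user.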