SAML SSO not working after upgrading to DX UIM 23.4 CU5/CU6/CU7

Article ID: 432014

Updated On:

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

A previously working SAML Single Sign-On (SSO) configuration in DX UIM stops working after upgrading from DX UIM 23.4 CU4 to CU6.

Before the upgrade, SSO login to the Operator Console (OC) and the Admin Console via SAML SSO worked correctly.

After the upgrade, clicking Single Sign-on produces the following browser alert:

<wasp_ip/hostname>:port says
Error connecting to Identity Provider

 

Environment

  • DX UIM 23.4.5 (CU5) and Later
  • SAML SSO with Kerberos Authentication enabled and with assertion encrypted

 

Cause

This issue appears after the upgrade to DX UIM 23.4 CU5 because of the OpenSAML framework upgrade and the changes it introduced.

In environments with Kerberos authentication, and where the IdP (PingFederate) sends the assertion encrypted, the following two issues occur after the upgrade to CU5:

  • In Kerberos-enabled environments, the SAML framework changes cause /samlsso/saml/web/idpOperations/ssoLoginUrlCheckAPI to internally issue an HTTP GET against the IdP login resource. That request originates from the wasp server, not from the user's browser, so it carries no Kerberos identity; the IdP answers 401 and the check wrongly concludes that the IdP is unavailable.

  • Because of the SAML framework upgrade, UIM now has to register decryption credentials explicitly on the RelyingParty. If the IdP sends an encrypted assertion, the service provider (UIM) fails to decrypt the assertion payload.

 

Resolution

The attached patched samlsso.war includes fixes for both issues:

With the fix:

  • ssoLoginUrlCheck now checks IdP availability with a ping instead of an HTTP call to the login resource. This confirms the IdP is up before the user is redirected for authentication, without needing the browser's Kerberos identity.

  • Explicit decryption credentials are added to the RelyingParty so that the encrypted assertion can be decrypted.
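The following Python is an added illustration of the first issue and its fix; it is not code from the article or from the patched samlsso.war. It starts a constructed stub of an IdP login resource that behaves like a SPNEGO-protected endpoint (401 with WWW-Authenticate: Negotiate unless the request carries a Kerberos ticket). The pre-fix style check, an HTTP GET that expects a 2xx, reports the IdP as down because the server-side request has no browser Kerberos identity; a plain reachability check succeeds. A TCP connect to the IdP host and port is used here as a stand-in for the ping the patch uses, and the login path /login is assumed for the example.

```python
"""Why a server-side HTTP GET is the wrong IdP availability check when the
IdP login resource is Kerberos (SPNEGO) protected. Constructed example."""
import http.server
import socket
import threading
import urllib.error
import urllib.request


class _NegotiateOnlyHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the IdP login resource: any request without a
    Kerberos ticket (Authorization: Negotiate ...) gets a 401 challenge."""

    def do_GET(self):
        if self.headers.get("Authorization", "").startswith("Negotiate "):
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"login page")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", "Negotiate")
            self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def start_stub_idp():
    """Bind the stub IdP on an ephemeral localhost port and serve in the background."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _NegotiateOnlyHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def idp_up_via_http_get(login_url, timeout=3):
    """Pre-fix style check: 'up' only if the login resource answers 2xx.
    The wasp JVM holds no browser Kerberos ticket, so a SPNEGO-protected
    IdP answers 401 and this check wrongly reports the IdP as down."""
    try:
        with urllib.request.urlopen(login_url, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError:
        return False  # the 401 Negotiate challenge lands here
    except (urllib.error.URLError, OSError):
        return False


def idp_up_via_reachability(host, port, timeout=3):
    """Fixed-style check (stand-in for the patch's ping): only ask whether the
    IdP endpoint answers on the network; never touch the protected resource."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def demo():
    """Run both checks against the stub IdP; returns (http_get_result, reachability_result)."""
    srv = start_stub_idp()
    host, port = srv.server_address
    login_url = f"http://{host}:{port}/login"  # assumed path for the example
    try:
        return idp_up_via_http_get(login_url), idp_up_via_reachability(host, port)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

Keep the limitation of the fixed-style check in mind: a reachability probe only proves that the host and port answer, not that the IdP application behind it is healthy or that the user's own Kerberos login will succeed. The patch's actual ping implementation is not shown here.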

 



Steps to deploy the fix: 

 

1. Deactivate the wasp probe.

2. Back up the [Nimsoft\probes\service\wasp\webapps\samlsso.war] file and the [Nimsoft\probes\service\wasp\webapps\samlsso] folder.

3. Delete both the [Nimsoft\probes\service\wasp\webapps\samlsso.war] file and the [Nimsoft\probes\service\wasp\webapps\samlsso] folder (the folder is the exploded copy of the old war; deleting it ensures the patched war is the one deployed).

4. Copy the attached samlsso.war into the folder [Nimsoft\probes\service\wasp\webapps].

5. Add the property below at the end of the file [Nimsoft\probes\service\wasp\conf\samlsso\samlssoConfig.properties] and save the file before activating the wasp probe.

saml.idp.authentication.local.login.disabled=false

6. Activate the wasp probe.

7. Validate the SAML SSO workflow.
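As an added, scripted equivalent of steps 2 to 5 (not Broadcom's tooling and not part of the article), the following Python backs up the war and the exploded folder into a timestamped directory, removes both, copies the patched war in, and sets the property idempotently so a second run does not leave duplicate lines. Probe deactivation and activation (steps 1 and 6) are left to the operator. The optional SHA-256 check assumes you obtained a checksum for the attachment out of band; the scratch layout in demo() is constructed for the example and never touches a real installation.

```python
"""Scripted equivalent of the samlsso.war replacement steps. Constructed
example; deactivate/activate wasp manually before and after running it."""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

PROPERTY_KEY = "saml.idp.authentication.local.login.disabled"
PROPERTY_VALUE = "false"  # value the article tells you to set


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def replace_samlsso(webapps_dir, new_war, backup_root, expected_sha256=None):
    """Steps 2-4: back up samlsso.war and the exploded samlsso/ folder into a
    timestamped directory, delete both, then copy the patched war in.
    expected_sha256 is an assumed out-of-band checksum; None skips the check.
    Returns the backup directory."""
    webapps_dir = Path(webapps_dir)
    new_war = Path(new_war)
    if expected_sha256 and sha256_of(new_war) != expected_sha256.lower():
        raise ValueError("patched samlsso.war does not match the expected SHA-256")
    backup_dir = Path(backup_root) / time.strftime("samlsso-backup-%Y%m%d-%H%M%S")
    backup_dir.mkdir(parents=True, exist_ok=False)  # never merge into an older backup
    old_war = webapps_dir / "samlsso.war"
    old_dir = webapps_dir / "samlsso"
    if old_war.is_file():
        shutil.copy2(old_war, backup_dir / "samlsso.war")
        old_war.unlink()
    if old_dir.is_dir():
        shutil.copytree(old_dir, backup_dir / "samlsso")
        shutil.rmtree(old_dir)
    shutil.copy2(new_war, old_war)
    return backup_dir


def set_property(props_file, key=PROPERTY_KEY, value=PROPERTY_VALUE):
    """Step 5, made idempotent: rewrite an existing 'key=value' line in place
    or append one, so re-running never duplicates the entry. Only the
    'key=value' form of Java properties is handled; comments are left alone.
    Returns the final line."""
    props_file = Path(props_file)
    lines = props_file.read_text(encoding="utf-8").splitlines() if props_file.exists() else []
    new_line = f"{key}={value}"
    out, found = [], False
    for line in lines:
        stripped = line.strip()
        is_comment = stripped.startswith("#") or stripped.startswith("!")
        if not is_comment and stripped.split("=", 1)[0].strip() == key:
            out.append(new_line)
            found = True
        else:
            out.append(line)
    if not found:
        out.append(new_line)
    props_file.write_text("\n".join(out) + "\n", encoding="utf-8")
    return new_line


def demo():
    """Exercise both helpers on a constructed scratch layout and return facts
    about the outcome, so the behaviour can be checked without a real install."""
    root = Path(tempfile.mkdtemp(prefix="uim-samlsso-"))
    try:
        webapps = root / "webapps"
        (webapps / "samlsso" / "WEB-INF").mkdir(parents=True)
        (webapps / "samlsso" / "WEB-INF" / "web.xml").write_text("<old/>")
        (webapps / "samlsso.war").write_bytes(b"OLD-WAR")
        patched = root / "samlsso.war"  # stands in for the article's attachment
        patched.write_bytes(b"PATCHED-WAR")
        props = root / "samlssoConfig.properties"
        props.write_text("saml.some.other.key=x\n"
                         "# saml.idp.authentication.local.login.disabled=true\n")

        backup = replace_samlsso(webapps, patched, root / "backups", sha256_of(patched))
        set_property(props)
        set_property(props)  # second run must be a no-op
        text = props.read_text()
        return {
            "backup_has_old_war": (backup / "samlsso.war").read_bytes() == b"OLD-WAR",
            "backup_has_old_dir": (backup / "samlsso" / "WEB-INF" / "web.xml").is_file(),
            "exploded_dir_removed": not (webapps / "samlsso").exists(),
            "patched_war_in_place": (webapps / "samlsso.war").read_bytes() == b"PATCHED-WAR",
            "property_lines": text.count(f"{PROPERTY_KEY}={PROPERTY_VALUE}\n"),
            "comment_untouched": "# saml.idp.authentication.local.login.disabled=true" in text,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

On a real system, point replace_samlsso at Nimsoft\probes\service\wasp\webapps and set_property at Nimsoft\probes\service\wasp\conf\samlsso\samlssoConfig.properties, with wasp already deactivated; record the checksum of the war you deployed alongside the backup so a later rollback or audit can confirm which file was in place.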


Additional Information

Notes:

  • This issue does not surface if the IdP neither uses Kerberos nor sends the assertion encrypted. With the changes, SSO succeeds in all cases and configurations.

  • The fix is valid for deployment on DX UIM 23.4.6 (CU6) only. If you run into this issue on CU5 or CU7, open a case with Broadcom support to request the corresponding fix.

  • This fix will be merged into DX UIM 23.4.8 (CU8).

 


Future Enhancement DX UIM 23.4 CU8:

In DX UIM 23.4 CU8, a new configuration flag in the Admin and Operator Consoles will allow administrators to completely disable the local login page. While IdP-initiated login is currently supported, this update will ensure that unauthenticated users are no longer defaulted to the local sign-in form.

This enhancement prevents users from bypassing SAML SSO and ensures a single, unified access flow.

Attachments

samlsso.war