SSO SAML integration in Spectrum doesn't work when using Microsoft Entra ID as the IdP

Article ID: 443924

Products

Network Observability Spectrum

Issue/Introduction

Users encounter an "Access Denied" error or authentication failure when logging into Spectrum OneClick via SAML SSO.

In some cases, the system creates users with email addresses instead of the expected User ID, or fails to create new users based on group memberships when using Microsoft Entra ID (formerly Azure AD) as the Identity Provider (IdP).

The following errors appear in the OneClick stdout.log or SAML debug logs:

WARN com.aprisma.errorlog - Unable to obtain user attributes
DEBUG com.aprisma.tomcat.realm.SecurityRealm - securitySp.getUserRoles returned null
ERROR com.aprisma.tomcat.authenticator.Saml2FederationAuthenticator - No SAML groups found in Spectrum
ERROR com.aprisma.tomcat.authenticator.Saml2FederationAuthenticator - SAML user #### authentication failed.

Additionally, the SAMLTokenValidator may show attributes being received with long schema URLs (e.g., http://schemas.xmlsoap.org/ws/2005/05/identity/claims/memberOf) which prevent correct mapping.

Environment

  • DX NetOps Spectrum 22.3, 24.3, 25.4
  • Microsoft Entra ID (Azure AD)
  • SAML 2.0 Integration

Cause

This issue occurs when the Identity Provider (IdP) is not configured to send the specific attribute names that DX Spectrum requires.

Spectrum expects the username in the primary NameID element and user groups in an attribute specifically named memberOf.

If Entra ID sends the email address in NameID or uses a long URI for the group claim, authentication fails.

Resolution

To resolve this, you must adjust the SAML mapping rules within the Microsoft Entra ID Enterprise Application settings:

  1. Log in to the Entra ID Portal.
  2. Navigate to Enterprise Applications and select your Spectrum OneClick application.
  3. Go to Single sign-on > Attributes & Claims.
  4. Configure the Unique User Identifier (Name ID):
    • Ensure the source attribute is set to the user's ID (e.g., user.onpremisessamaccountname or user.employeeid) rather than the email address.
  5. Add or edit the Group Claim:
    • Select Groups assigned to the application or All groups as appropriate for your environment.
    • Set the Source attribute to sAMAccountName.
    • Check the box for Customize the name of the group claim.
    • Set the Name to exactly memberOf. Do not include a namespace or URL.
  6. Save the changes and test the login.

If you continue to experience issues, verify that the group names received from Entra ID match the group names created in Spectrum OneClick exactly (case-sensitive).
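The following script is an added troubleshooting example, not part of this article or of Spectrum itself. It parses a decoded SAML 2.0 assertion (for instance one copied from the SAML debug log or a browser SAML trace) and reports the three conditions described above: whether NameID carries an email address instead of the user ID, whether the group claim is named exactly memberOf rather than the long schema URI, and whether the received group names match the OneClick group names case-sensitively. The two assertions and the OneClick group list are constructed sample data; the script does not check the assertion's signature, conditions or audience, so it is a mapping check only.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Exact attribute name Spectrum expects for group membership.
EXPECTED_GROUP_ATTR = "memberOf"

# Constructed: group names as they exist in Spectrum OneClick.
SPECTRUM_GROUPS = ["spectrum-admins", "spectrum-operators"]

# Constructed sample (not a real Entra ID response) showing the misconfigurations
# from this article: email in NameID, group claim under its long URI, and one
# group name that differs from the OneClick group only in case.
BAD_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/memberOf">
      <saml2:AttributeValue>spectrum-admins</saml2:AttributeValue>
      <saml2:AttributeValue>Spectrum-Operators</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Constructed sample of an assertion shaped the way the Resolution section asks for.
GOOD_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID>jdoe</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="memberOf">
      <saml2:AttributeValue>spectrum-admins</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def check_assertion(assertion_xml, spectrum_groups):
    """Report NameID and group-claim problems in a SAML assertion as Spectrum would see them.

    Troubleshooting helper only: no signature, Conditions or Audience validation."""
    root = ET.fromstring(assertion_xml)
    findings = []

    # 1. NameID is the username Spectrum uses; an email address here means users are
    #    created or looked up as "user@domain" instead of the expected User ID.
    name_id_el = root.find("saml2:Subject/saml2:NameID", NS)
    name_id = (name_id_el.text or "").strip() if name_id_el is not None else ""
    name_id_format = name_id_el.get("Format", "") if name_id_el is not None else ""
    if not name_id:
        findings.append("NameID missing: Spectrum cannot determine the username")
    elif "@" in name_id or name_id_format.endswith("emailAddress"):
        findings.append(f"NameID '{name_id}' is an email address; set the Name ID source to the user ID")

    # 2. Collect every attribute; Spectrum only maps the one named exactly memberOf.
    attributes = {}
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
        attributes[attr.get("Name", "")] = values

    # A claim whose last URI segment is memberOf (or differs only in case) is the usual near miss.
    near_misses = [n for n in attributes
                   if n != EXPECTED_GROUP_ATTR
                   and n.rsplit("/", 1)[-1].lower() == EXPECTED_GROUP_ATTR.lower()]
    if EXPECTED_GROUP_ATTR in attributes:
        groups = attributes[EXPECTED_GROUP_ATTR]
        if not groups:
            findings.append(f"'{EXPECTED_GROUP_ATTR}' attribute is present but carries no group values")
    elif near_misses:
        # Still compare the names underneath, so every problem is reported in one pass.
        groups = attributes[near_misses[0]]
        findings.append(f"group claim sent as '{near_misses[0]}'; rename it to exactly "
                        f"'{EXPECTED_GROUP_ATTR}' with no namespace or URL")
    else:
        groups = []
        findings.append(f"no '{EXPECTED_GROUP_ATTR}' attribute: Spectrum will log 'No SAML groups found'")

    # 3. Group names must match the OneClick groups exactly, including case.
    matched = [g for g in groups if g in spectrum_groups]
    for g in groups:
        if g in spectrum_groups:
            continue
        case_hits = [s for s in spectrum_groups if s.lower() == g.lower()]
        if case_hits:
            findings.append(f"group '{g}' differs only in case from Spectrum group '{case_hits[0]}'")
        else:
            findings.append(f"group '{g}' has no matching group in Spectrum")
    if groups and not matched:
        findings.append("none of the received groups exist in Spectrum; login would fail")

    return {"name_id": name_id, "groups": groups, "matched_groups": matched,
            "findings": findings, "ok": not findings}


if __name__ == "__main__":
    for label, xml_text in (("misconfigured", BAD_ASSERTION), ("corrected", GOOD_ASSERTION)):
        report = check_assertion(xml_text, SPECTRUM_GROUPS)
        print(f"[{label}] NameID={report['name_id']!r} ok={report['ok']}")
        for line in report["findings"]:
            print("  -", line)
```

Run it as-is to see the two sample reports, or replace BAD_ASSERTION with the assertion from your own SAML trace and SPECTRUM_GROUPS with the group names defined in OneClick. Each finding line corresponds to one of the Attributes & Claims settings in the Resolution steps above.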

For further assistance, see Contact Support. Scroll to the bottom of the page and click on your respective region.

Additional Information