SAML login unavailable after upgrading to 1.11.x

In some cases, the SAML login option is no longer visible after upgrading to QRadar® Suite Software 1.11.

Symptoms

SAML login is unavailable after upgrading to QRadar Suite Software 1.11.x.

Causes

There is a common services known issue where a SAML connection that was configured with the cloudctl CLI is not retained when upgrading IBM Cloud Pak® foundational services from version 3.19.x to version 4.6.x.

Resolving the problem

To resolve this problem, complete the following steps:
  1. Download and run the script provided by common services, as described in the known issue.
  2. After the script has run, a new SAML connection named saml appears in the foundational services user interface.
  3. Because the cp-console hostname changes when upgrading IBM Cloud Pak foundational services, you must update the hostname of common services in your IDP.

    For more information, see Reconfiguring SAML authentication after upgrading to QRadar Suite Software 1.11.11.

  4. Fetch SAML service provider metadata in common services and update this information in your identity provider, as follows:
    1. Log in to the foundational services Cloud Pak console and go to the Identity Providers page, where the newly created saml connection is shown, for example:
      Tip: Information about retrieving the login credentials for foundational services is shown after this procedure.
    2. Click the Actions option (3 dots) on the SAML connection, and click Edit connection.
    3. Scroll down to To Identity provider or click the heading on left navigation pane.
    4. Click Download metadata.
    5. Upload the metadata to your identity provider.
  5. Verify you can use SAML authentication to log in to QRadar Suite Software V1.11.
  6. Run a script to reconfigure the data in the entitlements database. This step is required so that the database references the newly configured identity provider; otherwise user management can behave unexpectedly:
    ./cpctl tools update_user_idp_details --token $(oc whoami -t) --ldap_name <ldap_name> --idp_name <idp_name>
    where <ldap_name> and <idp_name> are the values specified in the saml connection on the Identity providers page. For more information about cpctl, see Installing the cpctl utility to access support actions.

Retrieving the login credentials for foundational services

Before you configure your connection, you need the credentials for IBM Cloud Pak foundational services.

Procedure

  1. Log in to your Red Hat® OpenShift® Container Platform cluster by typing either of the following commands, where <openshift_url> is the URL for your Red Hat OpenShift Container Platform environment.
    • Using a username and password.
      oc login <openshift_url> -u <username> -p <password>
    • Using a token.
      oc login --token=<token> --server=<openshift_url>
  2. Set the $CP4S_NAMESPACE environment variable by typing the following command, where <cp4s_namespace> is the namespace where QRadar Suite Software is installed.
    export CP4S_NAMESPACE=<cp4s_namespace>
  3. Retrieve the admin username of the foundational services cluster by running the following command.
    oc get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_username}' -n $CP4S_NAMESPACE | base64 -d | awk '{print $1}'
  4. Retrieve the foundational services cluster admin password by running the following command.
    oc get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_password}' -n $CP4S_NAMESPACE | base64 -d | awk '{print $1}'
  5. Retrieve the foundational services cluster URL by running the following command.
    oc get routes cp-console -n $CP4S_NAMESPACE -o jsonpath='{.spec.host}' | awk '{print $1}'
  6. In your browser, enter the URL that you retrieved at step 5. From the common web UI drop-down, select IBM Provided Credentials (cpadmin), and enter the username and password that you retrieved at steps 3 and 4.
  7. Verify that all cp4s namespace pods are at 1/1 Running state by running the following command.
    oc get pods -n $CP4S_NAMESPACE