Troubleshooting SAML authentication

Use the following information to troubleshoot errors and issues when using SAML 2.0 with QRadar.

Sign-on or logout failure

When single sign-on or single logout fails, make sure that the QRadar SAML metadata that you uploaded to the Identity Provider matches the latest deployed metadata at https://<yourqradarserverhostname>/console/SAMLMetadata. Also, make sure that you uploaded the root CA, root CA CRL, intermediate CA, and intermediate CA CRL files of your selected certificate to the correct location in the IDP server's certificate stores. When the provided QRadar_SAML certificate is used, you can download these files at:
http://<yourqradarserverhostname>:9381/root-qradar-ca_ca
http://<yourqradarserverhostname>:9381/QRadarSAML_ca.crt
http://<yourqradarserverhostname>:9381/root-qradar-ca_ca.crl
http://<yourqradarserverhostname>:9381/QRadarSAML_ca.crl
Note: If you are using the provided QRadar_SAML certificate, the above steps are required after you restore QRadar from a backup.
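To check the first point above without comparing two XML files by eye, the following added Python script (not QRadar code) reduces each EntityDescriptor to its entityID, its assertion consumer and single logout endpoints, and a SHA-256 fingerprint of each KeyDescriptor certificate, then reports which of those differ between the copy the IDP holds and the live copy. The host name qradar.example.com, the entityID, the endpoint paths and the certificate bytes are constructed stand-ins; in practice the live copy is fetched from https://<yourqradarserverhostname>/console/SAMLMetadata and the uploaded copy is exported from the IDP.

```python
"""Compare the QRadar SAML (SP) metadata held by the IdP with the live copy.

Added example, not QRadar code. Everything in the sample documents is constructed:
the host qradar.example.com, the entityID, the endpoint paths and the certificate
bytes. In practice LIVE_METADATA comes from
https://<yourqradarserverhostname>/console/SAMLMetadata and UPLOADED_METADATA is
exported from the IdP.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def placeholder_cert_b64(label):
    """Stand-in for the base64 DER certificate a real KeyDescriptor carries."""
    return base64.b64encode(f"constructed placeholder DER: {label}".encode()).decode()


def sp_metadata(host, cert_b64):
    """Build a constructed SP EntityDescriptor shaped like SAML 2.0 metadata."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://{host}/console">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {cert_b64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://{host}/console/SAMLLogout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://{host}/console/SAMLAssertionConsumer" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def summarize(metadata_xml):
    """Reduce an EntityDescriptor to the fields an IdP actually validates against."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)

    def endpoints(tag):
        return sorted((e.get("Binding"), e.get("Location")) for e in sp.findall(tag, NS))

    certs = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
        der = base64.b64decode("".join(b64.split()))  # drop pretty-printing whitespace
        certs[kd.get("use", "signing+encryption")] = hashlib.sha256(der).hexdigest()

    return {
        "entityID": root.get("entityID"),
        "acs": endpoints("md:AssertionConsumerService"),
        "slo": endpoints("md:SingleLogoutService"),
        "cert_sha256": certs,
    }


def metadata_differences(uploaded_xml, live_xml):
    """Return {field: (uploaded, live)} for every field that disagrees."""
    uploaded, live = summarize(uploaded_xml), summarize(live_xml)
    return {k: (uploaded[k], live[k]) for k in uploaded if uploaded[k] != live[k]}


# Constructed scenario: the IdP still holds metadata exported before "Renew" was clicked,
# so only the certificate fingerprint differs from the live copy.
UPLOADED_METADATA = sp_metadata("qradar.example.com", placeholder_cert_b64("QRadar_SAML before Renew"))
LIVE_METADATA = sp_metadata("qradar.example.com", placeholder_cert_b64("QRadar_SAML after Renew"))

if __name__ == "__main__":
    for field, (old, new) in metadata_differences(UPLOADED_METADATA, LIVE_METADATA).items():
        print(f"{field} differs:\n  IdP copy: {old}\n  live:     {new}")
```

A certificate fingerprint that differs while entityID and endpoints agree is the stale-metadata case that follows a certificate renewal or, as the note above says, a restore from backup; a differing entityID or endpoint location usually points at a host name change.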

Account not authorized

Certain configuration issues can produce this error:
This account is not authorized to access QRadar. 
Logout from your SAML identity provider and use an authorized account to login.

If you are using Local authorization, ensure that the NameID in the SAML assertion matches an existing QRadar user name and that the user is deployed.

If you are using User Attribute authorization, ensure that the SAML assertion contains the configured role attribute and security profile attribute with values that match an existing deployed role and security profile in QRadar. When using a role with Admin capabilities, the value of the security profile attribute must be Admin. If the assertion contains a tenant attribute in a multi-tenancy environment, ensure that the value of the attribute matches an existing tenant in QRadar.
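As an added example (not QRadar code), the following Python script applies the two sets of rules above to a SAML assertion so the cause of the "not authorized" error can be pinned down offline: under Local authorization the NameID must match a QRadar user that is deployed; under User Attribute authorization the role and security profile attributes must match deployed objects, a role with Admin capabilities requires the Admin security profile, and a tenant attribute must name an existing tenant. The attribute names (qradarRole, qradarSecurityProfile, qradarTenant), the user names and the role, profile and tenant inventories are constructed; in practice the attribute names are whatever is configured in the Authentication Module Settings and the inventories are what the Admin tab shows as deployed.

```python
"""Diagnose 'This account is not authorized to access QRadar' from a SAML assertion.

Added example, not QRadar code. Attribute names, user names and the inventories of
roles, security profiles and tenants are constructed stand-ins for what an
administrator would read from the QRadar Admin tab.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}


def make_assertion(name_id, attributes):
    """Build a minimal, unsigned assertion (constructed test input, not a real IdP message)."""
    attr_xml = "".join(
        f"<saml:Attribute Name={quoteattr(name)}>"
        + "".join(f"<saml:AttributeValue>{escape(v)}</saml:AttributeValue>" for v in values)
        + "</saml:Attribute>"
        for name, values in attributes.items()
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed" Version="2.0">'
        f"<saml:Subject><saml:NameID>{escape(name_id)}</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def parse_assertion(assertion_xml):
    """Return (NameID, {attribute name: [values]}) from an assertion document."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [
            (v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)
        ]
    return name_id, attrs


def check_local_authorization(assertion_xml, users):
    """Local authorization: the NameID must name a QRadar user that is deployed.
    `users` maps user name -> True if deployed, False if created but not yet deployed."""
    name_id, _ = parse_assertion(assertion_xml)
    if not name_id:
        return ["assertion carries no NameID"]
    if name_id not in users:
        return [f"NameID {name_id!r} does not match any QRadar user name"]
    if not users[name_id]:
        return [f"user {name_id!r} exists but has not been deployed (run Deploy Changes)"]
    return []


def check_attribute_authorization(assertion_xml, config, inventory):
    """User Attribute authorization.
    config:    {"role_attr", "profile_attr", "tenant_attr" (None when not configured)}
    inventory: {"roles": {name: has_admin_capabilities}, "profiles": set, "tenants": set}"""
    _, attrs = parse_assertion(assertion_xml)
    problems = []

    roles = attrs.get(config["role_attr"], [])
    profiles = attrs.get(config["profile_attr"], [])
    if not roles:
        problems.append(f"assertion lacks the role attribute {config['role_attr']!r}")
    if not profiles:
        problems.append(f"assertion lacks the security profile attribute {config['profile_attr']!r}")

    role = roles[0] if roles else None
    profile = profiles[0] if profiles else None
    if role is not None and role not in inventory["roles"]:
        problems.append(f"role {role!r} is not a deployed QRadar role")
    if profile is not None and profile not in inventory["profiles"]:
        problems.append(f"security profile {profile!r} is not a deployed QRadar security profile")
    # A role with Admin capabilities is only accepted together with the Admin security profile.
    if inventory["roles"].get(role) and profile != "Admin":
        problems.append(
            f"role {role!r} has Admin capabilities, so the security profile must be 'Admin' (got {profile!r})"
        )

    tenant_attr = config.get("tenant_attr")
    if tenant_attr and tenant_attr in attrs:  # tenant attribute is optional in the assertion
        tenant = attrs[tenant_attr][0] if attrs[tenant_attr] else ""
        if tenant not in inventory["tenants"]:
            problems.append(f"tenant {tenant!r} does not match an existing QRadar tenant")
    return problems


# Constructed inventories: bob exists but was never deployed; "Analyst" is a non-admin role.
USERS = {"alice": True, "bob": False}
INVENTORY = {
    "roles": {"Admin": True, "Analyst": False},
    "profiles": {"Admin", "Analysts"},
    "tenants": {"tenant-a"},
}
CONFIG = {"role_attr": "qradarRole", "profile_attr": "qradarSecurityProfile", "tenant_attr": "qradarTenant"}

if __name__ == "__main__":
    bad = make_assertion(
        "bob", {"qradarRole": ["Admin"], "qradarSecurityProfile": ["Analysts"], "qradarTenant": ["ghost"]}
    )
    for line in check_local_authorization(bad, USERS) + check_attribute_authorization(bad, CONFIG, INVENTORY):
        print("-", line)
```

Feed the script the assertion as logged by the IDP (or decoded from the SAMLResponse POST body) rather than a hand-built one; every line it prints maps to one of the conditions listed above, and an empty result means the mismatch lies elsewhere, for example in an undeployed configuration change.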

Log files

You can diagnose many other issues by using the Identity Provider server logs and the /var/log/qradar.error log.

Restore system login for investigation

To investigate issues with SAML 2.0, you can restore QRadar to use the default system login.

Copy the content of /opt/qradar/conf/templates/login.conf into /opt/qradar/conf/login.conf.

Alternatively, edit the /opt/qradar/conf/login.conf file and change
ModuleClass=com.q1labs.uiframeworks.auth.configuration.SamlLoginConfiguration
to
ModuleClass=com.q1labs.uiframeworks.auth.configuration.LocalPasswordLoginConfiguration
Clear the browser cache and log in as an Admin user. After you complete your investigation, change ModuleClass back to the SAML login configuration value shown above and clear the browser cache again.

Unable to reach the QRadar console after logging in with an identity provider

Ensure that the host name for the QRadar console can be resolved by the local DNS server. Also, ensure that your computer can reach the QRadar console by using the host name.

Login or logout failures on the IDP server

Check the IDP server logs to determine if the failures are caused by errors in the CRL revocation checks. If so, import the QRadar_SAML certificate CRLs to the IDP server, or make sure that the IDP server can reach the QRadar console by using an HTTP connection.

Identity provider certificate is expired

When the certificate in the identity provider's metadata file is expired, you cannot log in to QRadar, and the following error appears in the /var/log/qradar.error file:
com.q1labs.uiframeworks.auth.saml.metadata.DefaultMetadataServiceImpl: 
[ERROR] NotAfter: <date>
java.security.cert.CertificateExpiredException:  NotAfter: 

To resolve this issue, ask your identity provider to update the certificate in the metadata file, and then reconfigure SAML in QRadar to use the new IDP metadata file.

QRadar_SAML certificate is expired

A QRadar system notification is shown when the QRadar_SAML certificate is about to expire.

Before the certificate expires, you must renew it.
  1. On the Admin tab, click Authentication.
  2. Click Authentication Module Settings.
  3. From the Authentication Module list, select SAML 2.0.
  4. Click Renew to renew the QRadar_SAML certificate.
  5. Click Save Authentication Module.

    The QRadar SAML metadata file is automatically downloaded.

  6. Click the links in the tooltip to download the QRadar root CA and intermediate CA certificate, as well as the CRL files.
  7. On the Admin tab, click Deploy Changes.
  8. Send the following files to your IDP server to deploy the changes.
    • QRadar metadata file
    • QRadar root CA certificate
    • QRadar intermediate CA certificate
    • CRL files

Third-party certificate is expired

You do not have to use the QRadar_SAML certificate that is provided with QRadar; you can use your own third-party certificate. When the certificate is about to expire, a QRadar system notification is shown.

Before the third-party certificate expires, you must update the existing certificate or add a new certificate.
  1. On the Admin tab, click Authentication.
  2. Click Authentication Module Settings.
  3. From the Authentication Module list, select SAML 2.0.
  4. Click Add or Update.
  5. Click Save Authentication Module.

    The QRadar SAML metadata file is automatically downloaded.

  6. Click the links in the tooltip to download the QRadar root CA and intermediate CA certificate, as well as the CRL files for the certificate.
  7. On the Admin tab, click Deploy Changes.
  8. Send the following files to your IDP server to deploy the changes.
    • QRadar metadata file
    • QRadar root CA certificate
    • QRadar intermediate CA certificate
    • CRL files