Troubleshooting
Problem
SAML authentication stopped working on secondary HA node after a failover.
Symptom
After the console was failed over to the secondary HA node, SAML authentication stopped working.
Cause
A common reason for authentication failure after a failover is that the SAML configuration is set up to include only one of the HA nodes, so the service-provider URLs stop matching once the other node takes over.
Diagnosing The Problem
- Log in to your QRadar console CLI.
- Check the parameters Entity ID and AssertionConsumerService in the login.conf file on both the primary and secondary nodes: /opt/qradar/conf/login.conf
- Verify which FQDN or IP address is used in the Entity ID and AssertionConsumerService parameters: is it the host's own IP or the virtual IP (VIP)?
You can use the following example command to check the parameters:
[root@qradar ~]# grep -iE "entity|assertion" /opt/qradar/conf/login.conf
SPEntityID=https://(FQDN of VIP or VIP)/console
AssertionConsumerService=https://(FQDN of VIP or VIP)/console/SAMLSSOAssertionConsumerService
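The check above, as an added example that is not part of the IBM technote: a small POSIX shell function that reads SPEntityID and AssertionConsumerService from a login.conf, extracts the host from each URL and reports whether it is the expected VIP. The file paths, the VIP name and the addresses in the sample files are constructed for the stand-alone run; on a real node you would point it at /opt/qradar/conf/login.conf on both the primary and the secondary.

```shell
#!/bin/sh
# Added example (not IBM's code): verify that the SAML service-provider URLs in a
# QRadar login.conf point at the HA virtual IP (VIP) rather than a node address.

# Print the host part of the URL assigned to key $2 in file $1 (empty if absent).
saml_host_of() {
    grep -E "^$2=" "$1" | head -n 1 | sed -E 's#^[^=]*=https?://([^/:]+).*#\1#'
}

# check_saml_vip <login.conf> <VIP or FQDN of VIP>
# Prints one line per parameter; returns 0 only if both parameters use the VIP.
check_saml_vip() {
    file=$1
    vip=$2
    rc=0
    for key in SPEntityID AssertionConsumerService; do
        host=$(saml_host_of "$file" "$key")
        if [ -z "$host" ]; then
            echo "$key: missing in $file"
            rc=1
        elif [ "$host" = "$vip" ]; then
            echo "$key: OK ($host is the VIP)"
        else
            echo "$key: MISMATCH ($host is not the VIP $vip) - fix on both HA nodes"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files (hypothetical addresses) so the example runs offline.
SAMPLE_BAD=$(mktemp)    # a node's own IP was used: breaks after failover
cat > "$SAMPLE_BAD" <<'EOF'
authorization=local
SPEntityID=https://192.0.2.11/console
AssertionConsumerService=https://192.0.2.11/console/SAMLSSOAssertionConsumerService
debug=false
EOF
SAMPLE_GOOD=$(mktemp)   # VIP FQDN used: survives failover
cat > "$SAMPLE_GOOD" <<'EOF'
SPEntityID=https://qradar-vip.example.com/console
AssertionConsumerService=https://qradar-vip.example.com/console/SAMLSSOAssertionConsumerService
EOF
trap 'rm -f "$SAMPLE_BAD" "$SAMPLE_GOOD"' EXIT

check_saml_vip "$SAMPLE_GOOD" qradar-vip.example.com
check_saml_vip "$SAMPLE_BAD" qradar-vip.example.com || echo "login.conf needs correction"
```

Run it against the file on each node with the same VIP argument; a MISMATCH on either node means the Resolving steps below apply to that node.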
Resolving The Problem
Note: The following steps require a Deploy, which causes a small interruption in event processing during the deployment. If you are not permitted to run a Deploy during office hours, you might need to schedule a time slot to perform these steps.
- Log in to your QRadar console CLI.
- Take a backup of the login configuration file:
cp -v /opt/qradar/conf/login.conf /opt/qradar/conf/login.conf.backup
- Open the file in the vim editor by using the command:
vim /opt/qradar/conf/login.conf
- Two parameters need to be checked: the Entity ID (SPEntityID) and AssertionConsumerService. If either parameter contains the primary or secondary host IP instead of the VIP, manually edit the file and replace the incorrect IP with the FQDN of the VIP or the VIP itself. This needs to be changed on both nodes. Edit these lines:
SPEntityID=https://(FQDN of VIP or VIP)/console
AssertionConsumerService=https://(FQDN of VIP or VIP)/console/SAMLSSOAssertionConsumerService
- Save the file: press Escape, type :wq, and press Enter.
- Click Deploy Changes on the deployment banner on the Admin tab.
Example configuration file:
[root@qradar ~]# cat /opt/qradar/conf/login.conf
tenantAttr=*****
SLOService=*****
IDPMetadataFilePath=/opt/qradar/conf/SAMLAuthentication/IDP/*****.xml
AuthRequestBinding=*****
certificateName=*****
RequireSingleSignOut=*****
ModuleClass=com.qilabs.utframeworks.auth.configuration.SamlLoginConfiguration
authorization=local
SPNameIDFormat=*****
AuthRequestSigned=*****
roleAttr=*****
securityProfileAttr=*****
SPEntityID=https://(FQDN of VIP or VIP)/console
AssertionConsumerService=https://(FQDN of VIP or VIP)/console/SAMLSSOAssertionConsumerService
debug=false
NAS-IP-Address=@*****
Result:
SAML authentication continues to work after a failover, because both nodes now advertise the same VIP-based service-provider URLs.
Document Location
Worldwide
Document Information
Modified date:
28 March 2023
UID
ibm16560348