IBM Support

QRadar: SAML authentication stopped working on secondary HA node

Troubleshooting


Problem

SAML authentication stopped working on secondary HA node after a failover.

Symptom

After the console was failed over to the secondary HA node, SAML authentication stopped working.

Cause

A common reason for authentication failure after a failover is that the SAML configuration is set up to include only one of the HA nodes, so the identity provider's response is addressed to the node that is no longer active.

Diagnosing The Problem

  1. Log in to your QRadar console CLI.
  2. Check the Entity ID and AssertionConsumerService parameters in the login.conf file on both the primary and secondary nodes: /opt/qradar/conf/login.conf
  3. Verify which FQDN or IP address is used in the Entity ID and AssertionConsumerService parameters: is it the host's own IP or the Virtual IP (VIP)?
You can use the following example command to check the parameters:
[root@qradar ~]# cat /opt/qradar/conf/login.conf | grep -iE "entity|assertion"
SPEntityID=https://(FQDN of VIP or VIP)/console
AssertionConsumerService=https://(FQDN of VIP or VIP)/console/SAMLSSOAssertionConsumerService
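As an added example that is not part of the IBM technote, the following POSIX shell check automates step 3: it extracts the host part of SPEntityID and AssertionConsumerService from a login.conf and reports whether each one points at the expected VIP (or its FQDN) rather than at a node's own address. The hostnames, IP addresses and sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the IBM technote): verify that SPEntityID and
# AssertionConsumerService in a login.conf point at the HA virtual IP
# (or its FQDN) rather than at one node's own address.
# Usage: check_saml_endpoints /opt/qradar/conf/login.conf qradar-vip.example.com
# Prints one line per parameter and returns 0 only if both match the VIP.

# Extract the host part of a URL value, dropping scheme, port and path.
url_host() {
    printf '%s\n' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#[/:].*$##'
}

check_saml_endpoints() {
    conf="$1"
    vip="$2"
    rc=0
    for key in SPEntityID AssertionConsumerService; do
        # Take the value after the first '=' of the matching line.
        value=$(grep -i "^${key}=" "$conf" | head -n 1 | cut -d= -f2-)
        host=$(url_host "$value")
        if [ -z "$host" ]; then
            echo "$key: MISSING in $conf"
            rc=1
        elif [ "$host" = "$vip" ]; then
            echo "$key: OK ($host)"
        else
            echo "$key: MISMATCH ($host, expected $vip)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files standing in for the two HA nodes: the primary
# already uses the VIP FQDN, the secondary still carries its own host IP.
TMP=$(mktemp -d)
cat > "$TMP/primary.conf" <<'EOF'
SPEntityID=https://qradar-vip.example.com/console
AssertionConsumerService=https://qradar-vip.example.com/console/SAMLSSOAssertionConsumerService
EOF
cat > "$TMP/secondary.conf" <<'EOF'
SPEntityID=https://192.0.2.12/console
AssertionConsumerService=https://192.0.2.12/console/SAMLSSOAssertionConsumerService
EOF

# Check both nodes, as the technote instructs.
for node in primary secondary; do
    echo "== $node"
    check_saml_endpoints "$TMP/$node.conf" qradar-vip.example.com || true
done
```

On a real HA pair, run the function against /opt/qradar/conf/login.conf on each node with your VIP's FQDN; any MISMATCH or MISSING line identifies the node whose file needs the edit described in the next section.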

Resolving The Problem

Note: The following steps require a Deploy, which causes a small interruption in event processing during the deployment. If you are not permitted to run a Deploy during office hours, you might need to schedule a time slot to perform these steps.
  1. Log in to your QRadar console CLI.
  2. Take a backup of the login configuration file:
    cp -v /opt/qradar/conf/login.conf /opt/qradar/conf/login.conf.backup
  3. Open the file in the vim editor by using the command:
    vim /opt/qradar/conf/login.conf
  4. Two parameters need to be checked: the Entity ID and the AssertionConsumerService. If the parameters contain a primary or secondary host IP instead of a VIP, manually edit the file and replace the incorrect IP with the FQDN of the VIP or the VIP itself. This needs to be changed on both nodes. Edit these lines:
    SPEntityID=https://(FQDN of VIP or VIP)/console
    AssertionConsumerService=https://(FQDN of VIP or VIP)/console/SAMLSSOAssertionConsumerService
  5. Save the file: Press Escape, colon (:), and type wq, and press Enter.
  6. Click Deploy Changes on the deployment banner on the Admin tab.
Example configuration file:
[root@qradar ~]# cat /opt/qradar/conf/login.conf 
tenantAttr=*****
SLOService=*****
IDPMetadataFilePath=/opt/qradar/conf/SAMLAuthentication/IDP/*****.xml 
AuthRequestBinding=*****
certificateName=*****
RequireSingleSignOut=*****
ModuleClass=com.qilabs.utframeworks.auth.configuration.SamlLoginConfiguration
authorization=local
SPNameIDFormat=*****
AuthRequestSigned=*****
roleAttr=*****
securityProfileAttr=*****
SPEntityID=https://(FQDN of VIP or VIP)/console
AssertionConsumerService=https://(FQDN of VIP or VIP)/console/SAMLSSOAssertionConsumerService
debug=false
NAS-IP-Address=@*****

    Result:
    SAML authentication continues to work after the failover.


Document Information

Modified date:
28 March 2023

UID

ibm16560348