Troubleshooting
Problem
You configured enterprise SAML authentication in your environment, but when you try to authenticate with SAML, all your roles in IAM disappear and you get the error `"exception": "User does not have any roles"`, `unauthorized_error`, `StatusCode: 401` while trying to access ICN.
If you authenticate with enterprise LDAP, your roles are the ones expected and you can access ICN without any issue.
To reproduce the issue, you can perform the following steps:
1. Remove your user from Zen to have a fresh clear start.
2. Log in to ICN using LDAP. Everything works.
3. Looking at Zen you can see that the user was created and has the correct roles.
4. Then, you log out of ICN/Zen with the LDAP user.
5. You log in by using SAML authentication and the same user you previously used for the LDAP login.
6. The login fails with an error indicating a missing role.
7. Looking into Zen, you see that the user still exists, but all roles are gone.
As a second test:
1. You remove the user from Zen.
2. Log in using SAML authentication and this user.
3. You receive the error message `"Sorry, we could not verify your credentials."` with `signin_fail`.
4. Looking into Zen, the user was not created and does not exist.
Symptom

Cause
Check whether the SAML response contains valid group attributes.
The SAML registration that uses the IDP API is missing (if you configured SAML using cloudctl).
If you registered SAML using the Platform UI or the V3 API, no separate registration is needed.
Environment
- Product Version: CP4Automation 21.0.3
- IBM Cloud Pak Foundational services: CS 3.20
- Cloud Platform: VSphere
- Red Hat OpenShift Version: RHOCP 4.8
Resolving The Problem
To resolve this issue, you need to create the missing SAML configuration through the API and not through the Zen Admin UI.
You can follow the steps as instructed in the IBM Documentation about the SSO configuration:

```shell
curl -k -X POST 'https://hive-etat-iam-test.intranet.etat.lu/idprovider/v3/auth/idsource' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <token>' \
  --resolve hive-etat-iam-test.intranet.etat.lu:443:10.115.137.129 \
  --data-raw '{
    "name": "idp_saml_ad",
    "description": "SAML AD configuration",
    "protocol": "saml",
    "type": "default",
    "idp_config": {
      "token_attribute_mappings": {
        "sub": "UserName",
        "given_name": "GivenName",
        "family_name": "Sn",
        "groups": "groups",
        "email": "Email"
      },
      "idp_metadata": "<Base_64_IDP_Metadata_XML_file>"
    },
    "ldap_config": {
      "ldap_id": "cp4ba-prod-5375"
    },
    "jit": false
  }'
```
- Make sure the SAML response returns a valid group attribute.
- If you have onboarded an LDAP group to the Zen console and your SAML IdP uses the same LDAP, make sure to associate the LDAP with the SAML registration, using the API or the UI.
- IBM supports the v2 API, the v3 API, or the UI. With the V3 API or the UI, configuration and registration can both be done in one shot.
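The check below is an added example, not IBM's code: it decodes a posted SAMLResponse and reports which claims in the `token_attribute_mappings` above cannot be filled from the assertion's attributes. The sample assertion is constructed and deliberately lacks the `groups` attribute, which is the condition that leaves the Zen user with no roles.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# token_attribute_mappings from the registration payload: claim -> SAML attribute Name.
# Names are compared exactly, so an IdP sending "Groups" would not satisfy "groups".
TOKEN_ATTRIBUTE_MAPPINGS = {
    "sub": "UserName",
    "given_name": "GivenName",
    "family_name": "Sn",
    "groups": "groups",
    "email": "Email",
}

# Constructed sample assertion (not a real IdP response): user attributes present,
# no "groups" attribute.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="UserName"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="GivenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@example.invalid</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The browser posts the response as a base64-encoded SAMLResponse form field.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_ASSERTION.encode()).decode()


def saml_attributes(xml_text):
    """Collect {attribute Name: [non-empty values]} from every saml:Attribute element."""
    attrs = {}
    for attr in ET.fromstring(xml_text).iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text.strip() for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")
                  if v.text and v.text.strip()]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_mappings(xml_text, mappings=TOKEN_ATTRIBUTE_MAPPINGS):
    """Return the claims whose mapped attribute is absent or empty in the assertion."""
    attrs = saml_attributes(xml_text)
    return [claim for claim, name in mappings.items() if not attrs.get(name)]


def check_saml_response(saml_response_b64, mappings=TOKEN_ATTRIBUTE_MAPPINGS):
    """Decode a posted SAMLResponse and list the unmapped claims ('groups' => no roles)."""
    return check_mappings(base64.b64decode(saml_response_b64).decode(), mappings)
```

Feed it the SAMLResponse value captured from the browser's POST to the service provider; an empty list means every mapped claim, including the group attribute, is present.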
Document Location
Worldwide
Product Synonym
IBM Cloud Pak Foundational Services; Cloud Pak for Business Automation; IAM; Common services, Enterprise SAML;
Document Information
Modified date:
27 September 2022
UID
ibm16695801