Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000033795 - RSA Identity Management & Governance AuthRequest asking for a transient ID in SAML SSO integration

Document created by RSA Customer Support

on Jan 3, 2017•Last modified by RSA Customer Support on Mar 1, 2018

Version 5Show Document

Like • Show 1 Like1
Comment • 0
View in full screen mode

Article Content

Article Number	000033795
Applies To	RSA Product Set: Identity Governance & Lifecycle RSA Version/Condition: 7.0
Issue	When implementing Security Assertion Markup Language (SAML) Single Sign On (SSO) integration in RSA Identity Management & Governance since the SAMLRequest is based on the SAML-2.0-NameID-Transient profile, the SAMLResponse will be transient with the random number in the NameID field which will never match the identity column value in T_Master_Enterprise_User Table, resulting in the failure of SSO. The NameID format is as follows: <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
Resolution	To resolve the issue, follow the steps below. Log into the RSA Identity Management & Governance User Interface. Navigate to Admin > System and click on the Authentication tab. Select the SSO Authentication Source. Update the SAMLAuthenticatorClass value com.aveksa.server.authentication.SAMLPingAuthenticatorImpl. By default the value is set as com.aveksa.server.authentication.SAMLAuthenticatorImpl. Restart the application. After the restart, the SAMLRequest will be built on the correct profile and will create a SAMLResponse with the UnifiedUserColumn value into the NameID field. Below is an example USER_ID using the configuration described above. Note that the java class name is case sensitive.
Notes	SAMLPingAuthenticatorImpl class in the source code, has the function to generate the NameID policy based on 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' Please make sure that the Identity Provider (IdP) set by the customer in a nameid-format. RSA Identity Management & Governance code looks at that, parses the nameid and locates it in the T_Master_Enterprise_User Table. If the user is there (and not terminated or disabled), it returns as an authentication success.

Attachments

Outcomes

0 Comments

Recommended Content