|Applies To||RSA Product Set: Identity Governance and Lifecycle|
RSA Version/Condition: 7.0
|Issue||When implementing Security Assertion Markup Language (SAML) Single Sign-On (SSO) integration in RSA Via Lifecycle and Governance, the SAMLRequest is based on the "SAML-2.0-NameID-Transient" profile. The resulting SAMLResponse is therefore 'transient': the NameID field carries a random per-session value that will never match the identity column value in the T_Master_Enterprise_User table, so SSO fails.|
Below is the NameID format:
<saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
|Resolution||To resolve the issue, follow the steps below.|
|Notes||The SAMLPingAuthenticatorImpl class in the source code contains the function that generates the NameID policy based on 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'.|
Please make sure that the Identity Provider (IdP) configured by the customer returns the NameID in a nameid-format that can be matched (the unspecified format above, not transient). RSA Via Lifecycle and Governance reads that NameID, parses it and looks it up in the T_Master_Enterprise_User table. If the user is there (and not terminated or disabled), the authentication is returned as a success.
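The lookup described in the note, as an added illustration that is not RSA's own code: it parses the NameID out of a (constructed, unsigned) SAMLResponse, rejects a transient NameID up front because its random value can never match the identity column, and otherwise checks the value against a small dictionary standing in for T_Master_Enterprise_User, honouring the terminated/disabled rule. It also inspects the NameIDPolicy of a SAMLRequest so an administrator can confirm which format the request is asking for. The response and request bodies, the user table and the status values are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed stand-in for T_Master_Enterprise_User: identity column -> status.
# The status values are assumptions for this example, not the product's schema.
USER_TABLE = {
    "jdoe": "active",
    "asmith": "terminated",
    "bwong": "disabled",
}


def make_request(name_id_format):
    """Constructed minimal SAMLRequest carrying a NameIDPolicy (example only)."""
    return (
        '<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">'
        f'<saml2p:NameIDPolicy AllowCreate="true" Format="{name_id_format}" />'
        '</saml2p:AuthnRequest>'
    )


def make_response(name_id_format, value):
    """Constructed minimal, unsigned SAMLResponse (example only, not real IdP output)."""
    return (
        '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
        '<saml2:Assertion><saml2:Subject>'
        f'<saml2:NameID Format="{name_id_format}">{value}</saml2:NameID>'
        '</saml2:Subject></saml2:Assertion></saml2p:Response>'
    )


def requested_name_id_format(request_xml):
    """Return the Format attribute of the request's NameIDPolicy, or None."""
    root = ET.fromstring(request_xml)
    policy = root.find("saml2p:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")


def extract_name_id(response_xml):
    """Return (format, value) of the assertion's NameID, or (None, None)."""
    root = ET.fromstring(response_xml)
    node = root.find(".//saml2:Subject/saml2:NameID", NS)
    if node is None:
        return None, None
    return node.get("Format"), (node.text or "").strip()


def authenticate(response_xml, user_table=USER_TABLE):
    """Mimic the lookup: NameID must be matchable and map to a live user."""
    fmt, value = extract_name_id(response_xml)
    if fmt is None:
        return False, "no NameID in assertion"
    if fmt == TRANSIENT:
        # A transient NameID is a fresh random value per session; it will
        # never equal an identity column value, so fail fast with a clear reason.
        return False, "transient NameID cannot match the identity column"
    status = user_table.get(value)
    if status is None:
        return False, f"NameID {value!r} not found in user table"
    if status in ("terminated", "disabled"):
        return False, f"user {value!r} is {status}"
    return True, f"authenticated {value!r}"


if __name__ == "__main__":
    print(requested_name_id_format(make_request(TRANSIENT)))
    print(authenticate(make_response(TRANSIENT, "_8f3a1c")))
    print(authenticate(make_response(UNSPECIFIED, "jdoe")))
    print(authenticate(make_response(UNSPECIFIED, "asmith")))
```

Running the module prints the transient policy from the request, the rejection of the transient response, the success for the active user and the refusal for the terminated one; the reason strings are what an operator would want in the SSO log when diagnosing the failure described in the Issue section.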