Article Content
| Field | Content |
|---|---|
| Article Number | 000033795 |
| Applies To | RSA Product Set: Identity Governance & Lifecycle. RSA Version/Condition: 7.0 |
| Issue | When implementing Security Assertion Markup Language (SAML) Single Sign-On (SSO) integration in RSA Identity Management & Governance, the SAMLRequest is based on the SAML 2.0 NameID transient profile. The SAMLResponse therefore carries a transient NameID containing a random value that never matches the identity column value in the T_Master_Enterprise_User table, so SSO fails. The NameID format requested is: `<saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />` |
| Resolution | To resolve the issue, follow the steps below. |
| Notes | The SAMLPingAuthenticatorImpl class in the source code generates the NameID policy using `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`. Make sure the Identity Provider (IdP) configured by the customer returns the NameID in a matching nameid-format. RSA Identity Management & Governance reads that NameID, parses it, and looks it up in the T_Master_Enterprise_User table. If the user is present (and not terminated or disabled), authentication succeeds. |
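The lookup described in the Notes row, as an added example that is not RSA's code: it parses the NameID out of a SAMLResponse, checks its Format attribute, and resolves the value against a constructed stand-in for the T_Master_Enterprise_User table. It assumes a minimal, unsigned response built inline (the `make_response` helper and the `USER_TABLE` records are constructed for illustration), and it omits signature and audience validation, which a real SAML consumer performs before trusting the NameID at all. The point it makes visible is the failure mode in the Issue row: a transient NameID is rejected up front because its random value can never match the identity column, while an `unspecified`-format NameID is matched and then gated on the terminated/disabled flags.

```python
"""
Added example (not RSA's code): parse the NameID from a SAMLResponse,
check its Format, and resolve it against a stand-in for the
T_Master_Enterprise_User table. Shows why a transient NameID never
matches a stored identity while an 'unspecified' NameID does.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed stand-in for T_Master_Enterprise_User: identity -> status flags.
USER_TABLE = {
    "jdoe":   {"terminated": False, "disabled": False},
    "asmith": {"terminated": True,  "disabled": False},
    "bjones": {"terminated": False, "disabled": True},
}


def make_response(name_id, fmt):
    """Build a minimal, unsigned, constructed SAMLResponse with one NameID."""
    return f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}">
  <saml2:Assertion>
    <saml2:Subject>
      <saml2:NameID Format="{fmt}">{name_id}</saml2:NameID>
    </saml2:Subject>
  </saml2:Assertion>
</saml2p:Response>"""


def extract_name_id(response_xml):
    """Return (value, format) of the first NameID in the response, or raise."""
    root = ET.fromstring(response_xml)
    node = root.find(".//saml2:Subject/saml2:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("no NameID in SAMLResponse")
    # SAML 2.0 treats a missing Format attribute as 'unspecified'.
    return node.text.strip(), node.get("Format", UNSPECIFIED)


def authenticate(response_xml, users=USER_TABLE):
    """
    Mirror the lookup the article describes: parse the NameID, find it in the
    user table, and succeed only if the user exists and is neither terminated
    nor disabled. Returns (ok, reason) so the failure cause is explicit.
    """
    value, fmt = extract_name_id(response_xml)
    if fmt == TRANSIENT:
        # A transient value is random per session; it cannot match any identity.
        return False, f"NameID format is transient ({value!r}); cannot match identity column"
    record = users.get(value)
    if record is None:
        return False, f"identity {value!r} not found in T_Master_Enterprise_User"
    if record["terminated"] or record["disabled"]:
        return False, f"identity {value!r} is terminated or disabled"
    return True, f"authenticated {value!r}"


if __name__ == "__main__":
    for ident, fmt in [("jdoe", UNSPECIFIED), ("_a1b2c3d4", TRANSIENT),
                       ("asmith", UNSPECIFIED), ("nobody", UNSPECIFIED)]:
        print(ident, fmt.rsplit(":", 1)[-1], "->", authenticate(make_response(ident, fmt)))
```

Running the block prints one line per constructed case, and the `reason` string distinguishes the transient-format mismatch from a genuinely unknown or disabled user, which is the distinction an administrator needs when diagnosing the SSO failure in the Issue row.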