|Applies To||RSA Product Set: Identity Governance & Lifecycle; RSA Version/Condition: 7.0|
|Issue||When implementing Security Assertion Markup Language (SAML) Single Sign-On (SSO) integration in RSA Identity Management & Governance, the SAMLRequest is built on the SAML 2.0 NameID transient profile. The NameID field in the SAMLResponse is therefore a transient random value, which never matches the identity column value in the T_Master_Enterprise_User table, so SSO fails.|
The NameID policy requested in the SAMLRequest is as follows:
<saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
|Resolution||To resolve the issue, follow the steps below.|
|Notes||The SAMLPingAuthenticatorImpl class in the source code contains the function that generates the NameID policy based on 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'.|
Make sure the Identity Provider (IdP) configured by the customer returns the NameID in that nameid-format. RSA Identity Management & Governance reads the NameID from the SAMLResponse, parses it, and looks it up in the T_Master_Enterprise_User table. If the user is present there (and is neither terminated nor disabled), the result is an authentication success.
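The lookup described in the note above, as an added illustration that is not RSA's code and not the SAMLPingAuthenticatorImpl class: it parses the NameID and its Format out of a SAMLResponse, treats the transient format as unmatchable (the failure in the Issue row), and otherwise requires an existing user that is neither terminated nor disabled. The `USER_TABLE` dictionary is a constructed stand-in for the identity column of T_Master_Enterprise_User, the `sample_response` builder produces minimal constructed responses with signatures and conditions omitted, and the function names are hypothetical.

```python
"""Hypothetical SAML NameID lookup mirroring the KB note; not RSA code.
The SAMLResponse documents and the user table are constructed sample data."""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed stand-in for the identity column of T_Master_Enterprise_User.
USER_TABLE = {
    "jsmith": {"terminated": False, "disabled": False},
    "mlee": {"terminated": True, "disabled": False},
    "akhan": {"terminated": False, "disabled": True},
}


def extract_name_id(saml_response_xml):
    """Return (format, value) of the first NameID in a SAMLResponse.
    Format defaults to 'unspecified' when the IdP omits the attribute,
    as the SAML 2.0 core spec prescribes."""
    root = ET.fromstring(saml_response_xml)
    name_id = root.find(".//saml2:Assertion/saml2:Subject/saml2:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("SAMLResponse carries no NameID")
    return name_id.get("Format", UNSPECIFIED), name_id.text.strip()


def authenticate(saml_response_xml, user_table=USER_TABLE):
    """Parse the NameID, reject the transient format (it can never match a
    stored identity), then require an existing user that is neither
    terminated nor disabled. Returns (success, reason)."""
    fmt, value = extract_name_id(saml_response_xml)
    if fmt == TRANSIENT:
        return False, "transient NameID cannot be matched to T_Master_Enterprise_User"
    record = user_table.get(value)
    if record is None:
        return False, f"NameID {value!r} not found in T_Master_Enterprise_User"
    if record["terminated"]:
        return False, f"user {value!r} is terminated"
    if record["disabled"]:
        return False, f"user {value!r} is disabled"
    return True, f"user {value!r} authenticated"


def sample_response(name_id_format, name_id_value):
    """Build a minimal constructed SAMLResponse (signature and conditions
    omitted) so the lookup can be exercised offline."""
    return (
        '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml2:Assertion><saml2:Subject>"
        f'<saml2:NameID Format="{name_id_format}">{name_id_value}</saml2:NameID>'
        "</saml2:Subject></saml2:Assertion></saml2p:Response>"
    )


if __name__ == "__main__":
    # Transient profile: the IdP returns an opaque random value, so SSO fails.
    print(authenticate(sample_response(TRANSIENT, "_a3f9c1e0b7d24f5e")))
    # Unspecified profile carrying the enterprise identity: SSO succeeds.
    print(authenticate(sample_response(UNSPECIFIED, "jsmith")))
    # Known identity, but the account is terminated: still rejected.
    print(authenticate(sample_response(UNSPECIFIED, "mlee")))
```

The transient branch is the diagnostic check a practitioner wants when SSO fails silently: logging the NameID Format alongside the lookup result shows immediately whether the IdP is still issuing transient identifiers. A real service provider would also verify the response signature and the assertion conditions before trusting the NameID; that is outside the scope of this note.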