Users are not redirected back to SAML application after authenticating to the RSA SecurID Access Application Portal during SP-initiated SAML workflow.
Originally Published: 2021-09-15
Article Number
Applies To
RSA Product Set: SecurID Access
RSA Product/Service Type: Cloud Authentication Service
Issue
The following message is displayed to the end user in the Application Portal:
Application appears to be improperly configured. Contact your Administrator for assistance.
The URL displayed in the end user's browser looks like:
https://portal.sso.example.com/WebPortal/error.html?singlepoint-auth-error=DENY&singlepoint-portal-event=auth-failed&singlepoint-error-message=You+are+not+authorized+to+use+this+IdP+connection.+If+you+think+this+is+in+error%2C+please+see+your+SinglePoint+administrator.
The identity router's symplified.log shows the following message for the user's attempt:
INFO com.symplified.service.appliance.idp.IdPServlet[91] - Authorization denied by IdP service:
com.symplified.service.appliance.idp.AssertionCreationException: DENY
at com.symplified.service.appliance.idp.IdPService.createAssertion(IdPService.java:402)
at com.symplified.service.appliance.idp.IdPServlet.doPost(IdPServlet.java:78)
at com.symplified.service.appliance.idp.IdPServlet.doGet(IdPServlet.java:59)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
Cause
The following are examples of Request URLs that include the idp_id=<Issuer Entity ID> value.
https://portal.sso.example.com/IdPServlet?idp_id=<Issuer Entity ID>
and
https://portal.sso.example.com/IdPServlet?idp_id=<Issuer Entity ID>&SAMLRequest=<encoded AuthnRequest>
To check whether the idp_id=<Issuer Entity ID> value is included in the Request URL, capture the browser traffic while recreating the issue. In the capture, find the Request URL with which the user is redirected from the SAML app to the Application Portal and check whether it includes idp_id=<Issuer Entity ID>.
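As an added example (not part of the RSA article or product), the following Python script performs this check on a browser capture saved as a HAR file, listing every IdPServlet URL, the page that redirected to it, and whether idp_id is present. The HAR content, the app-a/app-b host names and the idp_id value are constructed, and the function name is hypothetical.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed HAR fragment (not a real capture): two SP-initiated attempts,
# the first redirect omits idp_id, the second includes it.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://app-a.example.net/login"},
     "response": {"status": 302, "redirectURL":
                  "https://portal.sso.example.com/IdPServlet?SAMLRequest=CONSTRUCTED"}},
    {"request": {"url": "https://portal.sso.example.com/IdPServlet?SAMLRequest=CONSTRUCTED"},
     "response": {"status": 302, "redirectURL": ""}},
    {"request": {"url": "https://app-b.example.net/login"},
     "response": {"status": 302, "redirectURL":
                  "https://portal.sso.example.com/IdPServlet"
                  "?idp_id=constructed-issuer-id&SAMLRequest=CONSTRUCTED"}},
]}})


def find_idp_servlet_urls(har_text, servlet_path="/IdPServlet"):
    """List every IdPServlet URL in a HAR capture and whether it carries idp_id."""
    findings, seen = [], set()
    for entry in json.loads(har_text)["log"]["entries"]:
        request_url = entry.get("request", {}).get("url", "")
        redirect_url = entry.get("response", {}).get("redirectURL", "")
        # A redirect target tells us which page sent the user to the portal;
        # a plain request URL has no known sender.
        for url, sender in ((redirect_url, request_url), (request_url, None)):
            parts = urlsplit(url)
            if parts.path != servlet_path or url in seen:
                continue
            seen.add(url)
            # keep_blank_values so "idp_id=" (present but empty) is still seen
            query = parse_qs(parts.query, keep_blank_values=True)
            idp_id = query.get("idp_id", [""])[0]
            findings.append({
                "url": url,
                "redirected_from": sender,
                "idp_id": idp_id,
                "has_idp_id": bool(idp_id),
                "has_saml_request": "SAMLRequest" in query,
            })
    return findings


if __name__ == "__main__":
    for finding in find_idp_servlet_urls(SAMPLE_HAR):
        state = "present" if finding["has_idp_id"] else "MISSING"
        print(f"idp_id {state}: {finding['url']} (from {finding['redirected_from']})")
```

HAR captures contain session cookies and SAML messages, so store and share them as you would credentials.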
Resolution
Workaround
Notes
- View the Identity Router System Log from the Cloud Administration Console
- Generate and Download the Identity Router Log Bundle
- View the /var/log/symplified/symplified.log file within the log bundle.