Users are not redirected back to SAML application after authenticating to the RSA SecurID Access Application Portal during SP-initiated SAML workflow.
4 years ago
Originally Published: 2021-09-15
Article Number
000044263
Applies To
RSA Product Set: SecurID Access
RSA Product/Service Type: Cloud Authentication Service
Issue
When a user attempts to access a SAML application configured with the Application Portal using an SP-initiated SAML workflow, they are dropped into the Application Portal after completing authentication rather than redirected back to the SAML application. The messages associated with the user's failed access attempt (see below) point to the user being denied access, but checking the access policy applied to the SAML application in the Cloud Administration Console shows that the user should be given access to the application.

The following message is displayed to the end user in the Application Portal:

Application appears to be improperly configured. Contact your Administrator for assistance.

The URL displayed in the end user's browser looks like:
  
https://portal.sso.example.com/WebPortal/error.html?singlepoint-auth-error=DENY&singlepoint-portal-event=auth-failed&singlepoint-error-message=You+are+not+authorized+to+use+this+IdP+connection.+If+you+think+this+is+in+error%2C+please+see+your+SinglePoint+administrator."

The identity router's symplified.log shows the following message for the user's attempt: 
INFO com.symplified.service.appliance.idp.IdPServlet[91] - Authorization denied by IdP service:
 com.symplified.service.appliance.idp.AssertionCreationException: DENY
 at com.symplified.service.appliance.idp.IdPService.createAssertion(IdPService.java:402)
 at com.symplified.service.appliance.idp.IdPServlet.doPost(IdPServlet.java:78)
 at com.symplified.service.appliance.idp.IdPServlet.doGet(IdPServlet.java:59)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:634)

 
Cause
This issue can occur when the Request URL the user is redirected with from the SAML app to the Application Portal does not include the idp_id=<Issuer Entity ID> value. The Issuer Entity ID is used by the identity router to determine which application the user is trying to access. This value is configured for a SAML app on the SecurID Access side of the configuration at: Cloud Administration Console > Applications > My Applications > Edit the application > Connection Profile > Issuer Entity ID.

The following are examples of Request URLs that include the idp_id=<Issuer Entity ID> value. 
https://portal.sso.example.com/IdPServlet?idp_id=<Issuer Entity ID>
and 
https://portal.sso.example.com/IdPServlet?idp_id=<Issuer Entity ID>&SAMLRequest=<encoded AuthnRequest>

To check whether or not the idp_id=<Issuer Entity ID> value is being included in the Request URL, a capture of the browser traffic can be done while recreating the issue. Once the browser traffic has been captured, look for the Request URL that the user is redirected with from the SAML app to the Application Portal to see if the idp_id=<Issuer Entity ID> is included in it.

 
Resolution
Configure the SAML Service Provider to include the idp_id=<Issuer Entity ID> in the Request URL.
Workaround
If the SAML Service Provider cannot be configured to include the idp_id=<Issuer Entity ID> value in the Request URL, then the application can be attempted to be configured using an IdP-initiated SAML workflow. With an IdP-initiated workflow, users would access the SAML application by browsing to the Application Portal first rather than the SAML app. Users can either log into the Application Portal and click on the SAML application to be redirected to it, or alternatively, users can use the Cloud Administration Console > Applications > My Applications > Edit the application > Connection Profile > Identity Provider URL when they want to access the application. By using the Identity Provider URL, users would be redirected to the SAML app once they authenticate to the Application Portal and would not have to click the SAML app in the Application Portal.
Notes
To view the identity router's symplified.log, either of the following can be done:
Don't see what you're looking for?