
TimWillemstein2 (Customer) asked a question.
The documentation on setting up SSO on RSA IGL is very limited. Is there more documentation available somewhere on how to set it up properly?
For example, we are struggling to get the integration working because, out of the box, there is nowhere to download the SAML configuration for import on the IDP, or on our side to configure settings like client ID, etc.
Any tips and know-how would be appreciated!
I found that RSA IGL SAML takes the NameId from the SAML subject NameId tag and not the NameId as an attribute from the SAML response.
For example, I was debugging the RSA logs:
12/05/2024 15:32:05.422 DEBUG (default task-8780) [com.aveksa.server.authentication.SAMLAuthenticatorImpl] SSO SAML - Handle Authentication is progress...
12/05/2024 15:32:05.422 DEBUG (default task-8780) [com.aveksa.server.authentication.SAMLAuthenticatorImpl] Logged Out param - null: Saml ID - null : globalLogout - false
12/05/2024 15:32:05.423 DEBUG (default task-8780) [com.aveksa.server.authentication.SAMLAuthenticatorImpl] handleAuthentication receive
12/05/2024 15:32:05.423 DEBUG (default task-8780) [com.aveksa.server.authentication.SAMLAuthenticatorImpl] Handling SAML Login Response in progress...
12/05/2024 15:32:05.435 DEBUG (default task-8780) [com.aveksa.server.authentication.SAMLAuthenticatorImpl] Current Time : 2024-12-05T15:32:05.435+01:00 , NotOnOrAfter Time :2024-12-05T14:37:03.254Z
12/05/2024 15:32:05.435 DEBUG (default task-8780) [com.aveksa.server.authentication.SAMLAuthenticatorImpl] NotBefore Time : 2024-12-05T14:32:03.254Z
12/05/2024 15:32:05.436 DEBUG (default task-8780) [com.aveksa.server.authentication.SAMLAuthenticatorImpl] Determining where to find the user in the assertion
12/05/2024 15:32:05.436 DEBUG (default task-8780) [com.aveksa.server.authentication.SAMLAuthenticatorImpl] attr name
12/05/2024 15:32:05.436 DEBUG (default task-8780) [com.aveksa.server.authentication.SAMLAuthenticatorImpl] values yyyyyyy
12/05/2024 15:32:05.436 DEBUG (default task-8780) [com.aveksa.server.authentication.SAMLAuthenticatorImpl] attr NameId
12/05/2024 15:32:05.436 DEBUG (default task-8780) [com.aveksa.server.authentication.SAMLAuthenticatorImpl] values yyyyyyy
12/05/2024 15:32:05.436 DEBUG (default task-8780) [com.aveksa.server.authentication.SAMLAuthenticatorImpl] attr Role
12/05/2024 15:32:05.436 DEBUG (default task-8780) [com.aveksa.server.authentication.SAMLAuthenticatorImpl] values view-profile
12/05/2024 15:32:05.436 DEBUG (default task-8780) [com.aveksa.server.authentication.SAMLAuthenticatorImpl] attr Role
12/05/2024 15:32:05.437 DEBUG (default task-8780) [com.aveksa.server.authentication.SAMLAuthenticatorImpl] values manage-account
12/05/2024 15:32:05.437 DEBUG (default task-8780) [com.aveksa.server.authentication.SAMLAuthenticatorImpl] attr Role
12/05/2024 15:32:05.437 DEBUG (default task-8780) [com.aveksa.server.authentication.SAMLAuthenticatorImpl] values default-roles-worldline-internal
12/05/2024 15:32:05.437 DEBUG (default task-8780) [com.aveksa.server.authentication.SAMLAuthenticatorImpl] attr Role
12/05/2024 15:32:05.437 DEBUG (default task-8780) [com.aveksa.server.authentication.SAMLAuthenticatorImpl] values manage-account-links
12/05/2024 15:32:05.437 DEBUG (default task-8780) [com.aveksa.server.authentication.SAMLAuthenticatorImpl] attr Role
12/05/2024 15:32:05.438 DEBUG (default task-8780) [com.aveksa.server.authentication.SAMLAuthenticatorImpl] values offline_access
12/05/2024 15:32:05.438 DEBUG (default task-8780) [com.aveksa.server.authentication.SAMLAuthenticatorImpl] attr Role
12/05/2024 15:32:05.438 DEBUG (default task-8780) [com.aveksa.server.authentication.SAMLAuthenticatorImpl] values uma_authorization
12/05/2024 15:32:05.438 DEBUG (default task-8780) [com.aveksa.server.authentication.SAMLAuthenticatorImpl] Lookup user: G-xxxxxx-7581-4648-ab1e-xxxxxxx
12/05/2024 15:32:05.452 INFO (default task-8780) [com.aveksa.server.authentication.AbstractSSOAuthenticatorImpl] SSOAuthenticator:getEnterpriseUser(): Using column: userId
12/05/2024 15:32:05.454 ERROR (default task-8780) [com.aveksa.server.authentication.AbstractSSOAuthenticatorImpl] Did not find user with attribute: USER_ID = G-xxxxxx-7581-4648-ab1e-xxxxxxx not found
12/05/2024 15:32:05.455 DEBUG (default task-8780) [com.aveksa.server.authentication.SAMLAuthenticatorImpl] User G-xxxxxx-7581-4648-ab1e-xxxxxxx not found
12/05/2024 15:32:05.455 DEBUG (default task-8780) [com.aveksa.server.authentication.SAMLAuthenticatorImpl] End: NOT_AUTHENTICATED
This request failed since RSA was looking at the NameId in the subject of the SAML response and not at an attribute in the SAML response named NameId. Hence it ended up trying to use the transient GUID returned in the subject NameId to identify my user.
SAML Response (partial):
By changing the NameId format in the SAML subject on my IDP side, rather than adding it as an attribute value in the response, it worked. New SAML subject header sample:
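As an added illustration of the behaviour described in this post (example code, not the poster's configuration or RSA's own code), the script below parses a constructed SAML assertion and reports which identifier the lookup will use: the Subject NameID, not an Attribute named "NameId". The assertion text, the transient GUID and the attribute values are constructed from what the logs above show; the helper names are my own.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample assertion: the Subject carries a transient GUID, while a
# separate Attribute named "NameId" carries the real user id (as in the post).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">G-xxxxxx-7581-4648-ab1e-xxxxxxx</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="NameId">
      <saml:AttributeValue>yyyyyyy</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>view-profile</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def subject_name_id(assertion_xml):
    """Return (value, format) of the Subject NameID, the identifier the SP looks up."""
    root = ET.fromstring(assertion_xml)
    node = root.find("saml:Subject/saml:NameID", NS)
    if node is None:
        return None, None
    return (node.text or "").strip(), node.get("Format")


def attribute_values(assertion_xml, name):
    """Return every AttributeValue text of the Attribute whose Name matches."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            values += [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    return values


def diagnose(assertion_xml):
    """List why a user lookup keyed on the Subject NameID would fail for this assertion."""
    subj, fmt = subject_name_id(assertion_xml)
    attr = attribute_values(assertion_xml, "NameId")
    findings = []
    if fmt == TRANSIENT:
        findings.append("subject NameID is transient; it will not match a stored user id")
    if attr and subj not in attr:
        findings.append("attribute 'NameId' (%s) is ignored; subject NameID (%s) is used" % (",".join(attr), subj))
    return findings
```

Run `diagnose(SAMPLE_ASSERTION)` against an assertion captured from your IDP (with any signature stripped) to see, before enabling SSO, whether the Subject NameID holds the value IGL will compare against its user column.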