When logging in to RSA Authentication Manager Prime Help Desk Admin Portal (HDAP) as a user with a specific role, the following error displays on the HDAP webpage:
Authentication failed
The RSA Authentication Manager Authentication Activity Monitor displays Authentication Successful for the same login attempt.
In the hdap.log, the following entries appear:
2020-06-08T20:25:20,097+0200,472949 [https-jsse-nio-8445-exec-3] DEBUG com.rsa.pso.lap.web.LoginActionBean - Start : login()
2020-06-08T20:25:20,097+0200,472949 [https-jsse-nio-8445-exec-3] DEBUG com.rsa.pso.lap.web.LoginActionBean - Start : auth()
2020-06-08T20:25:20,098+0200,472950 [https-jsse-nio-8445-exec-3] DEBUG com.rsa.pso.lap.springbeans.AMISClientServiceImp -
Using token account profile named: HDAPAdmins
2020-06-08T20:25:20,098+0200,472950 [https-jsse-nio-8445-exec-3] DEBUG com.rsa.pso.lap.springbeans.AMISClientServiceImp -
start :: authenticateUser()
2020-06-08T20:25:20,098+0200,472950 [https-jsse-nio-8445-exec-3] DEBUG com.rsa.pso.lap.springbeans.AMISClientServiceImp -
URL : http://localhost:8080/auth/authn
2020-06-08T20:25:20,098+0200,472950 [https-jsse-nio-8445-exec-3] DEBUG com.rsa.pso.lap.springbeans.AMISClientServiceImp -
AuthenticationRequest : Request Type: token, Profile: HDAPAdmins
2020-06-08T20:25:47,487+0200,500339 [https-jsse-nio-8445-exec-3] DEBUG com.rsa.pso.lap.springbeans.AMISClientServiceImp -
authenticateUser <?xml version="1.0" encoding="UTF-8" standalone="no"?>
<authenticationResult>
<authenticated>false</authenticated>
<code>-1</code>
<failed>true</failed>
<message>ACCESS DENIED</message>
</authenticationResult>
2020-06-08T20:25:47,487+0200,500339 [https-jsse-nio-8445-exec-3] DEBUG com.rsa.pso.lap.web.LoginActionBean -
Authentication Failed
In the AMIS auth.log, the following entries appear:
2020-06-08T20:25:40,761+0200,com.rsa.ucm.auth,27,INFO ,Setting Authentication token to profile: Profile: [Name=HDAPAdmins]
2020-06-08T20:25:40,765+0200,com.rsa.ucm.auth,27,INFO ,Validate token: 41496241
2020-06-08T20:25:40,765+0200,com.rsa.ucm.auth,27,INFO ,Position for token ===> 1
2020-06-08T20:25:40,778+0200,com.rsa.ucm.auth,27,INFO ,Calling driver validate: ==> 41496241
2020-06-08T20:25:40,779+0200,com.rsa.ucm.auth,27,INFO ,Test to see if user is allowed hdapadmin
2020-06-08T20:25:40,780+0200,com.rsa.ucm.auth,27,INFO ,Role enforcement is enabled.. Get roles for user hdapadmin
2020-06-08T20:25:40,780+0200,com.rsa.ucm.auth,27,INFO ,AMIS url from configurations: http://localhost:8080/am8
2020-06-08T20:25:40,780+0200,com.rsa.ucm.auth,27,INFO ,Creating AMISToken @ : http://localhost:8080/am8
2020-06-08T20:25:47,061+0200,com.rsa.ucm.auth,27,INFO ,Access container.hasAccess returns false for user hdapadmin
2020-06-08T20:25:47,061+0200,com.rsa.ucm.auth,42,WARN ,Access denied to user hdapadmin
2020-06-08T20:25:47,061+0200,com.rsa.ucm.auth,27,INFO ,Begin authentication completion
2020-06-08T20:25:47,061+0200,com.rsa.ucm.auth,27,INFO ,Profile.authenticateOnly=false / Is Authenticated=false
2020-06-08T20:25:47,061+0200,com.rsa.ucm.auth,27,INFO ,End authentication completion
2020-06-08T20:25:47,091+0200,com.rsa.ucm.auth,22,DEBUG,final result ---> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
<authenticationResult>
<authenticated>false</authenticated>
<code>-1</code>
<failed>true</failed>
<message>ACCESS DENIED</message>
</authenticationResult>
Role enforcement is enabled, as the auth.log shows (Role enforcement is enabled.. Get roles for user hdapadmin). That means that RSA Authentication Manager Integration Service (AMIS) is configured to allow login to HDAP only for a specified set of administrative roles. The user's token itself passes validation, which is why Authentication Manager reports Authentication Successful, but the authenticating user's administrative role is not on the authorized list in AMIS. AMIS therefore returns ACCESS DENIED (Access container.hasAccess returns false) and HDAP reports Authentication failed.
To correct the issue:
- Use the steps in View All Administrative Roles Assigned to an Administrator to confirm the user's administrative role(s) in the RSA Authentication Manager Security Console.
- Confirm which authentication profile HDAP uses in the <Primekit_Installation_Directory>/configs/hdap/config/lap.properties file. In this example the profile is HDAPAdmins, which matches the "Using token account profile named: HDAPAdmins" line in hdap.log:
...
#This property gives the profile for Token
token.authentication.profile=HDAPAdmins
...
- Check the configuration of the profile named in step 2 (HDAPAdmins) in the AMIS <Primekit_Installation_Directory>/configs/amis/authconfig.xml file. Note the enforceRoles="true" attribute and the <include> list, which currently names only two roles:
<profile isDefault="false" name="HDAPAdmins" testAuthenticationToken="false">
<RequireTokenSN>false</RequireTokenSN>
<AMISUrl>${amis.url}</AMISUrl>
<AMISServiceAccount>${amis.service.account}</AMISServiceAccount>
<authorizedUsers inclusionScheme="onlyInclude" enforceRoles="true" >
<include>role:HDA-HelpDesk1,role:HDA-HelpDesk2</include>
</authorizedUsers>
</profile>
- Add the user's administrative role (spelled exactly as it appears in the Security Console, with the role: prefix) to the comma-separated <include> list. In the example below, the administrative roles HDA-HelpDesk1, HDA-HelpDesk2, and HDA-Admins are on the list:
<profile isDefault="false" name="HDAPAdmins" testAuthenticationToken="false">
<RequireTokenSN>false</RequireTokenSN>
<AMISUrl>${amis.url}</AMISUrl>
<AMISServiceAccount>${amis.service.account}</AMISServiceAccount>
<authorizedUsers inclusionScheme="onlyInclude" enforceRoles="true" >
<include>role:HDA-HelpDesk1,role:HDA-HelpDesk2,role:HDA-Admins</include>
</authorizedUsers>
</profile>
- A single user ID can be used instead of an administrative role when only one user must be authorized. Here, the user hdapadmin is added to the <include> list with the user: prefix:
<profile isDefault="false" name="HDAPAdmins" testAuthenticationToken="false">
<RequireTokenSN>false</RequireTokenSN>
<AMISUrl>${amis.url}</AMISUrl>
<AMISServiceAccount>${amis.service.account}</AMISServiceAccount>
<authorizedUsers inclusionScheme="onlyInclude" enforceRoles="true" >
<include>role:HDA-HelpDesk1,role:HDA-HelpDesk2,user:hdapadmin</include>
</authorizedUsers>
</profile>
- Restart the AMIS service so that the updated authconfig.xml is loaded, then retry the HDAP login.
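The following script is an added example for checking an authconfig.xml profile offline before restarting AMIS; it is not RSA code and does not reproduce the real AMIS access check. It assumes the semantics visible in this article: with inclusionScheme="onlyInclude" and enforceRoles="true", a login is allowed only when the <include> list names the user (user:<id>) or one of the user's administrative roles (role:<name>), compared as exact strings. The <authconfig> root element and the sample profile text are constructed for the example.

```python
"""Offline check of an AMIS <authorizedUsers> list against a user's roles.

Added example, not RSA's implementation. Assumed semantics (from the article):
inclusionScheme="onlyInclude" + enforceRoles="true" allows a login only if the
<include> list contains user:<id> or role:<name> for one of the user's roles.
Exact, case-sensitive matching is an assumption; the real AMIS check may differ.
"""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the article's profile before the fix. The
# <authconfig> root element is an assumption; the real file's root may differ.
AUTHCONFIG_BEFORE = """<authconfig>
<profile isDefault="false" name="HDAPAdmins" testAuthenticationToken="false">
<RequireTokenSN>false</RequireTokenSN>
<AMISUrl>${amis.url}</AMISUrl>
<AMISServiceAccount>${amis.service.account}</AMISServiceAccount>
<authorizedUsers inclusionScheme="onlyInclude" enforceRoles="true" >
<include>role:HDA-HelpDesk1,role:HDA-HelpDesk2</include>
</authorizedUsers>
</profile>
</authconfig>"""


def _split_entries(text):
    """Split a comma-separated <include> value into clean entries."""
    return [e.strip() for e in (text or "").split(",") if e.strip()]


def parse_include_entries(xml_text, profile_name):
    """Return (inclusionScheme, enforceRoles, set of include entries) for a profile."""
    root = ET.fromstring(xml_text)
    profile = root.find(f"./profile[@name='{profile_name}']")
    if profile is None:
        raise ValueError(f"profile {profile_name!r} not found in authconfig")
    authorized = profile.find("authorizedUsers")
    if authorized is None:
        raise ValueError(f"profile {profile_name!r} has no <authorizedUsers>")
    scheme = authorized.get("inclusionScheme")
    enforce_roles = authorized.get("enforceRoles", "false").lower() == "true"
    entries = set()
    for include in authorized.findall("include"):
        entries.update(_split_entries(include.text))
    return scheme, enforce_roles, entries


def has_access(xml_text, profile_name, user_id, roles):
    """Model the 'Access container.hasAccess' decision seen in auth.log.

    Returns (allowed, reason). Only the onlyInclude scheme from the article is
    modelled; any other scheme raises so the caller does not get a silent guess.
    """
    scheme, enforce_roles, entries = parse_include_entries(xml_text, profile_name)
    if scheme != "onlyInclude":
        raise NotImplementedError(f"inclusionScheme {scheme!r} is not modelled here")
    if f"user:{user_id}" in entries:
        return True, f"user:{user_id} is listed"
    if enforce_roles:
        for role in roles:
            if f"role:{role}" in entries:
                return True, f"role:{role} is listed"
    return False, f"no user or role entry matches {user_id} with roles {sorted(roles)}"


def add_include_entry(xml_text, profile_name, entry):
    """Return the authconfig text with `entry` appended to the profile's <include>."""
    root = ET.fromstring(xml_text)
    include = root.find(f"./profile[@name='{profile_name}']/authorizedUsers/include")
    if include is None:
        raise ValueError(f"profile {profile_name!r} has no <include> element")
    current = _split_entries(include.text)
    if entry not in current:  # keep the list free of duplicates
        current.append(entry)
    include.text = ",".join(current)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # The article's scenario: hdapadmin holds the HDA-Admins role, which is not listed.
    print(has_access(AUTHCONFIG_BEFORE, "HDAPAdmins", "hdapadmin", ["HDA-Admins"]))
    fixed = add_include_entry(AUTHCONFIG_BEFORE, "HDAPAdmins", "role:HDA-Admins")
    print(has_access(fixed, "HDAPAdmins", "hdapadmin", ["HDA-Admins"]))
    print(fixed)
```

Run it against a copy of the real authconfig.xml by reading the file into xml_text; the role names passed to has_access must be copied exactly from the Security Console, since the whole failure in this article comes from a role that is simply absent from the list.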