Article Number
000039869
Applies To
RSA Product Set: SecurID Access
RSA Product/Service Type: Cloud Authentication Service
Issue
When a user attempts to access a SAML application configured with the Application Portal using an SP-initiated SAML workflow, they are dropped into the Application Portal after completing authentication rather than redirected back to the SAML application. The messages associated with the user's failed access attempt (see below) point to the user being denied access, but checking the access policy applied to the SAML application in the Cloud Administration Console shows that the user should be given access to the application.
The following message is displayed to the end user in the Application Portal:
Application appears to be improperly configured. Contact your Administrator for assistance.
The URL displayed in the end user's browser looks like:
https://portal.sso.example.com/WebPortal/error.html?singlepoint-auth-error=DENY&singlepoint-portal-event=auth-failed&singlepoint-error-message=You+are+not+authorized+to+use+this+IdP+connection.+If+you+think+this+is+in+error%2C+please+see+your+SinglePoint+administrator.
The identity router's symplified.log shows the following message for the user's attempt:
INFO com.symplified.service.appliance.idp.IdPServlet[91] - Authorization denied by IdP service:
com.symplified.service.appliance.idp.AssertionCreationException: DENY
    at com.symplified.service.appliance.idp.IdPService.createAssertion(IdPService.java:402)
    at com.symplified.service.appliance.idp.IdPServlet.doPost(IdPServlet.java:78)
    at com.symplified.service.appliance.idp.IdPServlet.doGet(IdPServlet.java:59)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
Cause
This issue can occur when the Request URL the user is redirected with from the SAML app to the Application Portal does not include the idp_id=<Issuer Entity ID> value. The Issuer Entity ID is used by the identity router to determine which application the user is trying to access. This value is configured for a SAML app on the SecurID Access side of the configuration at:
Cloud Administration Console > Applications > My Applications > Edit the application > Connection Profile > Issuer Entity ID.
The following are examples of Request URLs that include the idp_id=<Issuer Entity ID> value:
https://portal.sso.example.com/IdPServlet?idp_id=<Issuer Entity ID>
and
https://portal.sso.example.com/IdPServlet?idp_id=<Issuer Entity ID>&SAMLRequest=<encoded AuthnRequest>
To check whether the idp_id=<Issuer Entity ID> value is being included in the Request URL, capture the browser traffic while reproducing the issue. In the captured traffic, locate the Request URL that the user is redirected with from the SAML app to the Application Portal and confirm whether idp_id=<Issuer Entity ID> is present in its query string.
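The check described above can also be scripted against the Request URL copied out of the browser capture. The following is an added example and is not RSA's code or part of this article: it parses the URL the SP redirected the browser to, reports whether idp_id is present, and, when a SAMLRequest parameter is present, decodes the HTTP-Redirect binding (raw DEFLATE then base64) to show which SP Issuer and AssertionConsumerServiceURL the request carries, so the two sides of the configuration can be compared. The host names, the Issuer Entity ID value and the AuthnRequest content are constructed placeholders.

```python
"""Diagnose an SP-initiated redirect to the Application Portal: is idp_id present?

Added example, not RSA's code. All host names, the Issuer Entity ID value and
the AuthnRequest below are constructed for illustration.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed values: the identity router's IdP endpoint and the Issuer Entity ID
# configured under Connection Profile for the application (placeholder string).
IDP_SERVLET = "https://portal.sso.example.com/IdPServlet"
ISSUER_ENTITY_ID = "https://portal.sso.example.com/idp/example-app"

# Constructed minimal AuthnRequest as an SP would send it.
AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
    'ID="_constructed-request-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://app.example.com/saml/acs" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    "<saml:Issuer>https://app.example.com/saml/metadata</saml:Issuer>"
    "</samlp:AuthnRequest>"
)


def encode_redirect_binding(authn_request_xml: str) -> str:
    """SAML HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_binding(saml_request: str) -> str:
    """Inverse of encode_redirect_binding: base64-decode, then raw inflate."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")


def build_request_url(include_idp_id: bool) -> str:
    """Build the URL an SP would redirect the browser to, with or without idp_id."""
    query = {}
    if include_idp_id:
        query["idp_id"] = ISSUER_ENTITY_ID
    query["SAMLRequest"] = encode_redirect_binding(AUTHN_REQUEST)
    return f"{IDP_SERVLET}?{urlencode(query)}"


def check_request_url(url: str) -> dict:
    """Return a diagnosis of the Request URL taken from the browser capture."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)  # URL-decodes values, including %2B/%2F in base64
    result = {
        "path": parts.path,
        "has_idp_id": "idp_id" in params,
        "idp_id": params.get("idp_id", [None])[0],
        "sp_issuer": None,
        "sp_acs_url": None,
    }
    if "SAMLRequest" in params:
        root = ET.fromstring(decode_redirect_binding(params["SAMLRequest"][0]))
        issuer = root.find(f"{{{SAML_NS}}}Issuer")
        result["sp_issuer"] = issuer.text if issuer is not None else None
        result["sp_acs_url"] = root.get("AssertionConsumerServiceURL")
    return result


if __name__ == "__main__":
    for label, url in (("missing idp_id", build_request_url(False)),
                       ("with idp_id", build_request_url(True))):
        diag = check_request_url(url)
        verdict = "OK" if diag["has_idp_id"] else "PROBLEM: no idp_id in Request URL"
        print(f"{label}: {verdict}")
        print(f"  idp_id={diag['idp_id']} sp_issuer={diag['sp_issuer']} acs={diag['sp_acs_url']}")
```

To use this against a real capture, pass the full Request URL from the browser's network log to check_request_url; a result with has_idp_id False matches the cause described in this article, while the decoded sp_issuer and sp_acs_url let you confirm the request came from the SP you expect.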
Resolution
Configure the SAML Service Provider to include the idp_id=<Issuer Entity ID> in the Request URL.
Workaround
If the SAML Service Provider cannot be configured to include the idp_id=<Issuer Entity ID> value in the Request URL, the application can instead be configured to use an IdP-initiated SAML workflow. With an IdP-initiated workflow, users access the SAML application by browsing to the Application Portal first rather than to the SAML app. Users can either log into the Application Portal and click on the SAML application to be redirected to it, or they can use the Identity Provider URL found under Cloud Administration Console > Applications > My Applications > Edit the application > Connection Profile > Identity Provider URL when they want to access the application. By using the Identity Provider URL, users are redirected to the SAML app once they authenticate to the Application Portal and do not have to click the SAML app in the Application Portal.
Notes
To view the identity router's symplified.log, either of the following can be done: