SMAX User Discussions

[SMA-X] Impossible to use SSO

etravella (Trusted Contributor)

[SMA-X] Impossible to use SSO

Hi the community,

We followed the procedure to install SSO on a client account on our SMA-X instance, and the redirection to the client's ADFS does not seem to work. This means that users (with the type FEDERATION) cannot log in.

Here are the highlights of our installation:
- we got the URL of the XML metadata from the client's ADFS,
- we downloaded it,
- we put this file in the "/var/vols/itom/itsma/itsma-itsma-global/certificate/samlmeta" directory of our NFS server,
- we deactivated / reactivated the "idm" pod by modifying the "replicas" parameter (to 0, then back to 1),
- we waited for the "idm" pod to restart,
- we retrieved the "spring_saml_metadata.xml" file from our SMA-X instance and sent it to our client,
- the client integrated this file into his ADFS system (with a single mapping field, "email"),
- after that, we added the customer's XML metadata URL in the client's account ("Authentications" tab, "SAML settings"),
- to test the connection via SSO, we changed the type of a user account in the administration suite (from "DB" to "FEDERATION").

With that, when the user tries to connect to his tenant via this URL:
https://url_of_our_sma-x:443/saw/ess?TenantID=123456789
he enters his email address, validates the form, and is redirected to a URL that points to the account ID:
https://url_of_our_sma-x/idm-service/idm/v0/login?tenant=987654321_db&token=vV2q8jGkXx597Td9vekbn..........

After that, he lands on the second authentication page, with login and password.

It looks like there is no redirection to the ADFS of the client to check his email address.

Looking at the logs of the "idm" pod, I came across the following error.
Maybe it can help you understand my problem:

2018-07-18T09:09:56.132906175Z 2018-07-18 09:09:56,132 [https-jsse-nio-8443-exec-4] INFO com.hp.ccue.identity.hpssoImpl.api.HpSsoFilter - VALIDATION: Starting HpSsoFilter validations.

2018-07-18T09:09:56.133249144Z 2018-07-18 09:09:56,132 [https-jsse-nio-8443-exec-4] INFO com.hp.ccue.identity.hpssoImpl.api.HpSsoMultiDomain - Multi domain not supported by configuration. Request =RequestURL is [https://url_of_our_sma-x/idm-service/idm/v0/login]; method [GET]; sessionId [245B4C65506D56D21C95D53F706799E1]; RequestQuery is [NOT EMPTY];

2018-07-18T09:09:56.133577709Z 2018-07-18 09:09:56,133 [https-jsse-nio-8443-exec-4] WARN com.hp.ccue.identity.hpsso.HpSsoValidator - HP SSO authentication failed: [VALIDATION_USER_NOT_AUTHENTICATED: Validation: no SSO cookie on request (not authenticated) - more info: User must login]: initContextFromRequest - no SSO cookie on request (not authenticated).RequestURL is [https://url_of_our_sma-x/idm-service/idm/v0/login]; method [GET]; sessionId [245B4C65506D56D21C95D53F706799E1]; RequestQuery is [NOT EMPTY];

2018-07-18T09:09:56.133595335Z 2018-07-18 09:09:56,133 [https-jsse-nio-8443-exec-4] WARN com.hp.ccue.identity.hpssoImpl.validators.ValidatorsInvoker - VALIDATION: ValidatorsInvoker:runValidators - Validator HP SSO 2.0 Validator finished running with status Status: ID=0MIS4OLv VALIDATION_USER_NOT_AUTHENTICATED: Validation: no SSO cookie on request (not authenticated) - more info: User must login initContextFromRequest - no SSO cookie on request (not authenticated).RequestURL is [https://url_of_our_sma-x/idm-service/idm/v0/login]; method [GET]; sessionId [245B4C65506D56D21C95D53F706799E1]; RequestQuery is [NOT EMPTY];

2018-07-18T09:09:56.133603959Z 2018-07-18 09:09:56,133 [https-jsse-nio-8443-exec-4] INFO com.hp.ccue.identity.hpssoImpl.api.HpSsoFilter - VALIDATION: Finished HpSsoFilter validations. result: Status: ID=0MIS4OLv VALIDATION_USER_NOT_AUTHENTICATED: Validation: no SSO cookie on request (not authenticated) - more info: User must login initContextFromRequest - no SSO cookie on request (not authenticated).RequestURL is [https://url_of_our_sma-x/idm-service/idm/v0/login]; method [GET]; sessionId [245B4C65506D56D21C95D53F706799E1]; RequestQuery is [NOT EMPTY];

2018-07-18T09:09:56.133611178Z 2018-07-18 09:09:56,133 [https-jsse-nio-8443-exec-4] INFO com.hp.ccue.identity.hpssoImpl.api.HpSsoFilter - VALIDATION: Finished HpSsoFilter validations (SSO not passed).

2018-07-18T09:09:56.133628278Z 2018-07-18 09:09:56,133 [https-jsse-nio-8443-exec-4] INFO com.hp.ccue.identity.hpssoImpl.api.HpSsoFilter - VALIDATION: Even though validation failed, calling chain.doFilter()

2018-07-18T09:10:21.905513515Z 2018-07-18 09:10:21,904 [scheduler-2] INFO com.hp.ccue.identity.service.DatabaseUserServiceImpl - Disabled 0 users whose autoUnlockedCounter is bigger than the threshold

Thank you in advance for your help.

Eric.
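The procedure above drops the client's ADFS metadata into the samlmeta directory and relies on the suite finding an IdP redirect endpoint and a signing certificate in it. The following is an added example (not from the thread, nor part of SMA-X) that sanity-checks such a metadata file before it is deployed; the entityID, host name and certificate value in the embedded sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: a minimal ADFS-style IdP metadata document (hypothetical host).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="http://adfs.example-client.test/adfs/services/trust" validUntil="2099-01-01T00:00:00Z">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIB...constructed-placeholder...</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://adfs.example-client.test/adfs/ls/"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def check_idp_metadata(xml_text, now=None):
    """Return {'entity_id', 'sso_redirect', 'problems'}; each problem is a condition
    under which the suite cannot send the browser to ADFS or verify its response."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    result = {"entity_id": root.get("entityID"), "sso_redirect": None, "problems": []}
    valid_until = root.get("validUntil")
    if valid_until:
        # ADFS writes an ISO 8601 timestamp with a trailing Z; stale metadata is rejected.
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry <= now:
            result["problems"].append("metadata expired (validUntil %s)" % valid_until)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        result["problems"].append("no IDPSSODescriptor: not IdP metadata (SP metadata?)")
        return result
    # The redirect to ADFS needs an HTTP-Redirect SingleSignOnService endpoint.
    endpoints = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    result["sso_redirect"] = endpoints.get(REDIRECT)
    if not result["sso_redirect"]:
        result["problems"].append("no HTTP-Redirect SingleSignOnService endpoint")
    # Without a signing certificate the signed SAML response from ADFS cannot be verified.
    certs = [c.text.strip() for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
             if c.text and c.text.strip()]
    if not certs:
        result["problems"].append("no signing X509Certificate in IdP metadata")
    return result
```

Run it against the file you downloaded from the client's metadata URL; an empty `problems` list does not prove the federation works, but any entry in it explains why the browser would never be sent to ADFS.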

4 REPLIES
lingyanmeng (Outstanding Contributor)

Re: [SMA-X] Impossible to use SSO

Please try to log in with this URL:

https://url_of_our_sma-x:443/saw/ess?TenantID=123456789&AUTH=SAML

With this URL, the system should show the SAML login page instead of the suite login page, and the login should work.

Check the doc:

https://docs.microfocus.com/itom/Service_Management_Automation_-_X:2018.05/Log-in-to-the-suite_19895650

Let me know if it helps,

Ling-Yan

etravella (Trusted Contributor)

Re: [SMA-X] Impossible to use SSO

Hi Ling-Yan,

Thank you for your help.

Our instance of SMA-X is on version 2018.02 (no choice but to keep this version for the moment, to welcome former SAW customers, because the migration script only works with version 2018.02).

So, your solution works with the 2018.05 version of SMA-X, and checking the 2018.02 documentation, there is no equivalent to what you propose. I still tested it, but it does not work. By entering this URL, I get the first page with only the login to enter, and when I enter it and validate, I get the second page with login and password. No redirection to the ADFS.

Eric.

etravella (Trusted Contributor)

Re: [SMA-X] Impossible to use SSO

To set the SSO, I followed the doc attached to this message.

Eric

Mario Morelli (Acclaimed Contributor)

Re: [SMA-X] Impossible to use SSO

Hi

We have done 2 of these, and they work without a problem.

We also used that document you attached.

And you can completely skip the SMA-X redirect by using the following:

https://<SMA-X URL>/saw/ess?TENANTID=<TENANTID>&AUTH=SAML

Can you share your config in the back office, i.e. how you configured it?