After upgrading to Foglight 6.3 or higher users can no longer authenticate using SAML.
No changes have been made to the SAML configurations on Foglight.
No changes have been implemented in the Identity Provider (IdP).
The following message may be present in the Foglight Management Server (FMS) logs:
ERROR [http-exec-43] com.onelogin.saml2.authn.SamlResponse - https://foglight.yourdomain.com:8443/console/saml2/metadata.xml is not a valid audience for this Response
The URL in the error message may be displayed without a port if Foglight if using the default ports for HTTP (80) or HTTPS (443).
ERROR [http-exec-43] com.onelogin.saml2.authn.SamlResponse - https://foglight.yourdomain.com/console/saml2/metadata.xml is not a valid audience for this Response
CAUSE 1
Changes to how the entityID is determined can impact some configurations.
CAUSE 2
Due to security enhancements introduced in Foglight 7.3.0, default HTTP(S) ports (80 or 443) are no longer included in the SAML entity ID which can cause a mismatch with the configuration in the Identity Provider (IdP).
After the upgrade, verify the value for entityID in the Foglight metadata downloaded from https://fmshost:port/console/saml2/metadata.xml
matches the one configured in the IdP.
For example:
<?xml version="1.0"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2024-01-27T14:14:10Z" cacheDuration="PT604800S" entityID="https://foglight.yourdomain.com:8443/console/saml2/metadata.xml" ...
If the value is different, update the configuration in the IdP to match the new entityID (this can be case sensitive)
The name in the Foglight metadata can be changed by completing the steps in Change hostname in SAML metadata.xml (4300064).
© ALL RIGHTS RESERVED. Nutzungsbedingungen Datenschutz Cookie Preference Center