After upgrading to Foglight 6.3 or higher, users can no longer authenticate using SAML.
No changes have been made to the SAML configurations on Foglight.
No changes have been implemented in the Identity Provider (IdP).
The following message may be present in the Foglight Management Server (FMS) logs:
ERROR [http-exec-43] com.onelogin.saml2.authn.SamlResponse - https://foglight.yourdomain.com:8443/console/saml2/metadata.xml is not a valid audience for this Response
The URL in the error message is displayed without a port if Foglight is using the default port for HTTP (80) or HTTPS (443):
ERROR [http-exec-43] com.onelogin.saml2.authn.SamlResponse - https://foglight.yourdomain.com/console/saml2/metadata.xml is not a valid audience for this Response
CAUSE 1
Changes in how Foglight determines the SAML entityID can affect some existing configurations.
CAUSE 2
Due to security enhancements introduced in Foglight 7.3.0, the default HTTP(S) ports (80 and 443) are no longer included in the SAML entityID. An IdP that was configured with the old entityID (including the port) still issues assertions whose Audience carries the port, so the value no longer matches the entityID Foglight now expects.
After the upgrade, verify that the value of entityID in the Foglight metadata downloaded from https://fmshost:port/console/saml2/metadata.xml matches the one configured in the IdP.
For example:
<?xml version="1.0"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2024-01-27T14:14:10Z" cacheDuration="PT604800S" entityID="https://foglight.yourdomain.com:8443/console/saml2/metadata.xml" ...
If the value is different, update the configuration in the IdP to match the new entityID. The comparison is an exact string match, so the scheme, host, port (if any) and path must all be identical, including letter case.
The name in the Foglight metadata can be changed by completing the steps in Change hostname in SAML metadata.xml (4300064).
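The following script is an added example, not part of this article or of Foglight; it shows the check described above in code. It parses the entityID from the SP metadata and the Audience value(s) from a SAML Response, then compares them the way the SP does (exact string match) and reports whether a mismatch is caused only by a default port or only by letter case. The metadata and the SAML Response are constructed samples embedded inline so the script runs offline; the hostnames are assumptions.

```python
"""Compare a Foglight SP entityID with the Audience an IdP puts in its SAML Response.

Added example (not Foglight code). The XML below is constructed sample data:
the metadata mirrors the fragment in the article with the default port dropped,
and the Response carries an Audience configured before the upgrade (port :443).
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample: SP metadata as served from /console/saml2/metadata.xml
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://foglight.yourdomain.com/console/saml2/metadata.xml">
</md:EntityDescriptor>"""

# Constructed sample: the relevant part of an IdP-issued Response whose
# Audience still contains the default HTTPS port.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://foglight.yourdomain.com:443/console/saml2/metadata.xml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def sp_entity_id(metadata_xml: str) -> str:
    """Return the entityID attribute of the md:EntityDescriptor root element."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    return root.attrib["entityID"]


def response_audiences(response_xml: str) -> list[str]:
    """Return every saml:Audience value found anywhere in the Response."""
    root = ET.fromstring(response_xml)
    return [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]


def strip_default_port(url: str) -> str:
    """Drop :80 / :443 from a URL, mirroring what Foglight 7.3.0 does to its entityID."""
    parts = urlsplit(url)
    default = {"http": 80, "https": 443}.get(parts.scheme)
    if parts.port is not None and parts.port == default:
        host_only = parts.netloc.rsplit(":", 1)[0]
        parts = parts._replace(netloc=host_only)
    return urlunsplit(parts)


def audience_check(entity_id: str, audiences: list[str]) -> dict:
    """Exact-match audience validation plus a diagnosis when it fails.

    reason is one of: "ok", "default_port", "case", "other", "no_audience".
    """
    if entity_id in audiences:
        return {"valid": True, "reason": "ok"}
    if not audiences:
        return {"valid": False, "reason": "no_audience"}
    normalized = strip_default_port(entity_id)
    if any(strip_default_port(a) == normalized for a in audiences):
        return {"valid": False, "reason": "default_port"}
    if any(a.lower() == entity_id.lower() for a in audiences):
        return {"valid": False, "reason": "case"}
    return {"valid": False, "reason": "other"}


if __name__ == "__main__":
    eid = sp_entity_id(SP_METADATA)
    auds = response_audiences(SAML_RESPONSE)
    result = audience_check(eid, auds)
    print(f"SP entityID : {eid}")
    print(f"IdP audience: {auds}")
    print(f"valid={result['valid']} reason={result['reason']}")
```

To run it against a live system, replace SP_METADATA with the body of https://fmshost:port/console/saml2/metadata.xml and SAML_RESPONSE with the decoded SAMLResponse captured from the browser POST; a result of reason="default_port" is exactly the situation described under CAUSE 2, and the fix is to update the entityID on the IdP side to the value the script prints for the SP.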