After upgrading to Foglight 6.3 or higher, users can no longer authenticate using SAML.
No changes have been made to the SAML configurations on Foglight.
No changes have been implemented in the Identity Provider (IdP).
Different errors may be present in the Foglight Management Server (FMS) logs.
Invalid audience:
ERROR [http-exec-43] com.onelogin.saml2.authn.SamlResponse - https://foglight.yourdomain.com:8443/console/saml2/metadata.xml is not a valid audience for this Response
The URL in the error message may be displayed without a port if Foglight is using the default port for HTTP (80) or HTTPS (443).
ERROR [http-exec-43] com.onelogin.saml2.authn.SamlResponse - https://foglight.yourdomain.com/console/saml2/metadata.xml is not a valid audience for this Response
The two URLs in the error message may differ only in the case of some letters (for example, a capitalized hostname).
ERROR [http-exec-1] com.onelogin.saml2.authn.SamlResponse - The response was received at https://foglight.yourdomain.com/console/saml2/saml_assertion_consumer instead of https://Foglight.yourdomain.com/console/saml2/saml_assertion_consumer
Error for invalid issuer in the response:
ERROR [http-exec-13] com.onelogin.saml2.authn.SamlResponse - Invalid issuer in the Assertion/Response. Was 'IDPENTITY', but expected 'IDPENTITYFOG'
CAUSE 1
Changes to how the entityID hostname is determined can impact some configurations.
CAUSE 2
Due to security enhancements introduced in Foglight 7.3.0, default HTTP(S) ports (80 or 443) are no longer included in the SAML identifying endpoints which can cause a mismatch with the configuration in the Identity Provider (IdP).
The change can also affect some Identity Providers when there is a mismatch in other settings, such as uppercase letters in the Foglight URLs, a different protocol (HTTP instead of HTTPS, or vice versa), or a different name for the IdP Entity ID in the response.
After the upgrade, verify that the values in the Foglight metadata downloaded from https://fmshost:port/console/saml2/metadata.xml (the entityID and the AssertionConsumerService Location) match the ones configured in the Identity Provider.
For example:
<?xml version="1.0"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2024-01-27T14:14:10Z" cacheDuration="PT604800S" entityID="https://foglight.yourdomain.com:8443/console/saml2/metadata.xml" ...
...
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://foglight.yourdomain.com:8443/console/saml2/saml_assertion_consumer" index="1"/>
If the values are different, update the configuration in the IdP to match the new ones; the comparison is an exact string match, so letter case, protocol and an explicit port all matter. In some cases the configuration in Foglight may instead need to be updated to match the values from the IdP (for example, the IdP Entity ID reported in the "Invalid issuer" error).
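The comparison described above can be done by hand, but it is easy to miss a port or a single capital letter. The following script is an added example (not Quest or Foglight code) that parses a constructed, abridged copy of the SP metadata in the shape shown above, compares the entityID and ACS Location against the values as entered in the IdP, and reports how they differ (scheme, host, effective port, an explicit :80/:443, path, or letter case only). It also maps the three FMS error lines quoted above to the setting that needs attention; the regular expressions assume the error messages keep the exact wording shown in this article.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed, abridged SP metadata in the shape shown in the article (not real Foglight output).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://foglight.yourdomain.com:8443/console/saml2/metadata.xml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://foglight.yourdomain.com:8443/console/saml2/saml_assertion_consumer" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Error lines as quoted in the article; used here as sample input for triage.
SAMPLE_LOG_LINES = [
    "ERROR [http-exec-43] com.onelogin.saml2.authn.SamlResponse - https://foglight.yourdomain.com:8443/console/saml2/metadata.xml is not a valid audience for this Response",
    "ERROR [http-exec-1] com.onelogin.saml2.authn.SamlResponse - The response was received at https://foglight.yourdomain.com/console/saml2/saml_assertion_consumer instead of https://Foglight.yourdomain.com/console/saml2/saml_assertion_consumer",
    "ERROR [http-exec-13] com.onelogin.saml2.authn.SamlResponse - Invalid issuer in the Assertion/Response. Was 'IDPENTITY', but expected 'IDPENTITYFOG'",
]


def sp_endpoints(metadata_xml):
    """Extract the two identifiers the IdP must hold for this SP:
    the entityID (sent back as the Audience) and the HTTP-POST ACS Location."""
    root = ET.fromstring(metadata_xml)
    acs = root.find(f".//{{{MD_NS}}}AssertionConsumerService")
    return {"entityID": root.get("entityID"),
            "acs": acs.get("Location") if acs is not None else None}


def classify(expected, actual):
    """Explain how two endpoint URLs differ. Returns [] for an exact string match,
    otherwise a list drawn from: scheme, host, port, default-port-explicit, path, path-case, case."""
    if expected == actual:
        return []
    e, a = urlsplit(expected), urlsplit(actual)
    reasons = []
    if e.scheme != a.scheme:          # urlsplit lowercases the scheme
        reasons.append("scheme")
    if e.hostname != a.hostname:      # .hostname is lowercased as well
        reasons.append("host")
    e_port = e.port or DEFAULT_PORTS.get(e.scheme)
    a_port = a.port or DEFAULT_PORTS.get(a.scheme)
    if e_port != a_port:
        reasons.append("port")
    elif (e.port is None) != (a.port is None):
        # Same effective port, but one side spells ":80"/":443" out; an exact
        # string comparison of the two URLs still fails.
        reasons.append("default-port-explicit")
    if e.path != a.path:              # paths are case sensitive
        reasons.append("path-case" if e.path.lower() == a.path.lower() else "path")
    if not reasons:
        reasons.append("case")        # only scheme/host letter case differs
    return reasons


def compare_with_idp(metadata_xml, idp_config):
    """idp_config holds the SP entityID and ACS URL exactly as entered in the IdP."""
    sp = sp_endpoints(metadata_xml)
    return {name: classify(sp[name], idp_config[name]) for name in sp}


LOG_PATTERNS = [
    ("audience", re.compile(r"(\S+) is not a valid audience for this Response")),
    ("destination", re.compile(r"received at (\S+) instead of (\S+)")),
    ("issuer", re.compile(r"Invalid issuer .*? Was '([^']+)', but expected '([^']+)'")),
]


def triage_log_line(line):
    """Map one FMS error line to (kind, values). kind names the setting to check:
    audience -> the SP entityID the IdP sends as Audience, destination -> the ACS URL,
    issuer -> the IdP Entity ID configured in Foglight. values are the identifiers in
    the order they appear in the message. Returns None for unrelated lines."""
    for kind, pat in LOG_PATTERNS:
        m = pat.search(line)
        if m:
            return kind, tuple(m.groups())
    return None


if __name__ == "__main__":
    # Hypothetical IdP entries: port dropped on the entityID, capital F in the ACS host.
    idp = {"entityID": "https://foglight.yourdomain.com/console/saml2/metadata.xml",
           "acs": "https://Foglight.yourdomain.com:8443/console/saml2/saml_assertion_consumer"}
    for name, reasons in compare_with_idp(SAMPLE_METADATA, idp).items():
        print(name, "OK" if not reasons else "mismatch: " + ", ".join(reasons))
    for line in SAMPLE_LOG_LINES:
        print(triage_log_line(line))
```

Run the metadata comparison against what the IdP administrator has on their side before touching either configuration: a result of only `case` or `default-port-explicit` means the IdP entry needs a cosmetic correction, while `scheme` or `port` usually points at the Foglight 7.3.0 endpoint change described above.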