After upgrading to Foglight 6.3 or higher users can no longer authenticate using SAML.
No changes have been made to the SAML configurations on Foglight.
No changes have been implemented in the Identity Provider (IdP).
The following message may be present in the Foglight Management Server (FMS) logs:
ERROR [http-exec-43] com.onelogin.saml2.authn.SamlResponse - https://foglight.yourdomain.com:8443/console/saml2/metadata.xml is not a valid audience for this Response
The URL in the error message may be displayed without a port if Foglight is using the default ports for HTTP (80) or HTTPS (443).
ERROR [http-exec-43] com.onelogin.saml2.authn.SamlResponse - https://foglight.yourdomain.com/console/saml2/metadata.xml is not a valid audience for this Response
The URLs in the error message may differ only in upper- and lowercase letters.
ERROR [http-exec-1] com.onelogin.saml2.authn.SamlResponse - The response was received at https://foglight.yourdomain.com/console/saml2/saml_assertion_consumer instead of https://Foglight.yourdomain.com/console/saml2/saml_assertion_consumer
CAUSE 1
Changes to how the entityID hostname is determined can impact some configurations.
CAUSE 2
Due to security enhancements introduced in Foglight 7.3.0, default HTTP(S) ports (80 or 443) are no longer included in the SAML identifying endpoints which can cause a mismatch with the configuration in the Identity Provider (IdP).
Changes could also impact some Identity Providers if there is a mismatch in other settings, such as using uppercase letters in the Foglight URLs or specifying a different protocol (HTTP or HTTPS).
After the upgrade, verify that the values in the Foglight metadata downloaded from https://fmshost:port/console/saml2/metadata.xml (in particular the entityID and the AssertionConsumerService Location) match the ones configured in the Identity Provider.
For example:
<?xml version="1.0"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2024-01-27T14:14:10Z" cacheDuration="PT604800S" entityID="https://foglight.yourdomain.com:8443/console/saml2/metadata.xml" ...
...
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://foglight.yourdomain.com:8443/console/saml2/saml_assertion_consumer" index="1"/>
If the values are different, update the configuration in the IdP to match the new ones (this can be case sensitive).
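The comparison described above can be scripted so that the three mismatches named in this article (an explicit default port, a hostname or path that differs only in letter case, and a different protocol) are reported by name rather than discovered from the FMS log. The following is an added example and not Quest's or Foglight's own code; it assumes the Foglight metadata has been downloaded as XML text and that the values configured in the IdP are supplied by the administrator (the IDP_CONFIG dictionary and the metadata sample below are constructed for the example, modelled on the fragment shown above).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# SAML 2.0 metadata namespace used by the EntityDescriptor document.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample of the Foglight SP metadata (no explicit port, lowercase host),
# modelled on the fragment in the article. Not real metadata.
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2024-01-27T14:14:10Z" cacheDuration="PT604800S"
    entityID="https://foglight.yourdomain.com/console/saml2/metadata.xml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://foglight.yourdomain.com/console/saml2/saml_assertion_consumer" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed example of what an IdP still configured for the pre-upgrade values
# might hold: explicit :443 on the entityID and a capitalised host on the ACS URL.
IDP_CONFIG = {
    "entityID": "https://foglight.yourdomain.com:443/console/saml2/metadata.xml",
    "AssertionConsumerService": "https://Foglight.yourdomain.com/console/saml2/saml_assertion_consumer",
}


def parse_sp_metadata(xml_text):
    """Extract entityID and the HTTP-POST AssertionConsumerService Location from SP metadata."""
    root = ET.fromstring(xml_text)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    return {
        "entityID": root.get("entityID"),
        "AssertionConsumerService": acs.get("Location") if acs is not None else None,
    }


def _raw_host(parts):
    # Host text exactly as written (case preserved), with any explicit port stripped.
    return parts.netloc.rsplit(":", 1)[0] if parts.port is not None else parts.netloc


def describe_mismatch(sp_value, idp_value):
    """Return the reasons two endpoint strings differ; an empty list means an exact match.

    Foglight compares these values as strings, so a difference that is only an explicit
    default port or letter case is still a mismatch and is reported as such.
    """
    if sp_value == idp_value:
        return []
    reasons = []
    sp, idp = urlsplit(sp_value), urlsplit(idp_value)

    if sp.scheme.lower() != idp.scheme.lower():
        reasons.append("protocol")
    else:
        sp_port = sp.port or DEFAULT_PORTS.get(sp.scheme.lower())
        idp_port = idp.port or DEFAULT_PORTS.get(idp.scheme.lower())
        if sp_port != idp_port:
            reasons.append("port")
        elif (sp.port is None) != (idp.port is None):
            reasons.append("explicit default port")

    # urlsplit().hostname is lowercased, so this catches genuine host differences;
    # the raw netloc comparison catches case-only differences.
    if sp.hostname != idp.hostname:
        reasons.append("hostname")
    elif _raw_host(sp) != _raw_host(idp):
        reasons.append("hostname case")

    if sp.path != idp.path:
        reasons.append("path case" if sp.path.lower() == idp.path.lower() else "path")

    if not reasons:
        reasons.append("other")
    return reasons


def check_against_idp(sp_metadata_xml, idp_config):
    """Map each SAML endpoint name to the list of mismatch reasons against the IdP values."""
    sp_values = parse_sp_metadata(sp_metadata_xml)
    return {name: describe_mismatch(sp_values[name], idp_config[name]) for name in sp_values}


if __name__ == "__main__":
    for name, reasons in check_against_idp(SP_METADATA, IDP_CONFIG).items():
        print(name, "OK" if not reasons else "MISMATCH: " + ", ".join(reasons))
```

Run against the constructed sample, the script reports an explicit default port on the entityID and a hostname case difference on the AssertionConsumerService URL, which are the two values to correct in the IdP; an empty list for both means the IdP already holds the new post-upgrade values.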