SAML Authentication Stops Working After Upgrade to 6.0.17.x (KBA9738)
Issue
After upgrading to Continuous Data Engine version 6.0.17.x, SAML Authentication stops working. Example errors:
An error occurred.
Contact your administrator for more information.
Error details
Activity ID: d7d1e570-ad9a-4c72-6481-1080090000dd
Relying party: Delphix-422a5dce-0cc2-16b3-aa1a-44d1e7cb3fcf
Error details: MSIS3110: Cannot find AssertionConsumerService configured on the relying party trust 'microsoft:identityserver:422a5dce-0cc2-16b3-aa1a-44d1e7cb3fcf' that matches the request parameters: AssertionConsumerServiceIndex=, AssertionConsumerServiceUrl='https://<engine>/sso/response', ProtocolBinding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'.
Node name: ecb72bad-b8c8-4882-8282-30de4b44646a
Error time: Fri, 25 Nov 2022 15:34:59 GMT
Cookie: enabled
User agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
AADSTS750032: SAML protocol response cannot be sent via bindings other than HTTP POST. Requested binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
In 6.0.17.x, Spring SAML was upgraded. The upgraded Spring SAML uses a redirect if the HTTP-Redirect element is present in the SAML metadata XML.
Applicable Delphix Versions
Major Release: 6.0
All Sub Releases: 6.0.17.0, 6.0.17.1, 6.0.17.2
Resolution
To resolve this issue, remove the following element from the SAML metadata XML:
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="..."/>
This resolution works for both ADFS and Azure AD.
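One way to apply the resolution above to an exported metadata file, as an added example (not Delphix code). The sample metadata, host names and the function name strip_redirect_sso are constructed for illustration. The script removes only SingleSignOnService elements with the HTTP-Redirect binding, refuses to leave the metadata with no SingleSignOnService endpoint, and reports whether the document carried a top-level signature, which no longer verifies after the edit.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SSO_TAG = f"{{{MD_NS}}}SingleSignOnService"

# Keep readable prefixes when the tree is serialized again.
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample IdP metadata (hypothetical host, not from a real tenant).
SAMPLE = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://idp.example.com/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.com/slo"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/sso"/>
    <SingleSignOnService Binding="{POST}" Location="https://idp.example.com/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def strip_redirect_sso(metadata_xml):
    """Return (new_xml, removed_count, was_signed) for IdP metadata."""
    root = ET.fromstring(metadata_xml)
    # An enveloped ds:Signature no longer verifies once the document is edited.
    was_signed = root.find(f"{{{DS_NS}}}Signature") is not None
    removed = 0
    # Walk copies of the child lists so removal does not disturb iteration.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == SSO_TAG and child.get("Binding") == REDIRECT:
                parent.remove(child)
                removed += 1
    # The metadata schema requires at least one SingleSignOnService endpoint.
    if next(root.iter(SSO_TAG), None) is None:
        raise ValueError("no SingleSignOnService element would remain")
    return ET.tostring(root, encoding="unicode"), removed, was_signed


if __name__ == "__main__":
    new_xml, removed, was_signed = strip_redirect_sso(SAMPLE)
    print(f"removed={removed} signed={was_signed}")
    print(new_xml)
```

The SingleLogoutService element in the sample keeps its HTTP-Redirect binding, since the resolution names only the SingleSignOnService element.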