SAML authentication fails due to missing IDP claim rule
Applies to
- ONTAP System Manager 9.3 and later
- Security Assertion Markup Language (SAML)
Issue
Missing Claim Rule on IDP server
Web UI error:
SAML Service Provider
Authorization Failed
The SAML service provider did not identify the user that was authenticated. Ensure that the SAML identity provider is configured to include in its assertion a"uid" attribute (SAML name "urn:oid:0.9.2342.19200300.100.1.1")
whose value matches the service provider user name.
Authorization failed for the resource at "/sysmgr/v4/"
- shibd.log
00000030.000364d4 073533eb Tue Nov 17 2020 10:59:01 -05:00 [kern_shibd:info:59302] INFO Shibboleth.SessionCache [2] [default]: new session created: ID (_1332a6e542c63d998c814449375e85a1) IdP (http://adfs2/adfs/services/trust) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (adfs_server_name)
00000030.000364d5 073533eb Tue Nov 17 2020 10:59:01 -05:00 [kern_shibd:info:59302] INFO Shibboleth-TRANSACTION [2] [default]: New session (ID: _1332a6e542c63d998c814449375e85a1) with (applicationId: default) for principal from (IdP: http://adfs2/adfs/services/trust) at (ClientAddress: adfs_server_name) with (NameIdentifier: domain_user_name) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: _6dbb8609-35be-4ee6-8b0d-62979a22566f)
00000030.000364d6 073533eb Tue Nov 17 2020 10:59:01 -05:00 [kern_shibd:info:59302] INFO Shibboleth-TRANSACTION [2] [default]: Cached the following attributes with session (ID: _1332a6e542c63d998c814449375e85a1) for (applicationId: default) {
00000030.000364d7 073533eb Tue Nov 17 2020 10:59:01 -05:00 [kern_shibd:info:59302] INFO Shibboleth-TRANSACTION [2] [default]: }