After upgrading the Controller to v4.5.x, you may encounter an issue where the SAML authentication request fails for accounts that use Active Directory Federation Services (ADFS) SAML. As a result, you may experience problems logging in via SAML to your Controller.
HAVEN'T UPGRADED YET? The Solution section below can help ensure that your users avoid this problem after upgrading.
If you recently upgraded a SaaS Controller and use ADFS SAML, you will see a generic 400 error in your Controller UI when trying to log in.
If you have an on-prem Controller, you will see the following error in the Controller server.log:
[#|2018-11-29T15:42:57.360-0800|SEVERE|glassfish 4.1|com.singularity.ee.controller.servlet.SAMLAuthenticationServlet|_ThreadID=75;_ThreadName=http-listener-1(13);_TimeMillis=1543534977360;_LevelValue=1000;|Error while processing SAML Authentication Response
com.onelogin.saml2.exception.ValidationError: No name id found in Document.
    at com.onelogin.saml2.authn.SamlResponse.getNameIdData(SamlResponse.java:466)
    at com.onelogin.saml2.authn.SamlResponse.getNameId(SamlResponse.java:480)
    at com.onelogin.saml2.Auth.processResponse(Auth.java:527)
    at com.onelogin.saml2.Auth.processResponse(Auth.java:557)
    at com.appdynamics.platform.services.auth.impl.resource.SamlAuthenticationResourceImpl.consumeSAMLAuthenticationResponseInternal(SamlAuthenticationResourceImpl.java:206)
    at com.appdynamics.platform.services.auth.impl.resource.SamlAuthenticationResourceImpl.consumeSAMLAuthenticationResponse(SamlAuthenticationResourceImpl.java:162)
    at com.appdynamics.controller.mds.auth.MdsSamlAuthResourceImpl.consumeSAMLAuthenticationResponse(MdsSamlAuthResourceImpl.java:59)
    at com.singularity.ee.controller.servlet.SAMLAuthenticationServlet.doPost(SAMLAuthenticationServlet.java:262)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1682)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:344)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
    at com.singularity.ee.controller.servlet.RequestOriginMarkingFilter.lambda$doFilter$0(RequestOriginMarkingFilter.java:37)
    at com.appdynamics.platform.RequestOrigin.runAs(RequestOrigin.java:65)
As part of our improvements around SAML 2.0 authentication in the v4.5 release, our SAML implementation now requires a NameID assertion for Microsoft ADFS. If your configuration has not been updated to include this prior to upgrading to v4.5, you may encounter the error above.
To resolve this, add NameID as the Outgoing Claim Type in your claim rule. You can map NameID to any unique identifier (SAM-Account-Name, email, UPN, etc.). Follow the steps below before upgrading your Controller.
1. From your ADFS Console, select the “Relying Party Trusts” folder.
2. Select your trust for AppDynamics and right-click on it.
3. Choose “Edit Claim Issuance Policy…”
4. On the Issuance Transform Rules screen, select your AppDynamics rule and click the “Edit Rule…” button.
5. In the Edit Rule dialog, either add a new unique identifier claim (e.g., SAM-Account-Name) or edit the existing one, and map it to the Outgoing Claim Type “Name ID.”
6. Save your work.
7. Test to ensure that the authentication succeeds.
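One way to verify step 7 before the upgrade, as an added example that is not AppDynamics code: capture the SAMLResponse that ADFS POSTs to the Controller (for example with a browser SAML tracer), base64-decode it to XML, and run the script below against it. It reports whether the assertion carries the Subject/NameID that the v4.5 Controller requires, which is exactly the condition behind "No name id found in Document". The two embedded responses are constructed samples (unsigned, minimal) standing in for a real ADFS response before and after the claim rule change.

```python
import sys
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def inspect_response(xml_text):
    """Return (name_id, name_id_format, attribute_names) for a SAML 2.0 Response.

    name_id is None when the assertion has no Subject/NameID, the condition
    java-saml reports as 'No name id found in Document'.
    """
    # Note: parse responses from untrusted sources with defusedxml instead of ElementTree.
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plain <saml:Assertion> (encrypted or malformed response)")
    nid_el = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = nid_el.text.strip() if nid_el is not None and nid_el.text else None
    fmt = nid_el.get("Format") if nid_el is not None else None
    attrs = [a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)]
    return name_id, fmt, attrs

# Constructed sample (failing case): the claim rule issues the account name only
# as an attribute, so the Subject has no NameID.
BROKEN_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/windowsaccountname">
        <saml:AttributeValue>CORP\\jdoe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample (after the fix): the same identifier is also issued as Name ID.
FIXED_RESPONSE = BROKEN_RESPONSE.replace(
    "<saml:Subject>",
    '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>',
    1,
)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_RESPONSE
    nid, fmt, attrs = inspect_response(text)
    print("NameID:", nid or "MISSING (v4.5 Controller login will fail)", "format:", fmt)
    print("Attributes:", attrs)
```

Run it as `python check_nameid.py response.xml`; with no argument it inspects the constructed failing sample.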
Instructions last updated: 2/27/19