
Change SSO to change IDP Config Not working

SurajitP
New Contributor II

Hello,

We have SSO enabled in version 23.4. It is with Ping as IDP. In one of our test environments we wanted to reconfigure the IDP to point to a new instance.

I have changed the below: (Attempt 1)

1. Change external Groovy to update IDP entity ID (From mo:idp:nonprop to mo:idp:prep)
2. Update new IDP Metadata file
3. Restart Saviynt App
After the change I see the new IDP ID is not registered and we see 500 on this page.
 
Attempt 2:
After the failure, local authentication was enabled by Saviynt Support, and I used the Single Sign On tool to configure SSO. I had to change the SP Entity ID and IDP name, as the tool only supports alphanumeric characters. The new IDP environment was also changed to match the SP Entity ID. After SSO was enabled I see we are still redirected to the same page for SSO:

After this SSO was disabled by Saviynt Support.
 
Attempt 3:
I have rolled back the 2 changes done in the 1st step:
1. Rolled back Auth Groovy changes (by activating the previous version)
2. Rolled back IDP Metadata file (in IDP Config)
3. Restart Saviynt App
 
I am still sent to local authentication. This tells me that since the SSO setting is disabled in the tool, this change is not in effect.
 
Attempt 4: 
Re-validated SSO Setting from Single Sign On Tool, and activated it.
 
Now I am redirected to the same page:

Question: Where is this URL being picked up now, and how do I enable SSO with the Single Sign On tool so that it does not refer to the old config?
 
What steps am I doing wrong?
 

saikanumuri
Saviynt Employee

Hi @SurajitP

W.r.t. Attempt 2, are you referring to the new SSO experience under Settings on the UI? If so, have you disabled the SSO in the AuthenticationConfig groovy?

SurajitP
New Contributor II

Hello @saikanumuri, yes, I am talking about the Single Sign On Widget. What I have noticed is that once you configure SSO with the Widget, EIC switches to Widget Mode.

The issue is now fixed. I noticed an error in the IDP Metadata: it has the ds:Signature tag just before the md:IDPSSO tag, and Saviynt does not like it. 'Signature block is used to provide the integrity of the supplied metadata', but Saviynt was unable to parse the IDP metadata because of this element. After the element was removed from the IDP Metadata it started working.

The issue was not around moving to the SSO Widget.

These are a few observations around the SSO Widget:

  1. After the SSO configuration is activated, the IDP Metadata and SP Metadata are placed here: /saviynt_shared/security/SAML/active/
  2. From the UI these files are not accessible, so if the IDP needs a copy of the SP metadata for reference, a Support ticket needs to be raised.
  3. IDP Metadata is always saved as IDPName_idp.com and SP Metadata is saved as SP_EntityID_sp.xml
  4. Once you switch to widget mode you cannot go back to the previous way (managing it through IDP Configuration and Auth Groovy)
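Added example, not Saviynt's or the poster's code: a small Python check that reports whether an IdP metadata file has a top-level ds:Signature element ahead of the IDPSSODescriptor (the parse problem described in the resolution above) and produces a copy without it. The sample metadata, the SingleSignOnService URL and the signature value are constructed; only the mo:idp:prep entity ID comes from the thread.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for prefix, uri in NS.items():  # keep md:/ds: prefixes when re-serialising
    ET.register_namespace(prefix, uri)
SIG_TAG = "{%s}Signature" % NS["ds"]
IDPSSO_TAG = "{%s}IDPSSODescriptor" % NS["md"]

# Constructed IdP metadata mirroring the thread: a ds:Signature child sits
# directly before the IDPSSODescriptor. The Location URL is a placeholder.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="mo:idp:prep">
  <ds:Signature>
    <ds:SignedInfo/><ds:SignatureValue>c29tZS1zaWduYXR1cmU=</ds:SignatureValue>
  </ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_metadata(metadata_xml):
    """Return entityID, whether a top-level ds:Signature precedes the
    IDPSSODescriptor, and whether an IDPSSODescriptor exists at all."""
    root = ET.fromstring(metadata_xml)
    tags = [child.tag for child in root]
    sig_first = SIG_TAG in tags and (
        IDPSSO_TAG not in tags or tags.index(SIG_TAG) < tags.index(IDPSSO_TAG))
    return {
        "entity_id": root.get("entityID"),
        "leading_signature": sig_first,
        "has_idpsso": IDPSSO_TAG in tags,
    }


def strip_signature(metadata_xml):
    """Return the metadata without its top-level ds:Signature element.
    This drops the integrity check the signature provides, so confirm the
    file's origin out-of-band (e.g. fetched over TLS from the IdP) first."""
    root = ET.fromstring(metadata_xml)
    for sig in root.findall("ds:Signature", NS):
        root.remove(sig)
    return ET.tostring(root, encoding="unicode")
```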

Dave
Community Manager

@SurajitP - Do you still need assistance with this matter?  

SurajitP
New Contributor II

Thanks @Dave. This got fixed; I provided the resolution steps above and have now accepted that as the Solution.