garima_aggarwal

eDirectory SAML Configuration is not working properly


Hi

I am setting up a new IDM (Version 4.5) environment having two different nodes (one is primary and the other one is a replica, not in a cluster).

I am facing an issue while setting up the User Application.

Initially, after running the RBPM Configuration Utility, I came across one issue:

Identity Manager authentication is not correctly configured or Identity Manager to eDirectory SAML communication is not functioning correctly.
Please contact an administrator to correct the problem.


I followed the steps outlined in https://www.netiq.com/communities/cool-solutions/troubleshooting-osp-idm-4-5-part-2/ and the problem is resolved.

Now the situation is, when I do the same RBPM configuration on the secondary node, the first node stops working and again shows the same message.
If I reconfigure the first node, the second node stops working and starts giving the same message.

I am not able to understand this behavior.

Kindly let me know if you people have any workaround for this.

Thanks in advance.

--Dinesh

11 Replies
Knowledge Partner

Re: eDirectory SAML Configuration is not working properly

> I followed the steps outlined in
> https://www.netiq.com/communities/cool-solutions/troubleshooting-osp-idm-4-5-part-2/
> and problem is resolved.


I am glad my article helped you. This is a complicated issue that the
docs do not really address.

> Now the situation is, when i do the same RBPM configuration in secondary
> node. First node stops working and again shows the same message.
> If i reconfigure first node, the second node stops working and start
> giving same message.


So why are you running it again on the second node?

I concede it seems like a thing you would need, but you need to consider
how the SAML stuff works, which I tried to outline in that series of
articles.

Basically you get the Tree CA to make a private key object and then an
authSamlAffiliate object to store the references to the CA, with some
config stuff.

The public key is written to the configuration object of the UA driver
(cn=configuration under the AppConfig container).

The cert is singular, need only one, like a Highlander.

The config is singular, since you only have a single UA driver instance.

> I am not able to understand this behavior.
>
> Kindly let me know if you peoples have any workaround for this.


So the question is, after doing it once, why did it now work.

How specifically are you using these two nodes?
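The explanation above (one private key object made by the Tree CA, one authSamlAffiliate object, and one public key written to cn=configuration under AppConfig) suggests a concrete check for the two-node symptom in this thread: confirm that every Identity Applications node holds the same certificate as the single one published on the UA driver's configuration object. The following is an added example, not code from the thread or from NetIQ/Micro Focus. It assumes the directory data has been exported as LDIF (for example with ldapsearch), uses the placeholder attribute name samlPublicKey for the value on the configuration object (the thread does not give the real attribute name), and takes each node's own certificate as DER bytes. All sample values are constructed.

```python
"""Check that every Identity Applications node holds the same SAML
certificate as the one published on the UA driver's configuration object.

Added example, not code from the thread or from NetIQ/Micro Focus.
Assumptions (not given in the thread): the directory data is an LDIF
export; the configuration object's certificate attribute is called
'samlPublicKey' here as a placeholder; node certificates are DER bytes.
"""
import base64
import hashlib


def parse_ldif(text):
    """Minimal LDIF parser: unfolds continuation lines (leading space),
    decodes 'attr:: base64' values and returns {dn: {attr: [bytes, ...]}}."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # folded continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current, dn = {}, None, None
    for line in unfolded + [""]:                  # sentinel flushes the last entry
        if not line.strip() or line.startswith("#"):
            if dn is not None:
                entries[dn] = current
            current, dn = None, None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                 # base64-encoded value
            data = base64.b64decode(value[1:].strip())
        else:
            data = value.strip().encode()
        if name.lower() == "dn":
            dn, current = data.decode().lower(), {}
        elif current is not None:
            current.setdefault(name.lower(), []).append(data)
    return entries


def fingerprint(der):
    """SHA-256 fingerprint of a DER blob, the usual way to compare certs."""
    return hashlib.sha256(der).hexdigest()


def find_mismatched_nodes(ldif_text, config_dn, node_certs, attr="samlPublicKey"):
    """Return the names of nodes whose certificate differs from the one the
    directory publishes on config_dn. An empty list means all nodes agree.
    Exactly one published value is expected: the cert is singular."""
    entries = parse_ldif(ldif_text)
    published = entries[config_dn.lower()].get(attr.lower())
    if not published or len(published) != 1:
        raise ValueError("expected exactly one published SAML certificate")
    expected = fingerprint(published[0])
    return [node for node, der in node_certs.items() if fingerprint(der) != expected]


def _fold(line, width=60):
    """Fold a long LDIF line the way exports do (continuation = leading space)."""
    return "\n ".join(line[i:i + width] for i in range(0, len(line), width))


# Constructed sample data: stand-in DER blobs, not real certificates.
# Node 2 was installed with a new MasterKey, so it ended up with a new key pair.
CERT_NODE1 = b"\x30\x82\x01\x00" + b"node1-cert" * 4
CERT_NODE2 = b"\x30\x82\x01\x00" + b"node2-cert" * 4
CONFIG_DN = "cn=configuration,cn=AppConfig,cn=UserApplication,cn=driverset1,o=system"
SAMPLE_LDIF = "\n".join([
    _fold("dn: " + CONFIG_DN),
    "objectClass: top",
    _fold("samlPublicKey:: " + base64.b64encode(CERT_NODE1).decode()),
    "",
])

if __name__ == "__main__":
    out_of_sync = find_mismatched_nodes(
        SAMPLE_LDIF, CONFIG_DN, {"node1": CERT_NODE1, "node2": CERT_NODE2})
    print("nodes out of sync with the directory:", out_of_sync)
```

Against a real tree, replace SAMPLE_LDIF with the export of the cn=configuration object and feed each node's actual certificate; a node listed as out of sync is the one whose re-run of the configuration utility overwrote the published public key, which is why the other node then fails with the SAML error in this thread.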
garima_aggarwal

Re: eDirectory SAML Configuration is not working properly

geoffc;2450661 wrote:
So why are you running it again on the second node?

How specifically are you using these two nodes?

Hi

After doing all the config on node 1, I did the configs on node 2.

As soon as node 2 was configured, node 1 stopped working automatically.

To get node 1 working again, I executed the config utility on node 1 again.

--Dinesh

Micro Focus Expert

Re: eDirectory SAML Configuration is not working properly

On 2/9/17 3:16 PM, garima aggarwal wrote:
> Now the situation is, when I do the same RBPM configuration on the secondary
> node, the first node stops working and again shows the same message.
> If I reconfigure the first node, the second node stops working and starts
> giving the same message.

Greetings,
When you installed the 2nd node of the Identity Applications, what did
you select when asked about the MasterKey:

1) Create New

2) Utilize an existing one


--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
garima_aggarwal

Re: eDirectory SAML Configuration is not working properly

stevewdj;2450671 wrote:
Greetings,
When you installed the 2nd node of the Identity Applications, what did
you select when asked about the MasterKey:

1) Create New

2) Utilize an existing one

Hi Steven

I selected the Create New option while installing the 2nd node of Identity Applications.


--Dinesh
Micro Focus Expert

Re: eDirectory SAML Configuration is not working properly

On 2/9/17 11:26 PM, garima aggarwal wrote:
> Hi Steven
>
> I selected the Create New option while installing the 2nd node of Identity
> Applications.
>
> --Dinesh

Greetings Dinesh,
That is the root of your issue. The MasterKey is utilized as part of
creating the SAML. Because you did not utilize the MasterKey from node
#1 while installing node #2, they are completely different.

At this point, you will have to uninstall node #2 completely. Then
install it again, but this time select to use an existing MasterKey and
use the value from node #1.

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
garima_aggarwal

Re: eDirectory SAML Configuration is not working properly

stevewdj;2450763 wrote:
Greetings Dinesh,
That is the root of your issue. The MasterKey is utilized as part of
creating the SAML. Because you did not utilize the MasterKey from node
#1 while installing node #2, they are completely different.

At this point, you will have to uninstall node #2 completely. Then
install it again, but this time select to use an existing MasterKey and
use the value from node #1.

Hi Steven

As suggested, I followed the steps. However, the issue still exists.


--Dinesh

Micro Focus Expert

Re: eDirectory SAML Configuration is not working properly

On 2/11/17 5:16 PM, garima aggarwal wrote:
> Hi Steven
>
> As suggested, I followed the steps. However, the issue still exists.
>
> --Dinesh

Greetings,

1) You have to get #1 working
2) Stop #1
3) Install #2 and select to utilize the masterkey
4) Start #1 -> This should start successfully
5) Start #2 -> This should start successfully


--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
garima_aggarwal

Re: eDirectory SAML Configuration is not working properly

stevewdj;2450810 wrote:
Greetings,

1) You have to get #1 working
2) Stop #1
3) Install #2 and select to utilize the masterkey
4) Start #1 -> This should start successfully
5) Start #2 -> This should start successfully

Hi Steven

This fix worked for me.

Thanks a lot for your support.

--Dinesh

Knowledge Partner

Re: eDirectory SAML Configuration is not working properly


> That is root of your issue. The MasterKey is utilized as part of
> creating the SAML. Because you did not utilize the MasterKey from node
> #1 while installing node #2 they are completely different.


That is very interesting. In the old 4.0x days I do not recall a step
requiring using the Master Key to setup the SAML to eDir federation. Is
this a new step in 4.5?

Micro Focus Expert

Re: eDirectory SAML Configuration is not working properly

On 2/13/17 10:11 AM, Geoffrey Carman wrote:
>
>> That is root of your issue. The MasterKey is utilized as part of
>> creating the SAML. Because you did not utilize the MasterKey from node
>> #1 while installing node #2 they are completely different.

>
> That is very interesting. In the old 4.0x days I do not recall a step
> requiring using the Master Key to setup the SAML to eDir federation. Is
> this a new step in 4.5?
>

Greetings Geoffrey,

1) The MasterKey has been a requirement since Clustering was added.

2) This has been a requirement with Enterprise SSO support since it was
added in the 370 release.



--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
Knowledge Partner

Re: eDirectory SAML Configuration is not working properly

On 2/13/2017 8:06 PM, Steven Williams wrote:
> On 2/13/17 10:11 AM, Geoffrey Carman wrote:
>>
>>> That is root of your issue. The MasterKey is utilized as part of
>>> creating the SAML. Because you did not utilize the MasterKey from node
>>> #1 while installing node #2 they are completely different.

>>
>> That is very interesting. In the old 4.0x days I do not recall a step
>> requiring using the Master Key to setup the SAML to eDir federation. Is
>> this a new step in 4.5?
>>

> Greetings Geoffrey,
>
> 1) The MasterKey has been a requirement since Clustering was added.
>
> 2) This has been a requirement with Enterprise SSO support since it was
> added in the 370 release.


I understand about the MasterKey for clustering. But what I mean is,
when I read how to setup the eDir federation via SAML from say, the 4.02
docs:
https://www.netiq.com/documentation/idm402/install/data/bfcbqsb.html

I see no reference to using the MasterKey in this step.

Where was it used before? I guess when you had the chance to import the
master key? Except you always did the SSO after that? And in the 4.5
case, you set up SAML when you run configupdate.sh after this I thought.
Interesting.


