Microsoft Entra Single Sign-On into Veritas Alta Archiving portals fails when the User Principal Name (UPN) does not match the SMTPAddress

Article ID: 100048508

Description

Error Message

See internal notes for additional information

 

Notes

A backend change made in early fall 2020 altered the logic Veritas Alta Archiving uses to match an authenticated SSO user to an account.

Note: The log snippets are from the Authentication Service log.

Prior to the change, only the account's SMTPAddress (logged as emailAddress) was compared, so the user.mail claim alone was sufficient.

11:01:00 (40)    CID=0a4e2ab5-f4d5-496a-8c83-352c29f622d3, appName=EPA

11:01:00 (40)    Valid SAML response in EvaluateConditionsAttributes(..) - CurrentTime:8/25/2020 6:01:00 PM, NotBefore:8/25/2020 5:55:59 PM, NotOnOrAfter:8/25/2020 7:00:59 PM

11:01:00 (40)    cid=0a4e2ab5-f4d5-496a-8c83-352c29f622d3, emailAddress=srogers@veritas.com

Note: The above line shows the emailAddress 'srogers@veritas.com' being passed in from the end user's SAML response for Veritas Alta Archiving to authenticate.

 

After the backend code change in early fall 2020, the value passed in from the end user is compared against both the SMTPAddress and the UPN column of the Acct table.

08:51:48 (72)    Load Customer Context for CustomerID - 0a4e2ab5-f4d5-496a-8c83-352c29f622d3
08:51:48 (72)    CID=0a4e2ab5-f4d5-496a-8c83-352c29f622d3, appName=EPA
08:51:48 (72)    Load Customer Context for CustomerID - 0a4e2ab5-f4d5-496a-8c83-352c29f622d3
08:51:48 (72)    Valid SAML response in EvaluateConditionsAttributes(..) - CurrentTime:9/15/2020 3:51:48 PM, NotBefore:9/15/2020 3:46:47 PM, NotOnOrAfter:9/15/2020 4:51:47 PM
08:51:48 (72)    CID=0a4e2ab5-f4d5-496a-8c83-352c29f622d3, SSOColumnValue=srogers@veritas.com

Note: The above line logs the value as 'SSOColumnValue' rather than as the 'emailAddress' field, reflecting the new comparison against both columns.

 

Cause

This occurs when the UPN claim is missing from the Microsoft Entra SAML-based sign-on configuration for the Alta Archiving application, so the value presented cannot be matched against the UPN column when the account's UPN differs from its SMTPAddress.

 

Resolution

Create a UPN claim in the Microsoft Entra SAML-based sign-on configuration for the Alta Archiving application.

  1. Log on to the Microsoft Entra admin center (https://aad.portal.azure.com)
  2. Navigate to Enterprise applications > (Locate the application created for SSO with Alta Archiving) > Single Sign-On > User Attributes & Claims
  3. Add a new claim:
    • Name: UPN
    • Source Attribute: user.userprincipalname

Ensure that the following 3 required claims are configured:

Claim name                                                            Value
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress    user.mail
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name            user.userprincipalname
UPN                                                                   user.userprincipalname

Note: Additional claims may be present, such as givenname or surname. Their presence is optional.
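The following script is an added example written for this article; it is not Veritas or Microsoft code. It does two things a practitioner would want while troubleshooting this issue: it parses a SAML assertion's AttributeStatement and reports which of the three required claims above are missing, and it models the account lookup described in the Notes (SMTPAddress only before the change, SMTPAddress or UPN after it) against a constructed Acct table. The assertion is built locally and unsigned, the account rows are made up, and the case-insensitive comparison is an assumption. The example does not model which claim the Authentication Service selects as SSOColumnValue, because the article does not state it.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The three claims the Alta Archiving SSO application must send (from the table above).
REQUIRED_CLAIMS = (
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "UPN",
)
EMAIL_CLAIM, NAME_CLAIM, UPN_CLAIM = REQUIRED_CLAIMS


def build_assertion(claims):
    """Build a minimal, unsigned SAML 2.0 assertion carrying the given claims.
    Constructed test input only; a real Entra response is signed and larger."""
    attrs = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>'
        % (escape(name, {'"': "&quot;"}), escape(value))
        for name, value in claims.items()
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_example" Version="2.0" IssueInstant="2020-09-15T15:51:48Z">'
        "<saml:Issuer>https://sts.windows.net/example-tenant/</saml:Issuer>"
        "<saml:AttributeStatement>%s</saml:AttributeStatement>"
        "</saml:Assertion>" % attrs
    )


def parse_claims(assertion_xml):
    """Return {claim name: first value} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        claims[attr.get("Name")] = (value.text or "") if value is not None else ""
    return claims


def missing_required_claims(claims):
    """Names from REQUIRED_CLAIMS that the assertion does not carry."""
    return [name for name in REQUIRED_CLAIMS if name not in claims]


# Constructed Acct rows. Account 1 is the article's case: UPN differs from SMTPAddress.
ACCT_TABLE = [
    {"AccountID": 1, "SMTPAddress": "srogers@veritas.com", "UPN": "steve.rogers@veritas.com"},
    {"AccountID": 2, "SMTPAddress": "bbanner@veritas.com", "UPN": "bbanner@veritas.com"},
]


def find_account(value, accounts, compare_upn):
    """Pre-change lookup (compare_upn=False) matches SMTPAddress only; post-change
    (compare_upn=True) matches SMTPAddress or UPN. Case-insensitive comparison
    is an assumption, not documented behaviour."""
    needle = value.strip().lower()
    if not needle:
        return None
    for row in accounts:
        columns = [row["SMTPAddress"]] + ([row["UPN"]] if compare_upn else [])
        if needle in (c.lower() for c in columns):
            return row
    return None


if __name__ == "__main__":
    complete = build_assertion({EMAIL_CLAIM: "srogers@veritas.com",
                                NAME_CLAIM: "steve.rogers@veritas.com",
                                UPN_CLAIM: "steve.rogers@veritas.com"})
    no_upn = build_assertion({EMAIL_CLAIM: "srogers@veritas.com",
                              NAME_CLAIM: "steve.rogers@veritas.com"})
    for label, xml in (("with UPN claim", complete), ("without UPN claim", no_upn)):
        print(label, "-> missing claims:", missing_required_claims(parse_claims(xml)))
    # The UPN value only resolves to an account once the UPN column is compared.
    for compare_upn in (False, True):
        row = find_account("steve.rogers@veritas.com", ACCT_TABLE, compare_upn)
        print("compare_upn=%s -> AccountID %s" % (compare_upn, row and row["AccountID"]))
```

To check a live response, paste the base64-decoded SAMLResponse from a browser SAML trace into parse_claims and inspect missing_required_claims before changing the Entra configuration.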

Issue/Introduction

Microsoft Entra Single Sign-On (SSO) into Veritas Alta Archiving portals fails and returns the user to the login screen when the User Principal Name (UPN) does not match the SMTPAddress of the account.

Additional Information

JIRA: CFT-2948