SAML 1.1 SSO Fails if LDAP Search Specification Uses NameID (101493)

Symptom:

SAML 1.1 HTTP-POST and HTTP-Artifact single sign-on can fail if the consumer does not use an LDAP search specification that is compatible with the configuration at the SiteMinder Federation Security Services producer.

In this deployment, Federation Security Services is the producer. The producer uses an LDAP user directory, and the NameID is in the X509 Subject Name format. Federation Manager is the consumer in this network. In the Federation Manager SAML 1.1 Consumer -> Producer partnership, Name ID is selected as the attribute that identifies the user. The NameID setting is configured by selecting the Use Name ID option in the User Identification tab of the Federation Manager UI.

Solution:

For SAML 1.1 single sign-on to work in this deployment, set the LDAP Search Specification setting for the Federation Manager partnership to entrydn=%. You can find the LDAP Search Specification setting on the User Identification tab of the Consumer -> Producer partnership wizard. Remember, the Use Name ID option must also be selected on the User Identification tab.