Versions Compared

Old Version 4

changes.mady.by.user Former user

Saved on

compared with

New Version 5

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Panel
Table of Contents
maxlevel2

...

Note
titleNote

Starting with Java 1.8.0_162, JCE unlimited policy is enabled by default.  You no longer need to install the policy file in the JRE or set the security property crypto.policy.

Debugging

The saml.log.level property can be configured in the uc.properties to enable debug logging for the SAML framework. However, as a best practice, saml.log.level should remain at INFO under normal operation.

...

An administrator can turn on/off and configure SAML Single Sign-On through the user interface.

Note
titleNote

Each Universal Controller cluster node maintains its own Single Sign-On Settings configuration, associated by Node Id. Therefore, you must complete the Single Sign-On Settings configuration for each deployed cluster node, including the Active node and any Passive nodes.

The Identify Provider Metadata File and KeyStore File, by default located under ${catalina.base}/conf/saml/, must be accessible to each cluster node.

Step 1

From the Administration navigation pane, select Configuration > Single Sign-On Settings. The Single Sign-On Settings page displays.
 
Image RemovedImage Added

Step 2

Enter / select your Single Sign-On Settings, using the field descriptions below as a guide.

  • Required fields display an asterisk ( * ) after the field name.
  • Default values for fields, if available, display automatically.

Step 3

Click the Update button.

...

Universal Controller Uninitialized

While the Universal Controller web application is initializing, the user login flow cannot proceed. Any users attempting to authenticate with SAML at this time receive the following error:
 
Universal Controller is being initialized. Please try again later.

User Account Not Found

Any SAML-authenticated user who cannot be linked to a user account in the Universal Controller database is prohibited from accessing the application and receives the following error:
 
User 'username' not synchronized with Universal Controller. Please check with your administrator.
 
Additionally, the uc.log will contain the following warning:
 
User 'username' authenticated by identity provider 'remote-entity-id' not synchronized with a Universal Controller account.

User Account Not Active

Any SAML-authenticated user linked to a Universal Controller user account that is not Active is prohibited from accessing the application and receives the following error:
 
User 'username' not synchronized with Universal Controller. Please check with your administrator.
 
Additionally, the uc.log will contain the following warning:
 
User 'username' authenticated by identity provider 'remote-entity-id' is synchronized with an inactive Universal Controller account.

Login Method

Any SAML authenticated user linked to a Universal Controller user account that is not designated to use Single Sign-On login method is prohibited from accessing the application and receives the following error:
 
User 'username' not synchronized with Universal Controller. Please check with your administrator.
 
Additionally, the uc.log will contain the following warning:
 
User 'username' authenticated by identity provider 'remote-entity-id' is not permitted to use Single Sign-On login method.

User Account Locked

Any SAML-authenticated user linked to a Universal Controller user account that is locked is prohibited from accessing the application and receives the following error:
 
User account 'username' is locked. Please check with your administrator.

No Web Browser Access

Any SAML-authenticated user linked to a Universal Controller user account designated with the Single Sign-On login method, but without Web Browser Access, is prohibited from accessing the application and receives the following error:
 
User 'username' not permitted to login through the web browser. Please check with your administrator.

Authentication Statement Too Old

If users already are authenticated with their Identity Provider, depending on how long their Identify Provider allows them to stay authenticated, they could experience an "Error validating SAML message" authentication error when signing into the Universal Controller through single sign-on.
 
If users are experiencing this error, search the uc.log for the following message:
 

Panel

 
Upon confirming the presence of the above message, review property saml.maxAuthenticationAge and adjust accordingly.
 
This property allows you to set the maximum time between a user's authentication and processing of an authentication statement, which by default is 7200 seconds.