Clarity

16.1.0 Upgrade breaks SSO/SAML

  • 1.  16.1.0 Upgrade breaks SSO/SAML

    Posted Nov 17, 2022 03:14 PM
    Good Evening,

    This is a strange one, but we've reproduced it in two environments now so we think something is amiss.

    Both systems were 16.0.3 Patch 1, load balanced and employed SSO/SAML for logon. In 16.0.3.1 this worked fine. After upgrading to 16.1.0 all logon attempts result in the logout page being displayed. We reverted to 16.0.3.1 and tried again on just a single server and all was OK. We then upgraded that server again (without applying the csk content pack) and the immediate logout happened again.

    We see a new entry called ppmbroker in the properties file, but the documentation makes no mention of this, and we were wondering if we need to configure this somehow.

    As this has happened on two environments and reversion to 16.0.3.1 clears the problem it looks like 16.1.0 treats SSO/SAML a bit differently.

    Any ideas?

    As always any and all suggestions gratefully received.

    Paul


  • 2.  RE: 16.1.0 Upgrade breaks SSO/SAML

    Broadcom Employee
    Posted Nov 17, 2022 03:20 PM
    Hi Paul,

    This is very strange and we would like to review it via a support case. ppm_broker is not in use at the moment but is provided for future implementations. If you haven't raised the ticket, please do so.

    ------------------------------
    Thanks & Regards
    Suman Pramanik
    Sr. Principal Support Engineer | Customer Success & Support, Enterprise Software Division
    Broadcom
    ------------------------------



  • 3.  RE: 16.1.0 Upgrade breaks SSO/SAML

    Broadcom Employee
    Posted Nov 17, 2022 06:57 PM

    Paul, the SAML issue should not be related to the new service. I agree with Suman, this behavior is not expected and needs a Support case.

    In addition to what he said on ppmbroker, please check the KB we just posted, "Microservice ppmbroker service in 16.1.0 On Premise". PPMBroker is a new service, so we will keep adding new functionality in future as well, as he stated. We are also working to add this to the documentation and it will be done soon.



    ------------------------------
    Nika Hadzhikidi
    Sr Principal Support Engineer
    Broadcom
    ------------------------------



  • 4.  RE: 16.1.0 Upgrade breaks SSO/SAML

    Posted Nov 18, 2022 03:27 AM
    Hi there, we'll be raising a case for this. Thanks for the responses - and thanks too for the link to the ppmbroker details.

    Paul


  • 5.  RE: 16.1.0 Upgrade breaks SSO/SAML

    Broadcom Employee
    Posted Nov 18, 2022 07:26 AM
    Hi Paul

    We have changed the SSO infrastructure a little in 16.1 and I have documented the changes in a KB, and we will have the change and impact guide documented too in an hour's time.

    Apologies for the inconvenience

    ------------------------------
    Thanks & Regards
    Suman Pramanik
    Sr. Principal Support Engineer | Customer Success & Support, Enterprise Software Division
    Broadcom
    ------------------------------



  • 6.  RE: 16.1.0 Upgrade breaks SSO/SAML

    Broadcom Employee
    Posted Nov 18, 2022 10:02 AM
    Paul - Our change impact guide is also updated. Thank you for testing 16.1 and for the feedback.


    ------------------------------
    Thanks & Regards
    Suman Pramanik
    Sr. Principal Support Engineer | Customer Success & Support, Enterprise Software Division
    Broadcom
    ------------------------------



  • 7.  RE: 16.1.0 Upgrade breaks SSO/SAML

    Posted Nov 18, 2022 04:34 PM
    Hi there,

    Many thanks for the swift response. We'll explore options. 16.1.0 has some very significant improvements around allocations and availability in the New UX and those work fine. I'll update this thread with findings around the current SSO/SAML problem.

    All the best,

    Paul


  • 8.  RE: 16.1.0 Upgrade breaks SSO/SAML

    Broadcom Employee
    Posted Nov 21, 2022 03:55 AM
    You are welcome Paul, let me know how your testing goes. And yes, there are a lot of interesting features in 16.1.

    ------------------------------
    Thanks & Regards
    Suman Pramanik
    Sr. Principal Support Engineer | Customer Success & Support, Enterprise Software Division
    Broadcom
    ------------------------------



  • 9.  RE: 16.1.0 Upgrade breaks SSO/SAML

    Posted Nov 21, 2022 05:00 AM
    Hi Suman,

    Things are working again after updating the new field in the NSA after following the steps in KB https://knowledge.broadcom.com/external/article/254602

    Thanks again,

    Paul


  • 10.  RE: 16.1.0 Upgrade breaks SSO/SAML

    Broadcom Employee
    Posted Nov 21, 2022 05:04 AM
    Perfect, thank you Paul.

    ------------------------------
    Thanks & Regards
    Suman Pramanik
    Sr. Principal Support Engineer | Customer Success & Support, Enterprise Software Division
    Broadcom
    ------------------------------



  • 11.  RE: 16.1.0 Upgrade breaks SSO/SAML

    Posted Dec 04, 2022 04:18 AM
    Apologies for revisiting this issue. Yesterday we tried to upgrade production and it failed. The error we see in the logs is:


    The blanked out IP and Load Balancer addresses are correct, and everything was working in 16.0.3.1. We made the same change that we made in the lower environments as detailed in the article referenced above but we couldn't log in - we were constantly directed to the logout page.

    Unfortunately there is no way to disable the bookmarking in 16.1.0 (like there was in 16.0.3.1) so we had to roll back.

    Does anyone have a clue what the above error means? A search with Google mentioned a mismatch around the Entity ID but that's not the case here, and it was working fine in 16.0.3.1 (and in 16.1.0 in the 3 lower environments).


  • 12.  RE: 16.1.0 Upgrade breaks SSO/SAML

    Posted Dec 05, 2022 05:01 AM
    We found the cause...

    In Azure the Entity ID started with Clarity... in Clarity itself it starts with clarity and it's obviously case sensitive.
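
A pre-upgrade check for the case mismatch described in the last post, as an added example that is not part of the thread or of any Broadcom tooling. It assumes the Entity ID registered at the IdP appears as the `Audience` of the assertion; the sample assertion and the entity ID values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a trimmed, unsigned assertion as an IdP might issue it.
# The entity ID is a placeholder, not the value used in the thread.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0" IssueInstant="2022-12-03T10:00:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>Clarity-example-sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def audiences(assertion_xml):
    """Return every Audience value exactly as sent (no trimming, no case folding)."""
    # Intended for an assertion captured from your own IdP during testing.
    root = ET.fromstring(assertion_xml)
    return [a.text or "" for a in root.iterfind(".//saml:Audience", SAML_NS)]


def diagnose_entity_id(configured, assertion_xml):
    """Compare the application's configured Entity ID with the assertion's audiences.

    SAML string comparison is exact, so anything other than "match" will be
    rejected by a conforming service provider.
    """
    found = audiences(assertion_xml)
    if configured in found:
        return ("match", configured)
    for value in found:
        if value.casefold() == configured.casefold():
            return ("case-mismatch", value)
    for value in found:
        if value.strip().rstrip("/") == configured.strip().rstrip("/"):
            return ("whitespace-or-slash-mismatch", value)
    return ("mismatch", None)


if __name__ == "__main__":
    # Application side configured in lower case, IdP side capitalised.
    print(diagnose_entity_id("clarity-example-sp", SAMPLE_ASSERTION))
```

Running it against an assertion captured in each environment before the production cutover shows whether the IdP registration and the application setting differ only by case.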