ONTAP System Manager is not accessible after renewing the cluster certificate with SAML enabled
Applies to
- ONTAP 9
- OnCommand System Manager
Issue
System Manager SAML authentication fails with a message that the username or password is incorrect after the cluster certificate has been renewed.
Errors similar to the following may be seen in the cluster's apache_error log:
[Wed Apr 14 19:54:34.665695 2021 +0000] [dot:error] [pid 21325:tid 34376587776] [client xx.xx.xx.xx:60901] [vserver ID 4294967295] [service security] Denied access to user '<saml_user>', application 'http', auth method 'cert'.
[Wed Apr 14 19:54:34.665713 2021 +0000] [authz_core:error] [pid 21325:tid 34376587776] [client xx.xx.xx.xx:60901] AH01631: user <saml_user>: authorization failure for "/security/login":
Errors similar to the following may be seen in the cluster's shibd log:
0000000a.014b5c68 035e5b72 Sat Oct 12 2024 05:21:31 -04:00 [kern_shibd:info:31296] ERROR XMLTooling.CredentialResolver.File [2] [default]: unable to stat local resource (/mroot/etc/vserver_4294967295/certificates/ssl/server/<serial number>/server.key)
0000000a.014b5c69 035e5b72 Sat Oct 12 2024 05:21:31 -04:00 [kern_shibd:info:31296] ERROR XMLTooling.CredentialResolver.File [2] [default]: unable to stat local resource (/mroot/etc/vserver_4294967295/certificates/ssl/server/<serial number>/server.crt)
When checking the SAML service provider configuration on the cluster, the table is empty:
cluster1::> security saml-sp show
This table is currently empty.
Note: Cluster logs can be downloaded using the SPI. See KB How to manually collect logs and copy files from a clustered Data ONTAP storage system for more information.
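The three symptoms above (the `auth method 'cert'` denial in apache_error, the `unable to stat local resource` errors in shibd, and the empty `security saml-sp show` table) form a recognisable signature in the downloaded logs. The following is an added example, not NetApp code from this KB, that scans apache_error and shibd log text for exactly those two messages and reports the certificate serial shibd is still trying to load. It assumes, as the log path suggests, that the serial in `/certificates/ssl/server/<serial>/` is that of a server certificate that no longer exists after renewal; the serial values, client address and log lines in the sample are constructed for the example, and `installed_serials` stands in for the serials listed by `security certificate show` on the cluster.

```python
"""Detect the 'SAML SP still references a renewed cluster certificate' signature.

Added example (not NetApp's code). It looks for the two log messages quoted in
the KB and cross-checks the serial shibd failed to load against the serials of
the certificates currently installed. Sample log lines are constructed.
"""
import re

# shibd: the SAML SP cannot find its server key/cert under the configured serial.
SHIBD_MISSING_RE = re.compile(
    r"unable to stat local resource "
    r"\(/mroot/etc/vserver_(?P<vsid>\d+)/certificates/ssl/server/"
    r"(?P<serial>[^/]+)/server\.(?P<file>key|crt)\)"
)

# apache_error: the SAML user is denied for application 'http' via auth method 'cert'.
APACHE_DENIED_RE = re.compile(
    r"Denied access to user '(?P<user>[^']+)', application 'http', auth method 'cert'"
)


def stale_saml_cert_serials(shibd_log: str) -> dict[str, set[str]]:
    """Map each certificate serial shibd failed to load to the files it was missing."""
    found: dict[str, set[str]] = {}
    for line in shibd_log.splitlines():
        m = SHIBD_MISSING_RE.search(line)
        if m:
            found.setdefault(m.group("serial"), set()).add(m.group("file"))
    return found


def cert_auth_denials(apache_log: str) -> list[str]:
    """Users denied for application 'http' with auth method 'cert', in log order."""
    return [m.group("user") for line in apache_log.splitlines()
            if (m := APACHE_DENIED_RE.search(line))]


def diagnose(apache_log: str, shibd_log: str,
             installed_serials: set[str], saml_sp_configured: bool):
    """Return (matches_kb_signature, details).

    The signature holds when shibd references a serial that is not among the
    installed server certificates (assumption: the pre-renewal certificate),
    SAML users are denied via 'cert', and `security saml-sp show` is empty.
    """
    stale = stale_saml_cert_serials(shibd_log)
    denied = cert_auth_denials(apache_log)
    missing = {s for s in stale if s not in installed_serials}
    matches = bool(missing) and bool(denied) and not saml_sp_configured
    return matches, {
        "stale_serials": sorted(missing),
        "denied_users": sorted(set(denied)),
    }


# Constructed sample lines in the shape of the KB's excerpts (placeholder values).
APACHE_SAMPLE = (
    "[Wed Apr 14 19:54:34.665695 2021 +0000] [dot:error] [pid 21325:tid 34376587776] "
    "[client 192.0.2.10:60901] [vserver ID 4294967295] [service security] "
    "Denied access to user 'saml_user', application 'http', auth method 'cert'.\n"
    "[Wed Apr 14 19:54:34.665713 2021 +0000] [authz_core:error] [pid 21325:tid 34376587776] "
    "[client 192.0.2.10:60901] AH01631: user saml_user: authorization failure for \"/security/login\":\n"
)
SHIBD_SAMPLE = (
    "0000000a.014b5c68 035e5b72 Sat Oct 12 2024 05:21:31 -04:00 [kern_shibd:info:31296] "
    "ERROR XMLTooling.CredentialResolver.File [2] [default]: unable to stat local resource "
    "(/mroot/etc/vserver_4294967295/certificates/ssl/server/OLDSERIAL01/server.key)\n"
    "0000000a.014b5c69 035e5b72 Sat Oct 12 2024 05:21:31 -04:00 [kern_shibd:info:31296] "
    "ERROR XMLTooling.CredentialResolver.File [2] [default]: unable to stat local resource "
    "(/mroot/etc/vserver_4294967295/certificates/ssl/server/OLDSERIAL01/server.crt)\n"
)

if __name__ == "__main__":
    # Placeholder: only the renewed certificate's serial is installed now.
    ok, details = diagnose(APACHE_SAMPLE, SHIBD_SAMPLE,
                           installed_serials={"NEWSERIAL02"}, saml_sp_configured=False)
    print("matches KB signature:", ok, details)
```

Feed it the apache_error and shibd files from the log bundle and the serials shown by `security certificate show -type server`; a non-empty `stale_serials` list identifies the certificate directory the SAML SP is still configured against.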