SAML authentication fails for Cisco DUO with missing uid attribute
- Category:
- oncommand-system-manager
- Specialty:
- om
- Last Updated:
- 2/28/2025, 7:11:06 PM
Applies to
- ONTAP System Manager 9.12.1+
- Cisco DUO
Issue
- Starting with ONTAP 9.12.1, Cisco DUO is a supported IdP.
- When configuring Cisco DUO, System Manager authentication fails with:
The SAML service provider did not identify the user that was authenticated. Ensure that the SAML identity provider is configured to include in its assertion a "uid" attribute (SAML name "urn:oid:0.9.2342.19200300.100.1.1") whose value matches the service provider user name.
Authorization failed for the resource at "/sysmgr/v4/"
- The apache-error log from the cluster shows:
[Thu Jul 13 18:24:21.619555 2023 +0000] [dot:error] [pid 47409:tid 34410555392] [client 10.247.250.234:61560] The user authenticated through SAML or OIDC, but the service provider did not provide a user ID needed for authorization.
[Thu Jul 13 18:24:21.619569 2023 +0000] [authz_core:error] [pid 47409:tid 34410555392] [client 10.247.250.234:61560] AH01631: user : authorization failure for "/sysmgr/v4/"
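The two log lines above say that authentication itself succeeded (the SAML exchange completed) but the assertion carried nothing ONTAP could map to a cluster user, so authorization of the request to "/sysmgr/v4/" failed. The quickest way to confirm this before touching the Duo configuration is to decode the SAML response the browser posted to the cluster (the SAMLResponse form field, base64) and check whether it contains the uid attribute. The check below is an added example, not NetApp or Cisco code; it parses a SAML 2.0 response with the standard library and reports three outcomes: the attribute is absent (the case on this page), it is present but does not match the ONTAP login name, or it is present and matches. The three assertions it runs against are constructed samples, not captured traffic, and the user name "alice" is an assumed ONTAP login.

```python
"""Check a SAML 2.0 response for the uid attribute ONTAP System Manager requires.

Added diagnostic example, not NetApp or Cisco code. ONTAP expects the IdP
assertion to carry an Attribute named urn:oid:0.9.2342.19200300.100.1.1
(friendly name "uid") whose value equals the ONTAP login name of the user.
All SAML documents in this file are constructed samples, not real traffic.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
}
UID_OID = "urn:oid:0.9.2342.19200300.100.1.1"


def check_uid_attribute(saml_xml: str, expected_user: str) -> dict:
    """Diagnose whether the assertion identifies `expected_user` the way ONTAP needs.

    Returns {"ok": bool, "reason": str, "uid_values": [str, ...]}.
    """
    root = ET.fromstring(saml_xml)
    # Accept either a bare <saml2:Assertion> or a <saml2p:Response> wrapping one.
    if root.tag == f"{{{NS['saml2']}}}Assertion":
        assertion = root
    else:
        assertion = root.find(".//saml2:Assertion", NS)
    if assertion is None:
        return {"ok": False, "reason": "no Assertion element found", "uid_values": []}

    # Collect values from every Attribute whose Name is the uid OID or whose
    # FriendlyName is "uid" (IdPs do not always emit both).
    values = []
    for attr in assertion.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") == UID_OID or attr.get("FriendlyName") == "uid":
            for value in attr.findall("saml2:AttributeValue", NS):
                if value.text and value.text.strip():
                    values.append(value.text.strip())

    if not values:
        # This is the condition behind the "did not identify the user" error.
        return {"ok": False,
                "reason": f"assertion has no attribute named {UID_OID} (uid); "
                          "ONTAP cannot identify the authenticated user",
                "uid_values": []}
    if expected_user not in values:
        # Attribute present, but the IdP sends something other than the ONTAP login name.
        return {"ok": False,
                "reason": f"uid value(s) {values} do not match ONTAP user {expected_user!r}",
                "uid_values": values}
    return {"ok": True, "reason": "uid attribute present and matches", "uid_values": values}


def _response(attributes_xml: str) -> str:
    """Constructed minimal SAML response skeleton (signature and conditions omitted)."""
    return f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}">
  <saml2:Assertion ID="_constructed-sample" Version="2.0">
    <saml2:Subject><saml2:NameID>alice@example.com</saml2:NameID></saml2:Subject>
    <saml2:AttributeStatement>{attributes_xml}</saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


# Constructed: IdP sends only a mail attribute, no uid. Reproduces the error on this page.
ASSERTION_MISSING_UID = _response(
    '<saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">'
    '<saml2:AttributeValue>alice@example.com</saml2:AttributeValue></saml2:Attribute>')

# Constructed: IdP sends uid, but populated with the e-mail address instead of the login name.
ASSERTION_WRONG_UID = _response(
    f'<saml2:Attribute Name="{UID_OID}" FriendlyName="uid">'
    '<saml2:AttributeValue>alice@example.com</saml2:AttributeValue></saml2:Attribute>')

# Constructed: uid matches the assumed ONTAP login name "alice".
ASSERTION_OK = _response(
    f'<saml2:Attribute Name="{UID_OID}" FriendlyName="uid">'
    '<saml2:AttributeValue>alice</saml2:AttributeValue></saml2:Attribute>')


if __name__ == "__main__":
    for label, doc in [("missing", ASSERTION_MISSING_UID),
                       ("wrong", ASSERTION_WRONG_UID),
                       ("ok", ASSERTION_OK)]:
        print(label, check_uid_attribute(doc, "alice"))
```

To run it against a real login attempt, capture the POST to the cluster's SAML assertion consumer URL in the browser's developer tools, base64-decode the SAMLResponse field, and pass the resulting XML to `check_uid_attribute` together with the ONTAP user name you expect to log in as. The "wrong" case is the one to watch for with Duo: mapping the uid attribute to the e-mail address makes the attribute present but still leaves ONTAP unable to match it to a cluster user.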