It is possible to authenticate SBM users using more than one Identity Provider (IdP). We do this by manually modifying a couple of files in the Tomcat IDP directory to set up IDPSelectors. See the resolution below.
When setting up SAML2 or updating the IdP SSL certificate, SBM now gets the error 'Incoming SAML message is invalid'. Here are the likely remedies for the error.
It is possible that SBM users can get a SAML2 login error when configured to use third party authentication with SAML2. This issue would have started occurring as of February 2020, and affects many IdP providers such as Okta and SecureAuth. This occurs because of changes in the way third party cookies are handled by Chrome, Firefox and Edge. Specifically, the industry refers to this as the SameSite cookie policy.
If you configure External Identity Provider authentication using a SAML2 service provider and then upgrade to SBM 11.0.1.1, the settings are not preserved in SBM Configurator.
• Third Party Authentication System: Browser user credentials are collected and authenticated by a SAML2 identity provider or another identity management system. You will configure additional settings on the External Identity Provider tab that appears.
To configure SBM to accept authenticated users from an external identity provider, select one of the following:
• Use 3rd Party Service Provider
• Use SAML2 Service Provider (appears if you have selected Single Sign-On)
Refer to one of the following sections according to your selection.
For Tomcat installs this is located in C:\Program Files\Serena\SBM\Common\Tomcat 7.0\server\default\webapps\idp\img or C:\Program Files\Serena\SBM\Common\Tomcat 7.0\server\default\webapps\idp\saml2sp\img. To update the other parts of the login page:
Check that file in your installation to see if it has the following lines:
... virtualClasspath="$/webapps/idp/saml2sp/lib/*.jar"/>
... base="$/webapps/idp/saml2sp/lib"