KB43621 - Pulse One On-premises Enterprise SSO/SAML breaks after upgrade to 2.0.1743

This article describes an issue with Pulse One On-premise where SAML authentication stops working upon upgrading the Pulse One appliance to 2.0.1743
 

 

After upgrading Pulse One On-Premise appliance to version 2.0.1743, Enterprise SSO/SAML authentication fails with the following error displayed in Pulse One authentication response:  

Error in SAML processing : 'No SP configured with entity ID'

This issue occurs due to a change in the way the entity ID of the Pulse One device was used in previous releases vs. Pulse 2.0.1743.

In the previous versions of Pulse One, the entity Id of the Pulse One set in the metadata file that got imported to the PCS device was:

api.domain.com

which generated the entity ID as:

api.pulselab.local/api/v1/saml/sso?realm=pulseone-onprem.pulselab.local/sp-metadata

After upgrading to Pulse One 2.0.1743, the entity ID gets set by extracting the common name from its device certificate, resulting in the entity ID getting modified to:

pulseone.pulselab.local/api/v1/saml/sso?realm=pulseone.domain.com/sp-metadata

This causes SAML authentication to fail because there is no SP configured on the PCS device with this entity ID.  
 

Follow the steps below to resolve this issue by modifying the metadata file on the PCS device for the Pulse One IdP configuration and reload it with the correct entity IDs:

1. On the PCS device, sign in as admin and go to System > Configuration > SAML.
2. Select the Metadata entry for the Pulse One Service Provider.

3. Click on the Download icon indicated in the screenshot above.  
4. Open the downloaded metadata file with a text editor.  It will look similar to the example below:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://api.domain.com/api/v1/saml/sso?realm=hostname.domain.com/sp-metadata">
<md:SPSSODescriptor WantAssertionsSigned="0" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://api.domain.com/api/v1/saml/sso?realm=hostname.domain.com/sp-metadata" index="1" isDefault="1"/>
</md:SPSSODescriptor>
</md:EntityDescriptor

5. Modify the URL in the entityID and the Location fields from https://api.domain.com to https://hostname.domain.com where hostname.domain.com is the common name found in the Pulse One device certificate.  
6. Save the file with a new name. 
7. Navigate to System > Configuration > SAML and click New Metadata Provider.
8. Enter a name for the Metadata provider then select Local and click Choose File.
9. Browse for and select the Metadata file that was modified in step 5.
10. Select Accept Unsigned Metadata.
11. At the bottom of the page, select Service Provider for this Metadata provider.  
12. Save Changes.
13. Go to Signing In > Sign-In SAML > Identity Provider and scroll to the bottom of the page where the Peer Service Providers are listed.
14. Select the original Peer Service Provider and click Delete SP.
15. Navigate to System > Configuration > SAML and delete the Metadata entry that was used before. 
16. Navigate to Signing In > Sign-In SAML > Identity Provider and scroll to the bottom of the page and click Add SP.
17. From the the Entity ID drop-down menu, select the Entity ID of the SP that was modified in step 5 above.  (Configure any other custom settings here that are needed.)
18. Click Save Changes.
19. Navigate to Authentication > Signing In > Metadata Provider.
20. Download the Metadata provider then open the contents in a text editor.
21. Copy the contents of the metadata provider.
22. Login to Pulse One as local admin.
23. Select the settings gear in the upper right corner of the page.and select Pulse One Properties.
24. Expand the Enterprise Connections section.
25. Click the edit icon for the SAML Identity Provider Metadata file.  This will open a text view of the metadata contents.
26. Paste the contents of the metadata file copied in step 21 and click Save.  This will update the SAML Service Provider Metadata contents as required.
27. Sign out of Pulse One and log back in with SSO Enterprise access.