KB45234 - Override Global Host FQDN

Last Modified Date: 9/28/2022 8:36 AM
Synopsis

This article explains the behavior change that occurs when the option "Override Global Host FQDN" is enabled under the SAML auth. server and the configuration change is saved.

Also, if the certificate is changed (under the SAML auth. server), the host entry is updated, which in turn changes the Connect Secure entity ID.
Problem or Goal
Whenever the option "Override Global Host FQDN" is enabled in the SAML setup and the administrator clicks "Save Changes", the Connect Secure entity ID is updated.

Likewise, if the certificate is changed (under the SAML auth. server), the host entry is updated, which then changes the Connect Secure entity ID.
Cause
When the option "Override Global Host FQDN" is enabled, the Connect Secure hostname is overridden for the configured SAML server.

Navigation: Authentication>>Auth.servers>>SAML server.

The behavior is much the same (a host name change) when the certificate applied under the SAML auth. server is changed.

When either of the above scenarios applies, the entity ID configured for the SAML server is automatically updated from SP1 to SP2.

This can be confirmed from the following entries in the admin access log:

Info ADM32045 2022-06-09 12:56:48 - HOFVN9005 - [172.29.161.49] user.name(Clearpass Admin)[.Administrators] - SAML server SAML-ESO: Host saml fqdn changed from '' to 'xxxserver.domain.com'.
Info ADM32045 2022-06-09 12:56:48 - HOFVN9005 - [172.29.161.49] user.name(Clearpass Admin)[.Administrators] - SAML server SAML-ESO: modified time changed from 'Tue Jul 13 07:05:51 2021' to 'Thu Jun 9 12:56:48 2022'.
Info ADM32045 2022-06-09 12:56:48 - HOFVN9005 - [172.29.161.49] user.name(Clearpass Admin)[.Administrators] - SAML server SAML-ESO: ive entity id changed from 'https://abc.domain.com/dana-na/auth/saml-endpoint.cgi?p=sp1' to 'https://abc.domain.com/dana-na/auth/saml-endpoint.cgi?p=sp2'.
Info ADM32045 2022-06-09 12:56:48 - HOFVN9005 - [172.29.161.49] user.name(Clearpass Admin)[.Administrators] - SAML server SAML-ESO: request signing certificate changed from 'serverCert_862' to 'serverCert_973'.
Solution
This change in the Connect Secure entity ID is by design: it happens when the certificate is changed or the option "Override Global Host FQDN" is enabled in the SAML server.

When such an update is made, the entity ID (changed from SP1 to SP2) must also be updated on the IdP side for user authentication to succeed.

Otherwise, users will receive "SAML-transfer failed" messages while connecting to the PCS.
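One way to catch this condition in an exported admin access log, so the IdP can be updated before users hit the failure. This is an added example, not part of the original article or the product; it assumes the log line format shown in the excerpt above, the function name is hypothetical, and the last sample line is constructed.

```python
import re
from collections import defaultdict

# First four lines are the entries quoted in this article; the last one is constructed.
SAMPLE_LOG = """\
Info ADM32045 2022-06-09 12:56:48 - HOFVN9005 - [172.29.161.49] user.name(Clearpass Admin)[.Administrators] - SAML server SAML-ESO: Host saml fqdn changed from '' to 'xxxserver.domain.com'.
Info ADM32045 2022-06-09 12:56:48 - HOFVN9005 - [172.29.161.49] user.name(Clearpass Admin)[.Administrators] - SAML server SAML-ESO: modified time changed from 'Tue Jul 13 07:05:51 2021' to 'Thu Jun 9 12:56:48 2022'.
Info ADM32045 2022-06-09 12:56:48 - HOFVN9005 - [172.29.161.49] user.name(Clearpass Admin)[.Administrators] - SAML server SAML-ESO: ive entity id changed from 'https://abc.domain.com/dana-na/auth/saml-endpoint.cgi?p=sp1' to 'https://abc.domain.com/dana-na/auth/saml-endpoint.cgi?p=sp2'.
Info ADM32045 2022-06-09 12:56:48 - HOFVN9005 - [172.29.161.49] user.name(Clearpass Admin)[.Administrators] - SAML server SAML-ESO: request signing certificate changed from 'serverCert_862' to 'serverCert_973'.
Info ADM32045 2022-06-10 09:15:02 - HOFVN9005 - [172.29.161.49] user.name(Clearpass Admin)[.Administrators] - SAML server SAML-TEST: modified time changed from 'Thu Jun 9 12:56:48 2022' to 'Fri Jun 10 09:15:02 2022'.
"""

# Assumed layout: level, message id, timestamp, node, [source IP], admin[realm], then the change text.
LINE_RE = re.compile(
    r"^\w+ (?P<msgid>\S+) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<node>\S+) - "
    r"\[(?P<src>[^\]]+)\] (?P<admin>.+?)\[[^\]]*\] - SAML server (?P<server>[^:]+): "
    r"(?P<field>.+?) changed from '(?P<old>.*?)' to '(?P<new>.*?)'\.$"
)
# Changes the article names as causes of the entity ID update.
TRIGGER_FIELDS = ("host saml fqdn", "request signing certificate")

def entity_id_changes(log_text):
    """Return one finding per save operation that changed a SAML server's entity ID."""
    events = defaultdict(dict)  # (timestamp, server) -> {field: (old, new)}
    meta = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a SAML server change entry in the assumed format
        key = (m["ts"], m["server"].strip())
        events[key][m["field"].lower()] = (m["old"], m["new"])
        meta[key] = {"admin": m["admin"], "source_ip": m["src"], "node": m["node"]}
    findings = []
    for (ts, server), fields in events.items():
        if "ive entity id" not in fields:
            continue  # saved without an entity ID change: IdP stays in sync
        old, new = fields["ive entity id"]
        findings.append({
            "time": ts, "server": server, **meta[(ts, server)],
            "old_entity_id": old, "new_entity_id": new,
            "triggers": [f for f in TRIGGER_FIELDS if f in fields],
        })
    return findings

if __name__ == "__main__":
    for f in entity_id_changes(SAMPLE_LOG):
        print(f"{f['time']} {f['server']}: update IdP entity ID to {f['new_entity_id']} "
              f"(was {f['old_entity_id']}; triggers: {', '.join(f['triggers']) or 'none logged'})")
```

Each finding carries the new entity ID that has to be configured on the IdP, along with the admin, source IP and the co-logged change that caused it.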
Created By: Harriprasath T S
