Preview Tool

Cisco Bug: CSCvr94305 - APIC login through SAML provider fails when Single-Browser Session is enabled

Last Modified

Aug 27, 2020

Products (1)

  • Cisco Application Policy Infrastructure Controller (APIC)

Known Affected Releases

4.0(3d) 4.2(2f)

Description (partial)

When a user logs into the Cisco APIC GUI and selects the SAL login domain, the authorization fails and the user gets thrown back to the initial login screen. The Cisco APIC NGINX logs show a failure to parse the AVPair value that is sent back by the SAML IDP. When checking the AVPair value returned by the Okta SAML IDP "<inRole value="shell:domains=all//read-all"/>", the value seems to have correct syntax.

- APICs running firmware release 4.0(3d)
- Login Domain configured with a SAML Auth Realm and Okta Identity Provider (IDP)
- APIC User Profile Settings ->  Single Browser Session (SBS) disabled
Bug details contain sensitive information and therefore require a account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.