Redirection issues

If you are facing issues with redirection, check the error messages in web services log files to narrow down the cause of the issue. NetBackup creates logs for the NetBackup web server and for the web server applications. These logs are written to the following location:

UNIX: /usr/openv/logs/nbwebservice
Windows:install_path\NetBackup\logs\nbwebservice

NetBackup web UI does not redirect to the IDP sign in page

The IDP metadata XML file contains the IDP certificate, the entity ID, the redirect URL, and the logout URL. The NetBackup web UI can fail to redirect to the IDP sign in page, if the IDP XML metadata file is outdated or corrupted. The following message is added to the web service log:

Failed to redirect to the IDP server.

To ensure that the latest configuration details are available to the NetBackup primary server, download the latest copy of the XML metadata file from the IDP. Use the IDP XML metadata file to add and enable the latest IDP configuration on the NetBackup primary server. See Configure the SAML keystore and add and enable the IDP configuration.

IDP sign in page does not redirect to the NetBackup web UI

When you enter your credentials in the IDP sign in page, your browser might display an Authentication failed error, instead of redirecting to the NetBackup web UI. Refer to the following table for resolution steps based on the error found in the web service log.

Table:

Web Service log error message	Explanation and recommended action
userPrincipalName not found in response.	While adding the IDP configuration to the NetBackup primary server, the value entered for the user (-u) option must match the SAML attribute name, which is mapped to the userPrincipalName attribute in AD or LDAP. For more information, See Configure the SAML keystore and add and enable the IDP configuration.
userPrincipalName is not in expected format	The IDP sends SAML responses to the NetBackup primary server, which contains SAML user and SAML user group information. To enable the IDP to successfully send this information, ensure the value of userPrincipalName attribute sent by the IDP is defined in the format of `username@domainname`. For more information, See Enroll the NetBackup primary server with the IDP.
Authentication issue instant is too old or in the future	This error can occur because of the following reasons: The date and time of IDP server and the NetBackup primary server is not synchronized. By default, the NetBackup primary server allows a user to remain authenticated for a period of 24 hours. You might encounter this error, If an IDP allows a user to remain authenticated for a period longer than 24 hours. To resolve this error, you can update the SAML authentication lifetime of the NetBackup primary server to match that of the IDP. Specify the new SAML authentication lifetime in the `<installpath>\var\global\wsl\config\web.conf` file on the NetBackup primary server. For example, If your IDP has an authentication lifetime as 36 hours, update the entry in the `web.conf` file as follows: SAML_ASSERTION_LIFETIME_IN_SECS=129600
Response is not success	This error can occur because of the following reasons: The IDP metadata XML file contains an IDP certificate. If you are using a NetBackup CA, ensure that the IDP certificate is updated with latest NetBackup CA certificate information. For more information, See Configure the SAML KeyStore. The Certificate Revocation List (CRL) must be disabled in the IDP if you are using a NetBackup CA keystore.

Redirection issues

Feedback

Feedback