Symantec Access Management


Steps to test SAML 2.0 environment

Sharanabasava Kariyappa, May 09, 2017 11:41 AM

  • 1.  Steps to test SAML 2.0 environment

    Posted May 09, 2017 08:42 AM

    I would need to test the SAML setup. I understand the IdP
    (e.g. http://agentidp.example.com//affwebservices/redirectjsp/) needs to be protected with some Authentication Scheme Basic Template,
    but how about my protected app? I read https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/partnership-federation/getting-started-with-a-simple-partnership and I do not understand how the example target
    (http://spapp.demo.com:80/spsample/welcome.html) is protected, since there is no agent on it.



  • 2.  Re: Steps to test SAML 2.0 environment

    Posted May 09, 2017 08:59 AM

    Hi,

    I believe you are using Partnership Federation.

    It is not mandatory to protect the Target Application, because we get the SAML response from the Identity Provider, and the Service Provider will consume it, create an SMSESSION for the SP domain and redirect to the target.

    If you protect the target with the web agent (it can be any normal agent), we already have an SMSESSION for the SP domain (created after consuming the SAML Response), so the web agent will validate the SMSESSION and authorize the resource. (This is an extra level of authorization.)

    Please refer to the link below for more details.

    Application Integration at the Relying Party - CA Single Sign-On - 12.6.01 - CA Technologies Documentation

    Thanks,

    Sharan



  • 3.  Re: Steps to test SAML 2.0 environment

    Posted May 09, 2017 10:15 AM

    Hi, after performing the provided basic test:

    <a href="http://agentsp.example.com/affwebservices/public/saml2authnrequest?ProviderID=agentidp.example.com">Link to Test POST Single Sign-on</a> (testsso.html)

    I am getting in the browser (it is directed to http://agentidp.example.com/affwebservices/redirectjsp/redirect.jsp):

    HTTP Status 400 - Bad Request. The request had bad syntax or incorrect parameters. Transaction ID: 2693d65f-ed3ae6b2-50a52490-c18e808e-8307cf0e-329 failed.

    type Status report

    message Bad Request. The request had bad syntax or incorrect parameters. Transaction ID: 2693d65f-ed3ae6b2-50a52490-c18e808e-8307cf0e-329 failed.

    description The request sent by the client was syntactically incorrect.

    Apache Tomcat/7.0.70

    Where did I go wrong in the configuration?



  • 4.  Re: Steps to test SAML 2.0 environment

    Posted May 09, 2017 10:30 AM

    Hi,

    You are trying to test the SP-initiated federation journey.

    Once you hit the SP-initiated URL, it will redirect to the IDP along with the SAML request.

    --> /affwebservices/public/saml2sso?SAMLRequest=

    The IDP will decode the SAML request and fetch the details required for processing it. Once it finds an authentication URL, it will send the request to the authentication URL along with the SAML request, like below.

    /affwebservices/redirectjsp/redirect.jsp?SAMLRequest=

    Since the authentication URL is protected, you will get a login page to enter the credentials, and once authentication/authorization is successful, it will redirect the request to public/saml2sso along with the SMSESSION and the SAML request, like below.

    /affwebservices/public/saml2sso?SMASSERTIONREF=QUERY&SAMLRequest=f

    Are you using a custom login page? If so, please make sure to redirect the request to public/saml2sso after authentication.

    Also, please check the FWSTrace logs for the transaction ID and find out what error is coming in the logs.

    Also, is it failing after entering the credentials or before entering the credentials?

    Thanks,

    Sharan
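The hop sequence described in the reply above, walked by a small checker over an HTTP trace so that a stalled, failed or looping journey is named rather than eyeballed. This is an example added by the editor, not code from the thread or from CA. The Federation Web Services paths and hostnames are the ones used in this thread; the step names, the `check_chain` function and the three sample chains (with placeholder `SAMLRequest` values) are constructed for the example.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Steps of the flow described in the reply, in the order the browser should
# visit them. The IdP-initiated flow simply starts one step later.
SP_INITIATED = ["sp_authnrequest", "idp_sso", "idp_authentication_url",
                "idp_sso_after_authn", "sp_assertion_consumer"]
IDP_INITIATED = SP_INITIATED[1:]


def classify(url):
    """Map one URL of a redirect chain to the Federation Web Services step it represents."""
    parts = urlsplit(url)
    path = parts.path.lower()
    qs = parse_qs(parts.query, keep_blank_values=True)
    if path.endswith("/affwebservices/public/saml2authnrequest"):
        return "sp_authnrequest" if "ProviderID" in qs else "sp_authnrequest_no_providerid"
    if path.endswith("/affwebservices/public/saml2sso"):
        # SMASSERTIONREF means the request is coming back from the authentication URL.
        return "idp_sso_after_authn" if "SMASSERTIONREF" in qs else "idp_sso"
    if path.endswith("/redirectjsp/redirect.jsp"):
        return "idp_authentication_url"
    if path.endswith("/affwebservices/public/saml2assertionconsumer"):
        return "sp_assertion_consumer"
    return "other"


def check_chain(hops):
    """hops: list of (url, http_status) in the order the browser followed them.

    Returns (flow, steps, verdict); verdict is 'complete', 'loop at ...',
    'failed at ... with HTTP ...' or 'stalled after ...'."""
    steps = [classify(url) for url, _ in hops]
    flow = "sp-initiated" if steps and steps[0] == "sp_authnrequest" else "idp-initiated"
    expected = SP_INITIATED if flow == "sp-initiated" else IDP_INITIATED
    # A loop shows up as one endpoint being hit again and again (constructed threshold: 3).
    for step, n in Counter(steps).items():
        if step != "other" and n >= 3:
            return flow, steps, f"loop at {step} ({n} hits)"
    progress = 0
    for step, (_, status) in zip(steps, hops):
        # A 401 on the protected authentication URL is the Basic challenge, not a failure.
        if status >= 400 and not (status == 401 and step == "idp_authentication_url"):
            return flow, steps, f"failed at {step} with HTTP {status}"
        if progress < len(expected) and step == expected[progress]:
            progress += 1
    if progress == len(expected):
        return flow, steps, "complete"
    return flow, steps, f"stalled after {expected[progress - 1] if progress else 'start'}"


# Constructed sample chains; the SAMLRequest values are placeholders, not real requests.
GOOD = [
    ("http://agentsp.example.com/affwebservices/public/saml2authnrequest?ProviderID=myidp", 302),
    ("http://agentidp.example.com/affwebservices/public/saml2sso?SAMLRequest=PLACEHOLDER", 302),
    ("http://agentidp.example.com/affwebservices/redirectjsp/redirect.jsp?SAMLRequest=PLACEHOLDER", 401),
    ("http://agentidp.example.com/affwebservices/redirectjsp/redirect.jsp?SAMLRequest=PLACEHOLDER", 302),
    ("http://agentidp.example.com/affwebservices/public/saml2sso?SMASSERTIONREF=QUERY&SAMLRequest=PLACEHOLDER", 200),
    ("http://agentsp.example.com/affwebservices/public/saml2assertionconsumer", 302),
]
LOOP = [  # shaped like the redirect pyramid seen later in this thread
    ("http://agentidp.example.com/affwebservices/public/saml2sso?SPID=mysp", 302),
    ("http://agentidp.example.com/siteminderagent/redirectjsp/redirect.jsp?SPID=mysp", 302),
    ("http://agentidp.example.com/affwebservices/public/saml2sso?SMASSERTIONREF=QUERY&SPID=mysp", 302),
    ("http://agentidp.example.com/siteminderagent/redirectjsp/redirect.jsp?SMASSERTIONREF=QUERY&SPID=mysp", 302),
    ("http://agentidp.example.com/affwebservices/public/saml2sso?SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SPID=mysp", 302),
    ("http://agentidp.example.com/siteminderagent/redirectjsp/redirect.jsp?SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SPID=mysp", 302),
]
ACS_403 = [  # IdP side completes, SP rejects the assertion
    ("http://agentidp.example.com/affwebservices/public/saml2sso?SPID=mysp", 302),
    ("http://agentidp.example.com/affwebservices/redirectjsp/redirect.jsp?SPID=mysp", 401),
    ("http://agentidp.example.com/affwebservices/redirectjsp/redirect.jsp?SPID=mysp", 302),
    ("http://agentidp.example.com/affwebservices/public/saml2sso?SMASSERTIONREF=QUERY&SPID=mysp", 200),
    ("http://agentsp.example.com/affwebservices/public/saml2assertionconsumer", 403),
]

if __name__ == "__main__":
    for name, chain in (("good", GOOD), ("loop", LOOP), ("acs_403", ACS_403)):
        flow, steps, verdict = check_chain(chain)
        print(f"{name}: {flow}: {verdict}")
```

Feed it the URL/status pairs from a Fiddler or browser trace in order; the verdict tells you which side (SP or IdP) and which endpoint to pull the FWSTrace transaction for.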



  • 5.  Re: Steps to test SAML 2.0 environment

    Posted May 09, 2017 11:21 AM

    Hi, it is failing before the credentials.

    I have created:

    1. http://ahttp.example.com/testsso.html that has (<a href="http://agentsp.example.com/affwebservices/public/saml2authnrequest?ProviderID=agentidp.example.com">Link to Test POST Single Sign-on</a>)

    2. When I click "Link to Test POST Single Sign-on" it is redirecting to:

    http://agentsp.example.com/affwebservices/public/saml2authnrequest?ProviderID=agentidp.example.com

    with content HTTP Status 400 - Bad Request. The request had bad syntax or incorrect parameters...

    The http://agentidp.example.com/affwebservices/redirectjsp/ itself is protected by the Basic Template, and when I point the browser there I get the Basic login box.

    I assume the same box should pop up when I hit http://ahttp.example.com/testsso.html



  • 6.  Re: Steps to test SAML 2.0 environment

    Posted May 09, 2017 11:29 AM

    I think an SMSESSION is already present in the browser for ".example.com", hence you are not getting the login page.

    Please capture a Fiddler trace and also check the FWSTrace logs to find out why it is saying bad request.

    Also, did you test IDP-initiated?

    If not, please try with the URL below.

    http://agentidp.example.com/affwebservices/public/saml2sso?SPID=enteryourspid

    Thanks,

    Sharan



  • 7.  Re: Steps to test SAML 2.0 environment

    Posted May 09, 2017 11:39 AM

    Is enteryourspid my service provider "remote" Entity Id?



  • 8.  Re: Steps to test SAML 2.0 environment

    Posted May 09, 2017 11:41 AM

    Yes, it is the service provider entity ID.

    Thanks,

    Sharan



  • 9.  Re: Steps to test SAML 2.0 environment

    Posted May 09, 2017 11:44 AM

    http://agentidp.example.com/affwebservices/public/saml2sso?SPID=mysp

    result:

    HTTP Status 403 - Request Forbidden. Transaction ID: f43cc649-2abf832c-e18b04d3-ff612b42-967258a3-5 failed.


    type Status report

    message Request Forbidden. Transaction ID: f43cc649-2abf832c-e18b04d3-ff612b42-967258a3-5 failed.

    description Access to the specified resource has been forbidden.



  • 10.  Re: Steps to test SAML 2.0 environment

    Posted May 09, 2017 11:48 AM

    Please check the points below.

    1) Verify whether the SP ID is valid.

    2) Is the JCE (unlimited Java cryptography encryption) patch applied on the policy server?

    Also refer to the KB article below.

    Could not find service provider information for sp/idp

    Thanks,

    Sharan



  • 11.  Re: Steps to test SAML 2.0 environment



  • 12.  Re: Steps to test SAML 2.0 environment

    Posted May 09, 2017 12:21 PM

    Kindly verify that the authentication URL is mentioned properly in the partnership and that it is reaching the correct server for authentication.

    Please capture the Fiddler trace and the corresponding agent trace, FWSTrace and Smtrace, and find out why it is going into a loop.

    Thanks,

    Sharan



  • 13.  Re: Steps to test SAML 2.0 environment

    Posted May 09, 2017 12:29 PM

    Authentication URL: http://agentidp.example.com/affwebservices/redirectjsp/redirect.jsp. Is this correct?

    Will try to enable all traces.



  • 14.  Re: Steps to test SAML 2.0 environment

    Posted May 09, 2017 12:36 PM

    Yes, the Authentication URL looks correct.

    Please enable the logs and verify further.

    Thanks,

    Sharan



  • 15.  Re: Steps to test SAML 2.0 environment

    Posted May 10, 2017 02:57 AM

    Hi, I am attaching the HTTP trace and FWSTrace.

    Attachment(s): http_trace.txt.zip (985 B), FWSTrace_cp.log.zip (4 KB)


  • 16.  Re: Steps to test SAML 2.0 environment

    Posted May 10, 2017 07:22 AM

    I can see a pyramid of redirects, but I cannot figure out the reason:

    [SAML2 Single Sign-On Service redirecting to authentication URL: http://agentidp.example.com/siteminderagent/redirectjsp/redirect.jsp?SPID=mysp&...
    [SAML2 Single Sign-On Service redirecting to authentication URL: http://agentidp.example.com/siteminderagent/redirectjsp/redirect.jsp?SMASSERTIONREF...
    [SAML2 Single Sign-On Service redirecting to authentication URL: http://agentidp.example.com/siteminderagent/redirectjsp/redirect.jsp?SMASSERTIONREF=QUERY&SPID...
    [SAML2 Single Sign-On Service redirecting to authentication URL: http://agentidp.example.com/siteminderagent/redirectjsp/redirect.jsp?SMASSERTIONREF=QUERY&SMASSERTIONREF....
    [SAML2 Single Sign-On Service redirecting to authentication URL: http://agentidp.example.com/siteminderagent/redirectjsp/redirect.jsp?SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF....
    [SAML2 Single Sign-On Service redirecting to authentication URL: http://agentidp.example.com/siteminderagent/redirectjsp/redirect.jsp?SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF...



  • 17.  Re: Steps to test SAML 2.0 environment

    Posted May 10, 2017 07:30 AM

    The /redirectjsp/ resource needs to be protected with forms authentication, e.g. login.fcc? It seems that it is protected with an authentication scheme which has redirect.jsp itself as the login page, and as such it is getting into a loop.




  • 18.  Re: Steps to test SAML 2.0 environment

    Posted May 10, 2017 07:41 AM

    It seems like you have renamed the SMSESSION to idpSESSION (SSOZoneName set to idp).

    [05/10/2017][06:43:24][3754][139765126670080][1467648b-74912c36-879ba7bd-82e76afc-f05e0ca7-be6][SSO.java][getSavedRequestDataUsingGuid][Enter getSavedRequestDataUsingGuid]
    [05/10/2017][06:43:24][3754][139765126670080][][DelegatedAuthHelper][getCookie][Cookie Name: idpSESSION]


    But the Option Pack is looking for SMSESSION; since there is no SMSESSION you are getting redirected to the authentication URL and looped in this step.

    [05/10/2017][06:43:24][3754][139765126670080][1467648b-74912c36-879ba7bd-82e76afc-f05e0ca7-be6][SSO.java][processRequest][Request to validate the session [CHECKPOINT = SSOSAML2_SESSIONCOOKIEVALIDATE_REQ]]
    [05/10/2017][06:43:24][3754][139765126670080][1467648b-74912c36-879ba7bd-82e76afc-f05e0ca7-be6][FWSBase.java][isValidSession][Checking for valid SESSION cookies.]
    [05/10/2017][06:43:24][3754][139765126670080][1467648b-74912c36-879ba7bd-82e76afc-f05e0ca7-be6][FWSBase.java][getSessionData][session cookie name: SMSESSION]
    [05/10/2017][06:43:24][3754][139765126670080][1467648b-74912c36-879ba7bd-82e76afc-f05e0ca7-be6][FWSBase.java][getSessionData][evaluate trusted zone: SM]
    [05/10/2017][06:43:24][3754][139765126670080][1467648b-74912c36-879ba7bd-82e76afc-f05e0ca7-be6][FWSBase.java][isValidSession][No SESSION cookie on request.]
    [05/10/2017][06:43:24][3754][139765126670080][1467648b-74912c36-879ba7bd-82e76afc-f05e0ca7-be6][SSO.java][processRequest][Force Authn is disabled.]
    [05/10/2017][06:43:24][3754][139765126670080][1467648b-74912c36-879ba7bd-82e76afc-f05e0ca7-be6][SSO.java][processRequest][Current session state is: false]
    [05/10/2017][06:43:24][3754][139765126670080][1467648b-74912c36-879ba7bd-82e76afc-f05e0ca7-be6][SSO.java][processRequest][Current session is not a valid session.]
    [05/10/2017][06:43:24][3754][139765126670080][1467648b-74912c36-879ba7bd-82e76afc-f05e0ca7-be6][SSO.java][processRequest][Session cookie does not exists. redirecting to authentication url

    Can you please remove/comment out the SSOZoneName ACO parameter and re-test the application, OR add idp under the trusted zone and re-test the application.

    Thanks,

    Sharan
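Added by the editor, not code from the thread or from CA: a small parser for FWSTrace lines of the layout quoted in this reply, which pulls out the two findings Sharan made by eye, the cookie-name mismatch (`idpSESSION` presented, `SMSESSION` expected) and the redirect loop with its accumulating `SMASSERTIONREF` parameters. The sample lines are the ones quoted in this thread; the regular expressions, the function names and the loop threshold are this example's own assumptions.

```python
import re

# Field layout of an FWSTrace line as quoted in the thread (assumed fixed here):
# [date][time][pid][thread][transaction id][source file][method][message]
# The message may contain nested brackets or be cut off, so it is matched loosely.
FWS_LINE = re.compile(r"^" + r"\[([^\]]*)\]" * 7 + r"\[(.*?)\]?\s*$")
FIELDS = ("date", "time", "pid", "thread", "txid", "source", "method", "message")
AUTH_REDIRECT = re.compile(r"redirecting to authentication URL: (\S+)")


def parse_line(line):
    """Return the fields of one FWSTrace line as a dict, or None if it does not fit the layout."""
    m = FWS_LINE.match(line.strip())
    return dict(zip(FIELDS, m.groups())) if m else None


def cookie_mismatch(lines):
    """Return (cookie_presented, cookie_expected) when the cookie the browser sent and the
    session cookie name Federation Web Services look for differ, otherwise None."""
    presented = expected = None
    for rec in filter(None, map(parse_line, lines)):
        msg = rec["message"]
        if rec["method"] == "getCookie" and msg.startswith("Cookie Name: "):
            presented = msg[len("Cookie Name: "):]
        elif rec["method"] == "getSessionData" and msg.startswith("session cookie name: "):
            expected = msg[len("session cookie name: "):]
    if presented and expected and presented != expected:
        return presented, expected
    return None


def redirect_loop(lines):
    """Count redirects to the authentication URL and the highest number of times
    SMASSERTIONREF appears in one of those URLs (it is appended on every lap)."""
    urls = [m.group(1) for m in map(AUTH_REDIRECT.search, lines) if m]
    return len(urls), max((u.count("SMASSERTIONREF") for u in urls), default=0)


def diagnose(lines, loop_threshold=3):
    """Human-readable findings for a slice of FWSTrace output."""
    findings = []
    mismatch = cookie_mismatch(lines)
    if mismatch:
        findings.append("cookie name mismatch: browser sent %s, FWS looks for %s "
                        "(check SSOZoneName and the trusted zone list)" % mismatch)
    n, depth = redirect_loop(lines)
    if n >= loop_threshold:
        findings.append(f"redirect loop: {n} redirects to the authentication URL, "
                        f"SMASSERTIONREF repeated up to {depth} times")
    return findings


# Sample input: the lines quoted in this thread (truncated exactly as the poster pasted them).
SAMPLE_TRACE = """
[SAML2 Single Sign-On Service redirecting to authentication URL: http://agentidp.example.com/siteminderagent/redirectjsp/redirect.jsp?SPID=mysp&...
[SAML2 Single Sign-On Service redirecting to authentication URL: http://agentidp.example.com/siteminderagent/redirectjsp/redirect.jsp?SMASSERTIONREF...
[SAML2 Single Sign-On Service redirecting to authentication URL: http://agentidp.example.com/siteminderagent/redirectjsp/redirect.jsp?SMASSERTIONREF=QUERY&SPID...
[SAML2 Single Sign-On Service redirecting to authentication URL: http://agentidp.example.com/siteminderagent/redirectjsp/redirect.jsp?SMASSERTIONREF=QUERY&SMASSERTIONREF....
[SAML2 Single Sign-On Service redirecting to authentication URL: http://agentidp.example.com/siteminderagent/redirectjsp/redirect.jsp?SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF....
[SAML2 Single Sign-On Service redirecting to authentication URL: http://agentidp.example.com/siteminderagent/redirectjsp/redirect.jsp?SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF...
[05/10/2017][06:43:24][3754][139765126670080][1467648b-74912c36-879ba7bd-82e76afc-f05e0ca7-be6][SSO.java][getSavedRequestDataUsingGuid][Enter getSavedRequestDataUsingGuid]
[05/10/2017][06:43:24][3754][139765126670080][][DelegatedAuthHelper][getCookie][Cookie Name: idpSESSION]
[05/10/2017][06:43:24][3754][139765126670080][1467648b-74912c36-879ba7bd-82e76afc-f05e0ca7-be6][SSO.java][processRequest][Request to validate the session [CHECKPOINT = SSOSAML2_SESSIONCOOKIEVALIDATE_REQ]]
[05/10/2017][06:43:24][3754][139765126670080][1467648b-74912c36-879ba7bd-82e76afc-f05e0ca7-be6][FWSBase.java][isValidSession][Checking for valid SESSION cookies.]
[05/10/2017][06:43:24][3754][139765126670080][1467648b-74912c36-879ba7bd-82e76afc-f05e0ca7-be6][FWSBase.java][getSessionData][session cookie name: SMSESSION]
[05/10/2017][06:43:24][3754][139765126670080][1467648b-74912c36-879ba7bd-82e76afc-f05e0ca7-be6][FWSBase.java][getSessionData][evaluate trusted zone: SM]
[05/10/2017][06:43:24][3754][139765126670080][1467648b-74912c36-879ba7bd-82e76afc-f05e0ca7-be6][FWSBase.java][isValidSession][No SESSION cookie on request.]
[05/10/2017][06:43:24][3754][139765126670080][1467648b-74912c36-879ba7bd-82e76afc-f05e0ca7-be6][SSO.java][processRequest][Session cookie does not exists. redirecting to authentication url
""".strip().splitlines()

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_TRACE):
        print(finding)
```

Run it over the FWSTrace slice for one transaction ID; the mismatch finding is the one to check against the agent's SSOZoneName and the trusted-zone configuration before anything else, since it explains the loop on its own.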



  • 19.  Re: Steps to test SAML 2.0 environment

    Posted May 10, 2017 08:27 AM

    Much nicer error now :-).

    It is redirected to (after credentials):

    http://agentsp.example.com/affwebservices/public/saml2assertionconsumer

    HTTP Status 403 - Request forbidden. Transaction ID: 1540add3-cad12c11-ba8373a2-49ac2117-fb557134-98df failed.


    type Status report

    message Request forbidden. Transaction ID: 1540add3-cad12c11-ba8373a2-49ac2117-fb557134-98df failed.

    description Access to the specified resource has been forbidden.


    Apache Tomcat/7.0.70



  • 20.  Re: Steps to test SAML 2.0 environment

    Posted May 10, 2017 08:32 AM

    The IDP is able to post the SAML Response to the SP, but it is failing at the SP end. Kindly track the request with the transaction ID in the FWSTrace and SMtrace logs to find the reason for the failure.

    Thanks,

    Sharan



  • 21.  Re: Steps to test SAML 2.0 environment

    Posted May 10, 2017 08:54 AM

    By SMtrace you mean Policy Server traces?



  • 22.  Re: Steps to test SAML 2.0 environment

    Posted May 10, 2017 09:00 AM

    Something is wrong with the user directory:

    [User directory : 'psql', returned more than one user for search: '=name=admin'. Failed to disambiguate user uniquely. Returning user not found status code.]



  • 23.  Re: Steps to test SAML 2.0 environment
    Best Answer

    Posted May 10, 2017 09:10 AM

    The Policy Server can use one of the following methods for the disambiguation process:

    Extract the Name ID value from the assertion.
    Use the value of a specific attribute from the assertion.
    Use the value that the XPath query obtains.

    Did you put an ODBC search specification like below?

    name=%s

    Please refer to the link below for User Identification at the Relying Party:
    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/partnership-federation/user-identification-for-a-partnership

    Thanks,

    Sharan



  • 24.  Re: Steps to test SAML 2.0 environment

    Posted May 10, 2017 09:33 AM

    Going back to where we started:

    <a href="http://agentsp.example.com/affwebservices/public/saml2authnrequest?ProviderID=agentidp.example.com">Link to Test POST Single Sign-on</a>

    gives the exact same error:

    HTTP Status 400 - Bad Request. The request had bad syntax or incorrect parameters. Transaction ID: 161696f5-eafd763c-47af1586-e7e0ef80-a250e871-1551 failed.


    type Status report

    message Bad Request. The request had bad syntax or incorrect parameters. Transaction ID: 161696f5-eafd763c-47af1586-e7e0ef80-a250e871-1551 failed.

    description The request sent by the client was syntactically incorrect.


    Apache Tomcat/7.0.70



  • 25.  Re: Steps to test SAML 2.0 environment

    Posted May 10, 2017 09:13 AM

    Looks like you cannot have the same user name and group name in that simple SQL directory.

    I have amended the user admin to Admin, and I am redirected to the Target Application after I click and provide credentials

    on:

    <a href="http://agentidp.example.com/affwebservices/public/saml2sso?SPID=mysp">SPID</a>
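To make the disambiguation step from the best answer and the fix in this reply concrete, an example added by the editor (not code from the thread or from CA): it extracts the identifying value from a constructed SAML assertion by one of the three methods listed (Name ID, a named attribute, or an XPath expression), substitutes it into a `name=%s` style search specification as a bound parameter rather than by string formatting, and applies the one-match rule that produced the "returned more than one user" message above. The `entries` table holding both a user and a group named `admin` is a hypothetical simplification built to reproduce the symptom, not CA's directory schema, and the rename only helps because the comparison is case-sensitive, as it was in the poster's directory.

```python
import sqlite3
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed minimal assertion: only the parts the disambiguation step reads.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>admin@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def identifying_value(assertion_xml, method):
    """Pick the value the directory search will use: 'nameid', 'attribute:<Name>' or 'xpath:<expr>'."""
    root = ET.fromstring(assertion_xml)
    if method == "nameid":
        node = root.find("saml:Subject/saml:NameID", NS)
    elif method.startswith("attribute:"):
        name = method.split(":", 1)[1]
        node = root.find(f"saml:AttributeStatement/saml:Attribute[@Name='{name}']/saml:AttributeValue", NS)
    elif method.startswith("xpath:"):
        node = root.find(method.split(":", 1)[1], NS)  # ElementTree's limited XPath subset
    else:
        raise ValueError(f"unknown disambiguation method {method!r}")
    return node.text.strip() if node is not None and node.text else None


def build_directory():
    """Hypothetical one-table directory holding users and groups, seeded like the poster's setup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entries (name TEXT NOT NULL, kind TEXT NOT NULL)")
    conn.executemany("INSERT INTO entries VALUES (?, ?)",
                     [("admin", "user"), ("admin", "group"), ("alice", "user")])
    return conn


def disambiguate(conn, search_spec, value):
    """Apply a '<column>=%s' search specification with the value bound as a parameter.
    Exactly one row is a hit; zero rows is not found and several rows is ambiguous,
    which the Policy Server log above also reports as user not found."""
    column, _, placeholder = search_spec.partition("=")
    if placeholder.strip() != "%s":
        raise ValueError("only '<column>=%s' search specifications are modelled here")
    column = column.strip()
    if not column.isidentifier():  # the column name comes from configuration; guard it anyway
        raise ValueError(f"bad column name {column!r}")
    rows = conn.execute(f"SELECT name, kind FROM entries WHERE {column} = ?", (value,)).fetchall()
    if len(rows) == 1:
        return "found", rows[0]
    return ("ambiguous" if rows else "not found"), rows


def resolve_user(conn, assertion_xml, method, search_spec):
    """Full step: pick the value out of the assertion, then search the directory with it."""
    value = identifying_value(assertion_xml, method)
    if value is None:
        return "not found", []
    return disambiguate(conn, search_spec, value)


if __name__ == "__main__":
    conn = build_directory()
    print(resolve_user(conn, ASSERTION, "nameid", "name=%s"))  # ambiguous: user and group both 'admin'
    conn.execute("UPDATE entries SET name = 'Admin' WHERE name = 'admin' AND kind = 'user'")
    print(resolve_user(conn, ASSERTION.replace(">admin<", ">Admin<"), "nameid", "name=%s"))  # found
```

The durable fix is a search specification over a column that is unique for users (or a user-only view), so that a group with the same name can never satisfy it; renaming the user, as done in the thread, only side-steps the collision.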


  • 26.  Re: Steps to test SAML 2.0 environment

    Posted May 10, 2017 09:30 AM

    If I’ve answered your question please mark my response as the Correct Answer.

    Thanks,

    Sharan



  • 27.  Re: Steps to test SAML 2.0 environment

    Posted May 10, 2017 09:39 AM

    Almost. How about the first test we were trying:

    <a href="http://agentsp.example.com/affwebservices/public/saml2authnrequest?ProviderID=agentidp.example.com">Link to Test POST Single Sign-on</a>

    It gives the same error we started with:

    HTTP Status 400 - Bad Request. The request had bad syntax or incorrect parameters.



  • 28.  Re: Steps to test SAML 2.0 environment

    Posted May 10, 2017 09:42 AM

    Please create a new thread for this.

    I would suggest enabling FWSTrace and SMtrace at the IDP, tracking the request and finding out why it is saying bad request.

    Also, you can use Fiddler to capture the traffic.

    Thanks,

    Sharan



  • 29.  Re: Steps to test SAML 2.0 environment

    Posted May 10, 2017 09:43 AM

    OK, you are doubly correct; the test should be:

    <a href="http://agentsp.example.com/affwebservices/public/saml2authnrequest?ProviderID=myidp">Link to Test POST Single Sign-on</a><br>


  • 30.  Re: Steps to test SAML 2.0 environment

    Posted May 10, 2017 03:04 AM

    To get started with Federation configuration in CA SSO, I would strongly advise you to go through the "Federation Starters" blog series written by our Federation guru SungHoon_Kim:

    Federation Starters

    Federation Starters 2

    Federation Starters 3

    Federation Starters 4

    Federation Starters 5

    Federation Starters 6

    Federation Starters 8

    Federation Starters 9

    They are extremely helpful. You will also get an idea of troubleshooting techniques should you encounter any issues.

    Regards,

    Ujwol