I would need to test SAML setup. I understand IdP
(eg http://agentidp.example.com//affwebservices/redirectjsp/) needs to be protected with some Authentication Scheme Basic Template.
but how about my protected app, I read https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/partnership-federation/getting-started-with-a-simple-partnership and I do not understand how example target
(http://spapp.demo.com:80/spsample/welcome.html) is protected since there is no agent on it.
Hi,
I believe you are using Partnership federation.
It is not mandatory to protect the Target Application. Because we get the SAML response from Identity provider and Service provider will consume it and create SMSESSION for SP domain and redirect to the target.
If you protect the target with the web agent (It can be any normal agent), We already have SMSESSION for SP domain (which is created after consuming the SAML Response), So web agent will validate the SMSESSION and Authorize the resource. (This is an extra level of Authorization)
Please refer below link for more details.
Thanks,
Sharan
Hi, after performing provided basic test:
<a href="http://agentsp.example.com/affwebservices/public/saml2authnrequest?ProviderID=agentidp.example.com">Link to Test POST Single Sign-on</a> (testsso.html)
I am getting in browser (it is directed to http://agentidp.example.com/affwebservices/redirectjsp/redirect.jsp)
HTTP Status 400 - Bad Request. The request had bad syntax or incorrect parameters. Transaction ID: 2693d65f-ed3ae6b2-50a52490-c18e808e-8307cf0e-329 failed.
type Status report
message Bad Request. The request had bad syntax or incorrect parameters. Transaction ID: 2693d65f-ed3ae6b2-50a52490-c18e808e-8307cf0e-329 failed.
description The request sent by the client was syntactically incorrect.
Apache Tomcat/7.0.70
Where did I go wrong in configuration?
Hi,
You are trying to test SP Initiated federation journey.
Once you hit the SP initiated URL, It will redirect to IDP along with the SAML request.
--> /affwebservices/public/saml2sso?SAMLRequest=
IDP will decode the SAML request and fetch the required details for processing the request. Once it finds an authentication URL, it will send the request to authentication URL along with SAML request like below.
/affwebservices/redirectjsp/redirect.jsp?SAMLRequest=
Since authentication URL is protected, you will get login page to enter the credentials and once authentication/authorization is successfull, it will redirect the request to public/saml2sso along with SMSESSION and SAML request like below.
/affwebservices/public/saml2sso?SMASSERTIONREF=QUERY&SAMLRequest=f
Are you using custom login page? if so please make sure to redirect the request to public/saml2sso after the authentication.
Also please check the FWSTrace logs for the transaction ID and find out what is the error coming in the logs.
Also is it failing after entering the credentials or before entering the credentials?
Thanks,
Sharan
Hi, it is failing before credentials.
I have created:
1. http://ahttp.example.com/testsso.html that has (<a href="http://agentsp.example.com/affwebservices/public/saml2authnrequest?ProviderID=agentidp.example.com">Link to Test POST Single Sign-on</a>)
2. When I click "Link to Test POST Single Sign-on" it is redirecting to:
http://agentsp.example.com/affwebservices/public/saml2authnrequest?ProviderID=agentidp.example.com
with content HTTP Status 400 - Bad Request. The request had bad syntax or incorrect parameters...
The
http://agentidp.example.com/affwebservices/redirectjsp/
itself is protected by Basic Template and when I point browser there I have Basic login box.I assume the same box should pop up when I hit http://ahttp.example.com/testsso.html
I think, SMSESSION is already present in the browser for ".example.com", Hence you are not getting the login page.
Please capture the fiddler trace and also check the FWSTrace logs and find out why it is saying bad request.
Also did you test IDP Initiated?
If not please try with below URL.
http://agentidp.example.com/affwebservices/public/saml2sso?SPID=enteryourspid
Thanks,
Sharan
Is enteryourspid my service provider "remote" Entity Id?
http://agentidp.example.com/affwebservices/public/saml2sso?SPID=mysp
result:
HTTP Status 403 - Request Forbidden. Transaction ID: f43cc649-2abf832c-e18b04d3-ff612b42-967258a3-5 failed.
type Status report
message Request Forbidden. Transaction ID: f43cc649-2abf832c-e18b04d3-ff612b42-967258a3-5 failed.
description Access to the specified resource has been forbidden.
Please check below points.
1) verify SP ID is valid or not?
2) JCE (Unlimited Java cryptography encryption) patch applied on the policy server?
Also refer below KB article.
Could not find service provider information for sp/idp
Thanks,
Sharan
You were right there was no JCE.
Now http://agentidp.example.com/affwebservices/public/saml2sso?SPID=mysp shows Basic login box and after I put in credentials I have terrible url and The page isn't redirecting properly / ERR_TOO_MANY_REDIRECTS
http://agentidp.example.com/affwebservices/public/saml2sso?SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SPID=mysp&SAMLTRANSACTIONID=1eb5b363-6eea492d-a1f70933-8f4c1f1d-26a9c3cc-a0a&SAMLTRANSACTIONID=8ae9b78e-c8974a6e-4545d749-167cc66c-09cbdcbe-622&SAMLTRANSACTIONID=e03429f3-6806f05a-226ccc28-d9c5cc23-11823d86-dc4&SAMLTRANSACTIONID=a8b339b7-1d51ba8c-5ea070a8-7e4ebdae-19f21f97-20f&SAMLTRANSACTIONID=11a736a3-fd4d5a2f-ab86064e-1a0a7951-e215f685-cfd4&SAMLTRANSACTIONID=20c9325d-3f6cd2d9-5acfcbe7-02aa4c61-1155522b-05&SAMLTRANSACTIONID=9af026ef-0f794da6-3b7c93c6-229b2115-b54b28e0-839&SAMLTRANSACTIONID=1492153f-c6c52674-73b7af02-74dbcc15-3de28f2f-aaf&SAMLTRANSACTIONID=81f652ec-244b9ad5-0ab239aa-07b4f066-d7072d2b-61&SAMLTRANSACTIONID=156c01fe-48ee3b32-9494d397-75856f6c-ae30fb32-d1cKindly verify authentication URL is mentioned properly in the partnership and it is reaching to correct server for authentication ?
Please capture the fiddler trace and corresponding agent trace, FWSTrace and Smtrace and find out why it is going in loop.
Thanks,
Sharan
Authentication URL: http://agentidp.example.com/affwebservices/redirectjsp/redirect.jsp is this correct?
Will try to enable all traces.
Yes, Authentication URL looks correct.
Please enable the logs and verify further.
Thanks,
Sharan
Hi I am attaching http trace and FWSTrace.
I can see pyramid of redirects, but I can not figure out reason:
[SAML2 Single Sign-On Service redirecting to authentication URL: http://agentidp.example.com/siteminderagent/redirectjsp/redirect.jsp?SPID=mysp&...
[SAML2 Single Sign-On Service redirecting to authentication URL: http://agentidp.example.com/siteminderagent/redirectjsp/redirect.jsp?SMASSERTIONREF...
[SAML2 Single Sign-On Service redirecting to authentication URL: http://agentidp.example.com/siteminderagent/redirectjsp/redirect.jsp?SMASSERTIONREF=QUERY&SPID...
[SAML2 Single Sign-On Service redirecting to authentication URL: http://agentidp.example.com/siteminderagent/redirectjsp/redirect.jsp?SMASSERTIONREF=QUERY&SMASSERTIONREF....
[SAML2 Single Sign-On Service redirecting to authentication URL: http://agentidp.example.com/siteminderagent/redirectjsp/redirect.jsp?SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF....
[SAML2 Single Sign-On Service redirecting to authentication URL: http://agentidp.example.com/siteminderagent/redirectjsp/redirect.jsp?SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF...- the /redirectjsp/ resource needs to be protected with forms authentication e.g login.fcc? it seems that it is protected with an authentication scheme which has login page as redirect.jsp itself and as such getting into loop..,
It seems like you have renamed the SMSESSION to idpSESSION (SSOZoneName set to idp).
[05/10/2017][06:43:24][3754][139765126670080][1467648b-74912c36-879ba7bd-82e76afc-f05e0ca7-be6][SSO.java][getSavedRequestDataUsingGuid][Enter getSavedRequestDataUsingGuid]
[05/10/2017][06:43:24][3754][139765126670080][][DelegatedAuthHelper][getCookie][Cookie Name: idpSESSION]But option pack is looking for SMSESSION, since there is no smsession you are getting redirected to authentication url and getting looped in this step.
[05/10/2017][06:43:24][3754][139765126670080][1467648b-74912c36-879ba7bd-82e76afc-f05e0ca7-be6][SSO.java][processRequest][Request to validate the session [CHECKPOINT = SSOSAML2_SESSIONCOOKIEVALIDATE_REQ]]
[05/10/2017][06:43:24][3754][139765126670080][1467648b-74912c36-879ba7bd-82e76afc-f05e0ca7-be6][FWSBase.java][isValidSession][Checking for valid SESSION cookies.]
[05/10/2017][06:43:24][3754][139765126670080][1467648b-74912c36-879ba7bd-82e76afc-f05e0ca7-be6][FWSBase.java][getSessionData][session cookie name: SMSESSION]
[05/10/2017][06:43:24][3754][139765126670080][1467648b-74912c36-879ba7bd-82e76afc-f05e0ca7-be6][FWSBase.java][getSessionData][evaluate trusted zone: SM]
[05/10/2017][06:43:24][3754][139765126670080][1467648b-74912c36-879ba7bd-82e76afc-f05e0ca7-be6][FWSBase.java][isValidSession][No SESSION cookie on request.]
[05/10/2017][06:43:24][3754][139765126670080][1467648b-74912c36-879ba7bd-82e76afc-f05e0ca7-be6][SSO.java][processRequest][Force Authn is disabled.]
[05/10/2017][06:43:24][3754][139765126670080][1467648b-74912c36-879ba7bd-82e76afc-f05e0ca7-be6][SSO.java][processRequest][Current session state is: false]
[05/10/2017][06:43:24][3754][139765126670080][1467648b-74912c36-879ba7bd-82e76afc-f05e0ca7-be6][SSO.java][processRequest][Current session is not a valid session.]
[05/10/2017][06:43:24][3754][139765126670080][1467648b-74912c36-879ba7bd-82e76afc-f05e0ca7-be6][SSO.java][processRequest][Session cookie does not exists. redirecting to authentication urlCan you please remove/comment the SSOZoneName ACO patameter and re-test the application OR add idp under trusted zone and re-test the application.
Thanks,
Sharan
Much nicer error now :-).
It is redirected to (after credentials):
http://agentsp.example.com/affwebservices/public/saml2assertionconsumer
HTTP Status 403 - Request forbidden. Transaction ID: 1540add3-cad12c11-ba8373a2-49ac2117-fb557134-98df failed.
type Status report
message Request forbidden. Transaction ID: 1540add3-cad12c11-ba8373a2-49ac2117-fb557134-98df failed.
description Access to the specified resource has been forbidden.
Apache Tomcat/7.0.70
IDP is able to post the SAML Response to SP but it is failing at SP end. Kindly track the request with the transactionID in FWSTrace and SMtrace logs to find the reason for the failure.
Thanks,
Sharan
By SMtrace you mean Policy Server traces?
Something wrong with user directory:
[User directory : 'psql', returned more than one user for search: '=name=admin'. Failed to disambiguate user uniquely. Returning user not found status code.]
- 2 people found this helpful
The Policy Server can use one of the following methods for the disambiguation process:
Extract the Name ID value from the assertion.
Use the value of a specific attribute from the assertion.
Use the value that the Xpath query obtains.Did you put ODBC search specification like below?
name=%s
Please refer below link for User Identification at the Relying Party
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/partnership-federation/user-identification-for-a-partnershipThanks,
Sharan
Going back to where we started:
<a href="http://agentsp.example.com/affwebservices/public/saml2authnrequest?ProviderID=agentidp.example.com">Link to Test POST Single Sign-on</a>
gives the same exact error:HTTP Status 400 - Bad Request. The request had bad syntax or incorrect parameters. Transaction ID: 161696f5-eafd763c-47af1586-e7e0ef80-a250e871-1551 failed.
type Status report
message Bad Request. The request had bad syntax or incorrect parameters. Transaction ID: 161696f5-eafd763c-47af1586-e7e0ef80-a250e871-1551 failed.
description The request sent by the client was syntactically incorrect.
Apache Tomcat/7.0.70
Looks like you can not have the same user name and group name in that simple sql directory.
I have amended user admin to Admin and I am redirected to Target Application after I click and provide credentials
on:
<a href="http://agentidp.example.com/affwebservices/public/saml2sso?SPID=mysp">SPID</a>
If I’ve answered your question please mark my response as the Correct Answer.
Thanks,
Sharan
Almost, how about first test we were trying:
<a href="http://agentsp.example.com/affwebservices/public/saml2authnrequest?ProviderID=agentidp.example.com">Link to Test POST Single Sign-on</a>
it gives the same error where we started:
HTTP Status 400 - Bad Request. The request had bad syntax or incorrect parameters.
Please create new thread for this.
I would suggest the to enable FWSTrace and SMtrace at IDP and track the request and find out why it is saying bad request.
Also you can use Fiddler to capture the traffic.
Thanks,
Sharan
ok, you are double correct, test should be:
<a href="http://agentsp.example.com/affwebservices/public/saml2authnrequest?ProviderID=myidp">Link to Test POST Single Sign-on</a> </br>
- 1 person found this helpful
To get started with Federation configuration in CA SSO, I would strongly advise you to go through these "Federation Starters" series blog written by our Federation guru SungHoon_Kim
They are extremely helpful. You will also get idea on troubleshooting techniques should you encounter any issues.
Regards,
Ujwol
The Policy Server can use one of the following methods for the disambiguation process:
Extract the Name ID value from the assertion.
Use the value of a specific attribute from the assertion.
Use the value that the Xpath query obtains.
Did you put ODBC search specification like below?
name=%s
Please refer below link for User Identification at the Relying Party
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/partnership-federation/user-identification-for-a-partnership
Thanks,
Sharan