Symantec Access Management

  • 1.  OpenID Connect Provider with CA Single Sign On 12.8- PoC

    Posted Aug 14, 2018 08:28 PM

    Here I have detailed the configuration of CA Single Sign On 12.8 as an OpenID Connect provider.

     

    Please help us to move ahead. I am not sure what I am missing here. I have followed the link below to configure the OpenID authorization provider with an Apache client.

     

    CA SSO OpenID Connect Provider - with Apache OpenID Client 


    Authorization Provider setup:

     

    1. Name: SSO12.8OIDC
    2. User Directory: Selected
    3. Search Specification : empty
    4. Authorization base URL : https://ec2-18-191-195-234.us-east-2.compute.amazonaws.com
    5. Authorization Code Expiry Time : 10 mins
    6. Use Secure Authentication URL: Yes
    7. Min Authentication level : 5
    8. Enable Dynamic Authentication Mode : No
    9. Authentication URL: https://ec2-18-191-195-234.us-east-2.compute.amazonaws.com/affwebservices/secure/secureredirect
    10. Signing Certificate Alias : SPS (Created through wam ui)
    11. Signing Algorithm: RS256 & Select only Sign ID Token

     

    12. Claim mapping
    Claim Name:                User attribute
        email                       cn
        username                    smLogin

     

    13. Scope Mapping
    Scope name                  Claim Name
    email                          email
    username                       username

     


    Client Setup on siteminder:

     

    Client name : Apache-OIDC
    Disable User Consent : Yes
    Application Type: Confidential
    Authentication Type: POST
    Authorization Provider: SSO12.8OIDC
    Scopes: openid, email, username (selected).
    Grant Types: Authorization Code
    Response Types: code
    Redirect URL : https://sasikumar.chenniyappan.usr.optusnet.com.au/openid/redirect.html
    Access Token: 20 mins timeout
    ID Token: 20 mins timeout

     

    Authentication Scheme and Protection:
    Resource : /affwebservices/secure/secureredirect
    Auth.Scheme : Basic (Authentication level-5)
    Persistent session realm created.

     

    ======================================
    Client Setup:
    Apache OpenID Client:

     

    Section of httpd.conf:

     

    # Off only because the Access Gateway presents a self-signed certificate in this PoC;
    # set it On (with the CA in the Apache trust store) before trusting tokens from this provider.
    OIDCSSLValidateServer Off
    OIDCProviderIssuer https://ec2-18-191-195-234.us-east-2.compute.amazonaws.com
    # Client ID and secret as issued for the "Apache-OIDC" client on the provider side.
    OIDCClientID 000f4164-d937-1b63-9647-0f3fac1f0000
    OIDCClientSecret 2yCqGbmuaEOSi4s0DvmWaWklINMy7uiPoP1LJJdkDGQ=
    OIDCProviderAuthorizationEndpoint https://ec2-18-191-195-234.us-east-2.compute.amazonaws.com/affwebservices/CASSO/oidc/authorize
    OIDCProviderTokenEndpoint https://ec2-18-191-195-234.us-east-2.compute.amazonaws.com/affwebservices/CASSO/oidc/token
    # Must match the Redirect URL registered for the client on the provider.
    OIDCRedirectURI https://sasikumar.chenniyappan.usr.optusnet.com.au/openid/redirect.html
    OIDCCryptoPassphrase somepassword
    # Matches "Authentication Type: POST" in the client setup on the provider.
    OIDCProviderTokenEndpointAuth client_secret_post
    OIDCProviderJwksUri https://ec2-18-191-195-234.us-east-2.compute.amazonaws.com/affwebservices/CASSO/oidc/jwks?AuthorizationProvider=SSO12.8OIDC
    OIDCScope "openid email username"
    OIDCProviderUserInfoEndpoint https://ec2-18-191-195-234.us-east-2.compute.amazonaws.com/affwebservices/CASSO/oidc/userinfo

     

    <Location /openid/>
    AuthType openid-connect
    Require valid-user
    </Location>

     

    ********************
    Note:
    1. CA Access gateway enabled for SSL (self signed certificate)
    2. LDAP dsa1 as user store
    3. LDAP dsa2 as sessions store
    4. LDAP dsa1 as object store and key store.
    ********************
    Environment:

     

    1. CA Access Gateway:
    Linux ip-172-31-14-176.us-east-2.compute.internal 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux

     

    2. CA Directory
    Linux ip-172-31-1-147.us-east-2.compute.internal 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux

     

    3. Siteminder policy server:
    Linux ip-172-31-15-63.us-east-2.compute.internal 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux

     

    4. Apache Client:
    Linux sasikumar.chenniyappan.usr.optusnet.com.au 4.17.11-100.fc27.x86_64 #1 SMP Mon Jul 30 15:22:33 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

     

    ============================================================================================================================================================
    Problem Statement:

     

    1. When user accessing apache protected resource using

     

        https://sasikumar.chenniyappan.usr.optusnet.com.au/openid/dumpvars.sh

     

    2. user challenged for authentication.

     

    3. user enters credentials and submits.

     

    4. authentication successful and enters into loop between https://ec2-18-191-195-234.us-east-2.compute.amazonaws.com/affwebservices/CASSO/oidc/authorize and protected

     

    https://ec2-18-191-195-234.us-east-2.compute.amazonaws.com/affwebservices/secure/secureredirect?response_type=code&scope=openid%20email%20username&client_id=000f4164-d937-1b63-9647-0f3fac1f0000&state=z2Wf3v6V9-Pb-7szWnPgUoANtMI&redirect_uri=https%3A%2F%2Fsasikumar.chenniyappan.usr.optusnet.com.au%2Fopenid%2Fdumpvars.bat&nonce=iyQHX-qK55OG1TfEMSXtQpODp4KAwIvAPM78nMaRvw4&SMPORTALURL=https%3A%2F%2Fec2-18-191-195-234.us-east-2.compute.amazonaws.com%2Faffwebservices%2FCASSO%2Foidc%2Fauthorize

     

    HTTP Status 500 - Internal Error occured while trying to process the request. Transaction ID: 91b3144d-e900f7d1-5e9a1592-41e662d1-1dde4eba-5cc failed.

     

    type Status report

     

    message Internal Error occured while trying to process the request. Transaction ID: 91b3144d-e900f7d1-5e9a1592-41e662d1-1dde4eba-5cc failed.

     

    description The server encountered an internal error that prevented it from fulfilling this request.

     

    affwebserv.log
    [7805/139925230561024][Wed Aug 15 2018 00:24:09][SecureRedirect.java][ERROR][sm-FedClient-02890] Transaction with ID: 91b3144d-e900f7d1-5e9a1592-41e662d1-1dde4eba-5cc failed. Reason: SERE_GET_EXCEPTION (, , )
    [7805/139925230561024][Wed Aug 15 2018 00:24:09][SecureRedirect.java][ERROR][sm-FedClient-01660] Exception caught in class com.netegrity.affiliateminder.webservices.SecureRedirect, method doGet, message com.netegrity.siteminder.agentcommon.utils.k: Failed to decrypt.. (, )

     

    FWSTrace.log
    08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,doGet,OpenIDConnect Authorization Service Service received GET request.
    08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,doGet,Query String:response_type=code&scope=openid%20email%20username&client_id=000f4164-d937-1b63-9647-0f3fac1f0000&state=z2Wf3v6V9-Pb-7szWnPgUoANtMI&redirect_uri=https%3A%2F%2Fsasikumar.chenniyappan.usr.optusnet.com.au%2Fopenid%2Fdumpvars.bat&nonce=iyQHX-qK55OG1TfEMSXtQpODp4KAwIvAPM78nMaRvw4
    08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,getSavedRequestDataUsingGuid,Enter getSavedRequestDataUsingGuid
    08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,retrieveRequestDataFromStateCookie,return Map: null
    08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,getClientInfo,Obtained client information from cache for: 000f4164-d937-1b63-9647-0f3fac1f0000.
    08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,getClientInfo,Obtained client information from cache for: 000f4164-d937-1b63-9647-0f3fac1f0000.
    08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,validateInputWithConfiguration,redirectURI=https://sasikumar.chenniyappan.usr.optusnet.com.au/openid/dumpvars.bat
    08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,validateInputWithConfiguration,state=z2Wf3v6V9-Pb-7szWnPgUoANtMI
    08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,validateInputWithConfiguration,scope=openid email username
    08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,validateInputWithConfiguration,nonce=iyQHX-qK55OG1TfEMSXtQpODp4KAwIvAPM78nMaRvw4
    08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,validateInputWithConfiguration,response_type=code
    08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,validateInputWithConfiguration,validScopes: openid email username
    08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,processRequest,CLIENT_NAME/AffiliateName: SSO12.8OIDC
    08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,processRequest,RealmOID: 06-0000f104-d8fc-1b63-9647-0f3fac1f0000
    08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,processRequest,Validating current session.
    08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,FWSBase.java,isValidSession,Checking for valid SESSION cookies.
    08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,FWSBase.java,getSessionData,Request does not have any cookies.
    08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,FWSBase.java,isValidSession,No SESSION cookie on request.
    08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,processRequest,prompt=login. Hence will reauthenticate the user.
    08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,processRequest,Query string after removing login value from prompt query parameter=response_type=code&scope=openid%20email%20username&client_id=000f4164-d937-1b63-9647-0f3fac1f0000&state=z2Wf3v6V9-Pb-7szWnPgUoANtMI&redirect_uri=https%3A%2F%2Fsasikumar.chenniyappan.usr.optusnet.com.au%2Fopenid%2Fdumpvars.bat&nonce=iyQHX-qK55OG1TfEMSXtQpODp4KAwIvAPM78nMaRvw4
    08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,getAuthenticationURL,AuthenticationType = 1
    08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,getAuthenticationURL,Authentication Type is null/Local, returning default authentication url = https://ec2-18-191-195-234.us-east-2.compute.amazonaws.com/affwebservices/secure/secureredirect
    08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,getLocalServiceURL,Enter getLocalServiceURL
    08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,getLocalServiceURL,Using Proxy URL for local SSO service:  https://ec2-18-191-195-234.us-east-2.compute.amazonaws.com/affwebservices/CASSO/oidc/authorize
    08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,processAuthentication,Not using secure authentication URL.
    08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,processAuthentication,OpenIDConnect Authorization Service Service redirecting to authentication URL: https://ec2-18-191-195-234.us-east-2.compute.amazonaws.com/affwebservices/secure/secureredirect?response_type=code&scope=openid%20email%20username&client_id=000f4164-d937-1b63-9647-0f3fac1f0000&state=z2Wf3v6V9-Pb-7szWnPgUoANtMI&redirect_uri=https%3A%2F%2Fsasikumar.chenniyappan.usr.optusnet.com.au%2Fopenid%2Fdumpvars.bat&nonce=iyQHX-qK55OG1TfEMSXtQpODp4KAwIvAPM78nMaRvw4&SMPORTALURL=https%3A%2F%2Fec2-18-191-195-234.us-east-2.compute.amazonaws.com%2Faffwebservices%2FCASSO%2Foidc%2Fauthorize.
    08/15/2018,00:24:09,7805,139925230561024,91b3144d-e900f7d1-5e9a1592-41e662d1-1dde4eba-5cc,SecureRedirect.java,doGet,SAML2 Secure Redirect Service received GET request.
    08/15/2018,00:24:09,7805,139925230561024,91b3144d-e900f7d1-5e9a1592-41e662d1-1dde4eba-5cc,SecureRedirect.java,doGet,Query string is: response_type=code&scope=openid%20email%20username&client_id=000f4164-d937-1b63-9647-0f3fac1f0000&state=z2Wf3v6V9-Pb-7szWnPgUoANtMI&redirect_uri=https%3A%2F%2Fsasikumar.chenniyappan.usr.optusnet.com.au%2Fopenid%2Fdumpvars.bat&nonce=iyQHX-qK55OG1TfEMSXtQpODp4KAwIvAPM78nMaRvw4&SMPORTALURL=https%3A%2F%2Fec2-18-191-195-234.us-east-2.compute.amazonaws.com%2Faffwebservices%2FCASSO%2Foidc%2Fauthorize
    08/15/2018,00:24:09,7805,139925230561024,91b3144d-e900f7d1-5e9a1592-41e662d1-1dde4eba-5cc,SecureRedirect.java,doGet,Transaction with ID: 91b3144d-e900f7d1-5e9a1592-41e662d1-1dde4eba-5cc failed. Reason: SERE_GET_EXCEPTION
    08/15/2018,00:24:09,7805,139925230561024,91b3144d-e900f7d1-5e9a1592-41e662d1-1dde4eba-5cc,SecureRedirect.java,doGet,Exception caught in class com.netegrity.affiliateminder.webservices.SecureRedirect, method doGet: com.netegrity.siteminder.agentcommon.utils.k: Failed to decrypt.
    08/15/2018,00:24:09,7805,139925230561024,91b3144d-e900f7d1-5e9a1592-41e662d1-1dde4eba-5cc,SecureRedirect.java,doGet,Stack Trace: com.netegrity.siteminder.agentcommon.utils.k: Failed to decrypt.
        at com.netegrity.affiliateminder.webservices.f.a(fedfws_obfsc:3935)
        at com.netegrity.affiliateminder.webservices.SecureRedirect.doGet(fedfws_obfsc:189)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:624)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at com.netegrity.affiliateminder.webservices.CAFedFilter.doFilter(fedfws_obfsc:58)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:106)
        at com.netegrity.proxy.ProxyValve.processRequest(Unknown Source)
        at com.netegrity.proxy.ProxyValve.invoke(Unknown Source)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
        at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)
    Caused by: com.netegrity.siteminder.agentcommon.utils.k: SiteMinder Decryption Exception
        at com.netegrity.siteminder.agentcommon.utils.SmCryptoUtil.c(Unknown Source)
        at com.netegrity.siteminder.agentcommon.utils.SmCryptoUtil.e(Unknown Source)
        at com.netegrity.affiliateminder.webservices.f.a(fedfws_obfsc:3930)
        ... 24 more
    Caused by: com.ca.sso.smcrypto.SmCryptoLibException: org.bouncycastle.crypto.internal.io.StreamIOException: Error closing stream:
        at com.ca.sso.smcrypto.bcfipsimpl.SmBaseCrypto.decryptBytes(SmBaseCrypto.java:421)
        ... 27 more
    Caused by: org.bouncycastle.crypto.internal.io.StreamIOException: Error closing stream:
        at org.bouncycastle.crypto.internal.io.CipherOutputStreamImpl.close(Unknown Source)
        at com.ca.sso.smcrypto.bcfipsimpl.SmBaseCrypto.decryptBytes(SmBaseCrypto.java:384)
        ... 27 more
    Caused by: org.bouncycastle.crypto.internal.DataLengthException: last block incomplete in decryption
        at org.bouncycastle.crypto.internal.paddings.PaddedBufferedBlockCipher.doFinal(Unknown Source)
        ... 29 more

     

    Exception history:
        com.ca.sso.smcrypto.SmCryptoLibException: org.bouncycastle.crypto.internal.io.StreamIOException: Error closing stream:
        com.netegrity.siteminder.agentcommon.utils.k: SiteMinder Decryption Exception



  • 2.  Re: OpenID Connect Provider with CA Single Sign On 12.8- PoC

    Broadcom Employee
    Posted Aug 16, 2018 02:01 AM

    Hi Suhas, I am not as directly involved in SSO as I was - but I did do some of the sample setup for this use case. 

     

    For the problem you have - it looks like an SMSESSION cookie is expected, and the exception is a byproduct of that cookie being missing - this may be due to a missing policy to protect the secureredirect realm - as below.

     

    The Exception :

    For this case, the exception in the trace log is because it expects the PORTALURL query parameter to be encrypted – and it is not.

     

    But prior to that it looked for a SESSION cookie (presumably SMSESSION) and did not find it

     

    So I think it is expecting SMSESSION cookie, and that is the first failure – and the stacktrace is a follow on error.

     

    Maybe they have missed this setup :

     

    In :

    https://communities.ca.com/docs/DOC-231177118-ca-sso-openid-connect-provider-with-apache-openid-client

     

    The secureredirect needs to be protected with the webagent – so any request past that will have an SMSESSION cookie - and maybe they missed that step or did not apply it correctly.

     

    The /affwebservices/secure/secureredirect realm, contains our Access Gateway webagent (here called agent) :

    We are using the "Basic" auth scheme - but it could be any other auth scheme.

    It contains one rule: AllowGetPost :

     

    That will ensure that access is only allowed when a valid SMSESSION cookie is seen. 

     

    Cheers - Mark



  • 3.  Re: OpenID Connect Provider with CA Single Sign On 12.8- PoC

    Posted Aug 16, 2018 02:13 AM

    Hi Mark,

     

    Thank you for your response. here is the protection we did,

     

    Authentication Scheme and Protection:
    Resource : /affwebservices/secure/secureredirect
    Auth.Scheme : Basic (Authentication level-5)
    Persistent session realm created.

    Rules:

    OnGetPost

    OnAuthAccept

    OnAccessAccept.

     

    I assume, if /affwebservices/secure/secureredirect is not protected, we will not be challenged for authentication. However, we are getting challenged for authentication with basic authentication and then we are seeing that encryption issue.

     

    Note: SMPORTAL URL encryption depends whether authentication URL is secure or non-secure, we kept that as non secure and we are using 12.8 siteminder stack.

     

    Cheers.

    Suhas.



  • 4.  Re: OpenID Connect Provider with CA Single Sign On 12.8- PoC

    Posted Aug 16, 2018 09:29 AM

    Suhas Suhas.Kulkarni

     

    I mentioned this on the other thread as well. But your choosing to use /affwebservices/secure/secureredirect as the Authentication URL while keeping the SecureURL box unchecked is an incorrect configuration.

     

    We can use the SecureURL or the UnSecureURL, but refer below for how each URL should be used in combination with the "Use Secure Authentication URL" check box. Irrespective of which URL is used, the URL has to be protected.

     

    Non Persistent Realm.

    Authentication URL : https://FQDN/affwebservices/secure/secureredirect 

    [Use Secure Authentication URL "Checked"] :

    Realm Protecting /affwebservices/secure/secureredirect*

    Authentication URL : https://FQDN/affwebservices/redirectjsp/redirect.jsp 

    [Use Secure Authentication URL "UnChecked"] :

    Realm Protecting /affwebservices/redirectjsp/redirect.jsp*

     

     

    Also please check this thread as well. Have we enabled JCE on Java? Tech Tip : CA Single Sign-On : SecureRedirect webapp error 

     

    Regards

     

    Hubert



  • 5.  Re: OpenID Connect Provider with CA Single Sign On 12.8- PoC

    Broadcom Employee
    Posted Aug 18, 2018 03:14 AM

    Hi Suhas 

     

    You wrote :

    I assume, if /affwebservices/secure/secureredirect is not protected, we will not be challenged for authentication. However, we are getting challenged for authentication with basic authentication and then we are seeing that encryption issue.

     

    It's probably best to look at the webagenttrace.log to confirm what actually happened.  There should be evidence of processing the request, asking for basic auth, then processing the auth request and then passing the request to the FWS module. 

     

    The evidence from FWSTrace log you posted above is that the request arrives in FWS without an SMSESSION cookie.

     

     

    Cheers - Mark
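    Mark's diagnosis above rests on one FWSTrace.log fact: the authorize transaction logs "No SESSION cookie on request." and then redirects to the authentication URL. The following script is an added example (not part of the thread, and not CA code) that pulls exactly that evidence out of a trace file: it parses the comma-separated FWSTrace line shape quoted in the first post, lists authorize transactions that arrived without a SESSION cookie and were bounced to secureredirect, flags OIDC state values that come round more than once (the loop in the problem statement), and correlates the SecureRedirect SERE_GET_EXCEPTION failure. The embedded log is a constructed sample with placeholder hosts (idp.example, rp.example) and shortened transaction IDs.

```python
"""Triage helper for the FWSTrace.log pattern discussed in the thread: authorize
requests that reach FWS without a SESSION cookie, the same state looping back,
and the SecureRedirect failure that follows. Added example, not CA code."""
from __future__ import annotations
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs

# Constructed sample in the FWSTrace.log shape quoted in the thread
# (date,time,pid,tid,transaction id,source file,method,message). Hosts and
# transaction IDs are placeholders; two authorize passes carry the same state.
SAMPLE_FWSTRACE = """\
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4,AuthorizationService.java,doGet,OpenIDConnect Authorization Service Service received GET request.
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4,AuthorizationService.java,doGet,Query String:response_type=code&scope=openid%20email%20username&client_id=000f4164-d937-1b63-9647-0f3fac1f0000&state=z2Wf3v6V9-Pb-7szWnPgUoANtMI&redirect_uri=https%3A%2F%2Frp.example%2Fopenid%2Fredirect.html&nonce=iyQHX
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4,FWSBase.java,getSessionData,Request does not have any cookies.
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4,FWSBase.java,isValidSession,No SESSION cookie on request.
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4,AuthorizationService.java,processAuthentication,OpenIDConnect Authorization Service Service redirecting to authentication URL: https://idp.example/affwebservices/secure/secureredirect?response_type=code&state=z2Wf3v6V9-Pb-7szWnPgUoANtMI&SMPORTALURL=https%3A%2F%2Fidp.example%2Faffwebservices%2FCASSO%2Foidc%2Fauthorize.
08/15/2018,00:24:09,7805,139925230561024,91b3144d-e900f7d1,SecureRedirect.java,doGet,SAML2 Secure Redirect Service received GET request.
08/15/2018,00:24:09,7805,139925230561024,91b3144d-e900f7d1,SecureRedirect.java,doGet,Transaction with ID: 91b3144d-e900f7d1 failed. Reason: SERE_GET_EXCEPTION
08/15/2018,00:24:12,7805,139925228455680,7a1c0d2e-9b8f1e3d,AuthorizationService.java,doGet,OpenIDConnect Authorization Service Service received GET request.
08/15/2018,00:24:12,7805,139925228455680,7a1c0d2e-9b8f1e3d,AuthorizationService.java,doGet,Query String:response_type=code&scope=openid%20email%20username&client_id=000f4164-d937-1b63-9647-0f3fac1f0000&state=z2Wf3v6V9-Pb-7szWnPgUoANtMI&redirect_uri=https%3A%2F%2Frp.example%2Fopenid%2Fredirect.html&nonce=iyQHX
08/15/2018,00:24:12,7805,139925228455680,7a1c0d2e-9b8f1e3d,FWSBase.java,isValidSession,No SESSION cookie on request.
08/15/2018,00:24:12,7805,139925228455680,7a1c0d2e-9b8f1e3d,AuthorizationService.java,processAuthentication,OpenIDConnect Authorization Service Service redirecting to authentication URL: https://idp.example/affwebservices/secure/secureredirect?response_type=code&state=z2Wf3v6V9-Pb-7szWnPgUoANtMI&SMPORTALURL=https%3A%2F%2Fidp.example%2Faffwebservices%2FCASSO%2Foidc%2Fauthorize.
"""

# The first seven fields never contain commas; the message may, so it is greedy.
LINE_RE = re.compile(
    r"^(?P<date>[^,]+),(?P<time>[^,]+),(?P<pid>\d+),(?P<tid>\d+),"
    r"(?P<txid>[^,]+),(?P<file>[^,]+),(?P<method>[^,]+),(?P<msg>.*)$"
)


def parse_fwstrace(text: str) -> list[dict[str, str]]:
    """One dict per well-formed trace line; stack-trace continuation lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def by_transaction(records: list[dict[str, str]]) -> dict[str, list[dict[str, str]]]:
    groups: dict[str, list[dict[str, str]]] = defaultdict(list)
    for r in records:
        groups[r["txid"]].append(r)
    return groups


def authorize_without_session(records: list[dict[str, str]]) -> dict[str, dict[str, str]]:
    """Authorize transactions whose request carried no SESSION cookie and were
    redirected to the authentication URL, keyed by transaction id."""
    findings: dict[str, dict[str, str]] = {}
    for txid, recs in by_transaction(records).items():
        msgs = [r["msg"] for r in recs]
        query = next((m.split("Query String:", 1)[1] for m in msgs if m.startswith("Query String:")), None)
        target = next((m.split("authentication URL: ", 1)[1].rstrip(".")
                       for m in msgs if "redirecting to authentication URL: " in m), None)
        if query is None or target is None or "No SESSION cookie on request." not in msgs:
            continue
        params = parse_qs(query)
        findings[txid] = {
            "time": recs[0]["time"],
            "client_id": params.get("client_id", [""])[0],
            "state": params.get("state", [""])[0],
            "redirected_to": target.split("?", 1)[0],
        }
    return findings


def detect_loops(records: list[dict[str, str]], min_passes: int = 2) -> dict[str, int]:
    """state values that hit the authorize endpoint min_passes or more times without a
    session: the relying party never received its code, so the same request returns."""
    counts = Counter(f["state"] for f in authorize_without_session(records).values())
    return {state: n for state, n in counts.items() if n >= min_passes}


def secureredirect_failures(records: list[dict[str, str]]) -> list[str]:
    """Transactions in which SecureRedirect itself failed (the HTTP 500 seen in the browser)."""
    return sorted({r["txid"] for r in records
                   if r["file"] == "SecureRedirect.java" and "SERE_GET_EXCEPTION" in r["msg"]})


if __name__ == "__main__":
    recs = parse_fwstrace(SAMPLE_FWSTRACE)
    for txid, f in authorize_without_session(recs).items():
        print(f"{f['time']} {txid}: no SESSION cookie, client {f['client_id']} "
              f"state {f['state']} -> {f['redirected_to']}")
    print("looping states:", detect_loops(recs))
    print("SecureRedirect failures:", secureredirect_failures(recs))
```

    Run it against a real FWSTrace.log by replacing SAMPLE_FWSTRACE with the file contents; a non-empty result from detect_loops, paired with a SecureRedirect failure in the same minute, is the signature Mark describes, and the next place to look is the webagenttrace.log for the Set-Cookie that the browser evidently did not return.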

     

     

     

     



  • 6.  Re: OpenID Connect Provider with CA Single Sign On 12.8- PoC
    Best Answer

    Posted Aug 20, 2018 11:24 PM

    Hello All, 

     

    Thank you to all who have responded to my query. We have resolved the problem. 

     

    Here is the problem: 

     

    We are using an AWS cloud environment for the IDP setup, and its domain name ends with compute.amazonaws.com, which is a very common domain in the cloud; the Chrome browser (after version 58) is not setting the SMSESSION cookie. Hence every time the authentication data is submitted, a new SMSESSION is obtained before it redirects to the authorize endpoint. 

     

    Solution: 

    There are two possible solutions: 

    1. Change cookie domain scope 

    2. Assign a DNS name instead of using the cloud host name. 

     

    We opted for option 1 due to time constraints (this is for a PoC setup). 

     

    After changing the cookie domain scope to 5, we can see the complete flow succeed. 

     

    Thanks 

    Suhas
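    The resolution above turns on a browser rule rather than a SiteMinder one: a cookie whose Domain attribute is a public suffix is dropped, because every unrelated tenant under that suffix could read it, and the EC2 wildcard rule makes us-east-2.compute.amazonaws.com such a suffix. The script below is an added example (not from the thread, not CA or Broadcom code) that computes the Domain attribute for each CookieDomainScope value and applies the RFC 6265 Domain checks to it. Two things in it are assumptions: the reading of CookieDomainScope=N as "the rightmost N labels of the host, with a leading dot", which should be confirmed against the Web Agent configuration reference, and the public suffix subset, which is constructed for the example; the live list at publicsuffix.org is authoritative.

```python
"""Cookie Domain attribute versus the public suffix list, for the SMSESSION
symptom described in the post above. Added example; the suffix subset and the
CookieDomainScope reading are assumptions, see the comments."""
from __future__ import annotations

# Constructed subset of the Mozilla Public Suffix List (publicsuffix.org).
# "*.compute.amazonaws.com" is a wildcard rule: every direct child label, such as
# us-east-2.compute.amazonaws.com, is a public suffix. Check the live list before
# relying on any entry; this subset is only what the example needs.
PUBLIC_SUFFIXES = {"com", "co.uk", "*.compute.amazonaws.com"}


def _labels(name: str) -> list[str]:
    return name.lower().strip(".").split(".")


def is_public_suffix(domain: str, suffixes: set[str] = PUBLIC_SUFFIXES) -> bool:
    """True on an exact rule match or on a wildcard rule one label above."""
    d = domain.lower().strip(".")
    if d in suffixes:
        return True
    _head, _, parent = d.partition(".")
    return bool(parent) and ("*." + parent) in suffixes


def cookie_domain(host: str, scope: int) -> str:
    """Domain attribute the Web Agent would send for CookieDomainScope=scope.
    Assumption (verify in the Web Agent configuration reference): scope N keeps
    the rightmost N labels of the request host, prefixed with a dot, N >= 2."""
    ls = _labels(host)
    if not 2 <= scope <= len(ls):
        raise ValueError(f"scope must be between 2 and {len(ls)} for {host}")
    return "." + ".".join(ls[-scope:])


def browser_accepts(host: str, domain: str,
                    suffixes: set[str] = PUBLIC_SUFFIXES) -> tuple[bool, str]:
    """RFC 6265 section 5.3 treatment of the Domain attribute, as browsers apply it."""
    h, d = host.lower().strip("."), domain.lower().strip(".")
    if is_public_suffix(d, suffixes):
        if h == d:
            return True, "accepted as host-only cookie (Domain equals the host)"
        return False, "rejected: Domain is a public suffix"
    if h == d or h.endswith("." + d):
        return True, "accepted"
    return False, "rejected: Domain does not cover the request host"


def scope_report(host: str) -> dict[int, tuple[str, bool, str]]:
    """For every legal CookieDomainScope value: the Domain sent and the browser verdict."""
    out: dict[int, tuple[str, bool, str]] = {}
    for scope in range(2, len(_labels(host)) + 1):
        dom = cookie_domain(host, scope)
        ok, why = browser_accepts(host, dom)
        out[scope] = (dom, ok, why)
    return out


if __name__ == "__main__":
    # The Access Gateway host from the thread.
    for scope, (dom, ok, why) in scope_report(
            "ec2-18-191-195-234.us-east-2.compute.amazonaws.com").items():
        print(f"CookieDomainScope={scope}: Domain={dom:<55} {why}")
```

    For the Access Gateway host in the thread, scope 5 yields a Domain equal to the host itself, which every browser accepts, while scope 4 lands on a public suffix under the EC2 wildcard rule and is dropped; that is the difference the fix exploited. Which Domain the agent's default scope actually produced in this setup is not visible in the thread, so confirm it from the Set-Cookie header in the browser's network tools rather than from the table. Option 2 in the post, a real DNS name for the gateway, removes the dependency on scope entirely and is the right choice outside a PoC.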