SungHoon_Kim

Federation Starters 3

Blog Post created by SungHoon_Kim Employee on Jun 15, 2016

This is a continuation from Federation Starters 2

 

Just to demonstrate that IDP initiated federation can be tested without even having an SP, I took a screenshot of Fiddler.

In the above Fiddler trace, you can see that the IDP initiated federation request (http://www.sso.lab/affwebservices/public/saml2sso?SPID=http://www.partner.lab) was received and redirected to the Authentication URL.

The user authenticated, was redirected back to the Authentication URL, and was then redirected to saml2sso.

 

Next, it reached out to https://www.partner.lab:443. If the IDP initiated federation request tries to connect to the SP site, it means it is trying to POST the assertion (SAMLResponse), so you can consider that a success for now.

 

The browser actually showed more info, as below.

 

You can see that it was going to https://www.partner.lab/affwebservices/public/saml2assertionconsumer, which is where the SP wants to receive the SAMLResponse via POST.

 

Let's continue configuring the SP side.

 

Again, we need to perform the same steps below.

 

1. Deploy affwebservices on Application Server

2. Modify affwebservices.properties

3. Modify LoggerConfig.properties

4. User Store

5. Authentication Scheme

6. Domain/Application

7. Realm/Component

8. Rule/Resource

9. Policy/Role

10. Session Store (Not required if you only want to achieve Federation SSO and you do not need SLO)

11. Entity(Local and Remote)

12. Partnership


1. Deploy affwebservices on Application Server

 

This is already done while installing/configuring the SPS server.

You would have been asked whether you want to use Federation Gateway and whether your Policy Server is 12.0 or 12.5.

affwebservices is already deployed, which is one of the advantages of using SPS.

You do not need to worry about deploying it on the application server.

 

2. Modify affwebservices.properties

 

The federation web services are deployed at "C:\Program Files (x86)\CA\secure-proxy\Tomcat\webapps\affwebservices"

So you can locate the file at "C:\Program Files (x86)\CA\secure-proxy\Tomcat\webapps\affwebservices\WEB-INF\classes\AffWebServices.properties"

C:\Program Files (x86)\CA\secure-proxy\Tomcat\webapps\affwebservices\WEB-INF\classes\AffWebServices.properties

 

 

AgentConfigLocation=C:\\Program Files (x86)\\CA\\secure-proxy\\proxy-engine\\conf\\defaultagent\\WebAgent.conf

This is also handled by the SPS configuration wizard so you don't have to change anything.

 

3. Modify LoggerConfig.properties

This is also found in the same folder.

 

C:\Program Files (x86)\CA\secure-proxy\Tomcat\webapps\affwebservices\WEB-INF\classes\LoggerConfig.properties

LoggingOn=Y

LogFileName=C:\\Program Files (x86)\\CA\\secure-proxy\\proxy-engine\\logs\\affwebserv.log

TracingOn=Y

TraceFileName=C:\\Program Files (x86)\\CA\\secure-proxy\\proxy-engine\\logs\\FWSTrace.log

TraceConfig=C:\\Program Files (x86)\\CA\\secure-proxy\\proxy-engine\\conf\\defaultagent\\FederationTrace.conf

 

Nothing much here; you just need to ensure that tracing is enabled.

 

4. User Store

 

I created the following user directory dedicated to the SP.

Note that the user search uses "uid" and not the "mail" attribute.

 

5. Authentication Scheme

 

A good thing about Partnership Federation is that the TARGET is protected using a regular authentication scheme. Legacy Federation requires that the TARGET be protected by the SAML 2.0 Authentication Scheme.


6. Domain/Application

7. Realm/Component

8. Rule/Resource

9. Policy/Role

 

I am going to create an Application called "www.partner.lab" and link the "SP Side User Store" to it.

I will be protecting /saml20/, as that will be the TARGET that I specify in the federation partnership.

With what we have configured so far, you can actually log in to https://www.partner.lab/saml20/ by submitting user1's credentials. There is no federation involved at this point; it is just an ordinary SiteMinder protected resource.

 

11. Entity(Local and Remote)

Let's create the SP side Local and Remote Entity.

In this case, your Local Entity will be the Service Provider and the Remote Entity will be the Identity Provider.

As I am creating all of these in the same Policy Server, you will also see the IDP side configuration, but please ignore it.

 

Click "Create Entity" and select "Local" and "SAML2 SP".

 

 

Create the Remote IDP Entity.

EntityID must match what was agreed.

EntityName is whatever you want to call it.

"Remote SSO Service" is HTTP-Redirect because we did not configure the HTTP-POST Authentication Request binding.

"Remote SSO Service" is about how requests will go to saml2sso.

The supported NameID format was "Email Address", so select that one.

As the SP must verify the signature on the Assertion, you must specify the IDP side certificate that was used for signing.

In this use case, because both configurations are in the same Policy Server, you see "idpsigningkey"; but if you have a separately configured SP, you would have to import the certificate, and you can assign an alias of your choice.

Regardless, that certificate must be associated here for signature verification.

From the above, only the highlighted ones are for the SP side configuration.

 

12. Partnership

 

Create the Partnership "SAML2 SP -> IDP".

By default, "Use Name ID" is selected: whatever string is received as the NameID will be used as the user ID.

You can also specify an XPath to programmatically extract certain information from the assertion to make up the user ID to use.

Note the "LDAP Search Specification"; this is an important part.

Because the NameID that we are expecting is an email address, you need to specify "attributename=%s" to perform the search. In this case we use "mail=%s", which guarantees that user1@sso.lab will find "user1" in the "SP Side User Store".

 

And in "Federated Users", I could simply say "All Users", but I have chosen to restrict it to only "OU=People,dc=sso,dc=lab". Well, we only have 1 user in that OU.

 

Don't forget to activate the newly created partnership.

Now both partnerships are configured.

 

Let's test and see if it works.

Unfortunately, it did not work. But that gives us a chance to learn how to troubleshoot.

Based on the Fiddler trace, the HTTP 500 is at the SP side: https://www.partner.lab/affwebservices/public/saml2assertionconsumer

So, we must look at the SP side logs first.

What I would look at is affwebserv.log and FWSTrace.log.

The first thing I will search for in the log is "6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49", because this is the TransactionID that logged the HTTP 500.

In most cases, affwebserv.log gives a hint as to what the problem could be, but in this case it reports:

affwebserv.log

[4528/4224][Wed Jun 15 2016 10:33:11][AssertionConsumer.java][ERROR][sm-FedClient-01660] sm-FedClient-01660 (com.netegrity.affiliateminder.webservices.saml2.AssertionConsumer, doPost, java.lang.RuntimeException: java.net.URISyntaxException: Expected authority at index 8: https://, , )

[4528/4224][Wed Jun 15 2016 10:33:11][AssertionConsumer.java][ERROR][sm-FedClient-02890] sm-FedClient-02890 (6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49, ACS_EXCEP_DO_POST, , , )

 

It seems that something is missing in the received data.

 

FWSTrace.log

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][doPost][SAML2 AssertionConsumer Service received POST request.]

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][FWSBase.java][doRequestLog][Requesting Host: 192.168.201.104 Requesting Host IP: 192.168.201.104 Request protocol: HTTP/1.1 Request was secure: true Authentication type: null]

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][doPost][Obtained response message from post data for http post binding [CHECKPOINT = SSOSAML2_READRESPONSEPOSTDATA_RSP]]

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][createPostRequestContext][SAMLResponse parameter (base-64 encoded): PFJlc3BvbnNlIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIERl

 

 

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][processSAMLResponse][SAMLResponse: <Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://www.partner.lab/affwebservices/public/saml2assertionconsumer" ID="_b27d347d8a87e57f65454274ef39876392c7" IssueInstant="2016-06-15T10:33:04Z" Version="2.0">

 

 

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][processSAMLResponse][RelayState: null]

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][processSAMLResponse][RequestID: _b27d347d8a87e57f65454274ef39876392c7]

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][processSAMLResponse][ResponseID: _b27d347d8a87e57f65454274ef39876392c7]

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][processSAMLResponse][RequestID _b27d347d8a87e57f65454274ef39876392c7 maps to TransactionID: 6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49.]

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][processSAMLResponse][IDPID (Issuer): http://www.sso.lab]

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][SAML2Base.java][getIdentityProviderInfo][Trying to fetch SAML2.0 IDP Configuration from cache [CHECKPOINT = SSOSAML2_IDPCONFFROMCACHE_REQ]]

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][SAML2Base.java][getIdentityProviderInfo][SAML2.0 IDP Configuration is not in cache. Requesting to get from policy server [CHECKPOINT = SSOSAML2_IDPCONFFROMPS_REQ]]

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][SAMLTunnelClient.java][getIdentityProviderInfoByID][Provider ID: http://www.sso.lab.]

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][SAMLTunnelClient.java][getIdentityProviderInfoByID][Tunnel result code: 1.]

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][SAMLTunnelClient.java][getIdentityProviderInfoByID][SAMLTunnelStatus: 0, ]

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][SAMLTunnelClient.java][getIdentityProviderInfoByID][infoIdp: {IncomingBackChannelAuthType=2, ApplicationAttributeValueExps=, TargetOpenCookieEncPassword=<Value not shown>, IsActive=1, MniRequireEncryptedNameID=0, ApplicationAttributeNames=, UrlEncodeAttrCookieData=0, HidingMask=1, InvalidRedirectMode=0, PartnershipSource=3, EnableAuthnRequestRedirect=1, ValidateTargetURLDomain=0, BackChannelAuthType=2, SLOServiceValidityDuration=60, EnableSAMLRequester=0, UnauthorizedAccessRedirectMode=0, EnableSLOSOAPBinding=0, EnableSSOPostBinding=1, EnableServerErrorURL=0, MniSignRequest=0, TargetEnableOpenCookieHMAC=0, FailureRedirectMode=0, Password=<Value not shown>, TargetEnableQuotedOpenCookie=0, MniRequireSignedResponse=0, DSigVerInfoIssuerDN=CN=TESTLABCA, DC=sso, DC=lab, ProvisioningDeliveryType=3, Target=https://, AllowAuthLevelOverride=0, EnableAuthnRequestPost=0, AllowTransactionType=1, MniSOAPTimeout=60, SAMLReqRequireSignedAssertion=0, EnableSLORedirectBinding=0, EnforceSingleUsePolicy=0, RequireEncryptedAssertion=0, RedirectMode=0, AuthnContextUsage=1, RequireSignedArtifactResponse=0, MniRequireSignedRequest=0, CompareUserDNForSMC=1, DisableSignatureProcessing=0, EnableSMC=0, EnableRequestedAuthnContext=0, AssertionConsumerDefaultURL=06-24b16054-3382-4b1c-aff8-a9259584a485, MniRetryBoundary=15, MniRetryCount=3, MniEnableSOAPBinding=0, XPath=, QPOverridesReqAuthnContext=0, ProvOpenCookieEncPassword=<Value not shown>, NameIdType=0, RequireUserConsent=0, PersistSessionVars=0, SMCOverrideProtectionLevel=0, DSigVerInfoSerialNumber=30276d8e000000000008, Oid=21-de5fb651-8fa4-4047-af72-0aab7d8addc0, EncryptNameIDForSLOSOAP=0, AllowIdPtoCreateUserIdentifier=0, DelegatedAuthHashSecret=<Value not shown>, MniEncryptNameID=0, SignArtifactResolve=0, MniAllowUserSelfService=0, MniNotificationAuthType=1, SSOArtifactIndex=1, SPID=http://www.partner.lab, MniEnableNotification=0, 
SAMLReqGetAllAttributes=0, LDAPSearchSpec=mail=%s, MniEnablePostBinding=0, SSOPostIndex=0, SAMLMajorVersion=2, DelegatedAuthSecret=<Value not shown>, MniNotifyUserName=*, OpenCookieEncryptionPassword=<Value not shown>, RequireEncryptedNameID=0, EnableAttributeMapping=0, MniSignResponse=0, DomainOid=@03-030165a7-7050-4e75-a8ab-811948f61421, UnauthorizedAccessRedirectURL=, InvalidRequestRedirectMode=0, OutgoingPassword=<Value not shown>, EnableSSOArtifactBinding=0, SSODefaultService=https://www.sso.lab/affwebservices/public/saml2sso, SkewTime=30, NameIdFormat=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, ProxyServer=https://www.partner.lab, MniDeleteNameID=0, ProvEnableQuotedOpenCookie=0, Enabled=1, ProvEnableOpenCookieHMAC=0, EnableInvalidRequestURL=0, SAMLReqSignAttributeQuery=0, IncomingPassword=<Value not shown>, ServerErrorRedirectMode=0, UserNotFoundRedirectMode=0, InvalidRequestRedirectURL=, NameIdStatic=*, KEY_IdPSourceID=8880e2d69fe63cf8d71d1bc28c97697e77600293, SignAuthnRequests=0, KEY_IdPID=http://www.sso.lab, MniNotifyPassword=<Value not shown>, MniEnableRedirectBinding=0, SAMLMinorVersion=0, EnableSSOECPProfile=0, SignatureAlgo=1, Name=partner2sso, RelayStateOverridesSsoTarget=0, AuthnContextRowCount=0, ProvisioningType=0, MniNotifyTimeout=60, NameIdAllowNested=0, EnableUnauthorizedRequestURL=0, QPOverrideAllowCreate=0, ServerErrorRedirectURL=, RelayStateOverridesSloConfirm=0}]

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][SAML2Base.java][getIdentityProviderInfo][Tunnel client message: .]

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][SAML2Base.java][getIdentityProviderInfo][Obtained identity provider information from policy server for: http://www.sso.lab.]

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][FWSBase.java][encryptProviderPasswords][Encrypted password for attribute MniNotifyPassword]

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][SAML2Base.java][getIdentityProviderInfo][Obtained identity provider information from cache for: http://www.sso.lab.]

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][FWSBase.java][getPartnershipSourceValue][Partnership source value = 3]

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][getRealmForTarget][Reading the configuration to get the target url [CHECKPOINT = SSOSAML2_READTARGETURL_REQ]]

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][getRealmForTarget][targetURL:https:// usingRelayState: false]

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][FWSBase.java][validateTarget][Target: https:// is not in the CookieDomain: .partner.lab]

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][getRealmForTarget][Get realm oid for target resource from property [CHECKPOINT = SSOSAML2_REALMOIDFORTARGETFROMPROPERTY_RSP]]

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][getRealmForTarget][Realm Name: ]

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][getRealmForTarget][Realm OID: 06-24b16054-3382-4b1c-aff8-a9259584a485]

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][validateDestination][Using Proxy URL: https://www.partner.lab/affwebservices/public/saml2assertionconsumer]

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][processSAMLResponse][Credentials: <UserCredentials><Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://www.partner.lab/affwebservices/public/saml2assertionconsumer" ID="_b27d347d8a87e57f65454274ef39876392c7" IssueInstant="2016-06-15T10:33:04Z" Version="2.0">

 

 

[06/15/2016][10:33:10][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][FWSBase.java][authenticateUser][Passing response message through login call [CHECKPOINT = SSO_RESPONSEMESSAGEINLOGIN_REQ]]

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][FWSBase.java][authenticateUser][result code from AgentAPI login call: 1]

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][FWSBase.java][authenticateUser][Login successful [CHECKPOINT = SSO_LOGINSUCEESS_RSP]]

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][FWSBase.java][processSuccessfulAuthentication][SAML Assertion based user authentication succeeded.]

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][FWSBase.java][processSuccessfulAuthentication][session id is: Kf/C3ZepKbCrcp8DTCfrnwBWjRQ=]

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][FWSBase.java][processSuccessfulAuthentication][Response Attributes:]

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][FWSBase.java][processSuccessfulAuthentication][   255:SAMLDataResponse=rO0ABXcEAAAABnQADXVzZXIxQHNzby5sYWJ3BAAAAAd0ADZ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDplbWFpbEFkZHJlc3N3BAAAAANxAH4AAHcEAAAACXQAL3VybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkdwQAAAACdAAlXzNkMDQ3ODFmZWYzYWRmMzFkNzQxZWIxZGYyZjYzOTE4M2UxNncJAAAABQEAAAABdAAvNjgyNmU2ZjgtMjhlNzBlMDMtNDAzMzZiM2QtMTczM2QxMDItN2YzZTUyNTMtNDl3EAAAAAsAAAAAV2EvWAAAAAh0ABJodHRwOi8vd3d3LnNzby5sYWJ3BAAAAA90AAExdwQAAAAOdAACLTF3CAAAAGMAAAAA]

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][FWSBase.java][processSuccessfulAuthentication][   218:uid=user1,OU=People,dc=sso,dc=lab]

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][FWSBase.java][processSuccessfulAuthentication][   152:user1]

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][FWSBase.java][processSuccessfulAuthentication][   151:0e-03b4d1c3-010f-4aeb-9066-a0da3eee0585]

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][FWSBase.java][processSuccessfulAuthentication][SAMLData returned]

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][FWSBase.java][processSuccessfulAuthentication][

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][FWSBase.java][processSuccessfulAuthentication][

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][FWSBase.java][processSuccessfulAuthentication][

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][FWSBase.java][createSessionCookie][Validating input...]

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][FWSBase.java][createSessionCookie][Creating the smsession cookie for SP domain [CHECKPOINT = SSO_SMSESSIONFORSPDOMAIN_REQ]]

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][FWSBase.java][createSessionCookie][Recived valid input. Attempting to create SESSION cookie.]

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][FWSBase.java][createSessionCookie][session id is: Kf/C3ZepKbCrcp8DTCfrnwBWjRQ=]

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][FWSBase.java][createSessionCookie][About to create SESSION cookie.]

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][FWSBase.java][createSessionCookie][Placing smsession in browser [CHECKPOINT = SSO_PLACESMSSESSIONTOBROWSER_REQ]]

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][processSAMLResponse][authenticateUser succeded: 0]

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][processSAMLResponse][Redirecting user to target url [CHECKPOINT = SSOSAML2_REDIRECTUSERTARGETURL_REQ]]

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][handleUserRedirection][Enter: handleUserRedirection]

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][redirectUser][

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][redirectUser][Redirecting the user to https:// using '302 No Data' redirect mode.]

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][doPost][Exception caught in class com.netegrity.affiliateminder.webservices.saml2.AssertionConsumer, method doPost, message java.lang.RuntimeException: java.net.URISyntaxException: Expected authority at index 8: https://.]

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][doPost][Stack Trace: java.lang.RuntimeException: java.net.URISyntaxException: Expected authority at index 8: https://

 

 

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][doPost][Ending SAML2 AssertionConsumer Service request processing with HTTP error 500]

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][doPost][Transaction with ID: 6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49 failed. Reason: ACS_EXCEP_DO_POST]

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]

 

This new portrait mode on the blog is really making it difficult to look at logs.

The relevant excerpt is below.

 

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][processSAMLResponse][Redirecting user to target url [CHECKPOINT = SSOSAML2_REDIRECTUSERTARGETURL_REQ]]

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][handleUserRedirection][Enter: handleUserRedirection]

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][redirectUser][

redirectMode: 0]

[06/15/2016][10:33:11][4528][4224][6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49][AssertionConsumer.java][redirectUser][Redirecting the user to https:// using '302 No Data' redirect mode.]

 

user1 was found and authenticated, so it wants to redirect to the predefined TARGET, which I expect to be https://www.partner.lab/saml20/

But the log says it is redirecting to "https://", which is not valid.
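As an added example (my own script, not code from the post or from CA SiteMinder), here is a small Python triage script for this log format: it pulls the records for one TransactionID out of FWSTrace.log, reads the Target and LDAPSearchSpec back out of the infoIdp dump, and flags a Target that has no host, which is exactly the condition behind the URISyntaxException above. It assumes the record layout shown above and an SP CookieDomain of .partner.lab; the sample records are abridged from the post's log.

```python
# Added example (not from the original post or CA's own code): triage an SP-side
# FWSTrace.log by TransactionID and flag a partnership Target that cannot be redirected to.
import re
from urllib.parse import urlsplit

# Each FWSTrace.log record is [date][time][pid][tid][TransactionID][source][method][message].
LINE_RE = re.compile(r"^\[([^\]]*)\]\[([^\]]*)\]\[(\d+)\]\[(\d+)\]\[([^\]]*)\]"
                     r"\[([^\]]*)\]\[([^\]]*)\]\[(.*)\]$")
FIELDS = ("date", "time", "pid", "tid", "txn", "src", "method", "msg")

def parse_line(line):
    """Return the bracketed fields as a dict, or None for a continuation line."""
    m = LINE_RE.match(line.rstrip("\n"))
    return dict(zip(FIELDS, m.groups())) if m else None

def parse_info_idp(msg):
    """'infoIdp: {K=V, K=V, ...}' -> dict; items split on ', ', keyed on the first
    '=' so 'mail=%s' survives (a DN value with ', DC=' splits too; harmless here)."""
    body = msg[msg.index("{") + 1:msg.rindex("}")]
    items = (item.partition("=") for item in body.split(", ") if "=" in item)
    return {k: v for k, _, v in items}

def check_target(target, cookie_domain):
    """Problems with a partnership Target: scheme, host (the post's 'https://' has
    none, hence the URISyntaxException) and membership in the SP CookieDomain."""
    problems = []
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        problems.append("scheme")
    if not parts.hostname:
        problems.append("no host")
    elif not (parts.hostname == cookie_domain.lstrip(".")
              or parts.hostname.endswith(cookie_domain)):
        problems.append("outside CookieDomain " + cookie_domain)
    return problems

def diagnose(log_lines, txn, cookie_domain):
    """Collect what a troubleshooter needs for one TransactionID."""
    recs = [r for r in map(parse_line, log_lines) if r and r["txn"] == txn]
    result = {"lines": len(recs), "target": None, "ldap_spec": None,
              "errors": [], "problems": []}
    for r in recs:
        if r["msg"].startswith("infoIdp:"):
            cfg = parse_info_idp(r["msg"])
            result["target"] = cfg.get("Target")
            result["ldap_spec"] = cfg.get("LDAPSearchSpec")
        elif "Exception caught" in r["msg"]:
            result["errors"].append(r["msg"].split("message ", 1)[-1])
    if result["target"] is not None:
        result["problems"] = check_target(result["target"], cookie_domain)
    return result

# Constructed sample: abridged from the post's FWSTrace.log. The infoIdp dump is cut
# down to the keys used above and one unrelated transaction is added.
TXN = "6826e6f8-28e70e03-40336b3d-1733d102-7f3e5253-49"
P = "[06/15/2016][10:33:10][4528][4224][" + TXN + "]"
SAMPLE = [
    P + "[AssertionConsumer.java][doPost][SAML2 AssertionConsumer Service received POST request.]",
    P + "[SAMLTunnelClient.java][getIdentityProviderInfoByID][infoIdp: {IsActive=1, "
        "DSigVerInfoIssuerDN=CN=TESTLABCA, DC=sso, DC=lab, Target=https://, "
        "SPID=http://www.partner.lab, LDAPSearchSpec=mail=%s, Name=partner2sso}]",
    P + "[AssertionConsumer.java][redirectUser][",  # split record: continuation follows
    "redirectMode: 0]",
    P + "[AssertionConsumer.java][doPost][Exception caught in class "
        "com.netegrity.affiliateminder.webservices.saml2.AssertionConsumer, method doPost, "
        "message java.lang.RuntimeException: java.net.URISyntaxException: "
        "Expected authority at index 8: https://.]",
    "[06/15/2016][10:40:00][4528][4224][00000000-other-txn][FWSBase.java][x][unrelated]",
]
```

Running diagnose(SAMPLE, TXN, ".partner.lab") reports the Target as "https://" with the problem "no host", which is the same conclusion the log walk-through reaches by hand.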

 

We need to modify the SP Side Partnership.

 

You can first view it before editing. Once you confirm the error, you can deactivate the partnership and make the changes.

As you can see above, for some reason the Target is saved as "https://", so the log explained the error condition correctly.

 

This clearly shows how important it is to get FWSTrace.log when troubleshooting.

After fixing the typo, I tested again.

It was a success.

This is how IDP initiated Federation is set up.

In the next article, I will demonstrate how to set up SP initiated Federation.