Federation Web Services - Partnership

Question asked by didier.deguette on Jul 19, 2013
Latest reply on Oct 3, 2016 by manjunath.mudigonda
Hello,

I am currently working on Federation, and I'm trying to set up a partnership between a remote IDP (using SimpleSAMLphp) and a local SP (CA SiteMinder with Federation Web Services).

On the SP server, I installed a Policy Server, AdminUI, a Web Agent (Apache) and a Web Agent Option Pack. I also deployed the Federation Web Services and I can access this page successfully: http://myserver:port/affwebservices/assertionretriever

So I think my setup is correct.
I also configured my IDP (SimpleSAMLphp); I tested it with a SimpleSAMLphp SP with success. But with a CA SiteMinder SP I have no success.

This is what I did:

On the AdminUI, I entered the 2 entities, IDP and SP, and I declared a partnership SP local -> IDP Distant.
So I go to the login page on my IDP, enter my login, and I am redirected to the CA SiteMinder SP.
This is where I have a problem. First I can see in the browser a 403 error with this message:
HTTP Status 403 - Request forbidden. Transaction ID: 3f05a99f-81b2aa08-2a11c731-2bd7e804-01830644-2b failed.
type Status report
message Request forbidden. Transaction ID: 3f05a99f-81b2aa08-2a11c731-2bd7e804-01830644-2b failed.
description Access to the specified resource (Request forbidden. Transaction ID: 3f05a99f-81b2aa08-2a11c731-2bd7e804-01830644-2b failed.) has been forbidden.
So to see more, I open the FWS log file on the SP server (/opt/application/CA/webagent/log/FWSTrace.log), and I see that the server correctly received my SAML assertion from the IDP. In addition, I can see that it has managed to retrieve the IDP ID.
But after that I can see this error:
[07/19/2013][09:58:30][23238][72201984][3f05a99f-81b2aa08-2a11c731-2bd7e804-01830644-2b][SAMLTunnelClient.java][getIdentityProviderInfoByID][Tunnel result code: 1.]
[07/19/2013][09:58:31][23238][72201984][3f05a99f-81b2aa08-2a11c731-2bd7e804-01830644-2b][SAMLTunnelClient.java][getIdentityProviderInfoByID][SAMLTunnelStatus: 5, Failed to obtain Identity Provider data by provider ID. Provider ID: idp]
[07/19/2013][09:58:31][23238][72201984][3f05a99f-81b2aa08-2a11c731-2bd7e804-01830644-2b][SAML2Base.java][getIdentityProviderInfo][Tunnel client message: Failed to obtain Identity Provider data by provider ID. Provider ID: idp.]
[07/19/2013][09:58:31][23238][72201984][3f05a99f-81b2aa08-2a11c731-2bd7e804-01830644-2b][SAML2Base.java][getIdentityProviderInfo][Could not find identity provider information for idp: idp.]
[07/19/2013][09:58:31][23238][72201984][3f05a99f-81b2aa08-2a11c731-2bd7e804-01830644-2b][AssertionConsumer.java][processSAMLResponse][Transaction with ID: 3f05a99f-81b2aa08-2a11c731-2bd7e804-01830644-2b failed. Reason: ACS_NO_IDP_INFO_FOUND]
[07/19/2013][09:58:31][23238][72201984][3f05a99f-81b2aa08-2a11c731-2bd7e804-01830644-2b][AssertionConsumer.java][processSAMLResponse][No SAML identity provider information found for IDP idp]
[07/19/2013][09:58:31][23238][72201984][3f05a99f-81b2aa08-2a11c731-2bd7e804-01830644-2b][AssertionConsumer.java][processSAMLResponse][Ending SAML2 AssertionConsumer Service request processing with HTTP error 403]
[07/19/2013][09:58:31][23238][72201984][3f05a99f-81b2aa08-2a11c731-2bd7e804-01830644-2b][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 403 ]
[07/19/2013][09:58:31][23238][72201984][3f05a99f-81b2aa08-2a11c731-2bd7e804-01830644-2b][AssertionConsumer.java][doPost][
   processSAMLResponse TIME: 1352ms]
In my Policy Server log file (/opt/application/CA/siteminder/log/smps.log) I can see this:
[SAMLIdPbyIDTunnelService.java][ERROR][sm-FedServer-00330] Failed to obtain Identity Provider data by provider ID. Provider ID: idp
Really, I don't understand the problem. Can someone help me? (I should mention that I entered the IDP entity on my Policy Server with the ID "idp".)

Thanks in advance
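As an added example (not from the original post and not CA's own tooling), a small Python parser for the FWSTrace.log layout quoted above: it groups records by transaction ID, handles the doPost message that spans two lines, and pulls out the failure reason, the HTTP status and the provider ID the SP tried to look up, so that value can be compared character for character with the entity ID entered in the AdminUI. The sample log text and the set of configured entity IDs are constructed for the example.

```python
import re

# Constructed sample in the FWSTrace.log layout quoted in the post; the last record's message spans two lines.
SAMPLE_LOG = """\
[07/19/2013][09:58:31][23238][72201984][3f05a99f-81b2aa08-2a11c731-2bd7e804-01830644-2b][SAMLTunnelClient.java][getIdentityProviderInfoByID][SAMLTunnelStatus: 5, Failed to obtain Identity Provider data by provider ID. Provider ID: idp]
[07/19/2013][09:58:31][23238][72201984][3f05a99f-81b2aa08-2a11c731-2bd7e804-01830644-2b][AssertionConsumer.java][processSAMLResponse][Transaction with ID: 3f05a99f-81b2aa08-2a11c731-2bd7e804-01830644-2b failed. Reason: ACS_NO_IDP_INFO_FOUND]
[07/19/2013][09:58:31][23238][72201984][3f05a99f-81b2aa08-2a11c731-2bd7e804-01830644-2b][AssertionConsumer.java][processSAMLResponse][Ending SAML2 AssertionConsumer Service request processing with HTTP error 403]
[07/19/2013][09:58:31][23238][72201984][3f05a99f-81b2aa08-2a11c731-2bd7e804-01830644-2b][AssertionConsumer.java][doPost][
   processSAMLResponse TIME: 1352ms]
"""

# Eight bracketed fields: date, time, pid, thread, transaction ID, source file, method, message.
# The message may itself contain brackets and newlines, so it is matched greedily to the final bracket (DOTALL).
RECORD_RE = re.compile(
    r"^\[(?P<date>[^\]]*)\]\[(?P<time>[^\]]*)\]\[(?P<pid>\d+)\]\[(?P<thread>\d+)\]"
    r"\[(?P<txn>[^\]]*)\]\[(?P<src>[^\]]*)\]\[(?P<method>[^\]]*)\]\[(?P<msg>.*)\]$",
    re.DOTALL)


def parse_fws_trace(text):
    """One dict per record; a line not starting with '[' continues the previous message."""
    raw = []
    for line in text.splitlines():
        if line.startswith("[") or not raw:
            raw.append(line)
        else:
            raw[-1] += "\n" + line
    return [m.groupdict() for m in map(RECORD_RE.match, raw) if m]


def summarize_transactions(text):
    """Group records by transaction ID; collect failure reason, HTTP status and looked-up provider ID."""
    txns = {}
    for rec in parse_fws_trace(text):
        t = txns.setdefault(rec["txn"], {"reason": None, "http_error": None,
                                         "provider_id": None, "records": 0})
        t["records"] += 1
        if m := re.search(r"Reason: ([A-Z_]+)", rec["msg"]):
            t["reason"] = m.group(1)
        if m := re.search(r"HTTP error (\d{3})", rec["msg"]):
            t["http_error"] = int(m.group(1))
        # Entity IDs may be URLs, so stop only at whitespace/end and drop a trailing period.
        if m := re.search(r"Provider ID:\s*(\S+?)\.?(?=\s|$)", rec["msg"]):
            t["provider_id"] = m.group(1)
    return txns


def check_idp_lookup(summary, configured_entity_ids):
    """For each ACS_NO_IDP_INFO_FOUND transaction: (txn, provider ID searched, is it configured?)."""
    return [(txn, t["provider_id"], t["provider_id"] in configured_entity_ids)
            for txn, t in summary.items() if t["reason"] == "ACS_NO_IDP_INFO_FOUND"]
```

Feed it the real FWSTrace.log and the set of IdP entity IDs from the AdminUI; a `False` in the last tuple field shows the SP searched for an ID that is not configured exactly as written.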