Symantec Access Management


How to generate SAML AuthnRequest at Siteminder SP end

  • 1.  How to generate SAML AuthnRequest at Siteminder SP end

    Posted Apr 24, 2014 09:17 AM

    Hi All,

    I have created a federation setup and I am trying to act as a siteminder service provider. For this, I have created a SAML 2.0 AuthScheme wherein I have mentioned the target URL (protected in a domain with the SAML 2.0 AuthScheme). I have also mentioned the IDP SSO Url in the AuthScheme. Other details like IDPID and SPID have also been configured.

    My setup works where I initiate the journey from the IDP end, creating an smsession and posting the assertion to the siteminder assertion service url "https://dns/affwebservices/public/saml2assertionconsumer", and the assertion is validated through the saml authscheme. This setup works fine.

    For the SP initiated setup, I am accessing the url "http://SP-DNS/test.html" page, which I think should generate an AuthnRequest and send it to the IDP SSO URL for initial login. However, upon accessing it I get a 500 server error.

    I want to understand what configurations are required for the Siteminder SP to generate an AuthnRequest and send it to the IDP. Do we have to hard code something for the "saml2authnrequest" service to initiate? I found an article on the CA blog which explains hard-coding the links but I am not very sure about this.

    https://comm.support.ca.com/?legacyid=TEC533388

    Would anyone be able to help me here please?

    Regards,
    Neeraj Tati <neeraj.tati@bt.com>




  • 2.  RE: [CA SiteMinder General Discussion] How to generate SAML AuthnRequest at

    Broadcom Employee
    Posted Apr 24, 2014 12:28 PM
    Hello Neeraj,

    Few key concepts to keep in mind are:

    1) The saml2assertionconsumer service is only responsible for consuming the assertion and does not handle the AuthNRequest or the SP initiated request.
    2) For starting an SP initiated request from the SiteMinder Federation SP, you would need to use the SAML2AuthNRequest service.
    3) Clicking the SAML 2.0 authscheme protected TARGET URL would not generate or start an SP initiated transaction, and a 500 error is expected in this case.
    4) In your use case you need to kick off the SP initiated transaction with a URL like this: http://SP-DNS/affwebservices/public/saml2authnrequest?ProviderID=<use your IDPID>&RelayState=<URL encoded value of your TARGET>

    From the bookshelf:


    Specifies the target at the Service Provider. You can use the RelayState query parameter to indicate the target destination; however, this method is optional because there may be a configuration mechanism at the Service Provider itself to indicate the target.

    You should URL-encode the RelayState value.

    Example

    http://ca.sp.com:90/affwebservices/public/saml2authnrequest?ProviderID=http%3A%2F%2Ffedsrv.acme.com%2Fsmidp2for90&RelayState=http%3A%2F%2Fwww.spdemo.com%2Fapps%2Fapp.jsp


    Hope this helps.

    Thanks & Regards,
    ------ Manjari



  • 3.  RE: [CA SiteMinder General Discussion] How to generate SAML AuthnRequest at

    Posted Apr 29, 2014 03:13 PM
    Hi Manjari,

    Thanks for the detailed explanation. I can see the authnrequest is getting generated for me, which redirects the user to the IDP end. The user is authenticated at the IDP end and the assertion is posted back to the siteminder assertion consumer service. I want to understand more about the target parameter in the auth scheme. I have a few queries:

    1. Is it mandatory for the target parameter to be protected with the SAML auth scheme?
    2. Once the assertion is consumed at the SP end and the user is redirected to a target Url having a siteminder agent, should that agent create a new SMSESSION for SP end session management?
    3. Do we do any additional configuration for the webagent protecting the target Url with the saml authscheme to generate an SMSESSION at the SP end?
    4. Is the agent treated as an affiliate agent if it protects the target Url with the SAML authscheme? Any configurations specific to the affiliate agent?

    I have all these questions because I have tested two scenarios.

    1. I generate an authnrequest and, post assertion validation, redirect to the target url protected with the saml authscheme; the redirection fails because the agent on the target Url does not find any smsession.
    2. If I repeat the same test in a way that I generate an smsession for the domain in which the target Url is present and test the journey, the redirection happens because the agent found the smsession in the browser.

    Can you please review my post and help me with the concepts so that I can implement it. :)

    Thanks for your help.

    Regards,
    Neeraj.


  • 4.  RE: [CA SiteMinder General Discussion] RE: [CA SiteMinder General Discussio

    Broadcom Employee
    Posted Apr 29, 2014 04:12 PM
    Hello Neeraj,

    My answers are as below:

    1. Is it mandatory for target parameter to be protected with SAML auth scheme.

    ---> TARGET is required to be protected with the SAML auth-scheme in Legacy Federation. If you use the Partnership Model this detail is hidden.

    2. Once assertion is consumed at SP end and user is redirected to a target Url having siteminder agent. Should that agent create a new SMSESSION for SP end session management?
    ---> During the process of Assertion Consumption, the SAML auth-scheme is invoked, or rather the SAML auth-scheme facilitates the SAML assertion consumption. Yes, SMSESSION would be set for the SP domain after the assertion is successfully consumed at the SP.

    3. Do we do any additional configuration for the webagent protecting the target Url with saml authscheme to generate SMSESSION at SP end?
    ---> SAML auth-scheme config is the main config step at the SP side. You could also consider and use the partnership model, since what we are discussing here is Legacy Federation and as of r12.5 onwards we do have the partnership model of Federation config available.

    4. Is the agent treated as affiliate agent if it protects the target Url with SAML authscheme? ---> Nope, it's any regular Web Agent.
    Any configurations specific to affiliate agent? ---> Affiliate Agent is EOS now, so not sure if you still have it, and if so just know Affiliate Agent only supports and works with SAML 1.0 Artifact Binding.
    I have all these questions because I have tested two scenarios.

    1. I generate an authnrequest and post assertion validation redirect to target url protected with saml authscheme, redirection fails because agent on target Url does not find any smsession.
    ---> Hmmm, yes, that is something I would suggest be followed through a support ticket; please provide fiddler traces, WA traces, FWS traces and the WA log and affwebserv log upfront to showcase the problem. There must be either an SMSESSION not being returned by the browser for some reason, or possibly set for a different domain.

    2. If I repeat the same test in a way that I generate smsession for the domain in which target Url is present and test the journey, redirection happens becoz agent found smsession in the browser.
    ---> What is the TARGET domain and the domain of the FWS/WAOP?


    Thanks & Regards,
    ------ Manjari



  • 5.  Re: How to generate SAML AuthnRequest at Siteminder SP end

    Posted Mar 22, 2015 01:09 PM

    Hi,


    We have a similar setup where we want to configure SP initiated SSO. IDP works fine. The problem is once the user reaches idle timeout session and tries to log back in, they are being directed to the page specified in the target which is the landing page of the application. The users now want to have deep link facility and want to end up in the page they clicked on the SP side. In our configuration, we have an internal resource protected by form authentication and the target page is an ASP redirect to the internal application protected by SAML 2.0 authentication. Can you please let me know what we would need to specify in the target section of SAML 2.0 auth settings for SP initiated SSO to work? I tried with selecting Relay State overrides target but it does not seem to work.


    Any help is highly appreciated.



  • 6.  Re: How to generate SAML AuthnRequest at Siteminder SP end

    Posted Mar 23, 2015 12:08 PM

    pbiswas

    Could you elaborate this statement with an example please (I tried with selecting RelayState overrides target but it does not seem to work)?

    Using RelayState overrides Target is the only way by which we could redirect the User's request to desired Target URLs, especially if you'd want to send the user off to the same location from where his re-authentication journey was triggered (due to Session Timeout).

    The TARGET defined within SAML 2.0 Authentication Settings is a single (default) TARGET URL. You cannot specify multiple TARGET values in this field that is provided in the UI. Therefore we use the RelayState Overrides Target setting in the SAML 2.0 Authentication Scheme and ensure that when the SAML 2.0 AuthnRequest URL is constructed on the SP Side, we embed a Query Parameter "RelayState=************" in the SAML 2.0 AuthnRequest.

    The RelayState=xxxxxxxxxx can be any arbitrary value OR a URL, which the SP Side end application understands; it then takes the necessary action to route the User's request to the desired location.

    Regards


    Hubert



  • 7.  Re: How to generate SAML AuthnRequest at Siteminder SP end

    Posted Mar 23, 2015 12:22 PM

    Hi Hubert,

    Now it makes sense. Please ignore my previous statement. I have not made a SAML 2.0 AuthnRequest URL at the SP end. Where do I make this and what do I specify? Can you kindly let me know with an example?

    my federation server: https://federation.xyz.com

    Service Provider: abc

    Thanks again



  • 8.  Re: How to generate SAML AuthnRequest at Siteminder SP end

    Posted Mar 23, 2015 01:34 PM

    pbiswas

    Here's what I don't know about your environment: what is used on the SP Side, is it CA Single Sign On or any other SAML compliant toolkit / product?

    Irrespective of whatever is present on the SP Side, the Application would need to generate / build the SAML AuthnRequest URL and send it to the SAML Compliant toolkit / product on the SP Side to invoke an AuthnRequest to be issued to the IdP.

    Assuming it is CA Single Sign On on the SP Side, the Application would need to build a URL to call the SAML AuthnRequest Service hosted by CA Single Sign On.

    Example : https://abc.sp.com/affwebservices/public/saml2authnrequest?ProviderID=xyz.com&RelayState=*********************

    This would now allow the SAML2 AuthnRequest Service hosted on CA Single Sign On (SP Side) to generate / issue an authnrequest to the IdP with RelayState as a query parameter (assuming Redirect binding was used for issuance of the AuthnRequest to the IdP).

    The IdP would challenge / authenticate the User and return a SAML Assertion with RelayState (as is, as it was received from the SP). Now CA Single Sign On at the SP would validate the Assertion and, post successful disambiguation of the User, would issue a redirect to whatever location is defined in RelayState.

    Regards

     

    Hubert



  • 9.  Re: How to generate SAML AuthnRequest at Siteminder SP end

    Posted Mar 23, 2015 01:51 PM

    Hi Hubert,

    Both the IDP and SP side are SiteMinder/CA Single Sign On. I am the service provider (SP) here. The end application is just a classic asp application protected by SiteMinder. Should I just create a static unprotected page with the URL format you sent and have the IDP users hit the page to check if the authnrequest is being generated? Here is more information on the config.

    SP Side

    Federation URL: https://federation.xyz.com/affwebservices/public/saml2authnrequest

    ProviderID = IDP id = xyz.com

    Application URL (End Application) protected by SiteMinder Realm: https://internalapp.xyz.com

    I have generated the following URL https://federation.xyz.com/affwebservices/public/saml2authnrequest?ProviderID=xyz.com&RelayState=https%3A%2F%2Finternalapp.xyz.com and am using this as a link in a static unprotected page.

    Would this work?



  • 10.  Re: How to generate SAML AuthnRequest at Siteminder SP end
    Best Answer

    Posted Mar 23, 2015 02:00 PM

    Yes, it would work, as long as https://federation.xyz.com is the SP Side WAOP URL.

    I am getting confused by your ProviderID, i.e. xyz.com. Is that the IdP ID for the IdP? I thought xyz.com was the SP, based on your federation URL on the SP Side. Just a word of caution to use correct nomenclature to identify the correct IdP IDs and SP IDs.

    Regards


    Hubert



  • 11.  Re: How to generate SAML AuthnRequest at Siteminder SP end

    Posted Mar 23, 2015 02:03 PM

    Ah sorry!!! My bad. It should be the IDP id = idp.com. Here is the new Config, and thank you for your quick response and guidance.

    SP Side

    Federation URL: https://federation.xyz.com/affwebservices/public/saml2authnrequest

    ProviderID = IDP id = idp.com

    Application URL (End Application) protected by SiteMinder Realm: https://internalapp.xyz.com

    SP Initiated SSO URL

    https://federation.xyz.com/affwebservices/public/saml2authnrequest?ProviderID=idp.com&RelayState=https%3A%2F%2Finternalapp.xyz.com
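The SP-initiated SSO link from Manjari's reply (post 2) and the configuration settled on above, as an added example that is not code from this thread or from CA: a Python helper that builds the saml2authnrequest URL with URL-encoded ProviderID and RelayState, plus the allow-list check an SP application should apply before honouring a RelayState as a redirect target. The service URL, ProviderID and application host are the values from this thread; the allow-list is a constructed assumption.

```python
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Values from this thread (SP-side WAOP host, IdP ProviderID, end application);
# the allow-list of hosts a RelayState may point to is a constructed assumption.
SP_INITIATED_SSO_SERVICE = "https://federation.xyz.com/affwebservices/public/saml2authnrequest"
IDP_PROVIDER_ID = "idp.com"
DEFAULT_TARGET = "https://internalapp.xyz.com"
ALLOWED_RELAYSTATE_HOSTS = {"internalapp.xyz.com"}


def build_sp_initiated_sso_url(service_url: str, provider_id: str, target: str) -> str:
    """Link an unprotected SP page hands to the user to start SP-initiated SSO.

    urlencode() percent-encodes ':' and '/' in both parameters, matching the
    bookshelf example quoted earlier in the thread (ProviderID and RelayState
    are both URL-encoded). ProviderID is emitted first, then RelayState.
    """
    query = urlencode([("ProviderID", provider_id), ("RelayState", target)])
    return f"{service_url}?{query}"


def relaystate_from_url(url: str) -> Optional[str]:
    """Return the decoded RelayState query parameter of an SSO link, if any."""
    values = parse_qs(urlsplit(url).query).get("RelayState")
    return values[0] if values else None


def safe_landing_url(relay_state: Optional[str], default: str = DEFAULT_TARGET) -> str:
    """Pick where the SP application sends the user after the assertion is consumed.

    The IdP returns RelayState exactly as the SP sent it, but the value starts
    life in a query string that anyone can craft, so it must not be used as a
    redirect target blindly. Only absolute https URLs whose parsed host is on
    the allow-list are honoured; anything else (missing, relative, other host
    or scheme, or a URL that merely embeds the allowed host in its user-info
    or query part) falls back to the default TARGET of the SAML 2.0 auth scheme.
    """
    if not relay_state:
        return default
    parts = urlsplit(relay_state)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_RELAYSTATE_HOSTS:
        return default
    return relay_state
```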



  • 12.  Re: How to generate SAML AuthnRequest at Siteminder SP end

    Posted Apr 14, 2015 02:43 PM

    Hi Hubert,


    So far SP initiated SSO works fine. However, here is what the users are complaining about. Suppose they were working on a link inside the application and then there was an idle timeout; when they log back in they don't get to that link and instead land on the dashboard of the application. I have RelayState specified as RelayState=https%3A%2F%2Finternalapp.xyz.com, which when accessed separately in a browser lands on the dashboard of the app. How do I get the users to land on the page they were working on? Do I need to generate RelayState dynamically? Is that possible? Can you kindly help?



  • 13.  Re: How to generate SAML AuthnRequest at Siteminder SP end

    Posted Apr 15, 2015 08:54 AM

    pbiswas

    Kindly open a new thread for a new query, as it keeps the records clean and easier for wider peers in the community to search in case they have the same issues.

    Having said that, you have the following options (however, note this is beyond the remit of CA Single Sign On).

    Option-1 : Use a Page Indicator on Application Pages. Then, when building RelayState, append that to the Relay State. This would help the application code detect where exactly the user needs to be redirected to, using page-1. If there is no page id then default to the dashboard. This approach can only be used for routing. We cannot use this to preserve any application level data.

    Example : RelayState=https://internalapp.xyz.com/?pageid-1.

    Option-2 : Use a secure encrypted cookie. Encrypt the landing URL and data on the page in a secure application cookie before issuing a SAMLAuthnRequest. This cookie could be decrypted only by the application. Then, once the request returns to the dashboard page, decrypt the cookie and pull the URL + Data out, then redirect the user to the correct page. If the cookie does not exist OR has been tampered with, then default to the dashboard page.

    Hence these are application level solutions. Therefore application owners need to best adjudicate the solution after considering the security risk and what inputs are to be considered (i.e. only URL or URL + Data).

    Regards


    Hubert
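Option-2 above, as an added illustration that is not code from this thread or from CA: a Python sketch of the application-side cookie that preserves the page the user was on across the SAML round trip. It uses an HMAC-SHA256 tag (integrity only, the URL stays readable) rather than the encryption Hubert describes, which is enough for the tamper-detection and default-to-dashboard behaviour; the key, TTL, application host and sample URLs are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlsplit

DASHBOARD = "https://internalapp.xyz.com/"   # default landing page from the thread
APP_HOST = "internalapp.xyz.com"
COOKIE_TTL_SECONDS = 600                      # constructed: covers the IdP round trip
SECRET = b"constructed-demo-key-replace-me"   # hypothetical application-only key


def b64encode_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64decode_nopad(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_return_cookie(landing_url: str, now: Optional[float] = None) -> str:
    """Cookie value the application sets just before issuing the SAML AuthnRequest.

    The payload is the page the user was on plus an expiry; the HMAC tag lets
    the application detect any change to either field when the user returns.
    """
    issued = int(now if now is not None else time.time())
    body = {"url": landing_url, "exp": issued + COOKIE_TTL_SECONDS}
    payload = json.dumps(body, separators=(",", ":")).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{b64encode_nopad(payload)}.{b64encode_nopad(tag)}"


def resolve_landing_page(cookie: Optional[str], now: Optional[float] = None) -> str:
    """Run by the dashboard page after the assertion has been consumed.

    The preserved URL is honoured only if the cookie is present, the tag
    verifies, it has not expired and the URL stays on the application's own
    host; in every other case the user lands on the dashboard, as Option-2 says.
    """
    if not cookie or "." not in cookie:
        return DASHBOARD
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = b64decode_nopad(payload_b64)
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64decode_nopad(tag_b64)):
            return DASHBOARD
        data = json.loads(payload)
        if (now if now is not None else time.time()) > data["exp"]:
            return DASHBOARD
        parts = urlsplit(data["url"])
        if parts.scheme != "https" or parts.hostname != APP_HOST:
            return DASHBOARD
        return data["url"]
    except (ValueError, KeyError, TypeError):
        return DASHBOARD
```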



  • 14.  Re: How to generate SAML AuthnRequest at Siteminder SP end

    Posted Apr 15, 2015 09:16 AM

    Sorry about that. I will post any new questions on a new thread. Thanks for the detailed information



  • 15.  Re: How to generate SAML AuthnRequest at Siteminder SP end

    Posted Jun 21, 2017 06:21 PM

    I don't know if it helps. In my case, when I got this error, the SP signing certificate was CA Signed.


    I didn't have this intermediate CA Signing cert. So it was throwing this error.