Symantec Access Management


SAML Authn request Error

  • 1.  SAML Authn request Error

    Posted Jul 17, 2014 01:44 AM

    Hello All,

     

    I have been facing an issue with the SAML Authn Request. I am getting the below error when I am trying to connect to the IDP:

    The following error occurred: 403 - Request Forbidden. Transaction ID: 713f6ee1-d8f5e76d-82659bc3-b873316d-f36f3f13-8b failed.

    What could be the reason behind this?

    I have checked the SAML Authn Request and it seems to be fine.

    Thanks in Advance

    Ankur Taneja



  • 2.  Re: SAML Authn request Error

    Posted Jul 17, 2014 08:48 AM

    Ankur,

    Have you checked the logs?

    The error tells you which transaction ID to look at.



  • 3.  Re: SAML Authn request Error

    Posted Jul 17, 2014 02:53 PM

    Greetings - I've been facing the same issue for close to a month now. Latest from support is to update the "local_policy.jar" & "US_export_policy.jar" in ../java/jdk/jre/lib/ & /java/jre/lib/security folders with the JCE patch. However, applying that patch didn't work for me :/ I believe the JCE patch was provided to me by CA support but they might have had me download it from somewhere. I can't remember. I am running Federation using the CA Federation Gateway with Secure Proxy Server.

    The error I get looks like this:

    HTTP Status 403 - Request Forbidden. Transaction ID:
    17adb7f0-6b8cbe6c-8942e806-77cbec32-d275778f-4ff1 failed.

    --------------------------------------------------------------------------------

    type Status report

    message Request Forbidden. Transaction ID: 17adb7f0-6b8cbe6c-8942e806-77cbec32-d275778f-4ff1 failed.

    description Access to the specified resource has been forbidden.

    --------------------------------------------------------------------------------

    Apache Tomcat/7.0.39

    We need to get this figured out....



  • 4.  Re: SAML Authn request Error

    Posted Jul 17, 2014 03:47 PM

    As had pointed out, is there anything in the logs? At least for the Federation setups we've done it's been pretty specific in terms of the cause of the errors (signature validation fails, incorrect nameid format, other general info).

    Just be sure to enable the Federation stuff in the Policy Server log profiler to grab everything. If the assertion generator etc. isn't there ya might not get the whole picture. Usually between the FWSTrace + Policy Server logs it's fairly specific the cause of the errors.

    On the JCE libraries, that sounds like the Unlimited Strength JCE Policy to support the higher encryption methods. At least in our initial configs the AES-256 wouldn't work without that. But shouldn't impact others.



  • 5.  Re: SAML Authn request Error

    Posted Jul 18, 2014 02:20 AM

    Hello,

    I am getting the below error in the log:

    [2352/5332][Fri Jul 18 2014 06:00:25][SSO.java][ERROR][sm-FedClient-02890] Transaction with ID: 1ae9c184-fc991c3a-639c72a4-ff11d629-00995975-26a failed. Reason: NO_PROVIDER_INFO_FOUND (, , )

    [2352/5332][Fri Jul 18 2014 06:00:25][SSO.java][ERROR][sm-FedClient-02440] No SAML2 provider information found for SP <SP Name>

    But the Provider information is present in the SAML Authn Request.



  • 6.  Re: SAML Authn request Error

    Posted Jul 18, 2014 08:38 AM

    I recently had something like this. Reproduced last night for CA and can share with you, minus, of course, some things like IP, Agent/Server Names, and since I'm not positive we want the company initials out, which is what flips case, I've removed that but noted the case.

    You can look for similar transactions in your environment.

    Use the affwebservices log to get the transaction id.

    AffWebServices Log:

    [1812/3624][Thu Jul 17 2014 15:28:03][SSO.java][ERROR] Transaction with ID: a6138e70-f6975a2e-da189c46-4ddfa39d-d6b8b5ee-a failed. Reason: NO_PROVIDER_INFO_FOUND

    [1812/3624][Thu Jul 17 2014 15:28:03][SSO.java][ERROR] No SAML2 provider information found for SP https://<company initials in upper case>.sharefile.com/saml/info.

    Corresponding inputs in the Policy Server Trace (AKA Profiler) Log that show this is a result of case sensitivity in the Policy Server (which I feel should not be present in the Policy Server):

    Good Transaction:

    [07/17/2014][15:37:10.381][3524][4524][00:00:00.000000][][CServer.cpp:1350][ThreadPool::Run][][][][][][][][][][][][][][<ip restricted>][49900][][Dequeuing a Normal Priority message, from IP <ip restricted> with Port No 49900. Current count is 0][]

    [07/17/2014][15:37:10.381][3524][4524][][][CServer.cpp:5725][CServer::ProcessRequest][][][][][][][][][][][][][][][][][Enter function CServer::ProcessRequest][]

    [07/17/2014][15:37:10.381][3524][4524][][][SmAuthUser.cpp:1328][CSmAuthUser::CSmAuthUser][][][][][][][][][][][][][][][][][Enter function CSmAuthUser::CSmAuthUser][]

    [07/17/2014][15:37:10.381][3524][4524][00:00:00.000000][][SmAuthUser.cpp:1371][CSmAuthUser::CSmAuthUser][][][][][][][][][][][][][][][][][Leave function CSmAuthUser::CSmAuthUser][]

    [07/17/2014][15:37:10.381][3524][4524][][][Sm_Az_Message.cpp:152][CSm_Az_Message::ProcessMessage][][][][][][][][][][][][][][][][][Enter function CSm_Az_Message::ProcessMessage][]

    [07/17/2014][15:37:10.381][3524][4524][][s127/r2][SmMessage.cpp:514][CSmMessage::ParseAgentMessage][][][][][][][][][][][][][][][][][Receive request attribute 208, data size is 15][*<ip restricted>]

    [07/17/2014][15:37:10.381][3524][4524][][s127/r2][SmMessage.cpp:514][CSmMessage::ParseAgentMessage][][][][][][][][][][][][][][][][][Receive request attribute 221, data size is 60][000080fe000000008d12f328e403ef53-0888-53c825e5-0930-013854c9]

    [07/17/2014][15:37:10.381][3524][4524][][s127/r2][SmMessage.cpp:514][CSmMessage::ParseAgentMessage][<agent name restricted>][][][][][][][][][][][][][][][][Receive request attribute 200, data size is 14][<agent name restricted>]

    [07/17/2014][15:37:10.381][3524][4524][][s127/r2][SmMessage.cpp:514][CSmMessage::ParseAgentMessage][<agent name restricted>][][][][][][][][][][][][][][][][Receive request attribute 217, data size is 31][https://<server name restricted>]

    [07/17/2014][15:37:10.381][3524][4524][][s127/r2][SmMessage.cpp:514][CSmMessage::ParseAgentMessage][<agent name restricted>][][][][][][][][][][][][][][][][Receive request attribute 201, data size is 279][/siteminderagent/redirectjsp/redirect.jsp?SPID=https://<lower case company initials>.sharefile.com/saml/info&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&RelayState=https://<lower case company initials>.sharefile.com/saml/info&SMPORTALURL=https%3A%2F%2F<server name restricted>%2Faffwebservices%2Fpublic%2Fsaml2sso]

    [07/17/2014][15:37:10.381][3524][4524][][s127/r2][SmMessage.cpp:514][CSmMessage::ParseAgentMessage][<agent name restricted>][][][][][][][][][][][][][][][][Receive request attribute 202, data size is 3][GET]

    [07/17/2014][15:37:10.381][3524][4524][][s127/r2][SmMessage.cpp:514][CSmMessage::ParseAgentMessage][<agent name restricted>][][][][][][][][][][][][][][][][Receive request attribute 134, data size is 5][FALSE]

    [07/17/2014][15:37:10.381][3524][4524][][s127/r2][Sm_Az_Message.cpp:199][CSm_Az_Message::ProcessMessage][<agent name restricted>][][][][][][][][][][][][][][][][** Received agent request.][]

    [07/17/2014][15:37:10.381][3524][4524][][][SmObjCache.cpp:793][CSmObjCache::Lookup][][][][][][][][][][][][][][][][][Look up a cached object.][]

    [07/17/2014][15:37:10.381][3524][4524][][][Sm_Az_Message.cpp:381][CSm_Az_Message::AnalyzeAzMessage][][][][][][][][][][][][][][][][][Enter function CSm_Az_Message::AnalyzeAzMessage][]

    [07/17/2014][15:37:10.381][3524][4524][00:00:00.000000][][Sm_Az_Message.cpp:389][CSm_Az_Message::AnalyzeAzMessage][][][][][][][][][][][true][][][][][][Leave function CSm_Az_Message::AnalyzeAzMessage][]

    [07/17/2014][15:37:10.381][3524][4524][][][IsProtected.cpp:44][CSm_Az_Message::IsProtected][][][][][][][][][][][][][][][][][Enter function CSm_Az_Message::IsProtected][]

    [07/17/2014][15:37:10.381][3524][4524][][][IsProtected.cpp:67][CSm_Az_Message::IsProtected][<agent name restricted>][][][][][][][][][][][][][<ip restricted>][][][Received request from agent, check agent api version.][1536]

    [07/17/2014][15:37:10.381][3524][4524][][][IsProtected.cpp:90][CSm_Az_Message::IsProtected][<agent name restricted>][/siteminderagent/redirectjsp/redirect.jsp?SPID=https://<lower case company initials>.sharefile.com/saml/info&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&RelayState=https://<lower case company initials>.sharefile.com/saml/info&SMPORTALURL=https%3A%2F%2F<server name restricted>%2Faffwebservices%2Fpublic%2Fsaml2sso][][][][][][][][][][][][https://<server name restricted>][][][Starting IsProtected processing.][]

    [07/17/2014][15:37:10.381][3524][4524][][][SmAuthorization.cpp:504][CSmAz::IsProtected][][][][][][][][][][][][][][][][][Enter function CSmAz::IsProtected][]

    [07/17/2014][15:37:10.381][3524][4524][][][SmObjCache.cpp:793][CSmObjCache::Lookup][][][][][][][][][][][][][][][][][Look up a cached object.][]

    [07/17/2014][15:37:10.396][3524][4524][][][SmAuthorization.cpp:569][CSmAz::IsProtected][][/siteminderagent/redirectjsp/redirect.jsp?spid=https://<lower case company initials>.sharefile.com/saml/info&protocolbinding=urn:oasis:names:tc:saml:2.0:bindings:http-post&relaystate=https://<lower case company initials>.sharefile.com/saml/info&smportalurl=https%3a%2f%2f<server name restricted>%2faffwebservices%2fpublic%2fsaml2sso][][][Redirectjsp_Protection][][][][][][][][][][][][Resource is protected by realm.][]

    [07/17/2014][15:37:10.396][3524][4524][00:00:00.015600][][SmAuthorization.cpp:571][CSmAz::IsProtected][][][][][][][][][][][Realm][][][][][][Leave function CSmAz::IsProtected][]

    [07/17/2014][15:37:10.396][3524][4524][][][SmObjCache.cpp:793][CSmObjCache::Lookup][][][][][][][][][][][][][][][][][Look up a cached object.][]

    [07/17/2014][15:37:10.396][3524][4524][][][SmAuthHtml.cpp:114][SmAuthQuery][][][][][][][][][][][][][][][][][Enter function SmAuthQuery][]

    [07/17/2014][15:37:10.396][3524][4524][][][SmAuthHtml.cpp:157][SmAuthQuery][][][][][][][][][][][][][][][][][Use Relative Target enabled for HTML form Scheme][]

    [07/17/2014][15:37:10.396][3524][4524][00:00:00.000000][][SmAuthHtml.cpp:241][SmAuthQuery][][][][][][][][][][][0][][][][][][Leave function SmAuthQuery][]

    [07/17/2014][15:37:10.396][3524][4524][][][Sm_Az_Message.cpp:400][CSm_Az_Message::SendReply][][][][][][][][][][][][][][][][][Enter function CSm_Az_Message::SendReply][]

    [07/17/2014][15:37:10.396][3524][4524][][s127/r2][Sm_Az_Message.cpp:793][CSm_Az_Message::FormatAttribute][<agent name restricted>][][][][Redirectjsp_Protection][][][][][][][][][][][][Send response attribute 150, data size is 39][03-dd07129a-e9fc-483a-a25a-e9ee9e571260]

    [07/17/2014][15:37:10.396][3524][4524][][s127/r2][Sm_Az_Message.cpp:793][CSm_Az_Message::FormatAttribute][<agent name restricted>][][][][Redirectjsp_Protection][][][][][][][][][][][][Send response attribute 204, data size is 39][06-ccf5c2ed-a7f9-47a3-b548-34244ac82880]

    [07/17/2014][15:37:10.396][3524][4524][][s127/r2][Sm_Az_Message.cpp:793][CSm_Az_Message::FormatAttribute][<agent name restricted>][][][][Redirectjsp_Protection][][][][][][][][][][][][Send response attribute 203, data size is 22][Redirectjsp_Protection]

    [07/17/2014][15:37:10.396][3524][4524][][s127/r2][Sm_Az_Message.cpp:793][CSm_Az_Message::FormatAttribute][<agent name restricted>][][][][Redirectjsp_Protection][][][][][][][][][][][][Send response attribute 219, data size is 8][33554433]

    [07/17/2014][15:37:10.396][3524][4524][][s127/r2][Sm_Az_Message.cpp:793][CSm_Az_Message::FormatAttribute][<agent name restricted>][][][][Redirectjsp_Protection][][][][][][][][][][][][Send response attribute 220, data size is 33][/siteminderagent/forms/login2.fcc]

    [07/17/2014][15:37:10.396][3524][4524][][s127/r2][Sm_Az_Message.cpp:793][CSm_Az_Message::FormatAttribute][<agent name restricted>][][][][Redirectjsp_Protection][][][][][][][][][][][][Send response attribute 146, data size is 0][]

    [07/17/2014][15:37:10.396][3524][4524][][s127/r2][Sm_Az_Message.cpp:793][CSm_Az_Message::FormatAttribute][<agent name restricted>][][][][Redirectjsp_Protection][][][][][][][][][][][][Send response attribute 147, data size is 0][]

    [07/17/2014][15:37:10.396][3524][4524][][s127/r2][Sm_Az_Message.cpp:563][CSm_Az_Message::ProcessMessage][<agent name restricted>][][][][Redirectjsp_Protection][][][][][][][][][][][][** Status: Protected. ][]

    [07/17/2014][15:37:10.396][3524][4524][00:00:00.000000][][Sm_Az_Message.cpp:567][CSm_Az_Message::SendReply][][][][][][][][][][][][][][][][][Leave function CSm_Az_Message::SendReply][]

    [07/17/2014][15:37:10.396][3524][4524][00:00:00.015600][][IsProtected.cpp:265][CSm_Az_Message::IsProtected][][][][][][][][][][][Protected][][][][][][Leave function CSm_Az_Message::IsProtected][]

    [07/17/2014][15:37:10.396][3524][4524][00:00:00.015600][][Sm_Az_Message.cpp:371][CSm_Az_Message::ProcessMessage][][][][][][][][][][][721][][][][][][Leave function CSm_Az_Message::ProcessMessage][]

    [07/17/2014][15:37:10.396][3524][4524][][][SmAuthUser.cpp:1376][CSmAuthUser::~CSmAuthUser][][][][][][][][][][][][][][][][][Enter function CSmAuthUser::~CSmAuthUser][]

    [07/17/2014][15:37:10.396][3524][4524][00:00:00.000000][][SmAuthUser.cpp:1428][CSmAuthUser::~CSmAuthUser][][][][][][][][][][][][][][][][][Leave function CSmAuthUser::~CSmAuthUser][]

    [07/17/2014][15:37:10.396][3524][4524][00:00:00.015600][][CServer.cpp:5901][CServer::ProcessRequest][][][][][][][][][][][721][][][][][][Leave function CServer::ProcessRequest][]

     

    And search the Trace/Profiler log for the Transaction ID.

    As for what's used, I have a lot more on than you need. You want all Components (it will only write if they trigger) and a minimum of the following data points:

    Date, PreciseTime, Pid, Tid, Message, Data

    Support will likely ask for more, looking for:

    Date, PreciseTime, Pid, Tid, ExecutionTime, TransactionID, SrcFile, Function, AgentName, Resource, User, Realm, Domain, Directory, Policy, Message, Data

    both of you preferring what we used, which is:

    Date, PreciseTime, Pid, Tid, ExecutionTime, TransactionID, SrcFile, Function, AgentName, Resource, User, Group, Realm, Domain, Directory, Policy, AgentType, Rule, ReturnValue, ErrorValue, ErrorString, IPAddr, IPPort, CallDetail, Message, Data

    Bad Transaction:

    [07/17/2014][15:37:52.018][3524][4524][00:00:00.000000][][CServer.cpp:1350][ThreadPool::Run][][][][][][][][][][][][][][<ip restricted>][49946][][Dequeuing a Normal Priority message, from IP <ip restricted> with Port No 49946. Current count is 0][]

    [07/17/2014][15:37:52.018][3524][4524][][][CServer.cpp:5725][CServer::ProcessRequest][][][][][][][][][][][][][][][][][Enter function CServer::ProcessRequest][]

    [07/17/2014][15:37:52.018][3524][4524][][][CServer.cpp:5994][CServer::Tunnel][][][][][][][][][][][][][][][][][Enter function CServer::Tunnel][]

    [07/17/2014][15:37:52.018][3524][4524][][1d829608-8bebb218-8cd97aad-34e12f1d-86484087-3c][CServer.cpp:6097][CServer::Tunnel][][][][][][][][][][][][][][<ip restricted>][][Lib='smjavaapi', Func='JavaTunnelService', Params='com.netegrity.saml2ps.tunnel.SAMLSPbyIDTunnelService', Server='', Device=''][Resolved all the input parameters][]

    [07/17/2014][15:37:52.018][3524][4524][][][CServer.cpp:6251][CServer::Tunnel][][][][][][][][][][][][][][][][][Resolving tunnel Service function JavaTunnelService...][]

    [07/17/2014][15:37:52.018][3524][4524][][][CServer.cpp:6280][CServer::Tunnel][][][][][][][][][][][][][][][][][Start of tunnel call JavaTunnelService][]

    [07/17/2014][15:37:52.018][3524][4524][][][SmJVMSupport.cpp:112][GetJVMEnv][][][][][][][][][][][][][][][][][SmJVMSupport, Successfully attached JVM to thread][]

    [07/17/2014][15:37:52.018][3524][4524][][][SAMLSPbyIDTunnelService.java][tunnel][][][][][][][][][][][][][][][][][Received request to obtain Service Provider data.][]

    [07/17/2014][15:37:52.018][3524][4524][][_6c9316b84261452cabe2d090e68bcc82][SAMLSPbyIDTunnelService.java][tunnel][][][][][][][][][][][][][][][][][Received request to obtain Service Provider data. Provider ID: https://<upper case company initials>.sharefile.com/saml/info][]

    [07/17/2014][15:37:52.018][3524][4524][][][SmObjProvider.cpp:700][CSmObjProvider::Search][][][][][][][][][][][][][][][][][Searching for 'Property' object with a search key in one domain][]

    [07/17/2014][15:37:52.018][3524][4524][][][smldaputils.cpp:1445][SmSearchLDAPControls][][][][][][][][][][][][][][][][Handle='047CE140', Root='ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,dc=SmPolicyStore.net', Scope=2, Filter='(&(cn=KEY_SPID)(objectclass=smProperty5))', attrsonly=0][Start of call ldap_search_st:Search LDAP.][]

    [07/17/2014][15:37:52.018][3524][4524][][][smldaputils.cpp:1451][SmSearchLDAPControls][][][][][][][][][][][0][][Success][][][Handle='047CE140', Root='ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,dc=SmPolicyStore.net', Scope=2, Filter='(&(cn=KEY_SPID)(objectclass=smProperty5))', attrsonly=0][Return from call ldap_search_st][]

    [07/17/2014][15:37:52.018][3524][4524][][][smldaputils.cpp:1922][SmLDAPOIDSearch][][][][][][][][][][][][][][][][Handle='047CE140'][Start of call ldap_count_entries:How many entries?][]

    [07/17/2014][15:37:52.018][3524][4524][][][smldaputils.cpp:1925][SmLDAPOIDSearch][][][][][][][][][][][6][][][][][Handle='047CE140'][Return from call ldap_count_entries][]

    [07/17/2014][15:37:52.018][3524][4524][][][SmObjCache.cpp:793][CSmObjCache::Lookup][][][][][][][][][][][][][][][][][Look up a cached object.][]

    [07/17/2014][15:37:52.018][3524][4524][][][SmObjCache.cpp:793][CSmObjCache::Lookup][][][][][][][][][][][][][][][][][Look up a cached object.][]

    [07/17/2014][15:37:52.018][3524][4524][][][SmObjCache.cpp:793][CSmObjCache::Lookup][][][][][][][][][][][][][][][][][Look up a cached object.][]

    [07/17/2014][15:37:52.018][3524][4524][][][SmObjCache.cpp:793][CSmObjCache::Lookup][][][][][][][][][][][][][][][][][Look up a cached object.][]

    [07/17/2014][15:37:52.018][3524][4524][][][SmObjCache.cpp:793][CSmObjCache::Lookup][][][][][][][][][][][][][][][][][Look up a cached object.][]

    [07/17/2014][15:37:52.018][3524][4524][][][SmObjCache.cpp:793][CSmObjCache::Lookup][][][][][][][][][][][][][][][][][Look up a cached object.][]

    [07/17/2014][15:37:52.018][3524][4524][][_6c9316b84261452cabe2d090e68bcc82][SAMLSPbyIDTunnelService.java][tunnel][][][][][][][][][][][][][][][][][][]

    [07/17/2014][15:37:52.018][3524][4524][][_6c9316b84261452cabe2d090e68bcc82][SAMLSPbyIDTunnelService.java][tunnel][][][][][][][][][][][][][][][][][status: status=5&message=Failed to obtain Service Provider data by provider ID. Provider ID: https://<upper case company initials>.sharefile.com/saml/info][]

    [07/17/2014][15:37:52.018][3524][4524][][][SmJavaAPI.cpp:1500][JavaTunnelService][][][][][][][][][][][153][][][][][][Active Expression evaluated for SmJavaAPI: JavaTunnelService successfully invoked.  Parameter to follow:][]

    [07/17/2014][15:37:52.018][3524][4524][][][SmJVMSupport.cpp:439][DetachCurrentThread][][][][][][][][][][][][][][][][][SmJVMSupport: Successfully detached JVM from thread][]

    [07/17/2014][15:37:52.018][3524][4524][][][CServer.cpp:6407][CServer::Tunnel][][][][][][][][][][][153][][][][][][Return from tunnel call JavaTunnelService][]

    [07/17/2014][15:37:52.018][3524][4524][00:00:00.000000][][CServer.cpp:6425][CServer::Tunnel][][][][][][][][][][][253][][][][][][Leave function CServer::Tunnel][]

    [07/17/2014][15:37:52.018][3524][4524][00:00:00.000000][][CServer.cpp:5901][CServer::ProcessRequest][][][][][][][][][][][253][][][][][][Leave function CServer::ProcessRequest][]

    As you can see this is clearly a case sensitivity issue that should not exist. Who codes case sensitive for things that often resemble URLs??????
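As an added example (not code from the thread or from CA/Symantec), the two-step triage the post describes in script form: pull the failed transaction ID and the unresolved SP provider ID out of affwebservices-style log lines, then check that provider ID against the entity IDs configured on the Policy Server so a lookup that only matches case-insensitively is reported as a case mismatch. The log lines and the configured entity IDs are constructed.

```python
"""Triage helper for NO_PROVIDER_INFO_FOUND failures (added example, constructed data)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines, modelled on the AffWebServices log quoted in the post.
SAMPLE_AFFWEBSERVICES_LOG = """\
[1812/3624][Thu Jul 17 2014 15:28:03][SSO.java][ERROR] Transaction with ID: a6138e70-f6975a2e-da189c46-4ddfa39d-d6b8b5ee-a failed. Reason: NO_PROVIDER_INFO_FOUND
[1812/3624][Thu Jul 17 2014 15:28:03][SSO.java][ERROR] No SAML2 provider information found for SP https://ACME.sharefile.com/saml/info.
[1812/3624][Thu Jul 17 2014 15:29:11][SSO.java][ERROR] Transaction with ID: 0000aaaa-1111bbbb-2222cccc-3333dddd-4444eeee-0 failed. Reason: NO_PROVIDER_INFO_FOUND
[1812/3624][Thu Jul 17 2014 15:29:11][SSO.java][ERROR] No SAML2 provider information found for SP https://unknown.example.com/saml/metadata.
[1812/3624][Thu Jul 17 2014 15:30:00][SSO.java][INFO] Transaction with ID: 0000ffff-0000ffff-0000ffff-0000ffff-0000ffff-1 completed.
"""

# Constructed (hypothetical) SP entity IDs as stored on the Policy Server.
CONFIGURED_SP_IDS = [
    "https://acme.sharefile.com/saml/info",
    "https://partner.example.org/sp",
]

FAIL_RE = re.compile(r"Transaction with ID: (\S+) failed\. Reason: (\w+)")
# The SP line ends with a period that is not part of the entity ID.
SP_RE = re.compile(r"No SAML2 provider information found for SP (\S+?)\.?$")


@dataclass
class Failure:
    transaction_id: str
    reason: str
    sp_id: Optional[str] = None
    verdict: str = "unknown"


def parse_failures(log_text: str) -> List[Failure]:
    """Step one: collect failed transactions; the SP line that follows belongs to the last failure."""
    failures: List[Failure] = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            failures.append(Failure(transaction_id=m.group(1), reason=m.group(2)))
            continue
        m = SP_RE.search(line)
        if m and failures and failures[-1].sp_id is None:
            failures[-1].sp_id = m.group(1)
    return failures


def classify(failure: Failure, configured: List[str]) -> str:
    """Explain a NO_PROVIDER_INFO_FOUND failure against the configured entity IDs."""
    if failure.reason != "NO_PROVIDER_INFO_FOUND" or failure.sp_id is None:
        return "not a provider lookup failure"
    if failure.sp_id in configured:
        return "exact match is configured; follow the transaction ID into the Policy Server trace"
    by_lower = {c.lower(): c for c in configured}
    if failure.sp_id.lower() in by_lower:
        return "case mismatch: request sent %r, configured %r" % (
            failure.sp_id, by_lower[failure.sp_id.lower()])
    return "no SP with this entity ID is configured"


def triage(log_text: str, configured: List[str]) -> List[Failure]:
    failures = parse_failures(log_text)
    for f in failures:
        f.verdict = classify(f, configured)
    return failures


def trace_lines_for(transaction_id: str, trace_text: str) -> List[str]:
    """Step two from the post: the Policy Server trace lines carrying this transaction ID."""
    return [ln for ln in trace_text.splitlines() if transaction_id in ln]


if __name__ == "__main__":
    for f in triage(SAMPLE_AFFWEBSERVICES_LOG, CONFIGURED_SP_IDS):
        print(f.transaction_id, f.sp_id, "->", f.verdict)
```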



  • 7.  Re: SAML Authn request Error

    Posted Jul 18, 2014 09:50 AM


    We have yet to experience a "good" request. Interesting that you mention case sensitivity. Haven't examined that angle yet. It looks like we are all experiencing the same error of "NO_PROVIDER_INFO_FOUND...". I'll post my findings as we dig deeper. Other things to note: My overall Federation Gateway configuration (SPS and Policy Server) was checked out via WebEx by CA support and all appears to be well. Tests on the following URI were good: /affwebservices/assertionretriever

    [07/17/2014][13:48:34][2040][3544][17adb7f0-6b8cbe6c-8942e806-77cbec32-d275778f-4ff1][SAMLTunnelClient.java][getServiceProviderInfoByID][Tunnel result code: 1.]

    [07/17/2014][13:48:34][2040][3544][17adb7f0-6b8cbe6c-8942e806-77cbec32-d275778f-4ff1][SAMLTunnelClient.java][getServiceProviderInfoByID][SAMLTunnelStatus: 5, ]

    [07/17/2014][13:48:34][2040][3544][17adb7f0-6b8cbe6c-8942e806-77cbec32-d275778f-4ff1][SAML2Base.java][getServiceProviderInfo][SAML2.0 SP Configuration is not in cache. Requesting to get from policy server [CHECKPOINT = SSOSAML2_SPCONFFROMPS_REQ]]

    [07/17/2014][13:48:34][2040][3544][17adb7f0-6b8cbe6c-8942e806-77cbec32-d275778f-4ff1][SAML2Base.java][getServiceProviderInfo][Could not find service provider information for sp: N3A_110_SAML_Service_Provider Message: .]

    [07/17/2014][13:48:34][2040][3544][17adb7f0-6b8cbe6c-8942e806-77cbec32-d275778f-4ff1][SAML2Base.java][getServiceProviderInfo][Could not find service provider information for idp: N3A_110_SAML_Service_Provider.]

    [07/17/2014][13:48:34][2040][3544][17adb7f0-6b8cbe6c-8942e806-77cbec32-d275778f-4ff1][SSO.java][processRequest][Transaction with ID: 17adb7f0-6b8cbe6c-8942e806-77cbec32-d275778f-4ff1 failed. Reason: NO_PROVIDER_INFO_FOUND]

    [07/17/2014][13:48:34][2040][3544][17adb7f0-6b8cbe6c-8942e806-77cbec32-d275778f-4ff1][SSO.java][processRequest][No SAML2 provider information found for SP N3A_110_SAML_Service_Provider.]

    [07/17/2014][13:48:34][2040][3544][17adb7f0-6b8cbe6c-8942e806-77cbec32-d275778f-4ff1][SSO.java][processRequest][Ending SAML2 Single Sign-On Service request processing with HTTP error 400]

    [07/17/2014][13:48:34][2040][3544][][agentcommon][][Requesting data for ConfigManager ID C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

    [07/17/2014][13:48:34][2040][3544][][agentcommon][][Administration Manager is returning data for ConfigManager ID C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

    [07/17/2014][13:48:34][2040][3544][][agentcommon][][Requesting data for ConfigManager ID C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

    [07/17/2014][13:48:34][2040][3544][][agentcommon][][Administration Manager is returning data for ConfigManager ID C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

    [07/17/2014][13:48:34][2040][3544][17adb7f0-6b8cbe6c-8942e806-77cbec32-d275778f-4ff1][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 403 ]



  • 8.  Re: SAML Authn request Error

    Posted Jul 18, 2014 10:03 AM

    I should also note that when I take the post data from an http trace, and run the post data thru a SAML decoder, the "SP Provider Info" is present in the Authn request.



  • 9.  Re: SAML Authn request Error

    Posted Jul 18, 2014 10:35 AM

    Just wanted to point to this nifty add-on for Firefox called SAML Tracer (SAML tracer :: Add-ons for Firefox). It's very handy for troubleshooting without having to grab the SAML request/response from a header trace and then throw it through a decoder.

    It will show the trace, mark the ones that are SAML, and if you select those ones just hit the "SAML" tab and it will decode it for you. Makes it pretty easy to follow the trace + view decoded messages in one spot.

    Anyhow, thought you might find it useful when troubleshooting.



  • 10.  Re: SAML Authn request Error

    Posted Jul 18, 2014 10:50 AM

    Chris,

    This makes me wish Firefox was authorized where I work.

    Using Bit9 I can't install it...

    I wonder if there is an IE equivalent....



  • 11.  Re: SAML Authn request Error

    Posted Jul 18, 2014 10:13 AM

    Dan,

     

    We're not using the SPS... and I would wonder who did the remote check. Only because I know how most of them work and how well they do that due to some... history...

    As for the logs, if you have the right things in the logs, as I mentioned, you can find the transaction ID from the SPS, and use that to find the failure in the Policy Server. Then you can go to the provider identity and compare how it shows in the Policy Server to how it shows in your UI. If case is off, then you can probably get it working by adjusting case.

    Problem I have is sharefile has a browser entry and a sharefile app entry. App always uses UPPERCASE for the subdomain to sharefile.com and the browser based seems to always come across lower case. We noticed it was working for the browser and figured out that was the difference. Toggled the case in the Entity ID and it toggled which worked...



  • 12.  Re: SAML Authn request Error

    Posted Jul 21, 2014 01:51 AM

    Hello All,

     

    Thank you all for your valuable inputs and insight on the issue. But yesterday evening I was doing some further testing and tried to change the SAML2 provider information in the SAML Authn Request, and I tried the below mentioned 2 cases:

    1-> Change the ProviderName and set it same as the saml2:Issuer.

    2-> Change the saml2:Issuer and set it same as the ProviderName.

    Ex: ProviderName="abc" <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">abc</saml2:Issuer>

    Somehow, and not sure why, case 2 worked and the IDP started accepting the SAML Authn Request and it started working as expected.

    Maybe if somebody has faced a similar kind of issue they can try and make a change like this, but I am still not sure why after this change it started working. There should be some logical explanation behind this because I know the ProviderName and the saml2:Issuer can both be different.

    Thank you again for all your inputs.
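As an added example (not code from the thread or from CA/Symantec), a small decoder for the SAMLRequest value that pulls out the two identifiers the post above experimented with, ProviderName and saml2:Issuer, and reports whether they differ and whether they differ only by case. It accepts both encodings a SAML decoder has to handle, plain base64 (HTTP-POST binding) and raw DEFLATE plus base64 (HTTP-Redirect binding). The AuthnRequest, its "abc"/"ABC" values and its URLs are constructed.

```python
"""Decode a SAMLRequest and compare ProviderName with saml2:Issuer (added example)."""
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed AuthnRequest; "abc" and "ABC" only illustrate a ProviderName/Issuer case mismatch.
SAMPLE_AUTHN_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed123" Version="2.0" IssueInstant="2014-07-21T00:00:00Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://sp.example.com/saml/acs"
    ProviderName="abc">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">ABC</saml2:Issuer>
</samlp:AuthnRequest>
"""


def encode_post_binding(xml_text: str) -> str:
    """HTTP-POST binding: the XML is simply base64-encoded."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def encode_redirect_binding(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_saml_request(b64: str) -> str:
    """Accept either binding: try to inflate first, fall back to the plain XML bytes."""
    raw = base64.b64decode(b64)
    try:
        raw = zlib.decompress(raw, -15)  # Redirect binding
    except zlib.error:
        pass  # POST binding: base64 of the XML itself, not a valid DEFLATE stream
    return raw.decode("utf-8")


def inspect_authn_request(xml_text: str) -> dict:
    """Extract ProviderName and saml2:Issuer and compare them."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not an AuthnRequest: %s" % root.tag)
    issuer_el = root.find("saml2:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    provider_name = root.get("ProviderName")
    both = issuer is not None and provider_name is not None
    return {
        "provider_name": provider_name,
        "issuer": issuer,
        "issuer_matches_provider_name": issuer == provider_name,
        "differs_only_by_case": both and issuer != provider_name
        and issuer.lower() == provider_name.lower(),
    }


if __name__ == "__main__":
    for encoded in (encode_post_binding(SAMPLE_AUTHN_REQUEST),
                    encode_redirect_binding(SAMPLE_AUTHN_REQUEST)):
        print(inspect_authn_request(decode_saml_request(encoded)))
```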