Symantec Access Management


SiteMinder IDP Certificate issue

  • 1.  SiteMinder IDP Certificate issue

    Posted Jul 30, 2014 11:48 AM

    Hi All,

     

    Currently I am working on a dot net application which interacts with the SiteMinder IDP for authentication, and the problem is that SiteMinder is not able to generate an assertion (Response) once I enable the signature functionality.

    Steps at dot net Application:


    1. Generated a SHA1 certificate using the makecert executable and installed it on Host1

    2. Used Security Cryptography APIs to generate the Signature.

    3. Redirected to IDP (/affwebservice/public/saml2sso)

        a. SAMLRequest - encoded

        b. RelayState

        c. SigAlg - "http://www.w3.org/2000/09/rsa-sha1" - URL encoded

        d. Signature - generated by the dot net API - URL encoded

     

    SiteMinder:

     

    1. Imported SHA1 certificate for IDP configuration.

    2. Enabled the Signature in partnership

    3. Activated the partnership.

     

    FWSTrace.log and Fiddler screen shot attached:

     

    Error:

    [07/30/2014][11:05:58][2124][4044][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][SSO.java][processAssertionGeneration][Enforce Force Authn Timeouts is set to: false]

    [07/30/2014][11:05:58][2124][4044][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][SSO.java][processAssertionGeneration][resource is: /SMASSERTIONREF=QUERY&SAMLRequest=nVJNb%2bIwFPwrke%2bJna8uawFSNmlVJNiNgFJpLyvjvJRIiZ3Nc4D99zWBVkjbcujJkmc8npn3xiiauuVJb3ZqCX97QOMcm1ohH4AJ6TvFtcAKuRINIDeSr5LFnAce422njZa6Jk6CCJ2ptEq1wr6BbgXdvpLwtJxPyM6YllPaHvZNAXtsWhZ7RXvwalnz6HsYxNQKFb009DMZ4mTWWKXECXsXzJ83i%2bx%2bs1rkLPKy%2fNmbp3MqyvIAWzy%2fQ9r227qS9BQmQNTEedCdhCHuhPjEmWX2KMNg5DPmxncidqOoHLmiAObKKA5DHyLGSmaZiD3MFBqhzIQEzI9c9s0N2dqPOYt4HP8mTn4p5Eelikq93G5veyYhf1yvczf%2ftVoTZwMdDhEtgUzHJ9t8%2bLi7msptWfHWIZmmOk%2fuj3In1Av8WeZjeqV3Fm%2f5Tyswy3JtW%2frnJHWtD2kHwsDQDn1jXVYDiqE5Ox0DR3Pxd32V1vb7JZRfcXtz0zQaLiSXJ32LqQqNO7Ijuwu5f8n1kY%2fpGfs0AP1%2f%2faev&RelayState=ss:mem:67c1258534f184fe7dc222ea0a3c587b044464367142625d02bc61351893c7d1&Signature=NuYv6eJ%2b0w59DmsEsD2jk2uABxrmPIr7TEvTt0vzsZ%2fsrpPmKQNkGnx40DjZhiUceQrMx%2bqwTf0SaeEb0llhM9IYtd9DQNdF6fkMVvNq7olPnJkMF1n1yKArvuYFu1vcUyYZgeAxeQRNdS3IE%2bneRnpgocPhqdqGWjLa0xd6z3g%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2000%2f09%2fxmldsig%23rsa-sha1&SAMLTRANSACTIONID=12491de8-277c71e1-4744a6db-48631f63-8ff36cd1-96&SSOUrl=http://PWVMDEVSMP04.DPW.LCL/affwebservices/public/saml2sso&Oid=21-0fe871ff-7739-43f3-9acb-1160d143c0d6]

    [07/30/2014][11:05:58][2124][4044][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][SSO.java][processAssertionGeneration][resolved variable list is: <RVARS><Var name="ConsumerURL" rtype="3"><![CDATA[http://pwvmdevsmp05.dpw.lcl:49325/product/AssertionConsumerService]]></Var><Var name="FederationAPIVersion" rtype="2"><![CDATA[1]]></Var></RVARS>]

    [07/30/2014][11:05:58][2124][4044][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][SSO.java][processAssertionGeneration][Calling authorizeEx to invoke SAML2 assertion generator.]

    [07/30/2014][11:05:58][2124][4044][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][SSO.java][processAssertionGeneration][Request to policy server for generating saml2 assertion/artifact based on selected profile. [CHECKPOINT = SSOSAML2_GENERATEASSERTIONORARTIFACT_REQ]]

    [07/30/2014][11:05:58][2124][4044][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][SSO.java][processAssertionGeneration][Result of authorizeEx call is: 2.]

    [07/30/2014][11:05:58][2124][4044][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][SSO.java][processAssertionGeneration][Received the assertion/artifact response based on profile selected. [CHECKPOINT = SSOSAML2_RECEIVEDASSERTION_RSP]]

    [07/30/2014][11:05:58][2124][4044][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][SSO.java][processAssertionGeneration][Transaction with ID: 23b6b633-09379405-3fc44733-46f79a23-48b6b309-1 failed. Reason: FAILED_AUTHEX]

    [07/30/2014][11:05:58][2124][4044][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][SSO.java][processAssertionGeneration][Denying request due to authorizeEx call failure.]

    [07/30/2014][11:05:59][2124][4044][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][SSO.java][processAssertionGeneration][Sending 500 error]

             

     

    SM.png

    Any help or suggestion is most welcome. Thank you.



  • 2.  Re: SiteMinder IDP Certificate issue

    Posted Jul 30, 2014 12:56 PM

    Your authorizeEx call result of 2 is likely the reply from the Policy Server. What do those logs say?

     

    Your transaction id ([23b6b633-09379405-3fc44733-46f79a23-48b6b309-1]) should appear as attribute 221 in the Profiler log.



  • 3.  Re: SiteMinder IDP Certificate issue

    Posted Jul 30, 2014 01:27 PM

    [07/30/2014][11:05:58][3200][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][IsAuthorized.cpp:685][CSm_Az_Message::IsAuthorized][samlsp:copaexchange_idp-signed][][][bliu][Authorizing user...]

    [07/30/2014][11:05:58][3200][][SmAuthorization.cpp:1405][CSmAz::IsOk][][][][][Enter function CSmAz::IsOk]

    [07/30/2014][11:05:58][3200][][SmAuthorization.cpp:1443][CSmAz::IsOk][samlsp:copaexchange_idp-signed][][][bliu][Start of user policy analysis for realm.]

     

    [07/30/2014][11:05:58][3200][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][Sm_Auth_Message.cpp:4043][CSm_Auth_Message::SetAuthContext][samlsp:copaexchange_idp-signed][/][][bliu][Evaluating 'OnAuthAccept' policy...]

    [07/30/2014][11:05:58][3200][][SmAuthorization.cpp:2262][CSmAz::GetRealmList][][][][][Enter function CSmAz::GetRealmList]

     

    [07/30/2014][11:05:58][3200][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][IsAuthorized.cpp:685][CSm_Az_Message::IsAuthorized][samlsp:copaexchange_idp-signed][][][bliu][Authorizing user...]

    [07/30/2014][11:05:58][3200][][SmAuthorization.cpp:1405][CSmAz::IsOk][][][][][Enter function CSmAz::IsOk]

     

     

    I don't understand much though. Is that what you are looking for?

     

    Thank You.



  • 4.  Re: SiteMinder IDP Certificate issue

    Posted Jul 31, 2014 09:01 AM

    "AnupamNandan"

     

    You seem to have only pulled part of the log.

    If that was everything then you are way too limited. Your next move should be FULL logging on BOTH sides.

     

    Remember you have many moving parts. Only looking at one part will never be the full picture.

     

    You need a minimum of:

    • Agent Error Log (LogFileName of the ACO)
    • Agent Trace Log (TraceFileName of the ACO)
    • Federation Error Log (normally AffWebServices.log)
    • Federation Trace Log (normally FWSTrace.log)
    • Policy Server Access Log (normally smaccess)
    • Policy Server Error Log (normally smps.log)
    • Policy Server Trace Log (normally smtracedefault.log also known as the profiler log)

     

    The agent logs (first four) show you what is happening agent side.

    The Policy Server logs (last three) show the Policy Server Side.

     

    There's a bunch of documentation that I had created when I was with CA that would be great for them to post to the documentation page, but they have not. (I haven't been with CA for over a year.)

     

    I hope the links work... here are some KB documents that might be useful:

     

    PS Log Reading Primer: https://support.ca.com/irj/portal/kbtech?docid=487823

    WA Log Reading Primer: https://support.ca.com/irj/portal/kbtech?docid=487843

    More on Log Reading: https://support.ca.com/irj/portal/kbtech?docid=589903

    More on Log Correlation: https://support.ca.com/irj/portal/kbtech?docid=829800
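
Reply 2 says the FWSTrace transaction ID should show up again in the Policy Server profiler log, and the list above names the files to collect. The following is an added example, not code from this thread or from CA, showing how the two log formats can be joined on that transaction ID so the federation-side FAILED_AUTHEX line is read next to the policy-server-side authorization lines for the same transaction. It assumes the bracketed field layouts visible in the lines posted in this thread; the sample lines in Main are shortened copies of those lines, constructed for the demo.

```csharp
// Added example (not from the thread or CA). Assumes the field layouts seen in
// the posted FWSTrace.log and smtracedefault.log lines.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.RegularExpressions;

public static class SmTraceCorrelator
{
    static readonly Regex Field = new Regex(@"\[([^\]]*)\]", RegexOptions.Compiled);

    // Both logs are sequences of bracketed fields; return them in order.
    public static List<string> Fields(string line)
    {
        return Field.Matches(line).Cast<Match>().Select(m => m.Groups[1].Value).ToList();
    }

    // FWSTrace.log layout: [date][time][pid][tid][txid][file][function][message].
    // Returns txid -> failure reason for every "Transaction with ID ... failed" line.
    public static Dictionary<string, string> FailedTransactions(IEnumerable<string> fwsTrace)
    {
        var failed = new Dictionary<string, string>();
        foreach (string line in fwsTrace)
        {
            List<string> f = Fields(line);
            if (f.Count < 8) continue;
            string msg = f[f.Count - 1];
            int at = msg.IndexOf("failed. Reason: ", StringComparison.Ordinal);
            if (msg.StartsWith("Transaction with ID:", StringComparison.Ordinal) && at >= 0)
            {
                failed[f[4]] = msg.Substring(at + "failed. Reason: ".Length);
            }
        }
        return failed;
    }

    // Policy Server trace layout as posted in this thread:
    // [date][time][pid][txid][file:line][function][agent][resource][..][user][message].
    // Lines whose txid field is empty are internal calls and cannot be correlated.
    public static List<string> PolicyServerLinesFor(string txid, IEnumerable<string> smTrace)
    {
        return smTrace.Where(l => { List<string> f = Fields(l); return f.Count > 3 && f[3] == txid; }).ToList();
    }

    // One block per failed federation transaction, followed by the Policy Server
    // lines that carry the same transaction ID (time, function, user, message).
    public static string Report(IEnumerable<string> fwsTrace, IEnumerable<string> smTrace)
    {
        var sb = new StringBuilder();
        foreach (KeyValuePair<string, string> kv in FailedTransactions(fwsTrace))
        {
            sb.AppendLine("FWS transaction " + kv.Key + " failed: " + kv.Value);
            foreach (string line in PolicyServerLinesFor(kv.Key, smTrace))
            {
                List<string> f = Fields(line);
                if (f.Count > 10)
                    sb.AppendLine("  PS " + f[1] + " " + f[5] + " user=" + f[9] + " : " + f[10]);
            }
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample: shortened copies of the lines posted in this thread.
        string[] fwsTrace = {
            "[07/30/2014][11:05:58][2124][4044][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][SSO.java][processAssertionGeneration][Result of authorizeEx call is: 2.]",
            "[07/30/2014][11:05:58][2124][4044][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][SSO.java][processAssertionGeneration][Transaction with ID: 23b6b633-09379405-3fc44733-46f79a23-48b6b309-1 failed. Reason: FAILED_AUTHEX]"
        };
        string[] smTrace = {
            "[07/30/2014][11:05:58][3200][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][IsAuthorized.cpp:685][CSm_Az_Message::IsAuthorized][samlsp:copaexchange_idp-signed][][][bliu][Authorizing user...]",
            "[07/30/2014][11:05:58][3200][][SmAuthorization.cpp:1405][CSmAz::IsOk][][][][][Enter function CSmAz::IsOk]"
        };
        Console.Write(Report(fwsTrace, smTrace));
    }
}
```

Run it against the full FWSTrace.log and smtracedefault.log (with the profiler configured to emit TransactionID, as in the template later in this thread) rather than the two-line samples; the lines with an empty transaction field in the Policy Server trace are the internal calls between the correlated entries and are best read in the raw file once the transaction's time window is known.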



  • 5.  Re: SiteMinder IDP Certificate issue

    Posted Jul 31, 2014 10:15 AM

    Sure, Thank you for Pointing it out.



  • 6.  Re: SiteMinder IDP Certificate issue

    Posted Jul 31, 2014 07:21 PM

    I looked all around and didn't find anything much helpful today.

     

    I am using simple dot net code:

     

    // Requires: using System; using System.Text; using System.Security.Cryptography;
    //           using System.Security.Cryptography.X509Certificates;
    public static string SignSAMLRequest(string samlRequest, X509Certificate2 certificate)
    {
        // Use an explicit encoding; Encoding.Default depends on the machine's code page,
        // so the bytes signed here could differ from what the other side hashes.
        byte[] buffer = Encoding.UTF8.GetBytes(samlRequest);

        // SHA-1 digest of the input, matching the rsa-sha1 SigAlg sent to the IDP.
        byte[] hash;
        using (SHA1 sha1 = SHA1.Create())
        {
            hash = sha1.ComputeHash(buffer);
        }

        // PKCS#1 v1.5 signature over the digest with the certificate's private key.
        RSAPKCS1SignatureFormatter formatter = new RSAPKCS1SignatureFormatter(certificate.PrivateKey);
        formatter.SetHashAlgorithm("SHA1");
        byte[] signature = formatter.CreateSignature(hash);

        return Convert.ToBase64String(signature);
    }

     

    And finally redirecting to the SiteMinder and myapplication partnership (with certificate configured in partnership),

    encoded using:

    Signature = SignSAMLRequest(req, cert);

    newEncodedSignature = HttpUtility.UrlEncode(Signature);

    return Redirect(getURL + "?SAMLRequest=" + newSAMLEncodedRequest + "&RelayState=" + TempData[relaystate].ToString() + "&Signature=" + newEncodedSignature + "&SigAlg=" + sigedAlgo);

     

    Things work fine for me if I disable the certificate option in the partnership and send only:

    return Redirect(getURL + "?SAMLRequest=" + newSAMLEncodedRequest + "&RelayState=" + TempData[relaystate].ToString());

     

     

    Let me know if you have anything here or where I am going wrong.

     

    Thank you.
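
The helper posted above signs whatever string it is handed, so everything depends on what the caller passes in. Under the SAML 2.0 HTTP-Redirect binding the signed bytes are not the request XML but the URL-encoded query string SAMLRequest=...&RelayState=...&SigAlg=... in exactly that order, with the SAMLRequest value DEFLATE-compressed and base64-encoded first, and the receiver must rebuild that string from the parameter values exactly as they arrived. The following is an added example, not the poster's code and not SiteMinder's implementation, covering both the sending side described in the first post and the receiving side; it assumes .NET Framework 4.6+ or .NET Core (RSA.SignData/VerifyData and the GetRSAPrivateKey/GetRSAPublicKey extension methods) and that the certificate and AuthnRequest XML are supplied by the caller.

```csharp
// Added example, not code from this thread. Assumes .NET Framework 4.6+ or
// .NET Core; the certificate and the AuthnRequest XML come from the caller.
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Compression;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class SamlRedirectBinding
{
    public const string RsaSha1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    public const string RsaSha256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Raw DEFLATE (no zlib header) followed by base64: the SAMLRequest value
    // before URL encoding, as the HTTP-Redirect binding requires.
    public static string DeflateAndBase64(string xml)
    {
        byte[] raw = Encoding.UTF8.GetBytes(xml);
        using (var output = new MemoryStream())
        {
            using (var deflate = new DeflateStream(output, CompressionMode.Compress, true))
            {
                deflate.Write(raw, 0, raw.Length);
            }
            return Convert.ToBase64String(output.ToArray());
        }
    }

    // The bytes that get signed: already URL-encoded values, concatenated in
    // this fixed order. RelayState is left out entirely when absent.
    public static string SignedPortion(string encRequest, string encRelayState, string encSigAlg)
    {
        string s = "SAMLRequest=" + encRequest;
        if (!string.IsNullOrEmpty(encRelayState)) s += "&RelayState=" + encRelayState;
        return s + "&SigAlg=" + encSigAlg;
    }

    // Sender side (the .NET application in this thread): returns the full query.
    public static string BuildSignedQuery(string authnRequestXml, string relayState,
                                          X509Certificate2 signingCert, bool useSha256)
    {
        string sigAlg = useSha256 ? RsaSha256 : RsaSha1;
        HashAlgorithmName hash = useSha256 ? HashAlgorithmName.SHA256 : HashAlgorithmName.SHA1;
        string toSign = SignedPortion(
            Uri.EscapeDataString(DeflateAndBase64(authnRequestXml)),
            relayState == null ? null : Uri.EscapeDataString(relayState),
            Uri.EscapeDataString(sigAlg));

        using (RSA rsa = signingCert.GetRSAPrivateKey())
        {
            byte[] sig = rsa.SignData(Encoding.UTF8.GetBytes(toSign), hash, RSASignaturePadding.Pkcs1);
            return toSign + "&Signature=" + Uri.EscapeDataString(Convert.ToBase64String(sig));
        }
    }

    // Receiver side (what an IDP does): verify over the parameter values exactly
    // as received, so both sides agree on the bytes even when their URL encoders
    // differ in hex case (the log in the first post shows lowercase %2b).
    public static bool VerifySignedQuery(string query, X509Certificate2 partnerCert)
    {
        var enc = new Dictionary<string, string>();
        foreach (string pair in query.TrimStart('?').Split('&'))
        {
            int eq = pair.IndexOf('=');
            if (eq > 0) enc[pair.Substring(0, eq)] = pair.Substring(eq + 1);
        }
        string req, sigAlgEnc, sigEnc, relayEnc;
        if (!enc.TryGetValue("SAMLRequest", out req) || !enc.TryGetValue("SigAlg", out sigAlgEnc)
            || !enc.TryGetValue("Signature", out sigEnc)) return false;
        enc.TryGetValue("RelayState", out relayEnc);

        HashAlgorithmName hash;
        string sigAlg = Uri.UnescapeDataString(sigAlgEnc);
        if (sigAlg == RsaSha256) hash = HashAlgorithmName.SHA256;
        else if (sigAlg == RsaSha1) hash = HashAlgorithmName.SHA1;
        else return false; // only algorithms the partnership agreed on

        byte[] data = Encoding.UTF8.GetBytes(SignedPortion(req, relayEnc, sigAlgEnc));
        byte[] sig = Convert.FromBase64String(Uri.UnescapeDataString(sigEnc));
        using (RSA rsa = partnerCert.GetRSAPublicKey())
        {
            return rsa.VerifyData(data, sig, hash, RSASignaturePadding.Pkcs1);
        }
    }
}
```

Two points worth checking against the thread: the SigAlg value listed in the first post's step c is not the identifier that actually reached the IDP according to the posted log (which shows the xmldsig#rsa-sha1 URI), and any mismatch between what is signed and what is sent has to be settled before reading further into the logs. Separately, the failure the log reports is authorizeEx result 2 / FAILED_AUTHEX, which later replies in this thread trace to the partnership's user directory and the user's group membership, so the authorization side needs to be examined independently of the signature code.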



  • 7.  Re: SiteMinder IDP Certificate issue

    Posted Aug 19, 2014 06:36 AM

    Hi Anupam ,

     

    I am also facing the similar issue. Please let me know if you resolved the issue.

     

    Regards

    Kannan



  • 8.  Re: SiteMinder IDP Certificate issue

    Posted Aug 19, 2014 10:22 AM

    Anupam,

     

    I don't know the code enough to see errors there.

    I do know the logging was way too low to get anything useful.

     

    You should configure the Policy Server to

     

    components: AgentFunc, Server, IsProtected, Login_Logout, IsAuthorized, Tunnel_Service, JavaAPI, Directory_Access, ODBC, LDAP, IdentityMinder, TXM, Fed_Server, DLP

    data: Date, PreciseTime, ExecutionTime, Pid, Tid, SrcFile, Function, TransactionID, AgentName, Resource, User, Group, Realm, Domain, Directory, Policy, AgentType, Rule, ErrorValue, ReturnValue, ErrorString, IPAddr, IPPort, Result, Returns, CallDetail, SearchKey, Query, Expression, ObjectClass, DomainOID, ObjectOID, Property, AuthStatus, AuthReason, AuthScheme, CertSerial, SubjectDN, IssuerDN, SessionSpec, SessionID, CertDistPt, UserDN, Action, RealmOID, State, ClusterID, HandleCount, FreeHandleCount, BusyHandleCount, ResponseTime, Throughput, MaxThroughput, MinThroughput, Threshold, TransactionName, HexadecimalData, ActiveExpr, RequestIPAddr, CacheHits, CacheSize, RefCount, Message, Data

    version: 1.1

     

    unless you know something can be removed.

    The references I gave you should enable that, as should an xls in the SM forum.

     

    You need to capture it in the logs. If the logs are configured right they will tell you the issue.



  • 9.  Re: SiteMinder IDP Certificate issue

    Posted Aug 19, 2014 11:12 PM

    Hi Anupam,

     

    The FWSTrace log shows the issue is related to authorization. Does the testing user have the right to federate (SAML Service Provider Properties -> Users)? The policy server trace log will give more information on why it failed to generate the assertion.



  • 10.  Re: SiteMinder IDP Certificate issue

    Posted Oct 22, 2014 04:50 PM

    I'm having the same problem. It was working for weeks then random users started to fail with this AUTHEX error.



  • 11.  Re: SiteMinder IDP Certificate issue

    Posted Oct 22, 2014 07:31 PM

    Hi Brian,

    If the error in the FWSTrace log is the same as what was reported by Anupam, then we need to look into the policy server trace log on why random users started to fail. The policy server is responsible for authorization, so we need to find more hints from the policy server trace log. The profiler template that JPerlmutter provided earlier is a good point to start with.

     

    Thanks.



  • 12.  Re: SiteMinder IDP Certificate issue

    Posted Oct 23, 2014 10:33 AM

    Hi Karmeng,

     

    I turned on full profiler trace on the policy servers and don't see any issue in the smtrace logs. The last entry I see for the users is Is Authorized with a value of True. Also the web agent trace logs show the user as being authorized. The only error I can find is in the FWSTrace.log:

    Result of authorizeEx call is: 2.

    Transaction with ID: 24db28de-d8958614-b6ea32ea-112e7da0-1d4e1a7a-554 failed. Reason: FAILED_AUTHEX]

    Denying request due to authorizeEx call failure.

    Sending 500 error

    and the affwebserv.log:

    [sm-FedClient-02890] Transaction with ID: 24db28de-d8958614-b6ea32ea-112e7da0-1d4e1a7a-554 failed. Reason: FAILED_AUTHEX (, , )

     

    I did a comparison of a successful and failed login in the policy server trace logs, and one noticeable item is that the second affwebservices call after the secureredirect never happens on the failed attempt. I believe the 500 is being thrown prior to that call being made.

     

     

    Thanks,

    Brian



  • 13.  Re: SiteMinder IDP Certificate issue

    Posted Oct 23, 2014 01:42 PM

    Please disregard.

     

    I was unable to find any more detailed errors, but it turns out the user was unexpectedly removed from the required AD groups.

     

    Thanks,

    Brian



  • 14.  Re: SiteMinder IDP Certificate issue

    Posted Oct 23, 2014 10:00 PM

    Hi Brian,

    Glad you found the root cause. "Unexpectedly removing the user" is really not what I expected. I will keep this in mind to check in future similar use cases. Thanks for sharing.

    Regards,

    Kar Meng



  • 15.  Re: SiteMinder IDP Certificate issue

    Posted Feb 24, 2016 03:20 PM

    Hi All,

    We faced a similar issue in our SiteMinder environment where a Federation Partnership is configured.

    Siteminder version r12.52 cr1

     

    Error message:

    [02/23/2016][07:58:31][6732][4884][11c399fd-07644a6a-c07e1e29-39424c26-f79f8065-9b72][SSO.java][processAssertionGeneration][Calling authorizeEx to invoke SAML2 assertion generator.]

    [02/23/2016][07:58:31][6732][4884][11c399fd-07644a6a-c07e1e29-39424c26-f79f8065-9b72][SSO.java][processAssertionGeneration][Request to policy server for generating saml2 assertion/artifact based on selected profile. [CHECKPOINT = SSOSAML2_GENERATEASSERTIONORARTIFACT_REQ]]

    [02/23/2016][07:58:31][6732][4884][11c399fd-07644a6a-c07e1e29-39424c26-f79f8065-9b72][SSO.java][processAssertionGeneration][Result of authorizeEx call is: 2.]

    [02/23/2016][07:58:31][6732][4884][11c399fd-07644a6a-c07e1e29-39424c26-f79f8065-9b72][SSO.java][processAssertionGeneration][Received the assertion/artifact response based on profile selected. [CHECKPOINT = SSOSAML2_RECEIVEDASSERTION_RSP]]

    [02/23/2016][07:58:31][6732][4884][11c399fd-07644a6a-c07e1e29-39424c26-f79f8065-9b72][SSO.java][processAssertionGeneration][Transaction with ID: 11c399fd-07644a6a-c07e1e29-39424c26-f79f8065-9b72 failed. Reason: FAILED_AUTHEX]

    [02/23/2016][07:58:31][6732][4884][11c399fd-07644a6a-c07e1e29-39424c26-f79f8065-9b72][SSO.java][processAssertionGeneration][Denying request due to authorizeEx call failure.]

    [02/23/2016][07:58:31][6732][4884][11c399fd-07644a6a-c07e1e29-39424c26-f79f8065-9b72][SSO.java][processAssertionGeneration][Sending 500 error]

     

    Solution:

    The issue is related to the selected User Directory in the Federation Partnership, and to rectify it we followed the steps below:

    1. We deactivated the Federation Partnership having the issue and attempted to modify the Federation definition.

    2. Removed the selected User Directory and assigned a dummy User Directory so that the section is not empty.

    3. Clicked the Next button until the last stage, where it shows the confirmation screen before submitting the changes.

    4. On submitting, re-opened the same Federation to modify the definition.

    5. Reassigned the User Directory which was originally meant for authentication/authorization purposes.

    6. Submitted the change and activated the Federation Partnership.

    7. Attempted to access the federation-based application.

     

    Result: On performing the changes above the issue was resolved.



  • 16.  Re: SiteMinder IDP Certificate issue

    Posted May 25, 2017 06:00 PM

    This option worked for me. 

    I still have other errors but no longer says: "HTTP Status - 403 Request Forbbiden...."

     

    Thanks.



  • 17.  Re: SiteMinder IDP Certificate issue

    Posted Nov 12, 2018 07:18 AM

    I too have the same issue with 403 Request Forbidden. LuisCossio, were you able to resolve this?



  • 18.  Re: SiteMinder IDP Certificate issue

    Posted Nov 12, 2018 08:24 AM

    Hello Chris. Yes, indeed once I followed the procedure indicated by @amitshinde I managed to eliminate the error "HTTP Status - 403 Request Forbbiden....":

     

    "

    Solution:

    The issue is related to the selected User Directory in the Federation Partnership, and to rectify it we followed the steps below:

    1. We deactivated the Federation Partnership having the issue and attempted to modify the Federation definition.

    2. Removed the selected User Directory and assigned a dummy User Directory so that the section is not empty.

    3. Clicked the Next button until the last stage, where it shows the confirmation screen before submitting the changes.

    4. On submitting, re-opened the same Federation to modify the definition.

    5. Reassigned the User Directory which was originally meant for authentication/authorization purposes.

    6. Submitted the change and activated the Federation Partnership.

    7. Attempted to access the federation-based application.

     

    Result: On performing the changes above the issue was resolved."

     



  • 19.  Re: SiteMinder IDP Certificate issue

    Posted Nov 12, 2018 09:44 AM

    I did the same,

     

    But still with the same errors :(