
OpenID Authentication Scheme - Google & Yahoo Provider - CA Single Sign-On (formerly CA Siteminder)

Question asked by jaisa06 Employee on Feb 12, 2016
Latest reply on Feb 12, 2016 by jaisa06

Reference docs

https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052-ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?1814733.html

https://docops.ca.com/ca-single-sign-on-1252sp2/en/configuring/policy-server-configuration/authentication-schemes/openid-authentication-scheme

 

Question: The Yahoo provider works, but Google doesn't, with the OpenID Authentication Scheme.

I am trying to use Google as the OpenID provider. It seems like the Google URL in C:\Program Files\CA\webagent\win64\samples\forms\openid.fcc on the web server is not correct.

var providers_large = {
    google : {
        name : 'Google',
        url : 'https://www.google.com/accounts/o8/id'
    },

Is this a URL issue or something? Can somebody spot the issue?

If it is a URL issue, what should the URL be?

There has been discussion over the URL here. Tried both.

Two Different Google OpenID URLs - Stack Overflow

 

On the SM VM, C:\Program Files (x86)\CA\siteminder\config\properties\Openidproviders.xml has email as the required claim for the Google provider, similar to Yahoo.

<TrustedOpenIDProviders>
  <OpenIDProvider >
    <ProviderName>
      google.com
    </ProviderName>
    <RequiredClaims>
      <claim>
        <URI>
          http://axschema.org/contact/email
        </URI>
        <alias>
          email
        </alias>
      </claim>
    </RequiredClaims>
    <OptionalClaims>
    </OptionalClaims>
    <Pape>
      <max_auth_age>
        0
      </max_auth_age>
      <Policies>
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier
      </Policies>
    </Pape>
  </OpenIDProvider>
  <OpenIDProvider RequestType="ax">
    <ProviderName>yahooapis.com</ProviderName>
    <RequiredClaims>
      <claim>
        <URI>http://axschema.org/contact/email</URI>
        <alias>email</alias>
      </claim>
    </RequiredClaims>
    <OptionalClaims>
    </OptionalClaims>
    <Pape>
      <max_auth_age>
        0
      </max_auth_age>
      <Policies>
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier,
        http://www.idmanagement.gov/schema/2009/05/icam/openid-trust-level1.pdf
      </Policies>
    </Pape>
  </OpenIDProvider>

 

 

Getting the following error.

[02/11/2016][19:40:46.691][19:40:46][4692][2884][Sm_Auth_Message.cpp:416][CSm_Auth_Message::AuthenticateUser][000000000000000000000000030da8c0-0188-56bd2a0e-0b38-02ac3a2d][iis_agent][/transpolar/employee/employee.jsp][][][EmployeeArea][][][][][][][][][][][][][][][Authenticating user.]

[02/11/2016][19:40:46.694][19:40:46][4692][2884][SmAuthUser.cpp:649][ServerTrace][][][][][][][][][][][][][][][][][][][][Exception occured while discovery for identifierhttps://www.google.com/accounts/o8/id][SMAuthOpenID:preAuthenticate: Exception occured while discovery for identifierhttps://www.google.com/accounts/o8/id]

[02/11/2016][19:40:46.694][19:40:46][4692][2884][SmAuthUser.cpp:649][ServerTrace][][][][][][][][][][][][][][][][][][][][Exception Message:0x706: GET failed on https://www.google.com/accounts/o8/id : 404][SMAuthOpenID:preAuthenticate: Exception Message:0x706: GET failed on https://www.google.com/accounts/o8/id : 404]

[02/11/2016][19:40:46.694][19:40:46][4692][2884][SmAuthUser.cpp:649][ServerTrace][][][][][][][][][][][][][][][][][][][][Discovery failed for the identifier https://www.google.com/accounts/o8/id][SMAuthOpenID:preAuthenticate: Discovery failed for the identifier https://www.google.com/accounts/o8/id]

[02/11/2016][19:40:46.694][19:40:46][4692][2884][Sm_Auth_Message.cpp:1271][CSm_Auth_Message::AuthenticateUser][000000000000000000000000030da8c0-0188-56bd2a0e-0b38-02ac3a2d][iis_agent][/transpolar/employee/employee.jsp][][][EmployeeArea][][AD_Directory][][][][][][][][][][][][][Evaluating OnAuthAttempt policy...]

[02/11/2016][19:40:46.694][19:40:46][4692][2884][SmAuthorization.cpp:1237][CSmAz::IsOk][][][][][][][][][][][][][][][][][][][][][Enter function CSmAz::IsOk]
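The trace lines in the post share a bracket-delimited layout, so the OpenID discovery failure can be extracted and tied to the agent and resource being authenticated on the same thread. This is an added example, not part of the original post or of CA's tooling; the function names and the field positions (process/thread IDs at 3 and 4, agent at 8, resource at 9) are assumptions read off the sample lines, which are abridged here.

```python
import re

FIELD = re.compile(r"\[([^\]]*)\]")
GET_FAILED = re.compile(r"GET failed on (\S+) : (\d{3})")
DISCOVERY = re.compile(r"Discovery failed for the identifier\s*(\S+)")

# Sample lines abridged from the trace in the post (runs of empty [] fields shortened).
SAMPLE = """\
[02/11/2016][19:40:46.691][19:40:46][4692][2884][Sm_Auth_Message.cpp:416][CSm_Auth_Message::AuthenticateUser][000000000000000000000000030da8c0-0188-56bd2a0e-0b38-02ac3a2d][iis_agent][/transpolar/employee/employee.jsp][][][EmployeeArea][][][Authenticating user.]
[02/11/2016][19:40:46.694][19:40:46][4692][2884][SmAuthUser.cpp:649][ServerTrace][][][][Exception Message:0x706: GET failed on https://www.google.com/accounts/o8/id : 404][SMAuthOpenID:preAuthenticate: Exception Message:0x706: GET failed on https://www.google.com/accounts/o8/id : 404]
[02/11/2016][19:40:46.694][19:40:46][4692][2884][SmAuthUser.cpp:649][ServerTrace][][][][Discovery failed for the identifier https://www.google.com/accounts/o8/id][SMAuthOpenID:preAuthenticate: Discovery failed for the identifier https://www.google.com/accounts/o8/id]
"""

def parse_line(line):
    """Split one trace line into its bracketed fields; None if it is not a trace line."""
    f = FIELD.findall(line)
    if len(f) < 8:
        return None
    # Assumed layout: f[3]/f[4] identify process and thread, f[6] is the function, f[-1] the message.
    return {"date": f[0], "time": f[1], "thread": (f[3], f[4]),
            "function": f[6], "fields": f, "message": f[-1]}

def openid_discovery_failures(text):
    """Correlate discovery failures with the request being authenticated on the same thread."""
    current = {}   # thread -> (agent, resource) from the latest AuthenticateUser line
    status = {}    # (thread, url) -> HTTP status from the preceding "GET failed" line
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        f, thread = rec["fields"], rec["thread"]
        if rec["function"].endswith("AuthenticateUser") and len(f) > 9 and f[9]:
            current[thread] = (f[8], f[9])
        m = GET_FAILED.search(rec["message"])
        if m:
            status[(thread, m.group(1))] = int(m.group(2))
        m = DISCOVERY.search(rec["message"])
        if m:
            agent, resource = current.get(thread, (None, None))
            findings.append({"when": f"{rec['date']} {rec['time']}", "identifier": m.group(1),
                             "http_status": status.get((thread, m.group(1))),
                             "agent": agent, "resource": resource})
    return findings

if __name__ == "__main__":
    print(openid_discovery_failures(SAMPLE))
```
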
