Symantec Access Management

  • 1.  SAML Authentication fails at Service Provider ACS

    Posted Mar 10, 2016 08:46 AM

    Hi team,

    Please help me with the below issue:

    I configured a Siteminder Federation partnership with OpenAM (acting as IdP). After authenticating at the IdP, the SAML response is posted to the Siteminder Assertion Consumer URL and fails there with error 500. I am unable to understand the reason behind it. All configurations are default and correct to my knowledge. What settings could possibly be missing here? Below is a snippet from FWSTrace.log, in case it is helpful.


    [5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][SAML2Base.java][getIdentityProviderInfo][Obtained identity provider information from cache for: IDP_OPENAM.]

    [5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][FWSBase.java][getPartnershipSourceValue][Partnership source value = 3]

    [5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][getRealmForTarget][Reading the configuration to get the target url [CHECKPOINT = SSOSAML2_READTARGETURL_REQ]]

    [5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][SAML2Base.java][getRedirectTargetFromCookie][cookie contains target:]

    [5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][getRealmForTarget][targetURL:http://mysmsp.xyz.com:90/protect/test1.html usingRelayState: false]

    [5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][getRealmForTarget][Get realm oid for target resource from property [CHECKPOINT = SSOSAML2_REALMOIDFORTARGETFROMPROPERTY_RSP]]

    [5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][getRealmForTarget][Realm Name: ]

    [5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][getRealmForTarget][Realm OID: 06-937326a5-b57a-4c4e-b290-64cf4d3d0170]

    [5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][validateDestination][Using Proxy URL: http://mysmsp.xyz.com:90/affwebservices/public/saml2assertionconsumer]

    [5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][processSAMLResponse][Credentials: <UserCredentials><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s2c29cb4b501ab7e64d6e00592bad01faadcc58c51"

    InResponseTo="_f22fd93e9ee9a1f56c58a395b04f88d431da" Version="2.0" IssueInstant="2016-03-10T12:57:55Z" Destination="http://mysmsp.xyz.com:90/affwebservices/public/saml2assertionconsumer"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">IDP_OPENAM</saml:Issuer><samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

    <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success">

    .

    .

    <SAML ASSERTION>

    .

    .

    .

    [5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][FWSBase.java][authenticateUser][Passing response message through login call [CHECKPOINT = SSO_RESPONSEMESSAGEINLOGIN_REQ]]

    [5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][FWSBase.java][authenticateUser][result code from AgentAPI login call: 2]

    [5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][FWSBase.java][authenticateUser][Login failure [CHECKPOINT = SSO_LOGINFAILURE_RSP]]

    [5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][FWSBase.java][processFailedAuthentication][SAML Assertion based user authentication failed.]

    [5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][FWSBase.java][processFailedAuthentication][Response Attributes:]

    [5152][][agentcommon][][Requesting data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

    [5152][][agentcommon][][Administration Manager is returning data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

    [5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][processSAMLResponse][authenticateUser failed: 1]

    [5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][redirectLoginFailure][AuthReason=0]

    [5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][redirectLoginFailure][Redirect Mode="null" URL="null"]

    [5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][redirectLoginFailure][Ending SAML2 AssertionConsumer Service request processing with HTTP error 500]

    [5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][redirectLoginFailure][Transaction with ID: 2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97 failed. Reason: ACS_FAILED_PROCESS_FAILURE]

    [5152][][agentcommon][][Requesting data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

    [5152][][agentcommon][][Administration Manager is returning data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

    [5152][][agentcommon][][Requesting data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

    [5152][][agentcommon][][Administration Manager is returning data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

    [5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]

    [5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][doPost][processSAMLResponse TIME: 93ms]

    [2480][][agentcommon][][The Configuration Management thread is calling doManagement()]


    ....................................................


    Below is a log snippet from SMTRACEDEFAULT.log, where I see an error relating to the policy check. I have no policy defined for the target resource.


    [03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:1443][CSmAz::IsOk][][][][][][samlidp:siteminder_openam_partnership][samlidp:siteminder_openam_partnership][][][][][][][][][][][][][][Start of user policy analysis for realm.]

    [03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:1842][CSmAz::IsOk][][][][][][][][][][][][][][No applicable Policy found. ][][][][][][][IsOk? No.]

    [03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:1844][CSmAz::IsOk][][][][][][][][][][][][][false][][][][][][][][Leave function CSmAz::IsOk]

    [03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:2291][CSmAz::IsOkGlobal][][][][][][][][][][][][][][][][][][][][][Enter function CSmAz::IsOkGlobal]

    [03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:2313][CSmAz::IsOkGlobal][][][][][][samlidp:siteminder_openam_partnership][samlidp:siteminder_openam_partnership][][][][][][][][][][][][][][Evaluating OnAuthReject global policies in the realm.]

    [03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:1405][CSmAz::IsOk][][][][][][][][][][][][][][][][][][][][][Enter function CSmAz::IsOk]

    [03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:1443][CSmAz::IsOk][][][][][][samlidp:siteminder_openam_partnership][samlidp:siteminder_openam_partnership][][][][][][][][][][][][][][Start of user policy analysis for realm.]

    [03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:1842][CSmAz::IsOk][][][][][][][][][][][][][][No applicable Policy found. ][][][][][][][IsOk? No.]

    [03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:1844][CSmAz::IsOk][][][][][][][][][][][][][false][][][][][][][][Leave function CSmAz::IsOk]

    [03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:2327][CSmAz::IsOkGlobal][][][][][][][][][][][][][false][][][][][][][][Leave function CSmAz::IsOkGlobal]

    [03/10/2016][18:27:55.925][18:27:55][1968][4556][Sm_Auth_Message.cpp:101][g_ServerTrace][][][][][][][][][][][][][][][][][][][][Cleaning up][SmSamlDataContext::~SmSamlDataContext: Cleaning up]

    [03/10/2016][18:27:55.925][18:27:55][1968][4556][Sm_Auth_Message.cpp:4268][CSm_Auth_Message::SendReply][][][][][][][][][][][][][][][][][][][][][Enter function CSm_Auth_Message::SendReply]

    [03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthSaml.cpp:920][SmAuthQuery][][][][][][][][][][][][][][][][][][][][][Entering SmAuthSaml SmAuthQuery. lpszParam data follows:]

    [03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthSaml.cpp:924][SmAuthQuery][][][][][][][][][][][][][][][][][][][][][Query Parameter: SAML2:@21-75074494-122e-4c73-985a-08218e96aec5]

    [03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthSaml.cpp:990][SmAuthQuery][][][][][][][][][][][][][][][][][][][][][SAML 2.0 auth scheme param found, returning SAML20 in buffer]

    [03/10/2016][18:27:55.925][18:27:55][1968][4556][Sm_Auth_Message.cpp:4602][CSm_Auth_Message::SendReply][s3/r424][samlidp:siteminder_openam_partnership][][][][samlidp:siteminder_openam_partnership][samlidp:siteminder_openam_partnership][AXA_LDAP][][][][][][][][][][][][][** Status: Not Authenticated. ]

    [03/10/2016][18:27:55.925][18:27:55][1968][4556][Sm_Auth_Message.cpp:4606][CSm_Auth_Message::SendReply][][][][][][][][][][][][][][][][][][][][][Leave function CSm_Auth_Message::SendReply]

    [03/10/2016][18:27:55.925][18:27:55][1968][4556][Sm_Auth_Message.cpp:1840][CSm_Auth_Message::AuthenticateUser][][][][][][][][][][][][][ok][][][][][][][][Leave function CSm_Auth_Message::AuthenticateUser]

    [03/10/2016][18:27:55.925][18:27:55][1968][4556][AgentAuth.cpp:317][CSm_Auth_Message::ProcessAgentMessage][][][][][][][][][][][][][20][][][][][][][][Leave function CSm_Auth_Message::ProcessAgentMessage]


    .............................................................................


    Thanks in advance,

    Debasish Sarkar.



  • 2.  Re: SAML Authentication fails at Service Provider ACS
    Best Answer

    Posted Mar 10, 2016 04:22 PM

    Hi Debasish,


    The assertion was received and validated by the Policy Server. There is more to this than what you have extracted from the PS trace. The snippet above is from after the validation is performed, and usually the issue is within the validation stage.


    Ensure that you have all required components and data selected in the PS trace template. Follow the same thread ID [4556] to find out how the assertion was validated.



  • 3.  Re: SAML Authentication fails at Service Provider ACS

    Posted Mar 16, 2016 06:46 AM

    Hi Wonsa,

    Thank you for the suggestion. I did the workaround as per your suggestion, and could conclude that the Partnership required a certificate to be present, which I did not include the first time. Once included, it solved the problem. I was not sure if it was mandatory.


    Thanks,

    Debasish.



  • 4.  Re: SAML Authentication fails at Service Provider ACS

    Posted Jul 05, 2018 10:51 AM

    Hi Wonsa/Debasish,


    I'm also getting a similar error in the logs. Can you please confirm which certificate you added in the Partnership and specify the location? I could see only one difference between your logs and my logs: AuthReason=50.


    [07/05/2018][10:35:42][28569][140074883225344][16cc970c-8970dbd4-c179b793-31fb0cba-7deaf643-6c83][FWSBase.java][authenticateUser][Passing response message through login call [CHECKPOINT = SSO_RESPONSEMESSAGEINLOGIN_REQ]]
    [07/05/2018][10:35:42][28569][140074883225344][16cc970c-8970dbd4-c179b793-31fb0cba-7deaf643-6c83][FWSBase.java][authenticateUser][result code from AgentAPI login call: 2]
    [07/05/2018][10:35:42][28569][140074883225344][16cc970c-8970dbd4-c179b793-31fb0cba-7deaf643-6c83][FWSBase.java][authenticateUser][Login failure [CHECKPOINT = SSO_LOGINFAILURE_RSP]]
    [07/05/2018][10:35:42][28569][140074883225344][16cc970c-8970dbd4-c179b793-31fb0cba-7deaf643-6c83][FWSBase.java][processFailedAuthentication][SAML Assertion based user authentication failed.]
    [07/05/2018][10:35:42][28569][140074883225344][16cc970c-8970dbd4-c179b793-31fb0cba-7deaf643-6c83][FWSBase.java][processFailedAuthentication][Response Attributes:]
    [07/05/2018][10:35:42][28569][140074883225344][][agentcommon][][Requesting data for ConfigManager ID /opt/CA/secure-proxy/proxy-engine/conf/defaultagent/SmHost.conf and SmAgentConfig ID /opt/CA/secure-proxy/proxy-engine/conf/defaultagent/WebAgent.conf]
    [07/05/2018][10:35:42][28569][140074883225344][][agentcommon][][Administration Manager is returning data for ConfigManager ID /opt/CA/secure-proxy/proxy-engine/conf/defaultagent/SmHost.conf and SmAgentConfig ID /opt/CA/secure-proxy/proxy-engine/conf/defaultagent/WebAgent.conf]
    [07/05/2018][10:35:42][28569][140074883225344][16cc970c-8970dbd4-c179b793-31fb0cba-7deaf643-6c83][AssertionConsumer.java][processSAMLResponse][authenticateUser failed: 1]
    [07/05/2018][10:35:42][28569][140074883225344][16cc970c-8970dbd4-c179b793-31fb0cba-7deaf643-6c83][AssertionConsumer.java][redirectLoginFailure][AuthReason=50]
    [07/05/2018][10:35:42][28569][140074883225344][16cc970c-8970dbd4-c179b793-31fb0cba-7deaf643-6c83][AssertionConsumer.java][redirectLoginFailure][Redirect Mode="0" URL="null"]
    [07/05/2018][10:35:42][28569][140074883225344][16cc970c-8970dbd4-c179b793-31fb0cba-7deaf643-6c83][AssertionConsumer.java][redirectLoginFailure][Ending SAML2 AssertionConsumer Service request processing with HTTP error 500]
    [07/05/2018][10:35:42][28569][140074883225344][16cc970c-8970dbd4-c179b793-31fb0cba-7deaf643-6c83][AssertionConsumer.java][redirectLoginFailure][Transaction with ID: 16cc970c-8970dbd4-c179b793-31fb0cba-7deaf643-6c83 failed. Reason: ACS_FAILED_PROCESS_FAILURE]
    [07/05/2018][10:35:42][28569][140074883225344][][agentcommon][][Requesting data for ConfigManager ID /opt/CA/secure-proxy/proxy-engine/conf/defaultagent/SmHost.conf and SmAgentConfig ID /opt/CA/secure-proxy/proxy-engine/conf/defaultagent/WebAgent.conf]
    [07/05/2018][10:35:42][28569][140074883225344][][agentcommon][][Administration Manager is returning data for ConfigManager ID /opt/CA/secure-proxy/proxy-engine/conf/defaultagent/SmHost.conf and SmAgentConfig ID /opt/CA/secure-proxy/proxy-engine/conf/defaultagent/WebAgent.conf]
    [07/05/2018][10:35:42][28569][140074883225344][][agentcommon][][Requesting data for ConfigManager ID /opt/CA/secure-proxy/proxy-engine/conf/defaultagent/SmHost.conf and SmAgentConfig ID /opt/CA/secure-proxy/proxy-engine/conf/defaultagent/WebAgent.conf]
    [07/05/2018][10:35:42][28569][140074883225344][][agentcommon][][Administration Manager is returning data for ConfigManager ID /opt/CA/secure-proxy/proxy-engine/conf/defaultagent/SmHost.conf and SmAgentConfig ID /opt/CA/secure-proxy/proxy-engine/conf/defaultagent/WebAgent.conf]
    [07/05/2018][10:35:42][28569][140074883225344][16cc970c-8970dbd4-c179b793-31fb0cba-7deaf643-6c83][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]
    [07/05/2018][10:35:42][28569][140074883225344][16cc970c-8970dbd4-c179b793-31fb0cba-7deaf643-6c83][AssertionConsumer.java][doPost][processSAMLResponse TIME: 23ms]


    Thanks

    Rangaswamy
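
The best answer (post 2) says to follow one Policy Server thread ID back into the validation stage, and post 4 compares AuthReason values across two FWSTrace captures. The script below is an added example, not code from this thread or from CA/Symantec: it parses the two bracketed log layouts quoted above, groups FWSTrace lines by transaction id (handling both the 2016 layout and the 2018 layout with date/time/pid/tid prefix fields), extracts the AgentAPI login result, AuthReason and ACS failure reason per transaction, and returns the SMTRACEDEFAULT trail for one thread id up to its "** Status:" verdict. The regexes assume the layouts shown in the thread; the embedded log lines are constructed in those layouts with illustrative ids and messages. Note that the FWS thread number and the Policy Server tid are different id spaces, so the two logs are correlated by timestamp, not by id.

```python
"""Triage helpers for a failed SiteMinder SAML2 ACS transaction (added example).

Parses the FWSTrace.log and SMTRACEDEFAULT.log layouts quoted in the thread.
Regexes assume those bracketed layouts; sample lines below are constructed.
"""
import re
from collections import defaultdict

# FWSTrace.log: optional leading fields (date/time/pid/tid in newer versions), then
# [transaction-id][SourceFile.java][function][message]. Lines from other components
# (e.g. the "agentcommon" lines) carry no .java source and are deliberately skipped.
FWS_RE = re.compile(r"^(?:\[[^\]]*\])*\[([^\]]*)\]\[([^\]]+\.java)\]\[([^\]]*)\]\[(.*)\]$")

# SMTRACEDEFAULT.log: [date][time.ms][time][pid][tid][file:line][function] followed by
# a variable number of bracketed data fields; the last bracketed field is the message.
PS_RE = re.compile(r"^\[[^\]]*\]\[[^\]]*\]\[[^\]]*\]\[(\d+)\]\[(\d+)\]\[([^\]]*)\]\[([^\]]*)\](.*)$")
FIELD_RE = re.compile(r"\[([^\]]*)\]")


def parse_fws(line):
    """Return {txn, src, func, msg} for an FWSTrace line, or None if it does not fit."""
    m = FWS_RE.match(line.strip())
    if not m:
        return None
    txn, src, func, msg = m.groups()
    return {"txn": txn, "src": src, "func": func, "msg": msg}


def parse_ps(line):
    """Return {pid, tid, loc, func, data, msg} for a Policy Server trace line, or None."""
    m = PS_RE.match(line.strip())
    if not m:
        return None
    pid, tid, loc, func, rest = m.groups()
    fields = [f.strip() for f in FIELD_RE.findall(rest)]
    msg = fields[-1] if fields else ""
    data = [f for f in fields[:-1] if f]  # drop the empty [] placeholder columns
    return {"pid": pid, "tid": tid, "loc": loc, "func": func, "data": data, "msg": msg}


def failed_transactions(fws_lines):
    """Group FWSTrace lines by transaction id; summarise those that ended with a
    'Transaction with ID: ... failed. Reason: ...' line."""
    by_txn = defaultdict(dict)
    for line in fws_lines:
        rec = parse_fws(line)
        if rec is None or not rec["txn"]:
            continue
        summary = by_txn[rec["txn"]]
        m = re.search(r"result code from AgentAPI login call: (\d+)", rec["msg"])
        if m:
            summary["login_result"] = int(m.group(1))
        m = re.search(r"AuthReason=(\d+)", rec["msg"])
        if m:
            summary["auth_reason"] = int(m.group(1))
        m = re.search(r"failed\. Reason: (\S+)", rec["msg"])
        if m:
            summary["reason"] = m.group(1)
    return {txn: s for txn, s in by_txn.items() if "reason" in s}


def thread_trail(ps_lines, tid, stop_at_status=True):
    """Trace records for one Policy Server thread id, in order. With stop_at_status the
    trail ends at the first '** Status:' verdict, i.e. it covers the validation stage."""
    trail = []
    for rec in map(parse_ps, ps_lines):
        if rec is None or rec["tid"] != tid:
            continue
        trail.append(rec)
        if stop_at_status and rec["msg"].startswith("** Status:"):
            break
    return trail


def ps_verdict(ps_lines, tid):
    """The '** Status: ...' message for a thread, or None if it never sent a reply."""
    for rec in thread_trail(ps_lines, tid):
        if rec["msg"].startswith("** Status:"):
            return rec["msg"]
    return None


# Constructed sample lines in the thread's layouts; ids and messages are illustrative.
SAMPLE_FWS = [
    "[5152][txn-01][FWSBase.java][authenticateUser][result code from AgentAPI login call: 2]",
    "[5152][txn-01][FWSBase.java][authenticateUser][Login failure [CHECKPOINT = SSO_LOGINFAILURE_RSP]]",
    "[5152][][agentcommon][][Requesting data for ConfigManager ID /opt/CA/conf/SmHost.conf]",
    "[5152][txn-01][AssertionConsumer.java][redirectLoginFailure][AuthReason=50]",
    "[5152][txn-01][AssertionConsumer.java][redirectLoginFailure][Transaction with ID: txn-01 failed. Reason: ACS_FAILED_PROCESS_FAILURE]",
    "[5152][txn-02][AssertionConsumer.java][doPost][processSAMLResponse TIME: 12ms]",
    "[07/05/2018][10:35:42][28569][140074883225344][txn-03][FWSBase.java][authenticateUser][result code from AgentAPI login call: 2]",
    "[07/05/2018][10:35:42][28569][140074883225344][txn-03][AssertionConsumer.java][redirectLoginFailure][AuthReason=0]",
    "[07/05/2018][10:35:42][28569][140074883225344][txn-03][AssertionConsumer.java][redirectLoginFailure][Transaction with ID: txn-03 failed. Reason: ACS_FAILED_PROCESS_FAILURE]",
]
SAMPLE_PS = [
    "[03/10/2016][18:27:55.900][18:27:55][1968][4556][SmAuthSaml.cpp:500][SmAuthenticate][][][][][illustrative: assertion validation step]",
    "[03/10/2016][18:27:55.910][18:27:55][1968][4557][SmAuthSaml.cpp:500][SmAuthenticate][][][][][illustrative: unrelated thread]",
    "[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:1842][CSmAz::IsOk][][][][No applicable Policy found.][][IsOk? No.]",
    "[03/10/2016][18:27:55.925][18:27:55][1968][4556][Sm_Auth_Message.cpp:4602][CSm_Auth_Message::SendReply][s3/r424][samlidp:partnership][][** Status: Not Authenticated.]",
    "[03/10/2016][18:27:55.930][18:27:55][1968][4556][AgentAuth.cpp:317][CSm_Auth_Message::ProcessAgentMessage][][20][][Leave function]",
]

if __name__ == "__main__":
    for txn, summary in failed_transactions(SAMPLE_FWS).items():
        print(txn, summary)
    for rec in thread_trail(SAMPLE_PS, "4556"):
        print(rec["loc"], rec["func"], rec["data"], "->", rec["msg"])
```

Run against real captures by reading each file into a list of lines and passing it in; the value of `thread_trail` is that it cuts off at the "** Status:" reply, so everything it returns is the part of the thread that the answer says to read, rather than the post-validation authorization noise the first post quoted.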