Hi team,
Please help me with the below issue:
I configured a SiteMinder federation partnership with OpenAM (acting as IDP). After authenticating at the IDP, the SAML response is posted to the SiteMinder assertion consumer URL and fails there with error 500. I am unable to understand the reason behind it. All configuration is done by default and is correct to my knowledge. What settings could possibly be missing here? Below is a snippet from FWSTrace.log, in case it is helpful.
[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][SAML2Base.java][getIdentityProviderInfo][Obtained identity provider information from cache for: IDP_OPENAM.]
[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][FWSBase.java][getPartnershipSourceValue][Partnership source value = 3]
[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][getRealmForTarget][Reading the configuration to get the target url [CHECKPOINT = SSOSAML2_READTARGETURL_REQ]]
[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][SAML2Base.java][getRedirectTargetFromCookie][cookie contains target:]
[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][getRealmForTarget][targetURL:http://mysmsp.xyz.com:90/protect/test1.html usingRelayState: false]
[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][getRealmForTarget][Get realm oid for target resource from property [CHECKPOINT = SSOSAML2_REALMOIDFORTARGETFROMPROPERTY_RSP]]
[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][getRealmForTarget][Realm Name: ]
[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][getRealmForTarget][Realm OID: 06-937326a5-b57a-4c4e-b290-64cf4d3d0170]
[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][validateDestination][Using Proxy URL: http://mysmsp.xyz.com:90/affwebservices/public/saml2assertionconsumer]
[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][processSAMLResponse][Credentials: <UserCredentials><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s2c29cb4b501ab7e64d6e00592bad01faadcc58c51"
InResponseTo="_f22fd93e9ee9a1f56c58a395b04f88d431da" Version="2.0" IssueInstant="2016-03-10T12:57:55Z" Destination="http://mysmsp.xyz.com:90/affwebservices/public/saml2assertionconsumer"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">IDP_OPENAM</saml:Issuer><samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success">
.
.
<SAML ASSERTION>
.
.
.
[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][FWSBase.java][authenticateUser][Passing response message through login call [CHECKPOINT = SSO_RESPONSEMESSAGEINLOGIN_REQ]]
[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][FWSBase.java][authenticateUser][result code from AgentAPI login call: 2]
[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][FWSBase.java][authenticateUser][Login failure [CHECKPOINT = SSO_LOGINFAILURE_RSP]]
[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][FWSBase.java][processFailedAuthentication][SAML Assertion based user authentication failed.]
[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][FWSBase.java][processFailedAuthentication][Response Attributes:]
[5152][][agentcommon][][Requesting data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]
[5152][][agentcommon][][Administration Manager is returning data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]
[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][processSAMLResponse][authenticateUser failed: 1]
[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][redirectLoginFailure][AuthReason=0]
[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][redirectLoginFailure][Redirect Mode="null" URL="null"]
[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][redirectLoginFailure][Ending SAML2 AssertionConsumer Service request processing with HTTP error 500]
[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][redirectLoginFailure][Transaction with ID: 2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97 failed. Reason: ACS_FAILED_PROCESS_FAILURE]
[5152][][agentcommon][][Requesting data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]
[5152][][agentcommon][][Administration Manager is returning data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]
[5152][][agentcommon][][Requesting data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]
[5152][][agentcommon][][Administration Manager is returning data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]
[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]
[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][doPost][processSAMLResponse TIME: 93ms]
[2480][][agentcommon][][The Configuration Management thread is calling doManagement()]
....................................................
Below is a log snippet from SMTRACEDEFAULT.log, where I see an error relating to the policy check. I have no policy defined for the target resource.
[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:1443][CSmAz::IsOk][][][][][][samlidp:siteminder_openam_partnership][samlidp:siteminder_openam_partnership][][][][][][][][][][][][][][Start of user policy analysis for realm.]
[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:1842][CSmAz::IsOk][][][][][][][][][][][][][][No applicable Policy found. ][][][][][][][IsOk? No.]
[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:1844][CSmAz::IsOk][][][][][][][][][][][][][false][][][][][][][][Leave function CSmAz::IsOk]
[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:2291][CSmAz::IsOkGlobal][][][][][][][][][][][][][][][][][][][][][Enter function CSmAz::IsOkGlobal]
[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:2313][CSmAz::IsOkGlobal][][][][][][samlidp:siteminder_openam_partnership][samlidp:siteminder_openam_partnership][][][][][][][][][][][][][][Evaluating OnAuthReject global policies in the realm.]
[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:1405][CSmAz::IsOk][][][][][][][][][][][][][][][][][][][][][Enter function CSmAz::IsOk]
[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:1443][CSmAz::IsOk][][][][][][samlidp:siteminder_openam_partnership][samlidp:siteminder_openam_partnership][][][][][][][][][][][][][][Start of user policy analysis for realm.]
[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:1842][CSmAz::IsOk][][][][][][][][][][][][][][No applicable Policy found. ][][][][][][][IsOk? No.]
[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:1844][CSmAz::IsOk][][][][][][][][][][][][][false][][][][][][][][Leave function CSmAz::IsOk]
[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:2327][CSmAz::IsOkGlobal][][][][][][][][][][][][][false][][][][][][][][Leave function CSmAz::IsOkGlobal]
[03/10/2016][18:27:55.925][18:27:55][1968][4556][Sm_Auth_Message.cpp:101][g_ServerTrace][][][][][][][][][][][][][][][][][][][][Cleaning up][SmSamlDataContext::~SmSamlDataContext: Cleaning up]
[03/10/2016][18:27:55.925][18:27:55][1968][4556][Sm_Auth_Message.cpp:4268][CSm_Auth_Message::SendReply][][][][][][][][][][][][][][][][][][][][][Enter function CSm_Auth_Message::SendReply]
[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthSaml.cpp:920][SmAuthQuery][][][][][][][][][][][][][][][][][][][][][Entering SmAuthSaml SmAuthQuery. lpszParam data follows:]
[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthSaml.cpp:924][SmAuthQuery][][][][][][][][][][][][][][][][][][][][][Query Parameter: SAML2:@21-75074494-122e-4c73-985a-08218e96aec5]
[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthSaml.cpp:990][SmAuthQuery][][][][][][][][][][][][][][][][][][][][][SAML 2.0 auth scheme param found, returning SAML20 in buffer]
[03/10/2016][18:27:55.925][18:27:55][1968][4556][Sm_Auth_Message.cpp:4602][CSm_Auth_Message::SendReply][s3/r424][samlidp:siteminder_openam_partnership][][][][samlidp:siteminder_openam_partnership][samlidp:siteminder_openam_partnership][AXA_LDAP][][][][][][][][][][][][][** Status: Not Authenticated. ]
[03/10/2016][18:27:55.925][18:27:55][1968][4556][Sm_Auth_Message.cpp:4606][CSm_Auth_Message::SendReply][][][][][][][][][][][][][][][][][][][][][Leave function CSm_Auth_Message::SendReply]
[03/10/2016][18:27:55.925][18:27:55][1968][4556][Sm_Auth_Message.cpp:1840][CSm_Auth_Message::AuthenticateUser][][][][][][][][][][][][][ok][][][][][][][][Leave function CSm_Auth_Message::AuthenticateUser]
[03/10/2016][18:27:55.925][18:27:55][1968][4556][AgentAuth.cpp:317][CSm_Auth_Message::ProcessAgentMessage][][][][][][][][][][][][][20][][][][][][][][Leave function CSm_Auth_Message::ProcessAgentMessage]
.............................................................................
Thanks in advance,
Debasish Sarkar.
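Added example (not from the post and not CA/SiteMinder code): a small Python triage script that parses FWSTrace.log records of the shape shown above, groups them by transaction ID and pulls out the fields that matter when the assertion consumer service ends with a 500 (target URL, realm OID, empty realm name, AgentAPI login result code, failure reason, HTTP status). The sample lines are condensed from the post with a shortened transaction ID, and the field names are my own.

```python
import re
from collections import defaultdict
# FWSTrace.log record shape: [thread][txid][file][method][message]. The message
# can itself contain brackets ("[CHECKPOINT = ...]"), so capture it greedily.
FWS_LINE = re.compile(r'^\[(\d+)\]\[([^\]]*)\]\[([^\]]*)\]\[([^\]]*)\]\[(.*)\]$')

# Values worth pulling out of the assertion-consumer failure chain in the post.
FIELDS = {
    "target_url": re.compile(r'targetURL:(\S+)'),
    "realm_oid": re.compile(r'Realm OID: (\S+)'),
    "login_rc": re.compile(r'AgentAPI login call: (\d+)'),
    "http_status": re.compile(r'HTTP error (\d{3})'),
    "reason": re.compile(r'Reason: (\S+)'),
}

def parse_fws(lines):
    """Yield (thread, txid, file, method, message); XML continuation lines are skipped."""
    for line in lines:
        m = FWS_LINE.match(line.rstrip())
        if m:
            yield m.groups()

def triage(lines):
    """Group records by transaction id and return only the failed ACS transactions."""
    tx = defaultdict(lambda: {"checkpoints": []})
    for _thread, txid, _file, _method, msg in parse_fws(lines):
        if not txid:            # agentcommon housekeeping lines carry no txid
            continue
        rec = tx[txid]
        rec["checkpoints"] += re.findall(r'CHECKPOINT = (\w+)', msg)
        if msg.startswith("Realm Name:"):   # empty name = realm resolved by OID only
            rec["realm_name_empty"] = not msg.split(":", 1)[1].strip()
        for key, pat in FIELDS.items():
            hit = pat.search(msg)
            if hit:
                rec[key] = hit.group(1)
    return {t: r for t, r in tx.items()
            if "SSO_LOGINFAILURE_RSP" in r["checkpoints"] or r.get("http_status", "")[:1] == "5"}
# Constructed sample: FWSTrace.log lines condensed from the post (txid shortened).
SAMPLE = """\
[5152][2006edc9-f97][AssertionConsumer.java][getRealmForTarget][targetURL:http://mysmsp.xyz.com:90/protect/test1.html usingRelayState: false]
[5152][2006edc9-f97][AssertionConsumer.java][getRealmForTarget][Realm Name: ]
[5152][2006edc9-f97][AssertionConsumer.java][getRealmForTarget][Realm OID: 06-937326a5-b57a-4c4e-b290-64cf4d3d0170]
[5152][2006edc9-f97][FWSBase.java][authenticateUser][result code from AgentAPI login call: 2]
[5152][2006edc9-f97][FWSBase.java][authenticateUser][Login failure [CHECKPOINT = SSO_LOGINFAILURE_RSP]]
[5152][][agentcommon][][Requesting data for ConfigManager ID C:\\CA\\SmHost.conf]
[5152][2006edc9-f97][AssertionConsumer.java][redirectLoginFailure][Ending SAML2 AssertionConsumer Service request processing with HTTP error 500]
[5152][2006edc9-f97][AssertionConsumer.java][redirectLoginFailure][Transaction with ID: 2006edc9-f97 failed. Reason: ACS_FAILED_PROCESS_FAILURE]
""".splitlines()
```

Running `triage(SAMPLE)` returns one entry keyed by the transaction ID, carrying the empty realm name, login result code 2 and reason ACS_FAILED_PROCESS_FAILURE together, which is the set of facts to take to the policy-server side of the investigation.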