
SAML Authentication fails at Service Provider ACS

Question asked by Dsarkar1987 on Mar 10, 2016
Latest reply on Jul 5, 2018 by rangaswamy.lingutla

Hi team,

Please help me with the below issue:

I configured a SiteMinder federation partnership with OpenAM (acting as IdP). After authenticating at the IdP, the SAML response is posted to the SiteMinder Assertion Consumer URL and fails there with error 500. I am unable to understand the reason behind it. All configurations are done by default and are correct to my knowledge. What settings could possibly be missing here? Below is a snippet from FWSTrace.log, if that will be helpful.

 

[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][SAML2Base.java][getIdentityProviderInfo][Obtained identity provider information from cache for: IDP_OPENAM.]

[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][FWSBase.java][getPartnershipSourceValue][Partnership source value = 3]

[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][getRealmForTarget][Reading the configuration to get the target url [CHECKPOINT = SSOSAML2_READTARGETURL_REQ]]

[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][SAML2Base.java][getRedirectTargetFromCookie][cookie contains target:]

[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][getRealmForTarget][targetURL:http://mysmsp.xyz.com:90/protect/test1.html usingRelayState: false]

[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][getRealmForTarget][Get realm oid for target resource from property [CHECKPOINT = SSOSAML2_REALMOIDFORTARGETFROMPROPERTY_RSP]]

[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][getRealmForTarget][Realm Name: ]

[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][getRealmForTarget][Realm OID: 06-937326a5-b57a-4c4e-b290-64cf4d3d0170]

[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][validateDestination][Using Proxy URL: http://mysmsp.xyz.com:90/affwebservices/public/saml2assertionconsumer]

[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][processSAMLResponse][Credentials: <UserCredentials><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s2c29cb4b501ab7e64d6e00592bad01faadcc58c51"

InResponseTo="_f22fd93e9ee9a1f56c58a395b04f88d431da" Version="2.0" IssueInstant="2016-03-10T12:57:55Z" Destination="http://mysmsp.xyz.com:90/affwebservices/public/saml2assertionconsumer"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">IDP_OPENAM</saml:Issuer><samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

<samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success">

.

.

<SAML ASSERTION>

.

.

.

[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][FWSBase.java][authenticateUser][Passing response message through login call [CHECKPOINT = SSO_RESPONSEMESSAGEINLOGIN_REQ]]

[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][FWSBase.java][authenticateUser][result code from AgentAPI login call: 2]

[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][FWSBase.java][authenticateUser][Login failure [CHECKPOINT = SSO_LOGINFAILURE_RSP]]

[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][FWSBase.java][processFailedAuthentication][SAML Assertion based user authentication failed.]

[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][FWSBase.java][processFailedAuthentication][Response Attributes:]

[5152][][agentcommon][][Requesting data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

[5152][][agentcommon][][Administration Manager is returning data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][processSAMLResponse][authenticateUser failed: 1]

[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][redirectLoginFailure][AuthReason=0]

[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][redirectLoginFailure][Redirect Mode="null" URL="null"]

[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][redirectLoginFailure][Ending SAML2 AssertionConsumer Service request processing with HTTP error 500]

[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][redirectLoginFailure][Transaction with ID: 2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97 failed. Reason: ACS_FAILED_PROCESS_FAILURE]

[5152][][agentcommon][][Requesting data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

[5152][][agentcommon][][Administration Manager is returning data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

[5152][][agentcommon][][Requesting data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

[5152][][agentcommon][][Administration Manager is returning data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]

[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][doPost][processSAMLResponse TIME: 93ms]

[2480][][agentcommon][][The Configuration Management thread is calling doManagement()]

 

....................................................

 

Below is a log snippet from SMTRACEDEFAULT.log, where I see an error relating to the policy check. I have no policy defined for the target resource.

 

[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:1443][CSmAz::IsOk][][][][][][samlidp:siteminder_openam_partnership][samlidp:siteminder_openam_partnership][][][][][][][][][][][][][][Start of user policy analysis for realm.]

[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:1842][CSmAz::IsOk][][][][][][][][][][][][][][No applicable Policy found. ][][][][][][][IsOk? No.]

[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:1844][CSmAz::IsOk][][][][][][][][][][][][][false][][][][][][][][Leave function CSmAz::IsOk]

[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:2291][CSmAz::IsOkGlobal][][][][][][][][][][][][][][][][][][][][][Enter function CSmAz::IsOkGlobal]

[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:2313][CSmAz::IsOkGlobal][][][][][][samlidp:siteminder_openam_partnership][samlidp:siteminder_openam_partnership][][][][][][][][][][][][][][Evaluating OnAuthReject global policies in the realm.]

[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:1405][CSmAz::IsOk][][][][][][][][][][][][][][][][][][][][][Enter function CSmAz::IsOk]

[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:1443][CSmAz::IsOk][][][][][][samlidp:siteminder_openam_partnership][samlidp:siteminder_openam_partnership][][][][][][][][][][][][][][Start of user policy analysis for realm.]

[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:1842][CSmAz::IsOk][][][][][][][][][][][][][][No applicable Policy found. ][][][][][][][IsOk? No.]

[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:1844][CSmAz::IsOk][][][][][][][][][][][][][false][][][][][][][][Leave function CSmAz::IsOk]

[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:2327][CSmAz::IsOkGlobal][][][][][][][][][][][][][false][][][][][][][][Leave function CSmAz::IsOkGlobal]

[03/10/2016][18:27:55.925][18:27:55][1968][4556][Sm_Auth_Message.cpp:101][g_ServerTrace][][][][][][][][][][][][][][][][][][][][Cleaning up][SmSamlDataContext::~SmSamlDataContext: Cleaning up]

[03/10/2016][18:27:55.925][18:27:55][1968][4556][Sm_Auth_Message.cpp:4268][CSm_Auth_Message::SendReply][][][][][][][][][][][][][][][][][][][][][Enter function CSm_Auth_Message::SendReply]

[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthSaml.cpp:920][SmAuthQuery][][][][][][][][][][][][][][][][][][][][][Entering SmAuthSaml SmAuthQuery. lpszParam data follows:]

[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthSaml.cpp:924][SmAuthQuery][][][][][][][][][][][][][][][][][][][][][Query Parameter: SAML2:@21-75074494-122e-4c73-985a-08218e96aec5]

[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthSaml.cpp:990][SmAuthQuery][][][][][][][][][][][][][][][][][][][][][SAML 2.0 auth scheme param found, returning SAML20 in buffer]

[03/10/2016][18:27:55.925][18:27:55][1968][4556][Sm_Auth_Message.cpp:4602][CSm_Auth_Message::SendReply][s3/r424][samlidp:siteminder_openam_partnership][][][][samlidp:siteminder_openam_partnership][samlidp:siteminder_openam_partnership][AXA_LDAP][][][][][][][][][][][][][** Status: Not Authenticated. ]

[03/10/2016][18:27:55.925][18:27:55][1968][4556][Sm_Auth_Message.cpp:4606][CSm_Auth_Message::SendReply][][][][][][][][][][][][][][][][][][][][][Leave function CSm_Auth_Message::SendReply]

[03/10/2016][18:27:55.925][18:27:55][1968][4556][Sm_Auth_Message.cpp:1840][CSm_Auth_Message::AuthenticateUser][][][][][][][][][][][][][ok][][][][][][][][Leave function CSm_Auth_Message::AuthenticateUser]

[03/10/2016][18:27:55.925][18:27:55][1968][4556][AgentAuth.cpp:317][CSm_Auth_Message::ProcessAgentMessage][][][][][][][][][][][][][20][][][][][][][][Leave function CSm_Auth_Message::ProcessAgentMessage]

 

.............................................................................

 

Thanks in advance,

Debasish Sarkar.
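A small triage helper for the two trace formats quoted in the post, added here as an example and not part of the original thread or of CA's own tooling: it parses the bracketed FWSTrace.log fields and the `][`-separated policy server trace fields, then correlates the ACS-side result code, AuthReason and failure reason with the policy server's verdict for the same login. The sample lines are constructed from the snippets above; the dictionary keys and function names are my own.

```python
import re
# FWSTrace.log layout: [thread][transaction id][source file][method][message]
FWS_LINE = re.compile(r"^\[(\d+)\]\[([^\]]*)\]\[([^\]]*)\]\[([^\]]*)\]\[(.*)\]$")

# Constructed sample: the lines from the two snippets above that a triage pass keys on.
FWS_SAMPLE = """\
[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][FWSBase.java][authenticateUser][result code from AgentAPI login call: 2]
[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][redirectLoginFailure][AuthReason=0]
[5152][2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97][AssertionConsumer.java][redirectLoginFailure][Transaction with ID: 2006edc9-f7eaaf8f-5a0d0c2a-e5ea0b87-5b5d5482-f97 failed. Reason: ACS_FAILED_PROCESS_FAILURE]
"""
POLICY_SAMPLE = """\
[03/10/2016][18:27:55.925][18:27:55][1968][4556][SmAuthorization.cpp:1842][CSmAz::IsOk][][][][][][][][][][][][][][No applicable Policy found. ][][][][][][][IsOk? No.]
[03/10/2016][18:27:55.925][18:27:55][1968][4556][Sm_Auth_Message.cpp:4602][CSm_Auth_Message::SendReply][s3/r424][samlidp:siteminder_openam_partnership][][][][samlidp:siteminder_openam_partnership][samlidp:siteminder_openam_partnership][AXA_LDAP][][][][][][][][][][][][][** Status: Not Authenticated. ]
"""

def parse_fws(text):
    """Yield (thread, txid, source, method, message) for each FWSTrace line."""
    for line in text.splitlines():
        m = FWS_LINE.match(line.strip())
        if m:
            yield m.groups()

def parse_policy_trace(text):
    """Policy server trace lines are '][' separated; field 5 is file:line, field 6 the function."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            fields = line[1:-1].split("][")
            if len(fields) > 7:
                yield fields[5], fields[6], [f.strip() for f in fields[7:] if f.strip()]

def triage(fws_text, policy_text):
    """Correlate the ACS-side failure with the policy server's verdict for the same login."""
    report = {"txid": None, "login_result_code": None, "auth_reason": None,
              "failure_reason": None, "policy_server": []}
    for _thread, txid, _src, method, msg in parse_fws(fws_text):
        report["txid"] = txid or report["txid"]
        if method == "authenticateUser" and "AgentAPI login call:" in msg:
            report["login_result_code"] = int(msg.rsplit(":", 1)[1])   # raw code, not interpreted
        elif msg.startswith("AuthReason="):
            report["auth_reason"] = int(msg.split("=", 1)[1])
        elif "failed. Reason:" in msg:
            report["failure_reason"] = msg.rsplit("Reason:", 1)[1].strip()
    for _loc, func, extras in parse_policy_trace(policy_text):
        report["policy_server"] += [(func, e) for e in extras
                                    if "No applicable Policy" in e or e.startswith("** Status:")]
    return report

if __name__ == "__main__":
    print(triage(FWS_SAMPLE, POLICY_SAMPLE))
```

Run against a full pair of trace files, the report shows in one place whether the ACS failed because the policy server returned Not Authenticated (as here) or for a reason local to the federation web services, which is the first thing to settle before touching partnership settings.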
