Symantec Access Management


SP initiated SSO Failed

  • 1.  SP initiated SSO Failed

    Posted Jun 29, 2016 01:43 PM

    Hi All,


    Env Details :--

    R12.52 SP01 CR05

     

    IDP initiated SSO with similar setup is working.

While configuring the SP initiated SSO, I am getting the below:

smps.log :--

     

    [1240/3803482992][Wed Jun 29 2016 11:50:32][AssertionGenerator.java][ERROR][sm-FedServer-00080] preProcess() returns fatal error. <Response ID="_52276693bdb30460552d125ccf4370c167e9" InResponseTo="_2CAAAAVYtC6_tME8wMjgwMDAwMDA0Qzk2AAAAyqaGMPLwZ2ngiUymOA3eF0Ug0QaHhYcggnOvgLZqiV239R_cFADAt5XNNyLprXIezN1D_fvsIg-0NDcrxV_rYBaeeuCziSF-KfTa-humqDUVNEu1edvTW8wf02-1JLick-9Eu0N6v-3HO0ZnTNiYwEHmBCIYQ28hXpFwYZPEcfWlG7pbVtLs8cDw80Lyhe-zERjHFZgjtHY0yqF87rc3QfWi1A-7iGjYPhZcgBM3hbxc09VVg3JPhZTDF1qvdpQSgQ" IssueInstant="2016-06-29T15:50:32Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">

        <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">https://test.abs.com</ns1:Issuer>

        <Status>

            <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>

            <StatusMessage>Configuration error.</StatusMessage>

        </Status>

    </Response>

     

     

    [1240/2156575600][Wed Jun 29 2016 11:52:40][AssertionGenerator.java][ERROR][sm-FedServer-00080] preProcess() returns fatal error. <Response ID="_b04185d09a57f527cc6e7eb332fbd1f2c480" InResponseTo="_2CAAAAVYtC6_tME8wMjgwMDAwMDA0Qzk2AAAAyqaGMPLwZ2ngiUymOA3eF0Ug0QaHhYcggnOvgLZqiV239R_cFADAt5XNNyLprXIezN1D_fvsIg-0NDcrxV_rYBaeeuCziSF-KfTa-humqDUVNEu1edvTW8wf02-1JLick-9Eu0N6v-3HO0ZnTNiYwEHmBCIYQ28hXpFwYZPEcfWlG7pbVtLs8cDw80Lyhe-zERjHFZgjtHY0yqF87rc3QfWi1A-7iGjYPhZcgBM3hbxc09VVg3JPhZTDF1qvdpQSgQ" IssueInstant="2016-06-29T15:52:40Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">

        <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">https://test.abs.com</ns1:Issuer>

        <Status>

            <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>

            <StatusMessage>Configuration error.</StatusMessage>

        </Status>

    </Response>


FWSTrace.log :--

    [06/29/2016][11:50:28][21645][782608128][10e1702f-b556c00c-79da3638-0b01daf2-95c29666-a2b][SSO.java][processAssertionGeneration][resolved variable list is: <RVARS><Var name="ConsumerURL" rtype="3"><![CDATA[https://test-dev-ed.my.salesforce.com?so=00D28000001PqjD]]></Var><Var name="FederationAPIVersion" rtype="2"><![CDATA[1]]></Var></RVARS>]

    [06/29/2016][11:50:28][21645][782608128][10e1702f-b556c00c-79da3638-0b01daf2-95c29666-a2b][SSO.java][processAssertionGeneration][Calling authorizeEx to invoke SAML2 assertion generator.]

    [06/29/2016][11:50:28][21645][782608128][10e1702f-b556c00c-79da3638-0b01daf2-95c29666-a2b][SSO.java][processAssertionGeneration][Request to policy server for generating saml2 assertion/artifact based on selected profile. [CHECKPOINT = SSOSAML2_GENERATEASSERTIONORARTIFACT_REQ]]

    [06/29/2016][11:50:28][21645][782608128][10e1702f-b556c00c-79da3638-0b01daf2-95c29666-a2b][SSO.java][processAssertionGeneration][Transient IP check: false]

    [06/29/2016][11:50:32][21645][782608128][10e1702f-b556c00c-79da3638-0b01daf2-95c29666-a2b][SSO.java][processAssertionGeneration][Result of authorizeEx call is: 1.]

    [06/29/2016][11:50:32][21645][782608128][10e1702f-b556c00c-79da3638-0b01daf2-95c29666-a2b][SSO.java][processAssertionGeneration][Received the assertion/artifact response based on profile selected. [CHECKPOINT = SSOSAML2_RECEIVEDASSERTION_RSP]]

    [06/29/2016][11:50:32][21645][782608128][10e1702f-b556c00c-79da3638-0b01daf2-95c29666-a2b][SSO.java][processAssertionGeneration][Not enforcing ForceAuthnTimeouts.]

    [06/29/2016][11:50:32][21645][782608128][10e1702f-b556c00c-79da3638-0b01daf2-95c29666-a2b][SSO.java][processAssertionGeneration][Received the following response from SAML2 assertion generator: SAML2Response=NO.]

    [06/29/2016][11:50:32][21645][782608128][10e1702f-b556c00c-79da3638-0b01daf2-95c29666-a2b][SSO.java][processAssertionGeneration][Transaction with ID: 10e1702f-b556c00c-79da3638-0b01daf2-95c29666-a2b failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]

    [06/29/2016][11:50:32][21645][782608128][10e1702f-b556c00c-79da3638-0b01daf2-95c29666-a2b][SSO.java][processAssertionGeneration][Denying request due to "NO" returned from SAML2 assertion generator.]

    [06/29/2016][11:50:32][21645][782608128][][agentcommon][][Requesting data for ConfigManager ID /apps/CA/webagent_optionpack/config/SmHost.conf and SmAgentConfig ID /apps/CA/webagent_optionpack/config/WebAgent.conf]

    [06/29/2016][11:50:32][21645][782608128][][agentcommon][][Administration Manager is returning data for ConfigManager ID /apps/CA/webagent_optionpack/config/SmHost.conf and SmAgentConfig ID /apps/CA/webagent_optionpack/config/WebAgent.conf]

    [06/29/2016][11:50:32][21645][782608128][][agentcommon][][Requesting data for ConfigManager ID /apps/CA/webagent_optionpack/config/SmHost.conf and SmAgentConfig ID /apps/CA/webagent_optionpack/config/WebAgent.conf]

    [06/29/2016][11:50:32][21645][782608128][][agentcommon][][Administration Manager is returning data for ConfigManager ID /apps/CA/webagent_optionpack/config/SmHost.conf and SmAgentConfig ID /apps/CA/webagent_optionpack/config/WebAgent.conf]

    [06/29/2016][11:50:32][21645][782608128][10e1702f-b556c00c-79da3638-0b01daf2-95c29666-a2b][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]

Affwebservice.log :--

    [21645/781555456][Wed Jun 29 2016 11:49:20][SSO.java][INFO][sm-FedClient-01520] SAML2 Single Sign-On Service has been successfully initialized.

    [21645/782608128][Wed Jun 29 2016 11:50:32][SSO.java][ERROR][sm-FedClient-02890] Transaction with ID: 10e1702f-b556c00c-79da3638-0b01daf2-95c29666-a2b failed. Reason: FAILED_INVALID_RESPONSE_RETURNED (, , )

    [21645/554632960][Wed Jun 29 2016 11:52:40][SSO.java][ERROR][sm-FedClient-02890] Transaction with ID: 216fab0f-29a103e6-5c341130-da0efd1c-42c12571-c5a failed. Reason: FAILED_INVALID_RESPONSE_RETURNED (, , )

Please advise.

Thanks in advance.



  • 2.  Re: SP initiated SSO Failed

    Posted Jun 29, 2016 09:09 PM

    Hi,

     

Based on the following FWSTrace errors, it seems the issue resides at the IDP side during assertion generation.

    Policy server trace log should give more information during the assertion generation. Use the "samlidp_trace.template" to capture policy server trace log.

     

    [06/29/2016][11:50:32][21645][782608128][10e1702f-b556c00c-79da3638-0b01daf2-95c29666-a2b][SSO.java][processAssertionGeneration][Transaction with ID: 10e1702f-b556c00c-79da3638-0b01daf2-95c29666-a2b failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]

    [06/29/2016][11:50:32][21645][782608128][10e1702f-b556c00c-79da3638-0b01daf2-95c29666-a2b][SSO.java][processAssertionGeneration][Denying request due to "NO" returned from SAML2 assertion generator.]

     

Have you applied the JCE patch to Java, restarted the policy server and checked if that makes any difference?

     

    Regards,

    Kar Meng



  • 3.  Re: SP initiated SSO Failed

    Posted Jul 01, 2016 02:53 AM

Hi Kar Meng,

 

Yes, JCE is already patched on the system. IDP initiated SSO is working on the same setup.

 

From the Policy Server trace, I came to know that the certificate from the SP is having trouble, as SiteMinder is appending a "forward slash" in names separated by commas, which is causing the issue.

     

    Thanks,

    Ankush



  • 4.  Re: SP initiated SSO Failed

    Posted Jul 04, 2016 03:51 AM

    Hi Ankush,

     

    Can you share the portion of smps trace log that mentioned the "forward slash"?

     

    Regards,

    Kar Meng



  • 5.  Re: SP initiated SSO Failed

    Posted Jul 06, 2016 01:16 AM

Hi Kar,

 

The log doesn't state that there is a forward slash in front of the comma. I tested SP initiated SSO with a certificate whose Issuer DN does not contain special characters such as commas.

Please find the error from the smtrace log below:

     

    ][13786][2753964912][AuthnRequestProtocol.java][verifySignatureOnRequest][216fab0f-29a103e6-5c341130-da12b787-45fa9a4f-85a][][][][][][][][][][][][][][][][][][][][Certificate not found for issuer DN: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US serial number: 4382b137b13768018fd6ba70426ea067]

     

     

    Thanks,

    Ankush



  • 6.  Re: SP initiated SSO Failed

    Posted Jul 06, 2016 09:19 AM

    Hi Ankush,

Thanks for your update. I remember there is a limitation on special characters (i.e. the comma) used in the certificate DN. Please try what Sharan mentioned above to see if that workaround works for you.

     

    Regards,

    Kar Meng



  • 7.  Re: SP initiated SSO Failed

    Posted Jun 30, 2016 06:26 AM

    Hi Ankush,

     

Also check the points below.

1) Did you select the option below under the partnership to allow both IDP- and SP-initiated transactions?

Transactions Allowed: ALLOW_BOTH

2) Could you please check what the error in the smtrace logs is at the same time? It will have more details on the error message.

3) Are you using signature processing? If it is enabled, did you check that a certificate is selected for verifying the signature of the AuthnRequest?

4) Did you try disabling signature processing and accessing an SP-initiated transaction?

     

    Thanks,

    Sharan



  • 8.  Re: SP initiated SSO Failed

    Posted Jul 01, 2016 02:55 AM

    Thanks Sharan,

     

    I have already checked all points highlighted by you and they look good.

     

    Thanks,

    Ankush



  • 9.  Re: SP initiated SSO Failed
    Best Answer

    Posted Jul 04, 2016 03:02 PM

    Hi Ankush,

     

Below is the error from the smtrace logs when the policy server is trying to validate the Authn request.

    [06/29/2016][11:50:29.041][11:50:29][1240][3803482992][AssertionHandlerSAML20.java][preProcess][10e1702f-b556c00c-79da3638-0b01daf2-95c29666-a2b][][][][][][][][][][][][][][][][][][][][Start to validate the SAML2.0 Authn request.]
    [06/29/2016][11:50:29.041][11:50:29][1240][3803482992][AuthnRequestProtocol.java][validateRequest][10e1702f-b556c00c-79da3638-0b01daf2-95c29666-a2b][][][][][][][][][][][][][][][][][][][][Validating the Request...All the properties:
    ....
    ....
    ....
    [06/29/2016][11:50:32.085][11:50:32][1240][3803482992][AuthnRequestProtocol.java][verifySignatureOnRequest][10e1702f-b556c00c-79da3638-0b01daf2-95c29666-a2b][][][][][][][][][][][][][][][][][][][][Certificate not found for issuer DN: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US serial number: xxxxxxxxxxxxxxxxx]
    [06/29/2016][11:50:32.117][11:50:32][1240][3803482992][AssertionGenerator.java][invoke][10e1702f-b556c00c-79da3638-0b01daf2-95c29666-a2b][][][][][][][][][][][][][][][][][][][][AssertionHandler preProcess() failed. Leaving AssertionGenerator.]

     

The issue is that signature verification of the Authn request is failing due to "," in the issuerDN (smkeydatabase uses "/" as the escape character for special characters like the comma).

    issuer DN: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

     

Please find the workaround below.

1. Disable the partnership which is using the certificate.
2. Check the "Disable Signature Processing" checkbox.
3. Save the partnership.
4. Launch XPSExplorer, navigate to the CDS Certs section (option 3), select the appropriate certificate, and copy the Issuer DN exactly (you do not need the leading and trailing quotation marks ["]).
5. Navigate to the Fed Certs (option 27), select the appropriate certificate, modify its IssuerDN, and paste the copied Issuer DN in.
6. Save, and quit out.
7. Modify the partnership, and uncheck the "Disable Signature Processing" box.
8. Re-enable the partnership.

     

    Note: Please make sure that the FED cert object matches the issuer DN of the CDS object.

     

    Thanks,

    Sharan
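
As an added example (not CA/Symantec code and not from any poster in this thread), the Python below does the check behind step 5 and the note above: it compares the Fed cert object's IssuerDN with the CDS object's Issuer DN by parsed RDNs rather than as raw strings, so the "/"-escaped comma the answer attributes to smkeydatabase, a quoted value and an RFC 4514 backslash escape all compare equal. The CDS form of the DN is the one quoted in the smtrace line above; the "/"-escaped form is constructed on the assumption that this is how the comma is stored, and `issuer_from_trace` is a helper for pulling the DN out of a "Certificate not found" trace line.

```python
import re

# Constructed sample: the CDS form is the issuer DN quoted in the smtrace
# line above; the "/"-escaped form is an ASSUMED rendering of the same DN
# as the thread says smkeydatabase stores it (comma escaped with "/").
CDS_ISSUER_DN = ('CN=VeriSign Class 3 International Server CA - G3, '
                 'OU=Terms of use at https://www.verisign.com/rpa (c)10, '
                 'OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US')
FED_ISSUER_DN = ('CN=VeriSign Class 3 International Server CA - G3,'
                 'OU=Terms of use at https://www.verisign.com/rpa (c)10,'
                 'OU=VeriSign Trust Network,O=VeriSign/, Inc.,C=US')

TRACE_RE = re.compile(r'Certificate not found for issuer DN: (?P<dn>.*?) '
                      r'serial number: (?P<serial>[0-9a-fA-Fx]+)')


def parse_dn(dn):
    """Split a DN into (ATTR, value) pairs. A comma inside a value is kept
    when it is double-quoted, backslash-escaped (RFC 4514) or "/"-escaped
    (the smkeydatabase form described in the thread)."""
    rdns, attr, buf, in_quotes, i = [], None, [], False, 0
    while i < len(dn):
        c = dn[i]
        if c == '"':
            in_quotes = not in_quotes          # quotes delimit, not part of value
        elif c in '\\/' and dn[i + 1:i + 2] == ',':
            buf.append(',')                     # escaped comma stays in the value
            i += 1
        elif c == ',' and not in_quotes:
            if attr is not None:
                rdns.append((attr.strip().upper(), ''.join(buf).strip()))
            attr, buf = None, []
        elif c == '=' and attr is None:
            attr, buf = ''.join(buf), []        # first "=" ends the attribute name
        else:
            buf.append(c)
        i += 1
    if attr is not None:
        rdns.append((attr.strip().upper(), ''.join(buf).strip()))
    return rdns


def dns_match(dn_a, dn_b):
    """True when both strings denote the same DN, whatever the escaping."""
    return parse_dn(dn_a) == parse_dn(dn_b)


def issuer_from_trace(line):
    """Pull (issuer DN, serial) out of a 'Certificate not found' trace line."""
    m = TRACE_RE.search(line)
    return (m.group('dn'), m.group('serial')) if m else None
```

A raw string compare of the two forms fails while `dns_match` succeeds, which is exactly the mismatch the workaround above repairs by hand.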



  • 10.  Re: SP initiated SSO Failed

    Posted Dec 07, 2018 10:27 AM

Hi Sharan,

 

When I faced a similar issue I saw your reply and found out we need to use a verification signature certificate. When I used a verification signature certificate in the partnership, the above errors related to issuerDN and serial number went away. Now I am facing the errors below; I hope you are able to help me with this.

     

    [12/05/2018][07:29:01][16835][13][AuthnRequestProtocol.java][verifySignatureOnRequest][][][][Signature did not verify.][][][][1595c462-cda45141-8d122478-89b90674-21a1cdba-95][][][][]

    [12/05/2018][07:29:01][16835][13][AssertionGenerator.java][invoke][][][][AssertionHandler preProcess() failed. Leaving AssertionGenerator.][][][][1595c462-cda45141-8d122478-89b90674-21a1cdba-95][][][][]

     

Thanks and regards,

Balakrishna



  • 11.  Re: SP initiated SSO Failed

    Posted Oct 09, 2017 08:02 AM

    Hi,

     

I am facing the same issue. Please note that with the same setup/certificate, it is working in one environment and NOT working in another environment.

     

I compared the certificate in CDS and the FED certificate in both environments; they look good.

 

What could be the reason?

 

Error in smtracedefault.log:

     

    Certificate not found for issuer DN: CN=AffirmTrust Certificate Authority - OV1,OU=See www.affirmtrust.com/repository,O=AffirmTrust,C=CA serial number: c01d763499b31ddb00000000580810bc]

     

    Regards

    Rikash