Symantec Access Management

  • 1.  SP Init fails with POST not valid

    Posted Jul 13, 2016 11:39 PM

    Friends,

    We use SiteMinder federation Services for SAML integrations.

    I am trying to set up SP-initiated authentication with Tableau Server. Entities are created, and the partnership is enabled with HTTP-POST binding. When a user accesses the service, they get redirected to the IDP SSO Service via POST.

    Header shows: POST /affwebservices/public/saml2sso HTTP/1.1

    There is no query string. POSTData shows the relaystate and SAMLRequest parameters. Decoding SAMLRequest points to the correct SPID and some other info.

     

    SPS fails with a 403.

    FWS log shows:

     

    [07/14/2016][03:03:56][1184][2593799024][29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b][SSO.java][doPost][SAML2 Single Sign-On Service received POST request.]

    [07/14/2016][03:03:56][1184][2593799024][29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b][FWSBase.java][doRequestLog][Requesting Host: x.x.x.x. Requesting Host IP: x.x.x.x Request protocol: HTTP/1.1 Request was secure: true Authentication type: null]

    [07/14/2016][03:03:56][1184][2593799024][29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b][SSO.java][doPost][POST data: ]

    [07/14/2016][03:03:56][1184][2593799024][29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b][SSO.java][parseMessage][Exception while parsing message.]

    [07/14/2016][03:03:56][1184][2593799024][29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b][SSO.java][doPost][Transaction with ID: 29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b failed. Reason: SAML2_UNSUPPORTED_POST_REQUEST]

    [07/14/2016][03:03:56][1184][2593799024][29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b][SSO.java][doPost][SAML2 Single Sign-On Service does not support POST requests.]

    [07/14/2016][03:03:56][1184][2593799024][29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b][SSO.java][doPost][Ending SAML2 Single Sign-On Service request processing with HTTP error 403]

    [07/14/2016][03:03:56][1184][2593799024][29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 403 ]

    [07/14/2016][03:04:11][1184][2592803696][][CustomPostPageCache][performUpdate][Checking for updates]

    Appreciate it if anyone can throw some light on this.



  • 2.  Re: SP Init fails with POST not valid

    Posted Jul 13, 2016 11:49 PM

    If I try IDP initiated, I get this error:

    [07/14/2016][03:46:25][1184][2594130800][1bd35d17-e3aca029-23a83776-92c651b6-710f58b6-70][SSO.java][processAssertionGeneration][Calling authorizeEx to invoke SAML2 assertion generator.]

    [07/14/2016][03:46:25][1184][2594130800][1bd35d17-e3aca029-23a83776-92c651b6-710f58b6-70][SSO.java][processAssertionGeneration][Result of authorizeEx call is: 2.]

    [07/14/2016][03:46:25][1184][2594130800][1bd35d17-e3aca029-23a83776-92c651b6-710f58b6-70][SSO.java][processAssertionGeneration][Transaction with ID: 1bd35d17-e3aca029-23a83776-92c651b6-710f58b6-70 failed. Reason: FAILED_AUTHEX]

    [07/14/2016][03:46:25][1184][2594130800][1bd35d17-e3aca029-23a83776-92c651b6-710f58b6-70][SSO.java][processAssertionGeneration][Denying request due to authorizeEx call failure.]

    [07/14/2016][03:46:25][1184][2594130800][1bd35d17-e3aca029-23a83776-92c651b6-710f58b6-70][SSO.java][processAssertionGeneration][Sending 500 error]

    [07/14/2016][03:46:25][1184][2594130800][1bd35d17-e3aca029-23a83776-92c651b6-710f58b6-70][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]

     

    Is there a place where I can see what each value of authorizeEx is? In this case it says authorizeEx call is: 2.

     

    Thanks in advance.



  • 3.  Re: SP Init fails with POST not valid

    Posted Jul 14, 2016 06:24 AM

    Hello Sam,

     

    Maybe you can check the policy server traces for the same transaction: 1bd35d17-e3aca029-23a83776-92c651b6-710f58b6-70

     

    > It will give you more information on the failure.

    > Is it a new setup or was it working before?

     

    Hope it helps,

    Julien



  • 4.  Re: SP Init fails with POST not valid

    Broadcom Employee
    Posted Jul 14, 2016 01:55 AM

    Hi,

     

    This is just for your information.

    The document TEC1351614 covers SAML 2.0 HTTP-POST Authentication Binding. While the reason UNSUPPORTED_AUTHN_REQUEST_BINDING does not match your SAML2_UNSUPPORTED_POST_REQUEST, it explains some checkpoints which might help.

     

    Regards,

    Koichi



  • 5.  Re: SP Init fails with POST not valid
    Best Answer

    Posted Jul 21, 2016 12:55 PM

    Thank you. I needed to upgrade to R12.52 to get the HTTP-Redirect option for authentication binding. Thanks everyone.
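
Added example (not part of the original thread and not vendor tooling): a Python sketch that groups FWS trace lines like those quoted in the first two posts by transaction ID and reports each failed transaction's reason, source method and HTTP status, which gives the ID to search for in the policy server traces. The field layout is inferred from the quoted lines, `summarize` is a hypothetical helper name, and the sample lines are copied from the posts above.

```python
import re

# Field layout inferred from the FWS lines quoted in the thread (an assumption):
# [date][time][pid][thread][transaction id][source][method][message]
LINE = re.compile(
    r"^\[([^\]]*)\]\[([^\]]*)\]\[(\d+)\]\[(\d+)\]"
    r"\[([^\]]*)\]\[([^\]]*)\]\[([^\]]*)\]\[(.*)\]\s*$"
)
REASON = re.compile(r"failed\. Reason: (\S+)")
STATUS = re.compile(r"(?i)\berror (\d{3})\b|\b(\d{3}) error\b")

def summarize(lines):
    """Group trace lines by transaction ID; return summaries of failed ones."""
    tx = {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an FWS trace line
        date, time, _pid, _tid, txid, src, method, msg = m.groups()
        if not txid:
            continue  # housekeeping lines carry an empty transaction field
        s = tx.setdefault(txid, {"first_seen": f"{date} {time}", "reason": None,
                                 "where": None, "status": None, "lines": 0})
        s["lines"] += 1
        r = REASON.search(msg)
        if r:  # remember the reason code and the method that logged it
            s["reason"], s["where"] = r.group(1), f"{src}:{method}"
        h = STATUS.search(msg)
        if h:  # HTTP status finally returned to the browser
            s["status"] = int(h.group(1) or h.group(2))
    return {k: v for k, v in tx.items() if v["reason"]}

# Sample input: lines copied from the first two posts in this thread.
SAMPLE = """\
[07/14/2016][03:03:56][1184][2593799024][29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b][SSO.java][doPost][SAML2 Single Sign-On Service received POST request.]
[07/14/2016][03:03:56][1184][2593799024][29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b][SSO.java][doPost][Transaction with ID: 29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b failed. Reason: SAML2_UNSUPPORTED_POST_REQUEST]
[07/14/2016][03:03:56][1184][2593799024][29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 403 ]
[07/14/2016][03:04:11][1184][2592803696][][CustomPostPageCache][performUpdate][Checking for updates]
[07/14/2016][03:46:25][1184][2594130800][1bd35d17-e3aca029-23a83776-92c651b6-710f58b6-70][SSO.java][processAssertionGeneration][Transaction with ID: 1bd35d17-e3aca029-23a83776-92c651b6-710f58b6-70 failed. Reason: FAILED_AUTHEX]
[07/14/2016][03:46:25][1184][2594130800][1bd35d17-e3aca029-23a83776-92c651b6-710f58b6-70][SSO.java][processAssertionGeneration][Sending 500 error]
"""

if __name__ == "__main__":
    for txid, info in summarize(SAMPLE.splitlines()).items():
        print(txid, info["reason"], info["where"], info["status"])
```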