Symantec Access Management

Tech Tip : CA Single Sign-On : Federation Manager :: Delegated Authentication Status : Session Timeout and Redirection to the Delegated Authentication Page

  • 1.  Tech Tip : CA Single Sign-On : Federation Manager :: Delegated Authentication Status : Session Timeout and Redirection to the Delegated Authentication Page

    Broadcom Employee
    Posted Dec 01, 2016 04:21 AM

    Issue:

     

    I run Federation Manager Services, and once the session times out on the SP side, users are not getting redirected to the login page and as such, they get error 500 in the browser.
    Environment:
    Federation Manager 12.52
    Cause:

     

    You should run Federation Manager 12.52 at least, and configure properly
    the "Track Delegated Authentication Status" to get the user back to the login page.
    Resolution:

     

    You need to upgrade Federation Manager 12.52 :

     

    By the AdminUI online help:

     

        Federation Partnerships Reference:
        SSO and SLO Dialog (SAML 2.0 IdP):
        Authentication (SAML 2.0 IdP)

     

        Track Delegated Authentication Status

     

        Tracks whether delegated authentication is successful.
        If delegated authentication fails, this setting determines the behavior of the federation system.
        By default, this check box is selected. If a user does not provide credentials when accessing a protected resource configured for delegated authentication, delegated authentication fails. If that user tries accessing the resource again in the same browser session, the browser displays a 404 error and the federation system writes an error message to the affwebservices.log and the FWSTrace.log files. The error message indicates that the credentials for delegated authentication are missing. The federation system does not redirect the user back to the delegated authentication URL to provide credentials.

     

        To have the federation system redirect the user back to the delegated authentication URL in the same browser session, clear this check box. By disabling tracking, a user can try accessing the resource again in the same browser session without receiving a 404 error. Instead, the federation system redirects the browser to the delegated authentication URL. where the user is prompted again for credentials.

     

        (Help for Partnership Federation and Federation
        Standalone for 12.52)

     

    You might also consider to configure the ACO on the SP side :

     

      ServerErrorFile

     

    to handle any other error in a browser, and show a user friendly message.

     

    KB : TEC1446194