Symantec Access Management


OpenID Connect Provider authentication loop

  • 1.  OpenID Connect Provider authentication loop

    Broadcom Employee
    Posted Mar 20, 2018 10:07 AM

    I'm trying to do the (almost) same thing as CA SSO OpenID Connect Provider - with Apache OpenID Client 

     

    Differences are:

     - all running on Linux

     - no dumpvars.bat equivalent prepared yet

     - using html form auth scheme

     

    When I accessed the example page on apache httpd with mod_auth_openidc, authentication screen appeared as expected (as a result of accessing /affwebservices/secure/secureredirect on AG).

    But even if I put right username/password, the authentication screen appeared again.

    Here's the snippet of the sequence.

     

    /affwebservices/CASSO/oidc/authorize
    /affwebservices/secure/secureredirect
    /siteminderagent/forms/login.fcc
    /affwebservices/secure/secureredirect
    /affwebservices/CASSO/oidc/authorize
    /affwebservices/secure/secureredirect
    /siteminderagent/forms/login.fcc

     

    This means that the looping happened at the OP side.

     

    What might cause authentication looping?

     

    Other things I should mention are:

     - SSL enabled with self signed certificate at httpd

     - session store enabled

     - only /affwebservices/secure/secureredirect was protected by domain

     

    Any comments are appreciated.

     

    Thanks,

    Yoshio




  • 2.  Re: OpenID Connect Provider authentication loop

    Posted Mar 20, 2018 10:20 AM

    yoshio.katayama

     

    It seems like the Policy Server is not generating the Authorization Code.

     

    We need to check the smtracedefault.log on the Policy Server to see why the Policy Server is not generating the AzCode; instead, the Policy Server thinks you are not authorized to access, hence it redirects you back to the AuthenticationURL.

     

    1. User Directory Name in OIDC Object VS Policy Domain.

    2. Protection Level in OIDC Object VS Policy Domain.

    3. Missing SMSESSION Cookie.

     

    Based on the redirects, it seems like the product thinks it is missing the SMSESSION Cookie. Hence secureredirect loops you back to the login page again.



  • 3.  Re: OpenID Connect Provider authentication loop

    Broadcom Employee
    Posted Mar 20, 2018 10:52 AM

    Hi Hubert,

    Thanks for your comments.

    smtracedefault.log uploaded.

    The authentication steps happened around the timestamp 13:37:51 using username allmi01.



  • 4.  Re: OpenID Connect Provider authentication loop

    Posted Mar 20, 2018 10:58 AM

    Yoshio yoshio.katayama

     

    Could we also have the corresponding FWSTrace.log?



  • 5.  Re: OpenID Connect Provider authentication loop

    Posted Mar 20, 2018 11:12 AM

    Yoshio yoshio.katayama

     

    We have 8 occurrences of "Failed to locate the user in input user directory" in smtracedefault.log. Therefore AzCode is never generated. It is failing at the OIDC configuration object in WAMUI / Policy Store. Please recheck user policy configurations and user directory object.

     

    Also please check Cookie Domain / SecureCookie etc., because I have a feeling that even if we resolve the "Failed to locate User", we may hit Cookie issues. This is based on the looping in your browser trace.


    Snippets from trace
    [03/20/2018][13:37:51.592][13:37:51][12570][140275372091136][AgentAuth.cpp:91][CSm_Auth_Message::ProcessAgentMessage][s155/r144][oidcp:oidctest1][][][][][][][][][][][][][][][][][][][** Received request from agent]
    [03/20/2018][13:37:51.592][13:37:51][12570][140275372091136][AgentAuth.cpp:330][CSm_Auth_Message::AnalyzeAgentAuthMessage][][][][][][][][][][][][][][][][][][][][][Enter function CSm_Auth_Message::AnalyzeAgentAuthMessage]
    [03/20/2018][13:37:51.592][13:37:51][12570][140275372091136][AgentAuth.cpp:396][CSm_Auth_Message::AnalyzeAgentAuthMessage][][][][][][][][][][][][][true][][][][][][][][Leave function CSm_Auth_Message::AnalyzeAgentAuthMessage]
    [03/20/2018][13:37:51.592][13:37:51][12570][140275372091136][Sm_Auth_Message.cpp:2740][CSm_Auth_Message::ValidateUser][][][][][][][][][][][][][][][][][][][][][Enter function CSm_Auth_Message::ValidateUser]
    [03/20/2018][13:37:51.592][13:37:51][12570][140275372091136][Sm_Auth_Message.cpp:2752][CSm_Auth_Message::ValidateUser][][][][][][][][][][][][][][][][][][][][][SessionAssurance is not enabled.]
    [03/20/2018][13:37:51.592][13:37:51][12570][140275372091136][LdapStore.cpp:376][Lock_LdapHandle][][][][][][][][][][][][][][][][][][][][][Lock LDAP handle. slot=0 ld=0x<NAN>]
    [03/20/2018][13:37:51.592][13:37:51][12570][140275372091136][LdapStore.cpp:1559][QueryObject][][][][][][][][][][][][][][][][][][][][][Querying for object 'smSessionId=JtKzIVCPNsUfQkgv26MW7UzJvVw\=,dc=baby,dc=metal', (filter:" <n/a> ")]
    [03/20/2018][13:37:51.592][13:37:51][12570][140275372091136][Sm_Auth_Message.cpp:2042][CSm_Auth_Message::LookUpUserInDir][][][][][][][][][][][][][][][][][][][][][Enter function CSm_Auth_Message::LookUpUserInDir]
    [03/20/2018][13:37:51.592][13:37:51][12570][140275372091136][Sm_Auth_Message.cpp:2140][CSm_Auth_Message::LookUpUserInDir][][][][][][][][][][][][][][][][][][][][][Processing Local Identity Mappings for Auth-Validate processing]
    [03/20/2018][13:37:51.592][13:37:51][12570][140275372091136][Sm_Auth_Message.cpp:5431][CSm_Auth_Message::ProcessRealm][][][][][][][][][][][][][][][][][][][][][Enter function CSm_Auth_Message::ProcessRealm]
    [03/20/2018][13:37:51.592][13:37:51][12570][140275372091136][SmAzMapping.cpp:2752][CSmAzMapping::SmLocateValidationUser][][][][][][][][][][][][][][][][][][][][][Enter function CSmAzMapping::SmLocateValidationUser]
    [03/20/2018][13:37:51.592][13:37:51][12570][140275372091136][SmAzMapping.cpp:2771][CSmAzMapping::SmLocateValidationUser][][][][][][][][][][][][][][][][][][][][][Realm Validation Mapping optimized]
    [03/20/2018][13:37:51.592][13:37:51][12570][140275372091136][SmAzMapping.cpp:2773][CSmAzMapping::SmLocateValidationUser][][][][][][][][][][][][][-1][][][][][][][][Leave function CSmAzMapping::SmLocateValidationUser]
    [03/20/2018][13:37:51.592][13:37:51][12570][140275372091136][Sm_Auth_Message.cpp:5449][CSm_Auth_Message::ProcessRealm][][][][][][][][][][][][][ ][][][][][][][][Leave function CSm_Auth_Message::ProcessRealm]
    [03/20/2018][13:37:51.592][13:37:51][12570][140275372091136][Sm_Auth_Message.cpp:2150][CSm_Auth_Message::LookUpUserInDir][][][][][][][][][][][][][][][][][][][][][No Local Identity Mappings apply.]
    [03/20/2018][13:37:51.592][13:37:51][12570][140275372091136][Sm_Auth_Message.cpp:2154][CSm_Auth_Message::LookUpUserInDir][][][][][][][][][][][][][][][][][][][][][Processing Global Identity Mappings for Auth-Validate processing]
    [03/20/2018][13:37:51.592][13:37:51][12570][140275372091136][Sm_Auth_Message.cpp:5431][CSm_Auth_Message::ProcessRealm][][][][][][][][][][][][][][][][][][][][][Enter function CSm_Auth_Message::ProcessRealm]
    [03/20/2018][13:37:51.592][13:37:51][12570][140275372091136][SmAzMapping.cpp:2752][CSmAzMapping::SmLocateValidationUser][][][][][][][][][][][][][][][][][][][][][Enter function CSmAzMapping::SmLocateValidationUser]
    [03/20/2018][13:37:51.592][13:37:51][12570][140275372091136][SmAzMapping.cpp:2771][CSmAzMapping::SmLocateValidationUser][][][][][][][][][][][][][][][][][][][][][Global Realm Validation Mapping optimized]
    [03/20/2018][13:37:51.592][13:37:51][12570][140275372091136][SmAzMapping.cpp:2773][CSmAzMapping::SmLocateValidationUser][][][][][][][][][][][][][-1][][][][][][][][Leave function CSmAzMapping::SmLocateValidationUser]
    [03/20/2018][13:37:51.592][13:37:51][12570][140275372091136][Sm_Auth_Message.cpp:5449][CSm_Auth_Message::ProcessRealm][][][][][][][][][][][][][ ][][][][][][][][Leave function CSm_Auth_Message::ProcessRealm]
    [03/20/2018][13:37:51.592][13:37:51][12570][140275372091136][Sm_Auth_Message.cpp:2163][CSm_Auth_Message::LookUpUserInDir][][][][][][][][][][][][][][][][][][][][][No Global Identity Mappings apply.]
    [03/20/2018][13:37:51.592][13:37:51][12570][140275372091136][SmDsLdapProvider.cpp:1518][CSmDsLdapProvider::InitDir][][][][][][][][][][][][][][][ip-10-160-128-181.ap-northeast-1.compute.internal][25389][][][][][Using LDAP server bank #1]
    [03/20/2018][13:37:51.592][13:37:51][12570][140275372091136][SmDsLdapProvider.cpp:1861][CSmDsLdapProvider::Search][][][][][][][][][][][][][][][][][][][Search request DN, 'uid=allmi01,ou=users,ou=northamerica,dc=ForwardInc,dc=ca', is out of the User Directory's search root scope (Directory Root DN: '')][][Ldap search DN is out of the Directory's base DN scope.]
    [03/20/2018][13:37:51.592][13:37:51][12570][140275372091136][Sm_Auth_Message.cpp:2301][CSm_Auth_Message::LookUpUserInDir][][][][][][][][][][][][][][][][][][][][][Failed to locate user 'uid=allmi01,ou=users,ou=northamerica,dc=ForwardInc,dc=ca' in user directory 'ForwardInc']
    [03/20/2018][13:37:51.593][13:37:51][12570][140275372091136][Sm_Auth_Message.cpp:2574][CSm_Auth_Message::LookUpUserInDir][][][][][][][][][][][][][Failed to locate the user in input user directory][][][][][][][][Leave function CSm_Auth_Message::LookUpUserInDir]
    [03/20/2018][13:37:51.593][13:37:51][12570][140275372091136][SmAuthorization.cpp:1414][CSmAz::IsOk][][][][][][][][][][][][][][][][][][][][][Enter function CSmAz::IsOk]
    [03/20/2018][13:37:51.593][13:37:51][12570][140275372091136][SmAuthorization.cpp:1453][CSmAz::IsOk][][][][allmi01][][oidcp:oidctest1_az][oidcp:oidctest1][][][][][][][][][][][][][][Start of user policy analysis for realm.]
    [03/20/2018][13:37:51.593][13:37:51][12570][140275372091136][SmAuthorization.cpp:1854][CSmAz::IsOk][][][][][][][][][][][][][][No applicable Policy found. ][][][][][][][IsOk? No.]
    [03/20/2018][13:37:51.593][13:37:51][12570][140275372091136][SmAuthorization.cpp:1856][CSmAz::IsOk][][][][][][][][][][][][][false][][][][][][][][Leave function CSmAz::IsOk]
    [03/20/2018][13:37:51.593][13:37:51][12570][140275372091136][SmAuthorization.cpp:2303][CSmAz::IsOkGlobal][][][][][][][][][][][][][][][][][][][][][Enter function CSmAz::IsOkGlobal]
    [03/20/2018][13:37:51.593][13:37:51][12570][140275372091136][SmAuthorization.cpp:2325][CSmAz::IsOkGlobal][][][][allmi01][][oidcp:oidctest1_az][oidcp:oidctest1][][][][][][][][][][][][][][Evaluating OnAuthUserNotFound global policies in the realm.]
    [03/20/2018][13:37:51.593][13:37:51][12570][140275372091136][SmAuthorization.cpp:1414][CSmAz::IsOk][][][][][][][][][][][][][][][][][][][][][Enter function CSmAz::IsOk]
    [03/20/2018][13:37:51.593][13:37:51][12570][140275372091136][SmAuthorization.cpp:1453][CSmAz::IsOk][][][][allmi01][][oidcp:oidctest1_az][oidcp:oidctest1][][][][][][][][][][][][][][Start of user policy analysis for realm.]
    [03/20/2018][13:37:51.593][13:37:51][12570][140275372091136][SmAuthorization.cpp:1854][CSmAz::IsOk][][][][][][][][][][][][][][No applicable Policy found. ][][][][][][][IsOk? No.]
    [03/20/2018][13:37:51.593][13:37:51][12570][140275372091136][SmAuthorization.cpp:1856][CSmAz::IsOk][][][][][][][][][][][][][false][][][][][][][][Leave function CSmAz::IsOk]
    [03/20/2018][13:37:51.593][13:37:51][12570][140275372091136][SmAuthorization.cpp:2339][CSmAz::IsOkGlobal][][][][][][][][][][][][][0][][][][][][][][Leave function CSmAz::IsOkGlobal]
    [03/20/2018][13:37:51.593][13:37:51][12570][140275372091136][Sm_Auth_Message.cpp:4530][CSm_Auth_Message::SendReply][][][][][][][][][][][][][][][][][][][][][Enter function CSm_Auth_Message::SendReply]
    [03/20/2018][13:37:51.593][13:37:51][12570][140275372091136][SmAuthAnon.cpp:44][SmAuthQuery][][][][][][][][][][][][][][][][][][][][][Enter function SmAuthQuery]
    [03/20/2018][13:37:51.593][13:37:51][12570][140275372091136][SmAuthAnon.cpp:63][SmAuthQuery][][][][][][][][][][][][][Sm_AuthApi_Success][][][][][][][][Leave function SmAuthQuery]
    [03/20/2018][13:37:51.593][13:37:51][12570][140275372091136][Sm_Auth_Message.cpp:5403][CSm_Auth_Message::FormatAttribute][s155/r144][oidcp:oidctest1][][allmi01][][oidcp:oidctest1_az][oidcp:oidctest1][ForwardInc][][][][][][][][][][][][........][Send response attribute 212, data size is 8]
    [03/20/2018][13:37:51.593][13:37:51][12570][140275372091136][Sm_Auth_Message.cpp:5403][CSm_Auth_Message::FormatAttribute][s155/r144][oidcp:oidctest1][][allmi01][][oidcp:oidctest1_az][oidcp:oidctest1][ForwardInc][][][][][][][][][][][][Failed to locate the user in input user directory][Send response attribute 158, data size is 49]
    [03/20/2018][13:37:51.593][13:37:51][12570][140275372091136][Sm_Auth_Message.cpp:4900][CSm_Auth_Message::SendReply][s155/r144][oidcp:oidctest1][][allmi01][][oidcp:oidctest1_az][oidcp:oidctest1][ForwardInc][][][][][][][][][][][][][** Status: Not Validated. Failed to locate the user in input user directory]
    [03/20/2018][13:37:51.593][13:37:51][12570][140275372091136][Sm_Auth_Message.cpp:4904][CSm_Auth_Message::SendReply][][][][][][][][][][][][][][][][][][][][][Leave function CSm_Auth_Message::SendReply]


    Regards

    Hubert



  • 6.  Re: OpenID Connect Provider authentication loop

    Broadcom Employee
    Posted Mar 20, 2018 08:10 PM

    Thanks for pointing that out.

     

    I forgot to set the root path to the directory.

    Adding the root path solved my issue.
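    As an added illustration of the trace check Hubert describes above and the empty root DN that turned out to be the cause, here is a small parser for the bracketed smtracedefault.log layout quoted in this thread. It is not code from the thread or from the product; the sample lines are constructed in the same layout (the user DN, directory name and timestamps are made up), and it counts the "Not Validated" replies and flags any LDAP search rejected because the user directory's Root DN is empty.

```python
import re

# Constructed sample lines in the bracketed smtracedefault.log layout quoted in
# this thread (the last bracketed field is the message); not a real capture.
SAMPLE_TRACE = """\
[03/20/2018][13:37:51.592][13:37:51][12570][140275372091136][SmDsLdapProvider.cpp:1861][CSmDsLdapProvider::Search][][Search request DN, 'uid=allmi01,ou=users,dc=example,dc=com', is out of the User Directory's search root scope (Directory Root DN: '')][][Ldap search DN is out of the Directory's base DN scope.]
[03/20/2018][13:37:51.593][13:37:51][12570][140275372091136][Sm_Auth_Message.cpp:4900][CSm_Auth_Message::SendReply][s155/r144][oidcp:oidctest1][allmi01][** Status: Not Validated. Failed to locate the user in input user directory]
[03/20/2018][13:37:55.010][13:37:55][12570][140275372091136][Sm_Auth_Message.cpp:4900][CSm_Auth_Message::SendReply][s155/r145][oidcp:oidctest1][allmi01][** Status: Not Validated. Failed to locate the user in input user directory]
[03/20/2018][13:38:01.200][13:38:01][12570][140275372091136][SmAuthorization.cpp:1453][CSmAz::IsOk][][allmi01][Start of user policy analysis for realm.]
"""

USER_NOT_FOUND = "Failed to locate the user in input user directory"
ROOT_DN_RE = re.compile(r"Directory Root DN: '([^']*)'")


def parse_line(line):
    """Split one bracketed trace line into its fields; None if it is not one."""
    line = line.strip()
    if not (line.startswith("[") and line.endswith("]")):
        return None
    fields = line[1:-1].split("][")
    if len(fields) < 8:
        return None
    return {"date": fields[0], "time": fields[1], "source": fields[5],
            "function": fields[6], "fields": fields, "message": fields[-1]}


def diagnose(trace_text):
    """Count 'user not found' status replies and flag an empty search root DN."""
    report = {"user_not_found": 0, "empty_root_dn": [], "status_times": []}
    for rec in filter(None, map(parse_line, trace_text.splitlines())):
        if USER_NOT_FOUND in rec["message"] and "** Status" in rec["message"]:
            report["user_not_found"] += 1
            report["status_times"].append(rec["time"])
        for field in rec["fields"]:
            m = ROOT_DN_RE.search(field)
            if m and m.group(1) == "":
                # An empty Root DN puts every search DN out of scope, so no
                # user is ever located: the misconfiguration this thread ended on.
                report["empty_root_dn"].append((rec["time"], rec["function"]))
    return report


if __name__ == "__main__":
    r = diagnose(SAMPLE_TRACE)
    print(f"Not Validated / user not found replies: {r['user_not_found']}")
    for when, func in r["empty_root_dn"]:
        print(f"{when} {func}: user directory has an empty Root DN (search root not set)")
```

Point it at a real smtracedefault.log (read the file into `diagnose`) to get the same two numbers Hubert pulled out by hand: how many requests ended "Not Validated" and whether the LDAP search root was the reason.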



  • 7.  Re: OpenID Connect Provider authentication loop

    Posted Mar 20, 2018 12:04 PM

    I am also having a similar issue now after SSL was enabled on the Access Gateway.



  • 8.  Re: OpenID Connect Provider authentication loop

    Posted Mar 20, 2018 12:42 PM

    sgangaraboina

     

    We need to be more specific. You may not be hitting the same issue but just the visual representation may be looking the same.

     

    Please investigate the following.

    1. A complete fiddler trace of Cookies being sent to the browser and received by the Server.

    2. FWSTrace.log

    3. smtracedefault.log

    4. Follow one complete thread of a single user access using the above three artifacts.



  • 9.  Re: OpenID Connect Provider authentication loop

    Posted Mar 29, 2018 11:21 PM

    I am having the same issue.  Have you found a solution yet?



  • 10.  Re: OpenID Connect Provider authentication loop

    Broadcom Employee
    Posted Mar 30, 2018 12:27 AM


  • 11.  Re: OpenID Connect Provider authentication loop

    Posted Mar 30, 2018 10:26 AM

    As advised by Hubert Dennis, I enabled the FWS trace log file that helped me to discover the error. The error was related to https (secure connection between OP & RP).

     

    In my case, we had a load balancer before the Access Gateway. Initially, I enabled SSL on the LB but not on the Access Gateway. After I enabled SSL on the Access Gateway, the issue was resolved.