Symantec Access Management

  • 1.  getting 400 BAD request error for SP initiated federation

    Posted Jun 17, 2018 09:08 PM

    Hi All,

     

    We have a CA SSO federation setup in our environment with servers in a cluster. We are getting error 400 BAD request when the request goes from a particular SPS server to the policy server, whereas it works with the other SPS server, which is configured for a different policy server. We tested the federation by changing the policy servers and found that it fails when the request goes to a particular policy server.

     

    Further to this, the request is failing because after login it is unable to get the actual request details from the expiry tables. So is there any way to check why it is having issues with a particular policy server?

     

    Regards,

    Rajesh



  • 2.  Re: getting 400 BAD request error for SP initiated federation

    Posted Jun 17, 2018 10:39 PM

    Is this policy server connected to the same session store as the other working PS?




  • 3.  Re: getting 400 BAD request error for SP initiated federation

    Posted Jun 17, 2018 11:04 PM

    Hi Ujwols,

     

    Yes, the policy server is connected to the same session store. What we found is that when the request goes to sps1 - policyserver1, the requested details are not getting saved in the SS_EXPIRYDATA5 table, whereas when the request goes to sps2 - policyserver2, the details are getting saved correctly in the table and federation is successful.

     

    Is there a way to check why the details are not getting saved correctly in the database from policy server1?

     

    Regards,

    Rajesh



  • 4.  Re: getting 400 BAD request error for SP initiated federation

    Posted Jun 18, 2018 07:34 AM

    A couple of items to check.

     

    1. Are PS1 and PS2 pointing to the same PStore?

     

    2. Have we checked that the PS1 to SStore connection is successful? Does the PS1 smps.log show any errors related to SStore?

     

    3. Please check SStore connection parameters like username, IP address, port between PS1 and PS2.

     

    Regards 

    Hubert.



  • 5.  Re: getting 400 BAD request error for SP initiated federation

    Posted Jun 18, 2018 07:58 AM

    Hi Hubert,

     

    1. Are PS1 and PS2 pointing to the same PStore?

    Answer: Yes, they are pointing to the same Policy store. Verified from the database configuration files.

     

    2. Have we checked that the PS1 to SStore connection is successful? Does the PS1 smps.log show any errors related to SStore?

    Answer: We don't have a session store in our environment.

     

    3. Please check SStore connection parameters like username, IP address, port between PS1 and PS2.

    Answer: We don't have a session store in our environment.

     

    Regards,

    Rajesh



  • 6.  Re: getting 400 BAD request error for SP initiated federation

    Posted Jun 19, 2018 12:33 PM

    Strange, in your reply to Ujwol the SStore (SS_EXPIRYDATA5 table) is mentioned, and in your reply to my comment it is stated that there is no SStore.

     

    Anyway, I would really start looking at the Policy Server trace logs to see why PS1 is rejecting your request. As Joe suggested, open a case, OR you could also do a first-hand review of the logs to move ahead.



  • 7.  Re: getting 400 BAD request error for SP initiated federation

    Broadcom Employee
    Posted Jun 18, 2018 08:37 AM

    Hi Rajesh,

     

    I would suggest you open a case with CA Support and upload your Fiddler trace, FWSTrace, smps log and policy server trace so we can review them and see what is happening.

     

    Thank you 

    Joe 



  • 8.  Re: getting 400 BAD request error for SP initiated federation
    Best Answer

    Posted Jun 28, 2018 08:29 PM

    Hi All,

     

    Found the issue: the session store is not enabled on the policy server, due to which the request details are not getting stored in the session table, which makes the request fail after authentication, because in the SP-initiated flow the actual request details are fetched from the session tables. After enabling the session store on the policy server, the requests are working fine.

     

    Thanks all for helping us.

     

    Regards,

    Rajesh