
SAMLSPEntitlementParser: Invalid Encryption Indication

Question asked by dmt953 on Jun 26, 2018
Latest reply on Jun 27, 2018 by dmt953

We are beginning to see an unusual error with our federation services when performing outbound SSO to a particular SAML service provider. When attempting to do IDP initiated SAML SSO to a particular SP we're getting a 500 error from SiteMinder. The smtrace logs indicate "invalid encryption indication", but SAML encryption is disabled.

We have a case open with CA Support, but I think this could be a tough one to debug so we're hoping to get additional help from CA Community if possible.

[15154/4012030832][Mon Jun 25 2018 17:55:08][AssertionGenerator.java][ERROR][sm-FedServer-00090] AssertionHandler process() throws exception: ncom.netegrity.assertiongenerator.AssertionGeneratorException: SAMLSPEntitlementParser: Invalid Encryption Indication
        at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementParser.encryptExtractor(SAMLSPEntitlementParser.java:160)
        at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementParser.parseEntitlement(SAMLSPEntitlementParser.java:118)
        at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementParser.getEntitlementList(SAMLSPEntitlementParser.java:92)
        at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementGenerator.<init>(SAMLSPEntitlementGenerator.java:147)
        at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementGenerator.<init>(SAMLSPEntitlementGenerator.java:121)
        at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementGenerator.<init>(SAMLSPEntitlementGenerator.java:92)
        at com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol.processRequest(AuthnRequestProtocol.java:1297)
        at com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20.process(AssertionHandlerSAML20.java:211)
        at com.netegrity.assertiongenerator.AssertionGenerator.invoke(AssertionGenerator.java:259)
        at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(ActiveExpressionContext.java:286)

[06/25/2018][18:03:11][3907132272][][CServer.cpp:1869][CAgentMessageHandler::HandleInput][][][][][][][][Enqueuing a Normal Priority Message, from IP 10.22.135.148 with Port No 39910. Current count is 1]
[06/25/2018][18:03:11][3991051120][][CServer.cpp:1428][ThreadPool::Run][][][][][][][][Dequeuing a Normal Priority message, from IP 10.22.135.148 with Port No 39910. Current count is 0]
[06/25/2018][18:03:11][3991051120][][CServer.cpp:5764][CServer::ProcessRequest][][][][][][][][Enter function CServer::ProcessRequest]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][invoke][][][][][][][][Entering Assertion Generator Framework.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][invoke][][][][][][][][Reqesting parameters: -AssertionHandler:SAML20 SSO#unspecified:editableFields=accountholderemail,amount]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][getAssertionHandlerAlias][][][][][][][][Found Alias Name : 'SAML20' in the Active Expression parameter.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][invoke][][][][][][][][Requesting resource: /SPID=sp_instamed-member-asuris-uat&RelayState=https://pay-uat.instamedtest.com/Form/Payments/New&AuthToken=C06DB42FD3753DC1043F7C8748FBCC4C&PersonId=863023321&SSOUrl=https://fedsvc-staging.asuris.com/affwebservices/public/saml2sso&Oid=21-0005daf2-722d-1b31-aec7-87f40a16f041]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][getAssertionHandlerOverrideClass][][][][][][][][Looking for override class in resource string: /SPID=sp_instamed-member-asuris-uat&RelayState=https://pay-uat.instamedtest.com/Form/Payments/New&AuthToken=C06DB42FD3753DC1043F7C8748FBCC4C&PersonId=863023321&SSOUrl=https://fedsvc-staging.asuris.com/affwebservices/public/saml2sso&Oid=21-0005daf2-722d-1b31-aec7-87f40a16f041]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][invoke][][][][][][][][Assertion Handler for "SAML20" will be loaded.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][getAssertionHandler][][][][][][][][Loading AssertionHandler: com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGeneratorCache.java][getObject][][][][][][][][Found cached instance for com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][getAssertionHandler][][][][][][][][Successfully loaded Assertion Handler: com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionHandlerSAML20.java][getConfig][][][][][][][][Start to get configuration data supporting SAML2.0.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][AuthnRequestProtocol][][][][][][][][Initial the context data ...]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][Initial the AuthnRequest with the query parameters ...]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][
   queryParameters: "/SPID=sp_instamed-member-asuris-uat&RelayState=https://pay-uat.instamedtest.com/Form/Payments/New&AuthToken=C06DB42FD3753DC1043F7C8748FBCC4C&PersonId=863023321&SSOUrl=https://fedsvc-staging.asuris.com/affwebservices/public/saml2sso&Oid=21-0005daf2-722d-1b31-aec7-87f40a16f041"]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][Query parameter: SPID = sp_instamed-member-asuris-uat]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][Query parameter: RelayState = https://pay-uat.instamedtest.com/Form/Payments/New]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][Query parameter: AuthToken = C06DB42FD3753DC1043F7C8748FBCC4C]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][Query parameter: PersonId = 863023321]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][Query parameter: SSOUrl = https://fedsvc-staging.asuris.com/affwebservices/public/saml2sso]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][Query parameter: Oid = 21-0005daf2-722d-1b31-aec7-87f40a16f041]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][Attributes being passed to Assertion Generator Plug-in:
{AuthToken=C06DB42FD3753DC1043F7C8748FBCC4C, PersonId=863023321}
]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][
Destination Variable:  https://pay-uat.instamedtest.com/Forms/SSO/ACS_SAML2.aspx
]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][setDeflatedAuthnRequest][][][][][][][][Unsolicited Response is expected by the Service Provider.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][getSPProperties][][][][][][][][Loading the configration data for the Service Provider with ID "sp_instamed-member-asuris-uat" ...]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionHandlerSAML20.java][preProcess][][][][][][][][Start to validate the SAML2.0 Authn request.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][validateRequest][][][][][][][][Validating the Request...All the properties:
{EncryptAssertion=0, AttributeList=SSO#unspecified:editableFields=accountholderemail,amount, IdPSourceID=204440eee359610905f91a46440600caadea14c0, ReuseSessionIndex=0, IsActive=1, MniRequireEncryptedNameID=0, PartnershipSource=1, EnableAuthnRequestRedirect=1, Domain=@03-000d01d9-0307-11b6-aefb-879f0a1610b6, SLOServiceValidityDuration=60, UnauthorizedAccessRedirectMode=0, KEY_SPID=sp_instamed-member-asuris-uat, AttrSvcValidityDuration=60, ArtifactEncoding=FORM, EnableSSOPostBinding=1, EnableServerErrorURL=0, Policy=@04-00073967-722d-1b31-aec7-87f40a16f041, RequireSignedArtifactResolve=0, MniSignRequest=0, AttrSvcEnableProxiedQuery=0, EnableIPD=0, EncryptionBlockAlgorithm=tripledes, PostSignatureOption=0, CustomTimeout=1, MniRequireSignedResponse=0, SignArtifactResponse=0, EnableAttributeService=0, EnableAuthnRequestPost=0, AuthnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:Password, MniSOAPTimeout=0, Realm=@06-00064eb6-722d-1b31-aec7-87f40a16f041, EnableSLORedirectBinding=0, OneTimeUse=0, AE_PARAM_SAML2=-AssertionHandler:SAML20 SSO#unspecified:editableFields=accountholderemail,amount, Response=@07-0007281e-722d-1b31-aec7-87f40a16f041, SAML2.AuthnRequestProtocolManager=com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol@1506fa2, MniRequireSignedRequest=0, CompareUserDNForSMC=1, DisableSignatureProcessing=0, EnableSMC=0, AssertionConsumerDefaultURL=https://pay-uat.instamedtest.com/Forms/SSO/ACS_SAML2.aspx, MniRetryBoundary=0, MniEnableSOAPBinding=0, MniRetryCount=0, EnforceForceAuthnSessionTimeouts=0, NameIdType=1, AttrList=SSO#SSO#unspecified:editableFields=accountholderemail,amount, AttrSvcPartnershipAAProtEnabled=0, LegacyArtifactProtEnabled=0, Oid=21-0005daf2-722d-1b31-aec7-87f40a16f041, MniEncryptNameID=0, MniAllowUserSelfService=0, MniNotificationAuthType=1, MniEnableNotification=0, MniEnablePostBinding=0, SAMLMajorVersion=2, AttrSvcSignAssertion=0, RequireSignedAuthnRequests=0, SessionNotOnOrAfterType=0, MniSignResponse=0, 
EncryptionKeyAlgorithm=rsa-v15, Agent=@01-0006318f-722d-1b31-aec7-87f40a16f041, AssertionPluginClass=com.cambiahealth.enterprise.plugin.assertiongenerator.CambiaSAML2AssertionGeneratorPlugin, AllowCreationOfUserIdentifier=0, InvalidRequestRedirectMode=0, EnableSSOArtifactBinding=0, SkewTime=30, NameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient, ValidityDuration=60, MniDeleteNameID=0, ProxyServer=https://fedsvc-staging.asuris.com, NetegrityAffiliateMinderAuthURL=https://fedsvc-staging.asuris.com/affwebservices/redirectjsp/smportalstate_asuris.jsp, AssertionPluginParameters=/usr/pservices/ca/siteminder/bin/thirdparty/instamed-member-uat-mock.properties, PersistentCookie=0, EnableInvalidRequestURL=0, IdPID=idp_asuris_member-instamed-uat, ServerErrorRedirectMode=0, AllowOFCAuthnContextOverride=0, AttrSvcRequireSignedQuery=0, EncryptNameID=0, MniEnableRedirectBinding=0, ArtifactSignatureOption=3, SAMLMinorVersion=0, Rule=@0b-00071df4-722d-1b31-aec7-87f40a16f041, EnableSSOECPProfile=0, IgnoreRequestedAuthnContext=0, SignatureAlgo=1, DSigningAlias=cambiasamlcertificate, AuthenticationLevel=5, Name=instamed - member_asuris-uat, AttrSvcLegacyAAProtEnabled=0, MniNotifyTimeout=0, PartnershipArtifactProtEnabled=0, EnableUnauthorizedRequestURL=0, ApplicationURL=https://portal-qa2.asuris.com/group/asuris_common/agp, AttrSvcSignResponse=0, UseSecureAuthURL=0, RelayStateOverridesSloConfirm=0}]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Configured NameID format is "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Verified nameid policy exists [CHECKPOINT = SSOSAML2_IDPNAMEIDPOLICY_VERIFY]]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Identity Provider is not allowed to create a new identifier to represent the principal.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Creation of new user identifier is not applicable with TRANSIENT name identifiers.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][validateRequest][][][][][][][][User Name Identifier from IdP resolved.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][validateRequest][][][][][][][][Validating Service Provider ID ...]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][validateRequest][][][][][][][][Service Provider ID is valid.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][validateRequest][][][][][][][][Validating AuthnRequest ProtocolBinding ...]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][validateBindings][][][][][][][][Requesting Binding is urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][validateRequest][][][][][][][][AuthnRequest ProtocolBinding is valid and supported.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][validateRequest][][][][][][][][AuthnRequest validation is successful.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][invoke][][][][][][][][AssertionHandler preProcess() succeeds, it returns:]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionHandlerSAML20.java][process][][][][][][][][Start to handle the SAML2.0 Authn request.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][processRequest][][][][][][][][Start to process the request ...]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateConditions][][][][][][][][Generating SAML Assertion Conditions...]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateConditions][][][][][][][][Adding SPID audience to AudienceRestriction element: sp_instamed-member-asuris-uat]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateConditions][][][][][][][][SAML Assertion Conditions generated successfully.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateSubject][][][][][][][][Generating SAML Assertion Subject.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateSubject][][][][][][][][SAML Assertion Subject generated successfully.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][Generating SAML Assertion AuthnStatement...]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][getSessionIndex][][][][][][][][A new session index will not be created.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][getStartTime][][][][][][][][Use Force Authn Session Timeouts is: true]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][Using authn context from properties map]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][AuthnContext Class Ref used: urn:oasis:names:tc:SAML:2.0:ac:classes:Password]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][SessionNotOnOrAfter type is: 0]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][Value of SessionNotOnOrAfter :90]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][SAML Assertion AuthnStatement generated successfully.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][invoke][][][][][][][][Error happens in running Assertionhandler process(). Leaving Assertion Generator Framework.  Exception:
com.netegrity.assertiongenerator.AssertionGeneratorException: SAMLSPEntitlementParser: Invalid Encryption Indication
        at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementParser.encryptExtractor(SAMLSPEntitlementParser.java:160)
        at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementParser.parseEntitlement(SAMLSPEntitlementParser.java:118)
        at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementParser.getEntitlementList(SAMLSPEntitlementParser.java:92)
        at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementGenerator.<init>(SAMLSPEntitlementGenerator.java:147)
        at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementGenerator.<init>(SAMLSPEntitlementGenerator.java:121)
        at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementGenerator.<init>(SAMLSPEntitlementGenerator.java:92)
        at com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol.processRequest(AuthnRequestProtocol.java:1297)
        at com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20.process(AssertionHandlerSAML20.java:211)
        at com.netegrity.assertiongenerator.AssertionGenerator.invoke(AssertionGenerator.java:259)
        at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(ActiveExpressionContext.java:286)

]
[06/25/2018][18:03:11][3991051120][][CServer.cpp:5950][CServer::ProcessRequest][][][][][][][][Leave function CServer::ProcessRequest]
[06/25/2018][18:03:11][3907132272][][CServer.cpp:1869][CAgentMessageHandler::HandleInput][][][][][][][][Enqueuing a Normal Priority Message, from IP 10.22.131.45 with Port No 55970. Current count is 1]
[06/25/2018][18:03:11][3938601840][][CServer.cpp:1428][ThreadPool::Run][][][][][][][][Dequeuing a Normal Priority message, from IP 10.22.131.45 with Port No
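
A triage helper for traces like the one above, as an added example that is not part of the original post and is not CA code: it parses the "All the properties" map (Java `Map.toString()` output, whose values can themselves contain commas and equals signs) and pairs the encryption-related settings with the first exception frame. The sample trace is constructed from the post's log layout, the transaction id `tx-1` is a placeholder, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the trace in the post; the properties
# map is cut down to a few keys and "tx-1" is a placeholder transaction id.
SAMPLE_TRACE = """\
[06/25/2018][18:03:11][3991051120][tx-1][AuthnRequestProtocol.java][validateRequest][][][][][][][][Validating the Request...All the properties:
{EncryptAssertion=0, AttributeList=SSO#unspecified:editableFields=accountholderemail,amount, EncryptionBlockAlgorithm=tripledes, MniEncryptNameID=0,
EncryptionKeyAlgorithm=rsa-v15, EncryptNameID=0, Name=instamed - member_asuris-uat, SkewTime=30}]
[06/25/2018][18:03:11][3991051120][tx-1][AssertionGenerator.java][invoke][][][][][][][][Error happens in running Assertionhandler process(). Leaving Assertion Generator Framework.  Exception:
com.netegrity.assertiongenerator.AssertionGeneratorException: SAMLSPEntitlementParser: Invalid Encryption Indication
        at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementParser.encryptExtractor(SAMLSPEntitlementParser.java:160)
        at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementParser.parseEntitlement(SAMLSPEntitlementParser.java:118)
]
"""

# The map is printed as {k=v, k=v}] and may wrap across physical lines.
PROPS_RE = re.compile(r"All the properties:\s*\{(.*?)\}\]", re.S)
# Split only on ", " that is followed by "Key=", so commas and "=" inside a
# value (e.g. "editableFields=accountholderemail,amount") stay in that value.
PAIR_SEP = re.compile(r",\s+(?=[\w.]+=)")
EXC_RE = re.compile(r"^(?P<cls>[\w.]*Exception): (?P<msg>.+)$", re.M)
FRAME_RE = re.compile(r"^\s+at (?P<method>[\w.$<>]+)\((?P<file>[\w.]+):(?P<line>\d+)\)", re.M)


def parse_properties(trace):
    """Return the partnership properties logged by validateRequest as a dict."""
    match = PROPS_RE.search(trace)
    if not match:
        return {}
    body = " ".join(match.group(1).split())  # undo line wrapping
    props = {}
    for pair in PAIR_SEP.split(body):
        key, _, value = pair.partition("=")
        props[key] = value
    return props


def first_exception(trace):
    """Return message and top stack frame of the first exception, or None."""
    exc = EXC_RE.search(trace)
    if not exc:
        return None
    frame = FRAME_RE.search(trace, exc.end())
    return {
        "class": exc.group("cls"),
        "message": exc.group("msg"),
        "top_frame": frame.group("method") if frame else None,
        "line": int(frame.group("line")) if frame else None,
    }


def triage(trace):
    """Put every setting whose name mentions encryption next to the failure."""
    props = parse_properties(trace)
    encryption = {k: v for k, v in props.items() if "encrypt" in k.lower()}
    return {"encryption_settings": encryption, "exception": first_exception(trace)}


if __name__ == "__main__":
    print(triage(SAMPLE_TRACE))
```
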
