Here I have detailed the configuration to set up CA Single Sign-On 12.8 as an OpenID Connect provider.
Please help us to move ahead. I am not sure what I am missing here. I have followed the link below to configure the OpenID authorization provider with the Apache client.
CA SSO OpenID Connect Provider - with Apache OpenID Client
Authorization Provider setup:
1. Name: SSO12.8OIDC
2. User Directory: Selected
3. Search Specification : empty
4. Authorization base URL : https://ec2-18-191-195-234.us-east-2.compute.amazonaws.com
5. Authorization Code Expiry Time : 10 mins
6. Use Secure Authentication URL: Yes
7. Min Authentication level : 5
8. Enable Dynamic Authentication Mode : No
9. Authentication URL: https://ec2-18-191-195-234.us-east-2.compute.amazonaws.com/affwebservices/secure/secureredirect
10. Signing Certificate Alias : SPS (Created through wam ui)
11. Signing Algorithm: RS256 & Select only Sign ID Token
12. Claim mapping (Claim Name : User attribute)
    email : cn
    username : smLogin
13. Scope mapping (Scope name : Claim Name)
    email : email
    username : username
Client Setup on siteminder:
Client name : Apache-OIDC
Disable User Consent : Yes
Application Type: Confidential
Authentication Type: POST
Authorization Provider: SSO12.8OIDC
Scopes: openid, email, username (selected).
Grant Types: Authorization Code
Response Types: code
Redirect URL : https://sasikumar.chenniyappan.usr.optusnet.com.au/openid/redirect.html
Access Token: 20 mins timeout
ID Token: 20 mins timeout
Authentication Scheme and Protection:
Resource : /affwebservices/secure/secureredirect
Auth.Scheme : Basic (Authentication level-5)
Persistent session realm created.
======================================
Client Setup:
Apache OpenID Client:
Section of httpd.conf:
OIDCSSLValidateServer Off
OIDCProviderIssuer https://ec2-18-191-195-234.us-east-2.compute.amazonaws.com
OIDCClientID 000f4164-d937-1b63-9647-0f3fac1f0000
OIDCClientSecret 2yCqGbmuaEOSi4s0DvmWaWklINMy7uiPoP1LJJdkDGQ=
OIDCProviderAuthorizationEndpoint https://ec2-18-191-195-234.us-east-2.compute.amazonaws.com/affwebservices/CASSO/oidc/authorize
OIDCProviderTokenEndpoint https://ec2-18-191-195-234.us-east-2.compute.amazonaws.com/affwebservices/CASSO/oidc/token
OIDCRedirectURI https://sasikumar.chenniyappan.usr.optusnet.com.au/openid/redirect.html
OIDCCryptoPassphrase somepassword
OIDCProviderTokenEndpointAuth client_secret_post
OIDCProviderJwksUri https://ec2-18-191-195-234.us-east-2.compute.amazonaws.com/affwebservices/CASSO/oidc/jwks?AuthorizationProvider=SSO12.8OIDC
OIDCScope "openid email username"
OIDCProviderUserInfoEndpoint https://ec2-18-191-195-234.us-east-2.compute.amazonaws.com/affwebservices/CASSO/oidc/userinfo
<Location /openid/>
AuthType openid-connect
Require valid-user
</Location>
********************
Note:
1. CA Access gateway enabled for SSL (self signed certificate)
2. LDAP dsa1 as user store
3. LDAP dsa2 as sessions store
4. LDAP dsa1 as object store and key store.
********************
Environment:
1. CA Access Gateway:
Linux ip-172-31-14-176.us-east-2.compute.internal 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux
2. CA Directory
Linux ip-172-31-1-147.us-east-2.compute.internal 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux
3. Siteminder policy server:
Linux ip-172-31-15-63.us-east-2.compute.internal 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux
4. Apache Client:
Linux sasikumar.chenniyappan.usr.optusnet.com.au 4.17.11-100.fc27.x86_64 #1 SMP Mon Jul 30 15:22:33 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
============================================================================================================================================================
Problem Statement:
1. The user accesses the Apache-protected resource using
https://sasikumar.chenniyappan.usr.optusnet.com.au/openid/dumpvars.sh
2. The user is challenged for authentication.
3. The user enters credentials and submits.
4. Authentication is successful, and then it enters a loop between https://ec2-18-191-195-234.us-east-2.compute.amazonaws.com/affwebservices/CASSO/oidc/authorize and the protected
https://ec2-18-191-195-234.us-east-2.compute.amazonaws.com/affwebservices/secure/secureredirect?response_type=code&scope=openid%20email%20username&client_id=000f4164-d937-1b63-9647-0f3fac1f0000&state=z2Wf3v6V9-Pb-7szWnPgUoANtMI&redirect_uri=https%3A%2F%2Fsasikumar.chenniyappan.usr.optusnet.com.au%2Fopenid%2Fdumpvars.bat&nonce=iyQHX-qK55OG1TfEMSXtQpODp4KAwIvAPM78nMaRvw4&SMPORTALURL=https%3A%2F%2Fec2-18-191-195-234.us-east-2.compute.amazonaws.com%2Faffwebservices%2FCASSO%2Foidc%2Fauthorize
HTTP Status 500 - Internal Error occured while trying to process the request. Transaction ID: 91b3144d-e900f7d1-5e9a1592-41e662d1-1dde4eba-5cc failed.
type Status report
message Internal Error occured while trying to process the request. Transaction ID: 91b3144d-e900f7d1-5e9a1592-41e662d1-1dde4eba-5cc failed.
description The server encountered an internal error that prevented it from fulfilling this request.
affwebserv.log
[7805/139925230561024][Wed Aug 15 2018 00:24:09][SecureRedirect.java][ERROR][sm-FedClient-02890] Transaction with ID: 91b3144d-e900f7d1-5e9a1592-41e662d1-1dde4eba-5cc failed. Reason: SERE_GET_EXCEPTION (, , )
[7805/139925230561024][Wed Aug 15 2018 00:24:09][SecureRedirect.java][ERROR][sm-FedClient-01660] Exception caught in class com.netegrity.affiliateminder.webservices.SecureRedirect, method doGet, message com.netegrity.siteminder.agentcommon.utils.k: Failed to decrypt.. (, )
FWSTrace.log
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,doGet,OpenIDConnect Authorization Service Service received GET request.
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,doGet,Query String:response_type=code&scope=openid%20email%20username&client_id=000f4164-d937-1b63-9647-0f3fac1f0000&state=z2Wf3v6V9-Pb-7szWnPgUoANtMI&redirect_uri=https%3A%2F%2Fsasikumar.chenniyappan.usr.optusnet.com.au%2Fopenid%2Fdumpvars.bat&nonce=iyQHX-qK55OG1TfEMSXtQpODp4KAwIvAPM78nMaRvw4
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,getSavedRequestDataUsingGuid,Enter getSavedRequestDataUsingGuid
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,retrieveRequestDataFromStateCookie,return Map: null
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,getClientInfo,Obtained client information from cache for: 000f4164-d937-1b63-9647-0f3fac1f0000.
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,getClientInfo,Obtained client information from cache for: 000f4164-d937-1b63-9647-0f3fac1f0000.
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,validateInputWithConfiguration,redirectURI=https://sasikumar.chenniyappan.usr.optusnet.com.au/openid/dumpvars.bat
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,validateInputWithConfiguration,state=z2Wf3v6V9-Pb-7szWnPgUoANtMI
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,validateInputWithConfiguration,scope=openid email username
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,validateInputWithConfiguration,nonce=iyQHX-qK55OG1TfEMSXtQpODp4KAwIvAPM78nMaRvw4
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,validateInputWithConfiguration,response_type=code
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,validateInputWithConfiguration,validScopes: openid email username
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,processRequest,CLIENT_NAME/AffiliateName: SSO12.8OIDC
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,processRequest,RealmOID: 06-0000f104-d8fc-1b63-9647-0f3fac1f0000
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,processRequest,Validating current session.
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,FWSBase.java,isValidSession,Checking for valid SESSION cookies.
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,FWSBase.java,getSessionData,Request does not have any cookies.
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,FWSBase.java,isValidSession,No SESSION cookie on request.
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,processRequest,prompt=login. Hence will reauthenticate the user.
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,processRequest,Query string after removing login value from prompt query parameter=response_type=code&scope=openid%20email%20username&client_id=000f4164-d937-1b63-9647-0f3fac1f0000&state=z2Wf3v6V9-Pb-7szWnPgUoANtMI&redirect_uri=https%3A%2F%2Fsasikumar.chenniyappan.usr.optusnet.com.au%2Fopenid%2Fdumpvars.bat&nonce=iyQHX-qK55OG1TfEMSXtQpODp4KAwIvAPM78nMaRvw4
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,getAuthenticationURL,AuthenticationType = 1
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,getAuthenticationURL,Authentication Type is null/Local, returning default authentication url = https://ec2-18-191-195-234.us-east-2.compute.amazonaws.com/affwebservices/secure/secureredirect
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,getLocalServiceURL,Enter getLocalServiceURL
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,getLocalServiceURL,Using Proxy URL for local SSO service: https://ec2-18-191-195-234.us-east-2.compute.amazonaws.com/affwebservices/CASSO/oidc/authorize
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,processAuthentication,Not using secure authentication URL.
08/15/2018,00:24:00,7805,139925228455680,66379bea-3cfd7ec4-19a86cf3-402db7b3-f3540217-1c,AuthorizationService.java,processAuthentication,OpenIDConnect Authorization Service Service redirecting to authentication URL: https://ec2-18-191-195-234.us-east-2.compute.amazonaws.com/affwebservices/secure/secureredirect?response_type=code&scope=openid%20email%20username&client_id=000f4164-d937-1b63-9647-0f3fac1f0000&state=z2Wf3v6V9-Pb-7szWnPgUoANtMI&redirect_uri=https%3A%2F%2Fsasikumar.chenniyappan.usr.optusnet.com.au%2Fopenid%2Fdumpvars.bat&nonce=iyQHX-qK55OG1TfEMSXtQpODp4KAwIvAPM78nMaRvw4&SMPORTALURL=https%3A%2F%2Fec2-18-191-195-234.us-east-2.compute.amazonaws.com%2Faffwebservices%2FCASSO%2Foidc%2Fauthorize.
08/15/2018,00:24:09,7805,139925230561024,91b3144d-e900f7d1-5e9a1592-41e662d1-1dde4eba-5cc,SecureRedirect.java,doGet,SAML2 Secure Redirect Service received GET request.
08/15/2018,00:24:09,7805,139925230561024,91b3144d-e900f7d1-5e9a1592-41e662d1-1dde4eba-5cc,SecureRedirect.java,doGet,Query string is: response_type=code&scope=openid%20email%20username&client_id=000f4164-d937-1b63-9647-0f3fac1f0000&state=z2Wf3v6V9-Pb-7szWnPgUoANtMI&redirect_uri=https%3A%2F%2Fsasikumar.chenniyappan.usr.optusnet.com.au%2Fopenid%2Fdumpvars.bat&nonce=iyQHX-qK55OG1TfEMSXtQpODp4KAwIvAPM78nMaRvw4&SMPORTALURL=https%3A%2F%2Fec2-18-191-195-234.us-east-2.compute.amazonaws.com%2Faffwebservices%2FCASSO%2Foidc%2Fauthorize
08/15/2018,00:24:09,7805,139925230561024,91b3144d-e900f7d1-5e9a1592-41e662d1-1dde4eba-5cc,SecureRedirect.java,doGet,Transaction with ID: 91b3144d-e900f7d1-5e9a1592-41e662d1-1dde4eba-5cc failed. Reason: SERE_GET_EXCEPTION
08/15/2018,00:24:09,7805,139925230561024,91b3144d-e900f7d1-5e9a1592-41e662d1-1dde4eba-5cc,SecureRedirect.java,doGet,Exception caught in class com.netegrity.affiliateminder.webservices.SecureRedirect, method doGet: com.netegrity.siteminder.agentcommon.utils.k: Failed to decrypt.
08/15/2018,00:24:09,7805,139925230561024,91b3144d-e900f7d1-5e9a1592-41e662d1-1dde4eba-5cc,SecureRedirect.java,doGet,Stack Trace: com.netegrity.siteminder.agentcommon.utils.k: Failed to decrypt.
at com.netegrity.affiliateminder.webservices.f.a(fedfws_obfsc:3935)
at com.netegrity.affiliateminder.webservices.SecureRedirect.doGet(fedfws_obfsc:189)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:624)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.netegrity.affiliateminder.webservices.CAFedFilter.doFilter(fedfws_obfsc:58)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:106)
at com.netegrity.proxy.ProxyValve.processRequest(Unknown Source)
at com.netegrity.proxy.ProxyValve.invoke(Unknown Source)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: com.netegrity.siteminder.agentcommon.utils.k: SiteMinder Decryption Exception
at com.netegrity.siteminder.agentcommon.utils.SmCryptoUtil.c(Unknown Source)
at com.netegrity.siteminder.agentcommon.utils.SmCryptoUtil.e(Unknown Source)
at com.netegrity.affiliateminder.webservices.f.a(fedfws_obfsc:3930)
... 24 more
Caused by: com.ca.sso.smcrypto.SmCryptoLibException: org.bouncycastle.crypto.internal.io.StreamIOException: Error closing stream:
at com.ca.sso.smcrypto.bcfipsimpl.SmBaseCrypto.decryptBytes(SmBaseCrypto.java:421)
... 27 more
Caused by: org.bouncycastle.crypto.internal.io.StreamIOException: Error closing stream:
at org.bouncycastle.crypto.internal.io.CipherOutputStreamImpl.close(Unknown Source)
at com.ca.sso.smcrypto.bcfipsimpl.SmBaseCrypto.decryptBytes(SmBaseCrypto.java:384)
... 27 more
Caused by: org.bouncycastle.crypto.internal.DataLengthException: last block incomplete in decryption
at org.bouncycastle.crypto.internal.paddings.PaddedBufferedBlockCipher.doFinal(Unknown Source)
... 29 more
Exception history:
com.ca.sso.smcrypto.SmCryptoLibException: org.bouncycastle.crypto.internal.io.StreamIOException: Error closing stream:
com.netegrity.siteminder.agentcommon.utils.k: SiteMinder Decryption Exception
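An added check (not part of the post, of CA SSO or of mod_auth_openidc) that pulls the authorize-request query string out of an FWSTrace.log "redirecting to authentication URL" line and compares it with the client registration quoted in the post; the trace line and client record below are constructed from the values on this page. On the page's own data it flags that the redirect_uri sent in the request (.../openid/dumpvars.bat) is not the registered Redirect URL (.../openid/redirect.html); OpenID Connect requires an exact pre-registered match, so that mismatch is worth reconciling with the Apache side alongside the decryption error.

```python
import re
from urllib.parse import parse_qs, urlparse

# Client registration, constructed from the "Client Setup on siteminder" section of the post.
REGISTERED_CLIENT = {
    "client_id": "000f4164-d937-1b63-9647-0f3fac1f0000",
    "redirect_uris": {"https://sasikumar.chenniyappan.usr.optusnet.com.au/openid/redirect.html"},
    "scopes": {"openid", "email", "username"},
    "response_types": {"code"},
}

# One FWSTrace.log line, constructed from the post (transaction id shortened).
SAMPLE_TRACE_LINE = (
    "08/15/2018,00:24:00,7805,139925228455680,66379bea-1c,AuthorizationService.java,"
    "processAuthentication,OpenIDConnect Authorization Service Service redirecting to "
    "authentication URL: https://ec2-18-191-195-234.us-east-2.compute.amazonaws.com/"
    "affwebservices/secure/secureredirect?response_type=code&scope=openid%20email%20username"
    "&client_id=000f4164-d937-1b63-9647-0f3fac1f0000&state=z2Wf3v6V9-Pb-7szWnPgUoANtMI"
    "&redirect_uri=https%3A%2F%2Fsasikumar.chenniyappan.usr.optusnet.com.au%2Fopenid%2Fdumpvars.bat"
    "&nonce=iyQHX-qK55OG1TfEMSXtQpODp4KAwIvAPM78nMaRvw4&SMPORTALURL=https%3A%2F%2F"
    "ec2-18-191-195-234.us-east-2.compute.amazonaws.com%2Faffwebservices%2FCASSO%2Foidc%2Fauthorize."
)

def extract_authorize_params(trace_line):
    """Return the decoded query parameters of the URL in a 'redirecting to ... URL:' trace line."""
    m = re.search(r"URL:\s*(\S+)", trace_line)
    if not m:
        raise ValueError("no redirect URL found in trace line")
    url = m.group(1).rstrip(".")  # the trace line terminates the URL with a full stop
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def check_authorize_request(params, client):
    """Compare an authorize request with the client registration; return a list of mismatches."""
    findings = []
    if params.get("client_id") != client["client_id"]:
        findings.append("client_id %r is not the registered client" % params.get("client_id"))
    # OpenID Connect requires an exact match against a pre-registered redirect URI.
    if params.get("redirect_uri") not in client["redirect_uris"]:
        findings.append("redirect_uri %r is not a registered Redirect URL" % params.get("redirect_uri"))
    requested = set(params.get("scope", "").split())
    if "openid" not in requested:
        findings.append("scope does not include openid")
    unknown = requested - client["scopes"]
    if unknown:
        findings.append("scopes not registered for client: %s" % ", ".join(sorted(unknown)))
    if params.get("response_type") not in client["response_types"]:
        findings.append("response_type %r not allowed for client" % params.get("response_type"))
    for name in ("state", "nonce"):  # both must be present for CSRF and replay protection
        if not params.get(name):
            findings.append("missing %s parameter" % name)
    return findings
```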