
CA SSO OpenID Connect Provider configuration issue

Question asked by PKSahu on Nov 22, 2018
Latest reply on Nov 23, 2018 by PKSahu

I am configuring the CA SSO OpenID Connect Provider with the Apache OpenID Connect client, following the doc "CA SSO OpenID Connect Provider - with Apache OpenID Client".

 

Below are the details of my infrastructure:

RHEL 7.4

Policy Server R12.7

Access Gateway R12.7

Installed Apache 2.4

Installed mod_auth_openidc

 

OpenID Connect client: http://*********.xxxx.******/example/redirect

OpenID Connect Provider: http://******.xxxx.xxxx/affwebservices/secure/secureredirect

 

When I access the URL http://*********.xxxx.******/example/index.html on the OpenID Connect client side, I get a 400 Bad Request error.

 

Below are the logs I get in the SPS trace and Policy Server trace logs:

 

Policy Server trace log:

 

[11/22/2018][06:48:07.257][IsProtected.cpp:98][CSm_Az_Message::IsProtected][13286][140130924869376][][][][fed_qa_dmz][][][][][][][][][GET][/affwebservices/CASSO/oidc/authorize?response_type=code&scope=openid%20uid%20email&client_id=00074f98-1f86-1bf5-ac7e-2de60a690000&state=EIZTCaUhTrzUjaHlRl7Q7RAulmM&redirect_uri=http%3A%2F%2Fabc.pqr.com%3A8001%2Fexample%2Fredirect&nonce=DJa-j41HoGKzw7NKwP6b4QSKbyMbWYw7A0W75uTxIOM][][][][][Starting IsProtected processing.][][][][][]
[11/22/2018][06:48:07.257][SmAuthorization.cpp:642][CSmAz::IsProtected][13286][140130924869376][][][][][][][][][][][][][][/affwebservices/casso/oidc/authorize?response_type=code&scope=openid%20uid%20email&client_id=00074f98-1f86-1bf5-ac7e-2de60a690000&state=eiztcauhtrzujahlrl7q7raulmm&redirect_uri=http%3a%2f%2fabc.pqr.com%3a8001%2fexample%2fredirect&nonce=dja-j41hogkzw7nkwp6b4qskbymbwyw7a0w75utxiom][][][][][Not Protected: No matching rules found for resource.][][][][][]

 

SPS trace log:

 

[11/22/2018][06:48:07][16190][140013987833600][299477e5-df7513c7-c46d9a4c-8c475fe9-7534df75-a0][CSmSessionManager::EstablishSession][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmNoAction.]
[11/22/2018][06:48:07][16190][140013987833600][299477e5-df7513c7-c46d9a4c-8c475fe9-7534df75-a0][CSmSessionManager::EstablishSession][Calling SM_WAF_AG_PLUGIN->EstablishSession.]
[11/22/2018][06:48:07][16190][140013987833600][299477e5-df7513c7-c46d9a4c-8c475fe9-7534df75-a0][CSmSessionManager::EstablishSession][SM_WAF_AG_PLUGIN->EstablishSession returned SmNoAction.]
[11/22/2018][06:48:07][16190][140013987833600][299477e5-df7513c7-c46d9a4c-8c475fe9-7534df75-a0][IsResourceProtected][Resource is not protected from Policy Server.]
[11/22/2018][06:48:07][16190][140013987833600][299477e5-df7513c7-c46d9a4c-8c475fe9-7534df75-a0][ProcessResponses][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]
[11/22/2018][06:48:07][16190][140013987833600][299477e5-df7513c7-c46d9a4c-8c475fe9-7534df75-a0][CSmHttpPlugin::ProcessResponses][Processing IsProtected responses.]
[11/22/2018][06:48:07][16190][140013987833600][299477e5-df7513c7-c46d9a4c-8c475fe9-7534df75-a0][ProcessResponses][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]
[11/22/2018][06:48:07][16190][140013987833600][299477e5-df7513c7-c46d9a4c-8c475fe9-7534df75-a0][ProcessResponses][Calling SM_WAF_AG_PLUGIN->ProcessResponses.]
[11/22/2018][06:48:07][16190][140013987833600][299477e5-df7513c7-c46d9a4c-8c475fe9-7534df75-a0][ProcessResponses][SM_WAF_AG_PLUGIN->ProcessResponses returned SmNoAction.]

 

 

I noticed the point below from the doc, so I unprotected /affwebservices/CASSO/oidc/ in the realm, but instead of showing the login pop-up it still directly throws a 400 Bad Request error.

 

Below is my Apache OIDC module configuration:

 

# Off skips TLS certificate verification of the provider endpoints
OIDCSSLValidateServer Off
OIDCProviderIssuer https://xyz.abc.com
# Client ID and secret masked
OIDCClientID ***************************
OIDCClientSecret xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# CA SSO OIDC provider endpoints
OIDCProviderAuthorizationEndpoint https://xyz.abc.com/affwebservices/CASSO/oidc/authorize
OIDCProviderTokenEndpoint https://xyz.abc.com/affwebservices/CASSO/oidc/token
# Callback registered with the provider (plain http)
OIDCRedirectURI http://abc.pqr.com:8001/example/redirect
# Passphrase used to encrypt the module's session/state cookies
OIDCCryptoPassphrase *********
OIDCProviderTokenEndpointAuth client_secret_post
OIDCProviderJwksUri https://xyz.abc.com/affwebservices/CASSO/oidc/jwks?AuthorizationProvider=ABCCorp
OIDCScope "openid uid email"
OIDCProviderUserInfoEndpoint https://xyz.abc.com/affwebservices/CASSO/oidc/userinfo
# Protect the sample application with OpenID Connect
<Location /example/>
    AuthType openid-connect
    Require valid-user
</Location>
AddHandler cgi-script .bat
Options +Indexes +FollowSymLinks +ExecCGI

 

Can someone please help me with what I am missing?

 

Regards

Prashant

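One check worth running before digging further into a 400 from this flow is to compare the authorize request the policy server actually logged against the client-side mod_auth_openidc directives: same authorize path, same client_id, same redirect_uri and scopes, plus the settings that weaken the exchange (OIDCSSLValidateServer Off, a plain-http redirect URI) and whether the policy server treated the authorize resource as Not Protected. The script below is an added example written for this page; it is not code from the post, from CA SSO or from mod_auth_openidc. Its sample inputs are constructed from the post: the masked OIDCClientID/OIDCClientSecret are replaced by placeholders (the client_id value is copied from the trace line), and the two trace lines keep only the bracket fields the checks use. The function names (parse_config, parse_trace, check, run_sample) are this example's own.

```python
"""Cross-check a mod_auth_openidc client configuration against the authorize
request that CA SSO recorded in its policy-server trace.

Added example, not code from the post or from CA SSO / mod_auth_openidc.
Sample inputs are constructed from the post: masked values replaced by
placeholders, trace lines reduced to the fields the checks need.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed from the Apache directives in the post (placeholders for masked values).
SAMPLE_CONFIG = """
OIDCSSLValidateServer Off
OIDCProviderIssuer https://xyz.abc.com
OIDCClientID 00074f98-1f86-1bf5-ac7e-2de60a690000
OIDCClientSecret placeholder-secret
OIDCProviderAuthorizationEndpoint https://xyz.abc.com/affwebservices/CASSO/oidc/authorize
OIDCProviderTokenEndpoint https://xyz.abc.com/affwebservices/CASSO/oidc/token
OIDCRedirectURI http://abc.pqr.com:8001/example/redirect
OIDCProviderTokenEndpointAuth client_secret_post
OIDCScope "openid uid email"
"""

# Constructed from the two IsProtected lines in the policy-server trace
# (empty bracket fields dropped).
SAMPLE_TRACE = [
    "[11/22/2018][06:48:07.257][IsProtected.cpp:98][CSm_Az_Message::IsProtected][GET]"
    "[/affwebservices/CASSO/oidc/authorize?response_type=code&scope=openid%20uid%20email"
    "&client_id=00074f98-1f86-1bf5-ac7e-2de60a690000&state=EIZTCaUhTrzUjaHlRl7Q7RAulmM"
    "&redirect_uri=http%3A%2F%2Fabc.pqr.com%3A8001%2Fexample%2Fredirect"
    "&nonce=DJa-j41HoGKzw7NKwP6b4QSKbyMbWYw7A0W75uTxIOM][Starting IsProtected processing.]",
    "[11/22/2018][06:48:07.257][SmAuthorization.cpp:642][CSmAz::IsProtected]"
    "[/affwebservices/casso/oidc/authorize?response_type=code]"
    "[Not Protected: No matching rules found for resource.]",
]

BRACKET_FIELD = re.compile(r"\[([^\]]*)\]")


def parse_config(text):
    """Map each Apache directive to its (unquoted) argument string."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            cfg[parts[0]] = parts[1].strip().strip('"')
    return cfg


def parse_trace(lines):
    """Return (request path, decoded query params, not_protected flag).

    The first bracket field starting with '/' is the request URI as the
    policy server first logged it (original case); the second line in the
    post repeats it lowercased, so only the first occurrence is used.
    """
    path, params, not_protected = None, {}, False
    for line in lines:
        for field in BRACKET_FIELD.findall(line):
            if path is None and field.startswith("/"):
                parts = urlsplit(field)
                path = parts.path
                # parse_qs percent-decodes, so redirect_uri comes back as a plain URL
                params = {k: v[0] for k, v in parse_qs(parts.query).items()}
            if field.startswith("Not Protected"):
                not_protected = True
    return path, params, not_protected


def check(cfg, path, params, not_protected):
    """Return a list of mismatches and weak settings; an empty list means all clear."""
    findings = []
    auth_path = urlsplit(cfg.get("OIDCProviderAuthorizationEndpoint", "")).path
    if auth_path != path:
        findings.append(f"authorize path: config {auth_path!r} vs request {path!r}")
    # The provider validates these against the registered client, so they must match exactly.
    for qkey, directive in (("client_id", "OIDCClientID"), ("redirect_uri", "OIDCRedirectURI")):
        if params.get(qkey) != cfg.get(directive):
            findings.append(f"{qkey}: request {params.get(qkey)!r} vs {directive} {cfg.get(directive)!r}")
    if set(params.get("scope", "").split()) != set(cfg.get("OIDCScope", "").split()):
        findings.append(f"scope: request {params.get('scope')!r} vs OIDCScope {cfg.get('OIDCScope')!r}")
    if cfg.get("OIDCSSLValidateServer", "On").lower() == "off":
        findings.append("OIDCSSLValidateServer Off: the provider's TLS certificate is not verified")
    for directive in ("OIDCProviderIssuer", "OIDCProviderAuthorizationEndpoint",
                      "OIDCProviderTokenEndpoint", "OIDCRedirectURI"):
        if urlsplit(cfg.get(directive, "")).scheme == "http":
            findings.append(f"{directive} uses plain http")
    if not_protected:
        findings.append("policy server logged the authorize resource as Not Protected "
                        "(no matching rule for the resource)")
    return findings


def run_sample():
    """Run the checks over the constructed config and trace lines."""
    cfg = parse_config(SAMPLE_CONFIG)
    return check(cfg, *parse_trace(SAMPLE_TRACE))


if __name__ == "__main__":
    for finding in run_sample():
        print("-", finding)
```

On the constructed sample the path, client_id, redirect_uri and scopes all agree, so the only findings are the two weak settings and the Not Protected entry; feed it your own httpd.conf text and the IsProtected lines from smtracedefault.log to see whether a mismatch in the request itself is in play.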