Patrick-Dussault

Tech Tip : CA Single Sign-On : Running CA Access Gateway (SPS), randomly users gets return code 403 in the browser

Discussion created by Patrick-Dussault Employee on Apr 18, 2019

Issue:

 

We're running CA Access Gateway (SPS), randomly users gets return code 403
in the browser and we want to know why and how to fix this.

 

Cause:

 

The 403 errors are mainly due to unexisting SPID that the browser sends.

 

"myspecifichostname.mydomain.com"

 

in the Policy Store. As there's no configuration for that SPID, so the
Federation Services return error 400 (bad request) and as there no
redirection configured, SPS Web Server returns to the browser
error 403.

 

You can see that from the traces :

 

Look in FWSTrace.log, and you'll find this request :

 

[04/16/2019][13:39:45][21468][107805552][36fca6de-d6516145-
2a41ff5b-cbf95872-1d88d7c2-1f][SSO.java][getAuthnRequestData][AuthnRequest:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_9e918f16c2f102fcff36fbb74a672f9a82a6eebf68" Version="2.0"
IssueInstant="2019-04-16T13:39:42Z"
Destination="https://myprodserver.mydomain.com/affwebservices/public/saml2sso"
ForceAuthn="true"
AssertionConsumerServiceURL="https://myspecifichostname.mydomain.com/myapp"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
<saml:Issuer>myspecifichostname.mydomain.com</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
</samlp:AuthnRequest>]

 

which shows the issuer as myspecifichostname.mydomain.com.

The Federation Service ask the Policy Server to get all configuration
data for that Issuer, and as the Policy Server doesn't find it in the
Policy Store data :

 

[04/16/2019][13:39:45][21468][107805552][36fca6de-d6516145-
2a41ff5b-cbf95872-1d88d7c2-1f][SAMLTunnelClient.java][getSe
rviceProviderInfoByID][Provider
ID: myspecifichostname.mydomain.com.]

[04/16/2019][13:39:45][21468][107805552][36fca6de-d6516145-
2a41ff5b-cbf95872-1d88d7c2-1f][SAMLTunnelClient.java][getSe
rviceProviderInfoByID][SAMLTunnelStatus:
5, Failed to obtain Service Provider data by provider ID. Provider
ID: myspecifichostname.mydomain.com]

 

[04/16/2019][13:39:45][21468][107805552][36fca6de-d6516145- 

2a41ff5b-cbf95872-1d88d7c2-1f][SAML2Base.java][getServiceProviderInfo][Could
not find service provider information for sp: mediab2e.group.echonet
Message: Failed to obtain Service Provider data by provider
ID. Provider ID: myspecifichostname.mydomain.com.]

[04/16/2019][13:39:45][21468][107805552][36fca6de-d6516145-
2a41ff5b-cbf95872-1d88d7c2-1f][SSO.java][processRequest][Ending
SAML2 Single Sign-On Service request processing with HTTP error 400]

And you'll see in the resulting access log of the CA Access Gateway
(SPS) Web Server which shows a SAMLRequest ending in 403
(HTTP/1.1" 403) :

 

access_log

 

192.168.1.1 - - [16/Apr/2019:13:39:01 +0200] "GET
/affwebservices/public/saml2sso?SAMLRequest=fZJBb9swDIX%2Fi
qG7LSuuW0dIAmQNhgXotqDJduilkGQ6EWBLmiit27%2BfbHdYN3Q9ESD53g
M%2FcIVi6B3fxnAx9%2FAtAobsx9Ab5NNgTaI33ArUyI0YAHlQ%2FLj9eMc
[...]
ieNurYhUIXrkJuDY%2F7JValOdFChosJiqCvNuaI%3D
HTTP/1.1" 403 1075 27918 0 -

Resolution:

 

Configure properly partnership for the SP issuer
"myspecifichostname.mydomain.com" in order to be able to handle these
requests.

 

KB : KB000131096

Outcomes