SP-init flow issue with pre-existing SSO session with 12.8 CA SSO

Article Id: 111649
Status: Published
Updated On: 22-10-2019 09:52
Products:
CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On CA Single Sign-On
Issue/Introduction:

We're running Policy Server 12.8SP0 and this one doesn't seem to be

able to validate existing SMSESSION cookie in SP Initiated Post

transaction.


We see the following error in the Policy Server traces :


   [08/13/2018][09:57:49.227][09:57:49][532][139977941837568][AssertionGenerator.java]

   [invoke][385fb99d-c4caacc3-b2480891-4285df97-2cb4af88-07][][][][][][][][][][][][][][][][][][][][Error

   in getting configuration data. Leaving Assertion Generator

   Framework. Exception:


   java.lang.Exception: The Federation Web Service didn't send the

   request with a correct resource! Internal Exception:


   java.lang.IllegalArgumentException: Input byte array has incorrect

   ending byte at 28


We've tried also on our Policy Server 12.7SP2, and for the same

transaction this one returns similar error :


   [3630/139941835171584][Mon Aug 20 2018

   14:39:44][AssertionGenerator.java][ERROR][sm-FedServer-00050] Error

   in getting configuration data. Leaving Assertion Generator

   Framework.nStack Trace:njava.lang.Exception: The Federation Web

   Service didn't send the request with a correct resource! Internal

   Exception:


   java.lang.IllegalArgumentException: Input byte array has wrong

   4-byte ending unit


   at java.util.Base64$Decoder.decode0(Base64.java:704) 

   at java.util.Base64$Decoder.decode(Base64.java:526) 

   at java.util.Base64$Decoder.decode(Base64.java:549) 

   at com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol.init(Unknown Source) 

   at com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20.getConfig(Unknown Source) 

   at com.netegrity.assertiongenerator.AssertionGenerator.invoke(Unknown Source) 

   at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(ActiveExpressionContext.java:282) 


   at com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20.getConfig(Unknown Source) 

   at com.netegrity.assertiongenerator.AssertionGenerator.invoke(Unknown Source) 

   at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(ActiveExpressionContext.java:282)


How can we fix that ?


Cause:

This issue is fixed in Policy Server 12.8SP1


Defects Fixed in 12.8.01


  01148879, 01165951,

  01171578, 01172587

  DE380366 An HTTP-POST request fails in a browser that already contains an SMSESSION cookie.


https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/release-notes/service-packs/defects-fixed-in-12-8-01.html


Environment:

Policy Server: 12.8
OS: RHEL & Windows

Resolution:

Upgrade the Policy Server to 12.8SP1 to solve this issue.