Single Sign On Siteminder - Logout Issue

Article ID: 130295

Products

  CA Single Sign On Secure Proxy Server (SiteMinder);
  CA Single Sign On SOA Security Manager (SiteMinder);
  CA Single Sign-On;

Issue/Introduction

We're running Federation Services, and when a user logs out, the
browser receives a SOAP message exception like this one:

  https://fed.mydomain.com/affwebservices/public/saml2slo?dsadasdefggasdsad [...] 

  Etat HTTP 500 - Une erreur interne s'est produite lors de la 
  tentative de traitement de la demande de déconnexion. Echec de la 
  transaction avec l'ID 
  1aacc1ea-8bf91faf-3a1fe03e-f78a7787-2b3318f4-1d 

  Apache Tomcat/7.0.88 

We can see the error in the traces, and the Web Agent Option Pack
returns code 500:

  [03/20/2019][10:46:29][2528][9424][1aacc1ea-8bf91faf-3a1fe03e 
  -f78a7787-2b3318f4-1d][SLOService.java][handleLogout][ 

  TUNNEL STATUS: 
  status : 2 
  message : No SOAP or Redirect or Post binding configured 
  for provider Provider ID: myproviderid.mydomain.com]

  [03/20/2019][10:46:29][2528][9424][1aacc1ea-8bf91faf-3a1fe03e 
  -f78a7787-2b3318f4-1d][SLOService.java][doGet][Transaction 
  with ID: 1aacc1ea-8bf91faf-3a1fe03e-f78a7787-2b3318f4-1d 
  failed. Reason: SLO_GET_EXCEPTION] 

  [03/20/2019][10:46:29][2528][9424][1aacc1ea-8bf91faf-3a1fe03e 
  -f78a7787-2b3318f4-1d][SLOService.java][doGet][Exception 
  caught in class 
  com.netegrity.affiliateminder.webservices.saml2.SLOService, method 
  doGet: java.lang.NullPointerException 
  java.lang.NullPointerException 
  at 
  com.netegrity.affiliateminder.webservices.saml2.SLOService.a 
  (DashoA10*..:1111) 

  [03/20/2019][10:46:29][2528][9424][1aacc1ea-8bf91faf-3a1fe03e 
  -f78a7787-2b3318f4-1d][SLOService.java][doGet][Ending 
  SAML2 Single Logout Service request processing with HTTP error 500] 
 

Cause

The SAML SLO document that the Web Agent Option Pack receives is for
the SP "myproviderid.mydomain.com":

<LogoutRequest
Destination="https://fed.mydomain.com/affwebservices/public/saml2slo"
ID="444444444-4444-4444-4444-444444444444"
IssueInstant="2019-03-20T09:46:29.167Z" Version="2.0"
xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:ns4="http://www.w3.org/2001/04/xmlenc#"
xmlns:ns3="http://www.w3.org/2000/09/xmldsig#">
<ns2:Issuer>myproviderid.mydomain.com</ns2:Issuer><ns2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">711157
</ns2:NameID><SessionIndex>NaSMsGamadsdqwXqsSs1ALya3Vs61GU=l7fVqg==</SessionIndex>
</LogoutRequest>

The Legacy Federation SP "myproviderid.mydomain.com" is configured
with 2 endpoints for SLO:

 - each endpoint has the same index;
 - no endpoint is defined as default, so there is no default;

From the export of the Policy Store :

<ReferenceValue ReferenceId="Ref00444"> 
<StringValue>myproviderid.mydomain.com</StringValue> 

<Object Class="CA.FED::SPBase" 
Xid="CA.FED::[email protected]"
Name="CA.FED::SPBase.SPID"> 
<StringValue>myproviderid.mydomain.com</StringValue> 

<Property Name="CA.FED::SPBase.Name"> 
<StringValue>SP_Name</StringValue> 

The SP has 2 endpoints defined:

<Property Name="CA.FED::SPBase.SLOSvcsLink"> 
<LinkValue> 
<XID>CA.FED::[email protected]</XID> 
<LinkValue> 
<XID>CA.FED::[email protected]</XID> 
                      
and neither of them is set as default, and both have the index value
set to 0:

<Object Class="CA.FED::Endpoint" 
Xid="CA.FED::[email protected]
UpdatedBy="XPSDictionary::Import" UpdateMethod="Internal" 
ExportType="Replace"> 

  <Property Name="CA.FED::Endpoint.Index"> 
  <NumberValue>0</NumberValue> 
  <Property Name="CA.FED::Endpoint.IsDefault"> 
  <BooleanValue>false</BooleanValue> 

<Object Class="CA.FED::Endpoint" 
Xid="CA.FED::[email protected]
UpdatedBy="XPSDictionary::Import" UpdateMethod="Internal" 
ExportType="Replace"> 

  <Property Name="CA.FED::Endpoint.Index"> 
  <NumberValue>0</NumberValue> 
  <Property Name="CA.FED::Endpoint.IsDefault"> 
  <BooleanValue>false</BooleanValue> 
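As an added example (not from this article or from CA), a small Python check that reads an XPS export with the structure shown above and reports exactly the two conditions in the Cause: SLO endpoints of one SP sharing an index, and no endpoint marked as default. The closing tags, the Xid values and the nesting of the sample export are assumptions, since the page shows only fragments.

```python
import xml.etree.ElementTree as ET

# Constructed sample mimicking the export fragments above. The closing tags,
# the Xid values and the exact nesting are assumptions; the page shows only fragments.
SAMPLE_EXPORT = """<Export>
<Object Class="CA.FED::SPBase" Xid="CA.FED::SPBase@sp1" Name="CA.FED::SPBase.SPID">
<StringValue>myproviderid.mydomain.com</StringValue>
<Property Name="CA.FED::SPBase.SLOSvcsLink">
<LinkValue><XID>CA.FED::Endpoint@ep1</XID></LinkValue>
<LinkValue><XID>CA.FED::Endpoint@ep2</XID></LinkValue>
</Property></Object>
<Object Class="CA.FED::Endpoint" Xid="CA.FED::Endpoint@ep1">
<Property Name="CA.FED::Endpoint.Index"><NumberValue>0</NumberValue></Property>
<Property Name="CA.FED::Endpoint.IsDefault"><BooleanValue>false</BooleanValue></Property>
</Object>
<Object Class="CA.FED::Endpoint" Xid="CA.FED::Endpoint@ep2">
<Property Name="CA.FED::Endpoint.Index"><NumberValue>0</NumberValue></Property>
<Property Name="CA.FED::Endpoint.IsDefault"><BooleanValue>false</BooleanValue></Property>
</Object></Export>"""


def _prop(obj, name):
    """Text of the value element under Property[@Name=name], or None if absent."""
    prop = obj.find(f"Property[@Name='{name}']")
    return None if prop is None or len(prop) == 0 else (prop[0].text or "").strip()


def slo_endpoint_problems(export_xml, sp_id):
    """Return the SLO endpoint misconfigurations of sp_id (empty list means OK)."""
    objects = list(ET.fromstring(export_xml).iter("Object"))
    sps = [o for o in objects if o.get("Class") == "CA.FED::SPBase"
           and (o.findtext("StringValue") or "").strip() == sp_id]
    if not sps:
        return [f"no CA.FED::SPBase object with SPID {sp_id}"]
    endpoints = {o.get("Xid"): o for o in objects if o.get("Class") == "CA.FED::Endpoint"}
    # Follow the SLOSvcsLink references to the Endpoint objects of this SP
    links = [x.text.strip() for x in
             sps[0].findall("Property[@Name='CA.FED::SPBase.SLOSvcsLink']/LinkValue/XID")]
    problems, seen = [], {}
    for xid in links:
        ep = endpoints.get(xid)
        if ep is None:
            problems.append(f"SLO link {xid} points at no Endpoint object")
            continue
        idx = _prop(ep, "CA.FED::Endpoint.Index")
        if idx in seen:  # two endpoints with the same index: the fault in the Cause
            problems.append(f"endpoints {seen[idx]} and {xid} share index {idx}")
        seen.setdefault(idx, xid)
    if not any(_prop(endpoints[x], "CA.FED::Endpoint.IsDefault") == "true"
               for x in links if x in endpoints):
        problems.append("no SLO endpoint has IsDefault=true")
    return problems
```

Run against the constructed export it reports both faults; after giving one endpoint a distinct index and IsDefault=true it reports nothing.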

Per the documentation, you need to define a default endpoint and a
different index for each endpoint, and the incoming SAML document should
carry a ProtocolBinding or AssertionConsumerServiceIndex property:

Define Indexed Endpoints for Different Single Sign-on Bindings 

Note: If your network contains different CA Single Sign-On versions, 
you cannot configure indexed endpoints. For example, you cannot 
configure indexed endpoints if the Service Provider is r12.0 SP 2 and 
the Identity Provider is r12.0 SP3. Configure only one Assertion 
Consumer Service for both HTTP bindings. 

Using indexed endpoints, the sequence of events is as follows: 

1. The user selects a link to authenticate with a specific IdP. The 
link contains the IdP ID and AssertionConsumerServiceIndex as query 
parameters because the index feature is enabled. 

2. The SP Federation Web Services (FWS) application asks for an 
AuthnRequest from its local Policy Server. The request that it 
sends includes the IdP ID and optionally, the 
AssertionConsumerServiceIndex and ForceAuthn query parameters. 

A protocol binding is not part of the request because the ACS 
Index and the Protocol Binding parameters are mutually 
exclusive. The AssertionConsumerServiceIndex is already 
associated with a binding so there is no need to specify a 
Protocol Binding value. If the protocol binding and the 
AssertionConsumerServiceIndex are passed as query parameters, the 
local Policy Server responds with an error denying the request. 

https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/legacy-federation/single-sign-on-configuration-for-saml-2-0#SingleSign-onConfigurationforSAML2.0-DefineIndexedEndpointsforDifferentSingleSign-onBindings 
 

Environment

  Web Agent Option Pack 12.52SP1CR09 on Windows; 
  Policy Server 12.8 on Windows 2016; 
  Session Store on ODBC; 
 

Resolution

To solve the issue:

- Among the Federation endpoints, select one as the default index;

- Among the Federation endpoints, set a different index on each one;

- Configure the SAMLRequest for SLO to specify the
  AssertionConsumerServiceIndex or ProtocolBinding property;