Randomly users get return code 403 in the browser in SPS

Article ID: 131096

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign-On SITEMINDER
CA Single Sign On Federation (SiteMinder)

Issue/Introduction


When running CA Access Gateway (SPS), users randomly receive return code 403 in the browser.

 

Cause

 
Most of these 403 errors are caused by the browser sending a SAML AuthnRequest whose SP ID (the value of the Issuer element), here
 
  myspecifichostname.example.com 
 
does not exist in the Policy Store.
 
Because no partnership is configured for that SP ID, Federation Web Services end the request with error 400 (bad request); since no redirection is configured for that outcome, the SPS web server returns error 403 to the browser. 
 
Take this AuthnRequest logged in the SPS FWSTrace.log:
 
  [04/16/2019][13:39:45][21468][107805552][][SSO.java][getAuthnRequestData][AuthnRequest: 
  <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
      ID="_9e918f16c2f102fcff36fbb74a672f9a82a6eebf68" Version="2.0" 
      IssueInstant="2019-04-16T13:39:42Z" 
      Destination="https://myprodserver.example.com/affwebservices/public/saml2sso" 
      ForceAuthn="true" 
      AssertionConsumerServiceURL="https://myspecifichostname.example.com/myapp" 
      ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
    <saml:Issuer>myspecifichostname.example.com</saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
  </samlp:AuthnRequest>] 
 
which shows the issuer as myspecifichostname.example.com.
 
The Federation Service asks the Policy Server for the configuration data of that Issuer, and the Policy Server does not find it in the Policy Store, so the request ends with HTTP 400:
 
  [04/16/2019][13:39:45][21468][107805552][][SAMLTunnelClient.java][getServiceProviderInfoByID][Provider ID: myspecifichostname.example.com.] 
  [04/16/2019][13:39:45][21468][107805552][][SAMLTunnelClient.java][getServiceProviderInfoByID][SAMLTunnelStatus: 5, Failed to obtain Service Provider data by provider ID. Provider ID: myspecifichostname.example.com] 
  [04/16/2019][13:39:45][21468][107805552][][SAML2Base.java][getServiceProviderInfo][Could not find service provider information for sp: machine.example.net Message: Failed to obtain Service Provider data by provider ID. Provider ID: myspecifichostname.example.com.] 
  [04/16/2019][13:39:45][21468][107805552][][SSO.java][processRequest][Ending SAML2 Single Sign-On Service request processing with HTTP error 400] 
 
The access log of the CA Access Gateway (SPS) web server then shows the same SAMLRequest ending in a 403 (HTTP/1.1" 403):
 
access_log:
 
  192.168.1.1 - - [16/Apr/2019:13:39:01 +0200] "GET /affwebservices/public/saml2sso?SAMLRequest=<value> HTTP/1.1" 403 1075 27918 0 - 
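The chain above (unknown Issuer in the AuthnRequest, SAMLTunnelStatus 5 from the Policy Server, HTTP 400 from Federation Web Services, 403 in the access log) can be checked without reading the trace by hand. The following Python script is an added example, not code from the article or from CA: it decodes the SAMLRequest parameter of access_log lines (HTTP-Redirect binding: URL-decode, base64-decode, raw inflate), reads the Issuer, compares it with the SP IDs you have partnerships for, and pulls the failed Provider IDs out of FWSTrace.log lines. The configured SP ID set, the second and third access_log lines and the Redirect-encoded SAMLRequest values are constructed for the example; the AuthnRequest body and the trace lines are taken from the article.

```python
"""Added example, not from the CA/Broadcom article: decode the SAMLRequest seen in
the SPS access_log, extract the SAML Issuer (the SP ID the Policy Server looks up),
and flag issuers that have no configured partnership.  Sample data is constructed."""
import base64
import re
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# AuthnRequest body from the article's FWSTrace.log excerpt, minus line breaks.
AUTHN_REQUEST_XML = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_9e918f16c2f102fcff36fbb74a672f9a82a6eebf68" Version="2.0" '
    'IssueInstant="2019-04-16T13:39:42Z" '
    'Destination="https://myprodserver.example.com/affwebservices/public/saml2sso" '
    'ForceAuthn="true" '
    'AssertionConsumerServiceURL="https://myspecifichostname.example.com/myapp" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    "<saml:Issuer>myspecifichostname.example.com</saml:Issuer>"
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" '
    'AllowCreate="true"/></samlp:AuthnRequest>'
)

def encode_redirect_binding(xml_text):
    """HTTP-Redirect binding encoding: raw DEFLATE, base64, URL-encode.
    Used here only to build realistic sample access_log lines."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")

def decode_saml_request(param):
    """Reverse of the above; falls back to plain base64 (no DEFLATE) for POST-style values."""
    raw = base64.b64decode(urllib.parse.unquote(param))
    try:
        return zlib.decompress(raw, -15).decode("utf-8")
    except zlib.error:
        return raw.decode("utf-8")

def issuer_of(xml_text):
    """Return the <saml:Issuer> of an AuthnRequest, or None if it has none."""
    el = ET.fromstring(xml_text).find(f"{{{SAML}}}Issuer")
    return el.text.strip() if el is not None and el.text else None

# Fields of an SPS-style access_log line, up to the HTTP status code.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# FWSTrace.log line where the Policy Server could not find the SP (SAMLTunnelStatus 5).
TRACE_FAIL_RE = re.compile(
    r"\[SAMLTunnelClient\.java\]\[getServiceProviderInfoByID\]\[SAMLTunnelStatus: 5, "
    r".*?Provider ID: (?P<sp>[^\s\]]+?)\.?\]"
)

def audit_access_log(lines, configured_sp_ids):
    """For each saml2sso request return (issuer, partnership_exists, http_status).
    An undecodable SAMLRequest yields issuer None, which also deserves a look."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or "/affwebservices/public/saml2sso" not in m["target"]:
            continue
        # Not parse_qs: it turns '+' into a space and would corrupt the base64 value.
        q = re.search(r"[?&]SAMLRequest=([^&\s]+)", m["target"])
        if not q:
            continue
        try:
            issuer = issuer_of(decode_saml_request(q.group(1)))
        except (ValueError, zlib.error, ET.ParseError):
            issuer = None
        findings.append((issuer, issuer in configured_sp_ids, int(m["status"])))
    return findings

def failed_provider_ids(trace_lines):
    """Provider IDs the Policy Server failed to look up, from FWSTrace.log lines."""
    return [m["sp"] for m in map(TRACE_FAIL_RE.search, trace_lines) if m]

# Constructed sample data: hypothetical partner SP ID, log lines shaped like the article's.
CONFIGURED_SP_IDS = {"https://knownpartner.example.com/sp"}
_known_xml = AUTHN_REQUEST_XML.replace(
    "<saml:Issuer>myspecifichostname.example.com<", "<saml:Issuer>https://knownpartner.example.com/sp<")
SAMPLE_ACCESS_LOG = [
    '192.168.1.1 - - [16/Apr/2019:13:39:01 +0200] "GET /affwebservices/public/saml2sso?SAMLRequest='
    + encode_redirect_binding(AUTHN_REQUEST_XML) + ' HTTP/1.1" 403 1075 27918 0 -',
    '192.168.1.2 - - [16/Apr/2019:13:40:10 +0200] "GET /affwebservices/public/saml2sso?SAMLRequest='
    + encode_redirect_binding(_known_xml) + ' HTTP/1.1" 302 0 3112 0 -',
    '192.168.1.3 - - [16/Apr/2019:13:41:00 +0200] "GET /siteminderagent/forms/login.fcc HTTP/1.1" 200 512 0 0 -',
]
SAMPLE_TRACE_LOG = [  # the two lookup lines from the article's FWSTrace.log excerpt
    "[04/16/2019][13:39:45][21468][107805552][][SAMLTunnelClient.java][getServiceProviderInfoByID]"
    "[Provider ID: myspecifichostname.example.com.]",
    "[04/16/2019][13:39:45][21468][107805552][][SAMLTunnelClient.java][getServiceProviderInfoByID]"
    "[SAMLTunnelStatus: 5, Failed to obtain Service Provider data by provider ID. "
    "Provider ID: myspecifichostname.example.com]",
]

if __name__ == "__main__":
    for issuer, known, status in audit_access_log(SAMPLE_ACCESS_LOG, CONFIGURED_SP_IDS):
        print(f"issuer={issuer!r} partnership={'yes' if known else 'NO'} status={status}")
    print("SP IDs the Policy Server could not find:", failed_provider_ids(SAMPLE_TRACE_LOG))
```

Replace the sample lists with the real access_log and FWSTrace.log contents and the set of SP IDs from your partnerships; an Issuer reported with partnership=NO is the SP ID to look for in the Policy Store. An Issuer in the access log that never appears in FWSTrace.log is worth a second look too, since it means the request did not reach Federation Web Services at all.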
 

 

Resolution


Configure the partnership for the SP issuer "myspecifichostname.example.com" properly so that these requests can be handled. The Policy Server looks the partner up by the Provider ID, so the SP ID of the partnership must match the Issuer value the SP sends exactly.

If the partnership is already configured, fix the Policy Store data: inconsistencies there can lead to the same problem.

If the Issuer is not a partner you intend to federate with, leave it unconfigured; the 403 is then the expected outcome for requests from an unknown SP, and the Provider ID logged in FWSTrace.log tells you which client is sending them.