Running CA Access Gateway (SPS), randomly users gets return code 403 in the browser

Article ID: 131096


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

We're running CA Access Gateway (SPS), and randomly users get return code 403
in the browser. We want to know why and how to fix this.

Environment

Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP
Component:

Cause

The 403 errors are caused by SAML AuthnRequests the browser sends with an
Issuer (SP ID) that does not exist in the Policy Store:

"myspecifichostname.mydomain.com"

As no partnership is configured for that SP ID, Federation Web Services
(FWS) end the request with HTTP error 400 (Bad Request). Because no
redirection is configured for that error, the SPS Web Server returns
error 403 to the browser.


You can see this in the traces.

Look in FWSTrace.log, and you'll find the incoming request:

[04/16/2019][13:39:45][21468][107805552][36fca6de-d6516145-2a41ff5b-cbf95872-1d88d7c2-1f][SSO.java][getAuthnRequestData][AuthnRequest: 
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
  ID="_9e918f16c2f102fcff36fbb74a672f9a82a6eebf68" Version="2.0" 
  IssueInstant="2019-04-16T13:39:42Z" 
  Destination="https://myprodserver.mydomain.com/affwebservices/public/saml2sso" 
  ForceAuthn="true" 
  AssertionConsumerServiceURL="https://myspecifichostname.mydomain.com/myapp" 
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
<saml:Issuer>myspecifichostname.mydomain.com</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
</samlp:AuthnRequest>] 

which shows the Issuer as myspecifichostname.mydomain.com (the
AssertionConsumerServiceURL points at the same host).

The Federation Service asks the Policy Server for the partnership
configuration of that Issuer, and the Policy Server does not find it in
the Policy Store:

  [04/16/2019][13:39:45][21468][107805552][36fca6de-d6516145-2a41ff5b-cbf95872-1d88d7c2-1f][SAMLTunnelClient.java][getServiceProviderInfoByID][Provider ID: myspecifichostname.mydomain.com.] 

  [04/16/2019][13:39:45][21468][107805552][36fca6de-d6516145-2a41ff5b-cbf95872-1d88d7c2-1f][SAMLTunnelClient.java][getServiceProviderInfoByID][SAMLTunnelStatus: 5, Failed to obtain Service Provider data by provider ID. Provider ID: myspecifichostname.mydomain.com] 

  [04/16/2019][13:39:45][21468][107805552][36fca6de-d6516145-2a41ff5b-cbf95872-1d88d7c2-1f][SAML2Base.java][getServiceProviderInfo][Could not find service provider information for sp: mediab2e.group.echonet Message: Failed to obtain Service Provider data by provider ID. Provider ID: myspecifichostname.mydomain.com.] 

  [04/16/2019][13:39:45][21468][107805552][36fca6de-d6516145-2a41ff5b-cbf95872-1d88d7c2-1f][SSO.java][processRequest][Ending SAML2 Single Sign-On Service request processing with HTTP error 400] 

In the access log of the CA Access Gateway (SPS) Web Server, the same
SAMLRequest is recorded as ending in 403 (HTTP/1.1" 403), which is what
the browser sees:

access_log

  192.168.1.1 - - [16/Apr/2019:13:39:01 +0200] "GET 
  /affwebservices/public/saml2sso?SAMLRequest=fZJBb9swDIX%2Fi 
  qG7LSuuW0dIAmQNhgXotqDJduilkGQ6EWBLmiit27%2BfbHdYN3Q9ESD53g 
  M%2FcIVi6B3fxnAx9%2FAtAobsx9Ab5NNgTaI33ArUyI0YAHlQ%2FLj9eMc 
  [...]
  ieNurYhUIXrkJuDY%2F7JValOdFChosJiqCvNuaI%3D 
  HTTP/1.1" 403 1075 27918 0 - 
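The access log alone only shows an opaque SAMLRequest parameter. To find out which SP sent it, you have to decode the HTTP-Redirect binding (URL-decode, base64-decode, raw inflate) and read the Issuer, exactly as FWS does before it queries the Policy Server. The script below is an added example, not part of this article or of the product; it builds a constructed AuthnRequest modelled on the one in FWSTrace.log above, encodes it into a constructed access_log line, then decodes lines back and reports any Issuer that has no partnership. The KNOWN_SP_IDS set and the second client IP are assumptions for the example.

```python
import base64
import re
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumption for this example: the SP IDs (remote entity IDs) that actually
# have a partnership in the Policy Store. Constructed, not from the article.
KNOWN_SP_IDS = {"knownpartner.mydomain.com"}

# Constructed AuthnRequest modelled on the one shown in FWSTrace.log.
AUTHN_REQUEST_TEMPLATE = (
    '<samlp:AuthnRequest xmlns:samlp="{samlp}" xmlns:saml="{saml}" '
    'ID="_9e918f16c2f102fcff36fbb74a672f9a82a6eebf68" Version="2.0" '
    'IssueInstant="2019-04-16T13:39:42Z" '
    'Destination="https://myprodserver.mydomain.com/affwebservices/public/saml2sso" '
    'ForceAuthn="true" '
    'AssertionConsumerServiceURL="https://{issuer}/myapp" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>{issuer}</saml:Issuer>'
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" '
    'AllowCreate="true"/>'
    '</samlp:AuthnRequest>'
)


def build_authn_request(issuer):
    return AUTHN_REQUEST_TEMPLATE.format(samlp=SAMLP, saml=SAML, issuer=issuer)


def encode_saml_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    deflated = c.compress(xml_text.encode("utf-8")) + c.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_saml_redirect(param):
    """Reverse of encode_saml_redirect: URL-decode, base64-decode, raw inflate."""
    raw = base64.b64decode(urllib.parse.unquote(param))
    return zlib.decompress(raw, -15).decode("utf-8")


def make_access_log_line(client_ip, saml_request_param, status, size):
    """Constructed access_log line in the same layout as the article's excerpt."""
    return (f'{client_ip} - - [16/Apr/2019:13:39:01 +0200] '
            f'"GET /affwebservices/public/saml2sso?SAMLRequest={saml_request_param} HTTP/1.1" '
            f'{status} {size} 27918 0 -')


LOG_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def triage_log_line(line, known_sp_ids):
    """Pull Issuer and ACS URL out of the SAMLRequest of a saml2sso access-log
    line and say whether that Issuer has a partnership. None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    path = m.group("path")
    if "/affwebservices/public/saml2sso" not in path or "SAMLRequest=" not in path:
        return None
    query = urllib.parse.urlsplit(path).query
    # Split by hand: urllib.parse.parse_qs turns a literal '+' into a space,
    # which would corrupt base64 if the SP did not percent-encode it.
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    root = ET.fromstring(decode_saml_redirect(params["SAMLRequest"]))
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    return {
        "status": m.group("status"),
        "issuer": issuer,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "has_partnership": issuer in known_sp_ids,
    }


def unknown_issuers(lines, known_sp_ids):
    """Issuers seen in SAMLRequests with no partnership, and the statuses they got."""
    result = {}
    for line in lines:
        t = triage_log_line(line, known_sp_ids)
        if t and not t["has_partnership"]:
            result.setdefault(t["issuer"], set()).add(t["status"])
    return result


# Constructed sample lines: the article's case (unknown SP, answered 403)
# and a known partner (answered 200) for contrast.
SAMPLE_LINES = [
    make_access_log_line("192.168.1.1",
                         encode_saml_redirect(build_authn_request("myspecifichostname.mydomain.com")),
                         403, 1075),
    make_access_log_line("192.168.1.2",
                         encode_saml_redirect(build_authn_request("knownpartner.mydomain.com")),
                         200, 3410),
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(triage_log_line(sample, KNOWN_SP_IDS))
    print("issuers without a partnership:", unknown_issuers(SAMPLE_LINES, KNOWN_SP_IDS))
```

Run it over a real access_log with the SP IDs of your configured partnerships in KNOWN_SP_IDS and the output tells you which hosts are sending AuthnRequests that FWS cannot match; those are the ones behind the 403s. The AuthnRequest is not signed in the article's trace, so anything on the client side can send one with any Issuer, which is why an unexpected Issuer is worth checking against the ACS URL before adding a partnership for it.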
 

Resolution

Configure a SAML2 partnership for the SP whose Issuer is
"myspecifichostname.mydomain.com" so that Federation Web Services can
find its configuration in the Policy Store and handle these requests.
Until that partnership exists, every AuthnRequest from that Issuer will
end in a 400 from FWS and a 403 at the browser.