SP initiated request fails, SiteMinder rejects it with SAMLResponse=no

Article ID: 134399

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On SITEMINDER

Issue/Introduction


SiteMinder acts as the IdP.

When AWS, acting as the SP, sends an SP-initiated AuthnRequest (the SAMLRequest parameter) whose IssueInstant attribute includes milliseconds, SiteMinder rejects it with SAMLResponse=no.

Compare the IssueInstant attribute of the AuthnRequest. In a working transaction it has whole-second precision, for example IssueInstant="2004-12-05T09:21:59Z".

In the non-working transaction, the AuthnRequest has IssueInstant="2019-06-04T18:56:46.111Z", with an extra millisecond fraction.

If the partner manually edits the AuthnRequest to remove the millisecond fraction (.111), the request succeeds.
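The distinguishing detail above is the IssueInstant attribute of the AuthnRequest, an xs:dateTime that SAML 2.0 allows to carry fractional seconds. The Python script below is an added example, not code from this article, from CA/Broadcom or from AWS: it decodes a SAMLRequest as sent over the HTTP-Redirect binding (base64 over raw DEFLATE), reports whether IssueInstant has a sub-second component, and applies the partner's manual workaround of truncating it to whole seconds, so a request captured from the SP can be checked against this trigger before opening a support case. The sample AuthnRequest, its ID and the sp.example.com URLs are constructed placeholders.

```python
"""
Inspect and normalise the IssueInstant of a SAML 2.0 AuthnRequest carried
in the HTTP-Redirect binding (base64 over raw DEFLATE).

Added example for this article; the AuthnRequest below is constructed and
is not the real request from the AWS/SiteMinder transaction.
"""
import base64
import re
import zlib
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed AuthnRequest with a millisecond fraction in IssueInstant, the
# shape rejected by 12.8 SP1. ID and URLs are placeholders, not real values.
SAMPLE_AUTHN_REQUEST = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example0123456789" Version="2.0" '
    'IssueInstant="2019-06-04T18:56:46.111Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml/acs" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

# UTC xs:dateTime as SAML requires: whole seconds, optional fraction, trailing Z.
ISSUE_INSTANT_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(\.\d+)?Z$"
)
# Matches only an IssueInstant attribute that carries a fraction.
FRACTIONAL_ATTR_RE = re.compile(
    r'IssueInstant="(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+Z"'
)


def encode_redirect_request(xml_text: str) -> str:
    """Produce the SAMLRequest value for HTTP-Redirect: raw DEFLATE
    (no zlib header, wbits=-15) followed by base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_request(saml_request: str) -> str:
    """Reverse of encode_redirect_request: base64 then raw INFLATE."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")


def get_issue_instant(xml_text: str) -> str:
    """Return the IssueInstant attribute of a samlp:AuthnRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    return root.attrib["IssueInstant"]


def has_fractional_seconds(issue_instant: str) -> bool:
    """True when the timestamp has a sub-second part, e.g. '...:46.111Z'."""
    m = ISSUE_INSTANT_RE.match(issue_instant)
    if not m:
        raise ValueError(f"IssueInstant is not a UTC xs:dateTime: {issue_instant!r}")
    return m.group(2) is not None


def strip_fractional_seconds(xml_text: str) -> str:
    """The partner's manual workaround: drop the fraction from IssueInstant.
    Done as a textual edit so the rest of the document stays byte-identical."""
    return FRACTIONAL_ATTR_RE.sub(r'IssueInstant="\1Z"', xml_text, count=1)


def check_request(saml_request_b64: str) -> dict:
    """Decode a SAMLRequest parameter (already URL-decoded) and report whether
    IssueInstant carries fractional seconds, plus the normalised request."""
    xml_text = decode_redirect_request(saml_request_b64)
    instant = get_issue_instant(xml_text)
    fractional = has_fractional_seconds(instant)
    fixed_xml = strip_fractional_seconds(xml_text) if fractional else xml_text
    return {
        "issue_instant": instant,
        "fractional_seconds": fractional,
        "normalised_issue_instant": get_issue_instant(fixed_xml),
        "normalised_saml_request": encode_redirect_request(fixed_xml),
    }


if __name__ == "__main__":
    report = check_request(encode_redirect_request(SAMPLE_AUTHN_REQUEST))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it as a script to see the report for the constructed request, or call check_request() on a SAMLRequest query parameter captured from the SP (URL-decode it first). Rewriting IssueInstant changes the bytes the SP signed: if the SP signs its requests (a Signature element inside the XML, or SigAlg and Signature query parameters on the redirect), the edited request will fail signature validation, so the truncation is a diagnostic for confirming the trigger, not a production fix; the fix is the upgrade under Resolution.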

When the request fails, the Policy Server receives it and throws the following exception in its trace log:

  [06/04/2019][13:57:31.912][13:57:31][30585][139936124622592][AuthnRequestProtocol.java][setAuthnRequest][][][][][][][][][][][][][][][][][][][][][AuthnRequest is received.
  <?xml versn][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  [06/04/2019][13:57:31.912][13:57:31][30585][139936124622592][AuthnRequestProtocol.java][setAuthnRequest][][][][][][][][][][][][][][][][][][][][][<?xml versn][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  [06/04/2019][13:57:31.918][13:57:31][30585][139936124622592][AssertionGenerator.java][invoke][][][][][][][][][][][][][][][][][][][][][Error in getting configuration data. Leaving Assertion Generator Framework.  Exception:
  java.lang.Exception: The Federation Web Service didn't send the request with a correct resource! Internal Exception:
   javax.xml.bind.UnmarshalException: XML document structures must start and end within the same entity.
   - with linked exception:
  [org.xml.sax.SAXParseException: XML document structures must start and end within the same entity.]
  at com.netegrity.SAML2Gen.impl.runtime.SAXUnmarshallerHandlerImpl.handleEvent(Unknown Source)
  at com.netegrity.SAML2Gen.impl.runtime.ErrorHandlerAdaptor.propagateEvent(Unknown Source)
  at com.netegrity.SAML2Gen.impl.runtime.ErrorHandlerAdaptor.fatalError(Unknown Source)

  [...omitted for brevity...]

  at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(ActiveExpressionContext.java:282)
  Caused by: org.xml.sax.SAXParseException: XML document structures must start and end within the same entity.

  [...omitted for brevity...]

  at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(ActiveExpressionContext.java:282)


Environment


  Policy Server 12.8 SP1 (Build 1775) on Red Hat 7;
  Policy Store: LDAP


Cause


This is a defect in the 12.8 SP1 release, introduced by the Bouncy Castle library upgrade.

The root cause is not the IssueInstant format itself, as defect DE420988 indicates, but that 12.8 SP1 does not decode the AuthnRequest correctly.

Because an exception is thrown on the timestamp format, only a fragment of the AuthnRequest XML is decoded (the trace shows just <?xml versn), and the truncated document then fails XML parsing with "XML document structures must start and end within the same entity".

This product defect is fixed in the standard 12.8 SP2 release by changing the underlying XML parser library.


Resolution


Upgrade the Policy Server and the CA Access Gateway (SPS) to the latest version (12.8 SP2 or later, which contains the fix) to resolve the issue (1).


Additional Information