SP-initiated request is failing; SiteMinder rejects it with SAMLResponse=no.

Article ID: 134399

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On SITEMINDER

Issue/Introduction

SiteMinder is the IdP.

AWS sends an SP-initiated AuthnRequest (SAMLRequest) whose "IssueInstant" attribute carries fractional seconds (milliseconds). SiteMinder rejects it with SAMLResponse=no.

In a working transaction the AuthnRequest has IssueInstant="2004-12-05T09:21:59Z" (whole seconds only).

In the non-working transaction the AuthnRequest has IssueInstant="2019-06-04T18:56:46.111Z", with the extra milliseconds in it.

If the partner manually removes the fractional seconds (".111") from the AuthnRequest, the request works.
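The following is an added example and is not part of the article or of CA/Broadcom's product code. It decodes a SAMLRequest as sent on the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding), reads the IssueInstant of the AuthnRequest and reports whether it carries fractional seconds, which is the condition that trips the defect above. It also reproduces the partner's manual workaround on the XML text. Per SAML 2.0 Core section 1.3.3, IssueInstant is an xs:dateTime in UTC with a trailing "Z", and fractional seconds are permitted, so a request like the AWS one is well-formed; the check is for telling quickly whether a failing transaction matches this case. The sample AuthnRequest, its ID, Issuer and AssertionConsumerServiceURL are constructed placeholders.

```python
# Added example (not from the article): inspect an HTTP-Redirect SAMLRequest
# for an IssueInstant with fractional seconds and show the whole-seconds
# rewrite that the article's partner applied by hand.
import base64
import re
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed AuthnRequest modelled on the failing transaction: IssueInstant
# carries milliseconds (.111). Issuer and ACS URL are placeholders.
SAMPLE_AUTHN_REQUEST = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<samlp:AuthnRequest xmlns:samlp="' + SAMLP_NS + '" '
    'xmlns:saml="' + SAML_NS + '" '
    'ID="_example-id-1" Version="2.0" '
    'IssueInstant="2019-06-04T18:56:46.111Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml/acs">'
    '<saml:Issuer>https://sp.example.com</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

# xs:dateTime as SAML 2.0 Core 1.3.3 requires it: UTC, trailing "Z",
# optional fractional seconds.
ISSUE_INSTANT_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(\.\d+)?Z$")


def encode_redirect_request(xml_text: str) -> str:
    """Encode XML for the HTTP-Redirect binding: raw DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw DEFLATE, no zlib header
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return quote(base64.b64encode(raw).decode("ascii"), safe="")


def decode_redirect_request(saml_request_param: str) -> str:
    """Reverse encode_redirect_request for a SAMLRequest query parameter value."""
    raw = base64.b64decode(unquote(saml_request_param))
    return zlib.decompress(raw, -15).decode("utf-8")


def get_issue_instant(xml_text: str) -> str:
    """Return the IssueInstant attribute of the root samlp:AuthnRequest element."""
    # ElementTree does not resolve external entities; for untrusted input in
    # production, prefer defusedxml all the same.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("root element is not samlp:AuthnRequest: " + root.tag)
    return root.attrib["IssueInstant"]


def has_fractional_seconds(issue_instant: str) -> bool:
    """True when the UTC timestamp carries a fractional-seconds part, e.g. .111."""
    m = ISSUE_INSTANT_RE.match(issue_instant)
    if m is None:
        raise ValueError("IssueInstant is not a UTC xs:dateTime: " + issue_instant)
    return m.group(2) is not None


def strip_fractional_seconds(xml_text: str) -> str:
    """Rewrite the root AuthnRequest IssueInstant to whole seconds (the manual workaround).

    Works on the text so nothing else in the document changes. Any signature
    over the request (SigAlg/Signature on the redirect query string, or an
    enveloped ds:Signature) no longer verifies afterwards; the SP has to
    regenerate and re-sign such a request.
    """
    return re.sub(
        r'(IssueInstant=")(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+(Z")',
        r"\1\2\3",
        xml_text,
        count=1,  # the root element's attribute comes first in document order
    )


def analyze_redirect_request(saml_request_param: str) -> dict:
    """Decode a SAMLRequest value and report whether it matches the failing case."""
    xml_text = decode_redirect_request(saml_request_param)
    instant = get_issue_instant(xml_text)
    return {
        "issue_instant": instant,
        "fractional_seconds": has_fractional_seconds(instant),
        "workaround_issue_instant": get_issue_instant(strip_fractional_seconds(xml_text)),
    }


if __name__ == "__main__":
    print(analyze_redirect_request(encode_redirect_request(SAMPLE_AUTHN_REQUEST)))
```

To check a real transaction, paste the SAMLRequest value from the SP's redirect URL (or from the Access Gateway's affwebservices trace) into analyze_redirect_request. A result with fractional_seconds set on 12.8 SP1 points at this defect rather than at the partner's request.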


When this fails, the Policy Server receives the request and throws the exception below:

[06/04/2019][13:57:31.912][13:57:31][30585][139936124622592][AuthnRequestProtocol.java][setAuthnRequest][37cb350f-45a1253a-94ea3502-5840e6ab-6fefd38f-3][][][][][][][][][][][][][][][][][][][][AuthnRequest is received.

<?xml versn][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[06/04/2019][13:57:31.912][13:57:31][30585][139936124622592][AuthnRequestProtocol.java][setAuthnRequest][37cb350f-45a1253a-94ea3502-5840e6ab-6fefd38f-3][][][][][][][][][][][][][][][][][][][][<?xml versn][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[06/04/2019][13:57:31.918][13:57:31][30585][139936124622592][AssertionGenerator.java][invoke][37cb350f-45a1253a-94ea3502-5840e6ab-6fefd38f-3][][][][][][][][][][][][][][][][][][][][Error in getting configuration data. Leaving Assertion Generator Framework.  Exception:

java.lang.Exception: The Federation Web Service didn't send the request with a correct resource! Internal Exception:

 javax.xml.bind.UnmarshalException: XML document structures must start and end within the same entity.

 - with linked exception:

[org.xml.sax.SAXParseException: XML document structures must start and end within the same entity.]

at com.netegrity.SAML2Gen.impl.runtime.SAXUnmarshallerHandlerImpl.handleEvent(Unknown Source)

at com.netegrity.SAML2Gen.impl.runtime.ErrorHandlerAdaptor.propagateEvent(Unknown Source)

at com.netegrity.SAML2Gen.impl.runtime.ErrorHandlerAdaptor.fatalError(Unknown Source)

at org.apache.xerces.util.ErrorHandlerWrapper.fatalError(Unknown Source)

at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)

at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)

at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)

at org.apache.xerces.impl.XMLScanner.reportFatalError(Unknown Source)

at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.endEntity(Unknown Source)

at org.apache.xerces.impl.XMLDocumentScannerImpl.endEntity(Unknown Source)

at org.apache.xerces.impl.XMLEntityManager.endEntity(Unknown Source)

at org.apache.xerces.impl.XMLEntityScanner.load(Unknown Source)

at org.apache.xerces.impl.XMLEntityScanner.skipDeclSpaces(Unknown Source)

at org.apache.xerces.impl.XMLScanner.scanPseudoAttribute(Unknown Source)

at org.apache.xerces.impl.XMLScanner.scanXMLDeclOrTextDecl(Unknown Source)

at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanXMLDeclOrTextDecl(Unknown Source)

at org.apache.xerces.impl.XMLDocumentScannerImpl$XMLDeclDispatcher.dispatch(Unknown Source)

at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)

at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)

at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)

at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)

at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)

at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)

at com.netegrity.SAML2Gen.impl.runtime.UnmarshallerImpl.unmarshal(Unknown Source)

at javax.xml.bind.helpers.AbstractUnmarshallerImpl.unmarshal(AbstractUnmarshallerImpl.java:172)

at com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol.setAuthnRequest(Unknown Source)

at com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol.init(Unknown Source)

at com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20.getConfig(Unknown Source)

at com.netegrity.assertiongenerator.AssertionGenerator.invoke(Unknown Source)

at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(ActiveExpressionContext.java:282)

Caused by: org.xml.sax.SAXParseException: XML document structures must start and end within the same entity.

at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)

... 27 more


at com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20.getConfig(Unknown Source)

at com.netegrity.assertiongenerator.AssertionGenerator.invoke(Unknown Source)

at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(ActiveExpressionContext.java:282)


Cause

Release defect in 12.8 SP1 caused by the BouncyCastle library upgrade.

Environment

Release: SiteMinder Policy Server Version: 12.8; Update: 01.00; Build: 1775; CR: 00;

Component : SITEMINDER FEDERATION SECURITY SERVICES

Policy server OS: Red Hat Enterprise Linux Server release 7

Policy Store: LDAP


Resolution

The root cause is not the IssueInstant format itself, as indicated in defect DE420988; rather, AuthnRequest decoding does not complete properly in 12.8 SP1. Only a portion of the AuthnRequest XML is decoded (<?xml versn) because an exception is thrown on the timestamp format, and the truncated document is what the parser then rejects with "XML document structures must start and end within the same entity".

This is a defect in the product, fixed in standard release 12.8.02 by changing the underlying XML parser library.

Patching to 12.8.02 should resolve the issue.


If you cannot patch to release 12.8.02, a dev fix for 12.8.01 can be obtained from DE395403.

Follow the instructions below to apply the dev fix.

Take the jars named assertiongenerator.jar and saml2.jar from DE395403.

Stop the Policy Server if it is running.

Back up assertiongenerator.jar and saml2.jar from the Policy Server installation, i.e. <ps_install>\bin\jars.

Replace assertiongenerator.jar and saml2.jar in <ps_install>\bin\jars with the attached jars.

Start the Policy Server.

Stop the Access Gateway if it is running.

Back up saml2.jar from the Access Gateway installation, i.e. <AG_Install>\Tomcat\webapps\affwebservices\WEB-INF\lib.

Replace saml2.jar in <AG_Install>\Tomcat\webapps\affwebservices\WEB-INF\lib with the attached saml2.jar.

Start the Access Gateway service.
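The following is an added example and is not part of the article or of CA/Broadcom's tooling. It carries out the jar replacement above with the checks an operator would want: it refuses to install into a directory that does not already hold the jar (wrong install path), refuses a hotfix jar whose SHA-256 does not match the hash the operator expects, keeps a dated backup of every replaced jar, verifies the installed copy by hash, and confirms that the Policy Server and Access Gateway end up with the same saml2.jar. Install paths, the hotfix directory name and the expected hash are assumptions supplied by the caller; stopping and starting the Policy Server and Access Gateway stays a manual step around apply_dev_fix. demo_in_tempdir builds fake install trees with placeholder jar contents so the procedure can be exercised offline.

```python
# Added example (not from the article): apply the DE395403 dev-fix jars with
# backups and hash verification. Install paths and hashes are assumptions.
import hashlib
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, Optional

# Jars the dev fix replaces on each tier, per the article's instructions.
PS_JARS = ("assertiongenerator.jar", "saml2.jar")
AG_JARS = ("saml2.jar",)


def sha256_of(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def swap_jar(hotfix: Path, target_dir: Path, expected_sha256: Optional[str] = None) -> Path:
    """Back up target_dir/<jar> as <jar>.bak.<timestamp>, copy the hotfix in,
    verify the installed copy by hash and return the backup path.

    Refuses to run if the jar is not already present (wrong directory) or if
    the hotfix does not match the hash the operator expects.
    """
    target = target_dir / hotfix.name
    if not target.is_file():
        raise FileNotFoundError(f"no existing {hotfix.name} in {target_dir}; wrong install path?")
    actual = sha256_of(hotfix)
    if expected_sha256 is not None and actual != expected_sha256.lower():
        raise ValueError(f"{hotfix.name}: hash {actual} != expected {expected_sha256}")
    backup = target.with_name(f"{target.name}.bak.{time.strftime('%Y%m%d%H%M%S')}")
    if backup.exists():
        raise FileExistsError(f"backup already exists: {backup}")
    shutil.copy2(target, backup)
    shutil.copy2(hotfix, target)
    if sha256_of(target) != actual:
        raise RuntimeError(f"installed {target} does not match the hotfix jar")
    return backup


def apply_dev_fix(hotfix_dir: Path, ps_jar_dir: Path, ag_lib_dir: Path,
                  expected: Optional[Dict[str, str]] = None) -> dict:
    """Replace the jars on the Policy Server and Access Gateway tiers and
    check that both tiers end up running the same saml2.jar."""
    expected = expected or {}
    backups = {}
    for name in PS_JARS:
        backups["ps:" + name] = swap_jar(hotfix_dir / name, ps_jar_dir, expected.get(name))
    for name in AG_JARS:
        backups["ag:" + name] = swap_jar(hotfix_dir / name, ag_lib_dir, expected.get(name))
    same_saml2 = sha256_of(ps_jar_dir / "saml2.jar") == sha256_of(ag_lib_dir / "saml2.jar")
    return {"backups": backups, "saml2_consistent": same_saml2}


def demo_in_tempdir() -> dict:
    """Constructed scenario: fake install trees and placeholder jars in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="smfix-"))
    hotfix = root / "DE395403"  # assumed name for the directory holding the dev-fix jars
    ps = root / "ps" / "bin" / "jars"
    ag = root / "ag" / "Tomcat" / "webapps" / "affwebservices" / "WEB-INF" / "lib"
    for d in (hotfix, ps, ag):
        d.mkdir(parents=True)
    for name in PS_JARS:
        (ps / name).write_bytes(b"old " + name.encode())
        (hotfix / name).write_bytes(b"fixed " + name.encode())
    (ag / "saml2.jar").write_bytes(b"old saml2.jar")
    try:
        result = apply_dev_fix(hotfix, ps, ag, {"saml2.jar": sha256_of(hotfix / "saml2.jar")})
        result["installed_ok"] = all(
            (d / n).read_bytes() == (hotfix / n).read_bytes()
            for d, names in ((ps, PS_JARS), (ag, AG_JARS)) for n in names)
        result["backup_ok"] = all(
            p.read_bytes() == b"old " + p.name.split(".bak.")[0].encode()
            for p in result["backups"].values())
        try:  # a hotfix with the wrong hash must be refused and leave the target untouched
            swap_jar(hotfix / "saml2.jar", ps, "0" * 64)
            result["rejects_bad_hash"] = False
        except ValueError:
            result["rejects_bad_hash"] = (ps / "saml2.jar").read_bytes() == b"fixed saml2.jar"
    finally:
        shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo_in_tempdir())
```

For a real deployment, call apply_dev_fix with the hotfix directory, <ps_install>/bin/jars and <AG_Install>/Tomcat/webapps/affwebservices/WEB-INF/lib, passing the hashes of the jars as obtained from DE395403, after both services are stopped; the returned backup paths are what you restore if the fix has to be rolled back.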