400 Error: Unable to decrypt FED_TEMPORARY_STATE cookie.



Article ID: 136418


Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Federation (SiteMinder), SITEMINDER

Issue/Introduction

Upon receiving an assertion, the request fails with a 400 error and the following is printed in the FWSTrace.log:

[08/20/2019][22:06:50][3112][5368][6a8d05ee-ac70711c-8a22f314-b46df16e-c22b7819-b][SAML2Base.java][getRedirectTargetFromCookie][Unable to decrypt FED_TEMPORARY_STATE cookie. Exception Message: Tried out all the decrypt keys, decryption failed.. No login redirection target URL.]
[08/20/2019][22:06:50][3112][5368][6a8d05ee-ac70711c-8a22f314-b46df16e-c22b7819-b][SAML2Base.java][getRedirectTargetFromCookie][cookie contains target:]
[08/20/2019][22:06:50][3112][5368][6a8d05ee-ac70711c-8a22f314-b46df16e-c22b7819-b][AssertionConsumer.java][getRealmForTarget][targetURL: usingRelayState: true]
[08/20/2019][22:06:50][3112][5368][6a8d05ee-ac70711c-8a22f314-b46df16e-c22b7819-b][AssertionConsumer.java][getRealmForTarget][No target URL in identity provider information or in RelayState.]
[08/20/2019][22:06:50][3112][5368][6a8d05ee-ac70711c-8a22f314-b46df16e-c22b7819-b][AssertionConsumer.java][getRealmForTarget][Ending SAML2 AssertionConsumer Service request processing with HTTP error 400]
[08/20/2019][22:06:50][3112][5368][6a8d05ee-ac70711c-8a22f314-b46df16e-c22b7819-b][AssertionConsumer.java][getRealmForTarget][Transaction with ID: 6a8d05ee-ac70711c-8a22f314-b46df16e-c22b7819-b failed. Reason: ACS_NO_TARGET]
[08/20/2019][22:06:50][3112][5368][6a8d05ee-ac70711c-8a22f314-b46df16e-c22b7819-b][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 400 ]

Environment

Release : 12.8.x

Component : SITEMINDER -POLICY SERVER, Web Agent Option Pack, Federation Gateway

Cause

The issue can be caused by an improper Legacy Federation configuration in which no Target was specified in the SAML authentication scheme and the 'RelayState Overrides Target' check box was not selected. With neither source able to supply a target URL, the Assertion Consumer Service has nowhere to redirect the user.

This misconfiguration results in the exception above when the received assertion is processed.

Resolution

Either specify a Target within the SAML authentication scheme or make sure that the 'RelayState Overrides Target' check box is selected, so that the Federation code has a target URL when it processes the assertion.
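To spot this failure quickly in a large FWSTrace.log, the following added example (not part of the article or of the SiteMinder product) parses the bracketed log format shown above, groups lines by transaction ID, and reports each transaction that ended with ACS_NO_TARGET together with whether the FED_TEMPORARY_STATE decrypt failure and RelayState usage were seen. The sample log text is constructed from the article's excerpt plus one healthy transaction with a made-up transaction ID.

```python
import re
from collections import defaultdict

# Constructed sample: three lines from the article's excerpt plus one healthy
# transaction (made-up transaction ID and target URL) that must not be reported.
SAMPLE_LOG = """\
[08/20/2019][22:06:50][3112][5368][6a8d05ee-ac70711c-8a22f314-b46df16e-c22b7819-b][SAML2Base.java][getRedirectTargetFromCookie][Unable to decrypt FED_TEMPORARY_STATE cookie. Exception Message: Tried out all the decrypt keys, decryption failed.. No login redirection target URL.]
[08/20/2019][22:06:50][3112][5368][6a8d05ee-ac70711c-8a22f314-b46df16e-c22b7819-b][AssertionConsumer.java][getRealmForTarget][targetURL: usingRelayState: true]
[08/20/2019][22:06:50][3112][5368][6a8d05ee-ac70711c-8a22f314-b46df16e-c22b7819-b][AssertionConsumer.java][getRealmForTarget][Transaction with ID: 6a8d05ee-ac70711c-8a22f314-b46df16e-c22b7819-b failed. Reason: ACS_NO_TARGET]
[08/20/2019][22:07:01][3112][5368][11111111-22222222-33333333-44444444-55555555-b][AssertionConsumer.java][getRealmForTarget][targetURL: https://app.example.com/ usingRelayState: false]
"""

# One FWSTrace.log line: [date][time][pid][tid][transaction id][source file][method][message]
LINE_RE = re.compile(
    r"^\[(?P<date>[^\]]+)\]\[(?P<time>[^\]]+)\]\[(?P<pid>\d+)\]\[(?P<tid>\d+)\]"
    r"\[(?P<txn>[^\]]+)\]\[(?P<src>[^\]]+)\]\[(?P<method>[^\]]+)\]\[(?P<msg>.*)\]$"
)


def parse_line(line):
    """Split one FWSTrace.log line into its bracketed fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_acs_no_target(log_text):
    """Group lines by transaction ID and report each transaction that failed with ACS_NO_TARGET."""
    by_txn = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_txn[rec["txn"]].append(rec)
    findings = []
    for txn, recs in by_txn.items():
        msgs = [r["msg"] for r in recs]
        if not any("Reason: ACS_NO_TARGET" in m for m in msgs):
            continue
        cookie_failed = any("Unable to decrypt FED_TEMPORARY_STATE cookie" in m for m in msgs)
        relay_state = any("usingRelayState: true" in m for m in msgs)
        findings.append({
            "txn": txn,
            "time": f'{recs[0]["date"]} {recs[0]["time"]}',
            "cookie_decrypt_failed": cookie_failed,
            "using_relay_state": relay_state,
            # Cause from the article: no Target on the SAML auth scheme and
            # 'RelayState Overrides Target' not selected, so no target URL is available.
            "check": "Set Target on the SAML auth scheme or select 'RelayState Overrides Target'"
                     if cookie_failed else "Inspect IdP and RelayState target configuration",
        })
    return findings


if __name__ == "__main__":
    for f in find_acs_no_target(SAMPLE_LOG):
        print(f)
```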