SAML Application is not working

Article ID: 140403

Products: CA Single Sign On Secure Proxy Server (SiteMinder); AXIOMATICS POLICY SERVER; CA Single Sign On Agents (SiteMinder); CA Single Sign On Federation (SiteMinder); CA Single Sign On SOA Security Manager (SiteMinder); SITEMINDER

Issue/Introduction

We're running CA Access Gateway (SPS) for Federation Services and once
we get access to the web page through the Federation journey the browser
gets error 403:

  HTTP Status 403 - Request Forbidden. Transaction ID:
  1504bcc6-28a1a500-17fed925-a426c877-92ee2407-34c

The samlrequest is :

  <samlp:AuthnRequest
      xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="ONELOGIN_20729582316660b3b2199313018744b01b3ed35f"
      Version="2.0"
      IssueInstant="2019-10-30T16:35:17Z"
      Destination="https://myidp.mydomain.com:7443/affwebservices/public/saml2sso?SPID=http://mysp.myotherdomain.com/"
      ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      AssertionConsumerServiceURL="https://mysp.myotherdomain.com/saml/acs">
    <saml:Issuer>https://mysp.myotherdomain.com/saml/mydata</saml:Issuer>
    <samlp:NameIDPolicy
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"
        AllowCreate="true" />
  </samlp:AuthnRequest>

How can we solve this?

Cause


The browser goes to http://mysp.myotherdomain.com/saml (which is
configured as such in the HTML web page) and gets redirected to
Federation Services at https://myidp.mydomain.com:7443 with a
SAMLRequest in which the Issuer is set to
https://mysp.myotherdomain.com/saml/mydata :


myidp.mydomain.com.har :

        "request": {
          "method": "GET",
          "url": "http://mysp.myotherdomain.com/saml",
          [...]
        "response": {
          "status": 302,
          [...]
              "name": "Location",
              "value": "https://myidp.mydomain.com:7443/affwebservices/public/saml2sso?SPID=http://mysp.myotherdomain.com/&SAMLRequest=jZJLj [...] 3zHQ%3D%3D&RelayState=http%3A%2F%2Fmysp.myotherdomain.com%2Fsaml"
          [...]

          "method": "GET",
          "url": "https://myidp.mydomain.com:7443/affwebservices/public/saml2sso?SPID=http://mysp.myotherdomain.com/&SAMLRequest=jZJLj [...] 3zHQ%3D%3D&RelayState=http%3A%2F%2Fmysp.myotherdomain.com%2Fsaml",
          [...]
          "queryString": [
            {
              "name": "SPID",
              "value": "http://mysp.myotherdomain.com/"
            },
            {
              "name": "SAMLRequest",
              "value": "jZJLj [...] 3zHQ%3D%3D&RelayState=http%3A%2F%2Fmysp.myotherdomain.com%2Fsaml"
            },
            {
              "name": "RelayState",
              "value": "http%3A%2F%2Fmysp.myotherdomain.com%2Fsaml"
            }
          [...]
        "response": {
          "status": 403,
          "statusText": "Forbidden",
          [...]
              "name": "Date",
              "value": "Thu, 31 Oct 2019 16:49:16 GMT"
          [...]
            "text": "<html><head><title>Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 403 - Request Forbidden. Transaction ID: 25c3ae9e-97fa912f-b23703dc-5e21bc97-30371712-80 failed.</h1><HR size=\"1\" noshade=\"noshade\"><p><b>type</b> Status report</p><p><b>message</b> <u>Request Forbidden. Transaction ID: 25c3ae9e-97fa912f-b23703dc-5e21bc97-30371712-80 failed.</u></p><p><b>description</b> <u>Access to the specified resource has been forbidden.</u></p><HR size=\"1\" noshade=\"noshade\"></body></html>"


The SPID from the headers and URL is correct, but what matters most is
the Issuer within the SAMLRequest, which is set to
https://mysp.myotherdomain.com/saml/mydata :


  <samlp:AuthnRequest
      xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="ONELOGIN_5eb62555b7752b24ddb94100473637745f5157b8"
      Version="2.0"
      IssueInstant="2019-10-31T16:49:15Z"
      Destination="https://myidp.mydomain.com:7443/affwebservices/public/saml2sso?SPID=http://mysp.myotherdomain.com/"
      ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      AssertionConsumerServiceURL="https://mysp.myotherdomain.com/saml/acs">
    <saml:Issuer>https://mysp.myotherdomain.com/saml/mydata</saml:Issuer>
    <samlp:NameIDPolicy
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"
        AllowCreate="true" />
  </samlp:AuthnRequest>


So the Federation Service at myidp.mydomain.com fails:

affwebserv.log :

  [51396/140057615410944][Thu Oct 31 2019 16:49:16][SSO.java][ERROR][sm-FedClient-02890] Transaction with ID: 25c3ae9e-97fa912f-b23703dc-5e21bc97-30371712-80 failed. Reason: NO_PROVIDER_INFO_FOUND (, , )

  [51396/140057615410944][Thu Oct 31 2019 16:49:16][SSO.java][ERROR][sm-FedClient-02440] No SAML2 provider information found for SP https://mysp.myotherdomain.com/saml/mydata.


As the Policy Server doesn't find the SPID
https://mysp.myotherdomain.com/saml/mydata :

smtracedefault.log :

  [11/13/2019][07:35:18.073][07:35:18][11814][140455446550272][SAMLSPbyIDTunnelService.java][tunnel][ae863c99-11d91244-3084648a-757eac94-0f4493fc-26][][][][][][][][][][][][][][][][][][][][Received request to obtain Service Provider data. Provider ID: https://mysp.myotherdomain.com/saml/mydata]

  [11/13/2019][07:35:18.074][07:35:18][11814][140455446550272][SAMLSPbyIDTunnelService.java][tunnel][ae863c99-11d91244-3084648a-757eac94-0f4493fc-26][][][][][][][][][][][][][][][][][][][][Failed to obtain Service Provider data by provider ID. Provider ID: https://mysp.myotherdomain.com/saml/mydata]

  [11/13/2019][07:35:18.074][07:35:18][11814][140455446550272][SAMLSPbyIDTunnelService.java][tunnel][ae863c99-11d91244-3084648a-757eac94-0f4493fc-26][][][][][][][][][][][][][][][][][][][][Policy server returns SAML2.0 SP Configuration [CHECKPOINT = SSOSAML2_SPCONFFROMPS_RSP]]

  [11/13/2019][07:35:18.074][07:35:18][11814][140455446550272][SAMLSPbyIDTunnelService.java][tunnel][ae863c99-11d91244-3084648a-757eac94-0f4493fc-26][][][][][][][][][][][][][][][][][][][][status: status=5&message=Failed to obtain Service Provider data by provider ID. Provider ID: https://mysp.myotherdomain.com/saml/mydata]


Note that when it works, the Federation Service receives the SPID as http://mysp.myotherdomain.com :

  [11/13/2019][07:42:11.575][07:42:11][11814][140455412979456][AuthnRequestProtocol.java][init][276994a6-5b4b45b5-5fd567d1-cd18ebcc-0baa43bf-ecd][][][][][][][][][][][][][][][][][][][][Query parameter: SPID = http://mysp.myotherdomain.com/]
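The lookup sequence described in this Cause section (SPID taken from the query string, SP entity ID taken from the Issuer inside the deflated, base64-encoded SAMLRequest, then a lookup of that Issuer against the configured Service Providers) can be reproduced offline against a captured redirect URL before opening the trace logs. The Python script below is an added example; it is not part of this article and not SiteMinder code. It assumes the SAML HTTP-Redirect binding encoding (raw DEFLATE, then base64, then URL-encoding), uses a constructed set CONFIGURED_SP_IDS standing in for the SP entity IDs defined on the Policy Server, and rebuilds the article's AuthnRequest as its sample input. The helper names (build_sample_url, parse_sso_url, diagnose, unmatched_sp_from_log) are the example's own.

```python
import base64
import re
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the AuthnRequest from the article, reduced to the fields
# that matter for the provider lookup.
DEFAULT_ISSUER = "https://mysp.myotherdomain.com/saml/mydata"
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ONELOGIN_5eb62555b7752b24ddb94100473637745f5157b8"
    Version="2.0"
    IssueInstant="2019-10-31T16:49:15Z"
    Destination="https://myidp.mydomain.com:7443/affwebservices/public/saml2sso?SPID=http://mysp.myotherdomain.com/"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://mysp.myotherdomain.com/saml/acs">
  <saml:Issuer>https://mysp.myotherdomain.com/saml/mydata</saml:Issuer>
</samlp:AuthnRequest>"""

# Constructed: the only SP entity ID defined on the Policy Server in this scenario
# (stands in for the Federation Partnership / SP configuration).
CONFIGURED_SP_IDS = {"http://mysp.myotherdomain.com/"}

# Constructed: the affwebserv.log error from the article, joined onto one line.
SAMPLE_LOG_LINE = ("[51396/140057615410944][Thu Oct 31 2019 16:49:16][SSO.java][ERROR]"
                   "[sm-FedClient-02440] No SAML2 provider information found for SP "
                   "https://mysp.myotherdomain.com/saml/mydata.")


def encode_redirect_request(xml_text: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64, then URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect_request(encoded: str) -> str:
    """Reverse of encode_redirect_request; also accepts an already URL-decoded value."""
    raw = base64.b64decode(urllib.parse.unquote(encoded))
    return zlib.decompress(raw, -15).decode("utf-8")


def build_sample_url(issuer: str = DEFAULT_ISSUER) -> str:
    """Rebuild the saml2sso redirect URL from the article with a chosen Issuer."""
    xml_text = SAMPLE_AUTHN_REQUEST.replace(DEFAULT_ISSUER, issuer)
    return ("https://myidp.mydomain.com:7443/affwebservices/public/saml2sso"
            "?SPID=http://mysp.myotherdomain.com/"
            "&SAMLRequest=" + encode_redirect_request(xml_text)
            + "&RelayState=" + urllib.parse.quote("http://mysp.myotherdomain.com/saml", safe=""))


def parse_sso_url(url: str) -> dict:
    """Pull SPID, RelayState and the AuthnRequest Issuer out of a saml2sso URL."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query, keep_blank_values=True)

    def first(name):
        return query.get(name, [None])[0]

    issuer = None
    if first("SAMLRequest"):
        root = ET.fromstring(decode_redirect_request(first("SAMLRequest")))
        node = root.find(f"{{{SAML_NS}}}Issuer")
        if node is not None and node.text:
            issuer = node.text.strip()
    return {"spid": first("SPID"), "relay_state": first("RelayState"), "issuer": issuer}


def diagnose(url: str, configured=CONFIGURED_SP_IDS) -> dict:
    """Mirror the IdP side: the SP is resolved by the AuthnRequest Issuer, not by SPID."""
    info = parse_sso_url(url)
    info["spid_known"] = info["spid"] in configured
    info["issuer_known"] = info["issuer"] in configured  # False reproduces NO_PROVIDER_INFO_FOUND
    return info


def unmatched_sp_from_log(line: str):
    """Extract the SP entity ID that an sm-FedClient-02440 error could not resolve."""
    m = re.search(r"No SAML2 provider information found for SP (\S+?)\.?\s*$", line)
    return m.group(1) if m else None


if __name__ == "__main__":
    for issuer in (DEFAULT_ISSUER, "http://mysp.myotherdomain.com/"):
        print(diagnose(build_sample_url(issuer)))
    print(unmatched_sp_from_log(SAMPLE_LOG_LINE))
```

Running the script shows the failing case (SPID known, Issuer unknown) next to the fixed one where the Issuer is http://mysp.myotherdomain.com/; the same parse_sso_url call can be pointed at the Location header taken from a real HAR file.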



Environment


  CA Access Gateway (SPS) 12.8SP00 on Linux;

  Policy Server 12.8SP00 on Linux;



Resolution


Make sure that the application running at
http://mysp.myotherdomain.com/saml creates a SAMLRequest whose
Issuer is http://mysp.myotherdomain.com/ to solve this issue,

or

that the Issuer defined in the SAMLRequest matches a Service Provider
defined in your configuration.