Error : FAILED_INVALID_RESPONSE_RETURNED in SP Web Agent Option Pack

Article ID: 141423

Products:

  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On Agents (SiteMinder)
  CA Single Sign On Federation (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  SITEMINDER

Issue/Introduction

When a Federation Service runs on the Service Provider (SP) side, SP-initiated
requests fail with an HTTP 500 error in the browser. The Federation Service
logs the following errors:

affwebserv.log:

    [9748/140064010385152][Tue Oct 08 2019
    17:10:35][SSO.java][ERROR][sm-FedClient-02890] Transaction with ID:
    abd66c3c-27718530-143ea65a-737d6f8e-a08ae68f-1 failed. Reason:
    FAILED_INVALID_RESPONSE_RETURNED (, , )

FWSTrace.log:

    [Received the following response from SAML2 assertion generator:
    SAML2Response=NO.]
    [Transaction with ID:
    2efab415-448ecdcd-47ac323f-218f8d84-84945eac-6 failed. Reason:
    FAILED_INVALID_RESPONSE_RETURNED]
    [Denying request due to "NO" returned from SAML2 assertion
    generator.]

smtracedefault.log:

    [Error in getting configuration data. Leaving Assertion Generator
    Framework.  Exception:

    java.lang.Exception: The Federation Web Service didn't send the
    request with a correct resource! Internal Exception:

    javax.xml.bind.UnmarshalException: Unexpected element
        {http://www.w3.org/2000/09/xmldsig#}:Signature
      at com.netegrity.SAML2Gen.impl.runtime.SAXUnmarshallerHandlerImpl.
        handleEvent(Unknown Source)

Cause


SiteMinder supports a signed AuthnRequest only when the signature is carried
as a query parameter (HTTP-Redirect binding), not when it is an enveloped
<Signature> element inside the AuthnRequest sent with the HTTP-POST binding.
That embedded element is exactly what the assertion generator's unmarshaller
rejects as "Unexpected element ... Signature" in smtracedefault.log above.

Here's the AuthnRequest received when the request fails over the POST
binding. The signature is embedded inside the AuthnRequest element:

  <samlp:AuthnRequest
      ID="v90a428e-c80b-4992-8969-1348cd044ec7"
      Version="2.0"
      IssueInstant="2019-10-08T15:10:23Z"
      Destination="https://myidp.mydomain.com/affwebservices/public/saml2sso"
      ForceAuthn="false"
      IsPassive="false"
      ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      AssertionConsumerServiceURL="https://mysp.sp.com/saml/myconsume.jsp"
      xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      https://mysp.sp.com
    </saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                        AllowCreate="true"/>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <Reference URI="#v90a428e-c80b-4992-8969-1348cd044ec7">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>hwGymNmerPOs0u2TH4W3F6lF03U=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>Lonv [...] 1ZCng==</SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate>MIIG8TCC [...] yQmGXIYQsprfCA=</X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>
  </samlp:AuthnRequest>

Environment


Policy Server 12.8 SP6 on Red Hat 8


Resolution


Configure the HTTP-Redirect binding instead of HTTP-POST for the
AuthnRequest. The request data is then received as query parameters, with
the signature carried outside the AuthnRequest element rather than embedded
in it, and the request succeeds.
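As an added illustration (not part of this article or of the SiteMinder product), the following Python script shows the two forms side by side: a check for the enveloped ds:Signature that the POST-bound request in the Cause section carries, and the HTTP-Redirect encoding described in the Resolution, where the signature travels as separate SigAlg and Signature query parameters outside the XML. The AuthnRequest sample is constructed from the article's attributes; the signature bytes passed in are a placeholder, since signing the signed_input string with the SP's private key is outside this block.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, parse_qs

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the article's request attributes, without the enveloped
# <Signature> element, which is what the Redirect binding requires.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="v90a428e-c80b-4992-8969-1348cd044ec7" Version="2.0" '
    'IssueInstant="2019-10-08T15:10:23Z" '
    'Destination="https://myidp.mydomain.com/affwebservices/public/saml2sso" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://mysp.sp.com/saml/myconsume.jsp">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://mysp.sp.com</saml:Issuer></samlp:AuthnRequest>'
)

def has_enveloped_signature(xml_text: str) -> bool:
    """True when a ds:Signature is embedded in the AuthnRequest element itself,
    the POST-binding form that produces the 'Unexpected element ... Signature' error."""
    return ET.fromstring(xml_text).find(f"{{{DSIG_NS}}}Signature") is not None

def signed_input(saml_request: str, sig_alg: str, relay_state: str = "") -> str:
    """Octet string the SP signs for the Redirect binding: URL-encoded SAMLRequest,
    then RelayState (if present), then SigAlg, in exactly this order."""
    parts = [("SAMLRequest", saml_request)]
    if relay_state:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", sig_alg))
    return urlencode(parts)

def build_redirect_query(xml_text: str, sig_alg: str, signature: bytes) -> str:
    """Redirect-binding encoding: raw DEFLATE, base64, URL-encode; the signature is
    carried as its own Signature parameter, never inside the XML (placeholder bytes here)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    saml_request = base64.b64encode(c.compress(xml_text.encode()) + c.flush()).decode()
    signature_param = urlencode({"Signature": base64.b64encode(signature).decode()})
    return signed_input(saml_request, sig_alg) + "&" + signature_param

def decode_redirect_query(query: str) -> dict:
    """IdP-side view of the received query: inflate SAMLRequest and report where
    the signature lives (it should be in the query, not in the XML)."""
    params = parse_qs(query)
    xml_text = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode()
    return {"xml": xml_text,
            "signature_in_query": "Signature" in params and "SigAlg" in params,
            "signature_in_xml": has_enveloped_signature(xml_text)}
```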