SAML2 Request Contains Too Many SERVERSESSIONID Headers

Article Id: 142862

Status: Published

Updated On: 10-01-2020 06:48

Products:

CA Single Sign On Secure Proxy Server (SiteMinder) , CA Single Sign On Agents (SiteMinder) , SITEMINDER , CA Single Sign On Federation (SiteMinder) , SITEMINDER

Issue/Introduction:

We have 4 machines running SiteMinder Policy Server 12.8.2 and 2 machines running Access Gateway 12.8.2.

The configuration between the Access Gateway machines is consistent. We see an issue that affects only one of the Access Gateways. In the affwebsrv.log we see this:

[isSessionIdle][ERROR][sm-FedClient-01570] SAML2 Request contains too many SERVERSESSIONID headers. Session is considered invalid and user must relogin. Service encounters the following error while processing request: {1}.

In the FWSTrace.log we see this:

[FWSBase.java][getSessionData][session cookie name: SMSESSION]

[FWSBase.java][isValidSession][Found SESSION cookie: SMSESSION]

[FWSBase.java][isSessionIdle][Verifying validity of session cookie [SMSESSION] retrieved]

[FWSBase.java][isSessionIdle][returning true]

[FWSBase.java][isValidSession][Session is Idle]

The result is that the client keeps getting redirected to the authentication URL until the browser displays error ERR_TOO_MANY_REDIRECTS.

Cause:

The SERVERSESSIONID header was missing. This was due to inconsistent ACO settings (setting 'DisableSessionVars=yes' in any of the ACOs can cause this)

Environment:

Release : All

Component : SITEMINDER -POLICY SERVER

Resolution:

Make sure ACO settings in the SSO environment are consistent and result in the SERVERSESSIONID being set when the user attempts to access a federated application.