SAML2 Request Contains Too Many SERVERSESSIONID Headers

Article ID: 142862

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
SITEMINDER

Issue/Introduction

We have 4 machines running SiteMinder Policy Server 12.8.2 and 2 machines running Access Gateway 12.8.2.

The configuration between the Access Gateway machines is consistent. We see an issue that affects only one of the Access Gateways. In the affwebsrv.log we see this:

[isSessionIdle][ERROR][sm-FedClient-01570] SAML2 Request contains too many SERVERSESSIONID headers.  Session is considered invalid and user must relogin. Service encounters the following error while processing request: {1}.

In the FWSTrace.log we see this:

[FWSBase.java][getSessionData][session cookie name: SMSESSION]

[FWSBase.java][isValidSession][Found SESSION cookie: SMSESSION]

[FWSBase.java][isSessionIdle][Verifying validity of session cookie [SMSESSION] retrieved]

[FWSBase.java][isSessionIdle][returning true]

[FWSBase.java][isValidSession][Session is Idle]

The result is that the client keeps getting redirected to the authentication URL until the browser displays error ERR_TOO_MANY_REDIRECTS.

Cause

The SERVERSESSIONID header was missing. This was due to inconsistent ACO settings: setting 'DisableSessionVars=yes' in any of the ACOs can cause this.

Environment

Release : All

Component : SITEMINDER - POLICY SERVER

Resolution

Make sure the ACO settings in the SSO environment are consistent across all Access Gateways and result in the SERVERSESSIONID header being set when the user attempts to access a federated application.
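An added consistency check for the condition described above (example code, not from the article or the product): it scans per-ACO settings for DisableSessionVars=yes and for any parameter whose value differs between ACOs. It assumes each ACO has been dumped to simple key=value text (a constructed format, not a real SiteMinder export); DefaultAgentName and CookieDomain are used only as illustrative parameters and the values are constructed.

```python
"""Flag ACO settings that break SERVERSESSIONID across SiteMinder gateways."""
from collections import defaultdict

# Constructed sample dumps (assumed key=value format): two gateways, one of
# which carries the DisableSessionVars=yes setting the article names as a cause.
ACO_EXPORTS = {
    "ag01-aco": "DefaultAgentName=ag01\nDisableSessionVars=no\nCookieDomain=.example.com\n",
    "ag02-aco": "DefaultAgentName=ag02\nDisableSessionVars=yes\nCookieDomain=.example.com\n",
}

# Parameters legitimately different per agent; excluded from the cross-ACO diff.
PER_AGENT_KEYS = {"DefaultAgentName"}


def parse_aco(text):
    """Parse key=value lines into a dict with lower-cased keys; skip comments/blanks."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def check_acos(exports, per_agent_keys=PER_AGENT_KEYS):
    """Return human-readable findings: explicit DisableSessionVars=yes, then any
    parameter whose value (or presence) differs between the ACOs."""
    parsed = {name: parse_aco(text) for name, text in exports.items()}
    ignore = {k.lower() for k in per_agent_keys}
    findings = []
    # (a) the setting the article identifies as a cause of the missing header
    for name, settings in parsed.items():
        if settings.get("disablesessionvars", "").lower() == "yes":
            findings.append(f"{name}: DisableSessionVars=yes (SERVERSESSIONID will not be set)")
    # (b) every other parameter must be present with the same value in all ACOs
    values = defaultdict(dict)
    for name, settings in parsed.items():
        for key, value in settings.items():
            if key not in ignore:
                values[key][name] = value
    for key, by_aco in sorted(values.items()):
        if len(set(by_aco.values())) > 1 or len(by_aco) != len(parsed):
            findings.append(f"{key}: inconsistent across ACOs {dict(sorted(by_aco.items()))}")
    return findings


if __name__ == "__main__":
    for finding in check_acos(ACO_EXPORTS):
        print(finding)
```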