Error message 403 while using a partnership

Article ID: 186118

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER

Issue/Introduction

An SSO setup with a partnership application returns error message 403.

Environment

Release : 12.8.03

Component : SiteMinder Federation(Federation Manager)

Resolution

In the Fiddler trace, the response TextView shows the following reason on the line with the 403 error:

<h1>HTTP Status 403 – Forbidden</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> Request Forbidden. Transaction ID: 2b90d625-f5f067ec-00b0051a-4af90ba6-bc9eb3c3-fb failed.</p><p><b>Description</b> The server understood the request but refuses to authorize it.</p>

Searching for the transaction ID (2b90d625-f5f067ec-00b0051a-4af90ba6-bc9eb3c3-fb) in smtracedefault.log, we could see "Policy is blocked by time":

[03/06/2020][21:03:56][4128][2b90d625-f5f067ec-00b0051a-4af90ba6-bc9eb3c3-fb][IsAuthorized.cpp:680][CSm_Az_Message::IsAuthorized][samlsp:<POLICY>][][][<USER>][][][][Authorizing user...]
[03/06/2020][21:03:56][4128][][SmAuthorization.cpp:1453][CSmAz::IsOk][samlsp:<POLICY>][][][<USER>][][][][Start of user policy analysis for realm.]
[03/06/2020][21:03:56][4128][][SmAuthorization.cpp:1546][CSmAz::IsOk][samlsp:<POLICY>l][][][][][][][Check the Policy.]
[03/06/2020][21:03:56][4128][][SmAuthorization.cpp:1587][CSmAz::IsOk][samlsp:<POLICY>][][][][][][][Check the Rule]
[03/06/2020][21:03:56][4128][][SmAuthorization.cpp:809][CSmAz::TestPolicy][samlsp:<POLICY>][][][][][][][Evaluating policy...]
[03/06/2020][21:03:56][4128][][SmAuthorization.cpp:823][CSmAz::TestPolicy][samlsp:<POLICY>][][][][][][][Policy is blocked by time]
[03/06/2020][21:03:56][4128][][SmAuthorization.cpp:1726][CSmAz::IsOk][samlsp:<POLICY>][][][][][][][Policy is not applicable. Skipped.]
[03/06/2020][21:03:56][4128][][SmAuthorization.cpp:1854][CSmAz::IsOk][][][][][][][][IsOk? No.]

The customer had all the checkboxes in the time restriction for the partnership unchecked. Pressing the "Always Allow" button checked all the checkboxes; the customer then finished and activated the partnership.
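In the excerpt above only the first trace line carries the transaction ID, so a plain text search for the ID does not return the "Policy is blocked by time" line. The following added example (not part of the original article and not Broadcom code) follows the request from the transaction ID line to the `IsOk?` verdict. It assumes the third bracketed field identifies the worker handling the request; `authorization_trail`, `verdict` and the line for worker 5000 are constructed for illustration.

```python
import re

FIELD = re.compile(r"\[([^\]]*)\]")  # each trace field is wrapped in [...]

# Trace lines copied from this article, plus one constructed line from a
# different worker (5000) to show why filtering on the third field matters.
SAMPLE = """\
[03/06/2020][21:03:56][4128][2b90d625-f5f067ec-00b0051a-4af90ba6-bc9eb3c3-fb][IsAuthorized.cpp:680][CSm_Az_Message::IsAuthorized][samlsp:<POLICY>][][][<USER>][][][][Authorizing user...]
[03/06/2020][21:03:56][5000][][SmAuthorization.cpp:809][CSmAz::TestPolicy][samlsp:<OTHER>][][][][][][][Evaluating policy...]
[03/06/2020][21:03:56][4128][][SmAuthorization.cpp:823][CSmAz::TestPolicy][samlsp:<POLICY>][][][][][][][Policy is blocked by time]
[03/06/2020][21:03:56][4128][][SmAuthorization.cpp:1726][CSmAz::IsOk][samlsp:<POLICY>][][][][][][][Policy is not applicable. Skipped.]
[03/06/2020][21:03:56][4128][][SmAuthorization.cpp:1854][CSmAz::IsOk][][][][][][][][IsOk? No.]
"""

TXN = "2b90d625-f5f067ec-00b0051a-4af90ba6-bc9eb3c3-fb"


def authorization_trail(trace_text, txn_id):
    """Return [(source, message)] from the txn_id line to the IsOk? verdict."""
    worker, trail = None, []
    for line in trace_text.splitlines():
        f = FIELD.findall(line)
        if len(f) < 6:
            continue                      # not a trace record
        if f[3] == txn_id:
            worker = f[2]                 # remember which worker handles it
        elif worker is None or f[2] != worker:
            continue                      # before the request, or another worker
        elif f[3]:
            break                         # same worker moved on to a new transaction
        trail.append((f[4], f[-1]))
        if f[-1].startswith("IsOk?"):
            break                         # final authorization verdict
    return trail


def verdict(trail):
    """Final IsOk? message, or None if the trace was cut off before it."""
    return next((m for _, m in reversed(trail) if m.startswith("IsOk?")), None)


if __name__ == "__main__":
    for source, message in authorization_trail(SAMPLE, TXN):
        print(f"{source:28} {message}")
```
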