Getting error "ACS_FAILED_PROCESS_FAILURE"
Article ID: 188681
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER
Issue/Introduction
We're running a Federation Services as SP (Service Provider) and when
the browser comes back to the Assertion Consumer page on our SP
(Service Provider) after having successfully authenticated at IdP
(Identity Provider), then the Federation Service returns error 500 to
the browser.
https://mysp.sp.com/affwebservices/public/saml2assertionconsumer
HTTP Status 500 - Internal Error occured while trying to process the
request. Transaction ID:
beea39ed-52f0ed02-c785bf98-7e237392-2a8392dd-f7 failed.
The Federation Service shows error :
"ACS_FAILED_PROCESS_FAILURE"
How can we fix this ?
Environment
CA Access Gateway (SPS) 12.8SP0 on Windows 2016;
Policy Server 12.8SP1 on Windows 2016;
Cause
The error that the Policy Server reports there's no signature to
verify :
Assertion rejected (id4411154545787544): POST binding
request, but no signatures on assertion or request
and it uses that configuration :
Description=SP to IDP partnership
Name=mypartnership,
DisableSignatureProcessing=0,
DSigVerInfoSerialNumber=1441125s555w5,
DSigVerificationAlias=mycert,
[email protected], CN=mysp,
OU=myidp, myteam, L=Atlanta, ST=Georgia, C=US,
which is reflected here, you haven't disable the signature
processing :
pstore.xml :
<Object Class="CA.FED::PartnershipBase"
Xid="CA.FED::[email protected]"
CreatedDateTime="2020-03-24T10:45:47"
ModifiedDateTime="2020-03-25T13:08:23" UpdatedBy="wamadmin"
UpdateMethod="GUI" ExportType="Replace">
<Property Name="CA.FED::PartnershipBase.Name">
<StringValue>mypartnership</StringValue>
<Property Name="CA.FED::PartnershipBase.DisableSignatureProcessing">
<BooleanValue>false</BooleanValue>
<Property Name="CA.FED::PartnershipBase.Description">
<StringValue>SP to IDP partnership</StringValue>
The configuration from the IdP have signature disabled :
Assertion Signature Unsigned
Detail of the full error :
fiddler.saz :
Line 1 :
GET https://myidp.idp.com/app/evryorg783532_oktasamlapplication_1/exk4rm7qtjbFoLOTi4x6/sso/saml?SAMLRequest=pVHLboMwELznK5DvYDAkEAuQIkWRIqUPtVEPvUTGmMYN2MRrquTva1Ck9NJeuoc97MzOjmbz1WCP6kWcBwHWW7smFbNSqwIdre2BYiy%2BzNU6AEAH%2BmRZwHWHWd9PgDYfaRbPY3IYIWBd65BW8knjEGFxOSWmS8%2F2s9ro3dNeJpcFdkp4pCJvuy7QoWYJbzhbxiwlQrCsqpZN6IZknpE4Zsu6IgtHBRjEVoFlyhaIhCT0w8QP032Y0YTQOHlH3pswMHknQYi8S9cqKNBgFNUMJFDFOgHUcvq6ethRx6G90VZz3aJy5rnKFUR0OmS8jTYds7%2BvR0E0TWTtNxOVDgp6wWUjRX07Tp3e3wYYgDBjVqgclcYQfehzfDdyc%2FboVrfrZ%2B2yvf7TGy5nOf759%2FIb
HTTP/1.1 200 OK
Date: Tue, 07 Apr 2020 08:43:01 GMT
Server: Apache
Line 2 :
POST https://mysp.sp.com/affwebservices/public/saml2assertionconsumer
SAMLResponse=rVXBbtpAED23Uv%2FB8h1sr01srwIpDYqE1CRSSHPopVp2x81WeG1510n4%2B84aMDYhtFUjcWGYnffmvZnh%2FOIlXzlPUGlZqLEbDH3XAcULIdXPsfvt%2FmqQuBeTc83yFSnpHeiyUBqcGWgjFTPNo0djSk09L1%2FrcogfXuQey7JnWGqoniQH7ZX1ciW515RhGsP2JcdSdQ6V68xnY1eKIE6DlETRKAqCyCckJn4QR2GYno0wRe3A74ux%2B0OwiGdCM6ZF9qwFS5bLNPMxSkgYslQsyRm%2B0bqGudKGKTN2iU%2F8gR8N%2FPjeT2gUUj8Yxj757joPu%2FaJbR8FUZpuOh67daVowbTUVLEcNDWcLqbXXymm0rIqTMGLlTv59HEjEW0gK%2BeqqHJmTr%2B2ESkGWZNKQRlp1j30089bGS264%2BRrKcqBFMjE61JpqZV0YZipdZPdD10WApwHtqrhNKRusumi5uipdr1JC9YpvhViuqPXMxcgSRJCIoKejphmQUDewaZ%2FEuqdjGpqdWXHyofCt2CLevkLuNm%2B2QZvsOx89kcGwTA4YFArXQKXmQSxo4FE4PNm9bYYXhekD7xlc1moTNqC1qRrMI%2BFOK0Dz%2BkSWIUL26K%2BXXHGDDu6tJylIYtxEuzO4voy3OJmcUdJZ3VvCnOrbqtpZqB6NRPJfibuUIhSgh2c%2Fz5D3qSv3ZGuJl2fu65uhcBcIW2ith18AXQMDumHHfp%2F2Wbfv2ktsGMOqK2pJG95HUnB%2BAerx3ZCu911Uo6FD4vvft932O17WptHZU8A5OiF03x9a6MJHaXDOEqx%2FQWeESw1VwJejs7H5qaP7F9COxuHYiAUkjLwYl6rsP%2FtcoWG30FmFTl5LTjlNhXDnT17Ld7Rym%2Bl9BTsa7W%2FofuT2b2ruwWa%2FAY%3D
HTTP/1.1 500 Internal Server Error
Date: Tue, 07 Apr 2020 08:43:02 GMT
Server: Apache/2.4.29 (Win64) OpenSSL/1.0.2l-fips mod_jk/1.2.42
HTTP Status 500 - Internal Error occured while trying to process the
request. Transaction ID:
137d7ea0-6b7b3339-5bbb8cae-04bbe378-726f86ba-20a failed.
affwebserv.log
[2844/8752][Tue Apr 07 2020
08:43:02][FWSBase.java][ERROR][sm-FedClient-00360] SAML Assertion
based user authentication failed. ()
[2844/8752][Tue Apr 07 2020
08:43:02][AssertionConsumer.java][ERROR][sm-FedClient-02890]
Transaction with ID:
137d7ea0-6b7b3339-5bbb8cae-04bbe378-726f86ba-20a failed. Reason:
ACS_FAILED_PROCESS_FAILURE (, , )
FWSTrace.log :
[04/07/2020][08:43:02][2844][8752][137d7ea0-6b7b3339-5bbb8cae-04bbe378
-726f86ba-20a][FWSBase.java][authenticateUser][Passing response messag
e through login call [CHECKPOINT = SSO_RESPONSEMESSAGEINLOGIN_REQ]]
[04/07/2020][08:43:02][2844][8752][137d7ea0-6b7b3339-5bbb8cae-04bbe378
-726f86ba-20a][FWSBase.java][authenticateUser][result code from AgentA
PI login call: 2]
[04/07/2020][08:43:02][2844][8752][137d7ea0-6b7b3339-5bbb8cae-04bbe378
-726f86ba-20a][FWSBase.java][authenticateUser][Login failure [CHECKPOI
NT = SSO_LOGINFAILURE_RSP]]
[04/07/2020][08:43:02][2844][8752][137d7ea0-6b7b3339-5bbb8cae-04bbe378
-726f86ba-20a][FWSBase.java][processFailedAuthentication][SAML Asserti
on based user authentication failed.]
[04/07/2020][08:43:02][2844][8752][137d7ea0-6b7b3339-5bbb8cae-04bbe378
-726f86ba-20a][AssertionConsumer.java][processSAMLResponse][authentica
teUser failed: 1]
[04/07/2020][08:43:02][2844][8752][137d7ea0-6b7b3339-5bbb8cae-04bbe378
-726f86ba-20a][AssertionConsumer.java][redirectLoginFailure][AuthReaso
n=50]
[04/07/2020][08:43:02][2844][8752][137d7ea0-6b7b3339-5bbb8cae-04bbe378
-726f86ba-20a][AssertionConsumer.java][redirectLoginFailure][Redirect
Mode="0" URL="null"]
[04/07/2020][08:43:02][2844][8752][137d7ea0-6b7b3339-5bbb8cae-04bbe378
-726f86ba-20a][AssertionConsumer.java][redirectLoginFailure][Ending SA
ML2 AssertionConsumer Service request processing with HTTP error 500]
smtracedefault.log<SM2> :
[04/07/2020][10:43:03.260][10:43:03][3056][3536][SmMessage.cpp:557][CS
mMessage::ParseAgentMessage][s17311/r644][][][][][][][][][][][][][][][
][][][][137d7ea0-6b7b3339-5bbb8cae-04bbe378-726f86ba-20a][Receive requ
est attribute 221, data size is 48][][][][][][][][][][][][][][][][][][
][][][][][][][][][][][][][][][][][][][][]
[04/07/2020][10:43:03.260][10:43:03][3056][3536][Sm_Auth_Message.cpp:7
80][CSm_Auth_Message::AuthenticateUser][137d7ea0-6b7b3339-5bbb8cae-04b
be378-726f86ba-20a][samlidp:mypartnership][/][][][samlidp:mypartnership][samlidp:p
n-okta][][][][][][][][][][][][][][Authenticating user.][][][][][][5][0
][samlidp:mypartnership_auth][][][][][][][][][06-56351236-84b4-4ff2-82f2-0f6
1f9f1be6e][][][][][][][][][][][][][][][][][][][][][]
[04/07/2020][10:43:03.260][10:43:03][3056][3536][Saml2Validator.java][
getConfig][137d7ea0-6b7b3339-5bbb8cae-04bbe378-726f86ba-20a][][][][][]
[][][][][][][][][][][][][][][samlConfigData: {NameIDPolicyFormat=urn:o
asis:names:tc:SAML:1.1:nameid-format:unspecified, [...] Description=S
P to IDP partnership, [...] DSigVerInfoSerialNumber=17096e23d
8a, [...] DSigVerificationAlias=mycert, [...] DisableSignatureP
rocessing=0, [...] Name=mypartnership, [...] DSigVerInfoIssuerDN=EMAILADDRES
[email protected], CN=mysp, OU=myidp, myteam, L=Atlanta, ST=Georgia, C=US,
[...] ][][][][][][][][][][][][][][][][][][][]
[][][][][][][][][][][][][][][][][][][]
[04/07/2020][10:43:03.260][10:43:03][3056][3536][Saml2Validator.java][
stripWrapper][137d7ea0-6b7b3339-5bbb8cae-04bbe378-726f86ba-20a][][][][
][][][][][][][][][][][][][][][][Response message being processed: <Use
rCredentials><?xml version="1.0" encoding="UTF-8"?><saml2p:Response De
[...] </UserCredentials][][][][][][][][][][][][][][][][][][][][][][][]
[][][][][][][][][][][][][][][]
[04/07/2020][10:43:03.260][10:43:03][3056][3536][Saml2Validator.java][
checkAssertion][137d7ea0-6b7b3339-5bbb8cae-04bbe378-726f86ba-20a][][][
][][][][][][][][][][][][][][][][][Assertion rejected (id17919213888224
296556220112): POST binding request, but no signatures on assertion or
request][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][][][][][]
[04/07/2020][10:43:03.276][10:43:03][3056][3536][SmAuthSaml.cpp:1295][
][][][][][][][][][][][][][][][][][][][][][LogMessage:INFO:[sm-log-0000
0] SmAuthenticateJNI() failed. ][][][][][][][][][][][][][][][][][][][]
[][][][][][][][][][][][][][][][][][][]
[04/07/2020][10:43:03.276][10:43:03][3056][3536][SmAuthSaml.cpp:2027][
SmAuthenticate][][][][][][][][][][][][][][][][][][][][][SAML Auth Sche
me returning auth state: 3, auth reason: 50.][][][][][][][][][][][][][
][][][][][][][][][][][][][][][][][][][][][][][][][]
smps.log :
[3056/3536][Tue Apr 07 2020
10:43:03][SmAuthSaml.cpp:1295][INFO][sm-log-00000]
SmAuthenticateJNI() failed.
Resolution
- Disable signature processing in the Partnership "mypartnership" or ask the
IdP side to sign the SAMLResponse Assertions.
DisableSignatureProcessing should be set to 1
Feedback
Yes
No
Powered by
