
Getting error "ACS_FAILED_PROCESS_FAILURE"


Article ID: 188681


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction


We're running Federation Services as an SP (Service Provider). When
the browser comes back to the Assertion Consumer page on our SP
after having successfully authenticated at the IdP (Identity
Provider), the Federation Service returns error 500 to the browser.

  https://mysp.sp.com/affwebservices/public/saml2assertionconsumer

  HTTP Status 500 - Internal Error occured while trying to process the
  request. Transaction ID:
  beea39ed-52f0ed02-c785bf98-7e237392-2a8392dd-f7 failed.

  The Federation Service shows error :

    "ACS_FAILED_PROCESS_FAILURE"

How can we fix this?

Cause


The Policy Server reports that there is no signature to verify:

  Assertion rejected (id4411154545787544): POST binding
  request, but no signatures on assertion or request

and it uses this configuration:

  Description=SP to IDP partnership
  Name=mypartnership,
  DisableSignatureProcessing=0,
  DSigVerInfoSerialNumber=1441125s555w5,
  DSigVerificationAlias=mycert,

  [email protected], CN=mysp,
  OU=myidp, myteam, L=Atlanta, ST=Georgia, C=US,

Signature processing has not been disabled for this partnership, as
the policy store export also shows.

pstore.xml :

        <Object Class="CA.FED::PartnershipBase"
        Xid="CA.FED::[email protected]"
        CreatedDateTime="2020-03-24T10:45:47"
        ModifiedDateTime="2020-03-25T13:08:23" UpdatedBy="wamadmin"
        UpdateMethod="GUI" ExportType="Replace">

            <Property Name="CA.FED::PartnershipBase.Name">
                <StringValue>mypartnership</StringValue>
            </Property>
            <Property Name="CA.FED::PartnershipBase.DisableSignatureProcessing">
                <BooleanValue>false</BooleanValue>
            </Property>
            <Property Name="CA.FED::PartnershipBase.Description">
                <StringValue>SP to IDP partnership</StringValue>
            </Property>

The configuration on the IdP side has assertion signing disabled:

  Assertion Signature Unsigned

Detail of the full error :

fiddler.saz :

Line 1 :

GET https://myidp.idp.com/app/evryorg783532_oktasamlapplication_1/exk4rm7qtjbFoLOTi4x6/sso/saml?SAMLRequest=pVHLboMwELznK5DvYDAkEAuQIkWRIqUPtVEPvUTGmMYN2MRrquTva1Ck9NJeuoc97MzOjmbz1WCP6kWcBwHWW7smFbNSqwIdre2BYiy%2BzNU6AEAH%2BmRZwHWHWd9PgDYfaRbPY3IYIWBd65BW8knjEGFxOSWmS8%2F2s9ro3dNeJpcFdkp4pCJvuy7QoWYJbzhbxiwlQrCsqpZN6IZknpE4Zsu6IgtHBRjEVoFlyhaIhCT0w8QP032Y0YTQOHlH3pswMHknQYi8S9cqKNBgFNUMJFDFOgHUcvq6ethRx6G90VZz3aJy5rnKFUR0OmS8jTYds7%2BvR0E0TWTtNxOVDgp6wWUjRX07Tp3e3wYYgDBjVqgclcYQfehzfDdyc%2FboVrfrZ%2B2yvf7TGy5nOf759%2FIb

  HTTP/1.1 200 OK
  Date: Tue, 07 Apr 2020 08:43:01 GMT
  Server: Apache

Line 2 :

POST https://mysp.sp.com/affwebservices/public/saml2assertionconsumer
SAMLResponse=rVXBbtpAED23Uv%2FB8h1sr01srwIpDYqE1CRSSHPopVp2x81WeG1510n4%2B84aMDYhtFUjcWGYnffmvZnh%2FOIlXzlPUGlZqLEbDH3XAcULIdXPsfvt%2FmqQuBeTc83yFSnpHeiyUBqcGWgjFTPNo0djSk09L1%2FrcogfXuQey7JnWGqoniQH7ZX1ciW515RhGsP2JcdSdQ6V68xnY1eKIE6DlETRKAqCyCckJn4QR2GYno0wRe3A74ux%2B0OwiGdCM6ZF9qwFS5bLNPMxSkgYslQsyRm%2B0bqGudKGKTN2iU%2F8gR8N%2FPjeT2gUUj8Yxj757joPu%2FaJbR8FUZpuOh67daVowbTUVLEcNDWcLqbXXymm0rIqTMGLlTv59HEjEW0gK%2BeqqHJmTr%2B2ESkGWZNKQRlp1j30089bGS264%2BRrKcqBFMjE61JpqZV0YZipdZPdD10WApwHtqrhNKRusumi5uipdr1JC9YpvhViuqPXMxcgSRJCIoKejphmQUDewaZ%2FEuqdjGpqdWXHyofCt2CLevkLuNm%2B2QZvsOx89kcGwTA4YFArXQKXmQSxo4FE4PNm9bYYXhekD7xlc1moTNqC1qRrMI%2BFOK0Dz%2BkSWIUL26K%2BXXHGDDu6tJylIYtxEuzO4voy3OJmcUdJZ3VvCnOrbqtpZqB6NRPJfibuUIhSgh2c%2Fz5D3qSv3ZGuJl2fu65uhcBcIW2ith18AXQMDumHHfp%2F2Wbfv2ktsGMOqK2pJG95HUnB%2BAerx3ZCu911Uo6FD4vvft932O17WptHZU8A5OiF03x9a6MJHaXDOEqx%2FQWeESw1VwJejs7H5qaP7F9COxuHYiAUkjLwYl6rsP%2FtcoWG30FmFTl5LTjlNhXDnT17Ld7Rym%2Bl9BTsa7W%2FofuT2b2ruwWa%2FAY%3D

  HTTP/1.1 500 Internal Server Error
  Date: Tue, 07 Apr 2020 08:43:02 GMT
  Server: Apache/2.4.29 (Win64) OpenSSL/1.0.2l-fips mod_jk/1.2.42

  HTTP Status 500 - Internal Error occured while trying to process the
  request. Transaction ID:
  137d7ea0-6b7b3339-5bbb8cae-04bbe378-726f86ba-20a failed.

affwebserv.log :

  [2844/8752][Tue Apr 07 2020
  08:43:02][FWSBase.java][ERROR][sm-FedClient-00360] SAML Assertion
  based user authentication failed. ()

  [2844/8752][Tue Apr 07 2020
  08:43:02][AssertionConsumer.java][ERROR][sm-FedClient-02890]
  Transaction with ID:
  137d7ea0-6b7b3339-5bbb8cae-04bbe378-726f86ba-20a failed. Reason:
  ACS_FAILED_PROCESS_FAILURE (, , )

FWSTrace.log :

  [04/07/2020][08:43:02][2844][8752][137d7ea0-6b7b3339-5bbb8cae-04bbe378
  -726f86ba-20a][FWSBase.java][authenticateUser][Passing response messag
  e through login call [CHECKPOINT = SSO_RESPONSEMESSAGEINLOGIN_REQ]]

  [04/07/2020][08:43:02][2844][8752][137d7ea0-6b7b3339-5bbb8cae-04bbe378
  -726f86ba-20a][FWSBase.java][authenticateUser][result code from AgentA
  PI login call: 2]

  [04/07/2020][08:43:02][2844][8752][137d7ea0-6b7b3339-5bbb8cae-04bbe378
  -726f86ba-20a][FWSBase.java][authenticateUser][Login failure [CHECKPOI
  NT = SSO_LOGINFAILURE_RSP]]

  [04/07/2020][08:43:02][2844][8752][137d7ea0-6b7b3339-5bbb8cae-04bbe378
  -726f86ba-20a][FWSBase.java][processFailedAuthentication][SAML Asserti
  on based user authentication failed.]

  [04/07/2020][08:43:02][2844][8752][137d7ea0-6b7b3339-5bbb8cae-04bbe378
  -726f86ba-20a][AssertionConsumer.java][processSAMLResponse][authentica
  teUser failed: 1]

  [04/07/2020][08:43:02][2844][8752][137d7ea0-6b7b3339-5bbb8cae-04bbe378
  -726f86ba-20a][AssertionConsumer.java][redirectLoginFailure][AuthReaso
  n=50]

  [04/07/2020][08:43:02][2844][8752][137d7ea0-6b7b3339-5bbb8cae-04bbe378
  -726f86ba-20a][AssertionConsumer.java][redirectLoginFailure][Redirect 
  Mode="0" URL="null"]

  [04/07/2020][08:43:02][2844][8752][137d7ea0-6b7b3339-5bbb8cae-04bbe378
  -726f86ba-20a][AssertionConsumer.java][redirectLoginFailure][Ending SA
  ML2 AssertionConsumer Service request processing with HTTP error 500]

smtracedefault.log<SM2> :

  [04/07/2020][10:43:03.260][10:43:03][3056][3536][SmMessage.cpp:557][CS
  mMessage::ParseAgentMessage][s17311/r644][][][][][][][][][][][][][][][
  ][][][][137d7ea0-6b7b3339-5bbb8cae-04bbe378-726f86ba-20a][Receive requ
  est attribute 221, data size is 48][][][][][][][][][][][][][][][][][][
  ][][][][][][][][][][][][][][][][][][][][]

  [04/07/2020][10:43:03.260][10:43:03][3056][3536][Sm_Auth_Message.cpp:7
  80][CSm_Auth_Message::AuthenticateUser][137d7ea0-6b7b3339-5bbb8cae-04b
  be378-726f86ba-20a][samlidp:mypartnership][/][][][samlidp:mypartnership][samlidp:p
  n-okta][][][][][][][][][][][][][][Authenticating user.][][][][][][5][0
  ][samlidp:mypartnership_auth][][][][][][][][][06-56351236-84b4-4ff2-82f2-0f6
  1f9f1be6e][][][][][][][][][][][][][][][][][][][][][]

  [04/07/2020][10:43:03.260][10:43:03][3056][3536][Saml2Validator.java][
  getConfig][137d7ea0-6b7b3339-5bbb8cae-04bbe378-726f86ba-20a][][][][][]
  [][][][][][][][][][][][][][][samlConfigData: {NameIDPolicyFormat=urn:o
  asis:names:tc:SAML:1.1:nameid-format:unspecified,  [...] Description=S
  P to IDP partnership, [...] DSigVerInfoSerialNumber=17096e23d
  8a, [...] DSigVerificationAlias=mycert, [...] DisableSignatureP
  rocessing=0, [...] Name=mypartnership, [...] DSigVerInfoIssuerDN=EMAILADDRES
  [email protected], CN=mysp, OU=myidp, myteam, L=Atlanta, ST=Georgia, C=US,
  [...] ][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][]

  [04/07/2020][10:43:03.260][10:43:03][3056][3536][Saml2Validator.java][
  stripWrapper][137d7ea0-6b7b3339-5bbb8cae-04bbe378-726f86ba-20a][][][][
  ][][][][][][][][][][][][][][][][Response message being processed: <Use
  rCredentials><?xml version="1.0" encoding="UTF-8"?><saml2p:Response De
  [...] </UserCredentials][][][][][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][]

  [04/07/2020][10:43:03.260][10:43:03][3056][3536][Saml2Validator.java][
  checkAssertion][137d7ea0-6b7b3339-5bbb8cae-04bbe378-726f86ba-20a][][][
  ][][][][][][][][][][][][][][][][][Assertion rejected (id17919213888224
  296556220112): POST binding request, but no signatures on assertion or
  request][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  [][][][][][][]

  [04/07/2020][10:43:03.276][10:43:03][3056][3536][SmAuthSaml.cpp:1295][
  ][][][][][][][][][][][][][][][][][][][][][LogMessage:INFO:[sm-log-0000
  0] SmAuthenticateJNI() failed. ][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][]

  [04/07/2020][10:43:03.276][10:43:03][3056][3536][SmAuthSaml.cpp:2027][
  SmAuthenticate][][][][][][][][][][][][][][][][][][][][][SAML Auth Sche
  me returning auth state: 3, auth reason: 50.][][][][][][][][][][][][][
  ][][][][][][][][][][][][][][][][][][][][][][][][][]

smps.log :

  [3056/3536][Tue Apr 07 2020
  10:43:03][SmAuthSaml.cpp:1295][INFO][sm-log-00000]
  SmAuthenticateJNI() failed.

Environment


  CA Access Gateway (SPS) 12.8SP0 on Windows 2016;

  Policy Server 12.8SP1 on Windows 2016;

Resolution


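- Disable signature processing in the Partnership "mypartnership", or ask the
  IdP side to sign the SAMLResponse Assertions.

  To disable signature processing, DisableSignatureProcessing should be set
  to 1. With that setting the SP accepts the assertion without verifying a
  signature; having the IdP sign the assertions keeps signature verification
  in place.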
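
To confirm the cause from a captured POST before changing the partnership, the SAMLResponse form value can be decoded and checked for signature elements. The following is an added example, not CA/Broadcom code; the function names and the sample message are constructed for illustration.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signature_report(form_value):
    """Decode a SAMLResponse form value (HTTP-POST binding: URL-encoded
    base64 of the XML) and report where enveloped signatures are present."""
    xml = base64.b64decode(urllib.parse.unquote(form_value), validate=True)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD found in SAML message, refusing to parse it")
    root = ET.fromstring(xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    # Only direct children count: that is where the SAML schema places the
    # enveloped ds:Signature of a Response or an Assertion.
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertions_signed": [a.find("ds:Signature", NS) is not None
                              for a in root.findall("saml:Assertion", NS)],
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
    }

def matches_no_signature_error(report):
    """True when neither the Response nor any clear-text Assertion carries a
    signature, the condition named in the Policy Server trace. An
    EncryptedAssertion may hold a signature inside, so it is not counted."""
    return not (report["response_signed"] or any(report["assertions_signed"])
                or report["encrypted_assertions"])

def encode_form_value(xml_text):
    """Encode XML the way it travels in the POST body."""
    return urllib.parse.quote(base64.b64encode(xml_text.encode()).decode(), safe="")

def sample_response(sign_assertion):
    """Constructed sample message (not the one from the trace above)."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"] if sign_assertion else ""
    return encode_form_value(
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1">'
        '<saml:Assertion ID="_a1"><saml:Issuer>https://idp.example</saml:Issuer>'
        '%s</saml:Assertion></samlp:Response>' % (NS["samlp"], NS["saml"], sig))

if __name__ == "__main__":
    for signed in (False, True):
        print(signed, signature_report(sample_response(signed)))
```

The check only reports whether a signature element is present; it does not validate the signature, which remains the Policy Server's job when signature processing is enabled.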