Error: ACS_FAILED_PROCESS_FAILURE and 500 in browser in Federation

Article ID: 188685


Products

  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On Agents (SiteMinder)
  CA Single Sign On Federation (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  SITEMINDER

Issue/Introduction

 

When running Federation Services as an SP (Service Provider), the browser returns to the Assertion Consumer page on the SP after authenticating successfully at the IdP (Identity Provider), and the Federation Service then returns error 500 to the browser.

  https://mysp.sp.com/affwebservices/public/saml2assertionconsumer

  HTTP Status 500 - Internal Error occurred while trying to process the
  request. Transaction ID:
  beea39ed-52f0ed02-c785bf98-7e237392-2a8392dd-f7 failed.

The Federation Service shows error:

    "ACS_FAILED_PROCESS_FAILURE"

Environment

 

  CA Access Gateway (SPS) 12.8SP0 on Windows 2016;
  Policy Server 12.8SP1 on Windows 2016;

 

Cause

 

The request ends with a 500 error:

logs.saz

fiddler.saz :

Line 1 :

GET https://myidp.idp.com/sso/saml?SAMLRequest=pVHLboMwELznK5DvYDAkEAuQIkWRIqUPtVEPvUTGmMYN2MRrquTva1Ck9NJeuoc97MzOjmbz1WCP6kWcBwHWW7smFbNSqwIdre2BYiy%2BzNU6AEAH%2BmRZwHWHWd9PgDYfaRbPY3IYIWBd65BW8knjEGFxOSWmS8%2F2s9ro3dNeJpcFdkp4pCJvuy7QoWYJbzhbxiwlQrCsqpZN6IZknpE4Zsu6IgtHBRjEVoFlyhaIhCT0w8QP032Y0YTQOHlH3pswMHknQYi8S9cqKNBgFNUMJFDFOgHUcvq6ethRx6G90VZz3aJy5rnKFUR0OmS8jTYds7%2BvR0E0TWTtNxOVDgp6wWUjRX07Tp3e3wYYgDBjVqgclcYQfehzfDdyc%2FboVrfrZ%2B2yvf7TGy5nOf759%2FIb

  HTTP/1.1 200 OK
  Date: Tue, 07 Apr 2020 08:43:01 GMT
  Server: Apache

Line 2 :

POST https://mysp.sp.com/affwebservices/public/saml2assertionconsumer
SAMLResponse=rVXBbtpAED23Uv%2FB8h1sr01srwIpDYqE1CRSSHPopVp2x81WeG1510n4%2B84aMDYhtFUjcWGYnffmvZnh%2FOIlXzlPUGlZqLEbDH3XAcULIdXPsfvt%2FmqQuBeTc83yFSnpHeiyUBqcGWgjFTPNo0djSk09L1%2FrcogfXuQey7JnWGqoniQH7ZX1ciW515RhGsP2JcdSdQ6V68xnY1eKIE6DlETRKAqCyCckJn4QR2GYno0wRe3A74ux%2B0OwiGdCM6ZF9qwFS5bLNPMxSkgYslQsyRm%2B0bqGudKGKTN2iU%2F8gR8N%2FPjeT2gUUj8Yxj757joPu%2FaJbR8FUZpuOh67daVowbTUVLEcNDWcLqbXXymm0rIqTMGLlTv59HEjEW0gK%2BeqqHJmTr%2B2ESkGWZNKQRlp1j30089bGS264%2BRrKcqBFMjE61JpqZV0YZipdZPdD10WApwHtqrhNKRusumi5uipdr1JC9YpvhViuqPXMxcgSRJCIoKejphmQUDewaZ%2FEuqdjGpqdWXHyofCt2CLevkLuNm%2B2QZvsOx89kcGwTA4YFArXQKXmQSxo4FE4PNm9bYYXhekD7xlc1moTNqC1qRrMI%2BFOK0Dz%2BkSWIUL26K%2BXXHGDDu6tJylIYtxEuzO4voy3OJmcUdJZ3VvCnOrbqtpZqB6NRPJfibuUIhSgh2c%2Fz5D3qSv3ZGuJl2fu65uhcBcIW2ith18AXQMDumHHfp%2F2Wbfv2ktsGMOqK2pJG95HUnB%2BAerx3ZCu911Uo6FD4vvft932O17WptHZU8A5OiF03x9a6MJHaXDOEqx%2FQWeESw1VwJejs7H5qaP7F9COxuHYiAUkjLwYl6rsP%2FtcoWG30FmFTl5LTjlNhXDnT17Ld7Rym%2Bl9BTsa7W%2FofuT2b2ruwWa%2FAY%3D

  HTTP/1.1 500 Internal Server Error
  Date: Tue, 07 Apr 2020 08:43:02 GMT
  Server: Apache/2.4.29 (Win64) OpenSSL/1.0.2l-fips mod_jk/1.2.42

  HTTP Status 500 - Internal Error occurred while trying to process the
  request. Transaction ID:
  137d7ea0-6b7b3339-5bbb8cae-04bbe378-726f86ba-20a failed.

affwebserv.log :

  [2844/8752][Tue Apr 07 2020 12:20:59][AssertionConsumer.java][ERROR][sm-FedClient-02
  890] Transaction with ID: 1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496 failed.
  Reason: ACS_FAILED_PROCESS_FAILURE (, , )

FWSTrace.log :

  [04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496]
  [FWSBase.java][authenticateUser][Passing response message through login call [CHECKPOINT = SSO_RESPONSEMESSAGEINLOGIN_REQ]]

  [04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496]
  [FWSBase.java][authenticateUser][result code from AgentAPI login call: 2]

  [04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496]
  [FWSBase.java][authenticateUser][Login failure [CHECKPOINT = SSO_LOGINFAILURE_RSP]]

  [04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496]
  [FWSBase.java][processFailedAuthentication][SAML Assertion based user authentication failed.]

  [04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496]
  [AssertionConsumer.java][processSAMLResponse][authenticateUser failed: 1]

  [04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496]
  [AssertionConsumer.java][redirectLoginFailure][AuthReason=48]

  [04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496]
  [ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]

The Policy Server consumes the assertion successfully, but it finds 2 users with the same mail attribute, so it cannot disambiguate the user and the authentication fails:

smtracedefault.log<SM2> :

  [04/07/2020][14:21:00.067][14:21:00][3056][3544][SmMessage.cpp:557][CSmMessage::ParseAgentMessage]
  [s17816/r365][][][][][][][][][][][][][][][][][][][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496]
  [Receive request attribute 221, data size is 48][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [04/07/2020][14:21:00.067][14:21:00][3056][3544][Saml2Validator.java][checkAssertion]
  [1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496][][][][][][][][][][][][][][][][][][][]
  [Assertion not rejected(id179327112032433342074115472): POST binding request, sig processing disabled]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [04/07/2020][14:21:00.067][14:21:00][3056][3544][SmAuthSaml.cpp:1478][SmAuthenticate]
  [][][][][][][][][][][][][][][][][][][][][Search Pattern: [email protected]][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [04/07/2020][14:21:00.067][14:21:00][3056][3544][SmDsDir.cpp:66][CSmDsDir::CSmDsDir]
  [][][][][][][][][][][][][][][][][][][About to initialize directory, Oid='0e-e7d7cd6d-55w2-4ffb-9e48-19e092c03805', Name='myspstore'][][Start of call InitDir.]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [04/07/2020][14:21:00.067][14:21:00][3056][3544][SmDsLdapProvider.cpp:1901][CSmDsLdapProvider::SearchImpl][][][][][][][][][][][][][][][][][][][][]
  [search filter is : (&(|(objectclass=organizationalPerson)(objectclass=inetOrgPerson)(objectclass=organization)(objectclass=organizationalUnit)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))([email protected]))]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [04/07/2020][14:21:00.223][14:21:00][3056][3544][SmDsLdapProvider.cpp:2344][CSmDsLdapProvider::Search][][][][][][][][][][][][][][][][][][]
  [(Search) Base: 'ou=postqa,dc=tenants,dc=home', Filter: '(&(|(objectclass=organizationalPerson)(objectclass=inetOrgPerson)(objectclass=organization)(objectclass=organizationalUnit)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))([email protected]))'. Status: 2 entries.]
  [][Ldap Search callout succeeds.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][] 

  [04/07/2020][14:21:00.223][14:21:00][3056][3544][SmAuthSaml.cpp:2315][SmAuthenticate][][][][][][][][][][][][][][][][][][][][]
  [User directory : 'myspstore', returned more than one user for search: '[email protected]'. Failed to disambiguate user uniquely. Returning user not found status code.]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [04/07/2020][14:21:00.223][14:21:00][3056][3544][Sm_Auth_Message.cpp:4902][CSm_Auth_Message::SendReply][s17816/r365][samlidp:myidp][][][][samlidp:myidp][samlidp:myidp]
  [myspstore][][][][][][][][][][][][][** Status: Authentication Attempt Failed. ][][][][][][48][][samlidp:mysp-idp-partnership][][][][][][][][]
  [06-56351236-84b4-4ff2-82f2-0f61f9f1be6e][][][][][][][][][][][][][][][][][][][][][]

Ensure that users in the User Directory are unique!

 

Resolution

 

In User Directory 

     myspstore 10.0.0.1:10000

ensure that only 1 user has the attribute:

     [email protected]

to solve this issue.
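One way to check a directory for the condition described above, as an added example (not part of the original article or of the product): it reads an LDIF export of the user directory and lists every mail value held by more than one entry. The LDIF export step, the `mail` attribute name as the lookup attribute, and the sample entries and addresses are assumptions made for illustration; the function also works for any other attribute name.

```python
import base64
from collections import defaultdict

# Constructed sample export (not from the article): three entries under the
# search base seen in the trace; two of them share one mail value.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=postqa,dc=tenants,dc=home
mail: user1@example.com

dn: uid=jdoe-old,ou=postqa,dc=tenants,dc=home
mail:: VVNFUjFAZXhhbXBsZS5jb20=

dn: uid=asmith,ou=postqa,dc=tenants,
 dc=home
mail: user2@example.com
"""

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per entry, unfolding lines and decoding '::' values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = defaultdict(list)
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in entry:
                yield entry["dn"][0], dict(entry)
            entry = defaultdict(list)
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>"
                value = base64.b64decode(value[1:]).decode("utf-8")
            entry[attr.lower()].append(value.strip())

def duplicate_values(ldif_text, attr="mail"):
    """Return {value: [dn, ...]} for each attr value held by more than one entry."""
    owners = defaultdict(list)
    for dn, attrs in parse_ldif(ldif_text):
        # Assumption: values compare case-insensitively, as for the standard mail attribute.
        for value in {v.lower() for v in attrs.get(attr.lower(), [])}:
            owners[value].append(dn)
    return {v: dns for v, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    for value, dns in duplicate_values(SAMPLE_LDIF).items():
        print(f"{value}: {len(dns)} entries -> {dns}")
```

An empty result means every value of the attribute maps to exactly one entry, which is the state the Resolution asks for.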