When CA Federation Services runs as the SP (Service Provider) and the browser returns to the Assertion Consumer Service page on the SP after a successful authentication at the IdP (Identity Provider), the Federation Service returns an HTTP 500 error to the browser:
https://mysp.spexample.com/affwebservices/public/saml2assertionconsumer
HTTP Status 500 - Internal Error occurred while trying to process the request. Transaction ID: beea39ed-52f0ed02-c785bf98-7e237392-2a8392dd-f7 failed.
The Federation Service logs the error:
"ACS_FAILED_PROCESS_FAILURE"
CA Access Gateway (SPS) 12.8SP0 on Windows 2016;
Policy Server 12.8SP1 on Windows 2016;
The request ends with a 500 error. Fiddler capture (fiddler.saz):

Request 1 :
GET https://myidp.idpexample.com/sso/saml?SAMLRequest=pVHLboMwELznK5DvYDA...........
Date: Tue, 07 Apr 2020 08:43:01 GMT
Server: Apache

Request 2 :
POST https://mysp.spexample.com/affwebservices/public/saml2assertionconsumer
SAMLResponse=rVXBbtpAED23Uv%2FB8h1........

HTTP/1.1 500 Internal Server Error
Date: Tue, 07 Apr 2020 08:43:02 GMT
Server: Apache/2.4.29 (Win64) OpenSSL/1.0.2l-fips mod_jk/1.2.42

HTTP Status 500 - Internal Error occurred while trying to process the request. Transaction ID: 137d7ea0-6b7b3339-5bbb8cae-04bbe378-726f86ba-20a failed.
affwebserv.log :
[2844/8752][Tue Apr 07 2020 12:20:59][AssertionConsumer.java][ERROR][sm-FedClient-02890] Transaction with ID: 1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496 failed. Reason: ACS_FAILED_PROCESS_FAILURE (, , )

FWSTrace.log :
[04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496][FWSBase.java][authenticateUser][Passing response message through login call [CHECKPOINT = SSO_RESPONSEMESSAGEINLOGIN_REQ]]
[04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496][FWSBase.java][authenticateUser][result code from AgentAPI login call: 2]
[04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496][FWSBase.java][authenticateUser][Login failure [CHECKPOINT = SSO_LOGINFAILURE_RSP]]
[04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496][FWSBase.java][processFailedAuthentication][SAML Assertion based user authentication failed.]
[04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496][AssertionConsumer.java][processSAMLResponse][authenticateUser failed: 1]
[04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496][AssertionConsumer.java][redirectLoginFailure][AuthReason=48]
[04/07/2020][12:20:59][2844][8752][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]
The Policy Server consumes the assertion successfully, but when it looks the user up in the user directory the search on the mail attribute returns two entries. It cannot tell which of the two is the authenticated user, so rather than guess it returns a "user not found" status (AuthReason=48), which the Federation Service surfaces as ACS_FAILED_PROCESS_FAILURE and an HTTP 500. The same trace also records "POST binding request, sig processing disabled" for this partnership; that is not the cause of this failure, but signature processing for incoming assertions should be enabled anywhere other than a test setup.
smtracedefault.log (SM2 format, empty trace columns omitted) :
[04/07/2020][14:21:00.067][3056][3544][SmMessage.cpp:557][CSmMessage::ParseAgentMessage][s17816/r365][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496][Receive request attribute 221, data size is 48]
[04/07/2020][14:21:00.067][3056][3544][Saml2Validator.java][checkAssertion][1280942c-0033dc38-c685a3fc-98cec5cc-6a0824bb-496][Assertion not rejected(id179327112032433342074115472): POST binding request, sig processing disabled]
[04/07/2020][14:21:00.067][3056][3544][SmAuthSaml.cpp:1478][SmAuthenticate][Search Pattern: [email protected]]
[04/07/2020][14:21:00.067][3056][3544][SmDsDir.cpp:66][CSmDsDir::CSmDsDir][About to initialize directory, Oid='0e-e7d7cd6d-55w2-4ffb-9e48-19e092c03805', Name='myspstore'][Start of call InitDir.]
[04/07/2020][14:21:00.067][3056][3544][SmDsLdapProvider.cpp:1901][CSmDsLdapProvider::SearchImpl][search filter is : (&(|(objectclass=organizationalPerson)(objectclass=inetOrgPerson)(objectclass=organization)(objectclass=organizationalUnit)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))([email protected]))]
[04/07/2020][14:21:00.223][3056][3544][SmDsLdapProvider.cpp:2344][CSmDsLdapProvider::Search][(Search) Base: 'ou=postqa,dc=tenants,dc=home', Filter: '(&(|(objectclass=organizationalPerson)(objectclass=inetOrgPerson)(objectclass=organization)(objectclass=organizationalUnit)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))([email protected]))'. Status: 2 entries.][Ldap Search callout succeeds.]
[04/07/2020][14:21:00.223][3056][3544][SmAuthSaml.cpp:2315][SmAuthenticate][User directory : 'myspstore', returned more than one user for search: '[email protected]'. Failed to disambiguate user uniquely. Returning user not found status code.]
[04/07/2020][14:21:00.223][3056][3544][Sm_Auth_Message.cpp:4902][CSm_Auth_Message::SendReply][s17816/r365][samlidp:myidp][myspstore][** Status: Authentication Attempt Failed. ][48][samlidp:mysp-idp-partnership][06-56351236-84b4-4ff2-82f2-0f61f9f1be6e]
Ensure that the users in the User Directory are unique.

In the User Directory
myspstore 10.0.0.1:10000
make sure that only one user entry carries the mail attribute value delivered by the assertion (the Search Pattern shown in the trace), so that the Policy Server's lookup returns exactly one entry. Remove or correct the duplicate entry to solve this issue.
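As an added example (not part of this KB article or of the CA Single Sign-On product), the following Python script reproduces the Policy Server's disambiguation decision offline and checks an LDIF export of the SP user store for duplicate lookup values before the next federation test. It assumes the lookup attribute is `mail`, as the cause above states (the actual attribute name in the trace's search filter is redacted on this page); the LDIF entries are constructed sample data, with two entries deliberately sharing one mail value to reproduce the "returned more than one user" condition.

```python
"""
Offline check for the SP user store: find attribute values shared by more
than one entry, and mirror the Policy Server's one-and-only-one lookup rule.
Added example; not product code.
"""
from collections import defaultdict

# Constructed sample LDIF export of ou=postqa,dc=tenants,dc=home.
# uid=jdoe and uid=jdoe2 share the same mail value on purpose.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=postqa,dc=tenants,dc=home
objectClass: inetOrgPerson
uid: jdoe
mail: jdoe@spexample.com

dn: uid=jdoe2,ou=postqa,dc=tenants,dc=home
objectClass: inetOrgPerson
uid: jdoe2
mail: jdoe@spexample.com

dn: uid=asmith,ou=postqa,dc=tenants,dc=home
objectClass: inetOrgPerson
uid: asmith
mail: asmith@spexample.com
"""


def parse_ldif(text):
    """Minimal LDIF parser (no base64 '::' values or line folding, which an
    export from ldapsearch -LLL of plain inetOrgPerson entries may omit).
    Returns one {attr: [values]} dict per entry; attribute names are
    lower-cased because LDAP attribute names are case-insensitive."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # blank line ends an entry
            if current:
                entries.append(current)
                current = None
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        current[attr.strip().lower()].append(value.strip())
    if current:
        entries.append(current)
    return entries


def find_duplicates(entries, attr="mail"):
    """Map every value of `attr` that occurs on more than one entry to the DNs
    carrying it. Values are compared case-insensitively, as the directory's
    caseIgnore matching rule for mail would."""
    by_value = defaultdict(list)
    for e in entries:
        for v in e.get(attr, []):
            by_value[v.lower()].append(e["dn"][0])
    return {v: dns for v, dns in by_value.items() if len(dns) > 1}


def disambiguate(entries, attr, value):
    """The decision the trace shows in SmAuthSaml.cpp: the user lookup must
    return exactly one entry. Zero matches -> user not found; more than one
    -> refuse to guess (the Policy Server also reports that as not found)."""
    matches = [e["dn"][0] for e in entries
               if value.lower() in (v.lower() for v in e.get(attr, []))]
    if len(matches) == 1:
        return ("ok", matches[0])
    if not matches:
        return ("user_not_found", None)
    return ("ambiguous", matches)


if __name__ == "__main__":
    store = parse_ldif(SAMPLE_LDIF)
    for value, dns in find_duplicates(store).items():
        print(f"duplicate mail {value!r} on {len(dns)} entries: {dns}")
    # The search pattern the assertion would deliver for the duplicated user:
    print(disambiguate(store, "mail", "jdoe@spexample.com"))
```

Run it against a real export by replacing SAMPLE_LDIF with the output of an `ldapsearch -LLL` over the user directory's base DN; any value reported by find_duplicates will produce the "Failed to disambiguate user uniquely" trace line as soon as an assertion for that user arrives.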