SAML SSO not working for any of the flows

Article ID: 189065

Products

  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On Agents (SiteMinder)
  CA Single Sign On Federation (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  SITEMINDER

Issue/Introduction


We're running Federation Services and the SAML requests fail: the parameter

  SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY [...]

gets appended to the request continuously, and the browser reports :

    ERR_TOO_MANY_REDIRECTS

How can we fix this ?

Cause


The browser goes into a loop, as described in the KB articles


  Request Looping Between Authentication URL and Federation URL
  https://knowledge.broadcom.com/external/article?articleId=75133

  Federation IdP initiated transaction entering in a redirection loop
  https://knowledge.broadcom.com/external/article?articleId=6225

but the cause here is slightly different.

The browser trace confirms that the request does go into a loop :

Fiddler.saz :

Line 5 :

GET https://myidp.idp.com/affwebservices/public/saml2sso?SPID=mysp.sp.com

  HTTP/1.1 302 Moved Temporarily
  Date: Tue, 07 Apr 2020 10:28:52 GMT
  Server: Apache
  Location: https://myidp.idp.com:443/affwebservices/nuage/redirect.jsp?SPID=mysp.sp.com&SMPORTALURL=https%3A%2F%2Fmyidp.idp.com%3A443%2Faffwebservices%2Fpublic%2Fsaml2sso&SAMLTRANSACTIONID=412da244-95dfd42e-98fa15a0-fa56f0e3-56f0288d-adf

Line 7 :

GET https://myidp.idp.com/affwebservices/nuage/redirect.jsp?SPID=mysp.sp.com&SMPORTALURL=https%3A%2F%2Fmyidp.idp.com%3A443%2Faffwebservices%2Fpublic%2Fsaml2sso&SAMLTRANSACTIONID=412da244-95dfd42e-98fa15a0-fa56f0e3-56f0288d-adf

  HTTP/1.1 302 Moved Temporarily
  Date: Tue, 07 Apr 2020 10:28:58 GMT
  Server: Apache
  Location: https://myidp.idp.com:443/affwebservices/public/saml2sso?SMASSERTIONREF=QUERY&SPID=mysp.sp.com&SAMLTRANSACTIONID=412da244-95dfd42e-98fa15a0-fa56f0e3-56f0288d-adf

Line 8 :

GET https://myidp.idp.com/affwebservices/public/saml2sso?SMASSERTIONREF=QUERY&SPID=mysp.sp.com&SAMLTRANSACTIONID=412da244-95dfd42e-98fa15a0-fa56f0e3-56f0288d-adf

  HTTP/1.1 302 Moved Temporarily
  Date: Tue, 07 Apr 2020 10:28:58 GMT
  Server: Apache
  Location: https://myidp.idp.com:443/affwebservices/nuage/redirect.jsp?SMASSERTIONREF=QUERY&SPID=mysp.sp.com&SAMLTRANSACTIONID=412da244-95dfd42e-98fa15a0-fa56f0e3-56f0288d-adf&SMPORTALURL=https%3A%2F%2Fmyidp.idp.com%3A443%2Faffwebservices%2Fpublic%2Fsaml2sso&SAMLTRANSACTIONID=24d66d38-64a3b27f-87b46a07-6005f90b-240317fc-ab7

Line 9 :

GET https://myidp.idp.com/affwebservices/nuage/redirect.jsp?SMASSERTIONREF=QUERY&SPID=mysp.sp.com&SAMLTRANSACTIONID=412da244-95dfd42e-98fa15a0-fa56f0e3-56f0288d-adf&SMPORTALURL=https%3A%2F%2Fmyidp.idp.com%3A443%2Faffwebservices%2Fpublic%2Fsaml2sso&SAMLTRANSACTIONID=24d66d38-64a3b27f-87b46a07-6005f90b-240317fc-ab7

  HTTP/1.1 302 Moved Temporarily
  Date: Tue, 07 Apr 2020 10:28:58 GMT
  Server: Apache
  Location: https://myidp.idp.com:443/affwebservices/public/saml2sso?SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SPID=mysp.sp.com&SAMLTRANSACTIONID=412da244-95dfd42e-98fa15a0-fa56f0e3-56f0288d-adf&SAMLTRANSACTIONID=24d66d38-64a3b27f-87b46a07-6005f90b-240317fc-ab7

Line 10 :

GET https://myidp.idp.com/affwebservices/public/saml2sso?SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SPID=mysp.sp.com&SAMLTRANSACTIONID=412da244-95dfd42e-98fa15a0-fa56f0e3-56f0288d-adf&SAMLTRANSACTIONID=24d66d38-64a3b27f-87b46a07-6005f90b-240317fc-ab7

  HTTP/1.1 302 Moved Temporarily
  Date: Tue, 07 Apr 2020 10:28:58 GMT
  Server: Apache
  Location: https://myidp.idp.com:443/affwebservices/nuage/redirect.jsp?SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SPID=mysp.sp.com&SAMLTRANSACTIONID=412da244-95dfd42e-98fa15a0-fa56f0e3-56f0288d-adf&SAMLTRANSACTIONID=24d66d38-64a3b27f-87b46a07-6005f90b-240317fc-ab7&SMPORTALURL=https%3A%2F%2Fmyidp.idp.com%3A443%2Faffwebservices%2Fpublic%2Fsaml2sso&SAMLTRANSACTIONID=85651c1d-b7ac239a-13f0e21d-89b446cd-78fd0ba1-808

And the Web Agent trace shows that the URLs aren't protected :

WebAgentTrace.log

  [04/07/2020][06:28:58][8881][2227083008][CSmHttpPlugin.cpp:703][CSmHttpPlugin::ProcessResource][000000000000000000000000fc4112ac-22b1-5e8c55e5-84be9700-99324e2d6ef5][*192.168.1.1][][fed_cox_wa][][][Resolved URL: '/affwebservices/public/saml2sso?SPID=mysp.sp.com'.]

  [04/07/2020][06:28:58][8881][2227083008][CSmLowLevelAgent.cpp:531][IsResourceProtected][000000000000000000000000fc4112ac-22b1-5e8c55e5-84be9700-99324e2d6ef5][*192.168.1.1][][][/affwebservices/public/saml2sso?SPID=mysp.sp.com][][Resource is not protected from cache.]

  [04/07/2020][06:28:58][8881][2147481344][CSmHttpPlugin.cpp:703][CSmHttpPlugin::ProcessResource][000000000000000000000000fc4112ac-22b1-5e8c55ea-7ffff700-b3c7301aa68cxb][*192.168.1.1][][][][][Resolved URL: '/affwebservices/myotherapp/redirect.jsp?SPID=mysp.sp.com&SMPORTALURL=https%3A%2F%2Fmyidp.idp.com%3A443%2Faffwebservices%2Fpublic%2Fsaml2sso&SAMLTRANSACTIONID=412da244-95dfd42e-98fa15a0-fa56f0e3-56f0288d-adf'.]

  [04/07/2020][06:28:58][8881][2147481344][CSmLowLevelAgent.cpp:535][IsResourceProtected][000000000000000000000000fc4112ac-22b1-5e8c55ea-7ffff700-b3c7301aa68c][*192.168.1.1][][][/affwebservices/nuage/redirect.jsp?SPID=mysp.sp.com&SMPORTALURL=https%3A%2F%2Fmyidp.idp.com%3A443%2Faffwebservices%2Fpublic%2Fsaml2sso&SAMLTRANSACTIONID=412da244-95dfd42e-98fa15a0-fa56f0e3-56f0288d-adf][][Resource is not protected from Policy Server.]

  [04/07/2020][06:28:58][8881][2139088640][CSmHttpPlugin.cpp:703][CSmHttpPlugin::ProcessResource][000000000000000000000000fc4112ac-22b1-5e8c55ea-7f7fe700-ca791470a08b][*192.168.1.1][][][][][Resolved URL: '/affwebservices/public/saml2sso?SMASSERTIONREF=QUERY&SPID=mysp.sp.com&SAMLTRANSACTIONID=412da244-95dfd42e-98fa15a0-fa56f0e3-56f0288d-adf'.]

  [04/07/2020][06:28:58][8881][2139088640][CSmLowLevelAgent.cpp:535][IsResourceProtected][000000000000000000000000fc4112ac-22b1-5e8c55ea-7f7fe700-ca791470a08b][*192.168.1.1][][fed_cox_wa][/affwebservices/public/saml2sso?SMASSERTIONREF=QUERY&SPID=mysp.sp.com&SAMLTRANSACTIONID=412da244-95dfd42e-98fa15a0-fa56f0e3-56f0288d-adf][][Resource is not protected from Policy Server.]

  [04/07/2020][06:28:58][8881][2130695936][CSmHttpPlugin.cpp:703][CSmHttpPlugin::ProcessResource][000000000000000000000000fc4112ac-22b1-5e8c55ea-7effd700-e1314c626aaf][*192.168.1.1][][fed_cox_wa][][][Resolved URL: '/affwebservices/myotherapp/redirect.jsp?SMASSERTIONREF=QUERY&SPID=mysp.sp.com&SAMLTRANSACTIONID=412da244-95dfd42e-98fa15a0-fa56f0e3-56f0288d-adf&SMPORTALURL=https%3A%2F%2Fmyidp.idp.com%3A443%2Faffwebservices%2Fpublic%2Fsaml2sso&SAMLTRANSACTIONID=24d66d38-64a3b27f-87b46a07-6005f90b-240317fc-ab7'.]

  [04/07/2020][06:28:58][8881][2130695936][CSmLowLevelAgent.cpp:535][IsResourceProtected][000000000000000000000000fc4112ac-22b1-5e8c55ea-7effd700-e1314c626aaf][*192.168.1.1][][][/affwebservices/nuage/redirect.jsp?SMASSERTIONREF=QUERY&SPID=mysp.sp.com&SAMLTRANSACTIONID=412da244-95dfd42e-98fa15a0-fa56f0e3-56f0288d-adf&SMPORTALURL=https%3A%2F%2Fmyidp.idp.com%3A443%2Faffwebservices%2Fpublic%2Fsaml2sso&SAMLTRANSACTIONID=24d66d38-64a3b27f-87b46a07-6005f90b-240317fc-ab7][][Resource is not protected from Policy Server.]

  [04/07/2020][06:28:58][8881][2122303232][CSmHttpPlugin.cpp:703][CSmHttpPlugin::ProcessResource][000000000000000000000000fc4112ac-22b1-5e8c55ea-7e7fc700-f79f3778894][*192.168.1.1][][][][][Resolved URL: '/affwebservices/public/saml2sso?SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SPID=mysp.sp.com&SAMLTRANSACTIONID=412da244-95dfd42e-98fa15a0-fa56f0e3-56f0288d-adf&SAMLTRANSACTIONID=24d66d38-64a3b27f-87b46a07-6005f90b-240317fc-ab7'.]

  [04/07/2020][06:28:58][8881][2122303232][CSmLowLevelAgent.cpp:535][IsResourceProtected][000000000000000000000000fc4112ac-22b1-5e8c55ea-7e7fc700-f79f3778894][*192.168.1.1][][][/affwebservices/public/saml2sso?SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SPID=mysp.sp.com&SAMLTRANSACTIONID=412da244-95dfd42e-98fa15a0-fa56f0e3-56f0288d-adf&SAMLTRANSACTIONID=24d66d38-64a3b27f-87b46a07-6005f90b-240317fc-ab7][][Resource is not protected from Policy Server.]

Looking at the configuration, the realm for redirect.jsp is
protected by the Agent Group :

  AgentGroup

This AgentGroup doesn't include the AgentName that the running Web
Agent uses, so it cannot protect the resource :

pstore.xml :

        <Object Class="CA.SM::AgentGroup" Xid="CA.SM::[email protected]" [...] >
                <LinkValue>
                    <XID>CA.SM::[email protected]</XID>
            <Property Name="CA.SM::AgentGroup.AgentTypeLink">
                <LinkValue>
                    <XID>CA.SM::[email protected]</XID>
            <Property Name="CA.SM::AgentGroup.Desc">
                <StringValue>agent group</StringValue>
            </Property>
            <Property Name="CA.SM::AgentGroup.Name">
                <StringValue>AgentGroup</StringValue>

        <Object Class="CA.SM::Agent" Xid="CA.SM::[email protected]" [...] >
            <Property Name="CA.SM::Agent.AgentTypeLink">
                <LinkValue>
                    <XID>CA.SM::[email protected]</XID>
            <Property Name="CA.SM::Agent.Desc">
                <StringValue>mywebagent</StringValue>
            </Property>
            <Property Name="CA.SM::Agent.Name">
                <StringValue>mywebagent</StringValue>

            <Object Class="CA.SM::Realm" Xid="CA.SM::[email protected]" [...] >
                <Property Name="CA.SM::Realm.AgentGroupLink">
                    <LinkValue>
                        <XID>CA.SM::[email protected]</XID>
                <Property Name="CA.SM::Realm.ResourceFilter">
                    <StringValue>/affwebservices/myotherapp/</StringValue>

The Web Agent has no AgentName defined, and its DefaultAgentName is
not set to "mywebagent" either :

WebAgent.log :

  [8668/1897109248][Tue Apr 07 2020 06:16:29] ***** Begin Configuration *******************************************

  [8668/1897109248][Tue Apr 07 2020 06:16:29] accepttpcookie='yes'.

  [8668/1897109248][Tue Apr 07 2020 06:16:29] agentconfigobject='myotherwebagentyACO'.

  [8668/1897109248][Tue Apr 07 2020 06:16:29] agentidfile='/opt/CA/webagent/conf/AgentId.dat'.

  [8668/1897109248][Tue Apr 07 2020 06:16:29] allowcacheheaders='no'.

  [8668/1897109248][Tue Apr 07 2020 06:16:29] allowlocalconfig='no'.

  [8668/1897109248][Tue Apr 07 2020 06:16:29] badurlchars='//,./,/.,/*,*.,~,\,%00-%1f,%7f-%ff,%25'.

  [8668/1897109248][Tue Apr 07 2020 06:16:29] defaultagentname='myotherwebagent'.

Environment


  Web Agent 12.52SP1CR09 on Apache 2.4 on Linux;

  Web Agent Option Pack 12.52SP1CR09 on Linux;

Resolution


The problem is that the request going to

  https://myidp.idp.com:443/affwebservices/myotherapp/redirect.jsp

is not protected, as the Web Agent trace above shows.

Looking at the configuration, protection of /affwebservices/myotherapp is
defined for the Web Agent Group named "AgentGroup". This Agent Group has a
single member agent, "mywebagent".

The Web Agent you run, however, is only configured with the AgentName
"myotherwebagent", which is not a member of that group, so the realm is
never enforced for the requests it serves and the Federation redirection
loops.

Ensure that the realms are protected by the Agent that actually serves
the requests to solve the issue.
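The checks described in this article, carried out in Python as an added example that is not part of the original article. It runs over constructed sample lines modelled on the WebAgentTrace.log, WebAgent.log and Fiddler data shown above (transaction ids shortened): it lists the resources the Web Agent reported as unprotected, extracts the agent names the Web Agent logged at startup, flags the repeated query parameters that mark the redirect loop, and compares the running agent's name with the realm's Agent Group members. The membership list is supplied by hand rather than parsed from pstore.xml.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines modelled on the article's WebAgentTrace.log (transaction ids shortened).
TRACE = """\
[04/07/2020][06:28:58][8881][2147481344][CSmHttpPlugin.cpp:703][CSmHttpPlugin::ProcessResource][fc4112ac-22b1][*192.168.1.1][][][][][Resolved URL: '/affwebservices/myotherapp/redirect.jsp?SPID=mysp.sp.com'.]
[04/07/2020][06:28:58][8881][2147481344][CSmLowLevelAgent.cpp:535][IsResourceProtected][fc4112ac-22b1][*192.168.1.1][][][/affwebservices/myotherapp/redirect.jsp?SPID=mysp.sp.com][][Resource is not protected from Policy Server.]
[04/07/2020][06:28:58][8881][2227083008][CSmLowLevelAgent.cpp:531][IsResourceProtected][fc4112ac-22b1][*192.168.1.1][][fed_cox_wa][/affwebservices/public/saml2sso?SPID=mysp.sp.com][][Resource is not protected from cache.]
"""

# Constructed startup lines modelled on the article's WebAgent.log.
AGENT_LOG = """\
[8668/1897109248][Tue Apr 07 2020 06:16:29] agentconfigobject='myotherwebagentyACO'.
[8668/1897109248][Tue Apr 07 2020 06:16:29] defaultagentname='myotherwebagent'.
"""

# Constructed Location headers modelled on the Fiddler capture (ids shortened).
LOCATIONS = [
    "https://myidp.idp.com:443/affwebservices/nuage/redirect.jsp?SPID=mysp.sp.com&SAMLTRANSACTIONID=412da244",
    "https://myidp.idp.com:443/affwebservices/public/saml2sso?SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SPID=mysp.sp.com&SAMLTRANSACTIONID=412da244&SAMLTRANSACTIONID=24d66d38",
]

def fields(line):
    """Split a bracket-delimited SiteMinder trace line into its fields."""
    return re.findall(r"\[([^\]]*)\]", line)

def unprotected_paths(trace):
    """Paths the Web Agent decided not to protect (query string stripped), deduplicated in order."""
    seen = []
    for line in trace.splitlines():
        f = fields(line)
        if len(f) >= 13 and f[-1].startswith("Resource is not protected"):
            path = f[-3].split("?", 1)[0]
            if path not in seen:
                seen.append(path)
    return seen

def configured_agent_names(agent_log):
    """agentname / defaultagentname values the Web Agent logged at startup."""
    return set(re.findall(r"\b(?:default)?agentname='([^']+)'", agent_log))

def duplicated_params(url):
    """Query parameters repeated in a URL: the signature of the redirect loop in the capture."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: len(v) for k, v in qs.items() if len(v) > 1}

def realm_enforced(realm_group_members, agent_names):
    """A realm is enforced only if the running agent's name is a member of the realm's Agent Group."""
    return bool(set(realm_group_members) & set(agent_names))
```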