
Issues with Legacy Federation after using Affwebservices on Access Gateway: error 500


Article ID: 202827


Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Federation (SiteMinder), SITEMINDER

Issue/Introduction

We are getting 500 errors for our Legacy federated application.  The 500 error occurs while consuming the assertion.  The assertion looks valid and the user ID (NameID) exists in the configured user store.

Environment

Release : ALL

Component : SITEMINDER FEDERATION SECURITY SERVICES

Cause

The FWSTrace.log showed that the 500 error was occurring due to the Target application not being protected.  As the SP is using Legacy Federation, the Target application must be protected with the SAML auth scheme.

Resolution

AgentName resolution was not occurring as expected, resulting in the Target application not being protected. With an update to the AgentName ACO parameter, the Target application was effectively protected with the required SAML auth scheme and the problem was resolved.

Additional Information

One of the advantages of Partnership Federation over Legacy Federation is that in Partnership Federation the Target application can be protected with any regular (non-SAML) auth scheme. This allows unauthenticated internal users to request the application directly without going through SAML authentication. With Legacy Federation, the Target application must be protected with the SAML auth scheme, and as such, if an unauthenticated user requests the application directly, a 500 error will occur because the web agent has no way to challenge the user under this circumstance (the SAML auth scheme can only perform assertion-based authentication).