Error: Communication failure when using OpenId Authentication Scheme
Article ID: 206458

Products

CA Single Sign On Agents (SiteMinder) SITEMINDER

Issue/Introduction

When running a Web Agent, a user who tries to log in to a web site protected with the OpenID Authentication Scheme sees the Web Agent report the error:

Communication failure between SiteMinder policy server and web agent.

and the browser receives a 500 HTTP return code.
Environment

    Web Agent 12.52SP1CR09 64bit on Apache 2.2.34 64bit on RedHat 6;
    Policy Server 12.8SP3 on RedHat 6;
        AdoptOpenJDK 1.8.0_252;
Cause

It appears that Google's support for OpenID no longer works, and the configuration should be migrated to OpenID Connect instead. The 12.8 documentation states explicitly that very few providers still support OpenID (1).

Indeed, Google doesn't support OpenID 2.0 anymore (2).

The logs below show that a Policy Server configured to use Google OpenID 2.0 can never complete the request.

The sequence appears in the logs as follows:

The browser goes to the myapp resource:

fiddler.saz:

Line 6:

    GET https://_host._domain._com/myapp/ 

      HTTP/1.1 500 Internal Server Error
      Date: Mon, 04 Jan 2021 17:14:38 GMT

      <title>500 Internal Server Error</title>

And the Web Agent configured for OpenID 2.0 gets an error from the Policy Server when it asks for the protection details:

WebAgent.log :

    [9757/652633856][Mon Jan 04 2021 18:14:06] ignoreext='.class,.gif,.jpg,.jpeg,.png,.fcc,.scc,.sfcc,.ccc,.ntc,.css,.ico,.js'.

    [9757/652633856][Mon Jan 04 2021 18:14:06] fcccompatmode='no'.

    [9757/652633856][Mon Jan 04 2021 18:14:06] loadplugin='/opt/CA/webagent/bin/libOpenIDPlugin.so'.

    [9772/1457039104][Mon Jan 04 2021 18:14:39][CSmLowLevelAgent.cpp:557][ERROR][sm-AgentFramework-00520] LLA: SiteMinder Agent Api function failed - 'Sm_AgentApi_IsProtectedEx' returned '-1'.

    [9772/1457039104][Mon Jan 04 2021 18:14:39][CSmProtectionManager.cpp:192][ERROR][sm-AgentFramework-00420] HLA: Component reported fatal error: 'Low Level Agent'.

    [9772/1457039104][Mon Jan 04 2021 18:14:39][CSmHighLevelAgent.cpp:424][ERROR][sm-AgentFramework-00420] HLA: Component reported fatal error: 'Protection Manager'.

The Web Agent traces report a problem when communicating with the Policy Server, which is not related to network connectivity:

WebAgenttrace.log :

    [01/04/2021][18:14:38][18:14:38.966][9772][1457039104][][Selected server 10.0.0.1: Current total capacity:  70, current throughput:   1][SmClient.cpp:2977][GetServer][][][][][][][][][][][][][][][][][][][][][][2][][][ACTIVE][2]

    [01/04/2021][18:14:39][18:14:39.411][9772][1457039104][00000000000000000000000061050a0a-262c-5ff34cfe-56d8a700-78b8fc1e6eb][Communication failure between SiteMinder policy server and web agent.][CSmLowLevelAgent.cpp:552][IsResourceProtected][10.0.0.2][*10.0.0.3][][_host._domain._com_WebAgent][][][][][/myapp/][GET][][][][][][][][][][][][][][][][]

smtracedefault.log:

    [Receive request attribute 221, data size is 67][SmMessage.cpp:557][64864][139919808775936][01/04/2021][18:14:26][18:14:26.531][CSmMessage::ParseAgentMessage][][][][][][][][][][][s197/r122][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][00000000000000000000000061050a0a-262c-5ff34cfe-56d8a700-78b8fc1e6eb][][][][][][][][][][][][][]

    [Receive request attribute 201, data size is 5][SmMessage.cpp:557][64864][139919808775936][01/04/2021][18:14:26][18:14:26.531][CSmMessage::ParseAgentMessage][][][][][][][][][_host._domain._com_WebAgent][][s197/r122][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][/myapp/][][][][][][][][][][][][][]

    [Starting IsProtected processing.][IsProtected.cpp:98][64864][139919808775936][01/04/2021][18:14:26][18:14:26.532][CSm_Az_Message::IsProtected][][][][][][][][][_host._domain._com_WebAgent][][][][][][][][][][https://_host._domain._com][][][][][][][][][][][][/myapp/][GET][][][][][][][][][][][][][][][][][][][][][][][][][][]

    [LogMessage:ERROR:[sm-Server-02940] Failed to query authentication scheme 'myGoogleOpenID'][SmAuthServer.cpp:339][64864][139919808775936][01/04/2021][18:14:26][18:14:26.973][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

    [Send response attribute 158, data size is 98][Sm_Az_Message.cpp:828][64864][139919808775936][01/04/2021][18:14:26][18:14:26.975][CSm_Az_Message::FormatAttribute][][][][mydomain.com][myrealm][][][][_host._domain._com_WebAgent][][s197/r122][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][IsProtectedEx][Reject s197/r122 : internal error - failed to obtain scheme credentials for scheme 'myGoogleOpenID'][52 65 6a 65 63 74 20 73 31 39 37 2f 72 31 32 32 20 3a 20 69 6e 74 65 72 6e 61 6c 20 [...omitted for brevity...] 47 6f 6f 67 6c 65 5f 4f 70 65 6e 49 44 27 ][][][][][][][][][][][][]

    [** Status: Error. Reject s197/r122 : internal error - failed to obtain scheme credentials for scheme 'myGoogleOpenID'][Sm_Az_Message.cpp:598][64864][139919808775936][01/04/2021][18:14:26][18:14:26.975][CSm_Az_Message::SendReply][][][][mydomain.com][myrealm][][][][_host._domain._com_WebAgent][][s197/r122][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
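The two trace excerpts above only make sense when read together: the Web Agent sees a generic "Communication failure" on IsProtected, while the Policy Server records the real reason, an authentication scheme that failed to load. The following Python script is an added example, not part of this article or of the SiteMinder product. It parses the bracketed-field trace format with a nesting-aware splitter (a plain `[...]` regex would break on messages such as `[sm-Server-02940] ...` that themselves contain brackets), extracts the agent-side communication failures and the server-side scheme failures, and returns a verdict that separates a scheme-configuration problem from a genuine connectivity one. The sample lines are constructed from the layout shown above with trailing empty fields trimmed and a made-up transaction id; the field positions it relies on and the function names (`diagnose`, `split_fields`) are assumptions of this example.

```python
import re

# Constructed sample lines. They follow the bracketed-field layout shown in the
# article, but trailing empty fields are trimmed and the transaction id is made up.
WEBAGENT_TRACE = """\
[01/04/2021][18:14:38][18:14:38.966][9772][1457039104][][Selected server 10.0.0.1: Current total capacity:  70, current throughput:   1][SmClient.cpp:2977][GetServer][][ACTIVE][2]
[01/04/2021][18:14:39][18:14:39.411][9772][1457039104][00000000-txn-0001][Communication failure between SiteMinder policy server and web agent.][CSmLowLevelAgent.cpp:552][IsResourceProtected][10.0.0.2][*10.0.0.3][][_host._domain._com_WebAgent][/myapp/][GET]
"""

SMTRACEDEFAULT = """\
[Starting IsProtected processing.][IsProtected.cpp:98][64864][139919808775936][01/04/2021][18:14:26][18:14:26.532][CSm_Az_Message::IsProtected][_host._domain._com_WebAgent][https://_host._domain._com][/myapp/][GET]
[LogMessage:ERROR:[sm-Server-02940] Failed to query authentication scheme 'myGoogleOpenID'][SmAuthServer.cpp:339][64864][139919808775936][01/04/2021][18:14:26][18:14:26.973][]
[** Status: Error. Reject s197/r122 : internal error - failed to obtain scheme credentials for scheme 'myGoogleOpenID'][Sm_Az_Message.cpp:598][64864][139919808775936][01/04/2021][18:14:26][18:14:26.975][CSm_Az_Message::SendReply][mydomain.com][myrealm][_host._domain._com_WebAgent][s197/r122]
"""

COMM_FAILURE = "Communication failure between SiteMinder policy server and web agent."
SCHEME_QUERY_RE = re.compile(r"\[sm-Server-02940\] Failed to query authentication scheme '([^']+)'")
REJECT_RE = re.compile(r"Reject (\S+) : internal error - failed to obtain scheme credentials for scheme '([^']+)'")


def split_fields(line):
    """Split one trace line into its bracketed fields.

    Field values can themselves contain brackets (e.g. "[sm-Server-02940] ..."),
    so track nesting depth instead of matching "[...]" with a regex.
    """
    fields, buf, depth = [], [], 0
    for ch in line:
        if ch == "[":
            if depth:
                buf.append(ch)
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth == 0:
                fields.append("".join(buf))
                buf = []
            else:
                buf.append(ch)
        elif depth:
            buf.append(ch)
    return fields


def agent_comm_failures(trace):
    """Return one record per agent-side communication failure (function, resource, time)."""
    hits = []
    for line in trace.splitlines():
        f = split_fields(line)
        # Web Agent trace layout: [date][time][time.ms][pid][tid][txn][message][file:line][function]...
        if len(f) > 8 and f[6] == COMM_FAILURE:
            resource = next((v for v in f[9:] if v.startswith("/")), "")
            hits.append({"function": f[8], "resource": resource, "time": f[2]})
    return hits


def server_scheme_failures(trace):
    """Map each auth scheme the Policy Server failed to load to the transaction ids it rejected."""
    failed = {}
    for line in trace.splitlines():
        f = split_fields(line)
        if not f:
            continue
        msg = f[0]  # Policy Server trace layout: [message][file:line][pid][tid][date]...
        m = SCHEME_QUERY_RE.search(msg)
        if m:
            failed.setdefault(m.group(1), set())
        m = REJECT_RE.search(msg)
        if m:
            failed.setdefault(m.group(2), set()).add(m.group(1))
    return failed


def diagnose(agent_trace, server_trace):
    """Combine both sides: an agent 'communication failure' paired with a scheme
    query failure on the server is a configuration problem, not a network one."""
    comm = agent_comm_failures(agent_trace)
    schemes = server_scheme_failures(server_trace)
    if not comm:
        return {"verdict": "no agent-side communication failure found", "schemes": {}}
    if schemes:
        return {
            "verdict": "policy server rejected IsProtected: authentication scheme failed to load",
            "schemes": {name: sorted(txns) for name, txns in schemes.items()},
            "resources": sorted({h["resource"] for h in comm}),
        }
    return {"verdict": "communication failure without server-side scheme error: check connectivity and ports",
            "schemes": {}}


if __name__ == "__main__":
    print(diagnose(WEBAGENT_TRACE, SMTRACEDEFAULT))
```

Run against the real files by reading WebAgenttrace.log and smtracedefault.log into the two arguments of `diagnose`; the agent-side transaction id and the server-side `sNNN/rNNN` id are different identifiers, so the script correlates on the presence of both error kinds in the window you feed it rather than on a shared key.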

The OpenID Authentication Scheme is configured as:

pstore.xml :

    <Object Class="CA.SM::AuthScheme" Xid="CA.SM::AuthScheme@0d-01112w1s-44g4d441 [...omitted for brevity...]">
      <Property Name="CA.SM::AuthScheme.Param">
        <StringValue>com.ca.sm.openid.SmAuthOpenID Name=myGoogleOpenID;Fcc=/siteminderagent/forms/openid.fcc;TrustedOpenIDProviders=Openidproviders.xml;ICAMCompliance=no;ProxyAuthentication=no;AnonymousMode=no;PostProcessingChain=;PreProcessingChain=</StringValue>
      </Property>
      <Property Name="CA.SM::AuthScheme.Type">
        <NumberValue>33</NumberValue>
      </Property>
      <Property Name="CA.SM::AuthScheme.Library">
        <StringValue>smjavaapi</StringValue>
      </Property>
      <Property Name="CA.SM::AuthScheme.Name">
        <StringValue>myGoogleOpenID</StringValue>
      </Property>
      <!-- other properties of the object omitted for brevity -->
    </Object>

AuthScheme.Type 33 is OpenID.
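Before migrating, it helps to know every scheme in the policy store that is still on OpenID 2.0, not just the one named in the failing trace. The following Python audit is an added example, not Broadcom code: it walks a pstore-style XML export, flags each `CA.SM::AuthScheme` object whose Type is 33 or whose Param names the `com.ca.sm.openid.SmAuthOpenID` class, and reports the values a migration needs (scheme name, Xid, FCC path, trusted-providers file). The sample export is constructed to mirror the excerpt above; the second scheme's Type 999, its Library string and both Xid values are placeholders rather than real SiteMinder codes, and `find_openid_schemes` and `parse_param` are names chosen for this example.

```python
import xml.etree.ElementTree as ET

OPENID_AUTHSCHEME_TYPE = 33                          # per the article: AuthScheme.Type 33 is OpenID
OPENID_JAVA_CLASS = "com.ca.sm.openid.SmAuthOpenID"  # Java class named first in the scheme Param

# Constructed policy-store export. The first object mirrors the article's excerpt;
# the second object's Type (999), Library and both Xid values are placeholders.
PSTORE_XML = """\
<PolicyStore>
  <Object Class="CA.SM::AuthScheme" Xid="CA.SM::AuthScheme@XID-PLACEHOLDER-1">
    <Property Name="CA.SM::AuthScheme.Param">
      <StringValue>com.ca.sm.openid.SmAuthOpenID Name=myGoogleOpenID;Fcc=/siteminderagent/forms/openid.fcc;TrustedOpenIDProviders=Openidproviders.xml;ICAMCompliance=no;ProxyAuthentication=no;AnonymousMode=no;PostProcessingChain=;PreProcessingChain=</StringValue>
    </Property>
    <Property Name="CA.SM::AuthScheme.Type"><NumberValue>33</NumberValue></Property>
    <Property Name="CA.SM::AuthScheme.Library"><StringValue>smjavaapi</StringValue></Property>
    <Property Name="CA.SM::AuthScheme.Name"><StringValue>myGoogleOpenID</StringValue></Property>
  </Object>
  <Object Class="CA.SM::AuthScheme" Xid="CA.SM::AuthScheme@XID-PLACEHOLDER-2">
    <Property Name="CA.SM::AuthScheme.Param"><StringValue></StringValue></Property>
    <Property Name="CA.SM::AuthScheme.Type"><NumberValue>999</NumberValue></Property>
    <Property Name="CA.SM::AuthScheme.Library"><StringValue>placeholder-lib</StringValue></Property>
    <Property Name="CA.SM::AuthScheme.Name"><StringValue>myOtherScheme</StringValue></Property>
  </Object>
</PolicyStore>
"""


def _value(prop):
    """Return the text of a Property's StringValue/NumberValue child ('' if absent)."""
    for tag in ("StringValue", "NumberValue"):
        node = prop.find(tag)
        if node is not None:
            return (node.text or "").strip()
    return ""


def parse_param(param):
    """Split 'javaclass key=value;key=value;...' into (javaclass, {key: value})."""
    java_class, _, rest = param.partition(" ")
    kv = {}
    for item in rest.split(";"):
        if item:
            key, _, val = item.partition("=")
            kv[key] = val
    return java_class, kv


def auth_schemes(xml_text):
    """Yield one dict per CA.SM::AuthScheme object, properties keyed by their short name."""
    root = ET.fromstring(xml_text)
    for obj in root.iter("Object"):
        if obj.get("Class") != "CA.SM::AuthScheme":
            continue
        props = {p.get("Name", "").rsplit(".", 1)[-1]: _value(p) for p in obj.findall("Property")}
        props["Xid"] = obj.get("Xid", "")
        yield props


def find_openid_schemes(xml_text):
    """Return the schemes still on OpenID 2.0, flagged by Type and/or Java class."""
    found = []
    for s in auth_schemes(xml_text):
        java_class, kv = parse_param(s.get("Param", ""))
        by_type = s.get("Type") == str(OPENID_AUTHSCHEME_TYPE)
        by_class = java_class == OPENID_JAVA_CLASS
        if by_type or by_class:
            found.append({
                "name": s.get("Name", ""),
                "xid": s["Xid"],
                "library": s.get("Library", ""),
                "trusted_providers": kv.get("TrustedOpenIDProviders", ""),
                "fcc": kv.get("Fcc", ""),
                # Type and class disagreeing points at a hand-edited or damaged scheme
                "consistent": by_type == by_class,
            })
    return found


if __name__ == "__main__":
    for s in find_openid_schemes(PSTORE_XML):
        print(f"{s['name']}: OpenID 2.0 scheme (providers file {s['trusted_providers']!r}), migrate to OIDC")
```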
Resolution

Implement OpenID Connect (OIDC) instead of OpenID to log in using the Google API.
Additional Information

(1) Customize the OpenID Forms Credential Collector

(2) OpenID 2.0 for Google Accounts has gone away