OpenId Authentication Scheme

Article ID: 206458
Products

CA Single Sign On Agents (SiteMinder) SITEMINDER

Issue/Introduction

We're running a Web Agent, and when our user tries to log in to a web
site protected with an OpenID Authentication Scheme, the Web Agent
reports the error:

  Communication failure between SiteMinder policy server and web agent.

and the browser receives an HTTP 500 return code.

How can we fix this?

Cause

Google no longer supports OpenID 2.0, so you need to migrate to OpenID
Connect instead. Our updated 12.8 documentation states that very few
providers still support OpenID 2.0:

  Customize the OpenID Forms Credential Collector

    Most of the providers in the default FCC file have deprecated support
    for the OpenID authentication scheme. Do not use these, or modify the
    FCC file to remove the providers. Only Yahoo from the default providers
    list in the FCC file continues to support OpenID.

  https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/authentication-schemes/openid-authentication-scheme.html

Indeed, Google doesn't support OpenID 2.0 anymore:

  OpenID 2.0 for Google Accounts has gone away

    Some websites use OpenID 2.0 for authentication when you're signing
    in, and to access data that you've given them permission to
    access. OpenID 2.0 was replaced by OpenID Connect, and since April 20,
    2015, no longer works for Google Accounts. OpenID 2.0 support was shut
    down in order to focus on the newer open standard OpenID Connect,
    which provides greater security for your account.

    If you're a developer of an application that uses OpenID 2.0, you
    should migrate to OpenID Connect.

  https://support.google.com/accounts/answer/6206245?visit_id=637457015313922341-3515263490&rd=1

The last logs confirm that you've configured the Policy Server to use
Google OpenID 2.0, and this will never work.

Here's what we see in the logs:

The browser goes to the myapp resource:

fiddler.saz:

Line 6:

  GET https://myhost.mydomain.com/myapp/

  HTTP/1.1 500 Internal Server Error
  Date: Mon, 04 Jan 2021 17:14:38 GMT

  <title>500 Internal Server Error</title>

The Web Agent, loaded with the OpenID 2.0 plugin, gets an error from the
Policy Server when it asks for the protection details of the resource:

WebAgent.log:

  [9757/652633856][Mon Jan 04 2021 18:14:06]
  ignoreext='.class,.gif,.jpg,.jpeg,.png,.fcc,.scc,.sfcc,.ccc,.ntc,.css,.ico,.js'.

  [9757/652633856][Mon Jan 04 2021 18:14:06] fcccompatmode='no'.

  [9757/652633856][Mon Jan 04 2021 18:14:06]
  loadplugin='/opt/CA/webagent/bin/libOpenIDPlugin.so'.

  [9772/1457039104][Mon Jan 04 2021
  18:14:39][CSmLowLevelAgent.cpp:557][ERROR][sm-AgentFramework-00520]
  LLA: SiteMinder Agent Api function failed -
  'Sm_AgentApi_IsProtectedEx' returned '-1'.

  [9772/1457039104][Mon Jan 04 2021
  18:14:39][CSmProtectionManager.cpp:192][ERROR][sm-AgentFramework-00420]
  HLA: Component reported fatal error: 'Low Level Agent'.

  [9772/1457039104][Mon Jan 04 2021
  18:14:39][CSmHighLevelAgent.cpp:424][ERROR][sm-AgentFramework-00420]
  HLA: Component reported fatal error: 'Protection Manager'.

The Web Agent trace reports a problem communicating with the Policy
Server, which is not a network connectivity issue: the trace shows the
Policy Server selected and ACTIVE just before the IsResourceProtected
call fails:

WebAgenttrace.log:

  [01/04/2021][18:14:38][18:14:38.966][9772][1457039104][]
  [Selected server 10.0.0.1: Current total capacity:  70, current throughput:   1]
  [SmClient.cpp:2977][GetServer][][][][][][][][][][][][][][][][][][][][][][2][][]
  [ACTIVE][2]

  [01/04/2021][18:14:39][18:14:39.411][9772][1457039104]
  [00000000000000000000000061050a0a-262c-5ff34cfe-56d8a700-78b8fc1e6eb]
  [Communication failure between SiteMinder policy server and web agent.]
  [CSmLowLevelAgent.cpp:552][IsResourceProtected][10.0.0.2][*10.0.0.3][]
  [myhost.mydomain.com_WebAgent][][][][][/myapp/][GET][][][][][][][][][][][][][][][][]

smtracedefault.log:

  [Receive request attribute 221, data size is 67][SmMessage.cpp:557][64864]
  [139919808775936][01/04/2021][18:14:26][18:14:26.531][CSmMessage::ParseAgentMessage]
  [][][][][][][][][][][s197/r122][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  [][][][][][][00000000000000000000000061050a0a-262c-5ff34cfe-56d8a700-78b8fc1e6eb][][]
  [][][][][][][][][][][]

  [Receive request attribute 201, data size is 5][SmMessage.cpp:557][64864]
  [139919808775936][01/04/2021][18:14:26][18:14:26.531][CSmMessage::ParseAgentMessage]
  [][][][][][][][][myhost.mydomain.com_WebAgent][][s197/r122][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][/myapp/][][][][][][][][][][][][][]

  [Starting IsProtected processing.][IsProtected.cpp:98][64864][139919808775936]
  [01/04/2021][18:14:26][18:14:26.532][CSm_Az_Message::IsProtected][][][][][][][][]
  [myhost.mydomain.com_WebAgent][][][][][][][][][][https://myhost.mydomain.com][][]
  [][][][][][][][][][/myapp/][GET][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [LogMessage:ERROR:[sm-Server-02940] Failed to query authentication scheme 'myGoogleOpenID']
  [SmAuthServer.cpp:339][64864][139919808775936][01/04/2021][18:14:26][18:14:26.973][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][]

  [Send response attribute 158, data size is 98][Sm_Az_Message.cpp:828][64864]
  [139919808775936][01/04/2021][18:14:26][18:14:26.975][CSm_Az_Message::FormatAttribute]
  [][][][mydomain.com][myrealm][][][][myhost.mydomain.com_WebAgent][][s197/r122]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][IsProtectedEx]
  [Reject s197/r122 : internal error - failed to obtain scheme credentials for scheme 'myGoogleOpenID']
  [52 65 6a 65 63 74 20 73 31 39 37 2f 72 31 32 32 20 3a 20 69 6e 74 65 72 6e 61 6c 20 
  65 72 72 6f 72 20 2d 20 66 61 69 6c 65 64 20 74 6f 20 6f 62 74 61 69 6e 20 73 63 68 
  65 6d 65 20 63 72 65 64 65 6e 74 69 61 6c 73 20 66 6f 72 20 73 63 68 65 6d 65 20 27 
  47 6f 6f 67 6c 65 5f 4f 70 65 6e 49 44 27 ][][][][][][][][][][][][]

  [** Status: Error. Reject s197/r122 : internal error - failed to obtain scheme 
  credentials for scheme 'myGoogleOpenID'][Sm_Az_Message.cpp:598][64864][139919808775936]
  [01/04/2021][18:14:26][18:14:26.975][CSm_Az_Message::SendReply][][][][mydomain.com]
  [myrealm][][][][myhost.mydomain.com_WebAgent][][s197/r122][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
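The agent-side "Communication failure" message hides the real cause, which only appears in the Policy Server trace and is tied to the agent line by the transaction id. As an added example (not part of this article or of the SiteMinder product), the following Python script follows that chain: it splits the bracket-delimited trace lines into fields, takes the transaction id from the agent failure, finds the matching Policy Server request id (s197/r122), pulls the reject reason and scheme name from the Reject line, and decodes the hex dump of response attribute 158. The sample trace lines are constructed from the excerpts above; the field layout and the regular expressions are assumptions derived from those excerpts.

```python
import re

# Constructed sample traces, modelled on the WebAgenttrace.log and
# smtracedefault.log excerpts above (bracket-delimited fields, same order).
AGENT_TRACE = (
    "[01/04/2021][18:14:38][18:14:38.966][9772][1457039104][]"
    "[Selected server 10.0.0.1: Current total capacity:  70, current throughput:   1]"
    "[SmClient.cpp:2977][GetServer][][][][][][][][][][][][][][][][][][][][][][2][][][ACTIVE][2]\n"
    "[01/04/2021][18:14:39][18:14:39.411][9772][1457039104]"
    "[00000000000000000000000061050a0a-262c-5ff34cfe-56d8a700-78b8fc1e6eb]"
    "[Communication failure between SiteMinder policy server and web agent.]"
    "[CSmLowLevelAgent.cpp:552][IsResourceProtected][10.0.0.2][*10.0.0.3][]"
    "[myhost.mydomain.com_WebAgent][][][][][/myapp/][GET][][][][][][][][][][][][][][][][]\n"
)
PS_TRACE = (
    "[Receive request attribute 221, data size is 67][SmMessage.cpp:557][64864]"
    "[139919808775936][01/04/2021][18:14:26][18:14:26.531][CSmMessage::ParseAgentMessage]"
    "[][][][][][][][][][][s197/r122][][][][][][][][][][][][][][][][][][][][][][][][][][]"
    "[][][][][][][00000000000000000000000061050a0a-262c-5ff34cfe-56d8a700-78b8fc1e6eb][][]"
    "[][][][][][][][][][][]\n"
    "[LogMessage:ERROR:[sm-Server-02940] Failed to query authentication scheme 'myGoogleOpenID']"
    "[SmAuthServer.cpp:339][64864][139919808775936][01/04/2021][18:14:26][18:14:26.973][]\n"
    "[** Status: Error. Reject s197/r122 : internal error - failed to obtain scheme "
    "credentials for scheme 'myGoogleOpenID'][Sm_Az_Message.cpp:598][64864][139919808775936]"
    "[01/04/2021][18:14:26][18:14:26.975][CSm_Az_Message::SendReply][][][][mydomain.com]"
    "[myrealm][][][][myhost.mydomain.com_WebAgent][][s197/r122][][][][][][][][][][][]\n"
)
# Hex dump of response attribute 158, copied from the smtracedefault.log excerpt above.
ATTR_158_HEX = (
    "52 65 6a 65 63 74 20 73 31 39 37 2f 72 31 32 32 20 3a 20 69 6e 74 65 72 6e 61 6c 20 "
    "65 72 72 6f 72 20 2d 20 66 61 69 6c 65 64 20 74 6f 20 6f 62 74 61 69 6e 20 73 63 68 "
    "65 6d 65 20 63 72 65 64 65 6e 74 69 61 6c 73 20 66 6f 72 20 73 63 68 65 6d 65 20 27 "
    "47 6f 6f 67 6c 65 5f 4f 70 65 6e 49 44 27"
)

TXN_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+){4}$")  # agent transaction id (assumed shape)
REQ_RE = re.compile(r"^s\d+/r\d+$")                   # Policy Server session/request id
REJECT_RE = re.compile(r"Reject (s\d+/r\d+) : (.*)$")
HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS"}


def split_fields(line):
    """Split a trace line into its [...] fields, tolerating nested brackets
    such as [LogMessage:ERROR:[sm-Server-02940] ...]."""
    fields, buf, depth = [], [], 0
    for ch in line:
        if ch == "[":
            if depth:
                buf.append(ch)
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth == 0:
                fields.append("".join(buf))
                buf = []
            else:
                buf.append(ch)
        elif depth:
            buf.append(ch)
    return fields


def agent_failures(agent_trace):
    """Agent lines carrying a transaction id: the message follows the id,
    and the resource is the field just before the HTTP method."""
    out = []
    for line in agent_trace.splitlines():
        fields = split_fields(line)
        txn = next((f for f in fields if TXN_RE.match(f)), None)
        if txn is None:
            continue
        msg = fields[fields.index(txn) + 1]
        resource = next((fields[i - 1] for i, f in enumerate(fields)
                         if f in HTTP_METHODS and i > 0), None)
        out.append({"txn": txn, "resource": resource, "agent_message": msg})
    return out


def policy_server_reject(ps_trace, txn):
    """txn id -> Policy Server request id -> the Reject line and its reason."""
    lines = [split_fields(l) for l in ps_trace.splitlines()]
    req_id = next((f for fields in lines if txn in fields
                   for f in fields if REQ_RE.match(f)), None)
    if req_id is None:
        return None
    for fields in lines:
        m = REJECT_RE.search(fields[0]) if fields else None
        if m and m.group(1) == req_id:
            scheme = re.search(r"scheme '([^']+)'", m.group(2))
            return {"request_id": req_id, "reason": m.group(2),
                    "scheme": scheme.group(1) if scheme else None}
    return None


def triage(agent_trace, ps_trace):
    """Join each agent-side failure with the Policy Server's reject reason."""
    return [{**f, **(policy_server_reject(ps_trace, f["txn"]) or {})}
            for f in agent_failures(agent_trace)]


def decode_attr_hex(hexdump):
    """Decode the byte dump the Policy Server trace prints for an attribute."""
    return bytes.fromhex("".join(hexdump.split())).decode("ascii")
```

Run `triage(AGENT_TRACE, PS_TRACE)` against the constructed traces and the single hit names the resource (/myapp/), the agent message, request id s197/r122 and the scheme the Policy Server could not load; `decode_attr_hex(ATTR_158_HEX)` yields the 98-byte reject text that the "data size is 98" attribute line announces. On a real system point the two functions at the actual WebAgenttrace.log and smtracedefault.log contents; note that the agent and Policy Server clocks in the excerpt differ by about 13 seconds, so correlate by id rather than by timestamp.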

You've configured an OpenID Authentication Scheme:

pstore.xml:

  <Object Class="CA.SM::AuthScheme"
          Xid="CA.SM::[email protected]"
          CreatedDateTime="2000-12-14T11:14:23"
          ModifiedDateTime="2000-12-14T14:00:55" UpdatedBy="siteminder"
          UpdateMethod="GUI" ExportType="Replace">

    <Property Name="CA.SM::AuthScheme.Param">
      <StringValue>com.ca.sm.openid.SmAuthOpenID Name=myGoogleOpenID;Fcc=/siteminderagent/forms/openid.fcc;TrustedOpenIDProviders=Openidproviders.xml;ICAMCompliance=no;ProxyAuthentication=no;AnonymousMode=no;PostProcessingChain=;PreProcessingChain=</StringValue>
    </Property>

    <Property Name="CA.SM::AuthScheme.Type">
      <NumberValue>33</NumberValue>
    </Property>

    <Property Name="CA.SM::AuthScheme.Library">
      <StringValue>smjavaapi</StringValue>
    </Property>

    <Property Name="CA.SM::AuthScheme.Name">
      <StringValue>myGoogleOpenID</StringValue>
    </Property>

  </Object>

AuthScheme.Type 33 is OpenID.
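To find every authentication scheme in a policy store export that still relies on OpenID 2.0 (Type 33) before a provider shuts it down, here is an added Python example, not part of this article or of the SiteMinder product. It walks the Object/Property structure shown above, reads the Type, and splits the Param string into its implementation class and key=value settings so the FCC and the TrustedOpenIDProviders file can be reported. The sample XML is constructed from the excerpt: the Xid values are placeholders, the root element name is an assumption, and a second scheme with an arbitrary non-33 Type is included only to show it is not flagged.

```python
import xml.etree.ElementTree as ET

OPENID_TYPE = 33  # CA.SM::AuthScheme.Type 33 is OpenID, per the article

# Constructed sample export modelled on the pstore.xml excerpt above.
# Root element name and Xid values are placeholders, not real export data.
PSTORE_XML = """<PolicyData>
  <Object Class="CA.SM::AuthScheme" Xid="CA.SM::AuthScheme@XID-PLACEHOLDER-1"
          UpdatedBy="siteminder" UpdateMethod="GUI" ExportType="Replace">
    <Property Name="CA.SM::AuthScheme.Param">
      <StringValue>com.ca.sm.openid.SmAuthOpenID
      Name=myGoogleOpenID;Fcc=/siteminderagent/forms/openid.fcc;TrustedOpenIDProviders=Openidproviders.xml;ICAMCompliance=no;ProxyAuthentication=no;AnonymousMode=no;PostProcessingChain=;PreProcessingChain=</StringValue>
    </Property>
    <Property Name="CA.SM::AuthScheme.Type"><NumberValue>33</NumberValue></Property>
    <Property Name="CA.SM::AuthScheme.Library"><StringValue>smjavaapi</StringValue></Property>
    <Property Name="CA.SM::AuthScheme.Name"><StringValue>myGoogleOpenID</StringValue></Property>
  </Object>
  <Object Class="CA.SM::AuthScheme" Xid="CA.SM::AuthScheme@XID-PLACEHOLDER-2" ExportType="Replace">
    <Property Name="CA.SM::AuthScheme.Type"><NumberValue>1</NumberValue></Property>
    <Property Name="CA.SM::AuthScheme.Name"><StringValue>constructedOtherScheme</StringValue></Property>
  </Object>
</PolicyData>
"""


def prop(obj, name):
    """Return the StringValue/NumberValue text of the named Property, or None."""
    for p in obj.findall("Property"):
        if p.get("Name") == name:
            v = p.find("StringValue")
            if v is None:
                v = p.find("NumberValue")
            return (v.text or "").strip() if v is not None else None
    return None


def parse_param(param):
    """Split 'impl.Class key=value;key=value;...' into (impl, settings dict).
    Whitespace (including the line wrap inside StringValue) is tolerated."""
    parts = param.split(None, 1)
    impl = parts[0] if parts else None
    settings = {}
    if len(parts) > 1:
        for kv in parts[1].split(";"):
            kv = kv.strip()
            if kv:
                key, _, value = kv.partition("=")
                settings[key.strip()] = value.strip()
    return impl, settings


def find_openid_schemes(xml_text):
    """List every AuthScheme object whose Type is OpenID (33) with the
    settings a migration to OpenID Connect needs to know about."""
    root = ET.fromstring(xml_text)
    found = []
    for obj in root.iter("Object"):
        if obj.get("Class") != "CA.SM::AuthScheme":
            continue
        scheme_type = prop(obj, "CA.SM::AuthScheme.Type")
        if scheme_type is None or int(scheme_type) != OPENID_TYPE:
            continue
        impl, settings = parse_param(prop(obj, "CA.SM::AuthScheme.Param") or "")
        found.append({
            "name": prop(obj, "CA.SM::AuthScheme.Name"),
            "xid": obj.get("Xid"),
            "library": prop(obj, "CA.SM::AuthScheme.Library"),
            "impl": impl,
            "fcc": settings.get("Fcc"),
            "providers_file": settings.get("TrustedOpenIDProviders"),
        })
    return found


if __name__ == "__main__":
    for s in find_openid_schemes(PSTORE_XML):
        print(f"OpenID 2.0 scheme '{s['name']}' ({s['impl']}), "
              f"FCC {s['fcc']}, providers file {s['providers_file']}")
```

Against a real XPSExport file, feed the file's text to `find_openid_schemes` and cross-check each reported providers file against the provider list in the documentation quoted above; any scheme pointing at a provider that has dropped OpenID 2.0 will fail exactly as the traces in this article show.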

Environment

  Web Agent 12.52SP1CR09 64bit on Apache 2.2.34 64bit on RedHat 6;
  Policy Server 12.8SP3 on RedHat 6;
    AdoptOpenJDK 1.8.0_252;

Resolution

Implement an OpenID Connect (OIDC) authentication scheme instead of the
OpenID 2.0 one in order to log in through Google.