A working OIDC setup suddenly stops working over the weekend.

OS: Red Hat Enterprise Linux Server release 7
Policy server version : 12.8.0200.1992

Access gateway OS:Red Hat Enterprise Linux Server release 7
Access gateway version:12.8.0200.1992

Client side error:

x.x.x.x(IP) - - [12/Apr/2021:08:35:03 -0400] "GET /oidc_login_page?error=server_error&error_description=Internal+Server+Error.&state=6k3LtQwUocZTEJ3e_xxxxxxxxxxx HTTP/1.1" 500 1273

Siteminder side FWStrace.log:

[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][AuthorizationService.java][processAuthorization][resource is: /&response_type=code&scope=openid&client_id=0000xxxxxxxxxxx&state=E-Fmb7ZdPBxxxxxx&redirect_uri=https%3A%2F%2xxxxxxxxx%2Foidc_login_page&nonce=gwPPvC0DIvcp9rNXxxxxxxxxx&authenticationURL=https://idp.com/affwebservices/CASSO/oidc/authorize&Oid=null]

[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][AuthorizationService.java][processAuthorization][resolved variable list is: <RVARS><Var name="USER_DIR_OID" rtype="3"><![CDATA[0e-3dffab22-c0db-0028-0000-165100001651]]></Var><Var name="SessionToken" rtype="3"><![CDATA[6rcSDesZ1O....

...

[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][AuthorizationService.java][processAuthorization][Calling authorizeEx to invoke autorization code generator.]
[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][AuthorizationService.java][processAuthorization][Transient IP check: false]
[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][AuthorizationService.java][processAuthorization][Result of authorizeEx call is: 1.]
[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][AuthorizationService.java][processAuthorization][Transaction with ID: 58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1 failed. Reason: FAILED_NO_ATTR_RETURNED]
[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][AuthorizationService.java][processAuthorization][Denying request due to no attribute returned from authorization code generator.]
[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][OpenIDConnectServiceBase.java][sendErrorResponse][ Sending error response: 
ErrorResponse [error=server_error, error_description=Error interno del servidor., error_uri=null]  to:https://xxxxxxxxxxxxx.com/oidc_login_page]

...

[04/12/2021][16:25:48][48732][140647942993664][][OIDCRequestController.java][resolveAndForward][Resolving service to forward, for URI: /affwebservices/CASSO/oidc/client_name/authorize]
[04/12/2021][16:25:48][48732][140647942993664][][OIDCRequestController.java][resolveAndForward][Forwarding to URI: /CASSO/oidc/authorize]

Customer is on 12.8sp2, where oidc uses end point with client_name in it.
e.g.
https://idp.com/affwebservices/CASSO/oidc/client_name/authorize?
However, after user is authenticated, user is being redirected via /affwebservices/secure/secureredirect to a default TARGET, instead of original authorize TARGET end point.

It was redirect back to       https://idp.com/affwebservices/CASSO/oidc/authorize
which should be original   https://idp.com/affwebservices/CASSO/oidc/client_name/authorize

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/upgrading/in-place-upgrade/upgrade-policy-server.html

The main fact is that CA access gateway calls policy server to get an authorization code, but it got denied, so something is wrong at policy server side, unfortunately no logs were provided from production policy server.

Release : 12.8

Component : SITEMINDER FEDERATION SECURITY SERVICES

The true cause is that session stores are down. Hence, recycling Access gateway and policy server, has not helped much.

Once customer brings up session stores, which is needed component for OIDC authentication, everything works again.