
OIDC failure "Denying request due to no attribute returned from authorization code generator"


Article ID: 212573


Products

CA Single Sign On Agents (SiteMinder), SITEMINDER, CA Single Sign On Federation (SiteMinder)

Issue/Introduction

A working OIDC setup suddenly stopped working over the weekend.

Policy server OS: Red Hat Enterprise Linux Server release 7
Policy server version: 12.8.0200.1992

Access gateway OS: Red Hat Enterprise Linux Server release 7
Access gateway version: 12.8.0200.1992

Client-side error:

x.x.x.x(IP) - - [12/Apr/2021:08:35:03 -0400] "GET /oidc_login_page?error=server_error&error_description=Internal+Server+Error.&state=6k3LtQwUocZTEJ3e_xxxxxxxxxxx HTTP/1.1" 500 1273

SiteMinder side, FWStrace.log:

[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][AuthorizationService.java][processAuthorization][resource is: /&response_type=code&scope=openid&client_id=0000xxxxxxxxxxx&state=E-Fmb7ZdPBxxxxxx&redirect_uri=https%3A%2F%2xxxxxxxxx%2Foidc_login_page&nonce=gwPPvC0DIvcp9rNXxxxxxxxxx&authenticationURL=https://idp.com/affwebservices/CASSO/oidc/authorize&Oid=null]

[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][AuthorizationService.java][processAuthorization][resolved variable list is: <RVARS><Var name="USER_DIR_OID" rtype="3"><![CDATA[0e-3dffab22-c0db-0028-0000-165100001651]]></Var><Var name="SessionToken" rtype="3"><![CDATA[6rcSDesZ1O....

...

[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][AuthorizationService.java][processAuthorization][Calling authorizeEx to invoke autorization code generator.]
[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][AuthorizationService.java][processAuthorization][Transient IP check: false]
[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][AuthorizationService.java][processAuthorization][Result of authorizeEx call is: 1.]
[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][AuthorizationService.java][processAuthorization][Transaction with ID: 58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1 failed. Reason: FAILED_NO_ATTR_RETURNED]
[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][AuthorizationService.java][processAuthorization][Denying request due to no attribute returned from authorization code generator.]
[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][OpenIDConnectServiceBase.java][sendErrorResponse][ Sending error response: 
ErrorResponse [error=server_error, error_description=Error interno del servidor., error_uri=null]  to:https://xxxxxxxxxxxxx.com/oidc_login_page]

...

[04/12/2021][16:25:48][48732][140647942993664][][OIDCRequestController.java][resolveAndForward][Resolving service to forward, for URI: /affwebservices/CASSO/oidc/client_name/authorize]
[04/12/2021][16:25:48][48732][140647942993664][][OIDCRequestController.java][resolveAndForward][Forwarding to URI: /CASSO/oidc/authorize]

Cause

The customer is on 12.8 SP2, where the OIDC authorize endpoint includes the client name in its path, e.g.
https://idp.com/affwebservices/CASSO/oidc/client_name/authorize?
However, after the user is authenticated, the user is redirected via /affwebservices/secure/secureredirect to a default TARGET instead of the original authorize TARGET endpoint.

The redirect went back to https://idp.com/affwebservices/CASSO/oidc/authorize
whereas the original endpoint should have been https://idp.com/affwebservices/CASSO/oidc/client_name/authorize

This observation can be confirmed from both FWStrace.log and the browser trace log. Whether it is a problem depends on the policy server version.
Please see the release notes for the endpoint changes between 12.8 SP2 and SP3 onward.

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/upgrading/in-place-upgrade/upgrade-policy-server.html

The key fact is that the CA Access Gateway calls the policy server to obtain an authorization code and that call is denied, so something is wrong on the policy server side; unfortunately no logs were provided from the production policy server.

Environment

Release : 12.8

Component : SITEMINDER FEDERATION SECURITY SERVICES

Resolution

The true cause is that the session stores were down, which is why recycling the Access Gateway and the policy server did not help.

Once the customer brought the session stores, a required component for OIDC authentication, back up, everything worked again.
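As an added triage helper (not part of this article or of the SiteMinder product), the following Python script parses FWStrace.log lines in the bracketed layout shown above and flags the two signals this article discusses: transactions denied with FAILED_NO_ATTR_RETURNED, which point at the policy server and its session store, and authorize requests whose authenticationURL lacks the client_name path segment, which is the default-TARGET redirect described under Cause. The sample log is constructed from the article's redacted excerpt (the second, healthy transaction ID is invented), the field layout is assumed from that excerpt, and the dictionary keys and function names are the example's own.

```python
"""Triage helper for OIDC authorization failures in SiteMinder FWStrace.log.

Added example, not SiteMinder code. The log layout assumed here is the one
shown in the article: [date][time][pid][tid][txid][file][method][message].
"""
import re
from urllib.parse import urlsplit

LINE_RE = re.compile(
    r"^\[(?P<date>[^\]]*)\]\[(?P<time>[^\]]*)\]\[(?P<pid>[^\]]*)\]\[(?P<tid>[^\]]*)\]"
    r"\[(?P<txid>[^\]]*)\]\[(?P<file>[^\]]*)\]\[(?P<method>[^\]]*)\]\[(?P<msg>.*)\]$"
)
FAIL_RE = re.compile(r"Transaction with ID: (?P<txid>\S+) failed\. Reason: (?P<reason>\w+)")
AUTH_URL_RE = re.compile(r"authenticationURL=(?P<url>[^&\s]+)")
# 12.8 SP2-style endpoint: a client name sits between /oidc/ and /authorize
CLIENT_AUTHORIZE_RE = re.compile(r"^/affwebservices/CASSO/oidc/[^/]+/authorize$")

# Constructed sample, built from the article's redacted excerpt; not real production data.
SAMPLE_LOG = """\
[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][AuthorizationService.java][processAuthorization][resource is: /&response_type=code&scope=openid&client_id=0000xxxxxxxxxxx&redirect_uri=https%3A%2F%2Fxxxxxxxxx%2Foidc_login_page&authenticationURL=https://idp.com/affwebservices/CASSO/oidc/authorize&Oid=null]
[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][AuthorizationService.java][processAuthorization][Result of authorizeEx call is: 1.]
[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][AuthorizationService.java][processAuthorization][Transaction with ID: 58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1 failed. Reason: FAILED_NO_ATTR_RETURNED]
[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][AuthorizationService.java][processAuthorization][Denying request due to no attribute returned from authorization code generator.]
[04/12/2021][16:25:48][48732][140647942993664][][OIDCRequestController.java][resolveAndForward][Resolving service to forward, for URI: /affwebservices/CASSO/oidc/client_name/authorize]
[04/12/2021][16:30:02][48732][140647940888320][c0ffee00-healthy-txid-constructed][AuthorizationService.java][processAuthorization][resource is: /&response_type=code&scope=openid&client_id=0000xxxxxxxxxxx&authenticationURL=https://idp.com/affwebservices/CASSO/oidc/client_name/authorize&Oid=null]
"""


def parse_line(line):
    """Split one FWStrace.log line into its bracketed fields; return None for
    continuation lines such as the second line of a multi-line error response."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def authorize_path_without_client(msg):
    """Return the authenticationURL path when it is the bare /oidc/authorize
    endpoint (no client_name segment), otherwise None."""
    m = AUTH_URL_RE.search(msg)
    if not m:
        return None
    path = urlsplit(m.group("url")).path
    if path.endswith("/oidc/authorize") and not CLIENT_AUTHORIZE_RE.match(path):
        return path
    return None


def triage(lines):
    """Collect failed transactions, denial messages and bare authorize URLs."""
    findings = {"failed": {}, "denied": [], "bare_authorize": []}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["method"] == "processAuthorization" and msg.startswith("resource is:"):
            path = authorize_path_without_client(msg)
            if path is not None:
                findings["bare_authorize"].append((rec["txid"], path))
        fm = FAIL_RE.search(msg)
        if fm:
            findings["failed"][fm["txid"]] = fm["reason"]
        if msg.startswith("Denying request due to no attribute returned"):
            findings["denied"].append(rec["txid"])
    return findings


def summarize(findings):
    """Turn findings into the checks an operator should run next."""
    hints = []
    no_attr = [t for t, r in findings["failed"].items() if r == "FAILED_NO_ATTR_RETURNED"]
    if no_attr:
        hints.append(
            f"{len(no_attr)} transaction(s) denied with FAILED_NO_ATTR_RETURNED: the policy "
            "server's authorization code generator returned nothing. Check the policy server "
            "logs and confirm the session store is up (the article's root cause)."
        )
    if findings["bare_authorize"]:
        hints.append(
            f"{len(findings['bare_authorize'])} authorize request(s) arrived without the "
            "client_name path segment: the post-authentication secureredirect fell back to a "
            "default TARGET. Compare against the 12.8 SP2 vs SP3 endpoint release notes."
        )
    return hints


if __name__ == "__main__":
    for hint in summarize(triage(SAMPLE_LOG.splitlines())):
        print("-", hint)
```

Run it against a real FWStrace.log with `triage(open(path))`; lines that do not match the bracketed layout (continuation lines of multi-line messages) are skipped rather than treated as errors, and the transaction ID in each finding lets you pull the full transaction out of the trace for the policy server side comparison.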