A working OIDC setup suddenly stops working over the weekend.
OS: Red Hat Enterprise Linux Server release 7
Policy server version: 12.8.0200.1992
Access gateway OS: Red Hat Enterprise Linux Server release 7
Access gateway version: 12.8.0200.1992
Client side error:
x.x.x.x(IP) - - [12/Apr/2021:08:35:03 -0400] "GET /oidc_login_page?error=server_error&error_description=Internal+Server+Error.&state=6k3LtQwUocZTEJ3e_xxxxxxxxxxx HTTP/1.1" 500 1273
Siteminder side FWStrace.log:
[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][AuthorizationService.java][processAuthorization][resource is: /&response_type=code&scope=openid&client_id=0000xxxxxxxxxxx&state=E-Fmb7ZdPBxxxxxx&redirect_uri=https%3A%2F%2xxxxxxxxx%2Foidc_login_page&nonce=gwPPvC0DIvcp9rNXxxxxxxxxx&authenticationURL=https://idp.com/affwebservices/CASSO/oidc/authorize&Oid=null]
[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][AuthorizationService.java][processAuthorization][resolved variable list is: <RVARS><Var name="USER_DIR_OID" rtype="3"><![CDATA[0e-3dffab22-c0db-0028-0000-165100001651]]></Var><Var name="SessionToken" rtype="3"><![CDATA[6rcSDesZ1O....
...
[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][AuthorizationService.java][processAuthorization][Calling authorizeEx to invoke autorization code generator.]
[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][AuthorizationService.java][processAuthorization][Transient IP check: false]
[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][AuthorizationService.java][processAuthorization][Result of authorizeEx call is: 1.]
[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][AuthorizationService.java][processAuthorization][Transaction with ID: 58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1 failed. Reason: FAILED_NO_ATTR_RETURNED]
[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][AuthorizationService.java][processAuthorization][Denying request due to no attribute returned from authorization code generator.]
[04/12/2021][16:25:44][48732][140647940888320][58a8219b-f554bd8c-22139912-b14568f7-d5c7b1eb-ef1][OpenIDConnectServiceBase.java][sendErrorResponse][ Sending error response:
ErrorResponse [error=server_error, error_description=Error interno del servidor., error_uri=null] to:https://xxxxxxxxxxxxx.com/oidc_login_page]
...
[04/12/2021][16:25:48][48732][140647942993664][][OIDCRequestController.java][resolveAndForward][Resolving service to forward, for URI: /affwebservices/CASSO/oidc/client_name/authorize]
[04/12/2021][16:25:48][48732][140647942993664][][OIDCRequestController.java][resolveAndForward][Forwarding to URI: /CASSO/oidc/authorize]
Release : 12.8
Component : SITEMINDER FEDERATION SECURITY SERVICES
The customer is on 12.8 SP2, where the OIDC authorization endpoint carries the client_name in its path, e.g.
https://idp.com/affwebservices/CASSO/oidc/client_name/authorize?
However, after the user is authenticated, the user is redirected via /affwebservices/secure/secureredirect to a default TARGET instead of the original authorize TARGET endpoint.
The user was redirected back to https://idp.com/affwebservices/CASSO/oidc/authorize
whereas the original target was https://idp.com/affwebservices/CASSO/oidc/client_name/authorize
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/upgrading/in-place-upgrade/upgrade-policy-server.html
The key fact is that the CA Access Gateway calls the Policy Server to obtain an authorization code and that request is denied (FAILED_NO_ATTR_RETURNED in the trace above), so the problem is on the Policy Server side; unfortunately no logs were provided from the production Policy Server.
The root cause is that the session stores are down, which is why recycling the Access Gateway and the Policy Server did not help.
Once the customer brought the session stores back up (a required component for OIDC authentication), everything worked again.
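The FWStrace.log excerpt above is the evidence that matters here: authorizeEx returns 1, yet the transaction is denied with FAILED_NO_ATTR_RETURNED because the authorization code generator returned no attributes. The following is an added example, not code from the article or from the SiteMinder product, that parses trace lines of that shape, correlates each denial with the authorize request it belongs to by transaction ID, and reports the client_id and redirect_uri involved, so an operator can spot a burst of such denials (for instance after a session store outage) without reading the trace by hand. The line layout `[date][time][pid][tid][txid][file][method][message]` is taken from the excerpt; the sample lines, transaction IDs and hostnames below are constructed placeholders.

```python
"""Summarise OIDC authorization-code denials from SiteMinder FWStrace.log lines.

Added example (not part of the KB article). Assumes the record layout seen in
the article: [date][time][pid][tid][txid][file][method][message], where a
"resource is: ..." message carries the authorize query string and a
"Transaction with ID: X failed. Reason: Y" message marks the denial.
"""
import re
from urllib.parse import parse_qs

# Constructed sample modelled on the article's trace; IDs and hosts are placeholders.
SAMPLE_LOG = """\
[04/12/2021][16:25:44][48732][140647940888320][tx-0001][AuthorizationService.java][processAuthorization][resource is: /&response_type=code&scope=openid&client_id=CLIENT-PLACEHOLDER&state=STATE-1&redirect_uri=https%3A%2F%2Fsp.example.com%2Foidc_login_page&nonce=NONCE-1&authenticationURL=https://idp.example.com/affwebservices/CASSO/oidc/authorize&Oid=null]
[04/12/2021][16:25:44][48732][140647940888320][tx-0001][AuthorizationService.java][processAuthorization][Calling authorizeEx to invoke autorization code generator.]
[04/12/2021][16:25:44][48732][140647940888320][tx-0001][AuthorizationService.java][processAuthorization][Result of authorizeEx call is: 1.]
[04/12/2021][16:25:44][48732][140647940888320][tx-0001][AuthorizationService.java][processAuthorization][Transaction with ID: tx-0001 failed. Reason: FAILED_NO_ATTR_RETURNED]
[04/12/2021][16:25:44][48732][140647940888320][tx-0001][OpenIDConnectServiceBase.java][sendErrorResponse][ Sending error response:
ErrorResponse [error=server_error, error_description=Internal Server Error., error_uri=null] to:https://sp.example.com/oidc_login_page]
[04/12/2021][16:25:48][48732][140647942993664][][OIDCRequestController.java][resolveAndForward][Forwarding to URI: /CASSO/oidc/authorize]
[04/12/2021][16:26:10][48732][140647940888320][tx-0002][AuthorizationService.java][processAuthorization][resource is: /&response_type=code&scope=openid&client_id=CLIENT-PLACEHOLDER&state=STATE-2&redirect_uri=https%3A%2F%2Fsp.example.com%2Foidc_login_page&nonce=NONCE-2&authenticationURL=https://idp.example.com/affwebservices/CASSO/oidc/authorize&Oid=null]
[04/12/2021][16:26:10][48732][140647940888320][tx-0002][AuthorizationService.java][processAuthorization][Result of authorizeEx call is: 1.]
"""

# Eight bracketed fields; the message is matched greedily (DOTALL) because it
# may itself contain brackets and, as in the sendErrorResponse record, newlines.
LINE_RE = re.compile(
    r"^\[(?P<date>[^\]]*)\]\[(?P<time>[^\]]*)\]\[(?P<pid>[^\]]*)\]\[(?P<tid>[^\]]*)\]"
    r"\[(?P<txid>[^\]]*)\]\[(?P<file>[^\]]*)\]\[(?P<method>[^\]]*)\]\[(?P<msg>.*)\]$",
    re.DOTALL,
)
FAIL_RE = re.compile(r"Transaction with ID: (?P<txid>\S+) failed\. Reason: (?P<reason>\S+)")


def parse_fwstrace(text):
    """Join continuation lines onto their record, then split each record into fields."""
    records = []
    for line in text.splitlines():
        if line.startswith("[") or not records:
            records.append(line)
        else:
            records[-1] += "\n" + line  # continuation of a multi-line message
    entries = []
    for rec in records:
        m = LINE_RE.match(rec)
        if m:
            entries.append(m.groupdict())
    return entries


def summarize_failures(entries):
    """Pair each denial with the authorize request of the same transaction ID."""
    requests = {}  # txid -> parsed query parameters of the authorize request
    failures = {}  # txid -> summary of the denial
    for e in entries:
        msg = e["msg"]
        if msg.startswith("resource is: "):
            # The resource looks like "/&response_type=code&..."; keep the query part.
            query = msg[len("resource is: "):].partition("&")[2]
            requests[e["txid"]] = {k: v[0] for k, v in parse_qs(query).items()}
        m = FAIL_RE.search(msg)
        if m:
            req = requests.get(m["txid"], {})
            failures[m["txid"]] = {
                "time": f'{e["date"]} {e["time"]}',
                "reason": m["reason"],
                "client_id": req.get("client_id"),
                "redirect_uri": req.get("redirect_uri"),
            }
    return failures


if __name__ == "__main__":
    for txid, info in summarize_failures(parse_fwstrace(SAMPLE_LOG)).items():
        print(f'{info["time"]} {txid} {info["reason"]} '
              f'client_id={info["client_id"]} redirect_uri={info["redirect_uri"]}')
```

Note that the "Result of authorizeEx call is: 1." line appears in both transactions, the failed one and the healthy one, so the return code alone is not a useful signal; the denial has to be read from the "Transaction with ID ... failed. Reason:" message, which is why the summary keys on that line. Pointing the script at a real FWStrace.log is a matter of replacing SAMPLE_LOG with the file's contents.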