
Status Error Redirect URL not working with web agent option pack


Article ID: 226463

Products

CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

"Status Error Redirect URL" is configured for the SP-IDP partnership, but during federation SLO, when the user encounters HTTP error 500, the redirect to the error URL does not fire.
This occurs on WAOP version 12.52.111.2820.

The use case is as follows:
1. The user is already logged in to the SP-IDP partnership application.
2. The user's session times out due to inactivity.
3. The user now tries to initiate federation SLO.
4. The request goes through the session validation stage, which finds that the user's session is already in the logged-off state.
The WAOP server then generates HTTP error 500.
5. At this point the user should be redirected to the configured "Status Error Redirect URL".
Instead, the user gets the default error 500 page, not the custom redirect error page.

FWSTrace.log

[08/12/2021][13:24:55][18916][3609179904][f16fe633-e29bb2b5-8cc9f084-15530d87-088222cf-54][FWSBase.java][getSessionCookie][SESSIONSIGNOUT Cookie found.]
[08/12/2021][13:24:55][18916][3609179904][f16fe633-e29bb2b5-8cc9f084-15530d87-088222cf-54][FWSBase.java][getSessionCookie][SESSION Cookie is logged off.  Looking for another]
[08/12/2021][13:24:55][18916][3609179904][f16fe633-e29bb2b5-8cc9f084-15530d87-088222cf-54][FWSBase.java][getSessionCookie][SESSION Cookie found.]
[08/12/2021][13:24:55][18916][3609179904][f16fe633-e29bb2b5-8cc9f084-15530d87-088222cf-54][FWSBase.java][getSessionCookie][SESSION Cookie is logged off.  Looking for another]
[08/12/2021][13:24:55][18916][3609179904][f16fe633-e29bb2b5-8cc9f084-15530d87-088222cf-54][FWSBase.java][validateSessionData][User's session is already in logged off state. Global Logout can not be performed.]
[08/12/2021][13:24:55][18916][3609179904][f16fe633-e29bb2b5-8cc9f084-15530d87-088222cf-54][FWSBase.java][validateSessionData][Ending SAML2 Single Logout Service request processing with HTTP error 500]


affwebserv.log
[18916/3609179904][Thu Aug 12 2021 13:24:55][FWSBase.java][ERROR][sm-FedClient-02890] Transaction with ID: f16fe633-e29bb2b5-8cc9f084-15530d87-088222cf-54 failed. Reason: FWSB_USER_LOGGED_OFF (, , )

Cause

In federation SLO there are many other use cases where an SMSESSION exists and SLOService.java handles the exception before the request ever reaches FWSBase.java.

That is not the case here.

By design, "Status Error Redirect URL" only fires when a valid SMSESSION is detected.

When the user's session is already in the logged-off state, the Policy Server cannot retrieve the Logout info object (which contains the redirect URL) based on the user information, because there is no valid session to look it up from.

The exception is therefore caught by the application server itself, which returns its default error 500 page.


Environment

Release : 12.52

Component : SITEMINDER FEDERATION END POINT

Resolution

Since the application server is what catches the error, the simplest workaround is to handle it with application server side configuration.

This requires some effort from the customer to modify the deployment and conduct further testing.

The proposed workaround steps are:

1. Manually configure web.xml inside the affwebservices.war file on the application server side.

Contact the application server vendor if needed.

External reference:

https://www.codejava.net/java-ee/servlet/how-to-handle-error-in-web-xml-for-java-web-applications

Add the following section:

<error-page>
<error-code>404</error-code>
<location>/public/error404.jsp</location>
</error-page>

<error-page>
<error-code>500</error-code>
<location>/public/error500.jsp</location>
</error-page>

2. Provide your own physical JSP pages, error404.jsp and error500.jsp, to handle both cases, under the /public folder inside the affwebservices.war file itself.

These are unprotected pages and should be accessible as soon as they are deployed.

3. Restart the application server and test.
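Before restarting, it is worth confirming that the repackaged war really carries both mappings and both pages; the check below is an added example (not Broadcom's code or the affwebservices.war itself) and builds a constructed in-memory war to run against, so the paths and sample web.xml are assumptions rather than the product's own files.

```python
# Deployment check for the workaround above (added example, not Broadcom code):
# parse WEB-INF/web.xml inside a war and confirm each required <error-page>
# exists and points at a file that is actually packaged in the archive.
import io
import zipfile
import xml.etree.ElementTree as ET

WEB_XML = "WEB-INF/web.xml"

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the Java EE namespace, if any

def error_page_mappings(web_xml_bytes):
    """Return {error-code: location} for every <error-page> in web.xml."""
    mappings = {}
    for ep in ET.fromstring(web_xml_bytes).iter():
        if _local(ep.tag) != "error-page":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in ep}
        if fields.get("error-code") and fields.get("location"):
            mappings[int(fields["error-code"])] = fields["location"]
    return mappings

def check_war(war_bytes, required=(404, 500)):
    """Return a list of problems; an empty list means the war is ready."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        names = set(war.namelist())
        if WEB_XML not in names:
            return [f"{WEB_XML} missing from archive"]
        mappings = error_page_mappings(war.read(WEB_XML))
    for code in required:
        loc = mappings.get(code)
        if loc is None:
            problems.append(f"no <error-page> for HTTP {code}")
        elif loc.lstrip("/") not in names:
            problems.append(f"HTTP {code} maps to {loc}, which is not in the war")
    return problems

def build_sample_war(web_xml, pages):
    """Constructed in-memory war for the demo (not a real affwebservices.war)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr(WEB_XML, web_xml)
        for path, body in pages.items():
            war.writestr(path, body)
    return buf.getvalue()
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <error-page><error-code>404</error-code><location>/public/error404.jsp</location></error-page>
  <error-page><error-code>500</error-code><location>/public/error500.jsp</location></error-page>
</web-app>"""
```

Run `check_war` against the bytes of your repackaged war; a non-empty result lists exactly which mapping or page is missing, so a failed redirect after restart is not mistaken for the original defect.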

The Broadcom engineering team has completed a feasibility study of the code.

The plan is to include the fix in the next major WAOP release, 12.52 SP1 CR12.

Please note that the solution Broadcom engineering will provide works for the default /affwebservices path; customized URI paths are not tested.

Additional Information

https://www.codejava.net/java-ee/servlet/how-to-handle-error-in-web-xml-for-java-web-applications

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-52-01/release-notes/cumulative-releases/Defects-Fixed-in-12_52SP1-CR10.html

The following issue is fixed in the CR10 Web Agent Option Pack:

Salesforce/Wolken Case Number: 01081836
Internal Defect ID: DE366620
Issue Description: Error with the user logout attempt does not redirect to the specified page when the SAML2SingleLogoutErrorPage parameter is configured in the WAOP AffWebServices.properties file.

Prerequisites:

1. Have an IDP to SP and SP to IDP SAML2 POST partnership set up and ready.
2. Configure SLO on both the SP and IDP sides.
3. Enable the session store on both sides.
4. Add the parameter below to the AffWebServices.properties file on both sides:
SAML2SingleLogoutErrorPage=http://.......broadcom.net/sloerror/sloerror.html
