
SiteMinder and Social Media (Google) Integration does not work


Article ID: 230407


Products

SITEMINDER

Issue/Introduction

Symantec SiteMinder is integrated with Google social sign-in. After signing in to Google, the redirect to /Affwebservices fails with an HTTP 500 error.

 

In the Federation Trace log, I can see the following error message, but I am not sure what is wrong in my configuration.

 

[12/02/2021][19:43:35][18640][140300370945792][42afbafd-618b1136-de44563c-a0c97b47-cfd72c32-d0][MessageDispatcher.java][dispatchMessage][Dispatcher object thrown an exception while processing the message. SrcaException Message: HTTP status line was not returned: Possible cause is timeout before response received from remote service.
Message contents = 

[Headers:{}]
[Cookies:{}]
[Message: ].]
[12/02/2021][19:43:35][18640][140300370945792][42afbafd-618b1136-de44563c-a0c97b47-cfd72c32-d0][MessageDispatcher.java][dispatchMessage][Exception:
com.netegrity.srca.SrcaException: HTTP status line was not returned: Possible cause is timeout before response received from remote service.
Message contents = 

[Headers:{}]
[Cookies:{}]

Environment

SiteMinder 12.8.x

Access Gateway 12.8.x

 

Cause

The Google root CA certificate was not properly added to Symantec Access Gateway.

Access Gateway does not validate the "code" with the Google API server.

1) Request an access token with the authorization code, using the API described at https://developers.google.com/nest/device-access/reference/errors/authorization#3-access-token

curl -L -X POST 'https://www.googleapis.com/oauth2/v4/token?client_id=83876948441-iaufrd2cpqpde6hr78k6rph9qh5ddjo3.apps.googleusercontent.com&client_secret=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&redirect_uri=https%3A%2F%2Fsso01.security.demo-broadcom.com%2Faffwebservices%2Fpublic%2Foauthtokenconsumer%2Fgoogle83876948441iaufrd2cpqpde6hr78k6rph9qh5ddjo3appsgoogleusercontentcom' \
--data grant_type=authorization_code \
--data 'code=4/0AX4XfWi84GXbTH0RKe4FJauClmg7fcyyr2uATWW4GKjLO0ubGqc66spFiSvhOAIuf-Zbfw' \
--verbose --silent

Run from the Access Gateway host, this request works fine, so there is no issue with the authorization code itself.

2) Capture network traffic on Access Gateway (Linux environment) while reproducing the error in the browser.

  • tcpdump -nn -s 0 -i any -w /tmp/https.pcap port 443
  • tshark -r /tmp/https.pcap | less 

There is a certificate error in the captured TCP packets.

      

This means that Access Gateway is not connecting to 74.125.142.84, which is the Google API server.

Resolution

1) Go to https://www.googleapis.com/ and get the root certificate.

2) Import the certificate into Access Gateway and restart Access Gateway.

3) Validate Google Social Media integration.
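
The cause and the fix can be reproduced offline before touching the gateway. The script below is an added example, not part of the original article or of SiteMinder: it builds a constructed, throwaway PKI and shows a server certificate failing verification against a bundle that lacks its issuing root, then passing once that root is appended. It assumes OpenSSL 1.1.0 or later and a trust store available as a PEM bundle; all file names and subject names are hypothetical.

```shell
#!/bin/sh
# Added example: reproduce the "missing root CA" failure with a constructed
# PKI, then show that importing the issuing root fixes verification.

# Build two constructed roots and one server certificate issued by rootA.
make_demo_pki() {
    dir=$1
    for ca in rootA rootB; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=Constructed $ca" \
            -keyout "$dir/$ca.key" -out "$dir/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=api.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/leaf.csr" -days 2 \
        -CA "$dir/rootA.pem" -CAkey "$dir/rootA.key" -CAcreateserial \
        -out "$dir/leaf.pem" 2>/dev/null
}

# Succeeds only if the certificate ($2) chains to a root in the PEM bundle ($1).
# -no-CApath keeps the system default CA directory out of the decision.
chain_trusted() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

verdict() {
    if chain_trusted "$1" "$2"; then echo trusted; else echo untrusted; fi
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    # Before: the bundle holds only an unrelated root (the article's Cause).
    cp "$tmp/rootB.pem" "$tmp/bundle.pem"
    before=$(verdict "$tmp/bundle.pem" "$tmp/leaf.pem")
    # After: the issuing root is appended (the article's Resolution step 2).
    cat "$tmp/rootA.pem" >> "$tmp/bundle.pem"
    after=$(verdict "$tmp/bundle.pem" "$tmp/leaf.pem")
    rm -rf "$tmp"
    echo "before=$before after=$after"
}

demo
```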