Error : FWSB_NULL_SMSESSION in SAML Logout not working in WAOP

Article ID: 233904


Products

SITEMINDER CA Single Sign On Federation (SiteMinder)

Issue/Introduction

 

When running Federation Services on the Web Agent Option Pack, when a
user tries to log out of a Federation journey, the cookie is not removed
from the browser and the Federation Services report these errors:

    Transaction with ID:
    158af913-43330f90-ec332935-e75284f7-23965cef-8da3 failed. Reason: FWSB_NULL_SMSESSION

    Neither SESSION nor SESSIONSIGNOUT Cookie found. Global Logout can not be performed.

    Transaction with ID:
    158af913-43330f90-ec332935-e75284f7-23965cef-8da3 failed. Reason: SLO_POST_EXCEPTION

 

Environment

 

Web Agent Option Pack 12.52SP1CR08
Web Agent 12.52SP1CR08

 

Cause

 

Fiddler traces show that the browser doesn't send a SMSESSION cookie
with the logout request. 

fiddler.saz :

  Line 32 :

  POST https://myapp.mydomain.com/login.fcc

    HTTP/1.1 302 Found
    Date: Thu, 20 Jan 2022 16:53:41 GMT
    Server: Apache
    Set-Cookie: SMSESSION=QNBcji/Jppy5ngz3zs7Ufp0Ug1wbYgDvtiCE25mJAvXkWm [...]; path=/; domain=.mydomain.com; secure; HTTPOnly

  Line 56 :

  GET https://mysp.myspdomain.com/affwebservices/public/saml2sso?SAMLRequest=fJHNTsMwEIRf [...]
  SMSESSION=aK75AFxVqZPXSz1epXY5kIZhEa2QqN4sc4ScDbVTYRBtFTe1X7nXgaS8duGcJIu84f [...]

    HTTP/1.1 200
    Date: Thu, 20 Jan 2022 16:53:55 GMT
    Server: Tomcat

    Set-Cookie: SMSESSION=w3C7IGrgq5NTi6NEigOhzA+1Nr5QLCD1U [...] ; Domain=.portal.at; Path=/; Secure; HttpOnly

  Line 135 :

  GET https://myidp.idpdomain.com/logout

    HTTP/1.1 200 OK
    Date: Thu, 20 Jan 2022 16:54:22 GMT

    <html>
    <head>
      <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">
      <style type="text/css">
        body{
          visibility: hidden;}
      </style>
    </head>
    <body onLoad='document.forms[0].submit();'>
      <form action="https://mysp.myspdomain.com/affwebservices/public/saml2slo" method="post">
        <input type=hidden name="SAMLRequest" value="PHNhbWxwOkxvZ291 [...] lvbkluZGV4Pjwvc2FtbHA6TG9nb3V0UmVxdWVzdD4=">
        <span id="If you are not automatically redirected click ">
        </span>
        <input id="Continue" type="submit" value="Continue">
        <span id="Trailing phrase after Continue button">
        </span>
      </form>
    </body>
    </html>

  Line 137 :

  POST https://mysp.myspdomain.com/affwebservices/public/saml2slo
  SAMLRequest=PHNhbWxwOkxvZ291 [...] WVzdD4%3D

  This request did not send any cookie data.

    HTTP/1.1 500 Unknown Reason
    Date: Thu, 20 Jan 2022 16:54:23 GMT
    Server: Apache
    Set-Cookie: SAMLSession=INVALID; path=/; domain=.mydomain.com; expires=Thu, 20-Jan-2022 16:53:23 GMT

Chrome Debug shows cookies that are set in the browser but, for
certain reasons, are not sent with the current request.

During the saml2slo request, the SMSESSION cookie is not sent by the
browser because no SameSite attribute was sent when the cookie was
previously set.
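
As an added illustration (not part of the original article and not SiteMinder code), the sketch below models how a Chrome 80+ browser decides whether to attach a cookie, and applies it to a cross-site form POST like the saml2slo request in the trace. Cookie values are constructed placeholders, domain and path matching is assumed, and Chrome's short-lived allowance for recently set cookies on top-level POSTs is not modelled.

```javascript
// Added example: Chrome 80+ SameSite handling for one cookie (domain/path assumed
// to match; the temporary allowance for cookies under two minutes old is omitted).

// Parse a Set-Cookie header value into a name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf("=")), attrs: {} };
  for (const a of attrs.filter(Boolean)) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return cookie;
}

// Missing or unknown SameSite is treated as Lax; None without Secure is rejected.
function effectiveSameSite(cookie) {
  const raw = String(cookie.attrs.samesite || "").toLowerCase();
  if (raw === "strict" || raw === "lax") return raw;
  if (raw === "none") return cookie.attrs.secure ? "none" : "rejected";
  return "lax-by-default";
}

// Would the browser attach the cookie to a request of this shape?
function isSent(cookie, { crossSite, method, topLevel }) {
  const mode = effectiveSameSite(cookie);
  if (mode === "rejected") return false;
  if (!crossSite || mode === "none") return true;
  if (mode === "strict") return false;
  return topLevel && (method === "GET" || method === "HEAD"); // Lax rule
}

// Request shapes: auto-submitted cross-site form POST vs. top-level GET navigation.
const SLO_POST = { crossSite: true, method: "POST", topLevel: true };
const SLO_GET = { crossSite: true, method: "GET", topLevel: true };

// Constructed headers: values are placeholders, attributes follow the trace.
const SAMPLES = [
  "SMSESSION=constructed-value; path=/; domain=.mydomain.com; secure; HTTPOnly",
  "SMSESSION=constructed-value; Path=/; Secure; HttpOnly; SameSite=None",
];

function report(headers) {
  return headers.map((h) => {
    const c = parseSetCookie(h);
    return `${effectiveSameSite(c)}: POST=${isSent(c, SLO_POST)} GET=${isSent(c, SLO_GET)}`;
  });
}
console.log(report(SAMPLES).join("\n"));
```

The first sample mirrors the attributes seen in the trace (no SameSite), so the cookie is withheld from the cross-site POST; the second shows the attribute pair a browser requires before it will send the cookie on that request.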

 

Resolution

 

Upgrade the Web Agent Option Pack and Web Agent to 12.52SP1CR11
(1). The SameSite feature has a limitation: it does not support SAML
SLO with HTTP-POST binding (when the signature is included in the
assertion) (2).

To make it work, change the Logout request to HTTP-Redirect, which
presents the signature outside the assertion (3).

General information about SameSite and SiteMinder is given here (4).

 

Additional Information

 

(1)

    CA Single Sign-On (formerly CA SiteMinder) Hotfix/Cumulative Release Index
    https://techdocs.broadcom.com/us/product-content/recommended-reading/technical-document-index/ca-single-sign-on-hotfix-cumulative-release-index.html

(2)

    List of Use Cases that Will Fail

      SAML 2.0 SLO with HTTP-POST binding

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/How-SiteMinder-Avoids-Impact-of-the-Default-Behavior-of-Google-Chrome-80-for-SameSite-Cookie-Attribute.html

(3)

    Error : FAILED_INVALID_RESPONSE_RETURNED in SP Web Agent Option Pack
    https://knowledge.broadcom.com/external/article?articleId=141423

(4)

    Configure SiteMinder to Manage the Change in the Default Behavior of Google Chrome 80
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/How-SiteMinder-Avoids-Impact-of-the-Default-Behavior-of-Google-Chrome-80-for-SameSite-Cookie-Attribute/Configure-SiteMinder-to-Manage-the-Change-in-the-Default-Behavior-of-Google-Chrome-80.html