Error : FWSB_NULL_SMSESSION in SAML Logout not working in WAOP
search cancel

Error : FWSB_NULL_SMSESSION in SAML Logout not working in WAOP


Article ID: 233904


Updated On:


SITEMINDER CA Single Sign On Federation (SiteMinder)



When running Federation Services on Web Agent Option Pack, when user
tries to logout a Federation journey, the cookie doesn't get removed
from the browser and the Federation services report errors :

    Transaction with ID:
    158af913-43330f90-ec332935-e75284f7-23965cef-8da3 failed. Reason: FWSB_NULL_SMSESSION

    Neither SESSION nor SESSIONSIGNOUT Cookie found. Global Logout can not be performed.

    Transaction with ID:
    158af913-43330f90-ec332935-e75284f7-23965cef-8da3 failed. Reason: SLO_POST_EXCEPTION




Web Agent Option Pack 12.52SP1CR08
Web Agent 12.52SP1CR08




Fiddler traces show that the browser doesn't send a SMSESSION cookie
with the logout request. 

fiddler.saz :

  Line 32 :


    HTTP/1.1 302 Found
    Date: Thu, 20 Jan 2022 16:53:41 GMT
    Server: Apache
    Set-Cookie: SMSESSION=QNBcji/Jppy5ngz3zs7Ufp0Ug1wbYgDvtiCE25mJAvXkWm [...]; path=/;; secure; HTTPOnly

  Line 56 :

  GET [...]
  SMSESSION=aK75AFxVqZPXSz1epXY5kIZhEa2QqN4sc4ScDbVTYRBtFTe1X7nXgaS8duGcJIu84f [...]

    HTTP/1.1 200
    Date: Thu, 20 Jan 2022 16:53:55 GMT
    Server: Tomcat

    Set-Cookie: SMSESSION=w3C7IGrgq5NTi6NEigOhzA+1Nr5QLCD1U [...] ;; Path=/; Secure; HttpOnly

  Line 135 :


    HTTP/1.1 200 OK
    Date: Thu, 20 Jan 2022 16:54:22 GMT

      <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">
      <style type="text/css">
     visibility: hidden;}
    <body onLoad='document.forms[0].submit();'>
      <form action="" method="post">
 <input type=hidden name="SAMLRequest" value="PHNhbWxwOkxvZ291 [...] lvbkluZGV4Pjwvc2FtbHA6TG9nb3V0UmVxdWVzdD4=">
 <span id="If you are not automatically redirected click ">
 <input id="Continue" type="submit" value="Continue">
 <span id="Trailing phrase after Continue button">

  Line 137 :

  SAMLRequest=PHNhbWxwOkxvZ291 [...] WVzdD4%3D

  This request did not send any cookie data.

    HTTP/1.1 500 Unknown Reason
    Date: Thu, 20 Jan 2022 16:54:23 GMT
    Server: Apache
    Set-Cookie: SAMLSession=INVALID; path=/;; expires=Thu, 20-Jan-2022 16:53:23 GMT

Taking a look at Chrome Debug, it shows Cookies that would be set in
the browser but are not sent with the current request for certain

During the saml2slo request, the SMSESSION cookie is not sent by the
browser because no SameSite attributes were sent when the cookie was
previously set.




Upgrade the Web Agent Option Pack and Web Agent to 12.52SP1CR11
(1). Samesite feature has some limitation as it doesn't support the
SAML SLO with HTTP-POST binding (when it has the signature included in
the assertion)(2).

In order to make it working, change the Logout request to
HTTP-Redirect, which will present the signature outside the assertion

General information about Samesite and Siteminder are given here (4).


Additional Information



    CA Single Sign-On (formerly CA SiteMinder) Hotfix/Cumulative Release Index


    List of Use Cases that Will Fail

      SAML 2.0 SLO with HTTP-POST binding


    Error : FAILED_INVALID_RESPONSE_RETURNED in SP Web Agent Option Pack


    Configure SiteMinder to Manage the Change in the Default Behavior of Google Chrome 80