
Error: No authorization server ID or state cookie available in WAOP


Article ID: 239514


Products

  SITEMINDER
  CA Single Sign On Agents (SiteMinder)
  CA Single Sign On Federation (SiteMinder)

Issue/Introduction

 

When Federation Services runs as an OAuth client and a user tries to
log in to Azure AD (the OAuth Authorization Server), the browser gets
the error:

    500 - Internal Error occured while trying to process the request.

Federation Services ends the request with the error:

    [TokenConsumer.java][processOAuthLogin][No authorization server ID or state cookie available.]
    [OAuthUtils.java][removeStateDataCookie][Removing the state data cookie]
    [TokenConsumer.java][processRequest][Sending an error.]

 

Cause

 

The first request to the Federation Services produces an
OAuthStateDataCookie with the SameSite attribute set to strict:

fiddler.saz

Line 5 :

GET https://myoauthclient.myhomedomain.com/affwebservices/public/oauthtokenconsumer/a26fa4fb-d8b5-4979-932e-ce9665b582be?AuthzServerID=myazureoauthaz

  HTTP/1.1 302 Moved temporarily
  Date: Mon, 11 Apr 2022 12:19:22 GMT
  Server: Apache
  Set-Cookie: OAuthStateDataCookie=NOdq7lx1fm/BzooMDtZA3d2FY9TuBnQy [...] Domain=myhomedomain.com; Path=/; secure; HTTPOnly; SameSite=strict

Line 95 :

POST https://login.microsoftonline.com/login.srf

  HTTP/1.1 302 Found
  Location: https://myoauthclient.myhomedomain.com/affwebservices/public/oauthtokenconsumer/a26fa4fb-d8b5-4979-932e-ce9665b582be?code=0. [...] -1&session_state=3aac4ea8-8s5s-47b3-a8f4-ef04a17aa9fb#
  Date: Mon, 11 Apr 2022 12:19:55 GMT

The redirect back to the Federation Services comes from
microsoftonline.com, so it is a cross-site navigation. Because the
OAuthStateDataCookie was set with SameSite=strict, the browser does not
send it with that request. Without the OAuthStateDataCookie value,
Federation Services returns a 500 code to the browser:

Line 97 :

GET https://myoauthclient.myhomedomain.com/affwebservices/public/oauthtokenconsumer/a26fa4fb-d8b5-4979-932e-ce9665b582be?code=0. [...] -1&session_state=3aac4ea8-8s5s-47b3-a8f4-ef04a17aa9fb
This request did not send any cookie data.

  HTTP/1.1 500 Internal Error occured while trying to process the request.
  Transaction ID: 1a3876e9-093736ac-61581d02-9434e68d-afc64733-4 failed.
  Date: Mon, 11 Apr 2022 12:19:56 GMT
  Server: Apache

FWSTrace.log :

  [04/11/2022][14:19:56][7373][3937363712][1a3876e9-093736ac-61581d02-9434e68d-afc64733-4]
  [TokenConsumer.java][doGet][Query String: code=0

  [...]

  A&state=11a55580-f02ec057-3fd5246e-85e343ab-da92d4fe-1
  &session_state=3aac4ea8-8s5s-47b3-a8f4-ef04a17aa9fb]

  [04/11/2022][14:19:56][7373][3937363712][1a3876e9-093736ac-61581d02-9434e68d-afc64733-4]
  [OAuthUtils.java][getStateDataCookieValue][Retrieving State Data Cookie values]

  [04/11/2022][14:19:56][7373][3937363712][1a3876e9-093736ac-61581d02-9434e68d-afc64733-4]
  [OAuthUtils.java][getStateDataCookie][Could not find state data cookie]

  [04/11/2022][14:19:56][7373][3937363712][1a3876e9-093736ac-61581d02-9434e68d-afc64733-4]
  [OAuthUtils.java][getStateDataCookieValue][State data cookie does not exist.]

  [04/11/2022][14:19:56][7373][3937363712][1a3876e9-093736ac-61581d02-9434e68d-afc64733-4]
  [TokenConsumer.java][processOAuthLogin][No authorization server ID or state cookie available.]

  [04/11/2022][14:19:56][7373][3937363712][1a3876e9-093736ac-61581d02-9434e68d-afc64733-4]
  [OAuthUtils.java][removeStateDataCookie][Removing the state data cookie]

  [04/11/2022][14:19:56][7373][3937363712][1a3876e9-093736ac-61581d02-9434e68d-afc64733-4]
  [TokenConsumer.java][processRequest][Sending an error.]

 

Environment

 

  Policy Server 12.8SP5 on RedHat 7;
  Web Agent Option Pack 12.52SP1CR09 on ServletExec 6 on RedHat 6;
  Web Agent 12.52SP1CR09 on Apache 2.2.34 on RedHat 6;

 

Resolution


- Upgrade Web Agent and Web Agent Option Pack to 12.52SP1CR11, and set
  the following ACO parameters to solve the issue:

  SameSite to none or lax
  UseSecureCookies to yes
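
The following is an added example, not part of the original article or of SiteMinder: a small Python model of the browser's SameSite/Secure decision for the OAuthStateDataCookie on the redirect from Azure AD back to the token consumer. It shows why strict drops the cookie and why none only works together with secure cookies. The function names, the placeholder cookie value and the two-label "site" rule are assumptions made for illustration.

```python
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, {lower-cased attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0], attrs

def site_of(url):
    # Simplification: last two host labels. Browsers use the Public Suffix List.
    return ".".join(urlsplit(url).hostname.lower().split(".")[-2:])

def sent_on_top_level_navigation(set_cookie, initiator_url, target_url, method="GET"):
    """Model only the SameSite/Secure decision (not Domain, Path or expiry)."""
    _, attrs = parse_set_cookie(set_cookie)
    samesite = attrs.get("samesite", "lax").lower()  # Chromium treats a missing attribute as Lax
    secure = "secure" in attrs
    if secure and urlsplit(target_url).scheme != "https":
        return False
    if samesite == "none":
        return secure  # SameSite=None without Secure is rejected by current browsers
    if site_of(initiator_url) == site_of(target_url):
        return True
    # Cross-site: Lax allows safe-method top-level navigations, Strict allows nothing.
    return samesite == "lax" and method.upper() in SAFE_METHODS

# Constructed inputs: host names are from the trace above, values are placeholders.
AZURE = "https://login.microsoftonline.com/login.srf"
CALLBACK = "https://myoauthclient.myhomedomain.com/affwebservices/public/oauthtokenconsumer/ID?code=CODE"

def state_cookie(samesite, secure=True):
    flag = "secure; " if secure else ""
    return (f"OAuthStateDataCookie=PLACEHOLDER; Domain=myhomedomain.com; Path=/; "
            f"{flag}HTTPOnly; SameSite={samesite}")

def callback_gets_cookie(samesite, secure=True):
    return sent_on_top_level_navigation(state_cookie(samesite, secure), AZURE, CALLBACK)

if __name__ == "__main__":
    for value, secure in [("strict", True), ("lax", True), ("none", True), ("none", False)]:
        print(f"SameSite={value:<6} Secure={secure!s:<5} -> sent: {callback_gets_cookie(value, secure)}")
```
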