
SiteMinder SP SAML Integration fails with AuthReason=47


Article ID: 240394


Products

SITEMINDER
CA Single Sign On Federation (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

After upgrading from 12.8.01 build 1775 to 12.8.05 build 2546, the customer noticed that, with SiteMinder acting as SP, user authentication fails with AuthReason=47.

Under the Federation partnership "User Identification" tab, this setup had always used the XPath configuration below, and it was working:

Specify XPath: translate(//NameID, 'abcdefghijklmnopqrstuvwxyz', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ')

The customer needs to use an XPath expression instead of the default Identity attribute source "Use Name ID" in order to convert the NameID to upper case before searching the DB user store.

The transaction fails because in 12.8.05 the loginId is set to an empty value after the XPath is applied, even though the XML assertion does include a NameID.

Here are the logs from 12.8.05 build 2546:

FWStrace.log:

[04/26/2022][16:42:32][126572][140363139950336][76d8b368-b380250d-51186b0a-6b605abf-3dccfb09-09][AssertionConsumer.java][processSAMLResponse][authenticateUser failed: 1]
[04/26/2022][16:42:32][126572][140363139950336][76d8b368-b380250d-51186b0a-6b605abf-3dccfb09-09][AssertionConsumer.java][redirectLoginFailure][AuthReason=47]
[04/26/2022][16:42:32][126572][140363139950336][76d8b368-b380250d-51186b0a-6b605abf-3dccfb09-09][AssertionConsumer.java][redirectLoginFailure][Redirecting user to user not found page [CHECKPOINT = SSOSAML2_USERNOTFOUNDURL_REDIRECT]]

....

smtracedefault.log:

[04/26/2022][16:49:10.761][16:49:10][104834][140065309185792][11fae21b-9006552b-812f6218-454af6ba-5863f184-cf8][Saml2Validator.java][getLoginId][][][][][][][][][][][][Applying this xpath: translate(//NameID, 'abcdefghijklmnopqrstuvwxyz', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ')][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[04/26/2022][16:49:10.763][16:49:10][104834][140065183360768][][CServer.cpp:1965][CAgentMessageHandler::HandleInput][][][][][][][][][][][][Enqueuing a Normal Priority Message, from IP ::ffff:10.x.x.x with Port No 33914. Current count is 1][][][][][][][][][][][][][][::ffff:10.x.x.x][33914][][][][][][][][][][][][][][][][][][][]

...
[04/26/2022][16:49:10.768][16:49:10][104834][140065309185792][11fae21b-9006552b-812f6218-454af6ba-5863f184-cf8][Saml2Validator.java][getLoginId][][][][][][][][][][][][No nodes found on XPath, loginId is set to: ][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
..
[04/26/2022][16:49:10.768][16:49:10][104834][140065309185792][][Sm_Auth_Message.cpp:104][g_ServerTrace][][][][][][][][Enter SetSamlData][][][][
SetSamlData: Enter SetSamlData][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[04/26/2022][16:49:10.768][16:49:10][104834][140065309185792][11fae21b-9006552b-812f6218-454af6ba-5863f184-cf8][Saml2Validator.java][saveSAMLData][][][][][][][][][][][][SAMLData: SAMLData:
   nameId: aduser1
   format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
   loginId:
   authnContext: urn:oasis:names:tc:SAML:2.0:ac:classes:Password
 
Logs from 12.8.01 build 1775:
 
[04/25/2022][11:51:21.755][11:51:21][12931][139822282811136][Saml2Validator.java][getLoginId][16163ea7-c109b164-d23b2e50-a07a29ab-80b112e0-ba][][][][][][][][][][][][][][][][][][][][Applying this xpath: translate(//NameID, 'abcdefghijklmnopqrstuvwxyz', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ')][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[04/25/2022][11:51:21.774][11:51:21][12931][139822282811136][Saml2Validator.java][getLoginId][16163ea7-c109b164-d23b2e50-a07a29ab-80b112e0-ba][][][][][][][][][][][][][][][][][][][][loginId found:  IDXXXXXXX][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
 

Environment

Release : 12.8.05

Component : SiteMinder Federation(Federation Manager)

Cause

The 3rd-party XML parser library that is pre-packaged with the SiteMinder Policy Server changed.

This impacts Policy Server versions 12.8 SP5 and later, including 12.8 SP6.

Resolution

After the Policy Server is upgraded, any existing XPath configuration must be adjusted.

The XPath expression //NameID worked in the earlier Policy Server (12.8 SP1), which uses JAXB 1. In 12.8.05 and later, JAXB is upgraded to version 2.x, which requires the expression to be changed from //NameID to //NameID/text() to retrieve the value.

The following workaround XPath expression can also be used:

Specify XPath: translate(//*[local-name()='NameID'], 'abcdefghijklmnopqrstuvwxyz', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ')

Choosing the default "Use Name ID" remains an option: if the federation SP can take the raw NameID value from its partners unchanged, no XPath is required.
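The following is an added example, not code from this article and not SiteMinder's own Saml2Validator implementation. It evaluates the three XPath forms discussed above (the original //NameID, the //NameID/text() form and the local-name() workaround) against a constructed SAML 2.0 assertion fragment using the JDK's standard DOM and XPath APIs. SiteMinder's internal parser configuration is not reproduced here; the example toggles the DOM parser's namespace-awareness setting as a stand-in for a parser change, because that setting is a common reason a bare //NameID stops selecting anything. The class name NameIdXPathCheck, the sample assertion and the helper names are assumptions of this example. It also shows the check a consumer should keep: an empty loginId after XPath evaluation is rejected rather than passed on to the user store lookup, which is the behaviour the AuthReason=47 trace above reflects.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class NameIdXPathCheck {

    // Constructed sample assertion fragment for this example; not a real partner's assertion.
    static final String ASSERTION =
        "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_example\">"
      + "  <Subject>"
      + "    <NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\">aduser1</NameID>"
      + "  </Subject>"
      + "</Assertion>";

    static final String LOWER = "abcdefghijklmnopqrstuvwxyz";
    static final String UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";

    // The three node expressions from the article, each later wrapped in translate().
    static final String[] EXPRESSIONS = {
        "//NameID",
        "//NameID/text()",
        "//*[local-name()='NameID']"
    };

    // Parse with the given namespace-awareness; DTDs and external entities are disabled,
    // as any SAML consumer should do regardless of the XPath question.
    static Document parse(String xml, boolean namespaceAware) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(namespaceAware);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Mirrors the two steps visible in the trace: check whether the node expression selects
    // anything, then apply translate() to upper-case its string value. Empty when nothing matched.
    static String loginIdFor(Document doc, String nodeExpr) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        NodeList nodes = (NodeList) xp.evaluate(nodeExpr, doc, XPathConstants.NODESET);
        if (nodes.getLength() == 0) {
            return "";  // corresponds to "No nodes found on XPath, loginId is set to: "
        }
        String upper = "translate(" + nodeExpr + ", '" + LOWER + "', '" + UPPER + "')";
        return (String) xp.evaluate(upper, doc, XPathConstants.STRING);
    }

    // Fail closed: an empty loginId must never reach the user store lookup.
    static String requireLoginId(String loginId) {
        if (loginId == null || loginId.isEmpty()) {
            throw new IllegalStateException("loginId empty after XPath; rejecting assertion");
        }
        return loginId;
    }

    public static void main(String[] args) throws Exception {
        for (boolean nsAware : new boolean[] {false, true}) {
            Document doc = parse(ASSERTION, nsAware);
            System.out.println("namespaceAware=" + nsAware);
            for (String expr : EXPRESSIONS) {
                String loginId = loginIdFor(doc, expr);
                String verdict;
                try {
                    verdict = "loginId found: " + requireLoginId(loginId);
                } catch (IllegalStateException e) {
                    verdict = "REJECTED: " + e.getMessage();
                }
                System.out.printf("  %-30s -> %s%n", expr, verdict);
            }
        }
    }
}
```

Compile and run with `javac NameIdXPathCheck.java && java NameIdXPathCheck`. With the namespace-aware parser the unprefixed //NameID (and therefore //NameID/text()) selects nothing, so the loginId is empty and the assertion is rejected, while the local-name() form resolves the NameID in both parser modes and translate() returns it upper-cased. After a Policy Server upgrade, confirm the chosen expression against the actual server by looking for the "loginId found:" line rather than "No nodes found on XPath" in smtracedefault.log, as in the traces above.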

Additional Information

DE534360
