SiteMinder SP SAML Integration fails with AuthReason=47


Article ID: 240394

Products

SITEMINDER CA Single Sign On Federation (SiteMinder) CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

After upgrading from 12.8.01 build 1775 to 12.8.05 build 2546, user authentication at SiteMinder acting as SP fails with AuthReason=47.

Under the Federation partnership "User Identification" tab, this setup had always used the XPath configuration below, and it was working:

Specify XPath: translate(//NameID, 'abcdefghijklmnopqrstuvwxyz', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ')

The customer needs to use an XPath expression instead of the default Identity attribute source "Use Name ID" in order to convert the NameID to upper case before searching for the user in a DB store.

The transaction fails because in 12.8.05 the loginId is set to an empty value after the XPath is applied, even though the XML assertion does include a NameID.

Here are the logs from 12.8.05 build 2546:

FWStrace.log:

[04/26/2022][16:42:32][126572][140363139950336][76d8b368-b380250d-51186b0a-6b605abf-3dccfb09-09][AssertionConsumer.java][processSAMLResponse][authenticateUser failed: 1]
[04/26/2022][16:42:32][126572][140363139950336][76d8b368-b380250d-51186b0a-6b605abf-3dccfb09-09][AssertionConsumer.java][redirectLoginFailure][AuthReason=47]
[04/26/2022][16:42:32][126572][140363139950336][76d8b368-b380250d-51186b0a-6b605abf-3dccfb09-09][AssertionConsumer.java][redirectLoginFailure][Redirecting user to user not found page [CHECKPOINT = SSOSAML2_USERNOTFOUNDURL_REDIRECT]]

....

smtracedefault.log

[04/26/2022][16:49:10.761][16:49:10][104834][140065309185792][11fae21b-9006552b-812f6218-454af6ba-5863f184-cf8][Saml2Validator.java][getLoginId][][][][][][][][][][][][Applying this xpath: translate(//NameID, 'abcdefghijklmnopqrstuvwxyz', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ')][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[04/26/2022][16:49:10.763][16:49:10][104834][140065183360768][][CServer.cpp:1965][CAgentMessageHandler::HandleInput][][][][][][][][][][][][Enqueuing a Normal Priority Message, from IP ::ffff:10.x.x.x with Port No 33914. Current count is 1][][][][][][][][][][][][][][::ffff:10.x.x.x][33914][][][][][][][][][][][][][][][][][][][]

...
[04/26/2022][16:49:10.768][16:49:10][104834][140065309185792][11fae21b-9006552b-812f6218-454af6ba-5863f184-cf8][Saml2Validator.java][getLoginId][][][][][][][][][][][][No nodes found on XPath, loginId is set to: ][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
..
[04/26/2022][16:49:10.768][16:49:10][104834][140065309185792][][Sm_Auth_Message.cpp:104][g_ServerTrace][][][][][][][][Enter SetSamlData][][][][
SetSamlData: Enter SetSamlData][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[04/26/2022][16:49:10.768][16:49:10][104834][140065309185792][11fae21b-9006552b-812f6218-454af6ba-5863f184-cf8][Saml2Validator.java][saveSAMLData][][][][][][][][][][][][SAMLData: SAMLData:
   nameId: aduser1
   format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
   loginId:
   authnContext: urn:oasis:names:tc:SAML:2.0:ac:classes:Password
 
Logs from 12.8.01 build 1775:
 
[04/25/2022][11:51:21.755][11:51:21][12931][139822282811136][Saml2Validator.java][getLoginId][16163ea7-c109b164-d23b2e50-a07a29ab-80b112e0-ba][][][][][][][][][][][][][][][][][][][][Applying this xpath: translate(//NameID, 'abcdefghijklmnopqrstuvwxyz', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ')][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[04/25/2022][11:51:21.774][11:51:21][12931][139822282811136][Saml2Validator.java][getLoginId][16163ea7-c109b164-d23b2e50-a07a29ab-80b112e0-ba][][][][][][][][][][][][][][][][][][][][loginId found:  IDXXXXXXX][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
 

Cause

A third-party XML parser library that is pre-packaged with the SiteMinder Policy Server was changed.

This affects any Policy Server version from 12.8 SP5 onward, including 12.8 SP6.

Environment

Release : 12.8.05

Component : SiteMinder Federation(Federation Manager)

Resolution

Once the Policy Server is upgraded, if XPath is used, the existing XPath configuration needs to be adjusted.

The XPath expression //NameID worked in earlier Policy Server releases (12.8 SP1), which use JAXB 1. In 12.8.05 and later, JAXB is upgraded to version 2.x, which requires the XPath expression to be changed from //NameID to //NameID/text() to retrieve the value.

The following XPath expression can also be used as a workaround:

Specify XPath: translate(//*[local-name()='NameID'], 'abcdefghijklmnopqrstuvwxyz', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ')

Choosing the default "Use Name ID" remains an option: if the federation SP can use the raw NameID value as sent by its partners, no XPath is required.
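The following is an added example, not SiteMinder code or part of this article: a small Java check that evaluates the three XPath expressions discussed above against a captured SAML 2.0 assertion with the JDK's own XPath engine, once with namespace-aware parsing switched off and once with it on, and reports the loginId each expression would yield. The assertion is constructed here (its NameID value mirrors the one in the logs above), the class and method names are the example's own, and the parser hardening flags are standard JDK/Xerces features. It lets an administrator test a configured "Specify XPath" value offline before a Policy Server upgrade: an empty result is exactly the "No nodes found on XPath, loginId is set to:" condition that ends in AuthReason=47, and the local-name() form is the one that does not depend on how the parser treats the saml2 namespace prefix.

```java
// Added example (not SiteMinder's code): evaluate a federation "Specify XPath"
// expression against a captured SAML 2.0 assertion and show the resulting loginId.
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;

public class XPathLoginIdCheck {

    // Constructed sample assertion (not a real one); the NameID mirrors the article's logs.
    static final String ASSERTION =
        "<saml2:Assertion xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\""
      + " ID=\"_example-assertion-id\" Version=\"2.0\">"
      + "<saml2:Subject>"
      + "<saml2:NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\">"
      + "aduser1</saml2:NameID>"
      + "</saml2:Subject>"
      + "</saml2:Assertion>";

    static final String LOWER = "abcdefghijklmnopqrstuvwxyz";
    static final String UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";

    // The three expressions from the article, in the order they appear.
    static final String[] CANDIDATES = {
        "translate(//NameID, '" + LOWER + "', '" + UPPER + "')",
        "translate(//NameID/text(), '" + LOWER + "', '" + UPPER + "')",
        "translate(//*[local-name()='NameID'], '" + LOWER + "', '" + UPPER + "')",
    };

    // Parse the assertion as a DOM. The namespaceAware flag is the variable under test;
    // the remaining settings disable DTDs and external entities, which an SP parsing
    // partner-supplied XML should always do.
    static Document parse(String xml, boolean namespaceAware) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(namespaceAware);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Mirrors the SP's step: the string result of the XPath becomes the loginId.
    // An empty string is what the logs show as "loginId is set to: " (user not found).
    static String loginIdFor(String xpathExpr, Document doc) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        return (String) xp.evaluate(xpathExpr, doc, XPathConstants.STRING);
    }

    public static void main(String[] args) throws Exception {
        for (boolean nsAware : new boolean[] {false, true}) {
            Document doc = parse(ASSERTION, nsAware);
            System.out.println("namespaceAware=" + nsAware);
            for (String expr : CANDIDATES) {
                String loginId = loginIdFor(expr, doc);
                String verdict = loginId.isEmpty()
                    ? "EMPTY -> SP would redirect with AuthReason=47"
                    : "loginId=" + loginId;
                System.out.println("  " + expr);
                System.out.println("    " + verdict);
            }
        }
    }
}
```

Run it with `javac XPathLoginIdCheck.java && java XPathLoginIdCheck`. With the JDK's engine, an unqualified name test such as //NameID only matches the saml2:NameID element when the DOM was built without namespace awareness; once the document is parsed namespace-aware, that element lives in the SAML assertion namespace and the unqualified test returns nothing, while //*[local-name()='NameID'] still matches and yields ADUSER1 in both modes. To test your own configuration, replace ASSERTION with an assertion captured from your IdP (with signatures and any sensitive attributes removed) and add the exact string from your "Specify XPath" field to CANDIDATES.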

Additional Information

DE534360
