In a new OAuth2 partnership, the partner is the authorization server and SiteMinder is the OAuth client.
The partner suggests using the "sub" claim from the OIDC token to validate the user and create the SMSESSION.
When testing the flow, the user gets HTTP error 500 because the user is not found ("User is not found").
FWStrace.log:
[06/15/2022][17:47:32][10992][140241547839232][19a295fd-52b4d8dd-ff373fcc-eea8501b-19e1f82a-5b][TokenConsumer.java][processOAuthLogin][Authenticating the user.]
[06/15/2022][17:47:32][10992][140241547839232][19a295fd-52b4d8dd-ff373fcc-eea8501b-19e1f82a-5b][TokenConsumer.java][retrieveUserID][OAuth Authorization and Single Sign-on Retrieving user id attribute from claims.]
[06/15/2022][17:47:32][10992][140241547839232][19a295fd-52b4d8dd-ff373fcc-eea8501b-19e1f82a-5b][TokenConsumer.java][retrieveUserID][OAuth Authorization and Single Sign-on Authenticating the user with attribute null]
[06/15/2022][17:47:32][10992][140241547839232][19a295fd-52b4d8dd-ff373fcc-eea8501b-19e1f82a-5b][TokenConsumer.java][authenticateUser][OAuth Authorization and Single Sign-on Calling authenticate for user: null]
[06/15/2022][17:47:32][10992][140241547839232][19a295fd-52b4d8dd-ff373fcc-eea8501b-19e1f82a-5b][FWSBase.java][authenticateUser][Passing response message through login call [CHECKPOINT = SSO_RESPONSEMESSAGEINLOGIN_REQ]]
[06/15/2022][17:47:32][10992][140241547839232][19a295fd-52b4d8dd-ff373fcc-eea8501b-19e1f82a-5b][FWSBase.java][authenticateUser][result code from AgentAPI login call: 2]
...
[06/15/2022][17:47:32][10992][140241547839232][19a295fd-52b4d8dd-ff373fcc-eea8501b-19e1f82a-5b][FWSBase.java][processFailedAuthentication][ 255:AttributeMappingResponse=ClkIARIvMTlhMj..........................................................................g8IAhIGdXNlcmlkGgNzdWI=]
[06/15/2022][17:47:32][10992][140241547839232][19a295fd-52b4d8dd-ff373fcc-eea8501b-19e1f82a-5b][FWSBase.java][processFailedAuthentication][ 255:UserState=UserNotFound]
[06/15/2022][17:47:32][10992][140241547839232][19a295fd-52b4d8dd-ff373fcc-eea8501b-19e1f82a-5b][TokenConsumer.java][authenticateUser][OAuth Authorization and Single Sign-on Authentication returned 1]
[06/15/2022][17:47:32][10992][140241547839232][19a295fd-52b4d8dd-ff373fcc-eea8501b-19e1f82a-5b][TokenConsumer.java][processAuthenticationResponse][Enter into process authentication attributes]
[06/15/2022][17:47:32][10992][140241547839232][19a295fd-52b4d8dd-ff373fcc-eea8501b-19e1f82a-5b][TokenConsumer.java][processAuthenticationResponse][Setting any claims to samldata object]
[06/15/2022][17:47:32][10992][140241547839232][19a295fd-52b4d8dd-ff373fcc-eea8501b-19e1f82a-5b][TokenConsumer.java][processAuthenticationResponse][User is not found, setting auth status as user not found]
[06/15/2022][17:47:32][10992][140241547839232][19a295fd-52b4d8dd-ff373fcc-eea8501b-19e1f82a-5b][TokenConsumer.java][processOAuthLogin][OAuth Authorization and Single Sign-on Failed to authenticate the user. Failure code: 1]
[06/15/2022][17:47:32][10992][140241547839232][19a295fd-52b4d8dd-ff373fcc-eea8501b-19e1f82a-5b][TokenConsumer.java][redirectLoginFailure][AuthReason=48]
[06/15/2022][17:47:32][10992][140241547839232][19a295fd-52b4d8dd-ff373fcc-eea8501b-19e1f82a-5b][TokenConsumer.java][redirectLoginFailure][Redirect Mode="0" URL="null"]
[06/15/2022][17:47:32][10992][140241547839232][19a295fd-52b4d8dd-ff373fcc-eea8501b-19e1f82a-5b][TokenConsumer.java][setupFailureDefault][Ending OAuth service request processing with HTTP error 500]
[06/15/2022][17:47:32][10992][140241547839232][19a295fd-52b4d8dd-ff373fcc-eea8501b-19e1f82a-5b][OAuthUtils.java][removeStateDataCookie][Removing the state data cookie]
[06/15/2022][17:47:32][10992][140241547839232][19a295fd-52b4d8dd-ff373fcc-eea8501b-19e1f82a-5b][TokenConsumer.java][processRequest][Sending an error.]
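The trace above carries the whole failure signature inside one transaction id: retrieveUserID resolves the user-id attribute to null, the Policy Server login call then reports UserState=UserNotFound, and the request ends with HTTP error 500. The following triage script is an added example, not part of this article or of SiteMinder; it parses the bracketed FWStrace.log line layout shown above and flags that signature per transaction. The sample lines are copied from the trace in this article; the field names assigned to the bracketed columns (pid, tid, txid) are assumptions about the layout, not documented SiteMinder names.

```python
import re
from typing import Dict, List, Optional

# Assumed FWStrace.log layout: [date][time][pid][tid][txid][source][method][message]
# The message may itself contain brackets, so match the first seven bracketed
# fields strictly and take everything that remains (minus the outer brackets)
# as the message.
_FIELD = r"\[([^\]]*)\]"
_LINE_RE = re.compile(r"^" + _FIELD * 7 + r"\[(.*)\]$")

# Sample lines copied from the trace in this article (constructed test input).
SAMPLE_LINES = [
    "[06/15/2022][17:47:32][10992][140241547839232][19a295fd-52b4d8dd-ff373fcc-eea8501b-19e1f82a-5b][TokenConsumer.java][retrieveUserID][OAuth Authorization and Single Sign-on Authenticating the user with attribute null]",
    "[06/15/2022][17:47:32][10992][140241547839232][19a295fd-52b4d8dd-ff373fcc-eea8501b-19e1f82a-5b][FWSBase.java][authenticateUser][Passing response message through login call [CHECKPOINT = SSO_RESPONSEMESSAGEINLOGIN_REQ]]",
    "[06/15/2022][17:47:32][10992][140241547839232][19a295fd-52b4d8dd-ff373fcc-eea8501b-19e1f82a-5b][FWSBase.java][processFailedAuthentication][ 255:UserState=UserNotFound]",
    "[06/15/2022][17:47:32][10992][140241547839232][19a295fd-52b4d8dd-ff373fcc-eea8501b-19e1f82a-5b][TokenConsumer.java][setupFailureDefault][Ending OAuth service request processing with HTTP error 500]",
    "...",
]


def parse_fwstrace_line(line: str) -> Optional[Dict[str, str]]:
    """Split one trace line into named fields; return None for non-trace lines."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    date, time, pid, tid, txid, source, method, message = m.groups()
    return {"date": date, "time": time, "pid": pid, "tid": tid, "txid": txid,
            "source": source, "method": method, "message": message}


def find_missing_userid_claim(lines: List[str]) -> Dict[str, Dict[str, bool]]:
    """Group trace lines by transaction id and record the three markers of a
    user-id attribute that mapped to a claim the partner never delivered."""
    per_txn: Dict[str, Dict[str, bool]] = {}
    for raw in lines:
        rec = parse_fwstrace_line(raw)
        if rec is None:
            continue
        flags = per_txn.setdefault(
            rec["txid"],
            {"attribute_null": False, "user_not_found": False, "http_500": False},
        )
        msg = rec["message"]
        if rec["method"] == "retrieveUserID" and msg.endswith("with attribute null"):
            flags["attribute_null"] = True
        if "UserState=UserNotFound" in msg:
            flags["user_not_found"] = True
        if "HTTP error 500" in msg:
            flags["http_500"] = True
    return per_txn


def diagnose(flags: Dict[str, bool]) -> str:
    """Turn the per-transaction markers into a one-line triage verdict."""
    if flags["attribute_null"] and flags["user_not_found"]:
        return ("user-id attribute resolved to null before the login call: the claim "
                "mapped as user id (here 'sub') was not present in the claims SiteMinder "
                "received; check the partner's UserInfo response")
    if flags["user_not_found"]:
        return "user-id attribute was present but no matching user exists in the directory"
    return "no user-not-found signature in this transaction"


if __name__ == "__main__":
    for txid, flags in find_missing_userid_claim(SAMPLE_LINES).items():
        print(txid, flags, diagnose(flags))
```

Run it against a full FWStrace.log by replacing SAMPLE_LINES with the file's lines; every transaction whose verdict names the missing claim points at the same UserInfo problem described in the rest of this article.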
Release : 12.8
Component : SiteMinder Federation (Federation Manager)
From the same FWStrace.log we can tell that the user was authenticated at the partner: both the "id_token" and the "access_token" were received.
Next, SiteMinder calls the partner's UserInfo endpoint to retrieve the "sub", "email" and other attributes.
The partner's UserInfo endpoint does not work as required.
This is what was received from the UserInfo endpoint call:
[06/15/2022][17:47:32][10992][140241547839232][19a295fd-52b4d8dd-ff373fcc-eea8501b-19e1f82a-5b][OAuth20TokenConsumerHandler][sendUserInformationRequest][Received user information response.]
[06/15/2022][17:47:32][10992][140241547839232][19a295fd-52b4d8dd-ff373fcc-eea8501b-19e1f82a-5b][OAuthUtils.java][parseResponse][Message to parse: [Status Line: HTTP/1.1 200 OK ]
[Headers:{X-Powered-By=PHP/7.4.21, Cache-Control=no-store, no-cache, must-revalidate, Access-Control-Allow-Headers=Origin, X-Requested-With, Content-Type, Accept, Authorization, Access-Control-Request-Method, Access-Control-Allow-Methods=GET, POST, OPTIONS, PUT, DELETE, Strict-Transport-Security=max-age=31536000; includeSubDomains; preload, X-Frame-Options=SAMEORIGIN, Server=nginx, Date=Wed, 15 Jun 2022 15:47:32 GMT, Pragma=no-cache, Vary=Accept-Encoding, X-XSS-Protection=1; mode=block, Expires=Thu, 19 Nov 1981 08:52:00 GMT, Allow=GET, POST, OPTIONS, PUT, DELETE, Content-Type=application/json, Connection=close, Transfer-Encoding=chunked}]
[Cookies:{cookie_name=sab................5q; path=/}]
[Message: {"id":"302","label":"Tester OAuth","email":"tester@domain.com"}]]
There is no "sub" in the above response.
Compare a third-party example of a UserInfo endpoint response (from the Connect2id documentation):
https://connect2id.com/products/server/docs/api/userinfo
{
  "sub" : "83692",
  "name" : "Alice Adams",
  "email" : "alice@example.com",
  "birthdate" : "1975-12-31",
  "https://claims.example.com/department" : "engineering"
}
The "sub" claim must be included as one of the UserInfo attributes.
The root cause is that the partner does not have a valid OIDC UserInfo endpoint.
The OIDC standard flow requires SiteMinder to reach the UserInfo endpoint to obtain the user attributes, including "sub".
Even though the user is authenticated with a legitimate OIDC token, the ID token response from the authorization endpoint does not supply the "sub" user-info attribute that SiteMinder needs here, and so it is not relevant.
All OIDC vendors should have a working UserInfo endpoint that returns the required attributes.
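Before going live with a new partner, the UserInfo response can be checked against what an OIDC client needs from it. The function below is an added example, not part of this article or of SiteMinder: it checks that the body is a JSON object served as application/json, that "sub" is present as a non-empty string, and that it equals the "sub" from the ID token, which OpenID Connect Core 1.0 section 5.3.2 requires the client to verify before using any UserInfo values. The partner body is the one captured in this article; the compliant body is the Connect2id example above; the ID token "sub" values passed in are constructed, since the article does not show the partner's ID token. Signed (application/jwt) UserInfo responses are out of scope here and are reported as an unexpected content type.

```python
import json
from typing import List

# Constructed test inputs: the partner response captured in this article and the
# compliant example response quoted from the Connect2id documentation.
PARTNER_BODY = '{"id":"302","label":"Tester OAuth","email":"tester@domain.com"}'
COMPLIANT_BODY = (
    '{"sub": "83692", "name": "Alice Adams", "email": "alice@example.com", '
    '"birthdate": "1975-12-31", "https://claims.example.com/department": "engineering"}'
)


def check_userinfo_response(body: str, content_type: str, id_token_sub: str) -> List[str]:
    """Return the problems found with a UserInfo response; an empty list means it is usable.

    id_token_sub is the "sub" claim taken from the already-validated ID token of the
    same authentication; OIDC Core 5.3.2 says the UserInfo "sub" MUST exactly match it,
    otherwise the UserInfo values MUST NOT be used (guards against token substitution).
    """
    problems: List[str] = []

    # Only plain JSON responses are handled; strip any charset parameter first.
    media_type = content_type.split(";")[0].strip().lower()
    if media_type != "application/json":
        problems.append(f"unexpected Content-Type: {content_type}")

    try:
        claims = json.loads(body)
    except json.JSONDecodeError as exc:
        return problems + [f"body is not valid JSON: {exc.msg}"]
    if not isinstance(claims, dict):
        return problems + ["body is not a JSON object"]

    sub = claims.get("sub")
    if sub is None:
        problems.append("required claim 'sub' is missing")
    elif not isinstance(sub, str) or not sub:
        problems.append("'sub' must be a non-empty string")
    elif sub != id_token_sub:
        problems.append(f"'sub' {sub!r} does not match ID token sub {id_token_sub!r}")
    return problems


if __name__ == "__main__":
    # The partner's response fails on the missing 'sub'; the compliant one passes.
    print(check_userinfo_response(PARTNER_BODY, "application/json", "302"))
    print(check_userinfo_response(COMPLIANT_BODY, "application/json", "83692"))
```

Any non-empty result from check_userinfo_response is something to raise with the partner before mapping the user id to "sub" in the SiteMinder attribute mapping; a missing "sub" is exactly the condition that produced the null user-id attribute in the trace above.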
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/use-siteminder-as-openid-connect-provider/authentication-using-authorization-code-flow.html
https://connect2id.com/products/server/docs/api/userinfo