An intermittent 403 error occurs when using the Federation partnership with a SAMLRequest that carries ForceAuthn="true".
In this setup, the Service Provider (SP) is MS Azure, and the Identity Provider (IDP) is SiteMinder.
SP-initiated requests fail, but IDP-initiated requests work fine.
The attribute ForceAuthn="true" is present in the SAMLRequest, but this use case flow itself does not require Step-up Authentication, since the session cookie's authentication level remains the same.
The logs show these lines:
FWStrace.log:
[07/05/2022][15:14:22][][][][SSO.java][getAuthnRequestData][AuthnRequest: <samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="<id>" Version="2.0" IssueInstant="2022-07-05T15:14:22.2786029Z" Destination="https://host.example.com/affwebservices/public/saml2sso" ForceAuthn="true" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://assertionconsumerhost.example.com/samlp/sso/assertionconsumer" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.example.com</saml:Issuer></samlp:AuthnRequest>]
[...omitted for brevity...]
[06/29/2022][14:46:30][][][][SSO.java][processRequest][logout() has been called. Session Id: <sessionid> and the Result: 1]
[06/29/2022][14:46:30][][][][SSO.java][processRequest][Current status of user's identity check is: 2]
[06/29/2022][14:46:30][][][][SSO.java][processRequest][About to validate User's identity for current zone.]
[...omitted for brevity...]
[06/29/2022][14:46:30][3192][][][FWSBase.java][isValidSession][Attribute ID: 255 , value: AuthLevel=5]
[06/29/2022][14:46:30][3192][][][FWSBase.java][isValidSession][ AuthLevel value retrieved: 5]
[...omitted for brevity...]
[06/29/2022][14:46:30][3192][][][SSO.java][processAssertionGeneration][Calling authorizeEx to invoke SAML2 assertion generator.]
[06/29/2022][14:46:30][3192][][][SSO.java][processAssertionGeneration][Request to policy server for generating saml2 assertion/artifact based on selected profile. [CHECKPOINT = SSOSAML2_GENERATEASSERTIONORARTIFACT_REQ]]
[06/29/2022][14:46:30][3192][][][SSO.java][processAssertionGeneration][Transient IP check: false]
[06/29/2022][14:46:30][3192][][][SSO.java][processAssertionGeneration][Result of authorizeEx call is: 2.]
[06/29/2022][14:46:30][3192][][][SSO.java][processAssertionGeneration][Received the assertion/artifact response based on profile selected. [CHECKPOINT = SSOSAML2_RECEIVEDASSERTION_RSP]]
[06/29/2022][14:46:30][3192][][][SSO.java][processAssertionGeneration][Transaction with ID: failed. Reason: FAILED_AUTHEX]
[06/29/2022][14:46:30][3192][][][SSO.java][processAssertionGeneration][Denying request due to authorizeEx call failure.]
[06/29/2022][14:46:30][3192][][][SSO.java][processAssertionGeneration][Sending 403 error]
Policy Server side smtracedefault.log:
[06/29/2022][09:46:30][09:46:30.651][][][][][][1101][140585286674176][][][][][][][][][][LdapStore.cpp:1557][QueryObject][][][][][][][][][][][][][][][][][][][][][][][][][][][Querying for object 'smSessionId=<sessionid>=,o=example', (filter:" <n/a> ")][][][][][][][][]
[06/29/2022][09:46:30][09:46:30.651][][][][][][1101][140585286674176][][][][][][][][][][LdapStore.cpp:1895][CLdapStore][][][][][][][][][][][][][][][][][][][][][][][][][][][Trying to query an object, LDAP returned an error message: No such object, (ldap_search_s returned LDAP err=0x20][][][][][][][][]
[06/29/2022][09:46:30][09:46:30.651][][][][][][1101][140585286674176][][][][][][][][][][SmSSInLDAPStore.cpp:815][DoGetSession][][][][][][][][][][][][][][][][][][][][][][][][][][][Unable to read object 'smSessionId=<sessionid>=,o=example' ErrorCode='32'][][][][][][][][]
Based on the ForceAuthn flow use case, this scenario does not require Step-up Authentication: the authentication level remains at level 5.
SiteMinder should therefore reuse the existing session cookie to generate the assertion. Instead, FWS logs out the old session and creates a new one, but still uses the old smSessionId to generate the assertion.
When the Policy Server then looks up the old smSessionId before generating the assertion, it no longer exists (the session store returns "No such object", LDAP error 32).
That is why the assertion generation fails.
Per the SAML specification, ForceAuthn is optional. To avoid this problem, configure ForceAuthn="false" on the SP side in Azure.
When ForceAuthn="false", the code flow on the IDP side is different.
When ForceAuthn="true", the code flow can be very complicated, depending on many factors (1).
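The two checks a practitioner wants while diagnosing this are: does the incoming AuthnRequest actually carry ForceAuthn="true" (it defaults to false when absent), and does the FWStrace.log show the logout-then-FAILED_AUTHEX-then-403 chain described above. The following Python is an added example, not SiteMinder or Broadcom code. The sample AuthnRequest and the "healthy" trace are constructed (the issuer https://sp.example.com is a placeholder); the failing trace reuses the already-redacted FWStrace.log lines quoted above, and the line layout the regex assumes is inferred from that excerpt.

```python
import re
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSD_TRUE = ("true", "1")  # xs:boolean lexical forms that mean true

# Constructed sample AuthnRequest, modelled on the one in the FWStrace.log excerpt.
# The issuer value is a placeholder, not taken from the article.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_sample-id" Version="2.0"
  IssueInstant="2022-07-05T15:14:22Z"
  Destination="https://host.example.com/affwebservices/public/saml2sso"
  ForceAuthn="true" IsPassive="false"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  AssertionConsumerServiceURL="https://assertionconsumerhost.example.com/samlp/sso/assertionconsumer">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sp.example.com</saml:Issuer>
</samlp:AuthnRequest>"""


def inspect_authn_request(xml_text):
    """Pull the attributes this issue hinges on out of a SAML 2.0 AuthnRequest.

    Per SAML 2.0 core, ForceAuthn and IsPassive are optional and default to
    false when the attribute is absent, so an absent attribute is reported False.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a samlp:AuthnRequest element: %s" % root.tag)
    issuer = root.find("{%s}Issuer" % SAML_NS)
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "destination": root.get("Destination"),
        "force_authn": root.get("ForceAuthn", "false").strip().lower() in XSD_TRUE,
        "is_passive": root.get("IsPassive", "false").strip().lower() in XSD_TRUE,
    }


# FWStrace.log layout as seen in the excerpt: [date][time][thread][..][..][file][method][message]
FWS_LINE = re.compile(
    r"^\[(?P<date>[^\]]*)\]\[(?P<time>[^\]]*)\]\[(?P<thread>[^\]]*)\]"
    r"\[[^\]]*\]\[[^\]]*\]\[(?P<file>[^\]]*)\]\[(?P<method>[^\]]*)\]\[(?P<msg>.*)\]$"
)
LOGOUT_RE = re.compile(r"logout\(\) has been called\. Session Id: (?P<sid>\S+) and")
AUTHLEVEL_RE = re.compile(r"AuthLevel value retrieved: (?P<level>\d+)")


def classify_fws_trace(lines):
    """Scan FWStrace.log lines for the failure chain in this article: FWS logs
    the session out, then assertion generation (authorizeEx) fails with
    FAILED_AUTHEX and a 403 is sent. Lines that are not trace lines are skipped."""
    result = {"logout_called": False, "session_id": None, "auth_level": None,
              "authex_failed": False, "sent_403": False}
    for raw in lines:
        m = FWS_LINE.match(raw.strip())
        if not m:
            continue  # e.g. "[...omitted for brevity...]"
        msg = m.group("msg")
        lo = LOGOUT_RE.search(msg)
        if lo:
            result["logout_called"] = True
            result["session_id"] = lo.group("sid")
        al = AUTHLEVEL_RE.search(msg)
        if al:
            result["auth_level"] = int(al.group("level"))
        if "Reason: FAILED_AUTHEX" in msg:
            result["authex_failed"] = True
        if "Sending 403 error" in msg and result["authex_failed"]:
            result["sent_403"] = True
    # The article's signature: an explicit logout followed by a 403 caused by authorizeEx failure.
    result["matches_kb_pattern"] = (
        result["logout_called"] and result["authex_failed"] and result["sent_403"]
    )
    return result


# Failing trace: the redacted FWStrace.log lines quoted in this article.
SAMPLE_FAILING_TRACE = [
    "[06/29/2022][14:46:30][][][][SSO.java][processRequest][logout() has been called. Session Id: <sessionid> and the Result: 1]",
    "[...omitted for brevity...]",
    "[06/29/2022][14:46:30][3192][][][FWSBase.java][isValidSession][ AuthLevel value retrieved: 5]",
    "[06/29/2022][14:46:30][3192][][][SSO.java][processAssertionGeneration][Result of authorizeEx call is: 2.]",
    "[06/29/2022][14:46:30][3192][][][SSO.java][processAssertionGeneration][Transaction with ID: failed. Reason: FAILED_AUTHEX]",
    "[06/29/2022][14:46:30][3192][][][SSO.java][processAssertionGeneration][Denying request due to authorizeEx call failure.]",
    "[06/29/2022][14:46:30][3192][][][SSO.java][processAssertionGeneration][Sending 403 error]",
]

# Constructed control sample: session validated, no logout, no 403.
SAMPLE_HEALTHY_TRACE = [
    "[06/29/2022][14:46:30][3192][][][FWSBase.java][isValidSession][ AuthLevel value retrieved: 5]",
    "[06/29/2022][14:46:30][3192][][][SSO.java][processAssertionGeneration][Calling authorizeEx to invoke SAML2 assertion generator.]",
]

if __name__ == "__main__":
    print("AuthnRequest:", inspect_authn_request(SAMPLE_AUTHN_REQUEST))
    print("failing trace:", classify_fws_trace(SAMPLE_FAILING_TRACE))
    print("healthy trace:", classify_fws_trace(SAMPLE_HEALTHY_TRACE))
```

Run it against the AuthnRequest text copied out of an FWStrace.log getAuthnRequestData line and against a full FWStrace.log to confirm that the 403s line up with ForceAuthn="true" requests; after switching the SP to ForceAuthn="false", inspect_authn_request should report force_authn False and the trace should stop matching the pattern.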
Further, when two CA Access Gateway (SPS) instances are involved in the setup and one acts as the cookie provider:
SPS <host1> does not set the cookie by itself; ACO cookiedomain not set; Agent Config Object "example1".
SPS <host2> (cookie provider): ACO cookiedomain not set; Agent Config Object "example2".
The error seems to occur only when all three conditions hold at once: the request is SP-initiated, ForceAuthn="true", and a cookie provider is in use.
The Cookie Provider is not supported in federated configurations: it confuses the agent about which cookie to keep and which cookie to log out.
The documentation states: "Federation using Web Agent Option Pack or Access Gateway does not support the use of the Cookie Provider for federated configurations." (2)