When running Federation services, no protection is applied to a given resource, so the browser reaches the target page without the SMSESSION cookie.
The realm resource is configured as:
/shared?&SAML2IDPID=https://example.example.com
and the resource requested by the browser is:
/shared/d2DPT7XIQe?vendor-issuer=fslb&reid=1301167E224111ED93428BF28BB2A32A&SAML2IDPID=https://example.example.com
How do you configure the dynamic endpoint in the realm so the request will be protected?
This can be done by configuring a rule attached to the realm with a regular expression (1).
To illustrate:
Realm: /myApp/
Rule: shared*\?*&SAML2IDPID=https://example.example.com
Requesting this URL in the browser:
http://wa.example.com/myApp/shared/d2DPT7XIQe?vendor-issuer=fslb&reid=1301167E224111ED93428BF28BB2A32A&SAML2IDPID=https://example.example.com
Then the Policy Server protects that resource.
wa.example.com.trace:
[08/30/2022][09:35:36][31060][1451075328][SmAgentAPI.cpp:1883][Sm_AgentApi_IsProtected][0000000000000000000000006601a8c0-7954-630dbdc8-567da700-38cd7167e867][http://wa.example.com][][wa][/myApp/shared/d2DPT7XIQe?vendor-issuer=fslb&reid=1301167E224111ED93428BF28BB2A32A&SAML2IDPID=https://myserver.example.com][GET][][]
[08/30/2022][09:35:36][31060][1451075328][CSmLowLevelAgent.cpp:535][IsResourceProtected][0000000000000000000000006601a8c0-7954-630dbdc8-567da700-38cd7167e867][192.168.1.111][][wa][/myApp/shared/d2DPT7XIQe?vendor-issuer=fslb&reid=1301167E224111ED93428BF28BB2A32A&SAML2IDPID=https://myserver.example.com][GET][user1][Resource is protected from Policy Server.]
Configure the regular expression in the rule instead of the realm to solve the issue.
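To check such a rule before deploying it, the following added example (not code from the article or from the product) models the same matching in Python: a realm prefix plus a regular expression evaluated against the path and query string of the request. The pattern is written in Python `re` syntax for this illustration and is an assumption; it is not SiteMinder's own rule syntax, and the realm name, hostnames and request URLs are the constructed sample values from the article.

```python
import re
from urllib.parse import urlsplit

# Realm resource filter: everything under this prefix belongs to the realm.
# Realm matching is modelled here as a plain prefix match (assumption).
REALM = "/myApp/"

# Rule regular expression, evaluated against the part of the resource that
# follows the realm prefix. Written in Python `re` syntax for this example.
# - [^?]* accepts any dynamic path segment under shared/ (e.g. d2DPT7XIQe)
# - the SAML2IDPID parameter may appear anywhere in the query string
# - dots in the IdP hostname are escaped and the pattern is anchored with $
#   so "exampleXexample.com" or "example.example.com.evil" do not match
RULE_RE = re.compile(
    r"^shared/[^?]*\?(?:.*&)?SAML2IDPID=https://example\.example\.com(?:&.*)?$"
)


def resource_from_url(url: str) -> str:
    """Return the path plus query string, the form seen in the agent trace."""
    parts = urlsplit(url)
    resource = parts.path
    if parts.query:
        resource += "?" + parts.query
    return resource


def is_protected(url: str) -> bool:
    """True if the request falls inside REALM and satisfies RULE_RE."""
    resource = resource_from_url(url)
    if not resource.startswith(REALM):
        return False
    return RULE_RE.match(resource[len(REALM):]) is not None


if __name__ == "__main__":
    # Constructed sample requests: the article's dynamic URL and some variants.
    samples = [
        "http://wa.example.com/myApp/shared/d2DPT7XIQe?vendor-issuer=fslb"
        "&reid=1301167E224111ED93428BF28BB2A32A"
        "&SAML2IDPID=https://example.example.com",
        "http://wa.example.com/myApp/shared/abc?SAML2IDPID=https://example.example.com",
        "http://wa.example.com/myApp/shared/abc?SAML2IDPID=https://exampleXexample.com",
        "http://wa.example.com/myApp/shared/abc?SAML2IDPID=https://example.example.com.evil",
        "http://wa.example.com/other/shared/abc?SAML2IDPID=https://example.example.com",
    ]
    for url in samples:
        print(f"{'PROTECTED' if is_protected(url) else 'unprotected':<12} {resource_from_url(url)}")
```

The first two URLs match; the third and fourth fail on the escaped hostname dots and the trailing anchor, and the last one is outside the realm. Anchoring the hostname matters because an unanchored `example.example.com` would also accept a longer or look-alike IdP identifier.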
(1)
Resource Matching and Regular Expressions
Rules may use resource matching and regular expression matching to specify resources in a realm.