
Spectrum integration with SAML fails with error 500


Article ID: 252950

Products

CA Spectrum

Issue/Introduction

We configured Spectrum with SSO using an Identity Provider (IdP) that supports SAML 2.0.

When we try to access OneClick we are redirected to the IdP for authentication. After authenticating successfully, we are redirected back to the OneClick home page, where we only get an error 500.

catalina.out shows the following message when this occurs:

Oct 18, 2022 12:37:33 PM (https-jsse-nio-8080-exec-9) (com.aprisma.spectrum.app.sso.saml2.SamlTomcatSigninHandler) - (ERROR) - The request was invalid or malformed
org.apache.cxf.fediz.core.exception.ProcessingException: The request was invalid or malformed
        at org.apache.cxf.fediz.core.processor.SAMLProcessorImpl.validateSamlSSOResponse(SAMLProcessorImpl.java:373) ~[fediz-core-1.4.5.jar:1.4.5]
        at com.aprisma.spectrum.app.sso.saml2.SAML2ProcessorImpl.processSignInRequest(SAML2ProcessorImpl.java:127) ~[sso-agent.jar:?]
        at org.apache.cxf.fediz.core.processor.SAMLProcessorImpl.processRequest(SAMLProcessorImpl.java:114) ~[fediz-core-1.4.5.jar:1.4.5]
        at com.aprisma.spectrum.app.sso.saml2.SamlTomcatSigninHandler.processSigninRequest(SamlTomcatSigninHandler.java:102) [sso-agent.jar:?]
        at org.apache.cxf.fediz.core.handler.SigninHandler.handleRequest(SigninHandler.java:76) [fediz-core-1.4.5.jar:1.4.5]
        at com.aprisma.tomcat.authenticator.Saml2FederationAuthenticator.authenticate(Saml2FederationAuthenticator.java:188) [sso-authenticator.jar:?]
        at org.apache.cxf.fediz.tomcat8.FederationAuthenticator.doAuthenticate(FederationAuthenticator.java:231) [fediz-tomcat8-1.4.5.jar:1.4.5]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:624) [catalina.jar:9.0.58]
        at org.apache.cxf.fediz.tomcat8.FederationAuthenticator.invoke(FederationAuthenticator.java:184) [fediz-tomcat8-1.4.5.jar:1.4.5]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135) [catalina.jar:9.0.58]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [catalina.jar:9.0.58]
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687) [catalina.jar:9.0.58]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) [catalina.jar:9.0.58]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:359) [catalina.jar:9.0.58]
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399) [tomcat-coyote.jar:9.0.58]
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-coyote.jar:9.0.58]
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:889) [tomcat-coyote.jar:9.0.58]
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1735) [tomcat-coyote.jar:9.0.58]
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote.jar:9.0.58]
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) [tomcat-util.jar:9.0.58]
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) [tomcat-util.jar:9.0.58]
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:9.0.58]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_312]
Oct 18, 2022 12:37:33 PM (https-jsse-nio-8080-exec-9) (org.apache.cxf.fediz.core.handler.SigninHandler) - (ERROR) - Federation processing failed: The request was invalid or malformed

Environment

Release : 21.2

Cause

The reason for this message can vary; Fediz reports any failed validation of the SAML Response with the same generic "invalid or malformed" error.

The SAML tracer add-on for Firefox or Chrome can help to capture the SAML Request and the SAML Response and find inconsistencies between them.

Sometimes additional debugging may be necessary.

Resolution

A first recommendation is to use the SAML tracer extension and review the SAML request and the response from the IdP.

For example, if the Audience in the SAML Response is the following:

<AudienceRestriction>
    <Audience>https://oneclick.mydomain.com:8443/spectrum</Audience>
</AudienceRestriction>

but the value of <realm> and <audienceItem> in fediz_config.xml is https://oneclick.mydomain.com:8443/spectrum/ (with a forward slash after spectrum), the SSO will fail.

The <Audience> URL included in the response must match the <realm> and <audienceItem> values in fediz_config.xml exactly. In the above example, the Service Provider URL will need to be changed in the IdP.

Another thing the SAML tracer can help with is confirming that the Signature is included in the Assertion. The IdP can include the signature in the <Assertion> tag, in the <Response> tag, or in both. Digitally signing the Assertion is a requirement for an IdP following the SAML 2.0 specification, so you should expect to see the <Signature> tag inside the <Assertion> tag.

A final recommendation is to use lower case for the Service Provider URL (the OneClick URL) both in fediz_config.xml and in the Service Provider definition in the IdP.

Remember that the Response must contain a Destination that matches the assertion consumer URL. In any browser, regardless of whether you type the URL in upper or lower case in the address bar, the URL is changed to lower case as soon as you press Go. If the OneClick URL uses upper case in the IdP configuration or in the fediz_config.xml file, the authentication will fail with an error 500.
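The checks above (Audience against <realm> and <audienceItem>, Signature placement, Destination against the assertion consumer URL, and URL case) can be applied offline to a Response captured with SAML tracer. The script below is an added example, not Spectrum or Fediz code; the SAML Response, the simplified fediz_config.xml fragment and the ACS_URL value are constructed samples (the real ACS URL comes from your own IdP metadata).

```python
# Added diagnostic helper: checks a captured SAML Response against fediz_config.xml values.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample Response (no real signature value) mirroring the article.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Destination="https://oneclick.mydomain.com:8443/spectrum/acs">
  <saml:Assertion>
    <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://oneclick.mydomain.com:8443/spectrum</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Constructed, simplified fediz_config.xml fragment containing the trailing-slash mistake.
SAMPLE_FEDIZ_CONFIG = """<FedizConfig><contextConfig name="/spectrum">
  <audienceUris><audienceItem>https://oneclick.mydomain.com:8443/spectrum/</audienceItem></audienceUris>
  <protocol><realm>https://oneclick.mydomain.com:8443/spectrum/</realm></protocol>
</contextConfig></FedizConfig>"""

# Assumed placeholder assertion consumer URL; use the one from your IdP metadata.
ACS_URL = "https://oneclick.mydomain.com:8443/spectrum/acs"


def check_saml_response(response_xml, fediz_xml, acs_url):
    """Return a list of findings; an empty list means every check passed."""
    resp, cfg, findings = ET.fromstring(response_xml), ET.fromstring(fediz_xml), []
    audiences = [a.text.strip() for a in resp.iter(f"{{{NS['saml']}}}Audience")]
    configured = {tag: [e.text.strip() for e in cfg.iter(tag)] for tag in ("realm", "audienceItem")}
    # 1. <realm> and <audienceItem> must equal the Audience exactly (trailing slash included).
    for tag, values in configured.items():
        for value in values:
            if value not in audiences:
                hint = " (trailing slash?)" if value.rstrip("/") in [a.rstrip("/") for a in audiences] else ""
                findings.append(f"<{tag}> {value} != Audience {audiences}{hint}")
    # 2. The Assertion itself should carry the XML Signature.
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None or assertion.find("ds:Signature", NS) is None:
        findings.append("no <Signature> inside <Assertion>")
    # 3. Destination must match the assertion consumer URL.
    if resp.get("Destination") != acs_url:
        findings.append(f"Destination {resp.get('Destination')} != ACS {acs_url}")
    # 4. Service Provider URLs should be lower case everywhere.
    for url in [acs_url] + configured["realm"] + configured["audienceItem"]:
        if url != url.lower():
            findings.append(f"upper case in SP URL {url}")
    return findings
```

Running check_saml_response(SAMPLE_RESPONSE, SAMPLE_FEDIZ_CONFIG, ACS_URL) reports the two trailing-slash mismatches from the article; feed it your own captured Response and fediz_config.xml to get the same findings for a real setup.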

Additional Information

SAML2 Authentication in DX NetOps Spectrum
https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/spectrum/21-2/administrating/single-sign-on/integrate-with-the-identity-provider-server-from-2126.html