Error: Last unit does not have enough valid bits from SAMLRequest in SPS
search cancel

Error: Last unit does not have enough valid bits from SAMLRequest in SPS

book

Article ID: 259386

calendar_today

Updated On:

Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

 

When running CA Access Gateway (SPS) as IdP, when integrated with Amazon Cognito Service Provider, the CA Access Gateway (SPS) Federation Services report error:

  [12/28/2022][13:03:05][3416][8588][6aa148cd-cdd84eda-c14f9985-d310feb0-6c120b83-93][SSO.java][doGet][Transaction with ID: 6aa148cd-cdd84eda-c14f9985-d310feb0-6c120b83-93 failed. Reason: SSO_GET_EXCEPTION]
  [12/28/2022][13:03:05][3416][8588][6aa148cd-cdd84eda-c14f9985-d310feb0-6c120b83-93][SSO.java][doGet][Exception caught in class com.netegrity.affiliateminder.webservices.saml2.SSO, method doGet: java.lang.IllegalArgumentException: Last unit does not have enough valid bits]
  [12/28/2022][13:03:05][3416][8588][6aa148cd-cdd84eda-c14f9985-d310feb0-6c120b83-93][SSO.java][doGet][Stack Trace: java.lang.IllegalArgumentException: Last unit does not have enough valid bits

 

Cause

 

The page myLoginPage.aspx returns the SAMLRequest value as URL-unencoded in the location header

(fZLJbsIwEIbvfYrId2cxYbNIECpCQqIXlh56QSaZgKXEDh6HLk9fk4AEF462/m [...omitted for brevity...]):

Line 201:

POST https://mysps.mydomain.com/myapp/myLoginPage.aspx?TYPE=33554432&REALMOID=06-b4495105-adcc-4357-1f87-WSsasdf4a4a&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-nhKVdqX7DutX5OJofvcIGlwHsf8tFGruSUdsddsw6PU8Z3ckx%2fgHMgbpNC0H%2bFNbW83Bg8&TARGET=-SM-HTTPS%3A%2F%2Fmysps.mydomain.com%2Fsiteminderagent%2Fredirectjsp%2Fredirect.jsp%3Flang%3Den%26SAMLRequest%3DfZLJbsIwEIbvfYrI-%2BF9B8-%3D%26RelayState%3DH4sIAAAAAAAAAE1R246iQBT8l36WAAAA.3%26SMPORTALURL%3Dhttps-%3A-%2F-%2Fmysps.mydomain.com-%2Faffwebservices-%2Fpublic-%2Fsaml2sso%26SAMLTRANSACTIONID%3D9c87d4a1--8cad590a--05s85a--2a5b130a--5491281e--d9 HTTP/1.1

  HTTP/1.1 302 Moved Temporarily
  Date: Tue, 17 Jan 2023 12:55:08 GMT
  Set-Cookie: SMSESSION=7HYxB9nQ07D0awZHQsBUTU5ZM4nKpRTb50VYCAcuQAgQZvyMl8HF5P9iy5y3KnqcegkgdpW6u
  Location: HTTPS://mysps.mydomain.com/siteminderagent/redirectjsp/redirect.jsp?lang=en&SAMLRequest=fZLJbsIwEIbvfYrId2cxYbNIECpCQqIXlh56QSaZgKXEDh6HLk9fk4AEF462/mX8jSfTn6r0LmBQapWQyA+JByrTuVTHhOy2Czoi0/RtgqIqWc1njT2pNZwbQOvNEMFY53vXCpsKzAbMRWawW68ScrK2Rh4EUIoyh4svnNOHhmagrBEljXxRiT/tqo5KWu1nugrakkDmtQGsXSYQb+6KpBK2ne6eWQlbydy/Rrc+URTfcMCuHYO6OZQy69IQNfGW84Tsx0W&RelayState=H4sIAAAAAAAAAE1R246iQBT8l36W-0XxzUVBGGbGQQVlszFNdwu9NtDIZcTN_vv2JJvsvlXlVNWppH4BCJaADBIidX-HTNIuB17MW3Nt2WAG8q8jgwyTUTAkmHW1y16vrXmHed7pqk1wTSkxx1oIsBCUfc-7paJ82SThkwnspo7UWIacK5zBidwVyKmCmqKmfSN1XaMgyFgO0U1kEJGBGkwEvAq4X71GAhZg&SMPORTALURL=https://mysps.mydomain.com/affwebservices/public/saml2sso&SAMLTRANSACTIONID=9c87d4a1-8cad590a-019db26c-2a5b130a-5491281e-d9

Line 202:

GET https://mysps.mydomain.com/siteminderagent/redirectjsp/redirect.jsp?lang=en&SAMLRequest=fZLJbsIwEIbvfYrId2cxYbNIECpCQqIXlh56QSaZgKXEDh6HLk9fk4AEF462/mX8jSfTn6r0LmBQapWQyA+JByrTuVTHhOy2Czoi0/RtgqIqWc1njT2pNZwbQOvNEMFY53vXCpsKzAbMRWawW68ScrK2Rh4EUIoyh4svnNOHhmagrBEljXxRiT/tqo5KWu1nugrakkDmtQGsXSYQb+6KpBK2ne6eWQlbydy/Rrc+URTfcMCuHYO6OZQy69IQNfGW84Tsx0W&RelayState=H4sIAAAAAAAAAE1R246iQBT8l36W-0XxzUVBGGbGQQVlszFNdwu9NtDIZcTN_vv2JJvsvlXlVNWppH4BCJaADBIidX-HTNIuB17MW3Nt2WAG8q8jgwyTUTAkmHW1y16vrXmHed7pqk1wTSkxx1oIsBCUfc-7paJ82SThkwnspo7UWIacK5zBidwVyKmCmqKmfSN1XaMgyFgO0U1kEJGBGkwEvAq4X71GAhZg&SMPORTALURL=https://mysps.mydomain.com/affwebservices/public/saml2sso&SAMLTRANSACTIONID=9c87d4a1-8cad590a-019db26c-2a5b130a-5491281e-d9

  HTTP/1.1 302 Moved Temporarily

Line 210:

GET https://mysps.mydomain.com/affwebservices/public/saml2sso?SMASSERTIONREF=QUERY&lang=en&SAMLRequest=fZLJbsIwEIbvfYrId2cxYbNIECpCQqIXlh56QSaZgKXEDh6HLk9fk4AEF462/mX8jSfTn6r0LmBQapWQyA+JByrTuVTHhOy2Czoi0/RtgqIqWc1njT2pNZwbQOvNEMFY53vXCpsKzAbMRWawW68ScrK2Rh4EUIoyh4svnNOHhmagrBEljXxRiT/tqo5KWu1nugrakkDmtQGsXSYQb+6KpBK2ne6eWQlbydy/Rrc+URTfcMCuHYO6OZQy69IQNfGW84Tsx0W&RelayState=H4sIAAAAAAAAAE1R246iQBT8l36W-0XxzUVBGGbGQQVlszFNdwu9NtDIZcTN_vv2JJvsvlXlVNWppH4BCJaADBIidX-HTNIuB17MW3Nt2WAG8q8jgwyTUTAkmHW1y16vrXmEnd7pqk1wTSkxx1oIsBCUfc-7paJ82SThkwnspo7UWIacK5zBidwVyKmCmqKmfSN1XaMgyFgO0U1kEJGBGkwEvAq4X71GAhZg-R2QClImSMNJTTH4MQPlV78pLPEpbo5VcoOnkJ2NOEHVJ32nKwq3sYq2r3Y0OSz3vS5KY4apxc6nNwvpyZC5Vom2qxH7yRO7GiOp1-2MkGdrLTh4sQY35RRXvZ_uQ0c8vol3mkr7It-2oX-7OPzwufeZMTaPN709sXTc9YnautkNT&SAMLTRANSACTIONID=9c87d4a1-8cad590a-019db26c-2a5b130a-5491281e-d9

  HTTP/1.1 400 Bad Request

  HTTP Status 400 Bad Request
  Type Status Report

  Message Bad Request. The request has bad syntax or incorrect parameters. Transaction ID: 9c87d4a1-8cad590a-05s85a-2a5b130a-5491281e-d9 failed.

  Description The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).

The request seems to go to the same SPS and the myLoginPage.aspx appears to be a page held by a backend server:

myspstraces.log:

[01/17/2023][14:50:35][3480][5528][6d36fd31-363c7020-385007c2-fadc89b3-c396165f-148][CSmHttpPlugin::ProcessResource][Resolved URL: '/myapp/myLoginPage.aspx?TYPE=33554432&REALMOID=06-b4495105-adcc-4357-1f87-WSsasdf4a4a&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-nhKVdqX7DutX5OJofvcIGlwHsf8tFGruSUdsddsw6PU8Z3ckx%2fgHMgbpNC0H%2bFNbW83Bg8&TARGET=-SM-HTTPS%3A%2F%2Fmysps.mydomain.com%2Fsiteminderagent%2Fredirectjsp%2Fredirect.jsp%3Flang%3Den%26SAMLRequest%3DfZLJbsIwEIbvfYrI-%2BF9B8-%3D%26RelayState%3DH4sIAAAAAAAAAE1R246iQBT8l36WAAAA.3%26SMPORTALURL%3Dhttps-%3A-%2F-%2Fmysps.mydomain.com-%2Faffwebservices-%2Fpublic-%2Fsaml2sso%26SAMLTRANSACTIONID%3D9c87d4a1--8cad590a--05s85a--2a5b130a--5491281e--d9'.]
[01/17/2023][14:50:35][3480][5528][6d36fd31-363c7020-385007c2-fadc89b3-c396165f-148][IsResourceProtected][Resource is not protected from Policy Server.]
[01/17/2023][14:50:35][3480][5528][6d36fd31-363c7020-385007c2-fadc89b3-c396165f-148][execute][Sending request to backend = mysps.mydomain.com url = https://mysps.mydomain.com/myapp/myLoginPage.aspx?TYPE=33554432&REALMOID=06-b4495105-adcc-4357-1f87-WSsasdf4a4a&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-nhKVdqX7DutX5OJofvcIGlwHsf8tFGruSUdsddsw6PU8Z3ckx%2fgHMgbpNC0H%2bFNbW83Bg8&TARGET=-SM-HTTPS%3A%2F%2Fmysps.mydomain.com%2Fsiteminderagent%2Fredirectjsp%2Fredirect.jsp%3Flang%3Den%26SAMLRequest%3DfZLJbsIwEIbvfYrI-%2BF9B8-%3D%26RelayState%3DH4sIAAAAAAAAAE1R246iQBT8l36WAAAA.3%26SMPORTALURL%3Dhttps-%3A-%2F-%2Fmysps.mydomain.com-%2Faffwebservices-%2Fpublic-%2Fsaml2sso%26SAMLTRANSACTIONID%3D9c87d4a1--8cad590a--05s85a--2a5b130a--5491281e--d9]
[01/17/2023][14:50:35][3480][5528][6d36fd31-363c7020-385007c2-fadc89b3-c396165f-148][requestConnection(): ][Get connection: {s}->https://mysps.mydomain.com:443, timeout = 60000]
[01/17/2023][14:50:35][3480][5528][6d36fd31-363c7020-385007c2-fadc89b3-c396165f-148][openConnection()][Connecting to mysps.mydomain.com/10.0.0.1:443]
[01/17/2023][14:50:35][3480][5528][6d36fd31-363c7020-385007c2-fadc89b3-c396165f-148][execute][Response status code from backend webserver is 200]

 

Resolution

 

Investigate with the developers of the myLoginPage.aspx page is the reason why this page sends the SAMLRequest URL-unencoded instead of URL-encoded.

 

Powered by Wolken Software