When CA Access Gateway (SPS) runs as IdP integrated with Amazon Cognito as the Service Provider, the CA Access Gateway (SPS) Federation Services report the following error:
[12/28/2022][13:03:05][3416][8588][6aa148cd-cdd84eda-c14f9985-d310feb0-6c120b83-93][SSO.java][doGet][Transaction with ID: 6aa148cd-cdd84eda-c14f9985-d310feb0-6c120b83-93 failed. Reason: SSO_GET_EXCEPTION]
[12/28/2022][13:03:05][3416][8588][6aa148cd-cdd84eda-c14f9985-d310feb0-6c120b83-93][SSO.java][doGet][Exception caught in class com.netegrity.affiliateminder.webservices.saml2.SSO, method doGet: java.lang.IllegalArgumentException: Last unit does not have enough valid bits]
[12/28/2022][13:03:05][3416][8588][6aa148cd-cdd84eda-c14f9985-d310feb0-6c120b83-93][SSO.java][doGet][Stack Trace: java.lang.IllegalArgumentException: Last unit does not have enough valid bits
The page myLoginPage.aspx returns the SAMLRequest value URL-unencoded in the Location header
(fZLJbsIwEIbvfYrId2cxYbNIECpCQqIXlh56QSaZgKXEDh6HLk9fk4AEF462/m [...omitted for brevity...]):
Line 201:
POST https://mysps.mydomain.com/myapp/myLoginPage.aspx?TYPE=33554432&REALMOID=06-b4495105-adcc-4357-1f87-WSsasdf4a4a&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-nhKVdqX7DutX5OJofvcIGlwHsf8tFGruSUdsddsw6PU8Z3ckx%2fgHMgbpNC0H%2bFNbW83Bg8&TARGET=-SM-HTTPS%3A%2F%2Fmysps.mydomain.com%2Fsiteminderagent%2Fredirectjsp%2Fredirect.jsp%3Flang%3Den%26SAMLRequest%3DfZLJbsIwEIbvfYrI-%2BF9B8-%3D%26RelayState%3DH4sIAAAAAAAAAE1R246iQBT8l36WAAAA.3%26SMPORTALURL%3Dhttps-%3A-%2F-%2Fmysps.mydomain.com-%2Faffwebservices-%2Fpublic-%2Fsaml2sso%26SAMLTRANSACTIONID%3D9c87d4a1--8cad590a--05s85a--2a5b130a--5491281e--d9 HTTP/1.1
HTTP/1.1 302 Moved Temporarily
Date: Tue, 17 Jan 2023 12:55:08 GMT
Set-Cookie: SMSESSION=7HYxB9nQ07D0awZHQsBUTU5ZM4nKpRTb50VYCAcuQAgQZvyMl8HF5P9iy5y3KnqcegkgdpW6u
Location: HTTPS://mysps.mydomain.com/siteminderagent/redirectjsp/redirect.jsp?lang=en&SAMLRequest=fZLJbsIwEIbvfYrId2cxYbNIECpCQqIXlh56QSaZgKXEDh6HLk9fk4AEF462/mX8jSfTn6r0LmBQapWQyA+JByrTuVTHhOy2Czoi0/RtgqIqWc1njT2pNZwbQOvNEMFY53vXCpsKzAbMRWawW68ScrK2Rh4EUIoyh4svnNOHhmagrBEljXxRiT/tqo5KWu1nugrakkDmtQGsXSYQb+6KpBK2ne6eWQlbydy/Rrc+URTfcMCuHYO6OZQy69IQNfGW84Tsx0W&RelayState=H4sIAAAAAAAAAE1R246iQBT8l36W-0XxzUVBGGbGQQVlszFNdwu9NtDIZcTN_vv2JJvsvlXlVNWppH4BCJaADBIidX-HTNIuB17MW3Nt2WAG8q8jgwyTUTAkmHW1y16vrXmHed7pqk1wTSkxx1oIsBCUfc-7paJ82SThkwnspo7UWIacK5zBidwVyKmCmqKmfSN1XaMgyFgO0U1kEJGBGkwEvAq4X71GAhZg&SMPORTALURL=https://mysps.mydomain.com/affwebservices/public/saml2sso&SAMLTRANSACTIONID=9c87d4a1-8cad590a-019db26c-2a5b130a-5491281e-d9
Line 202:
GET https://mysps.mydomain.com/siteminderagent/redirectjsp/redirect.jsp?lang=en&SAMLRequest=fZLJbsIwEIbvfYrId2cxYbNIECpCQqIXlh56QSaZgKXEDh6HLk9fk4AEF462/mX8jSfTn6r0LmBQapWQyA+JByrTuVTHhOy2Czoi0/RtgqIqWc1njT2pNZwbQOvNEMFY53vXCpsKzAbMRWawW68ScrK2Rh4EUIoyh4svnNOHhmagrBEljXxRiT/tqo5KWu1nugrakkDmtQGsXSYQb+6KpBK2ne6eWQlbydy/Rrc+URTfcMCuHYO6OZQy69IQNfGW84Tsx0W&RelayState=H4sIAAAAAAAAAE1R246iQBT8l36W-0XxzUVBGGbGQQVlszFNdwu9NtDIZcTN_vv2JJvsvlXlVNWppH4BCJaADBIidX-HTNIuB17MW3Nt2WAG8q8jgwyTUTAkmHW1y16vrXmHed7pqk1wTSkxx1oIsBCUfc-7paJ82SThkwnspo7UWIacK5zBidwVyKmCmqKmfSN1XaMgyFgO0U1kEJGBGkwEvAq4X71GAhZg&SMPORTALURL=https://mysps.mydomain.com/affwebservices/public/saml2sso&SAMLTRANSACTIONID=9c87d4a1-8cad590a-019db26c-2a5b130a-5491281e-d9
HTTP/1.1 302 Moved Temporarily
Line 210:
GET https://mysps.mydomain.com/affwebservices/public/saml2sso?SMASSERTIONREF=QUERY&lang=en&SAMLRequest=fZLJbsIwEIbvfYrId2cxYbNIECpCQqIXlh56QSaZgKXEDh6HLk9fk4AEF462/mX8jSfTn6r0LmBQapWQyA+JByrTuVTHhOy2Czoi0/RtgqIqWc1njT2pNZwbQOvNEMFY53vXCpsKzAbMRWawW68ScrK2Rh4EUIoyh4svnNOHhmagrBEljXxRiT/tqo5KWu1nugrakkDmtQGsXSYQb+6KpBK2ne6eWQlbydy/Rrc+URTfcMCuHYO6OZQy69IQNfGW84Tsx0W&RelayState=H4sIAAAAAAAAAE1R246iQBT8l36W-0XxzUVBGGbGQQVlszFNdwu9NtDIZcTN_vv2JJvsvlXlVNWppH4BCJaADBIidX-HTNIuB17MW3Nt2WAG8q8jgwyTUTAkmHW1y16vrXmEnd7pqk1wTSkxx1oIsBCUfc-7paJ82SThkwnspo7UWIacK5zBidwVyKmCmqKmfSN1XaMgyFgO0U1kEJGBGkwEvAq4X71GAhZg-R2QClImSMNJTTH4MQPlV78pLPEpbo5VcoOnkJ2NOEHVJ32nKwq3sYq2r3Y0OSz3vS5KY4apxc6nNwvpyZC5Vom2qxH7yRO7GiOp1-2MkGdrLTh4sQY35RRXvZ_uQ0c8vol3mkr7It-2oX-7OPzwufeZMTaPN709sXTc9YnautkNT&SAMLTRANSACTIONID=9c87d4a1-8cad590a-019db26c-2a5b130a-5491281e-d9
HTTP/1.1 400 Bad Request
HTTP Status 400 Bad Request
Type: Status Report
Message: Bad Request. The request has bad syntax or incorrect parameters. Transaction ID: 9c87d4a1-8cad590a-05s85a-2a5b130a-5491281e-d9 failed.
Description: The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).
The request goes to the same SPS, and myLoginPage.aspx is a page served by a backend server:
myspstraces.log:
[01/17/2023][14:50:35][3480][5528][6d36fd31-363c7020-385007c2-fadc89b3-c396165f-148][CSmHttpPlugin::ProcessResource][Resolved URL: '/myapp/myLoginPage.aspx?TYPE=33554432&REALMOID=06-b4495105-adcc-4357-1f87-WSsasdf4a4a&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-nhKVdqX7DutX5OJofvcIGlwHsf8tFGruSUdsddsw6PU8Z3ckx%2fgHMgbpNC0H%2bFNbW83Bg8&TARGET=-SM-HTTPS%3A%2F%2Fmysps.mydomain.com%2Fsiteminderagent%2Fredirectjsp%2Fredirect.jsp%3Flang%3Den%26SAMLRequest%3DfZLJbsIwEIbvfYrI-%2BF9B8-%3D%26RelayState%3DH4sIAAAAAAAAAE1R246iQBT8l36WAAAA.3%26SMPORTALURL%3Dhttps-%3A-%2F-%2Fmysps.mydomain.com-%2Faffwebservices-%2Fpublic-%2Fsaml2sso%26SAMLTRANSACTIONID%3D9c87d4a1--8cad590a--05s85a--2a5b130a--5491281e--d9'.]
[01/17/2023][14:50:35][3480][5528][6d36fd31-363c7020-385007c2-fadc89b3-c396165f-148][IsResourceProtected][Resource is not protected from Policy Server.]
[01/17/2023][14:50:35][3480][5528][6d36fd31-363c7020-385007c2-fadc89b3-c396165f-148][execute][Sending request to backend = mysps.mydomain.com url = https://mysps.mydomain.com/myapp/myLoginPage.aspx?TYPE=33554432&REALMOID=06-b4495105-adcc-4357-1f87-WSsasdf4a4a&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-nhKVdqX7DutX5OJofvcIGlwHsf8tFGruSUdsddsw6PU8Z3ckx%2fgHMgbpNC0H%2bFNbW83Bg8&TARGET=-SM-HTTPS%3A%2F%2Fmysps.mydomain.com%2Fsiteminderagent%2Fredirectjsp%2Fredirect.jsp%3Flang%3Den%26SAMLRequest%3DfZLJbsIwEIbvfYrI-%2BF9B8-%3D%26RelayState%3DH4sIAAAAAAAAAE1R246iQBT8l36WAAAA.3%26SMPORTALURL%3Dhttps-%3A-%2F-%2Fmysps.mydomain.com-%2Faffwebservices-%2Fpublic-%2Fsaml2sso%26SAMLTRANSACTIONID%3D9c87d4a1--8cad590a--05s85a--2a5b130a--5491281e--d9]
[01/17/2023][14:50:35][3480][5528][6d36fd31-363c7020-385007c2-fadc89b3-c396165f-148][requestConnection(): ][Get connection: {s}->https://mysps.mydomain.com:443, timeout = 60000]
[01/17/2023][14:50:35][3480][5528][6d36fd31-363c7020-385007c2-fadc89b3-c396165f-148][openConnection()][Connecting to mysps.mydomain.com/10.0.0.1:443]
[01/17/2023][14:50:35][3480][5528][6d36fd31-363c7020-385007c2-fadc89b3-c396165f-148][execute][Response status code from backend webserver is 200]
Investigate with the developers of the myLoginPage.aspx page why it sends the SAMLRequest URL-unencoded instead of URL-encoded.
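Added example, not code from this article or from the CA Access Gateway product, showing why a bare SAMLRequest in the Location header ends in this error: the SAML HTTP-Redirect binding carries a Base64 value, whose alphabet includes '+', '/' and '=', and standard query-string decoding turns a bare '+' into a space. The redirect.jsp URL is taken from the article; the SAMLRequest sample value, the RelayState and the lenient-decoder behaviour (modelled on java.util.Base64's MIME decoder, which SPS is assumed to use) are constructed or assumed.

```python
import base64
import string
from urllib.parse import quote, unquote_plus, urlsplit

B64_ALPHABET = set(string.ascii_letters + string.digits + "+/")

# Constructed stand-in for a deflated+Base64 AuthnRequest (not the KB's value),
# chosen so that it contains '+', '/' and '=': it is the Base64 of b"Man>>>???M".
SAMPLE_B64 = base64.b64encode(b"Man>>>???M").decode("ascii")

def build_location(b64: str, url_encode: bool) -> str:
    """Build the redirect.jsp Location header from the KB with the SAMLRequest
    value either percent-encoded (correct) or bare (the defect in the article)."""
    base = "https://mysps.mydomain.com/siteminderagent/redirectjsp/redirect.jsp"
    value = quote(b64, safe="") if url_encode else b64
    return f"{base}?lang=en&SAMLRequest={value}&RelayState=constructed"

def raw_query_param(location: str, name: str) -> str:
    """Return a query value exactly as it appears on the wire, without decoding."""
    for pair in urlsplit(location).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    raise KeyError(name)

def unencoded_base64_chars(raw_value: str) -> set[str]:
    """Base64 characters left bare in the query. '+' is the harmful one: standard
    query decoding turns it into a space, which corrupts the Base64 payload."""
    return set("+/=") & set(raw_value)

def lenient_decode(text: str) -> bytes:
    """Approximation of java.util.Base64's MIME decoder (assumed to be what SPS
    uses): characters outside the alphabet, such as the spaces that bare '+'
    signs became, are skipped; if that leaves one character in the final unit,
    Java reports 'Last unit does not have enough valid bits'."""
    valid = "".join(ch for ch in text.split("=")[0] if ch in B64_ALPHABET)
    if len(valid) % 4 == 1:
        raise ValueError("Last unit does not have enough valid bits")
    return base64.b64decode(valid + "=" * (-len(valid) % 4))

def receiver_result(location: str) -> str:
    """What the saml2sso endpoint ends up with after standard query decoding of
    the SAMLRequest value: 'ok:<payload>' or 'error:<reason>'."""
    decoded = unquote_plus(raw_query_param(location, "SAMLRequest"))
    try:  # binascii.Error from b64decode is a ValueError subclass
        return "ok:" + lenient_decode(decoded).decode("ascii")
    except ValueError as exc:
        return f"error:{exc}"
```

Running unencoded_base64_chars over the raw SAMLRequest value of a captured Location header is a quick way to confirm the defect on the login page before involving its developers.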