When CA Access Gateway (SPS) runs as IdP integrated with an Amazon Cognito Service Provider, the CA Access Gateway (SPS) Federation Services log reports the following error:
[12/28/2022][13:03:05][3416][8588][][SSO.java][doGet][Transaction with ID: <value> failed. Reason: SSO_GET_EXCEPTION]
[12/28/2022][13:03:05][3416][8588][][SSO.java][doGet][Exception caught in class com.netegrity.affiliateminder.webservices.saml2.SSO, method doGet: java.lang.IllegalArgumentException: Last unit does not have enough valid bits]
[12/28/2022][13:03:05][3416][8588][][SSO.java][doGet][Stack Trace: java.lang.IllegalArgumentException: Last unit does not have enough valid bits
The page myLoginPage.aspx returns the SAMLRequest value URL-unencoded in the Location header (fZL [...omitted for brevity...]). In the SAML HTTP-Redirect binding the SAMLRequest value is a DEFLATE-compressed, base64-encoded AuthnRequest, and the base64 alphabet contains '+', '/' and '='. Placed raw in a query string, a '+' is decoded as a space by the receiving servlet, so the string that reaches saml2sso is no longer valid base64; that is what the IllegalArgumentException above reports:
Line 201:
POST https://sps.example.com/myapp/myLoginPage.aspx?TYPE=33554432&REALMOID=<value>&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-g8&TARGET=-SM-HTTPS%3A%2F%2Fsps.example.com%2Fsiteminderagent%2Fredirectjsp%2Fredirect.jsp%3Flang%3Den%26SAMLRequest%3<value>%26RelayState%3DH4sIAAA ... .3%26SMPORTALURL%3Dhttps-%3A-%2F-%2Fsps.example.com-%2Faffwebservices-%2Fpublic-%2Fsaml2sso%26SAMLTRANSACTIONID%3D<value> HTTP/1.1
HTTP/1.1 302 Moved Temporarily
Date: Tue, 17 Jan 2023 12:55:08 GMT
Set-Cookie: SMSESSION=7HYxB9nQ07D0awZHQsBUTU5ZM4nKpRTb50VYCAcuQAgQZvyMl8HF5P9iy5y3KnqcegkgdpW6u
Location: HTTPS://sps.example.com/siteminderagent/redirectjsp/redirect.jsp?lang=en&SAMLRequest=<value>&SMPORTALURL=https://sps.example.com/affwebservices/public/saml2sso&SAMLTRANSACTIONID=<value>
Line 202:
GET https://sps.example.com/siteminderagent/redirectjsp/redirect.jsp?lang=en&SAMLRequest=<value>&SMPORTALURL=https://sps.example.com/affwebservices/public/saml2sso&SAMLTRANSACTIONID=<value>
HTTP/1.1 302 Moved Temporarily
Line 210:
GET https://sps.example.com/affwebservices/public/saml2sso?SMASSERTIONREF=QUERY&lang=en&SAMLRequest=<value>
HTTP/1.1 400 Bad Request
HTTP Status 400 Bad Request
Type Status Report
Message Bad Request. The request has bad syntax or incorrect parameters. Transaction ID: <value> failed.
Description The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).
According to spstraces.log, the request goes back to the same SPS host, which proxies it to a backend web server that holds myLoginPage.aspx (the resource is not protected by the Policy Server):
spstraces.log:
[01/17/2023][14:50:35][3480][5528][][CSmHttpPlugin::ProcessResource][Resolved URL: '/myapp/myLoginPage.aspx?TYPE=33554432&REALMOID=06-b4495105-adcc-4357-1f87-WSsasdf4a4a&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM- ... %2fgHMgbpNC0H%2bFNbW83Bg8&TARGET=-SM-HTTPS%3A%2F%2Fsps.example.com%2Fsiteminderagent%2Fredirectjsp%2Fredirect.jsp%3Flang%3Den%26SAMLRequest%3D<value>%26SMPORTALURL%3Dhttps-%3A-%2F-%2Fsps.example.com-%2Faffwebservices-%2Fpublic-%2Fsaml2sso%26SAMLTRANSACTIONID%3D<value>'.]
[01/17/2023][14:50:35][3480][5528][][IsResourceProtected][Resource is not protected from Policy Server.]
[01/17/2023][14:50:35][3480][5528][][execute][Sending request to backend = sps.example.com url = https://sps.example.com/myapp/myLoginPage.aspx?TYPE=33554432&REALMOID=06-b4495105-adcc-4357-1f87-WSsasdf4a4a&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-<value>&TARGET=-SM-HTTPS%3A%2F%2Fsps.example.com%2Fsiteminderagent%2Fredirectjsp%2Fredirect.jsp%3Flang%3Den%26SAMLRequest%3<value>%26SMPORTALURL%3Dhttps-%3A-%2F-%2Fsps.example.com-%2Faffwebservices-%2Fpublic-%2Fsaml2sso%26SAMLTRANSACTIONID%3D<value>]
[01/17/2023][14:50:35][3480][5528][][requestConnection(): ][Get connection: {s}->https://sps.example.com:443, timeout = 60000]
[01/17/2023][14:50:35][3480][5528][][openConnection()][Connecting to sps.example.com/10.0.0.1:443]
[01/17/2023][14:50:35][3480][5528][][execute][Response status code from backend webserver is 200]
Investigate with the developers of myLoginPage.aspx why the page places the SAMLRequest value URL-unencoded instead of URL-encoded in the Location header. The page must URL-encode the value before building the redirect.
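The following Python script is an added example, not code from CA/Broadcom or from the customer's page. It reproduces the mechanism described above on a constructed AuthnRequest (the real Cognito request and the real SAMLRequest value are not on the page): it encodes a request for the HTTP-Redirect binding, builds the Location header both ways, shows what the receiving servlet sees after query-string decoding, and checks whether a captured Location header carries a raw base64 value. The check for a single leftover base64 character mirrors the condition under which java.util.Base64 throws "Last unit does not have enough valid bits"; which decoder the SPS actually uses is an assumption, so that part is an illustration of the condition rather than the product's code. The hostnames and URL shape are taken from the trace above, the AuthnRequest content and the "+wAAAA==" sample are constructed.

```python
"""Added example, not CA/Broadcom code: why a raw (URL-unencoded) SAMLRequest
breaks the SAML HTTP-Redirect binding, plus a check to run over a captured
Location header.  The AuthnRequest and the URL shape are constructed here."""
import base64
import re
import zlib
from urllib.parse import parse_qs, quote, urlsplit

# Constructed AuthnRequest; the real Cognito request is not on the page.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" '
    'Version="2.0" IssueInstant="2023-01-17T12:55:08Z">'
    "<saml:Issuer>urn:amazon:cognito:sp:example</saml:Issuer>"
    "</samlp:AuthnRequest>"
)
REDIRECT_JSP = "https://sps.example.com/siteminderagent/redirectjsp/redirect.jsp"
SAML2SSO = "https://sps.example.com/affwebservices/public/saml2sso"


def deflate_b64(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64 (the 'fZL...' value)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def inflate_b64(value: str) -> str:
    """Strict inverse: any character outside the base64 alphabet is an error."""
    return zlib.decompress(base64.b64decode(value, validate=True), -15).decode()


def build_location(saml_request: str, url_encode: bool) -> str:
    """Location header as the page should emit it (url_encode=True) or as
    myLoginPage.aspx emitted it (url_encode=False, base64 placed raw)."""
    param = quote(saml_request, safe="") if url_encode else saml_request
    return f"{REDIRECT_JSP}?lang=en&SAMLRequest={param}&SMPORTALURL={SAML2SSO}"


def raw_query_value(location: str, name: str) -> str:
    """The parameter exactly as it sits in the URL, before any decoding."""
    for pair in urlsplit(location).query.split("&"):
        key, _, val = pair.partition("=")
        if key == name:
            return val
    raise KeyError(name)


def has_unencoded_base64_chars(location: str) -> bool:
    """The check to run on the trace: a URL-encoded SAMLRequest never carries
    a literal '+', '/' or '=' (they become %2B, %2F, %3D)."""
    return re.search(r"[+/=]", raw_query_value(location, "SAMLRequest")) is not None


def server_side_value(location: str) -> str:
    """What a servlet's getParameter() sees: percent-decoding, and '+' -> space."""
    return parse_qs(urlsplit(location).query, keep_blank_values=True)["SAMLRequest"][0]


def check_last_unit(value: str) -> None:
    """Mirror the final-group check of java.util.Base64: once non-alphabet
    characters (here, the spaces that '+' signs became) are skipped, a single
    leftover 6-bit character cannot form a byte, and the decoder throws
    IllegalArgumentException('Last unit does not have enough valid bits').
    Which decoder produced the logged message is an assumption; this
    illustrates the condition, it is not CA's code."""
    valid = re.sub(r"[^A-Za-z0-9+/]", "", value.rstrip("="))
    if len(valid) % 4 == 1:
        raise ValueError("Last unit does not have enough valid bits")


def diagnose(location: str) -> dict:
    """Checks a support engineer would run over a captured Location header."""
    result = {"unencoded_chars": has_unencoded_base64_chars(location)}
    value = server_side_value(location)
    try:
        check_last_unit(value)
        inflate_b64(value)
        result["decodes"] = True
    except (ValueError, zlib.error) as exc:  # binascii.Error is a ValueError
        result["decodes"] = False
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    good = build_location(deflate_b64(SAMPLE_AUTHN_REQUEST), url_encode=True)
    # "+wAAAA==" is a constructed base64 string with one '+' and two '=' pads.
    bad = build_location("+wAAAA==", url_encode=False)
    print("encoded  :", diagnose(good))
    print("unencoded:", diagnose(bad))
```

To apply this to a real capture, paste the Location header from the 302 response into diagnose(): a result with "unencoded_chars": True means the page emitted the base64 value raw, and the value returned by server_side_value() is what saml2sso tried to decode. Whether a given unencoded request fails with the "Last unit" message or a different base64 error depends on how many '+' signs the particular base64 string contained, which is why the problem can look intermittent.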