After upgrading CA Access Gateway (SPS) to 12.8sp7, there's a problem with one of CA Access Gateway (SPS) embedded Agent.

User received error 500 on the favicon and during the Authentication.

agent log:

[13276/4624][Thu Aug 10 2023 08:59:27.236][CSmSAMLDataPlugin.cpp:179][ERROR][sm-SAMLAgent-00020] Bad or missing context 'HTTPPLUGIN'.
[13276/4624][Thu Aug 10 2023 08:59:27.236][CSmResourceManager.cpp:103][ERROR][sm-AgentFramework-00460] HLA: Analyzer from module 'SM_WAF_SAMLDATA_PLUGIN' returned unknown response code '-1' for component 'Resource Manager'.
[13276/4624][Thu Aug 10 2023 08:59:27.236][CSmResourceManager.cpp:151][WARNING][sm-AgentFramework-00480] HLA: Missing resource data.
[13276/4624][Thu Aug 10 2023 08:59:27.236][CSmHighLevelAgent.cpp:339][ERROR][sm-AgentFramework-00420] HLA: Component reported fatal error: 'Resource Manager'.
[13276/9148][Thu Aug 10 2023 08:59:27.330][CSmSAMLDataPlugin.cpp:179][ERROR][sm-SAMLAgent-00020] Bad or missing context 'HTTPPLUGIN'.
[13276/9148][Thu Aug 10 2023 08:59:27.330][CSmResourceManager.cpp:103][ERROR][sm-AgentFramework-00460] HLA: Analyzer from module 'SM_WAF_SAMLDATA_PLUGIN' returned unknown response code '-1' for component 'Resource Manager'.
[13276/9148][Thu Aug 10 2023 08:59:27.330][CSmResourceManager.cpp:151][WARNING][sm-AgentFramework-00480] HLA: Missing resource data.

agent trace log:

[08/10/2023][09:00:13][09:00:13.335][][][][CSmSAMLDataPlugin::ProcessResource][Retrieving pointer to HTTPPlugin]
[08/10/2023][09:00:13][09:00:13.335][][][][CSmResourceManager::ProcessResource][SM_WAF_SAMLDATA_PLUGIN->ProcessResource returned SmFailure.]
[08/10/2023][09:00:13][09:00:13.335][][][][CSmResourceManager::ProcessResource][Plugins did not collect required resource data.]
[08/10/2023][09:00:13][09:00:13.335][][][][ProcessRequest][ResourceManager returned SmNoAction or SmFailure, end new request.]

CA Access Gateway (SPS) 12.8SP7

Misconfiguration within webagent.conf, causes HttpPlugin.dll not loading properly. The root cause is not related to the upgraded version.

There is a predefined order on how *.dll is loaded by the SPS Agent.

There is a misconfiguration within {SPS_Home}\secure-proxy\proxy-engine\conf\defaultagent\webagent.conf.

The documentation actually says "The SAMLDataPlugin.dll must appear after HttpPlugin.dll for the Web Agent to load without failures." (1).

Here is the default order list of dll within webagent.conf, customer may uncomment a line, but please keep the same order.

LoadPlugin="{SPS_Home}\secure-proxy\agentframework\bin\HttpPlugin.dll"
LoadPlugin="{SPS_Home}\secure-proxy\agentframework\bin\SPSPlugin.dll"
#LoadPlugin="{SPS_Home}\secure-proxy\agentframework\bin\SPPlugin.dll"
#LoadPlugin="{SPS_Home}\secure-proxy\agentframework\bin\DisambiguatePlugin.dll"
#LoadPlugin="{SPS_Home}\secure-proxy\agentframework\bin\OpenIDPlugin.dll"
#LoadPlugin="{SPS_Home}\secure-proxy\agentframework\bin\SessionLinkerPlugin.dll"
#LoadPlugin="{SPS_Home}\secure-proxy\agentframework\bin\SAMLDataPlugin.dll"
#LoadPlugin="{SPS_Home}\secure-proxy\agentframework\bin\CertSessionLinkerPlugin.dll"
 

1. Pass Assertion Data as HTTP Headers to Relying Party Applications
   https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/partnership-federation/application-integration-at-the-relying-party/pass-assertion-data-as-http-headers-to-relying-party-applications.html