User loops to login page and SAML assertions are not getting generated

Article ID: 40900

Products

  • CA Single Sign On Secure Proxy Server (SiteMinder)
  • CA Single Sign On SOA Security Manager (SiteMinder)
  • CA Single Sign-On SITEMINDER
  • CA Single Sign On Federation (SiteMinder)
  • CA Single Sign On Agents (SiteMinder)

Issue/Introduction

In an IDP-initiated transaction, the user keeps looping between redirect.jsp and the authentication scheme URL. This can be verified by taking a Fiddler trace.

The user posts credentials to:

  https://_host.example.com/siteminderagent/forms/login.fcc

The user is redirected to redirect.jsp as expected:

  http://_host.example.com/affwebservices/redirectjsp/redirect.jsp

From that page, the user should get access to the requested resource. Instead, the user again gets redirected to the authentication scheme URL.

  https://_host.example.com/siteminderagent/forms/login.fcc

Environment

Any Partnership model.


Cause

From the logs, the user is not authorized to access the redirect.jsp file:

  • First, the user clicks the saml2sso service URL;
  • Second, since the user does not yet have an SMSESSION cookie, the user is redirected to the authentication URL;
  • Third, the user does a GET on login.fcc and posts credentials; an SMSESSION cookie is set;
  • Finally, the user is sent back to redirect.jsp, is redirected to the authentication URL again, posts credentials again and is again sent back to redirect.jsp.

This happens because the user is "not authorized by the policy server":

From the Web Agent traces:

  [03/11/2016][10:34:39][3736][3660][CSmLowLevelAgent.cpp:2011][AuthorizeUser]
[][*10.0.0.1][][mysamltest]
[/affwebservices/redirectjsp/redirect.jsp?SPID=https://_sp.example.com:4043/singlesignon.aspx&SMPORTALURL=http%3A%2F%2F_test.example.com%2Faffwebservices%2Fpublic%2Fsaml2sso][xxx][User 'CN=xxxxxx,OU=xxxx.....,DC=example,DC=com' is not authorized by Policy Server.]

From the Policy Server traces:

 [03/11/2016][10:34:39.089][10:34:39][2016][3140][Sm_Az_Message.cpp:595][CSm_Az_Message::ProcessMessage]
 [s1308/r7][mysamltest][][myagent][][mypage][mysamltest][][][][][][][][][][][][][]
 [** Status: Not Authorized. ][][][][][][][][][][][]
[yz .. fz0mAJXF][][][CN=xxxxxx,OU=xxxx.....,DC=example,DC=com][][][][][][][][][][][][][][][][][][][][][][]
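To spot this condition in a Web Agent trace without reading it by hand, here is an added Python example (not from this article or the product) that parses entries in the layout shown above and flags a user repeatedly denied on the same resource. The sample entries are constructed, and the field positions are inferred from the trace above, not from product documentation.

```python
import re
from collections import Counter

# Constructed sample of Web Agent trace entries in the layout shown above,
# one entry per line. Hosts, DNs and agent names are placeholders.
SAMPLE_TRACE = """\
[03/11/2016][10:34:39][3736][3660][CSmLowLevelAgent.cpp:2011][AuthorizeUser][][*10.0.0.1][][mysamltest][/affwebservices/redirectjsp/redirect.jsp?SPID=https://_sp.example.com:4043/singlesignon.aspx][xxx][User 'CN=xxxxxx,OU=xxxx,DC=example,DC=com' is not authorized by Policy Server.]
[03/11/2016][10:34:41][3736][3660][CSmLowLevelAgent.cpp:2011][AuthorizeUser][][*10.0.0.1][][mysamltest][/affwebservices/redirectjsp/redirect.jsp?SPID=https://_sp.example.com:4043/singlesignon.aspx][xxx][User 'CN=xxxxxx,OU=xxxx,DC=example,DC=com' is not authorized by Policy Server.]
[03/11/2016][10:34:43][3736][3660][CSmLowLevelAgent.cpp:2011][AuthorizeUser][][*10.0.0.1][][mysamltest][/affwebservices/redirectjsp/redirect.jsp?SPID=https://_sp.example.com:4043/singlesignon.aspx][xxx][User 'CN=xxxxxx,OU=xxxx,DC=example,DC=com' is not authorized by Policy Server.]
[03/11/2016][10:34:45][3736][3660][CSmLowLevelAgent.cpp:2011][AuthorizeUser][][*10.0.0.1][][mysamltest][/protected/index.html][xxx][User 'CN=other,OU=xxxx,DC=example,DC=com' is not authorized by Policy Server.]
"""

FIELD_RE = re.compile(r"\[([^\]]*)\]")
DENIAL_RE = re.compile(r"User '([^']+)' is not authorized by Policy Server")


def parse_denial(line):
    """Return (timestamp, user_dn, resource_path) for an AuthorizeUser denial,
    or None for any other trace line. The query string is stripped so that
    repeated hits on redirect.jsp group together whatever SPID/SMPORTALURL carry."""
    fields = FIELD_RE.findall(line)
    if "AuthorizeUser" not in fields:
        return None
    user = resource = None
    for field in fields:
        match = DENIAL_RE.search(field)
        if match:
            user = match.group(1)
        elif field.startswith("/") and resource is None:
            resource = field          # first URL-path field is the requested resource
    if user is None or resource is None:
        return None
    return f"{fields[0]} {fields[1]}", user, resource.split("?", 1)[0]


def find_authorization_loops(trace_text, threshold=3):
    """Count denials per (user, resource) and return those at or above threshold:
    the same user bounced off the same resource repeatedly is the signature of
    the redirect.jsp loop described in this article."""
    counts = Counter()
    for line in trace_text.splitlines():
        parsed = parse_denial(line)
        if parsed:
            _, user, path = parsed
            counts[(user, path)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (user, path), n in find_authorization_loops(SAMPLE_TRACE).items():
        print(f"{n}x Not Authorized for {user} on {path}: check the Realm/Policy covering {path}")
```

A hit points at the Realm and Policy to inspect in the Resolution steps; a single denial on a different resource (as in the last sample line) stays below the threshold and is not reported.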

Resolution

  1. In the AdminUI, open the Domain where the redirect.jsp Realm or the authentication URL Realm is configured;
  2. Check that the correct user directory is attached to this Domain. The user should exist in this Domain;
  3. Open the Policy attached to this Domain. Click the Users tab in the Policy and check whether the user in the test is included;
  4. Click the Rules tab in the Policy and check whether a Rule is attached. The Policy for the authentication URL Domain should have a Rule attached to it.

      This Rule should apply to the redirect.jsp page. For instance:
      Effective Resource: iisagent/siteminderagent/redirectjsp/*