User is intermittently redirected to error page in Keycloak oidc integration

Article ID: 413092

Updated On:

Products

SITEMINDER

Issue/Introduction

In this OIDC integration, Keycloak acts as the external identity provider, while SiteMinder is on the service provider side.

Users intermittently observed SiteMinder redirecting them to the URL specified in the ServerErrorFile parameter configured in the ACO.

ServerErrorFile  = https://examples.com/sample_error_page

However, the same issue did not occur when testing in other environments.

Environment

OS: Windows Server
Policy server version : 12.9

Cause

The FWSTrace log shows that Keycloak, as the IdP, returns an OIDC error to SiteMinder with error_description=authentication_expired, so the subsequent redirect by the Access Gateway to the error page is expected behavior.

[mm/dd/yyyy][hh:mm:ss][812][10096][xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-8b][BCTokenController.java][doGet][Back Channel Token Controller and Single Sign-on Service received GET request.]

[mm/dd/yyyy][hh:mm:ss][812][10096][xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-8b][FWSBase.java][doRequestLog][Requesting Host: x.x.x.x Requesting Host IP: x.x.x.x Request protocol: HTTP/1.1 Request was secure: true Authentication type: null]

[mm/dd/yyyy][hh:mm:ss][812][10096][xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-8b][BCTokenController.java][doGet][Query String: error=temporarily_unavailable&error_description=authentication_expired&state=SMSTATEGUID-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-bd&iss=https%3A%2F%2Fexample.com%2Fsample%2F]

According to third-party Keycloak documentation, "authentication_expired" is returned when the user already had a Keycloak cookie session in the browser.

So it appears that Keycloak detected an existing session in the browser and, rather than authenticating the user again, rendered the "authentication_expired" error instead.
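As an added example (not from the article or from SiteMinder), the following Python script parses FWSTrace "Query String:" lines into the OIDC authorization-response parameters and tallies IdP error descriptions, so an intermittent authentication_expired can be counted against successful callbacks and each callback's iss can be checked against the expected issuer. The log lines are constructed placeholders, and the bracketed field layout is assumed from the trace lines above.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed FWSTrace-style lines modelled on the article; every value is a placeholder.
SAMPLE_LOG = """\
[mm/dd/yyyy][hh:mm:ss][812][10096][xxxxxxxx-8b][BCTokenController.java][doGet][Back Channel Token Controller and Single Sign-on Service received GET request.]
[mm/dd/yyyy][hh:mm:ss][812][10096][xxxxxxxx-8b][BCTokenController.java][doGet][Query String: error=temporarily_unavailable&error_description=authentication_expired&state=SMSTATEGUID-xxxx-bd&iss=https%3A%2F%2Fexample.com%2Fsample%2F]
[mm/dd/yyyy][hh:mm:ss][812][10097][xxxxxxxx-9c][BCTokenController.java][doGet][Query String: code=abc123&state=SMSTATEGUID-yyyy-ce&iss=https%3A%2F%2Fexample.com%2Fsample%2F]
[mm/dd/yyyy][hh:mm:ss][812][10098][xxxxxxxx-ad][BCTokenController.java][doGet][Query String: error=access_denied&error_description=user_cancelled&state=SMSTATEGUID-zzzz-df&iss=https%3A%2F%2Fother.example.com%2F]
"""

# Assumed field layout, taken from the trace lines in the article:
# [date][time][pid][thread][guid][class][method][message]
FIELD_RE = re.compile(r"\[([^\]]*)\]")
QS_PREFIX = "Query String: "

def parse_callback(line):
    """Decode the OIDC authorization-response parameters carried by a
    'Query String:' trace line; return None for any other line."""
    fields = FIELD_RE.findall(line)
    if len(fields) < 8 or not fields[7].startswith(QS_PREFIX):
        return None
    params = parse_qs(fields[7][len(QS_PREFIX):], keep_blank_values=True)
    callback = {k: v[0] for k, v in params.items()}  # parse_qs already percent-decodes
    callback["thread"] = fields[3]
    return callback

def summarize(log_text, expected_iss):
    """Tally callbacks as 'success' (a code was returned) or by the IdP's
    error_description, and list threads whose iss is not the expected issuer."""
    tally = Counter()
    issuer_mismatch = []
    for line in log_text.splitlines():
        cb = parse_callback(line)
        if cb is None:
            continue
        if cb.get("iss") != expected_iss:
            issuer_mismatch.append(cb["thread"])
        if "code" in cb:
            tally["success"] += 1
        else:
            tally[cb.get("error_description") or cb.get("error", "unknown")] += 1
    return tally, issuer_mismatch

if __name__ == "__main__":
    tally, mismatch = summarize(SAMPLE_LOG, "https://example.com/sample/")
    print(dict(tally), "issuer mismatch on threads:", mismatch)
```

A rising share of authentication_expired relative to success across a window of FWSTrace lines is the signal to look at session affinity between the browser and the IdP, which is the direction the resolution below took.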

Resolution

The session cookie detected in the browser was possibly from an old Keycloak session. SiteMinder has no control over it, so it is not part of the root cause.

The "authentication_expired" error was received from Keycloak as part of the OIDC data flow, so SiteMinder cannot change it; SiteMinder only processes the error after receiving it.

After enabling sticky sessions on the network or application devices in this particular integrated environment, the issue no longer occurs.