
Error 500 : federation auth scheme without fed auth scheme credentials


Article ID: 51120


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
CA Single Sign On Agents (SiteMinder)
SITEMINDER
CA Single Sign On Federation (SiteMinder)

Issue/Introduction

How can a bad request to the IdP be redirected to an authentication
page instead of the 500 error page? Can this be achieved?

The main difference between the Traditional Authentication Scheme and
the SAML 2.0 Authentication Scheme is the credential: the Traditional
Authentication Scheme authenticates with a username and password,
whereas the SAML 2.0 Authentication Scheme authenticates with an
Assertion.

The Traditional Authentication Scheme is configured on a realm. When a
resource protected by that realm is requested, the request is sent to
the Authentication Scheme to collect credentials. Resources protected
by SiteMinder add to the request all the information needed to bring
the user back to the right place after the authentication and
authorization process. This scheme is handled on the Web Agent.

SAML 2.0 Authentication Scheme

When a resource protected by this realm is requested at the SP, the
request goes first to the AuthnRequest Service, carrying all the
information the SP needs, and is redirected to the IdP to obtain a
SAML 2.0 Assertion. The IdP returns the Assertion to the SP Assertion
Consumer Service. The SP Assertion Consumer Service (Web Agent Option
Pack) passes the Assertion to the Policy Server. The Policy Server
then invokes the SAML 2.0 Authentication Scheme, passing the Assertion
as credentials. Authentication goes through a disambiguation process
which, depending on the selected method, may involve signature
verification among other checks.

This scheme is processed on the Policy Server.

Regarding the error seen:

When a resource on the SP side protected by a SAML 2.0 authentication
scheme is hit directly, the Web Agent logs a message of the form:

  "User is trying to access a resource protected with federation auth
  scheme without fed auth scheme credentials. No way to challenge the
  user"

and the Web Server returns a 500 error to the browser.

Resolution

This error is thrown because there is no Assertion to handle in the
call received at the SP Assertion Consumer Service: the request
bypassed the AuthnRequest Service and the IdP, so no Assertion was
ever obtained. As noted above, a hard-coded link to the AuthnRequest
Service must be configured, which explains what is seen in the
browser:

  The request does not go to the AuthnRequest Service by itself.

That link must be configured manually; there is no other way to do it.
With it in place, each protected realm resource sends the user to the
AuthnRequest Service.

For the cases where the user requests the Assertion Consumer Service
directly, or another type of resource, there is no out-of-the-box way
to redirect them other than configuring the ServerErrorFile parameter
with a page that sends the user on to the AuthnRequest Service. Since
the initial target was only a service, a generic page can be chosen to
send the user to, and that page is then protected.
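The following is an added example, not part of the KB article and not CA/Broadcom product code. It shows the client-side logic a custom ServerErrorFile page could carry: when the 500 was produced by a direct hit on the Assertion Consumer Service, the browser is sent to a generic landing page that is itself protected by the SAML 2.0 realm, so that page's hard-coded link to the AuthnRequest Service starts the normal IdP flow. It also guards against a redirect loop when the error page is served for the landing page or the AuthnRequest Service itself. Every path, the ProviderID value and the assumption that the error page is served in place (so window.location still holds the URL that failed) are assumptions made for the example, not values from the article.

```javascript
// Added example; not from the KB article and not product code.
// Script for the page configured as the Web Agent's ServerErrorFile.
//
// Assumed values (none come from the article):
//   - AuthnRequest Service path and its ProviderID query parameter
//   - Assertion Consumer Service path
//   - a generic landing page protected by the SAML 2.0 realm
//   - the error page is served in place, so window.location.href is
//     still the URL of the request that failed
const CONFIG = {
  providerId: "https://sp.example.com/sp",                    // assumed SP entity ID
  authnRequestPath: "/affwebservices/public/saml2authnrequest", // assumed
  acsPath: "/affwebservices/public/saml2assertionconsumer",     // assumed
  landingPath: "/protected/landing.html",                       // assumed
};

// The hard-coded link to the AuthnRequest Service that the protected
// landing page carries: AuthnRequest Service URL plus the SP's ProviderID.
function buildAuthnRequestUrl(origin, config = CONFIG) {
  const url = new URL(config.authnRequestPath, origin);
  url.searchParams.set("ProviderID", config.providerId);
  return url.toString();
}

// Decide where the error page should send the browser.
// Returns the landing page URL for a direct hit on the ACS (or any other
// resource that produced the 500), and null when redirecting would only
// loop because the failing request was the landing page or the
// AuthnRequest Service itself; in that case the page shows its static text.
function nextHopFor(currentUrl, config = CONFIG) {
  const url = new URL(currentUrl);
  const path = url.pathname.toLowerCase();
  if (path === config.landingPath.toLowerCase() ||
      path === config.authnRequestPath.toLowerCase()) {
    return null;
  }
  return new URL(config.landingPath, url.origin).toString();
}

// Browser entry point. Does nothing outside a browser, so the helpers
// above can be exercised stand-alone.
function redirectFromErrorPage() {
  if (typeof window === "undefined") return null;
  const hop = nextHopFor(window.location.href);
  if (hop) window.location.replace(hop);
  return hop;
}

redirectFromErrorPage();
```

The landing page is deliberately a separate, protected resource rather than the AuthnRequest Service itself: the Web Agent then handles the challenge exactly as it does for any other realm resource, and the error page never has to know the ProviderID or the federation paths beyond recognising them for the loop guard.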