We're running Federation Services as the SP (Service Provider), and when
the browser comes back to the Assertion Consumer page on our SP after
having successfully authenticated at the IdP (Identity Provider), the
Federation Service returns error 500 to the browser:
https://mysp.example-sp.com/affwebservices/public/saml2assertionconsumer
HTTP Status 500 - Internal Error occured while trying to process the
request. Transaction ID: <Transaction ID> failed.
The Federation Service shows the error:
"ACS_FAILED_PROCESS_FAILURE"
How can we fix this?
The Policy Server reports that there is no signature for it to verify:
Assertion rejected (id#############): POST binding
request, but no signatures on assertion or request
and it is using this partnership configuration (note
DisableSignatureProcessing=0: signatures are processed, and therefore
required, for this partnership):
Description=SP to IDP partnership,
Name=mypartnership,
DisableSignatureProcessing=0,
DSigVerInfoSerialNumber=1441125s555w5,
DSigVerificationAlias=mycert,
DSigVerInfoIssuerDN=EMAILADDRESS=[email protected], CN=mysp,
OU=myidp, myteam, L=xxx, ST=xxx, C=US,
The same setting is reflected in the policy store export: signature
processing has not been disabled on the SP side:
pstore.xml:
<Object Class="CA.FED::PartnershipBase"
        Xid="CA.FED::PartnershipBase@ff2f5e09-########################"
        CreatedDateTime="2020-03-24T10:45:47"
        ModifiedDateTime="2020-03-25T13:08:23" UpdatedBy="<admin name>"
        UpdateMethod="GUI" ExportType="Replace">
  <Property Name="CA.FED::PartnershipBase.Name">
    <StringValue>mypartnership</StringValue>
  </Property>
  <Property Name="CA.FED::PartnershipBase.DisableSignatureProcessing">
    <BooleanValue>false</BooleanValue>
  </Property>
  <Property Name="CA.FED::PartnershipBase.Description">
    <StringValue>SP to IDP partnership</StringValue>
  </Property>
  [...]
</Object>
On the IdP side (the Okta SAML application), by contrast, assertion
signing is turned off:
Assertion Signature: Unsigned
So the two sides disagree. With DisableSignatureProcessing=0 the SP
requires an XML signature on the POST-bound Response or on the Assertion
and rejects anything unsigned, while the IdP sends neither, so every
login ends in ACS_FAILED_PROCESS_FAILURE and an HTTP 500. Align them by
enabling assertion signing at the IdP with the certificate the SP
partnership is configured to verify against (DSigVerificationAlias,
DSigVerInfoSerialNumber and DSigVerInfoIssuerDN), and keep the SP
requirement in place. Setting DisableSignatureProcessing=1 on the SP
would also make the error go away, but it removes the SP's only means of
telling a genuine Response from one that anyone can craft and POST to the
Assertion Consumer URL.
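To make the failing check concrete, here is an added Python example (not SiteMinder or Okta code) that reproduces the SP-side gate the trace shows: it parses the partnership settings in the Key=Value form the Policy Server trace prints, decodes a POST-bound SAMLResponse parameter, and rejects it with the article's reason string when neither the Response nor the Assertion carries a ds:Signature while DisableSignatureProcessing is 0. The two SAMLResponse values, the Assertion ID, the Issuer and the helper names (parse_partnership, build_response_xml, post_param, check_post_binding_signature) are constructed for the illustration. The presence check is only the first gate; real verification of the XML signature against the partner certificate needs an XML-DSig library and is not shown here.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

# Namespaces of a SAML 2.0 Response carried in the HTTP-POST binding.
SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample (values are the anonymised ones from the article):
# the partnership settings in the "Key=Value," form the Policy Server prints.
PARTNERSHIP_CONFIG = """
Description=SP to IDP partnership,
Name=mypartnership,
DisableSignatureProcessing=0,
DSigVerInfoSerialNumber=1441125s555w5,
DSigVerificationAlias=mycert,
"""


def parse_partnership(text):
    """Turn 'Key=Value,' lines into a dict (hypothetical helper, not a SiteMinder API)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def build_response_xml(signed):
    """Constructed minimal Response + Assertion. With signed=True a ds:Signature
    element (placeholder content, not a real signature) is placed on the
    Assertion, so only the *presence* of a signature differs between samples."""
    signature = (
        f'<ds:Signature xmlns:ds="{DSIG}"><ds:SignedInfo/>'
        '<ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>'
        if signed else ""
    )
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<saml2p:Response xmlns:saml2p="{SAML2P}" xmlns:saml2="{SAML2}" '
        'ID="id17919213888224000" Version="2.0" IssueInstant="2020-04-07T08:43:02Z" '
        'Destination="https://mysp.example-sp.com/affwebservices/public/saml2assertionconsumer">'
        '<saml2:Issuer>https://myidp.example-idp.com</saml2:Issuer>'
        '<saml2p:Status><saml2p:StatusCode '
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>'
        '<saml2:Assertion ID="id17919213888224" Version="2.0" IssueInstant="2020-04-07T08:43:02Z">'
        '<saml2:Issuer>https://myidp.example-idp.com</saml2:Issuer>'
        + signature +
        '<saml2:Subject><saml2:NameID '
        'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
        'user@example.com</saml2:NameID></saml2:Subject>'
        '</saml2:Assertion></saml2p:Response>'
    )


def post_param(xml_text):
    """Encode as the browser does for the POST binding: base64, then form-encoded."""
    return quote(base64.b64encode(xml_text.encode("utf-8")).decode("ascii"), safe="")


# Constructed SAMLResponse form values: one unsigned (what the IdP above sends),
# one with a signature element on the Assertion.
UNSIGNED_SAMLRESPONSE = post_param(build_response_xml(signed=False))
SIGNED_SAMLRESPONSE = post_param(build_response_xml(signed=True))


def check_post_binding_signature(saml_response_param, disable_signature_processing):
    """First SP-side gate for the POST binding, as the trace shows it: is there
    a ds:Signature on the Response or on the Assertion at all?
    Returns (accepted, reason). Presence is necessary, not sufficient: a real
    SP then verifies the XML-DSig against the pinned partner certificate."""
    xml_bytes = base64.b64decode(unquote(saml_response_param))
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAML2P}}}Response":
        return False, f"unexpected root element {root.tag}"
    assertion = root.find(f"{{{SAML2}}}Assertion")
    assertion_id = assertion.get("ID", "?") if assertion is not None else "?"
    response_signed = root.find(f"{{{DSIG}}}Signature") is not None
    assertion_signed = (assertion is not None
                        and assertion.find(f"{{{DSIG}}}Signature") is not None)
    if disable_signature_processing:
        # DisableSignatureProcessing=1 skips this gate entirely: an unsigned,
        # attacker-forgeable Response is accepted. Not recommended.
        return True, f"Assertion {assertion_id} accepted: signature processing disabled"
    if not (response_signed or assertion_signed):
        return False, (f"Assertion rejected ({assertion_id}): POST binding request, "
                       "but no signatures on assertion or request")
    where = "assertion" if assertion_signed else "response"
    return True, f"Assertion {assertion_id}: signature present on {where}, proceed to XML-DSig verification"


if __name__ == "__main__":
    cfg = parse_partnership(PARTNERSHIP_CONFIG)
    sig_off = cfg["DisableSignatureProcessing"] == "1"
    for label, param in (("unsigned", UNSIGNED_SAMLRESPONSE), ("signed", SIGNED_SAMLRESPONSE)):
        print(label, check_post_binding_signature(param, sig_off))
```

With the unsigned sample and DisableSignatureProcessing=0 the function returns the same rejection text the Policy Server logs in checkAssertion; flipping the flag to 1 makes the identical, forgeable message pass, which is why the fix belongs on the IdP side (sign the assertion) rather than on the SP side (stop checking).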
Details of the full error:
fiddler.saz:
Line 1:
GET https://myidp.example-idp.com/app/my_oktasamlapplication_1/xxxx/sso/saml?SAMLRequest=pVHLboMwELzn.................................Of759%2FIb
HTTP/1.1 200 OK
Date: Tue, 07 Apr 2020 08:43:01 GMT
Server: Apache
Line 2:
POST https://mysp.example-sp.com/affwebservices/public/saml2assertionconsumer
SAMLResponse=rVXBbtpAED23Uv%2FB8.................................................................................b2ruwWa%2FAY%3D
HTTP/1.1 500 Internal Server Error
Date: Tue, 07 Apr 2020 08:43:02 GMT
Server: Apache/2.4.29 (Win64) OpenSSL/1.0.2l-fips mod_jk/1.2.42
HTTP Status 500 - Internal Error occured while trying to process the
request. Transaction ID: <Transaction ID> failed.
affwebserv.log:
[2844/8752][Tue Apr 07 2020 08:43:02][FWSBase.java][ERROR][sm-FedClient-00360] SAML Assertion based user authentication failed. ()
[2844/8752][Tue Apr 07 2020 08:43:02][AssertionConsumer.java][ERROR][sm-FedClient-02890] Transaction with ID: <Transaction ID> failed. Reason: ACS_FAILED_PROCESS_FAILURE (, , )
FWSTrace.log:
[04/07/2020][08:43:02][2844][8752][<Transaction ID>][FWSBase.java][authenticateUser][Passing response message through login call [CHECKPOINT = SSO_RESPONSEMESSAGEINLOGIN_REQ]]
[04/07/2020][08:43:02][2844][8752][<Transaction ID>][FWSBase.java][authenticateUser][result code from AgentAPI login call: 2]
[04/07/2020][08:43:02][2844][8752][<Transaction ID>][FWSBase.java][authenticateUser][Login failure [CHECKPOINT = SSO_LOGINFAILURE_RSP]]
[04/07/2020][08:43:02][2844][8752][<Transaction ID>][FWSBase.java][processFailedAuthentication][SAML Assertion based user authentication failed.]
[04/07/2020][08:43:02][2844][8752][<Transaction ID>][AssertionConsumer.java][processSAMLResponse][authenticateUser failed: 1]
[04/07/2020][08:43:02][2844][8752][<Transaction ID>][AssertionConsumer.java][redirectLoginFailure][AuthReason=50]
[04/07/2020][08:43:02][2844][8752][<Transaction ID>][AssertionConsumer.java][redirectLoginFailure][Redirect Mode="0" URL="null"]
[04/07/2020][08:43:02][2844][8752][<Transaction ID>][AssertionConsumer.java][redirectLoginFailure][Ending SAML2 AssertionConsumer Service request processing with HTTP error 500]
smtracedefault.log <SM2>:
[04/07/2020][10:43:03.260][10:43:03][3056][3536][SmMessage.cpp:557][CSmMessage::ParseAgentMessage][s17311/r644][][][][][][][][][][][][][][][][][][][][<Transaction ID>][Receive request attribute 221, data size is 48][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[04/07/2020][10:43:03.260][10:43:03][3056][3536][Sm_Auth_Message.cpp:780][CSm_Auth_Message::AuthenticateUser][<Transaction ID>][samlidp:mypartnership][/][][][samlidp:mypartnership][samlidp:pn-okta][][][][][][][][][][][][][][Authenticating user.][][][][][][5][0][samlidp:mypartnership_auth][][][][][][][][][06-.....................1f9f1be6e][][][][][][][][][][][][][][][][][][][][][]
[04/07/2020][10:43:03.260][10:43:03][3056][3536][Saml2Validator.java][getConfig][<Transaction ID>][][][][][][][][][][][][][][][][][][][][samlConfigData: {NameIDPolicyFormat=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, [...] Description=SP to IDP partnership, [...] DSigVerInfoSerialNumber=17096e23d8a, [...] DSigVerificationAlias=mycert, [...] DisableSignatureProcessing=0, [...] Name=mypartnership, [...] DSigVerInfoIssuerDN=EMAILADDRESS=[email protected], CN=mysp, OU=myidp, myteam, L=xxx, ST=xxx, C=US, [...] ][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[04/07/2020][10:43:03.260][10:43:03][3056][3536][Saml2Validator.java][stripWrapper][<Transaction ID>][][][][][][][][][][][][][][][][][][][][Response message being processed: <UserCredentials><?xml version="1.0" encoding="UTF-8"?><saml2p:Response De[...] </UserCredentials][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[04/07/2020][10:43:03.260][10:43:03][3056][3536][Saml2Validator.java][checkAssertion][<Transaction ID>][][][][][][][][][][][][][][][][][][][][Assertion rejected (id17919213888224............): POST binding request, but no signatures on assertion or request][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[04/07/2020][10:43:03.276][10:43:03][3056][3536][SmAuthSaml.cpp:1295][][][][][][][][][][][][][][][][][][][][][LogMessage:INFO:[sm-log-00000] SmAuthenticateJNI() failed. ][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[04/07/2020][10:43:03.276][10:43:03][3056][3536][SmAuthSaml.cpp:2027][SmAuthenticate][][][][][][][][][][][][][][][][][][][][][SAML Auth Scheme returning auth state: 3, auth reason: 50.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
smps.log:
[3056/3536][Tue Apr 07 2020 10:43:03][SmAuthSaml.cpp:1295][INFO][sm-log-00000] SmAuthenticateJNI() failed.