Getting error "ACS_FAILED_PROCESS_FAILURE"

Article ID: 188681


Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER

Issue/Introduction


We're running Federation Services as SP (Service Provider), and when
the browser comes back to the Assertion Consumer page on our SP
(Service Provider) after having successfully authenticated at the IdP
(Identity Provider), the Federation Service returns error 500 to
the browser.

  https://mysp.example-sp.com/affwebservices/public/saml2assertionconsumer

  HTTP Status 500 - Internal Error occured while trying to process the
  request. Transaction ID: <Transaction ID> failed.

  The Federation Service shows error :

    "ACS_FAILED_PROCESS_FAILURE"

How can we fix this?

Environment


  CA Access Gateway (SPS) 12.8SP0 on Windows 2016;

  Policy Server 12.8SP1 on Windows 2016;

Cause


The Policy Server reports that there is no signature to verify:

  Assertion rejected (id#############): POST binding
  request, but no signatures on assertion or request

and it uses this configuration:

  Description=SP to IDP partnership
  Name=mypartnership,
  DisableSignatureProcessing=0,
  DSigVerInfoSerialNumber=1441125s555w5,
  DSigVerificationAlias=mycert,

  [email protected], CN=mysp,
  OU=myidp, myteam, L=xxx, ST=xxx, C=US,

The policy store export reflects the same setting: signature
processing has not been disabled.

pstore.xml  :

        <Object Class="CA.FED::PartnershipBase"
        Xid="CA.FED::PartnershipBase@ff2f5e09-########################"
        CreatedDateTime="2020-03-24T10:45:47"
        ModifiedDateTime="2020-03-25T13:08:23" UpdatedBy="<admin name>"
        UpdateMethod="GUI" ExportType="Replace">

            <Property Name="CA.FED::PartnershipBase.Name">
                <StringValue>mypartnership</StringValue>
            </Property>
            <Property Name="CA.FED::PartnershipBase.DisableSignatureProcessing">
                <BooleanValue>false</BooleanValue>
            </Property>
            <Property Name="CA.FED::PartnershipBase.Description">
                <StringValue>SP to IDP partnership</StringValue>
            </Property>

The IdP configuration has assertion signing disabled:

  Assertion Signature Unsigned

Detail of the full error :

fiddler.saz :

Line 1 :

GET https://myidp.example-idp.com/app/my_oktasamlapplication_1/xxxx/sso/saml?SAMLRequest=pVHLboMwELzn.................................Of759%2FIb

  HTTP/1.1 200 OK
  Date: Tue, 07 Apr 2020 08:43:01 GMT
  Server: Apache

Line 2 :

POST https://mysp.example-sp.com/affwebservices/public/saml2assertionconsumer
SAMLResponse=rVXBbtpAED23Uv%2FB8.................................................................................b2ruwWa%2FAY%3D

  HTTP/1.1 500 Internal Server Error
  Date: Tue, 07 Apr 2020 08:43:02 GMT
  Server: Apache/2.4.29 (Win64) OpenSSL/1.0.2l-fips mod_jk/1.2.42

  HTTP Status 500 - Internal Error occured while trying to process the
  request. Transaction ID: <Transaction ID> failed.

affwebserv.log

  [2844/8752][Tue Apr 07 2020
  08:43:02][FWSBase.java][ERROR][sm-FedClient-00360] SAML Assertion
  based user authentication failed. ()

  [2844/8752][Tue Apr 07 2020
  08:43:02][AssertionConsumer.java][ERROR][sm-FedClient-02890]
  Transaction with ID: <Transaction ID> failed. Reason:
  ACS_FAILED_PROCESS_FAILURE (, , )

FWSTrace.log :

  [04/07/2020][08:43:02][2844][8752][<Transaction ID>][FWSBase.java][authenticateUser][Passing response message through login call [CHECKPOINT = SSO_RESPONSEMESSAGEINLOGIN_REQ]]

  [04/07/2020][08:43:02][2844][8752][<Transaction ID>][FWSBase.java][authenticateUser][result code from AgentAPI login call: 2]

  [04/07/2020][08:43:02][2844][8752][<Transaction ID>][FWSBase.java][authenticateUser][Login failure [CHECKPOINT = SSO_LOGINFAILURE_RSP]]

  [04/07/2020][08:43:02][2844][8752][<Transaction ID>][FWSBase.java][processFailedAuthentication][SAML Assertion based user authentication failed.]

  [04/07/2020][08:43:02][2844][8752][<Transaction ID>][AssertionConsumer.java][processSAMLResponse][authenticateUser failed: 1]

  [04/07/2020][08:43:02][2844][8752][<Transaction ID>][AssertionConsumer.java][redirectLoginFailure][AuthReason=50]

  [04/07/2020][08:43:02][2844][8752][<Transaction ID>][AssertionConsumer.java][redirectLoginFailure][Redirect Mode="0" URL="null"]

  [04/07/2020][08:43:02][2844][8752][<Transaction ID>][AssertionConsumer.java][redirectLoginFailure][Ending SAML2 AssertionConsumer Service request processing with HTTP error 500]


smtracedefault.log<SM2> :

  [04/07/2020][10:43:03.260][10:43:03][3056][3536][SmMessage.cpp:557][CS
  mMessage::ParseAgentMessage][s17311/r644][][][][][][][][][][][][][][][
  ][][][][<Transaction ID>][Receive requ
  est attribute 221, data size is 48][][][][][][][][][][][][][][][][][][
  ][][][][][][][][][][][][][][][][][][][][]

  [04/07/2020][10:43:03.260][10:43:03][3056][3536][Sm_Auth_Message.cpp:7
  80][CSm_Auth_Message::AuthenticateUser][<Transaction ID>]
  [samlidp:mypartnership][/][][][samlidp:mypartnership][samlidp:p

  n-okta][][][][][][][][][][][][][][Authenticating user.][][][][][][5][0
  ][samlidp:mypartnership_auth][][][][][][][][][06-.....................
  1f9f1be6e][][][][][][][][][][][][][][][][][][][][][]

  [04/07/2020][10:43:03.260][10:43:03][3056][3536][Saml2Validator.java][
  getConfig][<Transaction ID>][][][][][]
  [][][][][][][][][][][][][][][samlConfigData: {NameIDPolicyFormat=urn:o
  asis:names:tc:SAML:1.1:nameid-format:unspecified,  [...] Description=S
  P to IDP partnership, [...] DSigVerInfoSerialNumber=17096e23d
  8a, [...] DSigVerificationAlias=mycert, [...] DisableSignatureP
  rocessing=0, [...] Name=mypartnership, [...] DSigVerInfoIssuerDN=EMAILADDRES
  [email protected], CN=mysp, OU=myidp, myteam, L=xxx, ST=xxx, C=US,
  [...] ][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][]

  [04/07/2020][10:43:03.260][10:43:03][3056][3536][Saml2Validator.java][
  stripWrapper][<Transaction ID>][][][][
  ][][][][][][][][][][][][][][][][Response message being processed: <Use
  rCredentials><?xml version="1.0" encoding="UTF-8"?><saml2p:Response De
  [...] </UserCredentials][][][][][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][]

  [04/07/2020][10:43:03.260][10:43:03][3056][3536][Saml2Validator.java][
  checkAssertion][<Transaction ID>][][][
  ][][][][][][][][][][][][][][][][][Assertion rejected (id17919213888224
  ............): POST binding request, but no signatures on assertion or
  request][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  [][][][][][][]

  [04/07/2020][10:43:03.276][10:43:03][3056][3536][SmAuthSaml.cpp:1295][
  ][][][][][][][][][][][][][][][][][][][][][LogMessage:INFO:[sm-log-0000
  0] SmAuthenticateJNI() failed. ][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][]

  [04/07/2020][10:43:03.276][10:43:03][3056][3536][SmAuthSaml.cpp:2027][
  SmAuthenticate][][][][][][][][][][][][][][][][][][][][][SAML Auth Sche
  me returning auth state: 3, auth reason: 50.][][][][][][][][][][][][][
  ][][][][][][][][][][][][][][][][][][][][][][][][][]

smps.log :

  [3056/3536][Tue Apr 07 2020
  10:43:03][SmAuthSaml.cpp:1295][INFO][sm-log-00000]
  SmAuthenticateJNI() failed.

Resolution


- Disable signature processing in the partnership "mypartnership"
  (DisableSignatureProcessing should be set to 1), or ask the IdP side
  to sign the SAMLResponse assertions.
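
To confirm which side has to change, the SAMLResponse form value captured in the browser trace can be inspected for signature elements. The script below is an added example, not Broadcom or SiteMinder code; the function name, report keys and sample messages are constructed for illustration, and it reports only whether ds:Signature elements are present, without verifying them.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signature_report(saml_response_param):
    """Locate ds:Signature elements in a captured SAMLResponse form value.

    Presence check only: no signature is validated cryptographically.
    """
    raw = base64.b64decode(urllib.parse.unquote(saml_response_param))
    if not raw.lstrip().startswith(b"<"):
        raw = zlib.decompress(raw, -15)  # raw DEFLATE, as the redirect binding uses
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD/entity declarations do not belong in a SAML message")
    root = ET.fromstring(raw)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a SAML 2.0 Response: " + root.tag)
    assertions = root.findall("saml:Assertion", NS)
    signed = sum(a.find("ds:Signature", NS) is not None for a in assertions)
    response_signed = root.find("ds:Signature", NS) is not None
    return {
        "response_signed": response_signed,
        "assertions": len(assertions),
        "assertions_signed": signed,
        # Signatures inside an EncryptedAssertion are not visible to this check.
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
        # Assumption: this is the situation the "no signatures on assertion
        # or request" log line describes.
        "no_signature_anywhere": not response_signed and signed == 0,
    }

# Constructed sample messages; the empty ds:Signature is a placeholder, not a real signature.
def encode_param(xml):
    return urllib.parse.quote(base64.b64encode(xml.encode()).decode(), safe="")

SIG_PLACEHOLDER = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
TEMPLATE = (
    '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-constructed-1">'
    '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-constructed-2">'
    '{sig}<saml2:Subject/></saml2:Assertion></saml2p:Response>'
)
UNSIGNED = encode_param(TEMPLATE.format(sig=""))
ASSERTION_SIGNED = encode_param(TEMPLATE.format(sig=SIG_PLACEHOLDER))
```

If "no_signature_anywhere" is true for the captured value while the partnership still has DisableSignatureProcessing=0, the two sides disagree in the way described under Cause.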