Symantec Access Management


Office 365 Active Profile Error

  • 1.  Office 365 Active Profile Error

    Posted Jul 01, 2015 02:43 PM

    Hi,

    I am trying to federate SM and Office 365. I followed the runbook to the letter.

    I have STS installed and initialized correctly.

    I have the partnership created and mapped as per the runbook.

    But when I go to IDP-initiated or SP-initiated URLs, I get a 403 error, and the SPS affwebserv.log says this.

    [1468/3940][Wed Jul 01 2015 18:24:55][SSO.java][ERROR][sm-FedClient-02890] sm-FedClient-02890 (10645ca6-560e615c-20253e1b-beb5ab0a-f140c671-da, WSFED_SSO_NO_PROVIDER_ID, , , )

    [1468/3940][Wed Jul 01 2015 18:24:55][SSO.java][ERROR][sm-FedClient-02650] sm-FedClient-02650 (urn:federation:MicrosoftOnline|||samlsso)

    Is this something anyone has encountered before? Does this mean this is looking for remote entity ID urn:federation:MicrosoftOnline|||samlsso?

    I have the entity ID defined as urn:federation:MicrosoftOnline as mentioned in the runbook.

    Regards,

    Anand.



  • 2.  Re: Office 365 Federation error

    Posted Jul 01, 2015 04:10 PM

    Okay, I figured out that error. I had to have the disambiguation ID as samlsso. Then it works.

    But now it doesn't authorize the user upon login. The policy server trace shows this.

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][IsAuthorized.cpp:688][CSm_Az_Message::IsAuthorized][2060f4d7-a82cf3bc-6440db26-c6e402b0-ddbcb6f2-f85][WSFEDrp:office365][][agrao][][wsfedrp:office365_az][wsfedrp:office365][][][][][][][][][][][][][][Authorizing user...]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:1409][CSmAz::IsOk][][][][][][][][][][][][][][][][][][][][][Enter function CSmAz::IsOk]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:1447][CSmAz::IsOk][][][][agrao][][wsfedrp:office365_az][wsfedrp:office365][][][][][][][][][][][][][][Start of user policy analysis for realm.]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:1545][CSmAz::IsOk][][][][][][][wsfedrp:office365][][wsfedrp:office365][][][][][][][][][][][][Check the Policy.]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:1588][CSmAz::IsOk][][][][][][][wsfedrp:office365][][][][wsfedrp:office365_az][][][][][][][][][][Check the Rule]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:666][CSmAz::TestRule][][][][][][][][][][][][][][][][][][][][][Enter function CSmAz::TestRule]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:771][CSmAz::TestRule][][][][][][][][][][][][][true][][][][][][][][Leave function CSmAz::TestRule]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:778][CSmAz::TestPolicy][][][][][][][][][][][][][][][][][][][][][Enter function CSmAz::TestPolicy]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:797][CSmAz::TestPolicy][][][][][][][wsfedrp:office365][][wsfedrp:office365][][][][][][][][][][][][Evaluating policy...]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:812][CSmAz::TestPolicy][][][][][][][wsfedrp:office365][][wsfedrp:office365][][][][][][][][][][][][Policy is blocked by time]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:814][CSmAz::TestPolicy][][][][][][][][][][][][][false][][][][][][][][Leave function CSmAz::TestPolicy]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:1731][CSmAz::IsOk][][][][][][][wsfedrp:office365][][wsfedrp:office365][][wsfedrp:office365_az][][][][][][][][][][Policy is not applicable. Skipped.]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:1862][CSmAz::IsOk][][][][][][][][][][][][][][No applicable Policy found. ][][][][][][][IsOk? No.]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:1864][CSmAz::IsOk][][][][][][][][][][][][][false][][][][][][][][Leave function CSmAz::IsOk]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][IsAuthorized.cpp:1047][CSm_Az_Message::InitAuthUser][][][][][][][][][][][][][][][][][][][][][Enter function CSm_Az_Message::InitAuthUser]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][IsAuthorized.cpp:1068][CSm_Az_Message::InitAuthUser][][][][][][][][][][][][][true][][][][][][][][Leave function CSm_Az_Message::InitAuthUser]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][IsAuthorized.cpp:945][CSm_Az_Message::IsAuthorized][s5/r4][WSFEDrp:office365][][agrao][][wsfedrp:office365_az][wsfedrp:office365][][][][][][][][][][][][][][Evaluating OnAccessReject policy in the realm.]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:1409][CSmAz::IsOk][][][][][][][][][][][][][][][][][][][][][Enter function CSmAz::IsOk]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:1447][CSmAz::IsOk][][][][agrao][][wsfedrp:office365_az][wsfedrp:office365][][][][][][][][][][][][][][Start of user policy analysis for realm.]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:1862][CSmAz::IsOk][][][][][][][][][][][][][][No applicable Policy found. ][][][][][][][IsOk? No.]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:1864][CSmAz::IsOk][][][][][][][][][][][][][false][][][][][][][][Leave function CSmAz::IsOk]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:2311][CSmAz::IsOkGlobal][][][][][][][][][][][][][][][][][][][][][Enter function CSmAz::IsOkGlobal]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:2333][CSmAz::IsOkGlobal][][][][agrao][][wsfedrp:office365_az][wsfedrp:office365][][][][][][][][][][][][][][Evaluating OnAccessReject global policies in the realm.]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:1409][CSmAz::IsOk][][][][][][][][][][][][][][][][][][][][][Enter function CSmAz::IsOk]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:1447][CSmAz::IsOk][][][][agrao][][wsfedrp:office365_az][wsfedrp:office365][][][][][][][][][][][][][][Start of user policy analysis for realm.]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:1862][CSmAz::IsOk][][][][][][][][][][][][][][No applicable Policy found. ][][][][][][][IsOk? No.]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:1864][CSmAz::IsOk][][][][][][][][][][][][][false][][][][][][][][Leave function CSmAz::IsOk]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:2347][CSmAz::IsOkGlobal][][][][][][][][][][][][][false][][][][][][][][Leave function CSmAz::IsOkGlobal]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][Sm_Az_Message.cpp:406][CSm_Az_Message::SendReply][][][][][][][][][][][][][][][][][][][][][Enter function CSm_Az_Message::SendReply]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthAnon.cpp:44][SmAuthQuery][][][][][][][][][][][][][][][][][][][][][Enter function SmAuthQuery]

    [07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthAnon.cpp:63][SmAuthQuery][][][][][][][][][][][][][Sm_AuthApi_Success][][][][][][][][Leave function SmAuthQuery]

    Any idea?

    Regards,

    Anand.
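    The policy server trace above records each evaluator decision in the last bracketed field, with the user, realm, rule and policy names in the positional fields before it. The following is an added example, not code from the original post or from CA: a small Python parser that splits those lines and pulls out only the decisions that explain the rejection (here the "Policy is blocked by time" result), run over a constructed sample of five lines copied from the trace.

```python
import re

# Constructed sample: five lines copied from the policy server trace quoted in the post above.
SAMPLE_TRACE = """\
[07/01/2015][20:05:04.620][20:05:04][4876][4560][IsAuthorized.cpp:688][CSm_Az_Message::IsAuthorized][2060f4d7-a82cf3bc-6440db26-c6e402b0-ddbcb6f2-f85][WSFEDrp:office365][][agrao][][wsfedrp:office365_az][wsfedrp:office365][][][][][][][][][][][][][][Authorizing user...]
[07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:812][CSmAz::TestPolicy][][][][][][][wsfedrp:office365][][wsfedrp:office365][][][][][][][][][][][][Policy is blocked by time]
[07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:814][CSmAz::TestPolicy][][][][][][][][][][][][][false][][][][][][][][Leave function CSmAz::TestPolicy]
[07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:1731][CSmAz::IsOk][][][][][][][wsfedrp:office365][][wsfedrp:office365][][wsfedrp:office365_az][][][][][][][][][][Policy is not applicable. Skipped.]
[07/01/2015][20:05:04.620][20:05:04][4876][4560][SmAuthorization.cpp:1862][CSmAz::IsOk][][][][][][][][][][][][][][No applicable Policy found. ][][][][][][][IsOk? No.]
"""

FIELD_RE = re.compile(r"\[([^\]]*)\]")

def parse_trace_line(line):
    """Split one bracket-delimited trace line into its fields.
    The first seven fields are fixed (date, time, time, pid, tid, source:line,
    function); the rest are positional and the last one is the message."""
    fields = FIELD_RE.findall(line)
    if len(fields) < 8:
        return None
    return {
        "time": fields[1],
        "source": fields[5],
        "function": fields[6],
        "message": fields[-1].strip(),
        # Non-empty positional fields: user, realm, rule and policy names, results.
        "context": [f.strip() for f in fields[7:-1] if f.strip()],
    }

# Message fragments that explain why the evaluator rejected the request in this trace.
REJECT_MARKERS = ("blocked by time", "not applicable", "No applicable Policy", "IsOk? No")

def explain_authz_failure(trace_text):
    """Return (function, message, context) for every line that explains a
    rejection, in trace order; an empty list means no rejection was recorded."""
    reasons = []
    for raw in trace_text.splitlines():
        entry = parse_trace_line(raw)
        if entry is None:
            continue
        text = " ".join([entry["message"]] + entry["context"])
        if any(marker in text for marker in REJECT_MARKERS):
            reasons.append((entry["function"], entry["message"], entry["context"]))
    return reasons

if __name__ == "__main__":
    for func, msg, ctx in explain_authz_failure(SAMPLE_TRACE):
        print(f"{func}: {msg}  context={ctx}")
```

    On the sample the first reason reported is the TestPolicy line "Policy is blocked by time" for policy wsfedrp:office365, which is the time restriction the next post removes.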



  • 3.  Re: Office 365 Federation error

    Posted Jul 01, 2015 06:57 PM

    Okay, the time error was because, for some reason, there was a time restriction on the partnership. Once I removed that, it was fine.

    Now I have IDP-initiated and SP-initiated working. But I'm having trouble with Active Profile.

    I'm using a disambiguation ID in my local WSFED entity. Once I did that, the STS is not initializing. Do I have to mention the disambiguation ID somewhere in the STS config?

    The STS says it can't find the ACO for the partnership name in the PS.

    2015-07-01 22:36:57,756 SEVERE [sts=Office365] [txn=] [com.ca.soa.agent.core.EvaluatorFactory] SM_WSA_01090 - Failed to get agent configuration for Office365 from the Policy Server Factory name: agent@"C:\\CA\\secure-proxy\\proxy-engine\\conf\\sts-config\\Office365"

    My partnership is named "Office365".

    Regards,

    Anand.



  • 4.  Re: STS Initialization Error

    Posted Jul 01, 2015 07:58 PM

    Okay, I fixed it. Now I don't have the error anymore. For whatever reason, the partnership didn't have the STS active profile check box enabled. Now the STS is initialized without error.

    However, my Active Profile is still not working. I don't see any logs of when O365 is trying to call my service. Any ideas on how to troubleshoot?

    I have a self-signed cert on my STS. Is a well-known CA-signed certificate an absolute must for this to work?

    Regards,

    Anand.



  • 5.  Re: STS Initialization Error

    Posted Jul 02, 2015 12:55 AM

    Alright. Final hurdle. I bought a certificate and put that in the SPS. Now I don't get the cert error anymore.

    But my Active Profile still doesn't work. This is what I get in my STS log.

    2015-07-02 04:50:00,834 INFO  [sts=Office365] [txn=1] [com.netegrity.tm.contenthelper.handler.response.SAMLSessionTicketResponseHandler] SM_WSC_01801 - STS Mode enabled. SAML ST Responses not honored.

    2015-07-02 04:50:00,834 INFO  [sts=Office365] [txn=1] [com.netegrity.tm.contenthelper.handler.response.WSSecurityUsernameResponseHandler] SM_WSC_02603 - STS Mode enabled. WS-Security Responses not honored.

    2015-07-02 04:50:00,834 INFO  [sts=Office365] [txn=1] [com.netegrity.tm.contenthelper.handler.response.WSSecurityX509ResponseHandler] SM_WSC_02701 - STS Mode enabled. WS-Security Responses not honored.

    2015-07-02 04:50:00,834 INFO  [sts=Office365] [txn=1] [com.netegrity.tm.contenthelper.handler.response.WSSecuritySAMLResponseHandler] SM_WSC_02502 - STS Mode enabled. WS-Security Responses not honored.

    2015-07-02 04:50:00,834 INFO  [sts=Office365] [txn=1] [com.netegrity.tm.contenthelper.handler.response.STSX509ResponseHandler] SM_WSC_02305 - No X.509 token response found; X.509 handler declining response request

    2015-07-02 04:50:00,834 INFO  [sts=Office365] [txn=1] [com.netegrity.tm.contenthelper.handler.response.STSWSSAMLResponseHandler] SM_WSC_02205 - No txm_wssec_affiliate name value available for SAML assertion to be created; SAML handler declining response request

    2015-07-02 04:50:00,834 INFO  [sts=Office365] [txn=1] [com.netegrity.tm.contenthelper.handler.response.SmSessionXMLResponseHandler] SM_WSC_01901 - SMSESSION token values not all present. Request not honored.

    2015-07-02 04:50:00,866 INFO  [sts=Office365] [txn=1] [com.ca.soa.services.sts.handler.SOASMWebServiceHandler] SM_WST_00084 - Authentication or Authorization failed.: SM_WSA_01578 - Authentication failed

    Has anyone encountered this before?

    Regards,

    Anand.



  • 6.  Re: Office 365 Active Profile Error

    Posted Jul 02, 2015 01:47 AM

    Hi Anand,


    Please verify that the ImmutableID and the UPN attributes exist for federation users. The values for these attributes in the on-premise user directory must match what is in the Office 365 directory.

    The Immutable ID and the UPN are required. Supply these values when you configure the WS-Federation partnership.


    Best regards,

    Kelly



  • 7.  Re: Office 365 Active Profile Error

    Posted Jul 02, 2015 02:03 AM

    wonsa03

    Thanks for your reply. For testing purposes, I'm not doing a full directory sync.

    My user directory has the mail attribute as username@test.com. In the partnership, I've set the mail attribute as the name ID, Immutable ID and UPN parameters.

    The UPN and Immutable ID on the Office 365 end are also set to username@test.com.

    What other attributes need to be set on the Office 365 end?

    Regards,

    Anand.



  • 8.  Re: Office 365 Active Profile Error

    Posted Jul 02, 2015 02:23 AM

    Hi Anand,


    Just to confirm, do you have attributes named 'ImmutableID' and 'UPN' in the user directory itself?


    Best regards,

    Kelly



  • 9.  Re: Office 365 Active Profile Error

    Posted Jul 02, 2015 11:38 AM

    wonsa03

    I don't have attributes named ImmutableID and UPN in the user directory.

    But I have ImmutableID and UPN in the assertion, the value is set as "user attribute", and it's picking the mail attribute from the user directory and populating it.

    Is that not the correct way?

    Regards,

    Anand.



  • 10.  Re: Office 365 Active Profile Error

    Posted Jul 02, 2015 07:42 PM

    Hi Anand,

    It does not have to be a physical attribute.

    Is it possible for you to open a support ticket with CA and provide us with the complete STS log and the corresponding FWSTrace.log?

    Best regards,

    Kelly



  • 11.  Re: Office 365 Active Profile Error

    Posted Jul 02, 2015 09:20 PM

    Hi Kelly,

    I have the ticket open: 00130937.

    Regards,

    Anand.



  • 12.  Re: Office 365 Active Profile Error
    Best Answer

    Posted Jul 05, 2015 10:31 PM

    Active Profile started working after we updated the user directory lookup to match the assertion attribute.