Layer7 Access Management


SP initiated flow fails with 500 error

  • 1.  SP initiated flow fails with 500 error

    Posted 03-24-2016 01:42 PM

    Hi All,

     

    I'm facing a similar issue here: the SP-initiated flow is failing with a 500 error. I applied the unlimited JCE patches in Java 1.8. I can see the response getting generated in the smps log, but in the fws trace log SAML2Response=NO.

     

    I have Policy Server 12.52 SP02 and Secure Proxy Server 12.52.

     

    FWS trace.log

    [Received the following response from SAML2 assertion generator: SAML2Response=NO.]

    [03/24/2016][17:13:42][2220][5180][e156504c-892b9a8c-8cee651c-dafa9512-3f4e1857][SSO.java][processAssertionGeneration][Transaction with ID: e156504c-892b9a8c-8cee651c-dafa9512-3f4e1857 failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]

    [03/24/2016][17:13:42][2220][5180][e156504c-892b9a8c-8cee651c-dafa9512-3f4e1857][SSO.java][processAssertionGeneration][Denying request due to "NO" returned from SAML2 assertion generator.]

    [03/24/2016][17:13:42][2220][5180][][agentcommon][][Requesting data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

    [03/24/2016][17:13:42][2220][5180][][agentcommon][][Administration Manager is returning data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

    [03/24/2016][17:13:42][2220][5180][][agentcommon][][Requesting data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

    [03/24/2016][17:13:42][2220][5180][][agentcommon][][Administration Manager is returning data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

    [03/24/2016][17:13:42][2220][5180][e156504c-892b9a8c-8cee651c-dafa9512-3f4e1857][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]

     

    SMPS log

     

    [5156/5432][Thu Mar 24 2016 10:13:42][AssertionGenerator.java][ERROR][sm-FedServer-00080] preProcess() returns fatal error. <Response ID="_d467f1f328777a88ad31bf236d13273a492e" InResponseTo="_2CAAAAVQ50PejME8wMjgwMDAwMDA0Qzk2AAAAyK6oCuOrboF0UGjccjsCmQMs7dNnQf6RtHK0Vzv1ysUJYHQbW_DzD2pIPUXypgIcq1RzVeBfGzD83Sy4h116bOMs3kuakfYsnlNSs9NRNzVdm7Mw_Opd6LDsuiwC5cGYVrs40H-tthIbAtVzdsheALo__ypRGuEJg3yOjq_uWwSDqQiyudiNJ6McGk8DWb6jFwiqbc4IWyodkNBTooqar6ojH4sNzhycG5O9sq6-J1pmvL4U9A2FJLp_juFMmDoFdg" IssueInstant="2016-03-24T17:13:42Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">

        <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">http://amith.sso1.com</ns1:Issuer>

        <Status>

            <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>

            <StatusMessage>Configuration error.</StatusMessage>

        </Status>

    </Response>



  • 2.  Re: SP initiated flow fails with 500 error

    Posted 03-24-2016 03:03 PM

    Hi,

     

    It looks like your server is failing to generate the assertion. Please verify that the assertion URL is correct. If it is correct, then recreating the SAML profile from scratch can help. I had faced a similar issue, and recreating the SAML profile (after deleting the existing one) in the SiteMinder admin UI helped.

     

    Regards,

    Vikash



  • 3.  Re: SP initiated flow fails with 500 error

    Posted 03-24-2016 11:06 PM

    Hi Amith,

     

    Assertion generation is failing. Enable PS trace with IdP template and check on the user authentication and assertion generation flow.



  • 4.  Re: SP initiated flow fails with 500 error

    Posted 03-25-2016 11:03 AM

    Hi Wonsa03,

     

    Received this in the PS traces. The assertion generation is failing here in some preProcess method, which I'm not sure about. Please look at the last part.

     

    [03/25/2016][07:47:31.399][07:47:31][5728][4856][AuthnRequestProtocol.java][getSPProperties][1bb29775-2c4ddebd-87467e94-844fc82b-a9993687-4ad][][][][][][][][][][][][][][][][][][][][Loading the configration data for the Service Provider with ID "https://amithsso.my.salesforce.com" ...]

    [03/25/2016][07:47:31.399][07:47:31][5728][4856][AssertionHandlerSAML20.java][preProcess][1bb29775-2c4ddebd-87467e94-844fc82b-a9993687-4ad][][][][][][][][][][][][][][][][][][][][Start to validate the SAML2.0 Authn request.]

    [03/25/2016][07:47:31.399][07:47:31][5728][4856][AuthnRequestProtocol.java][validateRequest][1bb29775-2c4ddebd-87467e94-844fc82b-a9993687-4ad][][][][][][][][][][][][][][][][][][][][Validating the Request...All the properties:

    {AuthenticationLevel=5, AttrSvcPartnershipAAProtEnabled=1, SessionNotOnOrAfterType=0, PartnershipArtifactProtEnabled=1, AssertionConsumerSvcURL_0=0|HTTP-Post|https://amithsso.my.salesforce.com?so=00D28000001GVDU, AttrSvcSignResponse=0, SAML2.AuthnRequestProtocolManager=com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol@d09906, EncryptNameID=0, UseStateCookie=1, UseSecureAuthURL=0, AllowTransactionType=3, InvalidRequestRedirectMode=0, EnableSSOECPProfile=0, AttrSvcLegacyAAProtEnabled=0, EnableAuthnRequestRedirect=1, AuthnContextRowCount=0, MniEnablePostBinding=0, IdPSourceID=44d3bb1089b6dae4163b127a8c7418b65cef907e, EnableSLOSOAPBinding=0, EnableAttributeService=1, MniNotifyUserName=*, AssertionConsumerDefaultURL=https://amithsso.my.salesforce.com?so=00D28000001GVDU, UnauthorizedAccessRedirectURL=, NameIdFormat=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, SLOServiceValidityDuration=60, DSigningAlias=amith.sso1.com, SignatureAlgo=1, SkewTime=30, IgnoreRequestedAuthnContext=0, ServerErrorRedirectURL=, SignArtifactResponse=0, CompareUserDNForSMC=1, MniRequireEncryptedNameID=0, CustomTimeout=60, IdPID=http://amith.sso1.com, ValidityDuration=60, DSigVerInfoSerialNumber=4382b137b13768018fd6ba70426ea067, ReuseSessionIndex=0, MniRequireSignedResponse=0, EnableSMC=0, AcceptIncomingAcsUrl=0, MniEncryptNameID=0, MniEnableNotification=0, KEY_SPID=https://amithsso.my.salesforce.com, Policy=@04-89072fe0-bfbc-4935-826b-260c18542743, PartnershipSource=3, EncryptionBlockAlgorithm=tripledes, RelayStateOverridesSloConfirm=0, AttrSvcSignAssertion=0, EnableSSOArtifactBinding=0, HidingMask=1, DisableSignatureProcessing=0, RequireSignedAuthnRequests=0, ArtifactSignatureOption=3, EnableUnauthorizedRequestURL=0, ServerErrorRedirectMode=0, Name=salesforce, InvalidRequestRedirectURL=, MniNotificationAuthType=1, OneTimeUse=0, MniNotifyTimeout=60, AuthenticationType=1, PersistentCookie=0, AuthnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:Password, 
MniDeleteNameID=0, BackChannelAuthType=2, MniRetryBoundary=15, Oid=21-582b117f-2cfa-481b-b291-d55d373d04ed, AuthnContextType=1, EnableInvalidRequestURL=0, ProxyServer=http://amith.sso1.com, EnableIPD=0, DSigVerInfoIssuerDN=CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US, AttrSvcValidityDuration=60, AE_PARAM_SAML2=-AssertionHandler:SAML20, Domain=@03-cc4eb1ac-b6fb-42e6-bd76-dc7ccf05a5fb, NameIdType=1, NameIdAttrName=mail, UnauthorizedAccessRedirectMode=0, MniEnableSOAPBinding=0, IsActive=1, ArtifactEncoding=URL, EnableServerErrorURL=0, AttrSvcRequireSignedQuery=0, MniAllowUserSelfService=0, MniRetryCount=3, OutgoingBackChannelAuthType=2, RequireSignedArtifactResolve=0, EnableUserConsent=0, AssertionConsumerSvcDefaultIndex=0, SAMLMajorVersion=2, EnableAuthnRequestPost=1, MniSOAPTimeout=60, MniSignRequest=0, AllowOFCAuthnContextOverride=0, Realm=@06-084f342d-413e-4f69-8ddb-c10f94559847, PostSignatureOption=0, EnableNegAuthResp=0, AttrSvcEnableProxiedQuery=0, AllowCreationOfUserIdentifier=0, EnableSLORedirectBinding=0, AssertionConsumerSvcRowCount=1, EncryptAssertion=0, EnforceForceAuthnSessionTimeouts=0, MniSignResponse=0, MniEnableRedirectBinding=0, MniRequireSignedRequest=0, EnableSSOPostBinding=1, SAMLMinorVersion=0, LegacyArtifactProtEnabled=0, EncryptNameIDForSLOSOAP=0, NetegrityAffiliateMinderAuthURL=http://amith.sso1.com/affwebservices/redirectjsp/redirect.jsp, EncryptionKeyAlgorithm=rsa-v15}]

    [03/25/2016][07:47:33.929][07:47:33][5728][5400][PolicyCache.cpp:1301][][][][][][][][][][][][][][][][][][][][][][LogMessage:INFO:[sm-Server-02880] Building policy cache ...]

    [03/25/2016][07:47:33.929][07:47:33][5728][5400][PolicyCache.cpp:1394][][][][][][][][][][][][][][][][][][][][][][LogMessage:INFO:[sm-Server-02890] Building policy cache done]

    [03/25/2016][07:47:33.929][07:47:33][5728][4856][AuthnRequestProtocol.java][verifySignatureOnRequest][1bb29775-2c4ddebd-87467e94-844fc82b-a9993687-4ad][][][][][][][][][][][][][][][][][][][][Certificate not found for issuer DN: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US serial number: 4382b137b13768018fd6ba70426ea067]

    [03/25/2016][07:47:33.929][07:47:33][5728][4856][AssertionGenerator.java][invoke][1bb29775-2c4ddebd-87467e94-844fc82b-a9993687-4ad][][][][][][][][][][][][][][][][][][][][AssertionHandler preProcess() failed. Leaving AssertionGenerator.]

     

    I'm authenticated on redirect.jsp, as seen below.

     

    [03/25/2016][07:47:31.399][07:47:31][5728][4652][Sm_Auth_Message.cpp:5154][CSm_Auth_Message::FormatAttribute][s2/r96][amith.sso1.com][][amithnaik][][redirect.jsp][redirectjsp][Democorp][][][][][][][][][][][][LDAP:][Send response attribute 215, data size is 5]

    [03/25/2016][07:47:31.399][07:47:31][5728][4652][Sm_Auth_Message.cpp:4651][CSm_Auth_Message::SendReply][s2/r96][amith.sso1.com][][amithnaik][][redirect.jsp][redirectjsp][Democorp][][][][][][][][][][][][][** Status: Authenticated. ]

    [03/25/2016][07:47:31.399][07:47:31][5728][4652][Sm_Auth_Message.cpp:4655][CSm_Auth_Message::SendReply][][][][][][][][][][][][][][][][][][][][][Leave function CSm_Auth_Message::SendReply]



  • 5.  Re: SP initiated flow fails with 500 error

    Posted 03-28-2016 02:26 AM

    Hi Amith,

     

    Please check if you can locate cert with serial# 4382b137b13768018fd6ba70426ea067 from the "smkeytool -listcerts" command output.

     

    Also, check if there's escape character within the issuer DN e.g: VeriSign\, Inc. There's a known issue with the escape character within the issuer DN causing the mismatch.

     

    Is this Federation Manager, SPS or WAOP? Which version?



  • 6.  Re: SP initiated flow fails with 500 error

    Posted 03-28-2016 07:37 AM

    Hi Wonsa03,

     

    Yeah, it's there. How do I remove this? It's SPS here.

     

     

    Alias Name: salesforcecert1

    Type: CertificateEntry

    Subject: CN=proxy.salesforce.com,OU=Applications,O=Salesf

    Issuer: CN=VeriSign Class 3 International Server CA - G3,

    gn Trust Network,O=VeriSign\, Inc.,C=US

    Serial Number: 4382B137B13768018FD6BA70426EA067

    Valid from: Thu Oct 17 17:00:00 PDT 2013  until: Tue Oct

    Revocation Status: Revocation is not configured.



  • 7.  Re: SP initiated flow fails with 500 error

    Posted 03-28-2016 07:43 AM

    Alias Name: salesforcecert1

    Type: CertificateEntry

    Subject: CN=proxy.salesforce.com,OU=Applications,O=Salesforce.com\, Inc.,L=San Francisco,ST=California,C=US

    Issuer: CN=VeriSign Class 3 International Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSi

    gn Trust Network,O=VeriSign\, Inc.,C=US

    Serial Number: 4382B137B13768018FD6BA70426EA067

    Valid from: Thu Oct 17 17:00:00 PDT 2013  until: Tue Oct 17 16:59:59 PDT 2017

    Revocation Status: Revocation is not configured.



  • 8.  Re: SP initiated flow fails with 500 error

    Posted 03-28-2016 06:23 PM

    Hi Amith,

     

    Try with the following:

    1. Go to XPSExplorer

    2. Select Certificate option under FED

    3. Search and select the specific certificate (serial# 4382b137b13768018fd6ba70426ea067)

    4. "W" - Get writable copy

    5. Enter the "Issuer DN" option

    6. Enter the Issuer DN value - CN=VeriSign Class 3 International Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US

    7. "U" - Update record

    8. "Q", "Q", "Q", "P" - Synchronize with PS, then quit XPSExplorer

    9. Restart SPS and test again.

     

    If it still failed with same error, please deactivate the partnership, remove the certificate, complete the update and go back in to add the certificate again.



  • 9.  Re: SP initiated flow fails with 500 error

    Posted 04-01-2016 01:38 PM

    Hi Wonsa03,

    Unfortunately, both renaming the Issuer DN and recreating the entire setup are not working somehow.



  • 10.  Re: SP initiated flow fails with 500 error
    Best Answer

    Posted 04-03-2016 08:13 PM

    Hi Amith,

     

    From the code review, the exception is thrown when PS is unable to locate a certificate in the certificate data store that matches the serial number and the issuer DN from the assertion.

     

    Do open a support ticket with CA Support to get this issue addressed. The suggested approach was intended to work around the issue, but this should be officially addressed.



  • 11.  Re: SP initiated flow fails with 500 error

    Posted 05-04-2016 05:17 PM

    One thing to add, is that we have found that if a federation partnership is active, you will need to disable the partnership and check the "Disable Signature Processing" box before implementing the workaround, and uncheck the "Disable Signature Processing" box afterwards, and re-enable the partnership.



  • 12.  Re: SP initiated flow fails with 500 error

    Posted 05-06-2016 01:28 AM

    Hi Amith ,

     

    Can you please let me know if you were able to fix the issue, as we are having the same issue when migrating from R12.50 to R12.52.

     

    Thanks



  • 13.  Re: SP initiated flow fails with 500 error

    Posted 12-23-2016 11:48 AM

    I'm also having the same issue, where the SP-initiated flow fails but the IdP-initiated flow works fine. I see the following error in the smtracedefault log on the Policy Server:

     

    [12/22/2016][11:44:24][356][][CServer.cpp:1869][CAgentMessageHandler::HandleInput][][][][][][][][Enqueuing a Normal Priority Message, from IP 10.22.241.164 with Port No 59527. Current count is 0]
    [12/22/2016][11:44:24][5108][][CServer.cpp:1428][ThreadPool::Run][][][][][][][][Dequeuing a Normal Priority message, from IP 10.22.241.164 with Port No 59527. Current count is 0]
    [12/22/2016][11:44:24][5108][][CServer.cpp:5764][CServer::ProcessRequest][][][][][][][][Enter function CServer::ProcessRequest]
    [12/22/2016][11:44:24][836][416f28b1-1c0dc737-a9c60408-a38e8c86-f617cabb-e][AuthnRequestProtocol.java][verifySignatureOnRequest][][][][][][][][Certificate not found for issuer DN: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US serial number: 4382b137b13768018fd6ba70426ea067]



  • 14.  Re: SP initiated flow fails with 500 error

    Posted 12-23-2016 12:13 PM

    Strange thing. We have the same setup in our UAT environment and it works fine. So were you able to find out whether this is an issue on the Salesforce or SM side? I see that the serial number and Issuer DN are not matching when I look at the same cert file.

     

    Any help is greatly appreciated.

     

    Thanks



  • 15.  Re: SP initiated flow fails with 500 error

    Posted 12-23-2016 12:43 PM

    Please refer below where I have posted the solution for the issue:

     

    https://communities.ca.com/thread/241753845

     

    Thanks,

    Kanishak



  • 16.  Re: SP initiated flow fails with 500 error

    Posted 12-27-2016 10:00 AM

    We found the root cause of this issue was that the certificate's Issuer DN had an escape character in it (CA Support told us this is a known issue they are aware of).

     

    Once we got a new certificate with no escape characters in the Issuer DN, the issue was resolved. We asked when they would be fixing this bug, as the version we were using was 12.52 SP1 CR05. Still waiting to hear back from them.

     

    Thanks
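The mismatch discussed in posts 5, 10 and 16 comes down to the same issuer DN being written two ways: the partnership logs `O="VeriSign, Inc."` (RFC 1779 quoting) while the key store lists `O=VeriSign\, Inc.` (RFC 2253 backslash escaping), and the serial differs only in hex case. The diagnostic below is an added example, not CA or SiteMinder code; it parses both DN forms into RDN components and shows that a plain string comparison fails where a normalized one matches. The DN and serial come from the log lines in this thread; the store listing is constructed in `smkeytool -listcerts` style.

```python
def parse_dn(dn):
    """Split a DN into (attr, value) pairs. Handles RFC 2253 backslash
    escapes (O=VeriSign\\, Inc.) and RFC 1779 quoting (O="VeriSign, Inc.")."""
    rdns, i, n = [], 0, len(dn)
    while i < n:
        eq = dn.index("=", i)
        attr = dn[i:eq].strip().upper()
        i, value, quoted = eq + 1, [], False
        while i < n:
            c = dn[i]
            if c == "\\" and i + 1 < n:        # escaped char: take next literally
                value.append(dn[i + 1]); i += 2; continue
            if c == '"':                        # enter/leave a quoted section
                quoted = not quoted; i += 1; continue
            if c == "," and not quoted:         # unquoted comma ends this RDN
                break
            value.append(c); i += 1
        rdns.append((attr, "".join(value).strip()))
        i += 1                                  # step over the separator
    return rdns

def naive_match(expected_dn, expected_serial, entry):
    """Byte-for-byte comparison: fails on escaping style and hex case."""
    return entry["issuer"] == expected_dn and entry["serial"] == expected_serial

def normalized_match(expected_dn, expected_serial, entry):
    """Compare parsed RDNs and case-folded serials instead of raw strings."""
    return (parse_dn(entry["issuer"]) == parse_dn(expected_dn)
            and entry["serial"].lower().lstrip("0") == expected_serial.lower().lstrip("0"))

def find_signing_cert(expected_dn, expected_serial, store):
    """Return the alias of the store entry the partnership should resolve to, or None."""
    for entry in store:
        if normalized_match(expected_dn, expected_serial, entry):
            return entry["alias"]
    return None

# Values from the DSigVerInfoIssuerDN / DSigVerInfoSerialNumber log properties above
PARTNERSHIP_DN = ('CN=VeriSign Class 3 International Server CA - G3, '
                  'OU=Terms of use at https://www.verisign.com/rpa (c)10, '
                  'OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US')
PARTNERSHIP_SERIAL = "4382b137b13768018fd6ba70426ea067"

# Constructed key-store listing, in the form smkeytool -listcerts printed in post 7
STORE = [{"alias": "salesforcecert1",
          "issuer": (r"CN=VeriSign Class 3 International Server CA - G3,"
                     r"OU=Terms of use at https://www.verisign.com/rpa (c)10,"
                     r"OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US"),
          "serial": "4382B137B13768018FD6BA70426EA067"}]
```

Running `find_signing_cert(PARTNERSHIP_DN, PARTNERSHIP_SERIAL, STORE)` returns `salesforcecert1`, while `naive_match` on the same entry returns False, which is the lookup behaviour the thread describes.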