Symantec Access Management

Hi All,

Im facing similar issue here SP initiated flow is failing with 500 error. I applied unlimited jce patches in java 1.8 . I can see response getting generated in smps log but in fws trace log  SAML2Response=NO

I have Policy server 12.52 sp02 and secure proxy server 12.52

FWS trace.log

[Received the following response from SAML2 assertion generator: SAML2Response=NO.]

[03/24/2016][17:13:42][2220][5180][e156504c-892b9a8c-8cee651c-dafa9512-3f4e1857][SSO.java][processAssertionGeneration][Transaction with ID: e156504c-892b9a8c-8cee651c-dafa9512-3f4e1857 failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]

[03/24/2016][17:13:42][2220][5180][e156504c-892b9a8c-8cee651c-dafa9512-3f4e1857][SSO.java][processAssertionGeneration][Denying request due to "NO" returned from SAML2 assertion generator.]

[03/24/2016][17:13:42][2220][5180][][agentcommon][][Requesting data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

[03/24/2016][17:13:42][2220][5180][][agentcommon][][Administration Manager is returning data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

[03/24/2016][17:13:42][2220][5180][][agentcommon][][Requesting data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

[03/24/2016][17:13:42][2220][5180][][agentcommon][][Administration Manager is returning data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

[03/24/2016][17:13:42][2220][5180][e156504c-892b9a8c-8cee651c-dafa9512-3f4e1857][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]

SMPS log

[5156/5432][Thu Mar 24 2016 10:13:42][AssertionGenerator.java][ERROR][sm-FedServer-00080] preProcess() returns fatal error. <Response ID="_d467f1f328777a88ad31bf236d13273a492e" InResponseTo="_2CAAAAVQ50PejME8wMjgwMDAwMDA0Qzk2AAAAyK6oCuOrboF0UGjccjsCmQMs7dNnQf6RtHK0Vzv1ysUJYHQbW_DzD2pIPUXypgIcq1RzVeBfGzD83Sy4h116bOMs3kuakfYsnlNSs9NRNzVdm7Mw_Opd6LDsuiwC5cGYVrs40H-tthIbAtVzdsheALo__ypRGuEJg3yOjq_uWwSDqQiyudiNJ6McGk8DWb6jFwiqbc4IWyodkNBTooqar6ojH4sNzhycG5O9sq6-J1pmvL4U9A2FJLp_juFMmDoFdg" IssueInstant="2016-03-24T17:13:42Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">

    <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">http://amith.sso1.com</ns1:Issuer>

    <Status>

        <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>

        <StatusMessage>Configuration error.</StatusMessage>

    </Status>

</Response>

Hi,

It looks like your server is failing to generate the assertion. Please verify if assertion URL is correct. If that is correct, then recreating the SAML profile from scratch can help.  I had faced similar issue and  recreating(after deleting the existing SAML profile) SAML profile in siteminder admin UI has helped.

Regards,

Vikash

Hi Amith,

Assertion generation is failing. Enable PS trace with IdP template and check on the user authentication and assertion generation flow.

Hi Wonsa03,

Received this in PS traces The assertion generation failing here with some preprocess method which im aint sure . Please look at last part.

[03/25/2016][07:47:31.399][07:47:31][5728][4856][AuthnRequestProtocol.java][getSPProperties][1bb29775-2c4ddebd-87467e94-844fc82b-a9993687-4ad][][][][][][][][][][][][][][][][][][][][Loading the configration data for the Service Provider with ID "https://amithsso.my.salesforce.com" ...]

[03/25/2016][07:47:31.399][07:47:31][5728][4856][AssertionHandlerSAML20.java][preProcess][1bb29775-2c4ddebd-87467e94-844fc82b-a9993687-4ad][][][][][][][][][][][][][][][][][][][][Start to validate the SAML2.0 Authn request.]

[03/25/2016][07:47:31.399][07:47:31][5728][4856][AuthnRequestProtocol.java][validateRequest][1bb29775-2c4ddebd-87467e94-844fc82b-a9993687-4ad][][][][][][][][][][][][][][][][][][][][Validating the Request...All the properties:

{AuthenticationLevel=5, AttrSvcPartnershipAAProtEnabled=1, SessionNotOnOrAfterType=0, PartnershipArtifactProtEnabled=1, AssertionConsumerSvcURL_0=0|HTTP-Post|https://amithsso.my.salesforce.com?so=00D28000001GVDU, AttrSvcSignResponse=0, SAML2.AuthnRequestProtocolManager=com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol@d09906, EncryptNameID=0, UseStateCookie=1, UseSecureAuthURL=0, AllowTransactionType=3, InvalidRequestRedirectMode=0, EnableSSOECPProfile=0, AttrSvcLegacyAAProtEnabled=0, EnableAuthnRequestRedirect=1, AuthnContextRowCount=0, MniEnablePostBinding=0, IdPSourceID=44d3bb1089b6dae4163b127a8c7418b65cef907e, EnableSLOSOAPBinding=0, EnableAttributeService=1, MniNotifyUserName=*, AssertionConsumerDefaultURL=https://amithsso.my.salesforce.com?so=00D28000001GVDU, UnauthorizedAccessRedirectURL=, NameIdFormat=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, SLOServiceValidityDuration=60, DSigningAlias=amith.sso1.com, SignatureAlgo=1, SkewTime=30, IgnoreRequestedAuthnContext=0, ServerErrorRedirectURL=, SignArtifactResponse=0, CompareUserDNForSMC=1, MniRequireEncryptedNameID=0, CustomTimeout=60, IdPID=http://amith.sso1.com, ValidityDuration=60, DSigVerInfoSerialNumber=4382b137b13768018fd6ba70426ea067, ReuseSessionIndex=0, MniRequireSignedResponse=0, EnableSMC=0, AcceptIncomingAcsUrl=0, MniEncryptNameID=0, MniEnableNotification=0, KEY_SPID=https://amithsso.my.salesforce.com, Policy=@04-89072fe0-bfbc-4935-826b-260c18542743, PartnershipSource=3, EncryptionBlockAlgorithm=tripledes, RelayStateOverridesSloConfirm=0, AttrSvcSignAssertion=0, EnableSSOArtifactBinding=0, HidingMask=1, DisableSignatureProcessing=0, RequireSignedAuthnRequests=0, ArtifactSignatureOption=3, EnableUnauthorizedRequestURL=0, ServerErrorRedirectMode=0, Name=salesforce, InvalidRequestRedirectURL=, MniNotificationAuthType=1, OneTimeUse=0, MniNotifyTimeout=60, AuthenticationType=1, PersistentCookie=0, AuthnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:Password, MniDeleteNameID=0, BackChannelAuthType=2, MniRetryBoundary=15, Oid=21-582b117f-2cfa-481b-b291-d55d373d04ed, AuthnContextType=1, EnableInvalidRequestURL=0, ProxyServer=http://amith.sso1.com, EnableIPD=0, DSigVerInfoIssuerDN=CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US, AttrSvcValidityDuration=60, AE_PARAM_SAML2=-AssertionHandler:SAML20, Domain=@03-cc4eb1ac-b6fb-42e6-bd76-dc7ccf05a5fb, NameIdType=1, NameIdAttrName=mail, UnauthorizedAccessRedirectMode=0, MniEnableSOAPBinding=0, IsActive=1, ArtifactEncoding=URL, EnableServerErrorURL=0, AttrSvcRequireSignedQuery=0, MniAllowUserSelfService=0, MniRetryCount=3, OutgoingBackChannelAuthType=2, RequireSignedArtifactResolve=0, EnableUserConsent=0, AssertionConsumerSvcDefaultIndex=0, SAMLMajorVersion=2, EnableAuthnRequestPost=1, MniSOAPTimeout=60, MniSignRequest=0, AllowOFCAuthnContextOverride=0, Realm=@06-084f342d-413e-4f69-8ddb-c10f94559847, PostSignatureOption=0, EnableNegAuthResp=0, AttrSvcEnableProxiedQuery=0, AllowCreationOfUserIdentifier=0, EnableSLORedirectBinding=0, AssertionConsumerSvcRowCount=1, EncryptAssertion=0, EnforceForceAuthnSessionTimeouts=0, MniSignResponse=0, MniEnableRedirectBinding=0, MniRequireSignedRequest=0, EnableSSOPostBinding=1, SAMLMinorVersion=0, LegacyArtifactProtEnabled=0, EncryptNameIDForSLOSOAP=0, NetegrityAffiliateMinderAuthURL=http://amith.sso1.com/affwebservices/redirectjsp/redirect.jsp, EncryptionKeyAlgorithm=rsa-v15}]

[03/25/2016][07:47:33.929][07:47:33][5728][5400][PolicyCache.cpp:1301][][][][][][][][][][][][][][][][][][][][][][LogMessage:INFO:[sm-Server-02880] Building policy cache ...]

[03/25/2016][07:47:33.929][07:47:33][5728][5400][PolicyCache.cpp:1394][][][][][][][][][][][][][][][][][][][][][][LogMessage:INFO:[sm-Server-02890] Building policy cache done]

[03/25/2016][07:47:33.929][07:47:33][5728][4856][AuthnRequestProtocol.java][verifySignatureOnRequest][1bb29775-2c4ddebd-87467e94-844fc82b-a9993687-4ad][][][][][][][][][][][][][][][][][][][][Certificate not found for issuer DN: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US serial number: 4382b137b13768018fd6ba70426ea067]

[03/25/2016][07:47:33.929][07:47:33][5728][4856][AssertionGenerator.java][invoke][1bb29775-2c4ddebd-87467e94-844fc82b-a9993687-4ad][][][][][][][][][][][][][][][][][][][][AssertionHandler preProcess() failed. Leaving AssertionGenerator.]

Im authenticated on redirect.jsp

as seen below

[03/25/2016][07:47:31.399][07:47:31][5728][4652][Sm_Auth_Message.cpp:5154][CSm_Auth_Message::FormatAttribute][s2/r96][amith.sso1.com][][amithnaik][][redirect.jsp][redirectjsp][Democorp][][][][][][][][][][][][LDAP:][Send response attribute 215, data size is 5]

[03/25/2016][07:47:31.399][07:47:31][5728][4652][Sm_Auth_Message.cpp:4651][CSm_Auth_Message::SendReply][s2/r96][amith.sso1.com][][amithnaik][][redirect.jsp][redirectjsp][Democorp][][][][][][][][][][][][][** Status: Authenticated. ]

[03/25/2016][07:47:31.399][07:47:31][5728][4652][Sm_Auth_Message.cpp:4655][CSm_Auth_Message::SendReply][][][][][][][][][][][][][][][][][][][][][Leave function CSm_Auth_Message::SendReply]

Hi Amith,

Please check if you can locate cert with serial# 4382b137b13768018fd6ba70426ea067 from the "smkeytool -listcerts" command output.

Also, check if there's escape character within the issuer DN e.g: VeriSign\, Inc. There's a known issue with the escape character within the issuer DN causing the mismatch.

Is this Federation Manager, SPS  or WAOP? version?

Hi Wonsa03,

Yeah its there how do i remove this ? Its SPS here.

Alias Name: salesforcecert1

Type: CertificateEntry

Subject: CN=proxy.salesforce.com,OU=Applications,O=Salesf

Issuer: CN=VeriSign Class 3 International Server CA - G3,

gn Trust Network,O=VeriSign\, Inc.,C=US

Serial Number: 4382B137B13768018FD6BA70426EA067

Valid from: Thu Oct 17 17:00:00 PDT 2013  until: Tue Oct

Revocation Status: Revocation is not configured.

Alias Name: salesforcecert1

Type: CertificateEntry

Subject: CN=proxy.salesforce.com,OU=Applications,O=Salesforce.com\, Inc.,L=San Francisco,ST=California,C=US

Issuer: CN=VeriSign Class 3 International Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSi

gn Trust Network,O=VeriSign\, Inc.,C=US

Serial Number: 4382B137B13768018FD6BA70426EA067

Valid from: Thu Oct 17 17:00:00 PDT 2013  until: Tue Oct 17 16:59:59 PDT 2017

Revocation Status: Revocation is not configured.

Hi Amith,

Try with the following:

1. Go to XPSExplorer

2. Select Certificate option under FED

3. Search and select the specific certificate (serial# 4382b137b13768018fd6ba70426ea067)

4. "W" - Get writable copy

5. Enter the "Issuer DN" option

6. Enter the Issuer DN value - CN=VeriSign Class 3 International Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US

7. "U" - Update record

8. "Q", "Q", "Q", "P" - Synchronize with PS, then quit XPSExplorer

9. Restart SPS and test again.

If it still failed with same error, please deactivate the partnership, remove the certificate, complete the update and go back in to add the certificate again.

Hi Wonsa03,

unfortunately both renaming the Issuer dn and recreating entire setup is not working some how.

Hi Amith,

From the code review, the exception is thrown when PS is unable to locate certificate from certificate data store that matches the serial number the issuer DN from the assertion.

Do open a support ticket with CA Support to get this issue address. The suggested approach was to intend to workaround the issue but this should be officially addressed.

One thing to add, is that we have found that if a federation partnership is active, you will need to disable the partnership and check the "Disable Signature Processing" box before implementing the workaround, and uncheck the "Disable Signature Processing" box afterwards, and re-enable the partnership.

Hi Amith ,

Can you please let me know if you were able to fix the issue as we are having same issue when we are migrating from R12.50 to R12.52.

Thanks

I'm also having same issue where SP Initiated flow fails but IDP initiated works fine. I see the following error in the Smtracedefault log on Policy Server:

[12/22/2016][11:44:24][356][][CServer.cpp:1869][CAgentMessageHandler::HandleInput][][][][][][][][Enqueuing a Normal Priority Message, from IP 10.22.241.164 with Port No 59527. Current count is 0]
[12/22/2016][11:44:24][5108][][CServer.cpp:1428][ThreadPool::Run][][][][][][][][Dequeuing a Normal Priority message, from IP 10.22.241.164 with Port No 59527. Current count is 0]
[12/22/2016][11:44:24][5108][][CServer.cpp:5764][CServer::ProcessRequest][][][][][][][][Enter function CServer::ProcessRequest]
[12/22/2016][11:44:24][836][416f28b1-1c0dc737-a9c60408-a38e8c86-f617cabb-e][AuthnRequestProtocol.java][verifySignatureOnRequest][][][][][][][][Certificate not found for issuer DN: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US serial number: 4382b137b13768018fd6ba70426ea067]

Strange thing. We have same setup in our UAT environment and it works fine. So Were you able to find if this is an issue on Saleforce or SM? I see that the Serial number and Issuer DN are not matching when i look at the same cert file. 

Any help is greatly appreciated.

Thanks

Please refer below where I have posted the solution for the issue:

https://communities.ca.com/thread/241753845

Thanks,

Kanishak

We found the root cause for this issue was that the Certificate's issuer DN was having an escape character in it ( CA Support told us this is a known issue they are aware of ). 

Once we got a new certificate with no escape Characters in the Issuer DN, the issue resolved.  We asked the question on when they would be fixing this bug as the version we were using 12.52 SP1 CR05. still waiting to hear back from them.

Thanks