Layer7 Access Management

Expand all | Collapse all

SP Init fails with POST not valid

Jump to Best Answer
  • 1.  SP Init fails with POST not valid

    Posted 07-13-2016 11:39 PM

    Friends,

    We use SiteMinder federation Services for SAML integrations.

    I am trying to setup SP Initiated authentication with Tableu Server. Entities are created, partnership is enabled with  HTTP-POST binding. When user access service, they get redirected to IDP SSO Service via POST.

    Header shows: POST /affwebservices/public/saml2sso HTTP/1.1

    There is no Query String. POSTData shows relaystate and SAMLRequest parameter. Decoding SAMLRequest points to correct SPID and some other info.

     

    SPS fails with a 403.

    FWS log shows:

     

    [07/14/2016][03:03:56][1184][2593799024][29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b][SSO.java][doPost][SAML2 Single Sign-On Service received POST request.]

    [07/14/2016][03:03:56][1184][2593799024][29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b][FWSBase.java][doRequestLog][Requesting Host: x.x.x.x. Requesting Host IP: x.x.x.x Request protocol: HTTP/1.1 Request was secure: true Authentication type: null]

    [07/14/2016][03:03:56][1184][2593799024][29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b][SSO.java][doPost][POST data: ]

    [07/14/2016][03:03:56][1184][2593799024][29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b][SSO.java][parseMessage][Exception while parsing message.]

    [07/14/2016][03:03:56][1184][2593799024][29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b][SSO.java][doPost][Transaction with ID: 29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b failed. Reason: SAML2_UNSUPPORTED_POST_REQUEST]

    [07/14/2016][03:03:56][1184][2593799024][29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b][SSO.java][doPost][SAML2 Single Sign-On Service does not support POST requests.]

    [07/14/2016][03:03:56][1184][2593799024][29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b][SSO.java][doPost][Ending SAML2 Single Sign-On Service request processing with HTTP error 403]

    [07/14/2016][03:03:56][1184][2593799024][29e87cee-cec29aa8-5f309a1e-9821db22-1d03afdd-3b][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 403 ]

    [07/14/2016][03:04:11][1184][2592803696][][CustomPostPageCache][performUpdate][Checking for updates]

     

     

     

     

    Appreciate if anyone can throw some light on this.



  • 2.  Re: SP Init fails with POST not valid

    Posted 07-13-2016 11:49 PM

    If I try IDP initiated, I get this error:

    [07/14/2016][03:46:25][1184][2594130800][1bd35d17-e3aca029-23a83776-92c651b6-710f58b6-70][SSO.java][processAssertionGeneration][Calling authorizeEx to invoke SAML2 assertion generator.]

    [07/14/2016][03:46:25][1184][2594130800][1bd35d17-e3aca029-23a83776-92c651b6-710f58b6-70][SSO.java][processAssertionGeneration][Result of authorizeEx call is: 2.]

    [07/14/2016][03:46:25][1184][2594130800][1bd35d17-e3aca029-23a83776-92c651b6-710f58b6-70][SSO.java][processAssertionGeneration][Transaction with ID: 1bd35d17-e3aca029-23a83776-92c651b6-710f58b6-70 failed. Reason: FAILED_AUTHEX]

    [07/14/2016][03:46:25][1184][2594130800][1bd35d17-e3aca029-23a83776-92c651b6-710f58b6-70][SSO.java][processAssertionGeneration][Denying request due to authorizeEx call failure.]

    [07/14/2016][03:46:25][1184][2594130800][1bd35d17-e3aca029-23a83776-92c651b6-710f58b6-70][SSO.java][processAssertionGeneration][Sending 500 error]

    [07/14/2016][03:46:25][1184][2594130800][1bd35d17-e3aca029-23a83776-92c651b6-710f58b6-70][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]

     

    Is there a place where I can see what each of value of authorizeEx is? In this case it says iauthorizeEx call is: 2.

     

    Thanks in advance.



  • 3.  Re: SP Init fails with POST not valid

    Posted 07-14-2016 06:24 AM

    Hello Sam,

     

    Maybe you can check the policy server traces for the same transaction : 1bd35d17-e3aca029-23a83776-92c651b6-710f58b6-70

     

    > It will give you more information on the failure.

    > Is it a new setup or was it working before ?

     

    Hope it helps,

    Julien



  • 4.  Re: SP Init fails with POST not valid

    Posted 07-14-2016 01:55 AM

    Hi,

     

    This just for your information.

    The document TEC1351614 states SAML 2.0 HTTP-POST Authentication Binding. While the reason UNSUPPORTED_AUTHN_REQUEST_BINDING is not matched with your SAML2_UNSUPPORTED_POST_REQUEST, it explains some check points which might help.

     

    Regards,

    Koichi



  • 5.  Re: SP Init fails with POST not valid
    Best Answer

    Posted 07-21-2016 12:55 PM

    Thank You. I needed to upgrade to R12.52 to get the HTTP-Redirect option for authentication binding. Thanks everyone.