Layer7 Access Management

Expand all | Collapse all

Getting 500 Error with Transaction ID for a SP Initiated SSO

Jump to Best Answer
  • 1.  Getting 500 Error with Transaction ID for a SP Initiated SSO

    Posted 11-18-2016 04:45 PM

    Hi

     

    We are getting below error in the smps.log in the SP Initiated SSO Call for one of our on-premise partner:

     

    [AssertionGenerator.java][ERROR][sm-FedServer-00080] preProcess() returns fatal error. <Response ID="_37bf9cd57f08587fa174a8bcadbc3137abe2" InResponseTo="_15b9ce6e5fad2789c8cdc011225cca16" IssueInstant="2016-11-18T21:24:37Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
    <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">IDP Entity ID</ns1:Issuer>
    <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </StatusCode>
    <StatusMessage>Request did not fulfill security requirements!</StatusMessage>
    </Status>
    </Response>

     

    Could anyone suggest me / share your thoughts on this federation issue.

     

    Thanks!



  • 2.  Re: Getting 500 Error with Transaction ID for a SP Initiated SSO

    Posted 11-18-2016 04:58 PM

    Hi Teja,


    Look at policy server trace log , it should have more indication of what happened and why it failed.


    This thread may also be related :

    https://communities.ca.com/thread/241753845


    Regards,

    Ujwol



  • 3.  Re: Getting 500 Error with Transaction ID for a SP Initiated SSO

    Posted 11-19-2016 12:19 PM

    I am seeing [** Status: Authorized. ] in the profiler logs,  but the SAML Response is not getting generated.



  • 4.  Re: Getting 500 Error with Transaction ID for a SP Initiated SSO

    Posted 11-19-2016 04:58 PM

    Hi Teja,


    We will need full smtrace. If you can't attach it here, do you mind sending it via email (communities)?


    Regards,

    Ujwol



  • 5.  Re: Getting 500 Error with Transaction ID for a SP Initiated SSO

    Posted 11-20-2016 06:02 PM

    Copy response from duplicate thread :

    Hi Teja,

     

    Logs shared in Communities Post is accessible by everyone.

     

    The security requirement fulfilment error may relate to signed AuthNRequest. IdP needs the matching public certificate to verify the SP signature. To confirm if that's cause, please test with disabled AuthNRequest signing.

     

    Common causes of the error -- IDP either does not have the certificate to verify the signature of the authNrequest or the certificate selected on IDP partnership has certIssuerDN and certserial value equal to null. 



  • 6.  Re: Getting 500 Error with Transaction ID for a SP Initiated SSO
    Best Answer

    Posted 11-20-2016 06:54 PM

    Hi Teja,

     

    I was able to replicate the issue in my lab.

     

    It seems that you have Signed Authentication request requirement set to YES at IDP :

     

    However, the AuthnRequest sent by SP is not signed.

    You can verify this by reviewing the fiddler. If the AuthNRequest is signed you should see the signature as below :

     

     

                                                           Fig. Signed AuthNRequest

     

    In case of unsigned AuthnRequest , you will NOT see the Signature , see below :

     

                                                            Fig. Un Signed AuthNRequest

     

    Also, if you have the detailed tracing enabled on Policy server you should see the exact error message like this on IDP smtrace log :

     

    [11/21/2016][10:35:05][4788][a15a8888-d72d7f92-b17b0803-fc600ef2-0050a3e4-d3][AuthnRequestProtocol.java][verifySignatureOnRequest][][][][][][][][Authnrequests are required to be signed but the request did not contain a required query parameter: Signature, or SigAlg is missing.]
    [11/21/2016][10:35:05][4788][a15a8888-d72d7f92-b17b0803-fc600ef2-0050a3e4-d3][AssertionGenerator.java][invoke][][][][][][][][AssertionHandler preProcess() failed. Leaving AssertionGenerator.]

     

    Solution :

     

    Configure SP to sign AuthNRequest. If SP is CA SSO you can do this as below on SP side of partnership :

     

    Let me know if this works for you.

     

    Regards,

    Ujwol Shrestha

    Ujwol's Single Sign-On Blog 



  • 7.  Re: Getting 500 Error with Transaction ID for a SP Initiated SSO

    Posted 11-20-2016 08:26 PM

    I disabled the Signed Authentication Requests, and it works fine.

     

     

    Thanks for all your help! I will enable the IDP SMTrace so that it will write the detailed logging.