Symantec Access Management

  • 1.  User getting 500 internal error while refreshing the browser with an existing session

    Posted Mar 08, 2017 05:45 AM

    Hi,

     

    Multiple users are getting an error when accessing the application after refreshing an existing valid session.

    PFB the logs getting generated in affwebserv

     

    FWSTrace_20170308_112357.log:[03/08/2017][10:18:15][32131][74009456][3cb9911d-b689ab74-0d600386-8ec5190b-07b395f7-21][FWSBase.java][createSessionCookie][Validating input...]
    FWSTrace_20170308_112357.log:[03/08/2017][10:18:15][32131][74009456][3cb9911d-b689ab74-0d600386-8ec5190b-07b395f7-21][FWSBase.java][createSessionCookie][Creating the smsession cookie for SP domain [CHECKPOINT = SSO_SMSESSIONFORSPDOMAIN_REQ]]
    FWSTrace_20170308_112357.log:[03/08/2017][10:18:15][32131][74009456][3cb9911d-b689ab74-0d600386-8ec5190b-07b395f7-21][FWSBase.java][createSessionCookie][Recived valid input. Attempting to create SESSION cookie.]
    FWSTrace_20170308_112357.log:[03/08/2017][10:18:15][32131][74009456][3cb9911d-b689ab74-0d600386-8ec5190b-07b395f7-21][FWSBase.java][createSessionCookie][session id is: Q/lH5uZfDs9n+2Sp/Ft6sAbxBIU=]
    FWSTrace_20170308_112357.log:[03/08/2017][10:18:15][32131][74009456][3cb9911d-b689ab74-0d600386-8ec5190b-07b395f7-21][FWSBase.java][createSessionCookie][About to create SESSION cookie.]
    FWSTrace_20170308_112357.log:[03/08/2017][10:18:15][32131][74009456][3cb9911d-b689ab74-0d600386-8ec5190b-07b395f7-21][FWSBase.java][createSessionCookie][Placing smsession in browser [CHECKPOINT = SSO_PLACESMSSESSIONTOBROWSER_REQ]]
    FWSTrace_20170308_112357.log:[03/08/2017][10:18:15][32131][74009456][3cb9911d-b689ab74-0d600386-8ec5190b-07b395f7-21][SSO.java][processRequest][Force Authn is disabled.]
    FWSTrace_20170308_112357.log:[03/08/2017][10:18:15][32131][74009456][3cb9911d-b689ab74-0d600386-8ec5190b-07b395f7-21][SSO.java][processRequest][Current session state is: true]
    FWSTrace_20170308_112357.log:[03/08/2017][10:18:15][32131][74009456][3cb9911d-b689ab74-0d600386-8ec5190b-07b395f7-21][SSO.java][processApplicationRedirect][No application URL defined - not redirecting.]
    FWSTrace_20170308_112357.log:[03/08/2017][10:18:15][32131][74009456][3cb9911d-b689ab74-0d600386-8ec5190b-07b395f7-21][SSO.java][getLocalServiceURL][Enter getLocalServiceURL]
    FWSTrace_20170308_112357.log:[03/08/2017][10:18:15][32131][74009456][3cb9911d-b689ab74-0d600386-8ec5190b-07b395f7-21][SSO.java][getLocalServiceURL][Using Proxy URL for local SSO service: https://fss.ericsson.net/affwebservices/public/saml2sso]
    FWSTrace_20170308_112357.log:[03/08/2017][10:18:15][32131][74009456][3cb9911d-b689ab74-0d600386-8ec5190b-07b395f7-21][SSO.java][getACSURLFromSSORequestContext][Using the Assertion Consumer Service URL provided: https://prevention.afa.se/PreventionSSO/Login/ericsson/Shibboleth.sso/SAML2/POST]
    FWSTrace_20170308_112357.log:[03/08/2017][10:18:15][32131][74009456][3cb9911d-b689ab74-0d600386-8ec5190b-07b395f7-21][SSO.java][processAssertionGeneration][Enforce Force Authn Timeouts is set to: false]
    FWSTrace_20170308_112357.log:[03/08/2017][10:18:15][32131][74009456][3cb9911d-b689ab74-0d600386-8ec5190b-07b395f7-21][SSO.java][processAssertionGeneration][resource is: /SAMLRequest=fVLLcoIwFP0VJnsJoPjICDNUF3XGVkZsF910QrxoZjChuUHbvy9ItXZRl0nOuedxM0V%2BKCuW1Hav1vBRA1rn81AqZOeHiNRGMc1RIlP8AMisYFnytGSB67HKaKuFLomTIIKxUquZVlgfwGRgjlLAy3oZkb21FTJKKwNHUC3K5QV3EWh6vcmyFV3qnVQUjBSIWtFsL%2FNcl2D3bnOmrWpA01W2Ic68sSkVb4m%2F4wtE90J2FVjKi%2BIEOXZOkFZ1XkpB21xBgyHOYh6R92G%2BnYTBeDgI%2B2E46XMh%2BGQyGnqhNxgKCKCBIdawUGi5shEJPH%2FU8%2Fo9b7zxPeaPmT94I07608SDVFupdvdryzsQssfNJu11iV7B4DlNAyDxtDXJzsLmZh33x%2FLLDkj8f%2BN4LXVKb0Q6xYo9N1MX81Q3RX05SVnq08wAtxARn9C4o%2Fz9LfE3&RelayState=https%3A%2F%2Fprevention.afa.se%2FPreventionSSO%2FLogin%2Fericsson&SSOUrl=https://fss.ericsson.net/affwebservices/public/saml2sso&Oid=21-deb44e85-b98d-4adf-90c9-b658a91dfb71]
    FWSTrace_20170308_112357.log:[03/08/2017][10:18:15][32131][74009456][3cb9911d-b689ab74-0d600386-8ec5190b-07b395f7-21][SSO.java][processAssertionGeneration][resolved variable list is: <RVARS><Var name="ConsumerURL" rtype="3"><![CDATA[https://prevention.afa.se/PreventionSSO/Login/ericsson/Shibboleth.sso/SAML2/POST]]></Var><Var name="FederationAPIVersion" rtype="2"><![CDATA[1]]></Var></RVARS>]
    FWSTrace_20170308_112357.log:[03/08/2017][10:18:15][32131][74009456][3cb9911d-b689ab74-0d600386-8ec5190b-07b395f7-21][SSO.java][processAssertionGeneration][Calling authorizeEx to invoke SAML2 assertion generator.]
    FWSTrace_20170308_112357.log:[03/08/2017][10:18:15][32131][74009456][3cb9911d-b689ab74-0d600386-8ec5190b-07b395f7-21][SSO.java][processAssertionGeneration][Request to policy server for generating saml2 assertion/artifact based on selected profile. [CHECKPOINT = SSOSAML2_GENERATEASSERTIONORARTIFACT_REQ]]
    FWSTrace_20170308_112357.log:[03/08/2017][10:18:15][32131][74009456][3cb9911d-b689ab74-0d600386-8ec5190b-07b395f7-21][SSO.java][processAssertionGeneration][Transient IP check: false]
    FWSTrace_20170308_112357.log:[03/08/2017][10:18:15][32131][74009456][3cb9911d-b689ab74-0d600386-8ec5190b-07b395f7-21][SSO.java][processAssertionGeneration][Result of authorizeEx call is: 2.]
    FWSTrace_20170308_112357.log:[03/08/2017][10:18:15][32131][74009456][3cb9911d-b689ab74-0d600386-8ec5190b-07b395f7-21][SSO.java][processAssertionGeneration][Received the assertion/artifact response based on profile selected. [CHECKPOINT = SSOSAML2_RECEIVEDASSERTION_RSP]]
    FWSTrace_20170308_112357.log:[03/08/2017][10:18:15][32131][74009456][3cb9911d-b689ab74-0d600386-8ec5190b-07b395f7-21][SSO.java][processAssertionGeneration][Transaction with ID: 3cb9911d-b689ab74-0d600386-8ec5190b-07b395f7-21 failed. Reason: FAILED_AUTHEX]
    FWSTrace_20170308_112357.log:[03/08/2017][10:18:15][32131][74009456][3cb9911d-b689ab74-0d600386-8ec5190b-07b395f7-21][SSO.java][processAssertionGeneration][Denying request due to authorizeEx call failure.]
    FWSTrace_20170308_112357.log:[03/08/2017][10:18:15][32131][74009456][3cb9911d-b689ab74-0d600386-8ec5190b-07b395f7-21][SSO.java][processAssertionGeneration][Sending 500 error]
    FWSTrace_20170308_112357.log:[03/08/2017][10:18:15][32131][74009456][3cb9911d-b689ab74-0d600386-8ec5190b-07b395f7-21][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]

     

     

    Also checked in the link with similar error, but could not find anything helpful

    SiteMinder IDP Certificate issue 

     

    Can someone please assist with the issue?



  • 2.  Re: User getting 500 internal error while refreshing the browser with an existing session

    Posted Mar 08, 2017 06:46 AM

    Policy server is not authorizing the request.


    You will need to check Policy server trace log for the matching transaction with ID : 3cb9911d-b689ab74-0d600386-8ec5190b-07b395f7-21 to identify why it didn't authorize the request.



  • 3.  Re: User getting 500 internal error while refreshing the browser with an existing session

    Posted Mar 08, 2017 07:14 AM

    Hi Team,

     

    I have checked the policy server logs and can see the user is not authorized, hence this error is being thrown. My query here is that this error does not come when the user accesses the application in a new browser/session, i.e. first login, but is thrown when the user refreshes the existing session.



  • 4.  Re: User getting 500 internal error while refreshing the browser with an existing session

    Posted Mar 08, 2017 10:12 AM

    Hi Pankaj,

     

    Did you check the policy server trace logs and find out why authorization is failing?

    As per my understanding, SM is acting as IDP and Shibboleth is SP.

    When you log in for the first time, SM is able to create the SMSESSION and generate the Assertion without any issues and is able to post it to the SP. The SP consumes it, creates the SP session and finally redirects to the Target.

    But when you refresh the page, you will be at the SP end and you will have an SP session created. But why is the SP sending the request back to the IDP (SM)?

    Also, I feel that it is making an SP-initiated transaction. Did you check for any issues while validating the AuthnRequest by the policy server?

     

    Thanks,

    Sharan



  • 5.  Re: User getting 500 internal error while refreshing the browser with an existing session

    Posted Mar 08, 2017 11:38 AM

    Yes, so to find that out you will need to check the PS trace logs and compare what is happening differently between the first and the second visit (after refresh).
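
Added example (not part of the original thread and not vendor tooling): a small parser for the FWS trace format quoted in post 1 that groups records by transaction ID and reports each transaction's checkpoints, authorizeEx result and failure reason, giving the IDs to look up in the Policy Server trace and a per-transaction view to compare the first visit with the refresh. The second transaction ID and its records are constructed for illustration; what a successful first login actually logs is an assumption.

```python
import re

# Optional "file:" prefix (grep output), seven bracketed header fields, then the message.
LINE_RE = re.compile(
    r"^(?:[^\[]*?:)?\[[^\]]*\]\[[^\]]*\]\[[^\]]*\]\[[^\]]*\]"   # date, time, pid, tid
    r"\[(?P<txid>[^\]]*)\]\[(?P<src>[^\]]*)\]\[(?P<method>[^\]]*)\]"
    r"\[(?P<msg>.*)\]\s*$"                                       # message may contain brackets
)
CHECKPOINT_RE = re.compile(r"\[CHECKPOINT = (\w+)\]")
REASON_RE = re.compile(r"failed\. Reason: (\w+)")
AUTHZ_RE = re.compile(r"Result of authorizeEx call is: (\d+)")

def summarize(lines):
    """Group trace records by transaction ID, keeping checkpoints and failure details."""
    txs = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or wrapped line, not a trace record
        tx = txs.setdefault(m["txid"], {"checkpoints": [], "authz_result": None,
                                        "reason": None, "failed_in": None})
        tx["checkpoints"].extend(CHECKPOINT_RE.findall(m["msg"]))
        authz = AUTHZ_RE.search(m["msg"])
        if authz:
            tx["authz_result"] = authz.group(1)
        reason = REASON_RE.search(m["msg"])
        if reason:
            tx["reason"] = reason.group(1)
            tx["failed_in"] = f'{m["src"]}:{m["method"]}'
    return txs

def failed(txs):
    """Transactions with a failure reason: the IDs to look up in the Policy Server trace."""
    return {txid: tx for txid, tx in txs.items() if tx["reason"]}

TX = "3cb9911d-b689ab74-0d600386-8ec5190b-07b395f7-21"  # transaction ID from the thread
OK = "00000000-constructed-first-login"                 # constructed placeholder ID
HDR = ("FWSTrace_20170308_112357.log:[03/08/2017][10:18:15][32131][74009456]"
       "[{}][SSO.java][processAssertionGeneration]")
GEN = "[Request to policy server for generating saml2 assertion/artifact based on selected profile. [CHECKPOINT = SSOSAML2_GENERATEASSERTIONORARTIFACT_REQ]]"
RCV = "[Received the assertion/artifact response based on profile selected. [CHECKPOINT = SSOSAML2_RECEIVEDASSERTION_RSP]]"
SAMPLE = [  # message texts copied from post 1; the OK transaction is constructed
    HDR.format(OK) + GEN, HDR.format(OK) + RCV,
    HDR.format(TX) + GEN, HDR.format(TX) + "[Result of authorizeEx call is: 2.]",
    HDR.format(TX) + RCV,
    HDR.format(TX) + f"[Transaction with ID: {TX} failed. Reason: FAILED_AUTHEX]",
]

if __name__ == "__main__":
    for txid, tx in failed(summarize(SAMPLE)).items():
        print(txid, tx)
```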



  • 6.  Re: User getting 500 internal error while refreshing the browser with an existing session

    Posted Aug 02, 2017 11:27 AM

    Hi Pankaj,

     

    Is this issue resolved? We are experiencing a similar issue.