Symantec Access Management

Tech Tip : CA Single Sign-On : Running CA Access Gateway (SPS), randomly users gets return code 403 in the browser

  • 1.  Tech Tip : CA Single Sign-On : Running CA Access Gateway (SPS), randomly users gets return code 403 in the browser

    Broadcom Employee
    Posted Apr 18, 2019 03:53 AM

    Issue:

     

    We're running CA Access Gateway (SPS), randomly users gets return code 403
    in the browser and we want to know why and how to fix this.

     

    Cause:

     

    The 403 errors are mainly due to unexisting SPID that the browser sends.

     

    "myspecifichostname.mydomain.com"

     

    in the Policy Store. As there's no configuration for that SPID, so the
    Federation Services return error 400 (bad request) and as there no
    redirection configured, SPS Web Server returns to the browser
    error 403.

     

    You can see that from the traces :

     

    Look in FWSTrace.log, and you'll find this request :

     

    [04/16/2019][13:39:45][21468][107805552][36fca6de-d6516145-
    2a41ff5b-cbf95872-1d88d7c2-1f][SSO.java][getAuthnRequestData][AuthnRequest:
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_9e918f16c2f102fcff36fbb74a672f9a82a6eebf68" Version="2.0"
    IssueInstant="2019-04-16T13:39:42Z"
    Destination="https://myprodserver.mydomain.com/affwebservices/public/saml2sso"
    ForceAuthn="true"
    AssertionConsumerServiceURL="https://myspecifichostname.mydomain.com/myapp"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
    <saml:Issuer>myspecifichostname.mydomain.com</saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
    </samlp:AuthnRequest>]

     

    which shows the issuer as myspecifichostname.mydomain.com.

    The Federation Service ask the Policy Server to get all configuration
    data for that Issuer, and as the Policy Server doesn't find it in the
    Policy Store data :

     

    [04/16/2019][13:39:45][21468][107805552][36fca6de-d6516145-
    2a41ff5b-cbf95872-1d88d7c2-1f][SAMLTunnelClient.java][getSe
    rviceProviderInfoByID][Provider
    ID: myspecifichostname.mydomain.com.]

    [04/16/2019][13:39:45][21468][107805552][36fca6de-d6516145-
    2a41ff5b-cbf95872-1d88d7c2-1f][SAMLTunnelClient.java][getSe
    rviceProviderInfoByID][SAMLTunnelStatus:
    5, Failed to obtain Service Provider data by provider ID. Provider
    ID: myspecifichostname.mydomain.com]

     

    [04/16/2019][13:39:45][21468][107805552][36fca6de-d6516145- 

    2a41ff5b-cbf95872-1d88d7c2-1f][SAML2Base.java][getServiceProviderInfo][Could
    not find service provider information for sp: mediab2e.group.echonet
    Message: Failed to obtain Service Provider data by provider
    ID. Provider ID: myspecifichostname.mydomain.com.]

    [04/16/2019][13:39:45][21468][107805552][36fca6de-d6516145-
    2a41ff5b-cbf95872-1d88d7c2-1f][SSO.java][processRequest][Ending
    SAML2 Single Sign-On Service request processing with HTTP error 400]

    And you'll see in the resulting access log of the CA Access Gateway
    (SPS) Web Server which shows a SAMLRequest ending in 403
    (HTTP/1.1" 403) :

     

    access_log

     

    192.168.1.1 - - [16/Apr/2019:13:39:01 +0200] "GET
    /affwebservices/public/saml2sso?SAMLRequest=fZJBb9swDIX%2Fi
    qG7LSuuW0dIAmQNhgXotqDJduilkGQ6EWBLmiit27%2BfbHdYN3Q9ESD53g
    M%2FcIVi6B3fxnAx9%2FAtAobsx9Ab5NNgTaI33ArUyI0YAHlQ%2FLj9eMc
    [...]
    ieNurYhUIXrkJuDY%2F7JValOdFChosJiqCvNuaI%3D
    HTTP/1.1" 403 1075 27918 0 -

    Resolution:

     

    Configure properly partnership for the SP issuer
    "myspecifichostname.mydomain.com" in order to be able to handle these
    requests.

     

    KB : KB000131096