Symantec Access Management


SiteMinder Federation Messages Examples: To help with 3rd party interop

Sree

Apr 22, 2014 10:30 AM

  • 1.  SiteMinder Federation Messages Examples: To help with 3rd party interop

    Broadcom Employee
    Posted Jul 17, 2012 11:35 AM

    We will use this thread to post various Federation related SAML messages and their encoding details that can be useful when it comes to SiteMinder interop with a 3rd party Federation implementation (custom or a standard SAML compliant product). SiteMinder follows the SAML standard and is SAML compliant, yet sometimes it may become difficult to decipher the spec and apply it to making two products work together (SiteMinder Federation at one partner and some other product/implementation at the other partner).

    The first one in the series is a simple SAML 2.0 POST Response resulting from an IDP initiated request; it is being posted in reply to this post.



  • 2.  RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Broadcom Employee
    Posted Jul 17, 2012 11:38 AM
    The SAML 2.0 response is sent by FWS in an auto-post form back to the browser. This POST parameter can be seen in the HTTP header traces and is called "SAMLResponse". SAMLResponse is Base64 and URL encoded; if for some reason the transaction fails, it can be decoded using online encoder/decoder tools. The un-encoded assertion (this SAML response) can also be seen in the FWS traces prior to it being sent out, if we scroll up just slightly in the traces from the end of the transaction.

    Below is from the HTTP Header traces when the auto-post form posts the SAMLResponse containing the encoded assertion to the SP side:


    POST /affwebservices/public/saml2assertionconsumer HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
    Referer: http://idp.my.com/affwebservices/public/saml2sso?SPID=sp.ca.com&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
    Accept-Language: en-us
    Content-Type: application/x-www-form-urlencoded
    UA-CPU: x86
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; GIS IE 6.0 Build 20060616; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: sp.ca.com
    Content-Length: 2661
    Connection: Keep-Alive
    Cache-Control: no-cache

    SAMLResponse=PFJlc3BvbnNlIERlc3RpbmF0aW9uPSJodHRwOi8vc3AuY2EuY29tL2FmZndlYnNlcnZpY2VzL3B1%0D%0AYmxpYy9zYW1sMmFzc2VydGlvbmNvbnN1bWVyIiBJRD0iXzg4MTUyZjQ1YTRhNzM2ZmIyMDc5NjRl%0D%0AZmUxYmM2MmM0N2RlNSIgSXNzdWVJbnN0YW50PSIyMDEyLTA3LTE3VDE1OjI4OjI0WiIgVmVyc2lv%0D%0Abj0iMi4wIiB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIj4KICAg%0D%0AIDxuczE6SXNzdWVyIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1m%0D%0Ab3JtYXQ6ZW50aXR5IiB4bWxuczpuczE9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3Nl%0D%0AcnRpb24iPmlkcC5teS5jb208L25zMTpJc3N1ZXI%2BCiAgICA8U3RhdHVzPgogICAgICAgIDxTdGF0%0D%0AdXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3Mi%0D%0ALz4KICAgIDwvU3RhdHVzPgogICAgPG5zMjpBc3NlcnRpb24gSUQ9Il81NTQ1ZjA0OWJiMDhmYWEz%0D%0AZjk0YTIyZWMwM2YwZWU4NzRjODEiIElzc3VlSW5zdGFudD0iMjAxMi0wNy0xN1QxNToyODoyNFoi%0D%0AIFZlcnNpb249IjIuMCIgeG1sbnM6bnMyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNz%0D%0AZXJ0aW9uIj4KICAgICAgICA8bnMyOklzc3VlciBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpT%0D%0AQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSI%2BaWRwLm15LmNvbTwvbnMyOklzc3Vlcj4KICAg%0D%0AICAgICA8bnMyOlN1YmplY3Q%2BCiAgICAgICAgICAgIDxuczI6TmFtZUlEIEZvcm1hdD0idXJuOm9h%0D%0Ac2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6dW5zcGVjaWZpZWQiPmdhbm1hMDI8%0D%0AL25zMjpOYW1lSUQ%2BCiAgICAgICAgICAgIDxuczI6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9%0D%0AInVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPgogICAgICAgICAgICAgICAg%0D%0APG5zMjpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBOb3RPbk9yQWZ0ZXI9IjIwMTItMDctMTdUMTU6%0D%0AMzA6MjNaIiBSZWNpcGllbnQ9Imh0dHA6Ly9zcC5jYS5jb20vYWZmd2Vic2VydmljZXMvcHVibGlj%0D%0AL3NhbWwyYXNzZXJ0aW9uY29uc3VtZXIiLz4KICAgICAgICAgICAgPC9uczI6U3ViamVjdENvbmZp%0D%0Acm1hdGlvbj4KICAgICAgICA8L25zMjpTdWJqZWN0PgogICAgICAgIDxuczI6Q29uZGl0aW9ucyBO%0D%0Ab3RCZWZvcmU9IjIwMTItMDctMTdUMTU6Mjc6MjNaIiBOb3RPbk9yQWZ0ZXI9IjIwMTItMDctMTdU%0D%0AMTU6MzA6MjNaIj4KICAgICAgICAgICAgPG5zMjpBdWRpZW5jZVJlc3RyaWN0aW9uPgogICAgICAg%0D%0AICAgICAgICAgPG5zMjpBdWRpZW5jZT5zcC5jYS5jb208L25zMjpBdWRpZW5jZT4KICAgICAgICAg%0D%0AICAgPC9
uczI6QXVkaWVuY2VSZXN0cmljdGlvbj4KICAgICAgICA8L25zMjpDb25kaXRpb25zPgog%0D%0AICAgICAgIDxuczI6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDEyLTA3LTE3VDE1OjI4%0D%0AOjA5WiIgU2Vzc2lvbkluZGV4PSIzcVp1cXFxTE56c3JwUEZxNGdOdkVwSElXNUE9OUs3MHlBPT0i%0D%0AIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTItMDctMTdUMTU6MzA6MjNaIj4KICAgICAgICAgICAg%0D%0APG5zMjpBdXRobkNvbnRleHQ%2BCiAgICAgICAgICAgICAgICA8bnMyOkF1dGhuQ29udGV4dENsYXNz%0D%0AUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9uczI6%0D%0AQXV0aG5Db250ZXh0Q2xhc3NSZWY%2BCiAgICAgICAgICAgIDwvbnMyOkF1dGhuQ29udGV4dD4KICAg%0D%0AICAgICA8L25zMjpBdXRoblN0YXRlbWVudD4KICAgIDwvbnMyOkFzc2VydGlvbj4KPC9SZXNwb25z%0D%0AZT4KCg%3D%3D


    Now the above SAMLResponse value, when decoded (URL decoded and then Base64 decoded), would look like the following. This is a simple assertion generated by SiteMinder FSS for an IDP initiated SAML 2.0 POST transaction.

    <Response Destination="http://sp.ca.com/affwebservices/public/saml2assertionconsumer" ID="_88152f45a4a736fb207964efe1bc62c47de5" IssueInstant="2012-07-17T15:28:24Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
    <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">idp.my.com</ns1:Issuer>
    <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </Status>
    <ns2:Assertion ID="_5545f049bb08faa3f94a22ec03f0ee874c81" IssueInstant="2012-07-17T15:28:24Z" Version="2.0" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">
    <ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">idp.my.com</ns2:Issuer>
    <ns2:Subject>
    <ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ganma02</ns2:NameID>
    <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <ns2:SubjectConfirmationData NotOnOrAfter="2012-07-17T15:30:23Z" Recipient="http://sp.ca.com/affwebservices/public/saml2assertionconsumer"/>
    </ns2:SubjectConfirmation>
    </ns2:Subject>
    <ns2:Conditions NotBefore="2012-07-17T15:27:23Z" NotOnOrAfter="2012-07-17T15:30:23Z">
    <ns2:AudienceRestriction>
    <ns2:Audience>sp.ca.com</ns2:Audience>
    </ns2:AudienceRestriction>
    </ns2:Conditions>
    <ns2:AuthnStatement AuthnInstant="2012-07-17T15:28:09Z" SessionIndex="3qZuqqqLNzsrpPFq4gNvEpHIW5A=9K70yA==" SessionNotOnOrAfter="2012-07-17T15:30:23Z">
    <ns2:AuthnContext>
    <ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
    </ns2:AuthnContext>
    </ns2:AuthnStatement>
    </ns2:Assertion>
    </Response>


  • 3.  RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Broadcom Employee
    Posted Jul 17, 2012 12:26 PM
    Example of an SP initiated SAML 2.0 POST transaction (starts at the Service Provider and carries the AuthNRequest to the IDP). SiteMinder FSS is both IDP and SP in this case.

    1) The user first clicks on the SP initiated link: http://sp.ca.com/affwebservices/public/saml2authnrequest?ProviderID=idp.my.com and goes to the SP saml2authnrequest service in FWS under the public realm of the FederationWebServices domain (comes with the PSOP part of the installation).

    GET /affwebservices/public/saml2authnrequest?ProviderID=idp.my.com HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
    Referer: http://idp.my.com/idprovider/
    Accept-Language: en-us
    UA-CPU: x86
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; GIS IE 6.0 Build 20060616; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: sp.ca.com
    Connection: Keep-Alive
    Cookie: SMSESSION=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; ASPSESSIONIDAAATSBTA=AJFPFCMCJKJEFNHGGIGGKPLH

    2) SiteMinder SP in this case prepares a SAML specification based AuthNRequest as an HTTP GET query parameter and sends it to the saml2sso service. This query parameter name is "SAMLRequest". The SAMLRequest query parameter value is encoded using the DEFLATE encoding. An HTTP redirect message is used to deliver the SAML <AuthnRequest> to the Identity Provider and an HTTP POST is used to return the SAML response.

    "GET /affwebservices/public/saml2sso?SAMLRequest=fZC7bsMwDEX3fIWhPdbDlpMQtoEAWQK0S1t06FLIsowIsCRXlPv4%2Byrp0E7lwIG4vLyH7XFNF%2F9g3laDqTjlZr1KNviOXFJagFI7LqX7KnVwVE3ThxnQxHerDdJlHWarKSo3C8RAivOpI69jo6TcczZI3tTT3oxTJeWhYk0j6soIMSk9Zinias4ek%2FKpI4JxsWW7Ld89cQn1ARh%2FIcWziXhLIkpGik83e%2BzIGj0EhRbBK2cQkobH4%2F0dZA0sMaSgw0z6TZGr9cjhdij%2BbEMe%2FO%2BgMNNd8UmPS6nVFbulvz79pqV%2FP9Z%2FAw%3D%3D&RelayState=ab9c7c9a618b5baedfcf1c02f1edfe32edeacfef HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
    Referer: http://idp.my.com/idprovider/
    Accept-Language: en-us
    UA-CPU: x86
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; GIS IE 6.0 Build 20060616; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Cookie: SMSESSION=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
    Connection: Keep-Alive
    Host: idp.my.com"


    3) When this SAMLRequest is decoded using a decoder that understands the DEFLATE encoding, it looks like below. DEFLATE encoding, as described in many places, means that the AuthnRequest XML has to get compressed using DEFLATE, then Base64 encoded and then URL encoded. It's a simple AuthNRequest message; it can have more elements as well and can get more complex, including a signature, etc.

    <AuthnRequest Destination="http://idp.my.com/affwebservices/public/saml2sso" ID="_d6a55810b5164f8edf35593066243e22facd" IssueInstant="2012-07-17T15:49:01Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
    <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">sp.ca.com</ns1:Issuer>
    </AuthnRequest>

    4) After this SAMLRequest is successfully processed by the SiteMinder IDP, it will send a SAMLResponse to the SP as mentioned in the earlier post.

    Note: As of now, the saml2sso service (under the public realm of the FederationWebServices domain) supports only the HTTP Redirect binding for the AuthnRequest.


  • 4.  RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

     
    Posted Jul 17, 2012 08:27 PM
    Thanks for posting all this great info Manjari! :grin:


  • 5.  RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Broadcom Employee
    Posted Jul 31, 2012 03:36 PM
    [Example of Application URL Use Case: For passing User Attributes to the saml2sso service and being able to use these attributes as part of the assertion using the AGP/Assertion Generator Plug-in]

    1) Configured the optional Application URL in the SAML 2.0 SP properties at the SMFSS IDP as http://idp.my.com/affwebservices/public/sample_application.jsp
    2) This sample JSP page is provided as part of WAOP under the affwebservices\public folder.

    [Example of IDP Initiated traces in FWS trace log]:

    [07/31/2012][14:07:19][1368][2884][101e8841-b04a2615-91890097-aad0eed6-4647f3be-c86][SSO.java][processApplicationRedirect][Redirecting to ApplicationURL: http://idp.my.com/affwebservices/public/sample_application.jsp?SMPORTALURL=http%3A%2F%2Fidp.my.com%2Faffwebservices%2Fpublic%2Fsaml2sso&SMPORTALSTATE=U01BU1NFUlRJT05SRUY9UVVFUlkmU1BJRD1zcC5jYS5jb20mUHJvdG9jb2xCaW5kaW5nPXVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpiaW5kaW5nczpIVFRQLVBPU1Q%3D]
    [07/31/2012][14:07:34][1368][2884][5df301b8-0e286543-0e9f8b8a-72b7977f-286d9013-be][SSO.java][doPost][SAML2 Single Sign-On Service received POST request.]
    [07/31/2012][14:07:34][1368][2884][5df301b8-0e286543-0e9f8b8a-72b7977f-286d9013-be][FWSBase.java][doRequestLog][Requesting Host: 127.0.0.1 Requesting Host IP: 127.0.0.1 Request protocol: HTTP/1.1 Request was secure: false Authentication type: null]
    [07/31/2012][14:07:34][1368][2884][5df301b8-0e286543-0e9f8b8a-72b7977f-286d9013-be][PostRequestWrapper][initialize][Processing parameter:  NUM...]
    [07/31/2012][14:07:34][1368][2884][5df301b8-0e286543-0e9f8b8a-72b7977f-286d9013-be][PostRequestWrapper][initialize][   Value: 435654]
    [07/31/2012][14:07:34][1368][2884][5df301b8-0e286543-0e9f8b8a-72b7977f-286d9013-be][PostRequestWrapper][initialize][Processing parameter:  LANG...]
    [07/31/2012][14:07:34][1368][2884][5df301b8-0e286543-0e9f8b8a-72b7977f-286d9013-be][PostRequestWrapper][initialize][   Value: English]
    [07/31/2012][14:07:34][1368][2884][5df301b8-0e286543-0e9f8b8a-72b7977f-286d9013-be][PostRequestWrapper][initialize][Processing parameter:  SMPORTALSTATE...]
    [07/31/2012][14:07:34][1368][2884][5df301b8-0e286543-0e9f8b8a-72b7977f-286d9013-be][PostRequestWrapper][initialize][
    QUERY STRING:
    SMASSERTIONREF=QUERY&SPID=sp.ca.com&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
    ]
    [07/31/2012][14:07:34][1368][2884][5df301b8-0e286543-0e9f8b8a-72b7977f-286d9013-be][PostRequestWrapper][initialize][
    paramValue:
    QUERY
    ]
    [07/31/2012][14:07:34][1368][2884][5df301b8-0e286543-0e9f8b8a-72b7977f-286d9013-be][PostRequestWrapper][initialize][
    paramValue:
    sp.ca.com
    ]
    [07/31/2012][14:07:34][1368][2884][5df301b8-0e286543-0e9f8b8a-72b7977f-286d9013-be][PostRequestWrapper][initialize][
    paramValue:
    urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
    ]
    [07/31/2012][14:07:34][1368][2884][5df301b8-0e286543-0e9f8b8a-72b7977f-286d9013-be][PostRequestWrapper][initialize][Processing parameter:  SMPORTALURL...]
    [07/31/2012][14:07:34][1368][2884][5df301b8-0e286543-0e9f8b8a-72b7977f-286d9013-be][PostRequestWrapper][initialize][   Value: http://idp.my.com/affwebservices/public/saml2sso]
    [07/31/2012][14:07:34][1368][2884][5df301b8-0e286543-0e9f8b8a-72b7977f-286d9013-be][SSO.java][doPost][This is a POST from an Application - processing as a GET request.]
    [07/31/2012][14:07:34][1368][2884][e6ae1ea5-58270fed-bf6bda28-fe4c70a7-bd675524-49][SSO.java][doGet][SAML2 Single Sign-On Service received GET request.]
    [07/31/2012][14:07:34][1368][2884][e6ae1ea5-58270fed-bf6bda28-fe4c70a7-bd675524-49][FWSBase.java][doRequestLog][Requesting Host: 127.0.0.1 Requesting Host IP: 127.0.0.1 Request protocol: HTTP/1.1 Request was secure: false Authentication type: null]
    [07/31/2012][14:07:34][1368][2884][e6ae1ea5-58270fed-bf6bda28-fe4c70a7-bd675524-49][SSO.java][doGet][Query String: NUM=435654&LANG=English&SMASSERTIONREF=QUERY&SPID=sp.ca.com&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&SMPORTALURL=http://idp.my.com/affwebservices/public/saml2sso]
    [07/31/2012][14:07:34][1368][2884][e6ae1ea5-58270fed-bf6bda28-fe4c70a7-bd675524-49][SSO.java][doGet][Request is UNSOLICITED!]

    [Example of SP Initiated or AuthNRequest Traces]:
    [07/31/2012][14:09:15][1368][2884][3879592f-35f467ca-41bb3dac-f949b936-f3918fca-b78][SSO.java][processApplicationRedirect][Redirecting to ApplicationURL: http://idp.my.com/affwebservices/public/sample_application.jsp?SMPORTALURL=http%3A%2F%2Fidp.my.com%2Faffwebservices%2Fpublic%2Fsaml2sso&SMPORTALSTATE=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%3D]
    [07/31/2012][14:09:20][1368][2884][141a2d17-f69560bb-a37bc268-92adacdf-c0a66724-e592][SSO.java][doPost][SAML2 Single Sign-On Service received POST request.]
    [07/31/2012][14:09:20][1368][2884][141a2d17-f69560bb-a37bc268-92adacdf-c0a66724-e592][FWSBase.java][doRequestLog][Requesting Host: 127.0.0.1 Requesting Host IP: 127.0.0.1 Request protocol: HTTP/1.1 Request was secure: false Authentication type: null]
    [07/31/2012][14:09:20][1368][2884][141a2d17-f69560bb-a37bc268-92adacdf-c0a66724-e592][PostRequestWrapper][initialize][Processing parameter:  NUM...]
    [07/31/2012][14:09:20][1368][2884][141a2d17-f69560bb-a37bc268-92adacdf-c0a66724-e592][PostRequestWrapper][initialize][   Value: 2453565456]
    [07/31/2012][14:09:20][1368][2884][141a2d17-f69560bb-a37bc268-92adacdf-c0a66724-e592][PostRequestWrapper][initialize][Processing parameter:  LANG...]
    [07/31/2012][14:09:20][1368][2884][141a2d17-f69560bb-a37bc268-92adacdf-c0a66724-e592][PostRequestWrapper][initialize][   Value: English]
    [07/31/2012][14:09:20][1368][2884][141a2d17-f69560bb-a37bc268-92adacdf-c0a66724-e592][PostRequestWrapper][initialize][Processing parameter:  SMPORTALSTATE...]
    [07/31/2012][14:09:20][1368][2884][141a2d17-f69560bb-a37bc268-92adacdf-c0a66724-e592][PostRequestWrapper][initialize][
    QUERY STRING:
    SAMLRequest=fZBBT8MwDIXv%2BxVV7mualNLWaitN2mXSuADiwAW5matFapNSpwP%2BPdk4wAkffLCen9%2FnZreGs3uk95U4JPvYrMNgvWvFOYQZpLSnOZ2%2BUuMnicPwQT3TcrGGWM5rP1ojGadRM3uRHPateMO61xWVQ12QvsOCqCryKr8vT0OuCsR6UIhRyrzSwXFAF1qhM6W3WbnN1bOqIatBZa8ieaGFb0l0monkcxodt2JdHHhky%2BBwIoZg4Gn3cISogXnxwRs%2Fim6TxGocK7gdWn62IQ7%2Bd0COdFd80fGcGrxiN%2FLXp9s08u%2FHum8%3D&RelayState=45a14d671840b92c3bda3ae715c52e5c9e04b5a0
    ]
    [07/31/2012][14:09:20][1368][2884][141a2d17-f69560bb-a37bc268-92adacdf-c0a66724-e592][PostRequestWrapper][initialize][
    paramValue:
    fZBBT8MwDIXv%2BxVV7mualNLWaitN2mXSuADiwAW5matFapNSpwP%2BPdk4wAkffLCen9%2FnZreGs3uk95U4JPvYrMNgvWvFOYQZpLSnOZ2%2BUuMnicPwQT3TcrGGWM5rP1ojGadRM3uRHPateMO61xWVQ12QvsOCqCryKr8vT0OuCsR6UIhRyrzSwXFAF1qhM6W3WbnN1bOqIatBZa8ieaGFb0l0monkcxodt2JdHHhky%2BBwIoZg4Gn3cISogXnxwRs%2Fim6TxGocK7gdWn62IQ7%2Bd0COdFd80fGcGrxiN%2FLXp9s08u%2FHum8%3D
    ]
    [07/31/2012][14:09:20][1368][2884][141a2d17-f69560bb-a37bc268-92adacdf-c0a66724-e592][PostRequestWrapper][initialize][paramValue:
    fZBBT8MwDIXv%2BxVV7mualNLWaitN2mXSuADiwAW5matFapNSpwP%2BPdk4wAkffLCen9%2FnZreGs3uk95U4JPvYrMNgvWvFOYQZpLSnOZ2%2BUuMnicPwQT3TcrGGWM5rP1ojGadRM3uRHPateMO61xWVQ12QvsOCqCryKr8vT0OuCsR6UIhRyrzSwXFAF1qhM6W3WbnN1bOqIatBZa8ieaGFb0l0monkcxodt2JdHHhky%2BBwIoZg4Gn3cISogXnxwRs%2Fim6TxGocK7gdWn62IQ7%2Bd0COdFd80fGcGrxiN%2FLXp9s08u%2FHum8%3D
    ]
    [07/31/2012][14:09:20][1368][2884][141a2d17-f69560bb-a37bc268-92adacdf-c0a66724-e592][PostRequestWrapper][initialize][
    paramValue:
    45a14d671840b92c3bda3ae715c52e5c9e04b5a0
    ]
    [07/31/2012][14:09:20][1368][2884][141a2d17-f69560bb-a37bc268-92adacdf-c0a66724-e592][PostRequestWrapper][initialize][Processing parameter:  SMPORTALURL...]
    [07/31/2012][14:09:20][1368][2884][141a2d17-f69560bb-a37bc268-92adacdf-c0a66724-e592][PostRequestWrapper][initialize][   Value: http://idp.my.com/affwebservices/public/saml2sso]
    [07/31/2012][14:09:20][1368][2884][141a2d17-f69560bb-a37bc268-92adacdf-c0a66724-e592][SSO.java][doPost][This is a POST from an Application - processing as a GET request.]
    [07/31/2012][14:09:20][1368][2884][b7e881c9-28a6ab3e-8c6d890a-6fb0aaf7-43f939cd-51][SSO.java][doGet][SAML2 Single Sign-On Service received GET request.]
    [07/31/2012][14:09:20][1368][2884][b7e881c9-28a6ab3e-8c6d890a-6fb0aaf7-43f939cd-51][FWSBase.java][doRequestLog][Requesting Host: 127.0.0.1 Requesting Host IP: 127.0.0.1 Request protocol: HTTP/1.1 Request was secure: false Authentication type: null]
    [07/31/2012][14:09:20][1368][2884][b7e881c9-28a6ab3e-8c6d890a-6fb0aaf7-43f939cd-51][SSO.java][doGet][Query String: NUM=2453565456&LANG=English&SAMLRequest=fZBBT8MwDIXv%2BxVV7mualNLWaitN2mXSuADiwAW5matFapNSpwP%2BPdk4wAkffLCen9%2FnZreGs3uk95U4JPvYrMNgvWvFOYQZpLSnOZ2%2BUuMnicPwQT3TcrGGWM5rP1ojGadRM3uRHPateMO61xWVQ12QvsOCqCryKr8vT0OuCsR6UIhRyrzSwXFAF1qhM6W3WbnN1bOqIatBZa8ieaGFb0l0monkcxodt2JdHHhky%2BBwIoZg4Gn3cISogXnxwRs%2Fim6TxGocK7gdWn62IQ7%2Bd0COdFd80fGcGrxiN%2FLXp9s08u%2FHum8%3D&RelayState=45a14d671840b92c3bda3ae715c52e5c9e04b5a0&SMPORTALURL=http://idp.my.com/affwebservices/public/saml2sso]
    [07/31/2012][14:09:20][1368][2884][b7e881c9-28a6ab3e-8c6d890a-6fb0aaf7-43f939cd-51][SSO.java][getAuthnRequestData][AuthnRequest: <AuthnRequest Destination="http://idp.my.com/affwebservices/public/saml2sso" ID="_a9b28e7f95e24a5ee8538367df315aa9f1aa" IssueInstant="2012-07-31T19:09:10Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
        <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">sp.ca.com</ns1:Issuer>

    [SMPS traces for the user attribute provided via the application URL]:
    [07/31/2012][14:09:20.726][2188][2292][AuthnRequestProtocol.java][init][Attributes being passed to Assertion Generator Plug-in:
    {SMPORTALURL=http://idp.my.com/affwebservices/public/saml2sso, LANG=English, NUM=2453565456}
    ][][][][][][][][][][][b7e881c9-28a6ab3e-8c6d890a-6fb0aaf7-43f939cd-51][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
    [07/31/2012][14:09:20.742][2188][2292][AuthnRequestProtocol.java][init][

    [Key concepts]
    1) The saml2sso service converts the HTTP POST request into a GET before moving forward.
    2) The user provided attributes can be used to customize the assertion at the IDP by making use of them in the custom written AGP (Assertion Generator Plug-in).


  • 6.  RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Posted Aug 07, 2012 02:16 AM
    Hello Manjari,

    I wanted to understand your 4th point on DEFLATE encoding: is this something automatically taken care of by SiteMinder, or does it require some sort of customization? I am working on a setup with one of our vendors (SP), and on our side we are using SiteMinder as IDP (6.0.5.35). The issue I have is that when the SP initiates, the request comes in this format, and it breaks, giving a 400 error:

    >
    https://xxxx.xx.com/affwebservices/public/saml2sso?SPID=Clarizen&SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCBJRD0iXzc3ZWFmYmI2LTE2OWQtNGYxZi05NmVjLWU3MmJlNmE0ZGM2MyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTItMDgtMDZUMTM6Mjc6MTBaIiBQcm90b2NvbEJpbmRpbmc9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpiaW5kaW5nczpIVFRQLVBPU1QiIEFzc2VydGlvbkNvbnN1bWVyU2VydmljZVVSTD0iaHR0cHM6Ly9hcHAuY2xhcml6ZW4uY29tL0NsYXJpemVuL1BhZ2VzL0ludGVncmF0aW9ucy9TQU1ML1NhbWxSZXNwb25zZS5hc3B4P0VudGl0eUlkPTIyNzE4MSIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCI%2bPHNhbWw6SXNzdWVyIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPkNsYXJpemVuPC9zYW1sOklzc3Vlcj48c2FtbHA6TmFtZUlEUG9saWN5IEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6dW5zcGVjaWZpZWQiIEFsbG93Q3JlYXRlPSJ0cnVlIiAvPjxzYW1scDpSZXF1ZXN0ZWRBdXRobkNvbnRleHQgQ29tcGFyaXNvbj0iZXhhY3QiIC8%2bPHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWYgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI%2bdXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmRQcm90ZWN0ZWRUcmFuc3BvcnQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY%2bPC9zYW1scDpBdXRoblJlcXVlc3Q%2b&RelayState=/Clarizen/default.aspx


    If the SAMLRequest string is eliminated, it just works fine. In the federation logs I see this error:
    >
    [SSO.java][doGet][The SAMLRequest parameter was not encoded properly.]
    [08/07/2012][06:06:57][4933][70][bf36d7fc-3f7e6d0a-884e31b8-f8bf4565-65537b88-67][SSO.java][doGet][Ending SAML2 Single Sign-On Service request processing with HTTP error 400]
    [08/07/2012][06:06:57][4933][70][bf36d7fc-3f7e6d0a-884e31b8-f8bf4565-65537b88-67][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 400 ]


    One workaround I see is to modify redirect.jsp and modify the query string, but since this setup is common to the rest of the vendors, I'm not quite sure if I should do that, as breaking any of them would have a huge impact.

    Can you please advise?

    Thank you

    Regards,
    Saju


  • 7.  RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Broadcom Employee
    Posted Aug 16, 2012 07:52 PM
    Hello Saju,

    I missed your post for many days now. I am not sure if you have opened a support ticket on this; you may have.

    When I decode the SAMLRequest in online decoders, I get it decoded successfully. Do you see it getting decoded at all? Also please make sure that there is a Destination attribute pointing to the saml2sso service in the AuthnRequest from your 3rd party SP.

    Thanks,
    -----Manjari.
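The encoding rule from post 3 and the "not encoded properly" report in posts 6 and 7, worked through as an added example (not SiteMinder code): a Redirect-binding SAMLRequest is raw DEFLATE, then Base64, then URL-encoded, whereas the value quoted in post 6 begins with `PHNhbWxw`, which is Base64 of `<samlp`, i.e. XML that was never deflated. The decoder below reports which of the two shapes it received and pulls out the Destination attribute that post 7 asks about; hosts, IDs and timestamps in the sample request are constructed.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample, modelled on the minimal AuthnRequest in this thread
# (Destination + Issuer only). Hosts, ID and timestamp are made up.
AUTHN_REQUEST = (
    '<AuthnRequest Destination="http://idp.example.com/affwebservices/public/saml2sso" '
    'ID="_EXAMPLE_REQUEST_ID" IssueInstant="2012-07-17T15:49:01Z" Version="2.0" '
    f'xmlns="{SAMLP}">'
    '<ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">sp.example.com</ns1:Issuer>'
    '</AuthnRequest>'
)


def encode_redirect_binding(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), Base64, then URL-encode."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw deflate stream
    deflated = deflater.compress(xml.encode("utf-8")) + deflater.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def encode_base64_only(xml: str) -> str:
    """What a partner produces when it skips DEFLATE: Base64 of the XML, URL-encoded.

    This is POST-binding style encoding placed in a Redirect-binding query string.
    """
    return urllib.parse.quote(base64.b64encode(xml.encode("utf-8")).decode("ascii"), safe="")


def decode_saml_request(param_value: str):
    """Decode a SAMLRequest value and report which encoding it used.

    Returns (encoding, xml). encoding is "deflate" for a correctly encoded
    Redirect-binding value and "base64-only" for a value that skipped DEFLATE,
    which is the shape an endpoint insisting on DEFLATE will reject.
    """
    unquoted = "".join(urllib.parse.unquote(param_value).split())  # drop %0D%0A line breaks
    raw = base64.b64decode(unquoted, validate=True)
    try:
        return "deflate", zlib.decompress(raw, -15).decode("utf-8")
    except (zlib.error, UnicodeDecodeError):
        pass  # not a raw DEFLATE stream; fall through to plain Base64
    xml = raw.decode("utf-8")
    if not xml.lstrip().startswith("<"):
        raise ValueError("SAMLRequest is neither raw-DEFLATE nor plain Base64 XML")
    return "base64-only", xml


def authn_request_destination(xml: str):
    """Return the Destination attribute of the AuthnRequest root, or None if absent.

    Use defusedxml instead of ElementTree for XML from untrusted partners.
    """
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"unexpected root element {root.tag}")
    return root.get("Destination")


if __name__ == "__main__":
    for label, value in (("redirect", encode_redirect_binding(AUTHN_REQUEST)),
                         ("base64-only", encode_base64_only(AUTHN_REQUEST))):
        encoding, xml = decode_saml_request(value)
        print(f"{label:12s} -> detected {encoding}, Destination={authn_request_destination(xml)}")
```

Running `decode_saml_request` over a captured SAMLRequest that returns "base64-only" is the quickest confirmation that the partner skipped the DEFLATE step rather than, say, corrupting the value in transit.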


  • 8.  Re: RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Posted Sep 14, 2014 07:55 AM

    Hi Saju, Manjari,

     

    Were you able to solve the issue with "The SAMLRequest parameter was not encoded properly"? I have the exact same error for an SP initiated SSO when I am using a custom auth scheme (ASP) to post to my login.fcc file. Somehow, the SAML AuthnRequest is lost after posting to login.fcc and sending the request back to redirect.jsp. FYI, the SSO works fine when I use SiteMinder OOTB auth schemes.

     

    Is there a way to handle this in the redirect.jsp file?



  • 9.  Re: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Broadcom Employee
    Posted Sep 15, 2014 02:05 PM

    Hello pbiswas,

     

    If the SAML AuthnRequest is being lost with the custom ASP form page but works fine with the OOTB HTML form login.fcc page, we just need to figure out where exactly it is being dropped: at the ASP page or at the web agent. The redirect.jsp page does handle the SAML AuthNRequest and should work without any modifications to it.

     

    I would suggest opening a support issue, with Fiddler and web agent traces.

     

    Thanks & Regards,



  • 10.  Re: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Posted Sep 15, 2014 03:02 PM

    Hi Manjari,

     

    Thanks for responding. Yes, I do have a support case opened along with the Fiddler logs, trace and code for the login page. Is there any other hidden variable that needs to be passed from the custom login page to login.fcc in addition to Target and SMAuthReason?



  • 11.  RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Broadcom Employee
    Posted Aug 24, 2012 07:48 AM
    [Example of a SAMLResponse from SiteMinder Federation (SMFSS) when an error happens at the IDP e.g. NameID could not be successfully validated]

    SAMLResponse: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <Response ID="_4e7c2d2fe9608fe60400303ba6f8cb6a27dc" InResponseTo="_af3d75c32663d823941a154718203868073c" IssueInstant="2012-08-23T23:07:07.985-04:00" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">r12sp3idp</ns1:Issuer><Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></Status></Response>

    [Key Concepts]
    1) The above specific example happens when the NameID attribute itself is incorrect or has a typo in it; you would see the following errors in the SMPS traces:
    [08/23/2012][23:07:07][3108][5868][Leave function GetDsUserProp][SmAuthUser.cpp:488][GetDsUserProp][23:07:07.985][0][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
    [08/23/2012][23:07:07][3108][5868][Configured NameID: value of the User Attribute "samacountname"][AuthnRequestProtocol.java][retrieveNameID][23:07:07.985][][][][][][][][][][][1939bda8-7b9f38cf-f6381605-87cf7745-78b7737d-f45][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
    [08/23/2012][23:07:07][3108][5868][Validating the retrieved NameID fails -1 : value is null, Assertion will not be generated.][AuthnRequestProtocol.java][retrieveNameID][23:07:07.985][][][][][][][][][][][1939bda8-7b9f38cf-f6381605-87cf7745-78b7737d-f45][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

    2) The key point when working with a 3rd party product is that when the SMFSS IDP sends a response like the one in the above example, look for the "Status" block in the SAML Response; in this case "urn:oasis:names:tc:SAML:2.0:status:Responder" means that an error happened at the SAML Responder (in this use case the Responder is the SMFSS IDP).


  • 12.  RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Broadcom Employee
    Posted Aug 24, 2012 08:02 AM
    [Example of an Assertion with signature from the SMFSS IDP]

    <Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://sp.ca.com/affwebservices/public/saml2assertionconsumer"
    ID="_5d36be8f35ab787f036f7f5c1f489baafbfa"
    IssueInstant="2012-08-21T20:23:31Z" Version="2.0">
    <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion"
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">idp.my.com</ns1:Issuer>
    <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </Status>
    <ns2:Assertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_d30f68b02c77eacc5adcdcd883d5607f298d"
    IssueInstant="2012-08-21T20:23:31Z" Version="2.0">
    <ns2:Issuer
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">idp.my.com</ns2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:CanonicalizationMethod
    Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <ds:Reference URI="#_d30f68b02c77eacc5adcdcd883d5607f298d"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:Transform
    Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <ds:DigestValue
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">vDK+6T2YqsnllankDfGleHi9VhU=</ds:DigestValue>
    </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    OVKWkIb/k2vLgo+fYQsTmO2D0LChdNYnjE/w7KpUetZ76QgqF/TWNZPr52ZM6P6UIRlSFBcZSMjv
    PQqgRiLPqCgkBqMqEKTIfcNtZQArSiUyzYEepipCp7wpyPRSzeD2Y4XOjTG3mwwbMp1AUq9JX4C6
    v8Zp1Xb/9Gr233LmLXXU3D3OH6Wcsq7WN+cY+eRhwT7dxX2wLP95MOCzC2HOPSSfBNbBgZ99dTQc
    MMurRQQutN9h7E2SuDBJSEhgf/ZaP8Wa/s8VQI9ehjrPrXGjO7VHiKDfewPTcsVm+5R6PSGRP9EZ
    Tf+jUCSGlaCiAVGdvTmhxb91kUDJjTysvXLQBQ==
    </ds:SignatureValue>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    MIIEOTCCAyGgAwIBAgIKEm+muQAAAAAAGTANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwppZHAu
    Y2EuY29tMB4XDTEyMDgxNjIzNDYxNFoXDTEzMDcyOTE1NDI1N1owfTELMAkGA1UEBhMCVVMxCzAJ
    BgNVBAgTAlRYMQ4wDAYDVQQHEwVQbGFubzELMAkGA1UEChMCQ0ExEDAOBgNVBAsTB1N1cHBvcnQx
    EzARBgNVBAMTCmlkcC5teS5jb20xHTAbBgkqhkiG9w0BCQEWDmdhbm1hMDJAY2EuY29tMIIBIjAN
    BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqE+CHU9qH4sCdvRAlpUx30cDSRKM+20ESwZ1AO1Y
    3HfGnCriUFVuWm4F+jD/9KvuEOHqK0WE0uSNM1qEZp7h0QW+0VgcUnUzk67B9y1mVZLnu+Sc7Iq8
    3pThogIg1N18OJ4Q8AkNHsGv3tDu1BRa+fvrdfAiBeEKc+A8E5Zks3YUZfFP2ppAuJRq3E6FHp1d
    QxeTyUEoiIeKYLLEZZiQHCMTjS11bslHivPcTfsQoWbUQOvS7+xFWXiFsmaZHCsHYMBf3F2rjIDs
    kj4QrEt/e+pNkJ4io/pumFIodKG+c6y5JuWkgIF2gZbH3FUS6lHJSAPsEVJMN0v4o8zcmp8u9wID
    AQABo4IBITCCAR0wHQYDVR0OBBYEFGfP/fGeIQpavPuVtNiecUJimlyuMB8GA1UdIwQYMBaAFGaI
    P4cJtg9/rdbr1Jd3wN3JL44nMF0GA1UdHwRWMFQwUqBQoE6GJGh0dHA6Ly9pZHAvQ2VydEVucm9s
    bC9pZHAuY2EuY29tLmNybIYmZmlsZTovL1xcaWRwXENlcnRFbnJvbGxcaWRwLmNhLmNvbS5jcmww
    fAYIKwYBBQUHAQEEcDBuMDQGCCsGAQUFBzAChihodHRwOi8vaWRwL0NlcnRFbnJvbGwvaWRwX2lk
    cC5jYS5jb20uY3J0MDYGCCsGAQUFBzAChipmaWxlOi8vXFxpZHBcQ2VydEVucm9sbFxpZHBfaWRw
    LmNhLmNvbS5jcnQwDQYJKoZIhvcNAQEFBQADggEBAICsrHSIk/M6oRqIfmtriWkTZbA41fcFQ5nH
    B2pP59yrwcNbtn4rj3gM0NcXVEw1GH4Pvo488ODVwHMb2RTGnInRlbb7gXM7hAZrdMLxh54eYCuI
    5paO2dcx69ZFTXJ7AVSQ5znjKhDcng7pWa1nE5gKmjNzqYkJxA4VLA2JDuyAbaUuMwBcZdJiXaei
    q0nDXl4AH8nmIrXreywKxo4DaQl6T0Lj4D2sotsvU9Z439zYd99o3sGqVL14fbVBeDKhlXI2RQ9V
    xXkNuzsqddbUdthHHLBhPGGvd/rTp61OvaXhV7rFKArBM7l5c4WU8GVV62PlbxWP8AcSES+/THwI
    6W8=
    </ds:X509Certificate>
    </ds:X509Data>
    </ds:KeyInfo>
    </ds:Signature>
    <ns2:Subject>
    <ns2:NameID
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ganma02</ns2:NameID>
    <ns2:SubjectConfirmation
    Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <ns2:SubjectConfirmationData
    NotOnOrAfter="2012-08-21T20:25:31Z"
    Recipient="https://sp.ca.com/affwebservices/public/saml2assertionconsumer"/>
    </ns2:SubjectConfirmation>
    </ns2:Subject>
    <ns2:Conditions NotBefore="2012-08-21T20:22:31Z"
    NotOnOrAfter="2012-08-21T20:25:31Z">
    <ns2:AudienceRestriction>
    <ns2:Audience>sp.ca.com</ns2:Audience>
    </ns2:AudienceRestriction>
    </ns2:Conditions>
    <ns2:AuthnStatement AuthnInstant="2012-08-21T20:23:21Z"
    SessionIndex="LV0MQcJjyBZNKdKFJT1boqI31sI=jJRz3w=="
    SessionNotOnOrAfter="2012-08-21T20:25:31Z">
    <ns2:AuthnContext>
    <ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
    </ns2:AuthnContext>
    </ns2:AuthnStatement>
    <ns2:AttributeStatement>
    <ns2:Attribute Name="empid"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>12345</ns2:AttributeValue>
    </ns2:Attribute>
    </ns2:AttributeStatement>
    </ns2:Assertion>
    </Response>

    [Key concepts]
    1) In a signed assertion, it is important to remember that the assertion itself is visible in clear text and, in addition, it carries a signature block as well as the public cert from the IDP.
    2) The IDP uses its private key to produce the signature and sends the corresponding public cert as part of the signed SAML response. The same public cert should be added at the SP for signature verification, most likely through a prior out-of-band exchange with the SP partner.
    3) The SP needs to use the exact same public cert/key to verify the signature.
    4) The signature algorithm (depending on the version of SMFSS) can be chosen in the configuration, and there should be an agreement between the partners as to which algorithm will be used to produce the signature; the other partner then uses the same algorithm to verify it.
    5) In the above example, the block below contains all the information about the algorithms being used to produce the signature, digest, etc.:
    "<ds:Signature
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:CanonicalizationMethod
    Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <ds:Reference URI="#_d30f68b02c77eacc5adcdcd883d5607f298d"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:Transform
    Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <ds:DigestValue
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">vDK+6T2YqsnllankDfGleHi9VhU=</ds:DigestValue>
    </ds:Reference>
    </ds:SignedInfo>
    "

    6) The actual signature block is shown below. It is produced based on what is configured at the SMFSS IDP (SP/Service Provider object), which can be set to sign just the assertion, the Response, or both; based on that, the hash/message digest is produced and then signed with the private key of the IDP to produce the signature:
    "<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    OVKWkIb/k2vLgo+fYQsTmO2D0LChdNYnjE/w7KpUetZ76QgqF/TWNZPr52ZM6P6UIRlSFBcZSMjv
    PQqgRiLPqCgkBqMqEKTIfcNtZQArSiUyzYEepipCp7wpyPRSzeD2Y4XOjTG3mwwbMp1AUq9JX4C6
    v8Zp1Xb/9Gr233LmLXXU3D3OH6Wcsq7WN+cY+eRhwT7dxX2wLP95MOCzC2HOPSSfBNbBgZ99dTQc
    MMurRQQutN9h7E2SuDBJSEhgf/ZaP8Wa/s8VQI9ehjrPrXGjO7VHiKDfewPTcsVm+5R6PSGRP9EZ
    Tf+jUCSGlaCiAVGdvTmhxb91kUDJjTysvXLQBQ==
    </ds:SignatureValue>
    "

    7) The block below is the actual X.509 public cert/key block; its value can be saved to inspect the public cert information (on Windows, as a .cer file):

    "<ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    MIIEOTCCAyGgAwIBAgIKEm+muQAAAAAAGTANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwppZHAu
    Y2EuY29tMB4XDTEyMDgxNjIzNDYxNFoXDTEzMDcyOTE1NDI1N1owfTELMAkGA1UEBhMCVVMxCzAJ
    BgNVBAgTAlRYMQ4wDAYDVQQHEwVQbGFubzELMAkGA1UEChMCQ0ExEDAOBgNVBAsTB1N1cHBvcnQx
    EzARBgNVBAMTCmlkcC5teS5jb20xHTAbBgkqhkiG9w0BCQEWDmdhbm1hMDJAY2EuY29tMIIBIjAN
    BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqE+CHU9qH4sCdvRAlpUx30cDSRKM+20ESwZ1AO1Y
    3HfGnCriUFVuWm4F+jD/9KvuEOHqK0WE0uSNM1qEZp7h0QW+0VgcUnUzk67B9y1mVZLnu+Sc7Iq8
    3pThogIg1N18OJ4Q8AkNHsGv3tDu1BRa+fvrdfAiBeEKc+A8E5Zks3YUZfFP2ppAuJRq3E6FHp1d
    QxeTyUEoiIeKYLLEZZiQHCMTjS11bslHivPcTfsQoWbUQOvS7+xFWXiFsmaZHCsHYMBf3F2rjIDs
    kj4QrEt/e+pNkJ4io/pumFIodKG+c6y5JuWkgIF2gZbH3FUS6lHJSAPsEVJMN0v4o8zcmp8u9wID
    AQABo4IBITCCAR0wHQYDVR0OBBYEFGfP/fGeIQpavPuVtNiecUJimlyuMB8GA1UdIwQYMBaAFGaI
    P4cJtg9/rdbr1Jd3wN3JL44nMF0GA1UdHwRWMFQwUqBQoE6GJGh0dHA6Ly9pZHAvQ2VydEVucm9s
    bC9pZHAuY2EuY29tLmNybIYmZmlsZTovL1xcaWRwXENlcnRFbnJvbGxcaWRwLmNhLmNvbS5jcmww
    fAYIKwYBBQUHAQEEcDBuMDQGCCsGAQUFBzAChihodHRwOi8vaWRwL0NlcnRFbnJvbGwvaWRwX2lk
    cC5jYS5jb20uY3J0MDYGCCsGAQUFBzAChipmaWxlOi8vXFxpZHBcQ2VydEVucm9sbFxpZHBfaWRw
    LmNhLmNvbS5jcnQwDQYJKoZIhvcNAQEFBQADggEBAICsrHSIk/M6oRqIfmtriWkTZbA41fcFQ5nH
    B2pP59yrwcNbtn4rj3gM0NcXVEw1GH4Pvo488ODVwHMb2RTGnInRlbb7gXM7hAZrdMLxh54eYCuI
    5paO2dcx69ZFTXJ7AVSQ5znjKhDcng7pWa1nE5gKmjNzqYkJxA4VLA2JDuyAbaUuMwBcZdJiXaei
    q0nDXl4AH8nmIrXreywKxo4DaQl6T0Lj4D2sotsvU9Z439zYd99o3sGqVL14fbVBeDKhlXI2RQ9V
    xXkNuzsqddbUdthHHLBhPGGvd/rTp61OvaXhV7rFKArBM7l5c4WU8GVV62PlbxWP8AcSES+/THwI
    6W8=
    </ds:X509Certificate>
    "

    8) The cert above should match exactly in every way the cert actually being used to verify the signature at the SP: values like Issuer DN, Subject DN, validity, serial number, and bit length (2048 etc.).
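    The key concepts above describe what the SP has to line up before the signature will verify: the agreed algorithms, the exact certificate, and the assertion's own conditions. The following is an added example (not code from this post or from SiteMinder/SMFSS) of the checks an SP can run on a received assertion before handing it to an XML-DSig library; it does not compute or verify the signature itself. It uses a constructed sample with the same ID, subject, conditions and algorithm URIs as the assertion above but with a placeholder certificate, and the fingerprint comparison assumes the SP keeps the partner cert as a SHA-256 fingerprint, which is an assumption of the example rather than an SMFSS feature.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# SHA-1 based methods, as in the captured assertion: flagged so the partners
# agree on a stronger profile instead of accepting them silently.
SHA1_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
             "http://www.w3.org/2000/09/xmldsig#sha1"}

# Constructed sample: same ID, subject, conditions and algorithm URIs as the
# assertion above (prefix 'saml' instead of 'ns2'); placeholder cert, not the IDP's.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"not-a-real-DER-certificate").decode()
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" ID="_resp" Version="2.0">
 <saml:Assertion xmlns:saml="{NS['saml']}" ID="_d30f68b02c77eacc5adcdcd883d5607f298d" Version="2.0">
  <saml:Issuer>idp.my.com</saml:Issuer>
  <ds:Signature xmlns:ds="{NS['ds']}">
   <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_d30f68b02c77eacc5adcdcd883d5607f298d">
     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
     <ds:DigestValue>vDK+6T2YqsnllankDfGleHi9VhU=</ds:DigestValue>
    </ds:Reference>
   </ds:SignedInfo>
   <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
   <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ganma02</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2012-08-21T20:25:31Z"
     Recipient="https://sp.ca.com/affwebservices/public/saml2assertionconsumer"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2012-08-21T20:22:31Z" NotOnOrAfter="2012-08-21T20:25:31Z">
   <saml:AudienceRestriction><saml:Audience>sp.ca.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def cert_fingerprint(b64_text):
    """SHA-256 over the DER bytes of an X509Certificate element (line-wrap
    whitespace dropped). Key concept 8 says the presented cert must be exactly
    the configured one; comparing fingerprints enforces exactly that."""
    return hashlib.sha256(base64.b64decode(re.sub(r"\s+", "", b64_text))).hexdigest()


def check_assertion(xml_text, sp_entity_id, acs_url, trusted_fp, now, skew=timedelta(seconds=60)):
    """Return the list of problems found; empty means the assertion can be
    handed to real XML-DSig verification with the configured cert."""
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return [f"expected exactly one Assertion, got {len(assertions)}"]
    a = assertions[0]
    sig = a.find("ds:Signature", NS)
    if sig is None:
        return ["assertion carries no ds:Signature"]
    problems = []
    # The Reference must point at this assertion's own ID; a signature over
    # some other element says nothing about the one we are about to trust.
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + a.get("ID"):
        problems.append("ds:Reference URI does not cover this Assertion's ID")
    # Key concept 4: both partners must have agreed on the algorithms.
    for label, path in (("SignatureMethod", "ds:SignedInfo/ds:SignatureMethod"),
                        ("DigestMethod", "ds:SignedInfo/ds:Reference/ds:DigestMethod")):
        el = sig.find(path, NS)
        alg = el.get("Algorithm") if el is not None else None
        if alg in SHA1_ALGS:
            problems.append(f"{label} is SHA-1 based ({alg}); agree on RSA-SHA256 with the partner")
    # Key concept 8: the presented cert must be the one configured at the SP.
    cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or cert_fingerprint(cert.text) != trusted_fp:
        problems.append("presented X509Certificate does not match the configured IDP cert")
    # Conditions: validity window (with clock skew) and audience.
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion has no Conditions element")
    else:
        if not (parse_ts(cond.get("NotBefore")) - skew <= now < parse_ts(cond.get("NotOnOrAfter")) + skew):
            problems.append("assertion is outside its NotBefore/NotOnOrAfter window")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append(f"Audience {audiences} does not include this SP ({sp_entity_id})")
    # Bearer confirmation: the assertion must have been addressed to our ACS URL.
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("SubjectConfirmationData Recipient is not this SP's ACS URL")
    return problems


if __name__ == "__main__":
    ACS = "https://sp.ca.com/affwebservices/public/saml2assertionconsumer"
    for p in check_assertion(SAMPLE_RESPONSE, "sp.ca.com", ACS,
                             cert_fingerprint(PLACEHOLDER_CERT_B64), parse_ts("2012-08-21T20:23:30Z")):
        print("WARN:", p)
```

    Run against the sample at a clock of 2012-08-21T20:23:30Z with the matching fingerprint, the only findings are the two SHA-1 warnings; swapping in a different fingerprint, a later clock, another entity ID or another ACS URL each adds the corresponding problem, which is the list a support engineer would want before looking at the signature bytes themselves.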


  • 13.  RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Broadcom Employee
    Posted Aug 24, 2012 08:43 AM
    to be migrated


  • 14.  RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Broadcom Employee
    Posted Aug 24, 2012 08:45 AM
    [Formula to make it easier to see what is needed for Signature and Encryption]

    Signature Formula:
    Signing party needs == own private key (gives the corresponding public key to verifying party)
    Verifying party needs == public key/cert from the signing party

    Encryption Formula:
    Encrypting party needs == public key/cert from the decrypting party
    Decrypting party needs== its own private key (gives the corresponding public key to encrypting party)

    Note: For SMFSS you would always add the private Key + Cert pair into the smkeydatabase for both signature and encryption at the side to which the private key belongs to and add the same public key/cert on the other side.


  • 15.  RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Posted Aug 29, 2012 03:46 PM
    Hi Manjari,

    Just want to know how other companies working with the SLO setup

    The setup will be like this

    The IDP authenticates the user and the SAML response is sent to the SP. The SP authenticates the user and lets the user into the application.
    If we are using a SiteMinder connector at the SP, there won't be any reference to the IDP's SLO URL or partnership at this point in the application. The logout button will be common to the other users who came via federation and via SiteMinder.

    My question is, there might be multiple IDPs and they might be using different identity management tools, but all are coming to the same SP.
    How does the SP know which SLO URL to use when the user wants to log off? At this point, from the application's perspective, it doesn't have any handle to the partnership that we created in the SP or to the SLO URL to use.

    I am thinking of adding the partnership name/SLO URL in the cookie, passing it to the application and using the same for the logoff functionality. Is there any better way of doing this?

    Thanks in advance,
    Matheen


  • 16.  RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Posted Nov 28, 2012 05:17 PM
    Hi Manjari,

    As SP, how can I have multiple target URLs for the different Audiences that the IDP is sending in the SAML?
    I don't think FM will allow creating two different partnerships for the same remote IDP ID, and you don't have an option to enter multiple target URLs for the same partnership. How can we handle this type of situation?

    Thanks,
    Matheen


  • 17.  RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Broadcom Employee
    Posted Nov 28, 2012 05:53 PM
    Hello Matheen,

    As SP, if you are able to send the AuthNRequest, i.e. do an SP-initiated or solicited transaction, then you could, using your own logic, generate a dynamic Target URL as the RelayState parameter, which the IDP would have to maintain and send back to you.

    For the same remote IDP, I agree FEDMA (if that is what you are using, or are you using the r12.5 partnership model?) may not allow creating multiple partnerships, but you can give it a try. I think the above would work and is a commonly used solution to handle the dynamic target situation.

    Also, your questions are great, so I would really suggest you post them outside of this thread since others may benefit as well; this thread has a title which may or may not be looked at by folks.

    Thanks for all the good questions.
    ----- Manjari.


  • 18.  RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Broadcom Employee
    Posted Nov 28, 2012 06:20 PM
    Hello Matheen,

    Sorry I missed this one and am much too late in the reply; I would also suggest posting it outside of this thread so others may have input on it too.

    For federated users at the SP, SLO would be tricky, you are right: there would be a need to differentiate the regular users from the federation users, and then, as you say, typically the user account or some other session mechanism should maintain the SLO-related URL and the required parameters needed.

    Others in the communities may have more creative approaches.

    Thanks,
    ----- Manjari.


  • 19.  RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Posted Jun 17, 2013 12:47 PM
    Manjari, I have a question I hope you can answer. We have many outgoing SSOs which are configured for an IDP-initiated request. We are being asked by a vendor using SharePoint to support an SP-initiated request.

    Can you let me know what the differences are, both in configuration and flow? Trying to see if it is something we can easily support and what the effort would be. Also, is there any downside to this type of request?

    Thanks,

    John


  • 20.  RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Broadcom Employee
    Posted Jun 26, 2013 11:37 AM
    Hello John,

    Sorry about the delay. Below is my reply to your questions.


    1) We have many outgoing SSOs which are configured for an IDP-initiated request. We are being asked by a vendor using SharePoint to support an SP-initiated request.
    ---> An SP-initiated request coming from the SharePoint SP partner should work just fine. CA SiteMinder Federation supports the SP-initiated request, and in this case the saml2sso service, which acts as the entry point for the IDP-initiated request, also acts as the entry point for the SP-initiated request.

    2) Can you let me know what the differences are, both in configuration and flow?
    ---> Primary differences are:
    1) The saml2sso service would look for a query parameter SAMLRequest, which holds the Redirect-binding-based, encoded AuthNRequest that the SP side is responsible for sending. The IDP-initiated request does not have this parameter and instead has other ones like SPID, etc.
    2) The saml2sso service would first decode the AuthNRequest for SP-initiated, a step which is not present for IDP-initiated.
    3) Once the AuthNRequest is decoded and processed successfully, the transaction proceeds much like the IDP-initiated one.


    3) Trying to see if it is something we can easily support and what the effort would be. Also, is there any downside to this type of request?
    ----> SP-initiated is supported by the product just like IDP-initiated. For the effort aspect, configuration changes should not be required on the SM Federation IDP side as such, as long as the SP side is not asking in the AuthNRequest for anything specific which differs from what is configured currently and works for the same SP in the IDP-initiated request. For example, let's say the NameID format is currently "unspecified" in the config on your IDP side, but the SP for some reason has some other format noted in the AuthNRequest, like email, etc.; due to the mismatch this would fail and would require either side to make a change such that what is requested matches what is configured.
    ----> One important thing to keep in mind is that the SAML2SSO service only supports the HTTP Redirect binding and does not support HTTP POST yet, so the SP-initiated request would have to come to it as an HTTP GET with SAMLRequest as a query parameter and not as an HTTP POST with SAMLRequest as a POST parameter. A future release may support HTTP POST.

    Hope this helps and again, sorry about the delay in the reply.
    ------Manjari.
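    As an added example (not SiteMinder code, and not part of the reply above) of the SP-initiated flow the reply describes: the SP deflates, base64-encodes and URL-encodes the AuthnRequest into the SAMLRequest query parameter of a GET to saml2sso, and the IDP reverses that before reading the fields that must agree with the partnership configuration, the NameID format being the one the reply calls out. Entity IDs, URLs and the "configured" NameID format are assumptions; the query-string signature that the SigAlg and Signature parameters refer to needs the SP's private key and an RSA library, so the example only produces the exact string that would be signed.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
NS = {"samlp": SAMLP, "saml": SAML}


def build_authn_request(sp_entity_id, idp_sso_url, acs_url, nameid_format,
                        issue_instant=None, request_id=None):
    """Minimal AuthnRequest; ID and IssueInstant can be fixed for reproducible tests."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{sp_entity_id}</saml:Issuer>'
        f'<samlp:NameIDPolicy Format="{nameid_format}" AllowCreate="true"/>'
        '</samlp:AuthnRequest>'
    )


def deflate_b64(xml):
    """Redirect-binding encoding: raw DEFLATE (no zlib header), then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode("utf-8")) + c.flush()).decode("ascii")


def inflate_b64(value):
    """Reverse of deflate_b64: the 'decode the AuthnRequest' step the IDP does first."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def redirect_url(idp_sso_url, xml, relay_state, sig_alg=RSA_SHA1):
    """GET URL for saml2sso. The second value is exactly what the SP signs:
    SAMLRequest=..&RelayState=..&SigAlg=.. in URL-encoded form; the result
    would be appended as &Signature=<base64> (signing not done here)."""
    signed = urlencode({"SAMLRequest": deflate_b64(xml),
                        "RelayState": relay_state, "SigAlg": sig_alg})
    return f"{idp_sso_url}?{signed}", signed


def parse_redirect(url):
    """IDP side: take SAMLRequest off the query string, inflate it, and read
    the fields that have to agree with the partnership configuration."""
    q = parse_qs(urlsplit(url).query)
    root = ET.fromstring(inflate_b64(q["SAMLRequest"][0]))
    policy = root.find("samlp:NameIDPolicy", NS)
    return {
        "id": root.get("ID"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "binding": root.get("ProtocolBinding"),
        "nameid_format": policy.get("Format") if policy is not None else None,
        "relay_state": q.get("RelayState", [None])[0],
        "sig_alg": q.get("SigAlg", [None])[0],
    }


def nameid_policy_matches(requested, configured):
    """The mismatch the reply warns about: a NameIDPolicy Format in the request
    that differs from what the IDP partnership is configured to issue fails the
    transaction. An absent policy imposes nothing (assumption of this example)."""
    return requested is None or requested == configured


if __name__ == "__main__":
    # Constructed values; sp.ca.com / idp.my.com follow the traces earlier in the thread.
    idp = "http://idp.my.com/affwebservices/public/saml2sso"
    acs = "https://sp.ca.com/affwebservices/public/saml2assertionconsumer"
    unspecified = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    xml = build_authn_request("sp.ca.com", idp, acs, unspecified)
    url, _ = redirect_url(idp, xml, relay_state="https://sp.ca.com/app/target")
    print(parse_redirect(url))
```

    The RelayState carried here is also the mechanism suggested earlier in the thread for a dynamic target URL: the SP puts its per-request target in RelayState, the IDP echoes it back unchanged with the Response, and the SP never needs a second partnership for a second target.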


  • 21.  RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Posted Jun 27, 2013 10:11 PM
    thank you!


  • 22.  RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Posted Mar 21, 2014 12:22 AM

    Hi Manjari,

    Can you please help me out with below issue ?

    Environment:

    CA Federation Manager used as IDP and some third-party SP will be the consumer (I do not have access to the SP, so I am using Shibboleth as SP to test my IDP setup.)

    Here is my SAML response from the IDP:

    Response: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <Response ID="_332294082fdea45e2f7ea131aaefe27622aa" InResponseTo="_358e0b8731e7395a62c92d87bad3204a" IssueInstant="2014-03-21T14:47:01.198+11:00" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">https://dev.idp.virginmobile.com.au</ns1:Issuer><Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></Status></Response>

    Please check the highlighted one.

    Error message:

    [03/21/2014][03:47:00][3082][3431762832][29f9c5d7-ba9d5170-1db01cce-0a1f5d7b-8474438b-ef][SSO.java][getLocalServiceURL][Enter getLocalServiceURL]
    [03/21/2014][03:47:00][3082][3431762832][29f9c5d7-ba9d5170-1db01cce-0a1f5d7b-8474438b-ef][SSO.java][getLocalServiceURL][Using request URL:  http://dev.idp.virginmobile.com.au/affwebservices/public/saml2sso]
    [03/21/2014][03:47:00][3082][3431762832][29f9c5d7-ba9d5170-1db01cce-0a1f5d7b-8474438b-ef][SSO.java][processAssertionGeneration][resource is: /SAMLRequest=fZLNboMwEIRfBfkeDCa%2FVkCiyaGR0hYF2kMvlYFNsAQ29ZqkffuSkEqpVOW8s9%2FsjL1E0dQtjztbqR18doDW%2BWpqhfwyCElnFNcCJXIlGkBuC57GT1vOXI%2B3Rltd6Jo4MSIYK7VaaYVdAyYFc5QFvO62IamsbZFTWsLRxdY9SnOQqtG5rMEtdOOKjqaVzHNdg61cRE3PDowmL2lGnHV%2FklTiDB9QV5Is%2F0eJ%2Ff4EOQ7%2BSNsur2VBz2lYjybOZh2Sj2AyBy%2BfzwIfZsFiIqasWLByPstFGTBvLHoZYgcbhVYoGxLm%2BeORF4yYn3kBH0%2F5ZPpOnOSa%2F0GqUqrD%2FbLyQYT8McuS0ZDtDQxecvUCEi3PR%2FKLsbl5hPtY8ds8iW7K%2Bb%2FmJb1xGOxa%2FtwjN%2BtE9y19O3Fd69PKgLAQEp%2FQaFj5%2B0GiHw%3D%3D&RelayState=cookie%3A253b1f1e&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=LMWNHI07xr19x4yWLKWL1yz438vRrtu5sPK7CwCHOORgfhgfzxIrnIOumFWzEK4m76fh%2F4iXEVRwzFB9cAYYvyMpJxjaDQi4xu9j8DgAb9gm3HkO1ExAopOMGHH3l%2FrQr9%2FpiILdYCi5lUntQyqMKkxo609Y%2Fis4ULR8gWRi9rhl0D%2FuxREaR1Q6BfZT6qBVXgZebUGF4%2Frn3v3b1Nc%2FXV%2B49zexfALY%2B6qXcnta9C0gNWLPNfI4KFmqnalg5010z3REdjTiOXI5fjgVNREkseVbmzOagLxD9BE5eUS%2F2DoAtUKZ%2BiurnvbBWE9jHEQmUaJck7JENvZZVPFaI%2F3dug%3D%3D&SSOUrl=http://dev.idp.virginmobile.com.au/affwebservices/public/saml2sso]
    [03/21/2014][03:47:00][3082][3431762832][29f9c5d7-ba9d5170-1db01cce-0a1f5d7b-8474438b-ef][SSO.java][processAssertionGeneration][resolved variable list is: <RVARS><Var name="ConsumerURL" rtype="3"><![CDATA[https://dev.sp.virginmobile.com.au/Shibboleth.sso/SAML2/POST]]></Var></RVARS>]
    [03/21/2014][03:47:00][3082][3431762832][29f9c5d7-ba9d5170-1db01cce-0a1f5d7b-8474438b-ef][SSO.java][processAssertionGeneration][Calling authorizeEx to invoke SAML2 assertion generator.]
    [03/21/2014][03:47:01][3082][3431762832][29f9c5d7-ba9d5170-1db01cce-0a1f5d7b-8474438b-ef][SSO.java][processAssertionGeneration][Result of authorizeEx call is: 1.]
    [03/21/2014][03:47:01][3082][3431762832][29f9c5d7-ba9d5170-1db01cce-0a1f5d7b-8474438b-ef][SSO.java][processAssertionGeneration][Transaction with ID: 29f9c5d7-ba9d5170-1db01cce-0a1f5d7b-8474438b-ef failed. Reason: FAILED_NO_ATTR_RETURNED]
    [03/21/2014][03:47:01][3082][3431762832][29f9c5d7-ba9d5170-1db01cce-0a1f5d7b-8474438b-ef][SSO.java][processAssertionGeneration][Denying request due to no attribute returned from SAML2 assertion generator.]
    [03/21/2014][03:47:01][3082][3431762832][29f9c5d7-ba9d5170-1db01cce-0a1f5d7b-8474438b-ef][SSO.java][processAssertionGeneration][Sending SAML Response]
    [03/21/2014][03:47:01][3082][3431762832][29f9c5d7-ba9d5170-1db01cce-0a1f5d7b-8474438b-ef][SSO.java][sendSAMLResponse][AssertionConsumerURL: https://dev.sp.virginmobile.com.au/Shibboleth.sso/SAML2/POST]

    If you can assist, that will be really great. Let me know if you need more details.



  • 23.  RE: [CA SiteMinder General Discussion] RE: SiteMinder Federation Messages E

    Broadcom Employee
    Posted Mar 21, 2014 12:58 AM
    Hello sasikumar_42,

    To debug an authorizeEx failure, we should look at the detailed smps traces for the assertion generation. It seems like there was some failure at the SMPS/PSOP such that it did not return any assertion in the response attributes back to the FWS. Also, please confirm the versions of the components in this setup.

    This is what the errors from FWS that you posted would mean:

    “[03/21/2014][03:47:00][3082][3431762832][29f9c5d7-ba9d5170-1db01cce-0a1f5d7b-8474438b-ef][SSO.java][processAssertionGeneration][Calling authorizeEx to invoke SAML2 assertion generator.]
    ---> It's calling authorizeEx, which goes to SMPS

    [03/21/2014][03:47:01][3082][3431762832][29f9c5d7-ba9d5170-1db01cce-0a1f5d7b-8474438b-ef][SSO.java][processAssertionGeneration][Result of authorizeEx call is: 1.]
    ---> authorizeEx returned 1

    [03/21/2014][03:47:01][3082][3431762832][29f9c5d7-ba9d5170-1db01cce-0a1f5d7b-8474438b-ef][SSO.java][processAssertionGeneration][Transaction with ID: 29f9c5d7-ba9d5170-1db01cce-0a1f5d7b-8474438b-ef failed. Reason: FAILED_NO_ATTR_RETURNED]
    ---> authorizeEx did not return any attributes and therefore no assertion; we can use this transaction ID to check the transaction in the smps traces

    [03/21/2014][03:47:01][3082][3431762832][29f9c5d7-ba9d5170-1db01cce-0a1f5d7b-8474438b-ef][SSO.java][processAssertionGeneration][Denying request due to no attribute returned from SAML2 assertion generator.]
    ---> FWS is denying the request since it has nothing to send

    [03/21/2014][03:47:01][3082][3431762832][29f9c5d7-ba9d5170-1db01cce-0a1f5d7b-8474438b-ef][SSO.java][processAssertionGeneration][Sending SAML Response]”
    --> It prepares and sends the SAML Response (most likely it would have a Status of error in it); not sure, but it would be in the next few lines in the FWS traces.

    Thanks & Regards,
    ------ Manjari


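    An added triage helper (not a SiteMinder tool, and not part of either post) that mechanises the reading of the FWS trace walked through in the reply above: it parses the bracketed FWS trace format, groups lines by transaction ID, and pulls out the authorizeEx result, the failure reason and the ACS URL the Response was sent to, then points at the smps trace for that transaction. The FWS sample lines are copied from the reply (the long SAMLRequest line is omitted); the smtrace line is a constructed, abridged stand-in modelled on the policy server trace in the follow-up reply, and the "next step" text is taken from the reply's guidance, not from product documentation.

```python
import re
from collections import defaultdict

# FWS trace layout: [date][time][pid][tid][txid][source][method][message]
FWS_LINE = re.compile(
    r"^\[(?P<date>[^\]]*)\]\[(?P<time>[^\]]*)\]\[(?P<pid>[^\]]*)\]\[(?P<tid>[^\]]*)\]"
    r"\[(?P<txid>[^\]]*)\]\[(?P<src>[^\]]*)\]\[(?P<method>[^\]]*)\]\[(?P<msg>.*)\]$"
)
AUTHZ_RESULT = re.compile(r"Result of authorizeEx call is: (\d+)")
FAILED_REASON = re.compile(r"failed\. Reason: (\w+)")
ACS_URL = re.compile(r"AssertionConsumerURL: (\S+)")

NEXT_STEP = {
    # authorizeEx came back but carried no assertion attribute: the assertion
    # generator on the policy server is where to look next (per the reply).
    "FAILED_NO_ATTR_RETURNED": "authorizeEx returned no response attributes; "
                               "search the smps trace for this transaction and "
                               "for an Active Expression that 'returned NULL'",
}


def parse_fws(lines):
    """Yield a dict per line that matches the FWS trace layout; skip the rest."""
    for line in lines:
        m = FWS_LINE.match(line.strip())
        if m:
            yield m.groupdict()


def summarize_transactions(lines):
    """Per transaction ID: authorizeEx result, failure reason, ACS URL, whether
    a Response was sent, and the suggested next step."""
    tx = defaultdict(lambda: {"authz_result": None, "reason": None, "acs_url": None,
                              "response_sent": False, "next_step": None})
    for rec in parse_fws(lines):
        t, msg = tx[rec["txid"]], rec["msg"]
        if (m := AUTHZ_RESULT.search(msg)):
            t["authz_result"] = int(m.group(1))
        if (m := FAILED_REASON.search(msg)):
            t["reason"] = m.group(1)
            t["next_step"] = NEXT_STEP.get(m.group(1), "check the smps trace for this transaction")
        if (m := ACS_URL.search(msg)):
            t["acs_url"] = m.group(1)
        if msg == "Sending SAML Response":
            t["response_sent"] = True
    return dict(tx)


def null_active_expressions(smtrace_lines):
    """smtrace entries where an Active Expression (e.g. the SAML2 AssertionGenerator)
    returned NULL, which leaves authorizeEx with nothing to hand back to FWS."""
    pat = re.compile(r"Active Expression (.+?) returned NULL")
    return [m.group(1) for line in smtrace_lines for m in [pat.search(line)] if m]


# Lines copied from the reply above (the long SAMLRequest line is left out).
FWS_SAMPLE = """\
[03/21/2014][03:47:00][3082][3431762832][29f9c5d7-ba9d5170-1db01cce-0a1f5d7b-8474438b-ef][SSO.java][processAssertionGeneration][Calling authorizeEx to invoke SAML2 assertion generator.]
[03/21/2014][03:47:01][3082][3431762832][29f9c5d7-ba9d5170-1db01cce-0a1f5d7b-8474438b-ef][SSO.java][processAssertionGeneration][Result of authorizeEx call is: 1.]
[03/21/2014][03:47:01][3082][3431762832][29f9c5d7-ba9d5170-1db01cce-0a1f5d7b-8474438b-ef][SSO.java][processAssertionGeneration][Transaction with ID: 29f9c5d7-ba9d5170-1db01cce-0a1f5d7b-8474438b-ef failed. Reason: FAILED_NO_ATTR_RETURNED]
[03/21/2014][03:47:01][3082][3431762832][29f9c5d7-ba9d5170-1db01cce-0a1f5d7b-8474438b-ef][SSO.java][processAssertionGeneration][Denying request due to no attribute returned from SAML2 assertion generator.]
[03/21/2014][03:47:01][3082][3431762832][29f9c5d7-ba9d5170-1db01cce-0a1f5d7b-8474438b-ef][SSO.java][processAssertionGeneration][Sending SAML Response]
[03/21/2014][03:47:01][3082][3431762832][29f9c5d7-ba9d5170-1db01cce-0a1f5d7b-8474438b-ef][SSO.java][sendSAMLResponse][AssertionConsumerURL: https://dev.sp.virginmobile.com.au/Shibboleth.sso/SAML2/POST]
""".splitlines()

# Constructed, abridged smtrace line in the style of the one posted in the follow-up.
SMTRACE_SAMPLE = [
    "[12:39:13][Leave function CSmActiveExprLibrary::GetActiveValue][][SmActiveExpr.cpp:907]"
    "[CSmActiveExprLibrary::GetActiveValue][Active Expression GetActiveAttr;smjavaapi;"
    "JavaActiveExpression;com.netegrity.assertiongenerator.AssertionGenerator "
    "-AssertionHandler:SAML20 unspecified:username=alan0001 returned NULL][][]",
]

if __name__ == "__main__":
    for txid, info in summarize_transactions(FWS_SAMPLE).items():
        print(txid, info)
    print(null_active_expressions(SMTRACE_SAMPLE))
```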
  • 24.  RE: [CA SiteMinder General Discussion] RE: SiteMinder Federation Messages E

    Posted Mar 23, 2014 10:12 PM

    Hi Manjari,

    Thanks a lot for your quick turnaround.

    Version of Policy Server: Version 12 Build 547 Update 03.09 and GUI: 12.0

    Here is my SAML Response without assertion:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <Response ID="_d063a95ffefa8e9978962216a3157ee26de8" InResponseTo="_00195ac92a04f75e7f5d0b54f191b53a" IssueInstant="2014-03-24T12:39:19.641+11:00" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">https://dev.idp.virginmobile.com.au</ns1:Issuer><Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></Status></Response>

    Here is the error from FWSTrace.log:

    [03/24/2014][01:39:19][29598][3436923792][176463df-687613a4-a6735dcb-65713f50-7f726813-3d][SSO.java][processAssertionGeneration][Transaction with ID: 176463df-687613a4-a6735dcb-65713f50-7f726813-3d failed. Reason: FAILED_NO_ATTR_RETURNED]

    Here is the SMPS:

    I do not see any error messages on SMPS log. Can you please help me to add more debug messages on SMPS logs to trace exact error message ?

    Here is SMtrace log error messages:

    [12:39:13][Leave function CSmActiveExprLibrary::GetActiveValue][][][][][][SmActiveExpr.cpp:907][6064][588][03/24/2014][12:39:13.229][CSmActiveExprLibrary::GetActiveValue][][][][][][][][][][][][][Active Expression GetActiveAttr;smjavaapi;JavaActiveExpression;com.netegrity.assertiongenerator.AssertionGenerator -AssertionHandler:SAML20 unspecified:username=alan0001 returned NULL][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
    [12:39:13][Leave function CSmAzRespAttr][][][][][][SmAuthorization.cpp:378][6064][588][03/24/2014][12:39:13.229][CSmAzRespAttr][ok][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
    [12:39:13][Leave function CSmAz::Process_Response_List][][][][][][SmAuthorization.cpp:1865][6064][588][03/24/2014][12:39:13.229][CSmAz::Process_Response_List][true][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
    [12:39:13][IsOk? Yes, Return 0 responses with 0 attributes added.][][][][][][SmAuthorization.cpp:1587][6064][588][03/24/2014][12:39:13.229][CSmAz::IsOk][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
    [12:39:13][Leave function CSmAz::IsOk][][][][][][SmAuthorization.cpp:1589][6064][588][03/24/2014][12:39:13.229][CSmAz::IsOk][true][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
    [12:39:13][Enter function CSm_Az_Message::SendReply][][][][][][Sm_Az_Message.cpp:342][6064][588][03/24/2014][12:39:13.229][CSm_Az_Message::SendReply][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
    [12:39:13][Look up a cached object.][][][][][][SmObjCache.cpp:918][6064][588][03/24/2014][12:39:13.229][CSmObjCache::Lookup][][][][][][][][][][][][][][][03-c219abd2-25a8-4457-a9a9-e160a586ecc9][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
    [12:39:13][Enter function SmAuthQuery][][][][][][SmAuthAnon.cpp:24][6064][588][03/24/2014][12:39:13.229][SmAuthQuery][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
    [12:39:13][Leave function SmAuthQuery][][][][][][SmAuthAnon.cpp:43][6064][588][03/24/2014][12:39:13.229][SmAuthQuery][Sm_AuthApi_Success][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
    [12:39:13][Send response attribute 153, data size is 4][samlsp:https://dev.sp.virginmobile.com.au][][alan0001][][][Sm_Az_Message.cpp:735][6064][588][03/24/2014][12:39:13.229][CSm_Az_Message::FormatAttribute][][][][samlsp:https://dev.sp.virginmobile.com.au][][][][][s53/r86][][][][][][][][][][][][][][][][HzgXJVvljofw8uc/J9yzpeHq1Zn5M5NKD8o+Ay6/I1e3hPmLshTJZwZoTRH3QaC7vdNB4WAmjzq8K561nG9PsR0TbZFhXwuxyu4zBNM9AH9Rmxz7fyHaslkjc+edLPXGncFksIobw/Y9Devfr0onjUQ7CpOZJmiB1F7YzGm0oLyIOAjs13ubmYroFTL+scI2uiE7zVJX8Q4isaurgTQOunWRD6uNn5qQFMZ3YXHI3PxPC19UbOJght0PSM5hh9GRiiSdPzXWNEVCHs/tOrNTdfVVLAW0gWImQAZkTwe3/pwKXD0yNgzgtOeJc679v3G7gm5A5gOYvuUB4gpC4JlyChiXH2JCxCJ2skR0fGsG6VlWNPBh4MHHo18dvaYQgjObg2ennnBQ0nYZmz/D3Jsv/H2+ZDuoVXHOiOVnBoxPyJW1/mQLJ5c1wA==][][][cn=15012213,OU=Users,OU=Optus,dc=web,dc=optus,dc=com,dc=au][][][][][][][][][][][][AuthorizeEx][S/..][53 2f 8c c1 ][][][][][][][][][]
    [12:39:13][Send response attribute 154, data size is 4][samlsp:https://dev.sp.virginmobile.com.au][][alan0001][][][Sm_Az_Message.cpp:735][6064][588][03/24/2014][12:39:13.229][CSm_Az_Message::FormatAttribute][][][][samlsp:https://dev.sp.virginmobile.com.au][][][][][s53/r86][][][][][][][][][][][][][][][][HzgXJVvljofw8uc/J9yzpeHq1Zn5M5NKD8o+Ay6/I1e3hPmLshTJZwZoTRH3QaC7vdNB4WAmjzq8K561nG9PsR0TbZFhXwuxyu4zBNM9AH9Rmxz7fyHaslkjc+edLPXGncFksIobw/Y9Devfr0onjUQ7CpOZJmiB1F7YzGm0oLyIOAjs13ubmYroFTL+scI2uiE7zVJX8Q4isaurgTQOunWRD6uNn5qQFMZ3YXHI3PxPC19UbOJght0PSM5hh9GRiiSdPzXWNEVCHs/tOrNTdfVVLAW0gWImQAZkTwe3/pwKXD0yNgzgtOeJc679v3G7gm5A5gOYvuUB4gpC4JlyChiXH2JCxCJ2skR0fGsG6VlWNPBh4MHHo18dvaYQgjObg2ennnBQ0nYZmz/D3Jsv/H2+ZDuoVXHOiOVnBoxPyJW1/mQLJ5c1wA==][][][cn=15012213,OU=Users,OU=Optus,dc=web,dc=optus,dc=com,dc=au][][][][][][][][][][][][AuthorizeEx][S/..][53 2f 8c c0 ][][][][][][][][][]
    [12:39:13][Send response attribute 155, data size is 4][samlsp:https://dev.sp.virginmobile.com.au][][alan0001][][][Sm_Az_Message.cpp:735][6064][588][03/24/2014][12:39:13.229][CSm_Az_Message::FormatAttribute][][][][samlsp:https://dev.sp.virginmobile.com.au][][][][][s53/r86][][][][][][][][][][][][][][][][HzgXJVvljofw8uc/J9yzpeHq1Zn5M5NKD8o+Ay6/I1e3hPmLshTJZwZoTRH3QaC7vdNB4WAmjzq8K561nG9PsR0TbZFhXwuxyu4zBNM9AH9Rmxz7fyHaslkjc+edLPXGncFksIobw/Y9Devfr0onjUQ7CpOZJmiB1F7YzGm0oLyIOAjs13ubmYroFTL+scI2uiE7zVJX8Q4isaurgTQOunWRD6uNn5qQFMZ3YXHI3PxPC19UbOJght0PSM5hh9GRiiSdPzXWNEVCHs/tOrNTdfVVLAW0gWImQAZkTwe3/pwKXD0yNgzgtOeJc679v3G7gm5A5gOYvuUB4gpC4JlyChiXH2JCxCJ2skR0fGsG6VlWNPBh4MHHo18dvaYQgjObg2ennnBQ0nYZmz/D3Jsv/H2+ZDuoVXHOiOVnBoxPyJW1/mQLJ5c1wA==][][][cn=15012213,OU=Users,OU=Optus,dc=web,dc=optus,dc=com,dc=au][][][][][][][][][][][][AuthorizeEx][S/..][53 2f 8c c1 ][][][][][][][][][]
    [12:39:13][Send response attribute 225, data size is 4][samlsp:https://dev.sp.virginmobile.com.au][][alan0001][][][Sm_Az_Message.cpp:735][6064][588][03/24/2014][12:39:13.229][CSm_Az_Message::FormatAttribute][][][][samlsp:https://dev.sp.virginmobile.com.au][][][][][s53/r86][][][][][][][][][][][][][][][][HzgXJVvljofw8uc/J9yzpeHq1Zn5M5NKD8o+Ay6/I1e3hPmLshTJZwZoTRH3QaC7vdNB4WAmjzq8K561nG9PsR0TbZFhXwuxyu4zBNM9AH9Rmxz7fyHaslkjc+edLPXGncFksIobw/Y9Devfr0onjUQ7CpOZJmiB1F7YzGm0oLyIOAjs13ubmYroFTL+scI2uiE7zVJX8Q4isaurgTQOunWRD6uNn5qQFMZ3YXHI3PxPC19UbOJght0PSM5hh9GRiiSdPzXWNEVCHs/tOrNTdfVVLAW0gWImQAZkTwe3/pwKXD0yNgzgtOeJc679v3G7gm5A5gOYvuUB4gpC4JlyChiXH2JCxCJ2skR0fGsG6VlWNPBh4MHHo18dvaYQgjObg2ennnBQ0nYZmz/D3Jsv/H2+ZDuoVXHOiOVnBoxPyJW1/mQLJ5c1wA==][][][cn=15012213,OU=Users,OU=Optus,dc=web,dc=optus,dc=com,dc=au][][][][][][][][][][][][AuthorizeEx][....][00 00 0e 10 ][][][][][][][][][]
    [12:39:13][Send response attribute 226, data size is 4][samlsp:https://dev.sp.virginmobile.com.au][][alan0001][][][Sm_Az_Message.cpp:735][6064][588][03/24/2014][12:39:13.229][CSm_Az_Message::FormatAttribute][][][][samlsp:https://dev.sp.virginmobile.com.au][][][][][s53/r86][][][][][][][][][][][][][][][][HzgXJVvljofw8uc/J9yzpeHq1Zn5M5NKD8o+Ay6/I1e3hPmLshTJZwZoTRH3QaC7vdNB4WAmjzq8K561nG9PsR0TbZFhXwuxyu4zBNM9AH9Rmxz7fyHaslkjc+edLPXGncFksIobw/Y9Devfr0onjUQ7CpOZJmiB1F7YzGm0oLyIOAjs13ubmYroFTL+scI2uiE7zVJX8Q4isaurgTQOunWRD6uNn5qQFMZ3YXHI3PxPC19UbOJght0PSM5hh9GRiiSdPzXWNEVCHs/tOrNTdfVVLAW0gWImQAZkTwe3/pwKXD0yNgzgtOeJc679v3G7gm5A5gOYvuUB4gpC4JlyChiXH2JCxCJ2skR0fGsG6VlWNPBh4MHHo18dvaYQgjObg2ennnBQ0nYZmz/D3Jsv/H2+ZDuoVXHOiOVnBoxPyJW1/mQLJ5c1wA==][][][cn=15012213,OU=Users,OU=Optus,dc=web,dc=optus,dc=com,dc=au][][][][][][][][][][][][AuthorizeEx][... ][00 00 1c 20 ][][][][][][][][][]
    [12:39:13][Send response attribute 205, data size is 28][samlsp:https://dev.sp.virginmobile.com.au][][alan0001][][][Sm_Az_Message.cpp:735][6064][588][03/24/2014][12:39:13.229][CSm_Az_Message::FormatAttribute][][][][samlsp:https://dev.sp.virginmobile.com.au][][][][][s53/r86][][][][][][][][][][][][][][][][HzgXJVvljofw8uc/J9yzpeHq1Zn5M5NKD8o+Ay6/I1e3hPmLshTJZwZoTRH3QaC7vdNB4WAmjzq8K561nG9PsR0TbZFhXwuxyu4zBNM9AH9Rmxz7fyHaslkjc+edLPXGncFksIobw/Y9Devfr0onjUQ7CpOZJmiB1F7YzGm0oLyIOAjs13ubmYroFTL+scI2uiE7zVJX8Q4isaurgTQOunWRD6uNn5qQFMZ3YXHI3PxPC19UbOJght0PSM5hh9GRiiSdPzXWNEVCHs/tOrNTdfVVLAW0gWImQAZkTwe3/pwKXD0yNgzgtOeJc679v3G7gm5A5gOYvuUB4gpC4JlyChiXH2JCxCJ2skR0fGsG6VlWNPBh4MHHo18dvaYQgjObg2ennnBQ0nYZmz/D3Jsv/H2+ZDuoVXHOiOVnBoxPyJW1/mQLJ5c1wA==][][][cn=15012213,OU=Users,OU=Optus,dc=web,dc=optus,dc=com,dc=au][][][][][][][][][][][][AuthorizeEx][+Hl6WMeLz/KCh8EeJSMu1oV0Ptw=][2b 48 6c 36 57 4d 65 4c 7a 2f 4b 43 68 38 45 65 4a 53 4d 75 31 6f 56 30 50 74 77 3d ][][][][][][][][][]
    [12:39:13][Send response attribute 146, data size is 0][samlsp:https://dev.sp.virginmobile.com.au][][alan0001][][][Sm_Az_Message.cpp:735][6064][588][03/24/2014][12:39:13.229][CSm_Az_Message::FormatAttribute][][][][samlsp:https://dev.sp.virginmobile.com.au][][][][][s53/r86][][][][][][][][][][][][][][][][HzgXJVvljofw8uc/J9yzpeHq1Zn5M5NKD8o+Ay6/I1e3hPmLshTJZwZoTRH3QaC7vdNB4WAmjzq8K561nG9PsR0TbZFhXwuxyu4zBNM9AH9Rmxz7fyHaslkjc+edLPXGncFksIobw/Y9Devfr0onjUQ7CpOZJmiB1F7YzGm0oLyIOAjs13ubmYroFTL+scI2uiE7zVJX8Q4isaurgTQOunWRD6uNn5qQFMZ3YXHI3PxPC19UbOJght0PSM5hh9GRiiSdPzXWNEVCHs/tOrNTdfVVLAW0gWImQAZkTwe3/pwKXD0yNgzgtOeJc679v3G7gm5A5gOYvuUB4gpC4JlyChiXH2JCxCJ2skR0fGsG6VlWNPBh4MHHo18dvaYQgjObg2ennnBQ0nYZmz/D3Jsv/H2+ZDuoVXHOiOVnBoxPyJW1/mQLJ5c1wA==][][][cn=15012213,OU=Users,OU=Optus,dc=web,dc=optus,dc=com,dc=au][][][][][][][][][][][][AuthorizeEx][][][][][][][][][][][]
    [12:39:13][Send response attribute 147, data size is 127][samlsp:https://dev.sp.virginmobile.com.au][][alan0001][][][Sm_Az_Message.cpp:735][6064][588][03/24/2014][12:39:13.229][CSm_Az_Message::FormatAttribute][][][][samlsp:https://dev.sp.virginmobile.com.au][][][][][s53/r86][][][][][][][][][][][][][][][][HzgXJVvljofw8uc/J9yzpeHq1Zn5M5NKD8o+Ay6/I1e3hPmLshTJZwZoTRH3QaC7vdNB4WAmjzq8K561nG9PsR0TbZFhXwuxyu4zBNM9AH9Rmxz7fyHaslkjc+edLPXGncFksIobw/Y9Devfr0onjUQ7CpOZJmiB1F7YzGm0oLyIOAjs13ubmYroFTL+scI2uiE7zVJX8Q4isaurgTQOunWRD6uNn5qQFMZ3YXHI3PxPC19UbOJght0PSM5hh9GRiiSdPzXWNEVCHs/tOrNTdfVVLAW0gWImQAZkTwe3/pwKXD0yNgzgtOeJc679v3G7gm5A5gOYvuUB4gpC4JlyChiXH2JCxCJ2skR0fGsG6VlWNPBh4MHHo18dvaYQgjObg2ennnBQ0nYZmz/D3Jsv/H2+ZDuoVXHOiOVnBoxPyJW1/mQLJ5c1wA==][][][cn=15012213,OU=Users,OU=Optus,dc=web,dc=optus,dc=com,dc=au][][][][][][][][][][][][AuthorizeEx][<RVARS><Var name="ConsumerURL" rtype="3"><![CDATA[https://dev.sp.virginmobile.com.au/Shibboleth.sso/SAML2/POST]]></Var></RVARS>][3c 52 56 41 52 53 3e 3c 56 61 72 20 6e 61 6d 65 3d 22 43 6f 6e 73 75 6d 65 72 55 52 4c 22 20 72 74 79 70 65 3d 22 33 22 3e 3c 21 5b 43 44 41 54 41 5b 68 74 74 70 73 3a 2f 2f 64 65 76 2e 73 70 2e 76 69 72 67 69 6e 6d 6f 62 69 6c 65 2e 63 6f 6d 2e 61 75 2f 53 68 69 62 62 6f 6c 65 74 68 2e 73 73 6f 2f 53 41 4d 4c 32 2f 50 4f 53 54 5d 5d 3e 3c 2f 56 61 72 3e 3c 2f 52 56 41 52 53 3e ][][][][][][][][][]

    Thanks for your help, and let me know if any more info is required.



  • 25.  RE: [CA SiteMinder General Discussion] RE: SiteMinder Federation Messages E

    Broadcom Employee
    Posted Mar 27, 2014 09:55 AM

    My email-based reply somehow did not make it into this post. What I meant below was that we would need to scroll up in the smps traces to see why the assertion was not generated. You might also want to open a support ticket for tracking this.

     

    From: Gangwar-Warty, Manjari K
    Sent: Monday, March 24, 2014 11:04 AM

     You would need to look further up in the smps traces to find the root cause, as the assertion generation itself was not successful. Do you have a custom assertion generator plug-in?

     GetActiveAttr;smjavaapi;JavaActiveExpression;com.netegrity.assertiongenerator.AssertionGenerator -AssertionHandler:SAML20 unspecified:username=alan0001 returned NULL

     Thanks & Regards,

    ----- Manjari

     



  • 26.  RE: [CA SiteMinder General Discussion] RE: SiteMinder Federation Messages E

    Posted Apr 03, 2014 01:56 AM

    Hi Manjari,

    Thanks for your response. The last issue was caused by the SLO configuration. The assertion is now getting generated fine.

    Initially I used a basic authentication scheme to protect the redirect URL. With basic authentication, everything was perfect.

    Now another problem. When I moved from the basic authentication scheme to a custom authentication scheme, the problem started.

    Here is the flow:

    1. Hit a URL (anything which redirects to the Federation-protected URL) which is protected with the custom authentication scheme (custom login page).
    2. After authentication, that should generate the test.com.au and mobile.com.au cookies before forwarding the request to assertion generation.

    WA Trace log shows : processing is protected response

    plugin interface smnoaction
    credentialmanager returned smNo or smnoaction or calling challengemanager.

    Note: I do not have a cookie provider in my environment. How should I achieve cross-domain without a cookie provider?
    Please help me find some lead.



  • 27.  RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Posted Jul 31, 2012 04:55 PM
    Manjari,

    This is an excellent post. Thanks for sharing.

    We are implementing the Federation Manager, and for the IDP the customers are using IBM's Tivoli. I was able to successfully process the request with both sides being the CA product. Now I have to test my environment in such a way that a stand-alone application will be posting the SAML and my SP will consume it. I wrote one sample HTML page where I am posting my SAML to <SP>/affwebservices/public/saml2assertionconsumer. I am not sure what format to use. I was just playing with the different response messages that I was seeing in the SP logs when I used CA products for both IDP and SP.

    I was getting the error saying "HTTP Status 400 - Bad Request. The request had bad syntax or incorrect parameters. Transaction ID: eec07f52-c917bd74-81f8af56-3096f287-d1cf224c-3e failed."


    And here is the response that I was using to post to my SP:

    <UserCredentials>
    <Response Destination="https://SP/affwebservices/public/saml2assertionconsumer" ID="_e233828188e7b931cc8686afa8c7d33f0bce" InResponseTo="_206ccc1b7e5c1a55578cd3d0d140a3df3ebd" IssueInstant="2012-07-31T18:40:13Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
      <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">IdentityProvider</ns1:Issuer>
      <Status>
        <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </Status>
      <ns2:Assertion ID="_a2399040fcc69517d480426969dca8f0c938" IssueInstant="2012-07-31T18:40:13Z" Version="2.0" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">
        <ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">IdentityProvider</ns2:Issuer>
        <ns2:Subject>
          <ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">matheen@1sync.org</ns2:NameID>
          <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <ns2:SubjectConfirmationData InResponseTo="_206ccc1b7e5c1a55578cd3d0d140a3df3ebd" NotOnOrAfter="2012-07-31T18:41:43Z" Recipient="https://test.dev.1sync.org/affwebservices/public/saml2assertionconsumer"/>
          </ns2:SubjectConfirmation>
        </ns2:Subject>
        <ns2:Conditions NotBefore="2012-07-31T18:39:43Z" NotOnOrAfter="2012-07-31T18:41:43Z">
          <ns2:AudienceRestriction>
            <ns2:Audience>SPServiceProvider</ns2:Audience>
          </ns2:AudienceRestriction>
        </ns2:Conditions>
        <ns2:AuthnStatement AuthnInstant="2012-07-31T18:40:13Z" SessionIndex="8WgBReOWh9ylEyiLq6Nnf5dp7Fw=TK7yEw==" SessionNotOnOrAfter="2012-07-31T18:41:43Z">
          <ns2:AuthnContext>
            <ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
          </ns2:AuthnContext>
        </ns2:AuthnStatement>
        <ns2:AttributeStatement>
          <ns2:Attribute Name="FIRST_NAME" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <ns2:AttributeValue>Matheen</ns2:AttributeValue>
          </ns2:Attribute>
          <ns2:Attribute Name="LAST_NAME" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <ns2:AttributeValue>Syed</ns2:AttributeValue>
          </ns2:Attribute>
          <ns2:Attribute Name="EMAIL_ADDRESS" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <ns2:AttributeValue/>
          </ns2:Attribute>
          <ns2:Attribute Name="SM_USER" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <ns2:AttributeValue>matheen@1sync.org</ns2:AttributeValue>
          </ns2:Attribute>
          <ns2:Attribute Name="SM_USER" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <ns2:AttributeValue>matheen@1sync.org</ns2:AttributeValue>
          </ns2:Attribute>
        </ns2:AttributeStatement>
      </ns2:Assertion>
    </Response>
    <Binding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</Binding>
    <AssertionConsumerServiceURL>https://SP/affwebservices/public/saml2assertionconsumer</AssertionConsumerServiceURL>
    </UserCredentials>


    Thanks,
    Matheen


  • 28.  RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Posted Jul 31, 2012 06:02 PM
    To add more to that:

    Is there a sample form (maybe a JSP) where we can test our sample SAML 2.0 responses, just to mimic them as if they are coming from the 3rd party IDP and going to the SP, which is the CA Federation product?

    Thanks,
    Matheen


  • 29.  RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Broadcom Employee
    Posted Jul 31, 2012 06:26 PM
    [Example of the Auto-POST form that automatically posts the SAMLResponse  containing the Assertion to the SP/Consumer: Straight from Fiddler traces]

    HTTP/1.1 200 OK
    Connection: close
    Date: Tue, 31 Jul 2012 22:17:37 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    set-cookie: SMSESSION=<cookie value removed>; path=/; domain=.my.com
    X-Powered-By: ServletExec/5.0.0.14, Servlet/2.4, JSP/2.0
    Content-Type: text/html
    Cache-Control: no-cache, no-store, must-revalidate

    <html>
    <HEAD><META HTTP-EQUIV='PRAGMA' CONTENT='NO-CACHE'><META HTTP-EQUIV='CACHE-CONTROL' CONTENT='NO-CACHE'><TITLE>SAML 2.0 Auto-POST form</TITLE></HEAD>
    <body onLoad="document.forms[0].submit()">
    <NOSCRIPT>Your browser does not support JavaScript. Please click the 'Continue' button below to proceed. <br><br></NOSCRIPT>
    <form action="http://sp.ca.com/affwebservices/public/saml2assertionconsumer" method="POST">
    <input type="hidden" name="SAMLResponse" value="PFJlc3BvbnNlIERlc3RpbmF0aW9uPSJodHRwOi8vc3AuY2EuY29tL2FmZndlYnNlcnZpY2VzL3B1
    YmxpYy9zYW1sMmFzc2VydGlvbmNvbnN1bWVyIiBJRD0iXzM1OWE1YmJhOGE5OGIzYTE4YjUwOTQ1
    ZGRmNjFhZTE1ZGIzMiIgSXNzdWVJbnN0YW50PSIyMDEyLTA3LTMxVDIyOjE3OjM3WiIgVmVyc2lv
    bj0iMi4wIiB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIj4KICAg
    IDxuczE6SXNzdWVyIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1m
    b3JtYXQ6ZW50aXR5IiB4bWxuczpuczE9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3Nl
    cnRpb24iPmlkcC5teS5jb208L25zMTpJc3N1ZXI+CiAgICA8U3RhdHVzPgogICAgICAgIDxTdGF0
    dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3Mi
    Lz4KICAgIDwvU3RhdHVzPgogICAgPG5zMjpBc3NlcnRpb24gSUQ9Il9kMjAzNTJiM2JhMWI1ZGM0
    YTAxNGNlM2YxNjQ4YjI4NjAwYWUiIElzc3VlSW5zdGFudD0iMjAxMi0wNy0zMVQyMjoxNzozN1oi
    IFZlcnNpb249IjIuMCIgeG1sbnM6bnMyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNz
    ZXJ0aW9uIj4KICAgICAgICA8bnMyOklzc3VlciBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpT
    QU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSI+aWRwLm15LmNvbTwvbnMyOklzc3Vlcj4KICAg
    ICAgICA8bnMyOlN1YmplY3Q+CiAgICAgICAgICAgIDxuczI6TmFtZUlEIEZvcm1hdD0idXJuOm9h
    c2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6dW5zcGVjaWZpZWQiPmdhbm1hMDI8
    L25zMjpOYW1lSUQ+CiAgICAgICAgICAgIDxuczI6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9
    InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPgogICAgICAgICAgICAgICAg
    PG5zMjpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBOb3RPbk9yQWZ0ZXI9IjIwMTItMDctMzFUMjI6
    MTk6MzdaIiBSZWNpcGllbnQ9Imh0dHA6Ly9zcC5jYS5jb20vYWZmd2Vic2VydmljZXMvcHVibGlj
    L3NhbWwyYXNzZXJ0aW9uY29uc3VtZXIiLz4KICAgICAgICAgICAgPC9uczI6U3ViamVjdENvbmZp
    cm1hdGlvbj4KICAgICAgICA8L25zMjpTdWJqZWN0PgogICAgICAgIDxuczI6Q29uZGl0aW9ucyBO
    b3RCZWZvcmU9IjIwMTItMDctMzFUMjI6MTY6MzdaIiBOb3RPbk9yQWZ0ZXI9IjIwMTItMDctMzFU
    MjI6MTk6MzdaIj4KICAgICAgICAgICAgPG5zMjpBdWRpZW5jZVJlc3RyaWN0aW9uPgogICAgICAg
    ICAgICAgICAgPG5zMjpBdWRpZW5jZT5zcC5jYS5jb208L25zMjpBdWRpZW5jZT4KICAgICAgICAg
    ICAgPC9uczI6QXVkaWVuY2VSZXN0cmljdGlvbj4KICAgICAgICA8L25zMjpDb25kaXRpb25zPgog
    ICAgICAgIDxuczI6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDEyLTA3LTMxVDIyOjE3
    OjIxWiIgU2Vzc2lvbkluZGV4PSJRTThza3R1bmJ5ckVORWh2MmxseTdOTll0NDA9ZkV3Wmp3PT0i
    IFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTItMDctMzFUMjI6MTk6MzdaIj4KICAgICAgICAgICAg
    PG5zMjpBdXRobkNvbnRleHQ+CiAgICAgICAgICAgICAgICA8bnMyOkF1dGhuQ29udGV4dENsYXNz
    UmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9uczI6
    QXV0aG5Db250ZXh0Q2xhc3NSZWY+CiAgICAgICAgICAgIDwvbnMyOkF1dGhuQ29udGV4dD4KICAg
    ICAgICA8L25zMjpBdXRoblN0YXRlbWVudD4KICAgICAgICA8bnMyOkF0dHJpYnV0ZVN0YXRlbWVu
    dD4KICAgICAgICAgICAgPG5zMjpBdHRyaWJ1dGUgTmFtZT0iZW1waWQiIE5hbWVGb3JtYXQ9InVy
    bjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dW5zcGVjaWZpZWQiPgog
    ICAgICAgICAgICAgICAgPG5zMjpBdHRyaWJ1dGVWYWx1ZT4xMjM0NTwvbnMyOkF0dHJpYnV0ZVZh
    bHVlPgogICAgICAgICAgICA8L25zMjpBdHRyaWJ1dGU+CiAgICAgICAgPC9uczI6QXR0cmlidXRl
    U3RhdGVtZW50PgogICAgPC9uczI6QXNzZXJ0aW9uPgo8L1Jlc3BvbnNlPgoK">
    <NOSCRIPT><INPUT TYPE="SUBMIT" VALUE="Continue"></NOSCRIPT>
    </form>
    </body>
    </html>


    [Key Concepts]
    1) This returned form can easily be saved as an HTML or JSP page and, as long as the SAMLResponse POST parameter contains a valid assertion and is correctly encoded (Base 64 encoding is done to substitute the value in this form for the SAMLResponse, and the browser/web server would, based on my tests, do the URL encoding for the FORM POST data), it can be used to test/simulate a 3rd party IDP posting an assertion to SiteMinder.
    2) When dealing with testing assertions which are not generated in real time, we should be careful to make sure that the validity duration is still good.
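    The encoding round trip described in Key Concept 1, as an added example (not SiteMinder/FWS code): an IdP-side Base64 encode into the auto-POST form, the browser's form URL-encoding of that value, and the SP-side decode order that also applies when a SAMLResponse is copied out of an HTTP trace. The Response XML, IDs and form layout are constructed for the example.

```python
import base64
import html
import urllib.parse
import xml.etree.ElementTree as ET

ACS_URL = "http://sp.ca.com/affwebservices/public/saml2assertionconsumer"

# Constructed minimal IDP-initiated Response (no InResponseTo); not FWS output.
SAMPLE_RESPONSE = (
    '<Response Destination="' + ACS_URL + '" ID="_constructed_resp_id" '
    'IssueInstant="2012-07-31T22:17:37Z" Version="2.0" '
    'xmlns="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">idp.my.com</ns1:Issuer>'
    '<Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></Status>'
    '</Response>'
)


def encode_saml_response(xml_text: str) -> str:
    """IdP side: plain Base64 (standard alphabet, '=' padding) of the UTF-8 XML.
    No URL-safe alphabet and no line breaks go into the form value."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def build_auto_post_form(xml_text: str, acs_url: str) -> str:
    """Auto-POST form in the shape of the FWS form above, with the encoded
    Response placed in the hidden SAMLResponse field."""
    encoded = encode_saml_response(xml_text)
    return (
        "<html><head><title>SAML 2.0 Auto-POST form</title></head>\n"
        '<body onLoad="document.forms[0].submit()">\n'
        f'<form action="{html.escape(acs_url, quote=True)}" method="POST">\n'
        f'<input type="hidden" name="SAMLResponse" value="{html.escape(encoded, quote=True)}">\n'
        '<noscript><input type="submit" value="Continue"></noscript>\n'
        "</form></body></html>\n"
    )


def browser_post_body(encoded: str) -> str:
    """What the browser actually sends (application/x-www-form-urlencoded):
    the Base64 characters '+', '/' and '=' arrive as %2B, %2F and %3D."""
    return urllib.parse.urlencode({"SAMLResponse": encoded})


def decode_post_body(body: str) -> ET.Element:
    """SP side (and the order to use on a value copied from an HTTP trace):
    URL-decode first, then Base64-decode, then parse. Base64-decoding the raw
    form value without URL-decoding it is a common reason it 'does not decode'."""
    params = urllib.parse.parse_qs(body, strict_parsing=True)
    raw = base64.b64decode(params["SAMLResponse"][0], validate=True)
    return ET.fromstring(raw)


def response_id_from_form_post(xml_text: str) -> str:
    """Round trip: encode, post as a browser would, decode as the SP would."""
    body = browser_post_body(encode_saml_response(xml_text))
    return decode_post_body(body).get("ID")
```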


  • 30.  RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Posted Aug 01, 2012 01:28 PM
    Hi Manjari,

    When I tried posting the messages using the HTML (I did change the values according to my environment and used the https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php site to encrypt), I am seeing the following error in my SP's affwebserv.log:

    [6501/3435269008][Wed Aug 01 2012 17:05:28][AssertionConsumer.java][ERROR] Transaction with ID: 3e88f603-0ff13a8c-4706b4df-731aa36b-40609995-46 failed. Reason: ACS_BAD_INRESPONSETO

    Do you know what might be the issue?

    This is the response I am posting:


    Thanks,
    Matheen


  • 31.  RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Broadcom Employee
    Posted Aug 01, 2012 01:39 PM
    Hello Matheen,

    If you are doing a SP Initiated transaction, you would need to modify the InResponseTo value in the assertion, to match with your AuthNRequest ID. I think that is what this error means and also please make sure that the Form is not truncating the POST data for some reason.
    Please do confirm back if you are able to resolve it.

    Thanks,
    ---- Manjari.


  • 32.  RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Posted Aug 02, 2012 06:08 PM
    Hi Manjari,

    I made this work with the following SAML message. Yes, you are correct, I am initiating the request from the IDP. Right now I am getting another issue. If I use the same SAML again and again, I am getting the following error:

    [13528/3254455184][Thu Aug 02 2012 16:50:45][SmAuthSaml.cpp:356][ERROR] Could not set Expiry Data for assertion to enforce single use assertion policy. Replay of assertion suspected.
    and it is not allowing me to get into my target applications.

    <Response Destination="https://test.dev.1sync.org/affwebservices/public/saml2assertionconsumer" ID="_57cd296a2e9b4592befaaf6daacc104b41ec" IssueInstant="2012-08-02T19:53:31Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
      <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">KIdentityProvider</ns1:Issuer>
      <Status>
        <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </Status>
      <ns2:Assertion ID="_d38f4c904434421e66b3a861d7baa1ef3cdc" IssueInstant="2012-08-02T19:53:31Z" Version="2.0" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">
        <ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">KIdentityProvider</ns2:Issuer>
        <ns2:Subject>
          <ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">matheen@1sync.org</ns2:NameID>
          <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <ns2:SubjectConfirmationData NotOnOrAfter="2013-08-02T19:55:00Z" Recipient="https://test.dev.1sync.org/affwebservices/public/saml2assertionconsumer"/>
          </ns2:SubjectConfirmation>
        </ns2:Subject>
        <ns2:Conditions NotBefore="2012-08-02T19:53:00Z" NotOnOrAfter="2013-08-02T19:55:00Z">
          <ns2:AudienceRestriction>
            <ns2:Audience>1SyncServiceProvider</ns2:Audience>
          </ns2:AudienceRestriction>
        </ns2:Conditions>
        <ns2:AuthnStatement AuthnInstant="2012-08-02T19:53:30Z" SessionIndex="ED5nYBb0x8F8sf/wr7oCIJg4AEU=1Tkb/g==" SessionNotOnOrAfter="2013-08-02T19:55:00Z">
          <ns2:AuthnContext>
            <ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
          </ns2:AuthnContext>
        </ns2:AuthnStatement>
        <ns2:AttributeStatement>
          <ns2:Attribute Name="FIRST_NAME" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <ns2:AttributeValue>Matheen</ns2:AttributeValue>
          </ns2:Attribute>
          <ns2:Attribute Name="LAST_NAME" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <ns2:AttributeValue>Syed</ns2:AttributeValue>
          </ns2:Attribute>
          <ns2:Attribute Name="SM_USER" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <ns2:AttributeValue>matheen@1sync.org</ns2:AttributeValue>
          </ns2:Attribute>
        </ns2:AttributeStatement>
      </ns2:Assertion>
    </Response>


  • 33.  RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Posted Aug 16, 2012 02:39 PM
    I figured out how to make this work.

    If you are posting the same SAML Response again and again (with the same ID), you need to delete the ID from the ss_expirydata5 table (if you are using Oracle as a policy store).


  • 34.  Re: RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Posted Jan 14, 2016 12:40 AM

    The problem you are facing was because you have a Single Use Policy.

    That setting at the SP is there to prevent assertion replay.

    To do so, SiteMinder stores that ID in the session store so that it will not accept the same ID again.

    So, it would have been easier if you had disabled the Single Use Policy.
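    The SP-side checks behind the three failures discussed in this thread (ACS_BAD_INRESPONSETO in post 31, stale validity windows in Key Concept 2, and the single-use assertion policy in posts 32 to 34), as an added toy example that is not SiteMinder code. The in-memory dict stands in for the ss_expirydata table; the Response XML, the `AssertionConsumer` name and every reason string other than ACS_BAD_INRESPONSETO are made up for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed IDP-initiated Response shaped like the one posted above (no InResponseTo).
SAMPLE = (
    f'<Response xmlns="{SAMLP}" ID="_resp1" Version="2.0" IssueInstant="2012-08-02T19:53:31Z">'
    f'<ns2:Assertion xmlns:ns2="{SAML}" ID="_assert1" Version="2.0" IssueInstant="2012-08-02T19:53:31Z">'
    '<ns2:Subject><ns2:NameID>matheen@1sync.org</ns2:NameID>'
    '<ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<ns2:SubjectConfirmationData NotOnOrAfter="2012-08-02T19:55:00Z"/>'
    '</ns2:SubjectConfirmation></ns2:Subject>'
    '<ns2:Conditions NotBefore="2012-08-02T19:53:00Z" NotOnOrAfter="2012-08-02T19:55:00Z">'
    '<ns2:AudienceRestriction><ns2:Audience>1SyncServiceProvider</ns2:Audience></ns2:AudienceRestriction>'
    '</ns2:Conditions></ns2:Assertion></Response>'
)


def ts(value: str) -> datetime:
    """Parse the UTC timestamp form used in the SAML messages in this thread."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class AssertionConsumer:
    """Toy SP-side consumer. `expiry_data` plays the role of ss_expirydata:
    assertion ID -> NotOnOrAfter, kept only until the assertion would expire anyway."""

    def __init__(self, audience: str, single_use: bool = True) -> None:
        self.audience = audience
        self.single_use = single_use
        self.expiry_data: Dict[str, datetime] = {}

    def consume(self, xml_text: str, now: datetime,
                expected_request_id: Optional[str] = None) -> str:
        """Return 'OK' or a reason. Only ACS_BAD_INRESPONSETO is a real
        affwebserv.log reason code; the other names are invented here."""
        resp = ET.fromstring(xml_text)
        # SP-initiated flow: InResponseTo must echo the AuthnRequest ID we issued.
        # IDP-initiated flow: there was no request, so InResponseTo must be absent.
        if resp.get("InResponseTo") != expected_request_id:
            return "ACS_BAD_INRESPONSETO"
        assertion = resp.find(f"{{{SAML}}}Assertion")
        cond = assertion.find(f"{{{SAML}}}Conditions") if assertion is not None else None
        if assertion is None or cond is None:
            return "NO_ASSERTION_OR_CONDITIONS"
        not_before, not_on_or_after = ts(cond.get("NotBefore")), ts(cond.get("NotOnOrAfter"))
        if not (not_before <= now < not_on_or_after):
            return "ASSERTION_EXPIRED"      # Key Concept 2: canned test assertions go stale
        if self.audience not in {a.text for a in cond.iter(f"{{{SAML}}}Audience")}:
            return "BAD_AUDIENCE"
        if self.single_use:
            # Drop IDs of assertions that can no longer be valid, then refuse any seen ID.
            self.expiry_data = {k: v for k, v in self.expiry_data.items() if v > now}
            aid = assertion.get("ID")
            if aid in self.expiry_data:
                return "ASSERTION_REPLAY"   # "Replay of assertion suspected" in the log above
            self.expiry_data[aid] = not_on_or_after
        return "OK"
```

Note that the replay check is the last one: a re-posted assertion whose window has already passed is rejected as expired before its ID is consulted, which is why the stored IDs only need to live as long as the assertion itself.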



  • 35.  RE: SiteMinder Federation Messages Examples: To help with 3rd party interop

    Posted Apr 22, 2014 10:30 AM

    Hi Manjari,