Symantec Access Management

  • 1.  Error while making sp initiated request.

    Posted Nov 19, 2014 03:20 AM

    Hi,

          I am trying to make an SP-initiated SAML request. A SAMLRequest is generated and is sent to SiteMinder. I have the following log traces from SiteMinder. Please help me understand what this actually means.


    Traces from the smps.log file:

    [AssertionGenerator.java][ERROR] preProcess() returns fatal error. <Response ID="............." InResponseTo="_............." IssueInstant="2014-11-18T15:14:56Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">

        <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">...................</ns1:Issuer>

        <Status>

            <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>

            <StatusMessage>Configuration error.</StatusMessage>

        </Status>

    </Response

    Traces from the FWS trace:


    [SSO.java][processAssertionGeneration][Calling authorizeEx to invoke SAML2 assertion generator.]

    SSO.java][processAssertionGeneration][Result of authorizeEx call is: 1.]

    SSO.java][processAssertionGeneration][Received the following response from SAML2 assertion generator: SAML2Response=NO.]

    [SSO.java][processAssertionGeneration][Denying request due to "NO" returned from SAML2 assertion generator.]

    [475d7eda-46c50a82-6906b27d-2193b866-085ab08c-cf][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]

    I want to know what the result of authorizeEx call = 1 means. Is it success or failure?

    Also, what can be the possible causes of the configuration error?

    Any help in this regard would be appreciated.



  • 2.  Re: Error while making sp initiated request.

    Posted Nov 19, 2014 12:25 PM

    Anshul Anshul_Arzare

    What version of SiteMinder is this?

    Have you applied the unlimited JCE patches on Java and restarted the Policy Server process?

    Are you signing / encrypting the Assertion? Disable signature processing for testing purposes and check the result.

    Though this is failing during the assertion generation stage in the IdP, I don't think it is related to the User Policy (User not granted access), but check the user.

    A few more lines of the smtracedefault.log would help, after cleaning off sensitive assertion information.

    Regards

    Hubert



  • 3.  Re: Error while making sp initiated request.

    Posted Nov 20, 2014 01:45 AM

    Hi HubertDennis,

                              Yes, we are signing the assertion; if we disable signing it works. Also, the IdP-initiated flow works fine for the same user. I believe the unlimited JCE patches are applied.

                                I don't know the SiteMinder version, but will try to get it if that is necessary.


    [FWSBase.java][isValidSession][Calling login to validate SMSESSION cookie data.]

    [FWSBase.java][isValidSession][Result of login call is: 1.]

    [FWSBase.java][isValidSession][Request has valid SMSESSION cookie.]

    [SSO.java][processRequest][Force Authn is disabled.]

    [SSO.java][processRequest][Current session state is: true]

    [SSO.java][processApplicationRedirect][No application URL defined - not redirecting.]

    [SSO.java][getLocalServiceURL][Enter getLocalServiceURL]

    [SSO.java][processAssertionGeneration][Calling authorizeEx to invoke SAML2 assertion generator.]

    [SSO.java][processAssertionGeneration][ authorizeEx call is: 1.]

    [SSO.java][processAssertionGeneration][Received the following response from SAML2 assertion generator: SAML2Response=NO.]

    [SSO.java][processAssertionGeneration][Denying request due to "NO" returned from SAML2 assertion generator.]

    [ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]



  • 4.  Re: Error while making sp initiated request.

    Posted Nov 20, 2014 08:02 AM

    Anshul,

    If the information is sensitive -> open a case.

    If you open a case, or are serious about getting help, you need to understand that the following are absolutely necessary to share for people to know what you're doing and what capabilities you have:

    Version of SiteMinder -- major version (e.g. 12.0), service pack (e.g. 3) and cumulative release (e.g. 12)

    What version of Java this is using (e.g. 1.4)


    This allows one to know "are you using the wrong version of java?" which is important as the Federation calls are highly version dependent.

    By "highly version dependent" I mean that CA knows for a fact with how they write the federation calls, if it's not a version of java they certify the policy server with, it will fail in at least some cases.

    Next there's detailing the issue. Either do this with end-to-end logging, or by writing more than "what does x mean?"

    Even if I knew and told you what the 1 meant, it wouldn't help resolve the issue. We don't know the issue because you haven't told us the issue.


    From what you have shared I would be more concerned with the line "SSO.java][processApplicationRedirect][No application URL defined - not redirecting.]"

    and the line "[SSO.java][processAssertionGeneration][Received the following response from SAML2 assertion generator: SAML2Response=NO.]"

    Until these are resolved, it doesn't matter if you're authorized.

    If you're not sure how to configure the traces, either enable EVERYTHING, or go here: https://communities.ca.com/thread/101076074

    That should have a write-up on logging that's nearly complete. I've put a ticket in for an update. More wouldn't hurt.

    That being said, the next hurdle is learning how to correlate logs.

    Do you know how to do that or do you need your company to send you to training?

    Sorry for the phrasing, but log correlation is something they should be teaching in the SM 1 course....


    -josh



  • 5.  Re: Error while making sp initiated request.

    Posted Nov 24, 2015 01:28 AM

    Hi Anshul,

    I am facing a similar issue in my environment. Can you let me know the process to resolve this issue?

    Thanks,

    Narendra



  • 6.  Re: Error while making sp initiated request.

    Posted Mar 24, 2016 01:38 PM

    Hi All,

    I'm facing a similar issue here: the SP-initiated flow is failing with a 500 error. I applied the unlimited JCE patches in Java 1.8. I can see the response getting generated in the smps log, but in the FWS trace log SAML2Response=NO.

    I have Policy Server 12.52 SP02 and Secure Proxy Server 12.52.


    FWS trace.log

    [Received the following response from SAML2 assertion generator: SAML2Response=NO.]

    [03/24/2016][17:13:42][2220][5180][e156504c-892b9a8c-8cee651c-dafa9512-3f4e1857][SSO.java][processAssertionGeneration][Transaction with ID: e156504c-892b9a8c-8cee651c-dafa9512-3f4e1857 failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]

    [03/24/2016][17:13:42][2220][5180][e156504c-892b9a8c-8cee651c-dafa9512-3f4e1857][SSO.java][processAssertionGeneration][Denying request due to "NO" returned from SAML2 assertion generator.]

    [03/24/2016][17:13:42][2220][5180][][agentcommon][][Requesting data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

    [03/24/2016][17:13:42][2220][5180][][agentcommon][][Administration Manager is returning data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

    [03/24/2016][17:13:42][2220][5180][][agentcommon][][Requesting data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

    [03/24/2016][17:13:42][2220][5180][][agentcommon][][Administration Manager is returning data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

    [03/24/2016][17:13:42][2220][5180][e156504c-892b9a8c-8cee651c-dafa9512-3f4e1857][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]

    SMPS log


    [5156/5432][Thu Mar 24 2016 10:13:42][AssertionGenerator.java][ERROR][sm-FedServer-00080] preProcess() returns fatal error. <Response ID="_d467f1f328777a88ad31bf236d13273a492e" InResponseTo="_2CAAAAVQ50PejME8wMjgwMDAwMDA0Qzk2AAAAyK6oCuOrboF0UGjccjsCmQMs7dNnQf6RtHK0Vzv1ysUJYHQbW_DzD2pIPUXypgIcq1RzVeBfGzD83Sy4h116bOMs3kuakfYsnlNSs9NRNzVdm7Mw_Opd6LDsuiwC5cGYVrs40H-tthIbAtVzdsheALo__ypRGuEJg3yOjq_uWwSDqQiyudiNJ6McGk8DWb6jFwiqbc4IWyodkNBTooqar6ojH4sNzhycG5O9sq6-J1pmvL4U9A2FJLp_juFMmDoFdg" IssueInstant="2016-03-24T17:13:42Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">

        <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">http://amith.sso1.com</ns1:Issuer>

        <Status>

            <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>

            <StatusMessage>Configuration error.</StatusMessage>

        </Status>

    </Response>
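    Josh's point about correlating logs is the practical part of this thread: the FWS trace records the denial per transaction ID, while smps.log holds the SAML Response that the assertion generator rejected, and the two have to be read together. The script below is an added example (not code from the thread or from CA/Symantec) that groups FWS trace lines by their transaction ID, reads the Status block of each Response logged after the "preProcess() returns fatal error" marker, and pairs a denied transaction with the Response issued at the same time. The sample log lines are constructed in the layout of the post above with shortened IDs and a placeholder issuer; the time-matching assumes the FWS trace clock and the Response IssueInstant (UTC) are comparable, as they happen to be in the logs posted here (both read 17:13:42), and the five-second window is an assumed value.

```python
"""Correlate SiteMinder FWS trace denials with the SAML Response rejected in smps.log."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"

# Constructed sample FWS trace lines in the bracketed layout seen in the thread
# (transaction IDs shortened; the last transaction is a made-up clean one for contrast).
FWS_TRACE = """\
[03/24/2016][17:13:42][2220][5180][e156504c-3f4e1857][SSO.java][processAssertionGeneration][Calling authorizeEx to invoke SAML2 assertion generator.]
[03/24/2016][17:13:42][2220][5180][e156504c-3f4e1857][SSO.java][processAssertionGeneration][Received the following response from SAML2 assertion generator: SAML2Response=NO.]
[03/24/2016][17:13:42][2220][5180][e156504c-3f4e1857][SSO.java][processAssertionGeneration][Transaction with ID: e156504c-3f4e1857 failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]
[03/24/2016][17:13:42][2220][5180][][agentcommon][][Requesting data for ConfigManager ID <path redacted>]
[03/24/2016][17:13:42][2220][5180][e156504c-3f4e1857][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]
[03/24/2016][17:20:05][2220][5180][0badf00d-00000001][SSO.java][processAssertionGeneration][Calling authorizeEx to invoke SAML2 assertion generator.]
"""

# Constructed smps.log excerpt: the Response the assertion generator refused (placeholder issuer).
SMPS_LOG = """\
[5156/5432][Thu Mar 24 2016 10:13:42][AssertionGenerator.java][ERROR][sm-FedServer-00080] preProcess() returns fatal error. <Response ID="_d467f1f3" InResponseTo="_2CAAAAVQ" IssueInstant="2016-03-24T17:13:42Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
    <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">http://idp.example.test</ns1:Issuer>
    <Status>
        <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
        <StatusMessage>Configuration error.</StatusMessage>
    </Status>
</Response>
"""

# FWS trace line: [date][time][pid][tid][transaction id][source file][method][message]
FWS_LINE = re.compile(
    r"^\[([^\]]*)\]\[([^\]]*)\]\[([^\]]*)\]\[([^\]]*)\]"
    r"\[([^\]]*)\]\[([^\]]*)\]\[([^\]]*)\]\[(.*)\]$"
)


def parse_fws_line(line):
    """Split one FWS trace line into its fields; return None for lines in another layout."""
    m = FWS_LINE.match(line.strip())
    if not m:
        return None
    date, time_, _pid, _tid, txn, src, method, msg = m.groups()
    return {
        "ts": datetime.strptime(f"{date} {time_}", "%m/%d/%Y %H:%M:%S"),
        "txn": txn, "src": src, "method": method, "msg": msg,
    }


def fws_transactions(text):
    """Group FWS lines by transaction ID; agentcommon lines carry no ID and are skipped."""
    txns = defaultdict(list)
    for line in text.splitlines():
        rec = parse_fws_line(line)
        if rec and rec["txn"]:
            txns[rec["txn"]].append(rec)
    return txns


def summarize(records):
    """Reduce one transaction's lines to: when it started, was it denied, why, and the HTTP error."""
    summary = {"start": records[0]["ts"], "denied": False, "reason": None, "http_error": None}
    for rec in records:
        msg = rec["msg"]
        if "SAML2Response=NO" in msg or 'Denying request due to "NO"' in msg:
            summary["denied"] = True
        m = re.search(r"failed\. Reason: (\S+)", msg)
        if m:
            summary["reason"] = m.group(1)
        m = re.search(r"Sending HTTP Error (\d+)", msg)
        if m:
            summary["http_error"] = int(m.group(1))
    return summary


def smps_responses(text):
    """Extract each SAML Response logged after the fatal-error marker and read its Status block."""
    out = []
    for m in re.finditer(r"preProcess\(\) returns fatal error\.\s*(<Response.*?</Response>)", text, re.S):
        root = ET.fromstring(m.group(1))
        code = root.find(f"{SAMLP}Status/{SAMLP}StatusCode")
        message = root.find(f"{SAMLP}Status/{SAMLP}StatusMessage")
        out.append({
            "in_response_to": root.get("InResponseTo"),
            "issue_instant": datetime.strptime(root.get("IssueInstant"), "%Y-%m-%dT%H:%M:%SZ"),
            "status_code": code.get("Value") if code is not None else None,
            "status_message": message.text if message is not None else None,
        })
    return out


def correlate(fws_text, smps_text, window=timedelta(seconds=5)):
    """Pair every denied FWS transaction with the smps.log Response issued within `window`.
    Assumption: the FWS clock and the Response IssueInstant are comparable (they are in the thread)."""
    responses = smps_responses(smps_text)
    findings = []
    for txn, records in fws_transactions(fws_text).items():
        s = summarize(records)
        if not s["denied"]:
            continue
        match = next((r for r in responses if abs(r["issue_instant"] - s["start"]) <= window), None)
        findings.append({"txn": txn, **s, "response": match})
    return findings


if __name__ == "__main__":
    for f in correlate(FWS_TRACE, SMPS_LOG):
        print(f["txn"], f["reason"], f["http_error"], f["response"]["status_code"], f["response"]["status_message"])
```

    Run against real files, the output line for a failed SP-initiated transaction carries the FWS reason (FAILED_INVALID_RESPONSE_RETURNED), the HTTP status the browser saw, and the second-level SAML status from the Policy Server side; an empty `response` for a denied transaction means the two logs are not on the same clock or the Response was logged under a different marker, which is itself worth knowing before opening a case.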



  • 7.  Re: Error while making sp initiated request.

    Posted Mar 23, 2017 01:19 PM

    Hi All

    Was there any root cause and resolution identified? I faced the exact same issue yesterday and a simple policy server restart resolved it. But I'm still curious about the complete RCA on this. I can open a case with CA, but the problem is I don't have smtrace enabled as this is a prod environment.