Symantec Access Management

Expand all | Collapse all

OpenID Authentication Scheme - Google & Yahoo Provider - CA Single Sign-On (formerly CA Siteminder)

  • 1.  OpenID Authentication Scheme - Google & Yahoo Provider - CA Single Sign-On (formerly CA Siteminder)

    Posted 02-11-2016 08:19 PM

    Reference docs

    https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052-ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?1814733.html

    https://docops.ca.com/ca-single-sign-on-1252sp2/en/configuring/policy-server-configuration/authentication-schemes/openid-authentication-scheme

     

    Question: Yahoo provider works. But google doesn't as OpenID Authentication Scheme.

    I am trying to use Google as the OpenID provider. Seems like the google url in C:\Program Files\CA\webagent\win64\samples\forms\openid.fcc on WebServer is not correct.

    var providers_large = {

        google : {

            name : 'Google',

            url : 'https://www.google.com/accounts/o8/id'

        },

    Is this an URL issue or something. Can somebody spot the issue?

    If it is URL issue, what should the url be?

    There has been discussion over url here. Tried both.

    Two Different Google OpenID URLs - Stack Overflow

     

    On SM VM, C:\Program Files (x86)\CA\siteminder\config\properties\Openidproviders.xml has required claim as email for google provider, similar to yahoo.

    <TrustedOpenIDProviders>

    <OpenIDProvider >

    <ProviderName>

    google.com

    </ProviderName>

    <RequiredClaims>

    <claim>

    <URI>

    http://axschema.org/contact/email

    </URI>

    <alias>

    email

    </alias>

    </claim>

    </RequiredClaims>

    <OptionalClaims>

    </OptionalClaims>

    <Pape>

    <max_auth_age>

    0

    </max_auth_age>

    <Policies>

    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier

    </Policies>

    </Pape>

    </OpenIDProvider>

    <OpenIDProvider RequestType="ax">

    <ProviderName>yahooapis.com</ProviderName>

    <RequiredClaims>

    <claim>

    <URI>http://axschema.org/contact/email</URI>

    <alias>email</alias>

    </claim>

    </RequiredClaims>

    <OptionalClaims>

    </OptionalClaims>

    <Pape>

    <max_auth_age>

    0

    </max_auth_age>

    <Policies>

    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier,

    http://www.idmanagement.gov/schema/2009/05/icam/openid-trust-level1.pdf

    </Policies>

    </Pape>

    </OpenIDProvider>

     

     

    Getting the following error.

    [02/11/2016][19:40:46.691][19:40:46][4692][2884][Sm_Auth_Message.cpp:416][CSm_Auth_Message::AuthenticateUser][000000000000000000000000030da8c0-0188-56bd2a0e-0b38-02ac3a2d][iis_agent][/transpolar/employee/employee.jsp][][][EmployeeArea][][][][][][][][][][][][][][][Authenticating user.]

    [02/11/2016][19:40:46.694][19:40:46][4692][2884][SmAuthUser.cpp:649][ServerTrace][][][][][][][][][][][][][][][][][][][][Exception occured while discovery for identifierhttps://www.google.com/accounts/o8/id][SMAuthOpenID:preAuthenticate: Exception occured while discovery for identifierhttps://www.google.com/accounts/o8/id]

    [02/11/2016][19:40:46.694][19:40:46][4692][2884][SmAuthUser.cpp:649][ServerTrace][][][][][][][][][][][][][][][][][][][][Exception Message:0x706: GET failed on https://www.google.com/accounts/o8/id : 404][SMAuthOpenID:preAuthenticate: Exception Message:0x706: GET failed on https://www.google.com/accounts/o8/id : 404]

    [02/11/2016][19:40:46.694][19:40:46][4692][2884][SmAuthUser.cpp:649][ServerTrace][][][][][][][][][][][][][][][][][][][][Discovery failed for the identifier https://www.google.com/accounts/o8/id][SMAuthOpenID:preAuthenticate: Discovery failed for the identifier https://www.google.com/accounts/o8/id]

    [02/11/2016][19:40:46.694][19:40:46][4692][2884][Sm_Auth_Message.cpp:1271][CSm_Auth_Message::AuthenticateUser][000000000000000000000000030da8c0-0188-56bd2a0e-0b38-02ac3a2d][iis_agent][/transpolar/employee/employee.jsp][][][EmployeeArea][][AD_Directory][][][][][][][][][][][][][Evaluating OnAuthAttempt policy...]

    [02/11/2016][19:40:46.694][19:40:46][4692][2884][SmAuthorization.cpp:1237][CSmAz::IsOk][][][][][][][][][][][][][][][][][][][][][Enter function CSmAz::IsOk]



  • 2.  Re: OpenID Authentication Scheme - Google & Yahoo Provider - CA Single Sign-On (formerly CA Siteminder)

    Posted 02-12-2016 09:36 AM

    MyOpenID.com was permanently shut down around Feb 2014. Google has also removed support for openid in April 2015. I do know that as of today, Yahoo still supports OpenID, but who knows for how long. You should probably migrate to OAuth Partnership Federation (you can use the CA Access Gateway easily for this - r12.52 and greater). There are several runbooks in the runbook library, and we have training in the SiteMinder 12.52 Differences Course and more detailed training and labs in the just-released CA SSO 12.52.x Advanced Foundations 200 course. I see your realm is Transpolar, so I assume you are using an older training course that used the Transpolar web site. It has since (in the newer courses) been replaced with Voonair Airlines as the demo company site. I hope this helps.



  • 3.  Re: OpenID Authentication Scheme - Google & Yahoo Provider - CA Single Sign-On (formerly CA Siteminder)

    Posted 02-12-2016 12:54 PM

    Thanks Pat. Very much appreciated.

    Will try those options.