Symantec Access Management

  • 1.  Exception when Signing SAML Assertion for Siteminder Agent for SharePoint

    Posted Mar 28, 2017 12:18 PM

    Hi there,

    I'm stuck trying to integrate SharePoint with Siteminder using WS-Federation.

    Some details:


    ## PolicyServer ##

    Version=12.51
    Update=00.08
    Label=1542
    Crypto=128

    OS: RHEL 6.8 (Santiago)


    ## Siteminder Agent for SharePoint ##

    FullVersion=12.52.100.499
    Version=12.52
    Update=100
    Build Number=499

    OS: SunOS


    ## Directory ##

    DXserver r12.0.16 (build 11032)

    OS: Solaris/DXgrid 64-Bit


    What is done until now:

    SharePoint Agent installed and proxy rules configured

    Application is created to protect the affwebservices/redirectjsp/redirectjsp

    Using Forms in AuthenticationSchemes

    WSFED Token signing certificate imported to WAM UI

    WSFED Token signing exported and imported to SharePoint Agent and SharePoint trust.

    TIP created after running SPConnectionWizard

    WebApplication and site collection created and assigned to TIP

    Now, when trying to access the SharePoint application I'm redirected to the login page. After login, the SMSESSION cookie is created and I get this error: HTTP Status 500 - Internal Error occured while trying to process the request. Transaction ID: 8b7a61ee-b7492294-41625457-3533e36d-324f3b23-a8 failed. in https://login.gcd.net/affwebservices/public/wsfedsso/?SMASSERTIONREF=QUERY&wa=wsignin1.0&wtrealm=urn%3asharepoint%3acq-icat.grupocgd.net&wctx=http%3a%2f%2fcq-icat.grupocgd.net%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F&wreply=http%3a%2f%2fcq-icat.grupocgd.net%2f_trust%2fdefault.aspx&SAMLTRANSACTIONID=26747ac2-5621ae4a-2948286f-7ce1342f-1c0093f4-c6


    In the smtracedefault.log I get this exception:


    [03/28/2017][16:59:09.845][16:59:09][6154][4025670512][SignInProtocol.java][processRequest][8b7a61ee-b7492294-41625457-3533e36d-324f3b23-a8][][][][][][][][][][][][][][][][][][][][RETURNING RESPONSE:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <RequestSecurityTokenResponse xmlns="http://schemas.xmlsoap.org/ws/2005/02/trust">
    <RequestedSecurityToken>
    <ns1:Assertion MinorVersion="1" MajorVersion="1" Issuer="SP-ACC-urn:sharepoint:cq-icat.grupocgd.net" IssueInstant="2017-03-28T15:59:09.841Z" AssertionID="SM29e81a61b6f3bf06c766a20676868349802f119dfa" xmlns:ns1="urn:oasis:names:tc:SAML:1.0:assertion">
    <ns1:Conditions NotOnOrAfter="2017-03-28T16:09:19.840Z" NotBefore="2017-03-28T15:58:59.840Z">
    <ns1:AudienceRestrictionCondition>
    <ns1:Audience>urn:sharepoint:cq-icat.grupocgd.net</ns1:Audience>
    </ns1:AudienceRestrictionCondition>
    </ns1:Conditions>

    <ns1:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:classes:password" AuthenticationInstant="2017-03-28T15:59:09.000Z">
    <ns1:Subject>
    <ns1:NameIdentifier NameQualifier="" Format="http://schemas.xmlsoap.org/claims/UPN">3115681</ns1:NameIdentifier>
    </ns1:Subject>
    </ns1:AuthenticationStatement>

    <ns1:AttributeStatement>
    <ns1:Subject>
    <ns1:NameIdentifier NameQualifier="" Format="http://schemas.xmlsoap.org/claims/UPN">3115681</ns1:NameIdentifier>
    </ns1:Subject>

    <ns1:Attribute AttributeNamespace="http://schemas.xmlsoap.org/claims" AttributeName="useridentifier">
    <ns1:AttributeValue>3115681</ns1:AttributeValue>
    </ns1:Attribute>
    </ns1:AttributeStatement>
    </ns1:Assertion>
    </RequestedSecurityToken>
    </RequestSecurityTokenResponse>


    ][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
    [03/28/2017][16:59:09.846][16:59:09][6154][4025670512][AssertionGenerator.java][invoke][8b7a61ee-b7492294-41625457-3533e36d-324f3b23-a8][][][][][][][][][][][][][][][][][][][][AssertionHandler process() succeeds, it returns:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <RequestSecurityTokenResponse xmlns="http://schemas.xmlsoap.org/ws/2005/02/trust">
    <RequestedSecurityToken>
    <ns1:Assertion MinorVersion="1" MajorVersion="1" Issuer="SP-ACC-urn:sharepoint:cq-icat.grupocgd.net" IssueInstant="2017-03-28T15:59:09.841Z" AssertionID="SM29e81a61b6f3bf06c766a20676868349802f119dfa" xmlns:ns1="urn:oasis:names:tc:SAML:1.0:assertion">
    <ns1:Conditions NotOnOrAfter="2017-03-28T16:09:19.840Z" NotBefore="2017-03-28T15:58:59.840Z">
    <ns1:AudienceRestrictionCondition>
    <ns1:Audience>urn:sharepoint:cq-icat.grupocgd.net</ns1:Audience>
    </ns1:AudienceRestrictionCondition>
    </ns1:Conditions>

    <ns1:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:classes:password" AuthenticationInstant="2017-03-28T15:59:09.000Z">
    <ns1:Subject>
    <ns1:NameIdentifier NameQualifier="" Format="http://schemas.xmlsoap.org/claims/UPN">3115681</ns1:NameIdentifier>
    </ns1:Subject>
    </ns1:AuthenticationStatement>

    <ns1:AttributeStatement>
    <ns1:Subject>
    <ns1:NameIdentifier NameQualifier="" Format="http://schemas.xmlsoap.org/claims/UPN">3115681</ns1:NameIdentifier>
    </ns1:Subject>

    <ns1:Attribute AttributeNamespace="http://schemas.xmlsoap.org/claims" AttributeName="useridentifier">
    <ns1:AttributeValue>3115681</ns1:AttributeValue>
    </ns1:Attribute>
    </ns1:AttributeStatement>
    </ns1:Assertion>
    </RequestedSecurityToken>
    </RequestSecurityTokenResponse>
    ][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
    [03/28/2017][16:59:09.846][16:59:09][6154][4025670512][AssertionGenerator.java][invoke][8b7a61ee-b7492294-41625457-3533e36d-324f3b23-a8][][][][][][][][][][][][][][][][][][][][No Plugin callout is configured.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
    [03/28/2017][16:59:09.846][16:59:09][6154][4025670512][AssertionHandlerWSFED10.java][postProcess][8b7a61ee-b7492294-41625457-3533e36d-324f3b23-a8][][][][][][][][][][][][][][][][][][][][Start to wrap-up the WSFED response.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
    [03/28/2017][16:59:09.848][16:59:09][6154][4025670512][SignInProtocol.java][closeupProcess][8b7a61ee-b7492294-41625457-3533e36d-324f3b23-a8][][][][][][][][][][][][][][][][][][][][Error while signing Assertion! Exception:
    com.ca.siteminder.ws.WSWrapperException: An error occurred while unmarshalling the response.
    at com.ca.siteminder.ws.WSRequestSecurityTokenResponseWrapper.unmarshal(WSRequestSecurityTokenResponseWrapper.java:915)
    at com.ca.siteminder.ws.WSRequestSecurityTokenResponseWrapper.getSAMLAssertionAsDOM(WSRequestSecurityTokenResponseWrapper.java:487)
    at com.netegrity.assertiongenerator.wsfed.SignInProtocol.closeupProcess(SignInProtocol.java:887)
    at com.netegrity.assertiongenerator.wsfed.AssertionHandlerWSFED10.postProcess(AssertionHandlerWSFED10.java:275)
    at com.netegrity.assertiongenerator.AssertionGenerator.invoke(AssertionGenerator.java:380)
    at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(ActiveExpressionContext.java:286)
    Caused by: java.lang.NoSuchMethodError: javax.xml.parsers.DocumentBuilderFactory.setFeature(Ljava/lang/String;Z)V
    at com.sun.xml.bind.v2.util.XmlFactory.createDocumentBuilderFactory(XmlFactory.java:176)
    at com.sun.xml.bind.marshaller.SAX2DOMEx.<init>(SAX2DOMEx.java:116)
    at com.ca.siteminder.wsgen.impl.runtime.W3CDOMUnmarshallingEventHandler.<init>(W3CDOMUnmarshallingEventHandler.java:52)
    at com.ca.siteminder.wsgen.impl.RequestedSecurityTokenTypeDOMImpl$Unmarshaller.enterElement(RequestedSecurityTokenTypeDOMImpl.java:147)
    at com.ca.siteminder.wsgen.impl.runtime.AbstractUnmarshallingEventHandlerImpl.spawnHandlerFromEnterElement(AbstractUnmarshallingEventHandlerImpl.java:300)
    at com.ca.siteminder.wsgen.impl.RequestedSecurityTokenImpl$Unmarshaller.enterElement(RequestedSecurityTokenImpl.java:170)
    at com.ca.siteminder.wsgen.impl.runtime.SAXUnmarshallerHandlerImpl.startElement(SAXUnmarshallerHandlerImpl.java:147)
    at org.xml.sax.helpers.XMLFilterImpl.startElement(Unknown Source)
    at com.sun.xml.bind.unmarshaller.InterningXMLReader.startElement(InterningXMLReader.java:106)
    at com.sun.xml.bind.unmarshaller.DOMScanner.visit(DOMScanner.java:244)
    at com.sun.xml.bind.unmarshaller.DOMScanner.visit(DOMScanner.java:281)
    at com.sun.xml.bind.unmarshaller.DOMScanner.visit(DOMScanner.java:250)
    at com.sun.xml.bind.unmarshaller.DOMScanner.visit(DOMScanner.java:281)
    at com.sun.xml.bind.unmarshaller.DOMScanner.visit(DOMScanner.java:250)
    at com.sun.xml.bind.unmarshaller.DOMScanner.parse(DOMScanner.java:154)
    at com.ca.siteminder.wsgen.impl.runtime.UnmarshallerImpl.unmarshal(UnmarshallerImpl.java:190)
    at com.ca.siteminder.ws.WSRequestSecurityTokenResponseWrapper.unmarshal(WSRequestSecurityTokenResponseWrapper.java:876)
    ... 5 more
    ][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
    [03/28/2017][16:59:09.848][16:59:09][6154][4025670512][AssertionGenerator.java][invoke][8b7a61ee-b7492294-41625457-3533e36d-324f3b23-a8][][][][][][][][][][][][][][][][][][][][Error happens in running Assertionhandler postProcess(). Leaving Assertion Generator Framework. Exception:
    com.netegrity.assertiongenerator.AssertionGeneratorException: Error while signing Assertion! Exception:
    com.ca.siteminder.ws.WSWrapperException: An error occurred while unmarshalling the response.
    at com.ca.siteminder.ws.WSRequestSecurityTokenResponseWrapper.unmarshal(WSRequestSecurityTokenResponseWrapper.java:915)
    at com.ca.siteminder.ws.WSRequestSecurityTokenResponseWrapper.getSAMLAssertionAsDOM(WSRequestSecurityTokenResponseWrapper.java:487)
    at com.netegrity.assertiongenerator.wsfed.SignInProtocol.closeupProcess(SignInProtocol.java:887)
    at com.netegrity.assertiongenerator.wsfed.AssertionHandlerWSFED10.postProcess(AssertionHandlerWSFED10.java:275)
    at com.netegrity.assertiongenerator.AssertionGenerator.invoke(AssertionGenerator.java:380)
    at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(ActiveExpressionContext.java:286)
    Caused by: java.lang.NoSuchMethodError: javax.xml.parsers.DocumentBuilderFactory.setFeature(Ljava/lang/String;Z)V
    at com.sun.xml.bind.v2.util.XmlFactory.createDocumentBuilderFactory(XmlFactory.java:176)
    at com.sun.xml.bind.marshaller.SAX2DOMEx.<init>(SAX2DOMEx.java:116)
    at com.ca.siteminder.wsgen.impl.runtime.W3CDOMUnmarshallingEventHandler.<init>(W3CDOMUnmarshallingEventHandler.java:52)
    at com.ca.siteminder.wsgen.impl.RequestedSecurityTokenTypeDOMImpl$Unmarshaller.enterElement(RequestedSecurityTokenTypeDOMImpl.java:147)
    at com.ca.siteminder.wsgen.impl.runtime.AbstractUnmarshallingEventHandlerImpl.spawnHandlerFromEnterElement(AbstractUnmarshallingEventHandlerImpl.java:300)
    at com.ca.siteminder.wsgen.impl.RequestedSecurityTokenImpl$Unmarshaller.enterElement(RequestedSecurityTokenImpl.java:170)
    at com.ca.siteminder.wsgen.impl.runtime.SAXUnmarshallerHandlerImpl.startElement(SAXUnmarshallerHandlerImpl.java:147)
    at org.xml.sax.helpers.XMLFilterImpl.startElement(Unknown Source)
    at com.sun.xml.bind.unmarshaller.InterningXMLReader.startElement(InterningXMLReader.java:106)
    at com.sun.xml.bind.unmarshaller.DOMScanner.visit(DOMScanner.java:244)
    at com.sun.xml.bind.unmarshaller.DOMScanner.visit(DOMScanner.java:281)
    at com.sun.xml.bind.unmarshaller.DOMScanner.visit(DOMScanner.java:250)
    at com.sun.xml.bind.unmarshaller.DOMScanner.visit(DOMScanner.java:281)
    at com.sun.xml.bind.unmarshaller.DOMScanner.visit(DOMScanner.java:250)
    at com.sun.xml.bind.unmarshaller.DOMScanner.parse(DOMScanner.java:154)
    at com.ca.siteminder.wsgen.impl.runtime.UnmarshallerImpl.unmarshal(UnmarshallerImpl.java:190)
    at com.ca.siteminder.ws.WSRequestSecurityTokenResponseWrapper.unmarshal(WSRequestSecurityTokenResponseWrapper.java:876)
    ... 5 more

    at com.netegrity.assertiongenerator.wsfed.SignInProtocol.closeupProcess(SignInProtocol.java:906)
    at com.netegrity.assertiongenerator.wsfed.AssertionHandlerWSFED10.postProcess(AssertionHandlerWSFED10.java:275)
    at com.netegrity.assertiongenerator.AssertionGenerator.invoke(AssertionGenerator.java:380)
    at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(ActiveExpressionContext.java:286)

    ][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

    What am I doing wrong? Any clue?


    Thanks,

    TP



  • 2.  Re: Exception when Signing SAML Assertion for Siteminder Agent for SharePoint

    Broadcom Employee
    Posted Mar 28, 2017 02:49 PM

    Hello,

    There has been a long standing Compatibility prerequisite between Policy Server and Agents. 

    That is, "CA SiteMinder12.52 Policy Server supports Web Agents at a higher CR (cumulative release) number than the Policy Server provided both are the same level Service Pack."

    Your policy server is in a much older release than the SharePoint agent; it is possible the FWS code bases are not compatible.

    Trying with the same Service Pack may give you better luck in this integration.

    Caused by: java.lang.NoSuchMethodError: javax.xml.parsers.DocumentBuilderFactory.setFeature(Ljava/lang/String;Z)V

    Also check if you have customized jar files loaded in the SSO setup that could interfere with XML parsing, but chances are rare.

    Thanks,

    Hongxu



  • 3.  Re: Exception when Signing SAML Assertion for Siteminder Agent for SharePoint

    Posted Mar 29, 2017 04:14 AM

    Hi liuho03,

    Thanks for your feedback, I'm trying an Agent with the same Service Pack.


    Thanks,

    TP



  • 4.  Re: Exception when Signing SAML Assertion for Siteminder Agent for SharePoint

    Posted Apr 06, 2017 11:00 AM

    New update:

    After reverting the Siteminder Agent for SharePoint to version 12.51, the error continues exactly the same.

    liuho03, what do you mean by this: "Also check if you have customized jar files loaded in SSO setup that could interfere with xml parsing, but chances are rare."


    Thanks,

    TP



  • 5.  Re: Exception when Signing SAML Assertion for Siteminder Agent for SharePoint

    Broadcom Employee
    Posted Apr 06, 2017 11:49 AM

    TP,

    From your log, it says "No Plugin callout is configured.", so I guess no customization jars used for federation.

    Usually they can be loaded from the JVMOptions.txt file.
    The transaction passed assertion generation, but failed at signing using the certificate.
    Exception:
    com.netegrity.assertiongenerator.AssertionGeneratorException: Error while signing Assertion! Exception:

    Do you have a certificate configured to sign the assertion?


    Thanks,
    Hongxu



  • 6.  Re: Exception when Signing SAML Assertion for Siteminder Agent for SharePoint

    Posted Apr 07, 2017 07:30 AM

    Hi Hongxu, 

    Yes, I have configured the certificate for signing the assertion.

    New Update: Checking the JVMOptions.txt, I don't see anything wrong, but for test purposes I added all the jars in the siteminder folder to -Djava.class.path. After that the error disappeared and I now have a new error:

    [CSmActiveExprLibrary::GetActiveValue][][][][][][][][][][][][][][Active expression 'GetActiveAttr;smjavaapi;JavaActiveExpression;com.netegrity.assertiongenerator.AssertionGenerator -AssertionHandler:WSFED10 NameValue:useridentifier=<%userattr="uid"%>' failed with error 'java.lang.NullPointerException: null']

    Now, I have to understand which jar makes the difference.


    Thanks,

    TP
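    The NoSuchMethodError in the trace above (javax.xml.parsers.DocumentBuilderFactory.setFeature) means the JAXP API class the Policy Server JVM resolved is older than JAXP 1.3, which is also why adding jars to the class path changed the behaviour. The following diagnostic is an added example, not code from this thread or from CA/Broadcom; it assumes a JDK on the host and is run with the same JRE and class-path entries as the Policy Server (the JVMOptions.txt entries) to show which jar supplies the API class and whether setFeature is present. The class name JaxpProvenanceCheck is made up for this example.

```java
import java.lang.reflect.Method;
import java.security.CodeSource;
import javax.xml.parsers.DocumentBuilderFactory;

/**
 * Diagnostic (added example, not code from the thread or from CA/Broadcom): shows which
 * code source supplies javax.xml.parsers.DocumentBuilderFactory to this JVM and whether
 * that class has the setFeature(String, boolean) method the federation stack calls.
 * Run it with the same JRE and class path as the Policy Server JVM, e.g.
 *   java -cp <policy-server-jars>:. JaxpProvenanceCheck
 */
public class JaxpProvenanceCheck {

    /** Origin of the DocumentBuilderFactory API class; a null code source means the JDK bootstrap (rt.jar). */
    static String apiSource() {
        CodeSource cs = DocumentBuilderFactory.class.getProtectionDomain().getCodeSource();
        return cs == null ? "bootstrap class path (JDK rt.jar)" : cs.getLocation().toString();
    }

    /** True when the loaded API class is JAXP 1.3 (JDK 5) or newer, i.e. setFeature(String, boolean) exists. */
    static boolean hasSetFeature() {
        try {
            Method m = DocumentBuilderFactory.class.getMethod("setFeature", String.class, boolean.class);
            return m.getReturnType() == void.class;
        } catch (NoSuchMethodException e) {
            return false;   // exactly the condition behind the NoSuchMethodError in smtracedefault.log
        }
    }

    /** Concrete parser factory that newInstance() resolves to, and where it was loaded from. */
    static String implSource() {
        Class<?> impl = DocumentBuilderFactory.newInstance().getClass();
        CodeSource cs = impl.getProtectionDomain().getCodeSource();
        return impl.getName() + " from " + (cs == null ? "bootstrap class path" : cs.getLocation());
    }

    public static void main(String[] args) {
        System.out.println("java.version          : " + System.getProperty("java.version"));
        System.out.println("API class loaded from : " + apiSource());
        System.out.println("setFeature present    : " + hasSetFeature());
        System.out.println("Implementation        : " + implSource());
        if (!hasSetFeature()) {
            // Either the runtime predates JDK 5, or an older JAXP API jar (endorsed directory,
            // boot class path, or a loader that searches application jars first) shadows the JDK copy.
            // Such a parser also cannot take FEATURE_SECURE_PROCESSING or the external-entity
            // features, so XML handled through it runs without the usual XXE hardening.
            System.exit(1);
        }
    }
}
```

    Compare the reported code source against the jars listed in JVMOptions.txt; the jar that supplies a DocumentBuilderFactory without setFeature is the one to remove or reorder.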



  • 7.  Re: Exception when Signing SAML Assertion for Siteminder Agent for SharePoint

    Posted Apr 07, 2017 11:53 AM

    Hi TP,

    It seems like UID is coming as NULL from the directory while the policy server collects the useridentifier, hence the active expression is throwing a NullPointerException. Kindly check whether the UID attribute has a value for this user.

    Or try with a different user where the UID attribute is set properly.


    Thanks,

    Sharan