Symantec Access Management

  • 1.  CA SSO OpenID Connect Provider configuration issue

    Posted Nov 22, 2018 07:56 AM

    I am configuring the CA SSO OpenID Connect Provider with the Apache OpenID client using the doc "CA SSO OpenID Connect Provider - with Apache OpenID Client".

    Below are the details of my infrastructure:

    RHEL 7.4

    Policy Server R12.7 

    Access Gateway R12.7 

    Installed Apache 2.4 

    Installed mod_auth_openidc

    OpenIDC Client: http://*********.xxxx.******/example/redirect

    OpenIDC Connect Provider: http://******.xxxx.xxxx/affwebservices/secure/secureredirect

    When I access the OpenIDC client-side URL http://*********.xxxx.******/example/index.html I get a 400 Bad Request error.

    Below are the logs I get in the SPS trace and Policy Server trace logs:


    Policy Server trace log


    [11/22/2018][06:48:07.257][IsProtected.cpp:98][CSm_Az_Message::IsProtected][13286][140130924869376][][][][fed_qa_dmz][][][][][][][][][GET][/affwebservices/CASSO/oidc/authorize?response_type=code&scope=openid%20uid%20email&client_id=00074f98-1f86-1bf5-ac7e-2de60a690000&state=EIZTCaUhTrzUjaHlRl7Q7RAulmM&redirect_uri=http%3A%2F%2Fabc.pqr.com%3A8001%2Fexample%2Fredirect&nonce=DJa-j41HoGKzw7NKwP6b4QSKbyMbWYw7A0W75uTxIOM][][][][][Starting IsProtected processing.][][][][][]
    [11/22/2018][06:48:07.257][SmAuthorization.cpp:642][CSmAz::IsProtected][13286][140130924869376][][][][][][][][][][][][][][/affwebservices/casso/oidc/authorize?response_type=code&scope=openid%20uid%20email&client_id=00074f98-1f86-1bf5-ac7e-2de60a690000&state=eiztcauhtrzujahlrl7q7raulmm&redirect_uri=http%3a%2f%2fabc.pqr.com%3a8001%2fexample%2fredirect&nonce=dja-j41hogkzw7nkwp6b4qskbymbwyw7a0w75utxiom][][][][][Not Protected: No matching rules found for resource.][][][][][]


    SPS trace log


    [11/22/2018][06:48:07][16190][140013987833600][299477e5-df7513c7-c46d9a4c-8c475fe9-7534df75-a0][CSmSessionManager::EstablishSession][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmNoAction.]
    [11/22/2018][06:48:07][16190][140013987833600][299477e5-df7513c7-c46d9a4c-8c475fe9-7534df75-a0][CSmSessionManager::EstablishSession][Calling SM_WAF_AG_PLUGIN->EstablishSession.]
    [11/22/2018][06:48:07][16190][140013987833600][299477e5-df7513c7-c46d9a4c-8c475fe9-7534df75-a0][CSmSessionManager::EstablishSession][SM_WAF_AG_PLUGIN->EstablishSession returned SmNoAction.]
    [11/22/2018][06:48:07][16190][140013987833600][299477e5-df7513c7-c46d9a4c-8c475fe9-7534df75-a0][IsResourceProtected][Resource is not protected from Policy Server.]
    [11/22/2018][06:48:07][16190][140013987833600][299477e5-df7513c7-c46d9a4c-8c475fe9-7534df75-a0][ProcessResponses][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]
    [11/22/2018][06:48:07][16190][140013987833600][299477e5-df7513c7-c46d9a4c-8c475fe9-7534df75-a0][CSmHttpPlugin::ProcessResponses][Processing IsProtected responses.]
    [11/22/2018][06:48:07][16190][140013987833600][299477e5-df7513c7-c46d9a4c-8c475fe9-7534df75-a0][ProcessResponses][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]
    [11/22/2018][06:48:07][16190][140013987833600][299477e5-df7513c7-c46d9a4c-8c475fe9-7534df75-a0][ProcessResponses][Calling SM_WAF_AG_PLUGIN->ProcessResponses.]
    [11/22/2018][06:48:07][16190][140013987833600][299477e5-df7513c7-c46d9a4c-8c475fe9-7534df75-a0][ProcessResponses][SM_WAF_AG_PLUGIN->ProcessResponses returned SmNoAction.]


    I noticed the point below from the doc, so I unprotected /affwebservices/CASSO/oidc/ in the realm, but instead of showing the login pop-up it still directly throws a 400 Bad Request error.

    Below is my Apache OIDC module configuration:


     

    OIDCSSLValidateServer Off
    OIDCProviderIssuer https://xyz.abc.com
    OIDCClientID ***************************
    OIDCClientSecret xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    OIDCProviderAuthorizationEndpoint https://xyz.abc.com/affwebservices/CASSO/oidc/authorize
    OIDCProviderTokenEndpoint https://xyz.abc.com/affwebservices/CASSO/oidc/token
    OIDCRedirectURI http://abc.pqr.com:8001/example/redirect
    OIDCCryptoPassphrase *********
    OIDCProviderTokenEndpointAuth client_secret_post
    OIDCProviderJwksUri https://xyz.abc.com/affwebservices/CASSO/oidc/jwks?AuthorizationProvider=ABCCorp
    OIDCScope "openid uid email"
    OIDCProviderUserInfoEndpoint https://xyz.abc.com/affwebservices/CASSO/oidc/userinfo
    <Location /example/>
    AuthType openid-connect
    Require valid-user
    </Location>
    AddHandler cgi-script .bat
    Options +Indexes +FollowSymLinks +ExecCGI


    Can someone please help me with what I am missing?


    Regards

    Prashant



  • 2.  Re: CA SSO OpenID Connect Provider configuration issue

    Broadcom Employee
    Posted Nov 22, 2018 08:40 AM

    Yes, you are not supposed to protect "/affwebservices/CASSO/oidc/authorize?".

    However, you need to set up policy configurations to protect "/affwebservices/secure/secureredirect" as mentioned in Mark's article at Step #3) Policy to Protect the login realm.

    Can you make sure that you have the correct configurations?



  • 3.  Re: CA SSO OpenID Connect Provider configuration issue

    Posted Nov 22, 2018 09:08 AM

    Hi Ashok, yes, I have already configured a Realm to protect "/affwebservices/secure/secureredirect".

    I also tested the policy setup by accessing http://abc.pqr.com/affwebservices/secure/secureredirect/, and after the basic login prompt we get a 400 Bad Request error.


    Regards

    Prashant



  • 4.  Re: CA SSO OpenID Connect Provider configuration issue
    Best Answer

    Posted Nov 23, 2018 09:02 AM

    Thanks Community, I was able to resolve the issue. It was the RedirectURI (changed https to http) which was mismatched while redirecting to the OP.