Issue:
We're running Federation Services and when a user logs out, the
browser receives a SOAP message exception like this one :
https://fed.mydomain.com/affwebservices/public/saml2slo?dsadasdefggasdsad [...]
Etat HTTP 500 - Une erreur interne s'est produite lors de la
tentative de traitement de la demande de déconnexion. Echec de la
transaction avec l'ID
1aacc1ea-8bf91faf-3a1fe03e-f78a7787-2b3318f4-1d
Apache Tomcat/7.0.88
We can see the error in the traces, and the Web Agent Option Pack
returns code 500 :
[03/20/2019][10:46:29][2528][9424][1aacc1ea-8bf91faf-3a1fe03e-f78a7787-2b3318f4-1d][SLOService.java][handleLogout][
TUNNEL STATUS:
status : 2
message : No SOAP or Redirect or Post binding configured for provider Provider ID: myproviderid.mydomain.com]
[03/20/2019][10:46:29][2528][9424][1aacc1ea-8bf91faf-3a1fe03e-f78a7787-2b3318f4-1d][SLOService.java][doGet][Transaction with ID: 1aacc1ea-8bf91faf-3a1fe03e-f78a7787-2b3318f4-1d failed. Reason: SLO_GET_EXCEPTION]
[03/20/2019][10:46:29][2528][9424][1aacc1ea-8bf91faf-3a1fe03e-f78a7787-2b3318f4-1d][SLOService.java][doGet][Exception caught in class com.netegrity.affiliateminder.webservices.saml2.SLOService, method doGet: java.lang.NullPointerException
java.lang.NullPointerException
at com.netegrity.affiliateminder.webservices.saml2.SLOService.a(DashoA10*..:1111)
[03/20/2019][10:46:29][2528][9424][1aacc1ea-8bf91faf-3a1fe03e-f78a7787-2b3318f4-1d][SLOService.java][doGet][Ending SAML2 Single Logout Service request processing with HTTP error 500]
Environment:
Web Agent Option Pack 12.52SP1CR09 on Windows;
Policy Server 12.8 on Windows 2016;
Session Store on ODBC;
Cause:
The SAML SLO document that the Web Agent Option Pack receives is for
the SP "myproviderid.mydomain.com" :
<LogoutRequest
  Destination="https://fed.mydomain.com/affwebservices/public/saml2slo"
  ID="444444444-4444-4444-4444-444444444444"
  IssueInstant="2019-03-20T09:46:29.167Z" Version="2.0"
  xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ns4="http://www.w3.org/2001/04/xmlenc#"
  xmlns:ns3="http://www.w3.org/2000/09/xmldsig#">
  <ns2:Issuer>myproviderid.mydomain.com</ns2:Issuer>
  <ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">711157</ns2:NameID>
  <SessionIndex>NaSMsGamadsdqwXqsSs1ALya3Vs61GU=l7fVqg==</SessionIndex>
</LogoutRequest>
The Legacy Federation SP "myproviderid.mydomain.com" is configured with 2
Endpoints for SLO :
- each EndPoint has the same index;
- no EndPoint is defined as default, so there is no default;
From the export of the Policy Store :
<ReferenceValue ReferenceId="Ref00444">
<StringValue>myproviderid.mydomain.com</StringValue>
<Object Class="CA.FED::SPBase"
Xid="CA.FED::SPBase@33333333-3333-3333-3333-333333333333"
Name="CA.FED::SPBase.SPID">
<StringValue>myproviderid.mydomain.com</StringValue>
<Property Name="CA.FED::SPBase.Name">
<StringValue>SP_Name</StringValue>
The SP has 2 endpoints defined :
<Property Name="CA.FED::SPBase.SLOSvcsLink">
<LinkValue>
<XID>CA.FED::Endpoint@11111111-1111-1111-1111-111111111111</XID>
<LinkValue>
<XID>CA.FED::Endpoint@22222222-2222-2222-2222-222222222222</XID>
and neither of them is set as default, and both have the index value set to
0 :
<Object Class="CA.FED::Endpoint"
Xid="CA.FED::Endpoint@11111111-1111-1111-1111-111111111111"
UpdatedBy="XPSDictionary::Import" UpdateMethod="Internal"
ExportType="Replace">
<Property Name="CA.FED::Endpoint.Index">
<NumberValue>0</NumberValue>
<Property Name="CA.FED::Endpoint.IsDefault">
<BooleanValue>false</BooleanValue>
<Object Class="CA.FED::Endpoint"
Xid="CA.FED::Endpoint@22222222-2222-2222-2222-222222222222"
UpdatedBy="XPSDictionary::Import" UpdateMethod="Internal"
ExportType="Replace">
<Property Name="CA.FED::Endpoint.Index">
<NumberValue>0</NumberValue>
<Property Name="CA.FED::Endpoint.IsDefault">
<BooleanValue>false</BooleanValue>
According to the documentation, you need to define a default endpoint and a
different index for each endpoint, and the incoming SAML document should
carry either the ProtocolBinding or the AssertionConsumerServiceIndex property :
Define Indexed Endpoints for Different Single Sign-on Bindings
Note: If your network contains different CA Single Sign-On versions,
you cannot configure indexed endpoints. For example, you cannot
configure indexed endpoints if the Service Provider is r12.0 SP 2 and
the Identity Provider is r12.0 SP3. Configure only one Assertion
Consumer Service for both HTTP bindings.
Using indexed endpoints, the sequence of events is as follows:
1. The user selects a link to authenticate with a specific IdP. The
link contains the IdP ID and AssertionConsumerServiceIndex as query
parameters because the index feature is enabled.
2. The SP Federation Web Services (FWS) application asks for an
AuthnRequest from its local Policy Server. The request that it
sends includes the IdP ID and optionally, the
AssertionConsumerServiceIndex and ForceAuthn query parameters.
A protocol binding is not part of the request because the ACS
Index and the Protocol Binding parameters are mutually
exclusive. The AssertionConsumerServiceIndex is already
associated with a binding so there is no need to specify a
Protocol Binding value. If the protocol binding and the
AssertionConsumerServiceIndex are passed as query parameters, the
local Policy Server responds with an error denying the request.
https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/legacy-federation/single-sign-on-configuration-for-saml-2-0#SingleSign-onConfigurationforSAML2.0-DefineIndexedEndpointsforDifferentSingleSign-onBindings
Resolution:
To solve the issue :
- Among the Federation EndPoints, select one as the Default Index;
- Among the Federation EndPoints, set a different Index for each one;
- Configure the SAMLRequest for SLO to specify the
AssertionConsumerServiceIndex or the ProtocolBinding property;
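As an added illustration (not part of this KB or of the product code), the selection rule the resolution items enforce, in Python: the lint flags the endpoint set shown in the Cause section, binding resolution fails on it the same way the trace did, and the corrected set resolves. The SloEndpoint class and the binding names are assumptions of the example.

```python
from dataclasses import dataclass
from typing import List, Optional


# Hypothetical model of the CA.FED::Endpoint properties seen in the export
# (Index, IsDefault); the binding names are constructed for this example.
@dataclass(frozen=True)
class SloEndpoint:
    binding: str       # "HTTP-Redirect", "HTTP-POST" or "SOAP"
    index: int         # CA.FED::Endpoint.Index
    is_default: bool   # CA.FED::Endpoint.IsDefault


def lint_slo_endpoints(endpoints: List[SloEndpoint]) -> List[str]:
    """Return the configuration problems this KB describes; [] means usable."""
    problems = []
    indexes = [e.index for e in endpoints]
    dupes = sorted({i for i in indexes if indexes.count(i) > 1})
    if dupes:
        problems.append(f"duplicate endpoint index(es): {dupes}")
    defaults = sum(1 for e in endpoints if e.is_default)
    if defaults != 1:
        problems.append(f"expected exactly one default endpoint, found {defaults}")
    return problems


def resolve_slo_binding(endpoints: List[SloEndpoint],
                        requested_index: Optional[int] = None) -> Optional[str]:
    """Pick the binding for an incoming SLO request.

    requested_index is the index named in the request (absent in the
    LogoutRequest above). Without one, the single default endpoint wins.
    None means no binding can be chosen: the 'No SOAP or Redirect or Post
    binding configured' condition that ended in the HTTP 500 above.
    """
    if requested_index is not None:
        matches = [e for e in endpoints if e.index == requested_index]
        return matches[0].binding if len(matches) == 1 else None
    defaults = [e for e in endpoints if e.is_default]
    return defaults[0].binding if len(defaults) == 1 else None


# Constructed sample: the two exported endpoints (both index 0, no default)
BROKEN = [SloEndpoint("HTTP-Redirect", 0, False), SloEndpoint("HTTP-POST", 0, False)]
# Constructed sample: the same endpoints after applying the resolution
FIXED = [SloEndpoint("HTTP-Redirect", 0, True), SloEndpoint("HTTP-POST", 1, False)]

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "lint:", lint_slo_endpoints(cfg) or "ok",
              "| binding without index:", resolve_slo_binding(cfg))
```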
KB : KB000130295