Layer 7 Access Management

Tech Tip : CA Single Sign-On : Single Sign On Siteminder - Logout Issue

    Posted 05-06-2019 03:54 AM

    Issue:

    We're running Federation Services, and when a user logs out, the
    browser receives a SOAP message exception like this one:

    https://fed.mydomain.com/affwebservices/public/saml2slo?dsadasdefggasdsad [...]

    Etat HTTP 500 - Une erreur interne s'est produite lors de la
    tentative de traitement de la demande de déconnexion. Echec de la
    transaction avec l'ID
    1aacc1ea-8bf91faf-3a1fe03e-f78a7787-2b3318f4-1d

    Apache Tomcat/7.0.88

    We can see the error in the traces, and the Web Agent Option Pack
    returns code 500:


    [03/20/2019][10:46:29][2528][9424][1aacc1ea-8bf91faf-3a1fe03e-f78a7787-2b3318f4-1d][SLOService.java][handleLogout][
    TUNNEL STATUS:
    status : 2
    message : No SOAP or Redirect or Post binding configured for provider Provider ID: myproviderid.mydomain.com]

    [03/20/2019][10:46:29][2528][9424][1aacc1ea-8bf91faf-3a1fe03e-f78a7787-2b3318f4-1d][SLOService.java][doGet][Transaction with ID: 1aacc1ea-8bf91faf-3a1fe03e-f78a7787-2b3318f4-1d failed. Reason: SLO_GET_EXCEPTION]

    [03/20/2019][10:46:29][2528][9424][1aacc1ea-8bf91faf-3a1fe03e-f78a7787-2b3318f4-1d][SLOService.java][doGet][Exception caught in class com.netegrity.affiliateminder.webservices.saml2.SLOService, method doGet: java.lang.NullPointerException
    java.lang.NullPointerException
    at com.netegrity.affiliateminder.webservices.saml2.SLOService.a(DashoA10*..:1111)

    [03/20/2019][10:46:29][2528][9424][1aacc1ea-8bf91faf-3a1fe03e-f78a7787-2b3318f4-1d][SLOService.java][doGet][Ending SAML2 Single Logout Service request processing with HTTP error 500]
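    As an added example (not part of this tech tip and not CA's own tooling), the Python script below parses trace records in the layout shown above, joins the multi-line TUNNEL STATUS block and the stack trace back onto the records they belong to, and then groups records by transaction ID so that every single-logout transaction that ended with an HTTP error is reported together with the provider named in the binding error and the failure reason. The bracketed field layout [date][time][pid][tid][txid][source][method][message] is an assumption read from the excerpt; the last record in the sample, for a transaction that completed normally, is constructed.

```python
"""Parse Federation Web Services (Web Agent Option Pack) trace records and
correlate single-logout failures by transaction ID.

Added example, not CA's code.  The bracketed field layout
[date][time][pid][tid][txid][source file][method][message] is an
assumption read from the trace excerpt in the article; the final record
(a transaction that completed normally) is constructed.
"""
import re
from collections import defaultdict

# Constructed sample: the article's four records for one transaction,
# plus one made-up record for a transaction that completed normally.
SAMPLE_TRACE = """\
[03/20/2019][10:46:29][2528][9424][1aacc1ea-8bf91faf-3a1fe03e-f78a7787-2b3318f4-1d][SLOService.java][handleLogout][
TUNNEL STATUS:
status : 2
message : No SOAP or Redirect or Post binding configured for provider Provider ID: myproviderid.mydomain.com]

[03/20/2019][10:46:29][2528][9424][1aacc1ea-8bf91faf-3a1fe03e-f78a7787-2b3318f4-1d][SLOService.java][doGet][Transaction with ID: 1aacc1ea-8bf91faf-3a1fe03e-f78a7787-2b3318f4-1d failed. Reason: SLO_GET_EXCEPTION]

[03/20/2019][10:46:29][2528][9424][1aacc1ea-8bf91faf-3a1fe03e-f78a7787-2b3318f4-1d][SLOService.java][doGet][Exception caught in class com.netegrity.affiliateminder.webservices.saml2.SLOService, method doGet: java.lang.NullPointerException
java.lang.NullPointerException
at com.netegrity.affiliateminder.webservices.saml2.SLOService.a(DashoA10*..:1111)

[03/20/2019][10:46:29][2528][9424][1aacc1ea-8bf91faf-3a1fe03e-f78a7787-2b3318f4-1d][SLOService.java][doGet][Ending SAML2 Single Logout Service request processing with HTTP error 500]

[03/20/2019][10:47:02][2528][9431][constructed-00000000-00000000-00000000-00000000-00][SLOService.java][doGet][Ending SAML2 Single Logout Service request processing]
"""

# A record starts at a line beginning with a bracketed date; continuation
# lines (the TUNNEL STATUS block, the stack trace) belong to the record above.
RECORD_START = re.compile(r"^(?=\[\d{2}/\d{2}/\d{4}\])", re.MULTILINE)
FIELDS = re.compile(
    r"^\[(?P<date>[^\]]*)\]\[(?P<time>[^\]]*)\]\[(?P<pid>\d+)\]\[(?P<tid>\d+)\]"
    r"\[(?P<txid>[^\]]*)\]\[(?P<source>[^\]]*)\]\[(?P<method>[^\]]*)\]"
    r"\[(?P<message>.*?)\]?\s*$",  # the closing ']' is absent on the stack-trace record
    re.DOTALL,
)
BINDING_ERROR = re.compile(
    r"No SOAP or Redirect or Post binding configured for provider Provider ID: (\S+)"
)
REASON = re.compile(r"Reason: (\w+)")
HTTP_ERROR = re.compile(r"HTTP error (\d{3})")


def parse_trace(text):
    """Split the trace into records and return one dict of fields per record,
    with the message whitespace collapsed onto a single line."""
    records = []
    for chunk in RECORD_START.split(text):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = FIELDS.match(chunk)
        if m:
            rec = m.groupdict()
            rec["message"] = " ".join(rec["message"].split())
            records.append(rec)
    return records


def failed_slo_transactions(text):
    """Group records by transaction ID and keep the transactions that ended
    in an HTTP error, with the provider from the binding error and the reason."""
    by_tx = defaultdict(dict)
    for rec in parse_trace(text):
        tx = by_tx[rec["txid"]]
        msg = rec["message"]
        m = BINDING_ERROR.search(msg)
        if m:
            tx["provider"] = m.group(1)
        m = REASON.search(msg)
        if m:
            tx["reason"] = m.group(1)
        m = HTTP_ERROR.search(msg)
        if m:
            tx["http_error"] = int(m.group(1))
    return {txid: d for txid, d in by_tx.items() if "http_error" in d}


if __name__ == "__main__":
    for txid, detail in failed_slo_transactions(SAMPLE_TRACE).items():
        print(txid, detail)
```

    Run against a real trace file, the provider name reported per failed transaction is the SP whose SLO endpoint configuration needs checking.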

    Environment:


    Web Agent Option Pack 12.52SP1CR09 on Windows;
    Policy Server 12.8 on Windows 2016;
    Session Store on ODBC;

    Cause:

    The SAML SLO document that the Web Agent Option Pack receives is for
    the SP "myproviderid.mydomain.com":

    <LogoutRequest
        Destination="https://fed.mydomain.com/affwebservices/public/saml2slo"
        ID="444444444-4444-4444-4444-444444444444"
        IssueInstant="2019-03-20T09:46:29.167Z" Version="2.0"
        xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:ns4="http://www.w3.org/2001/04/xmlenc#"
        xmlns:ns3="http://www.w3.org/2000/09/xmldsig#">
      <ns2:Issuer>myproviderid.mydomain.com</ns2:Issuer>
      <ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">711157</ns2:NameID>
      <SessionIndex>NaSMsGamadsdqwXqsSs1ALya3Vs61GU=l7fVqg==</SessionIndex>
    </LogoutRequest>


    The Legacy Federation SP "myproviderid.mydomain.com" is configured
    with two endpoints for SLO:

    - both endpoints have the same index;
    - neither endpoint is defined as the default, so there is no default.


    From the export of the Policy Store:


    <ReferenceValue ReferenceId="Ref00444">
    <StringValue>myproviderid.mydomain.com</StringValue>

    <Object Class="CA.FED::SPBase"
    Xid="CA.FED::SPBase@33333333-3333-3333-3333-333333333333"
    Name="CA.FED::SPBase.SPID">
    <StringValue>myproviderid.mydomain.com</StringValue>

    <Property Name="CA.FED::SPBase.Name">
    <StringValue>SP_Name</StringValue>

    The SP has two endpoints defined:

    <Property Name="CA.FED::SPBase.SLOSvcsLink">
    <LinkValue>
    <XID>CA.FED::Endpoint@11111111-1111-1111-1111-111111111111</XID>
    <LinkValue>
    <XID>CA.FED::Endpoint@22222222-2222-2222-2222-222222222222</XID>

    and neither of them is set as default; both have the index value 0:


    <Object Class="CA.FED::Endpoint"
    Xid="CA.FED::Endpoint@11111111-1111-1111-1111-111111111111"
    UpdatedBy="XPSDictionary::Import" UpdateMethod="Internal"
    ExportType="Replace">

    <Property Name="CA.FED::Endpoint.Index">
    <NumberValue>0</NumberValue>
    <Property Name="CA.FED::Endpoint.IsDefault">
    <BooleanValue>false</BooleanValue>


    <Object Class="CA.FED::Endpoint"
    Xid="CA.FED::Endpoint@22222222-2222-2222-2222-222222222222"
    UpdatedBy="XPSDictionary::Import" UpdateMethod="Internal"
    ExportType="Replace">

    <Property Name="CA.FED::Endpoint.Index">
    <NumberValue>0</NumberValue>
    <Property Name="CA.FED::Endpoint.IsDefault">
    <BooleanValue>false</BooleanValue>

    According to the documentation, you must define one endpoint as the
    default and give each endpoint a different index, and the incoming
    SAML document should carry either a ProtocolBinding or an
    AssertionConsumerServiceIndex property:

    Define Indexed Endpoints for Different Single Sign-on Bindings

    Note: If your network contains different CA Single Sign-On versions,
    you cannot configure indexed endpoints. For example, you cannot
    configure indexed endpoints if the Service Provider is r12.0 SP 2 and
    the Identity Provider is r12.0 SP3. Configure only one Assertion
    Consumer Service for both HTTP bindings.

    Using indexed endpoints, the sequence of events is as follows:


    1. The user selects a link to authenticate with a specific IdP. The
    link contains the IdP ID and AssertionConsumerServiceIndex as query
    parameters because the index feature is enabled.


    2. The SP Federation Web Services (FWS) application asks for an
    AuthnRequest from its local Policy Server. The request that it
    sends includes the IdP ID and optionally, the
    AssertionConsumerServiceIndex and ForceAuthn query parameters.

    A protocol binding is not part of the request because the ACS
    Index and the Protocol Binding parameters are mutually
    exclusive. The AssertionConsumerServiceIndex is already
    associated with a binding so there is no need to specify a
    Protocol Binding value. If the protocol binding and the
    AssertionConsumerServiceIndex are passed as query parameters, the
    local Policy Server responds with an error denying the request.

    https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/legacy-federation/single-sign-on-configuration-for-saml-2-0#SingleSign-onConfigurationforSAML2.0-DefineIndexedEndpointsforDifferentSingleSign-onBindings


    Resolution:

    To solve the issue:


    - Among the Federation endpoints, select one as the default;

    - Among the Federation endpoints, give each one a different index;

    - Configure the SAMLRequest for SLO to specify the
    AssertionConsumerServiceIndex or ProtocolBinding property.

    KB : KB000130295
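    As an added check (not part of this tech tip and not a CA tool), the Python script below lints the SLO endpoint configuration of an SP in a policy store export for the two conditions described under Cause and Resolution: endpoints sharing an index value, and no endpoint (or more than one) marked as default. It builds its own sample export rather than reading a real one, so the <PolicyStoreExport> root element, the nesting of <Property> and <LinkValue> elements, and the endpoint XIDs are assumptions reconstructed from the fragments quoted above; the SPBase and Endpoint class names and property names are the ones shown in the export excerpt.

```python
"""Lint the SLO endpoint configuration of a Legacy Federation SP in a CA
Single Sign-On policy store export.

Added example, not CA's code.  The export structure is reconstructed from
the fragments quoted in the article; the <PolicyStoreExport> root element,
the exact nesting of <Property>/<LinkValue> and the endpoint XIDs are
assumptions.
"""
import xml.etree.ElementTree as ET

SP_ID = "myproviderid.mydomain.com"


def build_export(sp_id, endpoints):
    """Build a constructed export fragment for one SP whose SLO service links
    point at the given endpoints, each given as (index, is_default)."""
    xids = [f"CA.FED::Endpoint@{n:08d}-0000-0000-0000-000000000000"
            for n in range(1, len(endpoints) + 1)]
    links = "".join(f"<LinkValue><XID>{x}</XID></LinkValue>" for x in xids)
    objs = "".join(
        f'<Object Class="CA.FED::Endpoint" Xid="{x}">'
        f'<Property Name="CA.FED::Endpoint.Index"><NumberValue>{idx}</NumberValue></Property>'
        f'<Property Name="CA.FED::Endpoint.IsDefault"><BooleanValue>{str(dflt).lower()}</BooleanValue></Property>'
        "</Object>"
        for x, (idx, dflt) in zip(xids, endpoints)
    )
    return (
        "<PolicyStoreExport>"
        '<Object Class="CA.FED::SPBase" Xid="CA.FED::SPBase@33333333-3333-3333-3333-333333333333">'
        f'<Property Name="CA.FED::SPBase.SPID"><StringValue>{sp_id}</StringValue></Property>'
        f'<Property Name="CA.FED::SPBase.SLOSvcsLink">{links}</Property>'
        "</Object>"
        f"{objs}"
        "</PolicyStoreExport>"
    )


def _prop(obj, name):
    """Return the <Property> child of obj with the given Name, or None."""
    for p in obj.findall("Property"):
        if p.get("Name") == name:
            return p
    return None


def check_slo_endpoints(xml_text):
    """Return {sp_id: [problem, ...]} for every SPBase object in the export.
    An empty list means the SLO endpoints satisfy the rules in the article:
    exactly one endpoint is the default and no two share an index."""
    root = ET.fromstring(xml_text)

    # Pass 1: collect every endpoint's (index, is_default) by XID.
    endpoints = {}
    for obj in root.iter("Object"):
        if obj.get("Class") != "CA.FED::Endpoint":
            continue
        idx = int(_prop(obj, "CA.FED::Endpoint.Index").findtext("NumberValue"))
        dflt = _prop(obj, "CA.FED::Endpoint.IsDefault").findtext("BooleanValue")
        endpoints[obj.get("Xid")] = (idx, dflt.strip().lower() == "true")

    # Pass 2: for each SP, resolve its SLO links and apply the rules.
    findings = {}
    for obj in root.iter("Object"):
        if obj.get("Class") != "CA.FED::SPBase":
            continue
        sp_id = _prop(obj, "CA.FED::SPBase.SPID").findtext("StringValue")
        link_prop = _prop(obj, "CA.FED::SPBase.SLOSvcsLink")
        xids = [x.text for x in link_prop.iter("XID")] if link_prop is not None else []
        linked = [endpoints[x] for x in xids if x in endpoints]
        problems = []
        indexes = [i for i, _ in linked]
        dups = sorted({i for i in indexes if indexes.count(i) > 1})
        if dups:
            problems.append(f"SLO endpoints share index value(s) {dups}")
        defaults = sum(1 for _, d in linked if d)
        if linked and defaults == 0:
            problems.append("no SLO endpoint is marked IsDefault")
        elif defaults > 1:
            problems.append(f"{defaults} SLO endpoints are marked IsDefault")
        findings[sp_id] = problems
    return findings


# The configuration described in the article: two endpoints, both index 0,
# neither default ...
BROKEN_EXPORT = build_export(SP_ID, [(0, False), (0, False)])
# ... and the same SP after applying the resolution.
FIXED_EXPORT = build_export(SP_ID, [(0, True), (1, False)])

if __name__ == "__main__":
    for label, export in (("broken", BROKEN_EXPORT), ("fixed", FIXED_EXPORT)):
        for sp, problems in check_slo_endpoints(export).items():
            print(f"{label}: {sp}: {problems or 'OK'}")
```

    To use it on a real export, pass the file contents to check_slo_endpoints instead of the constructed fragments; if the export's element nesting differs from the assumption above, adjust _prop and the link lookup accordingly.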