Symantec Access Management

  • 1.  getting 400 BAD request error for IdP initiated federation

    Posted Jun 01, 2021 04:55 PM
    Edited by Richard Faust Jun 01, 2021 05:16 PM
    I'm setting up a partnership federation on Access Gateway r12.8 sp05 on Windows 2019.  Policy server r12.8 (no service pack) is on Windows 2016.  My issue is similar to this link:

    https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=796323

    except my problem is on the IdP side.

    Requests to https://<fqdn>/affwebservices/assertionretriever behave as expected:  the initial request results in a basic dialogue box to enter credentials, then the access gateway responds with "Assertion Retrieval Service has been successfully initialized.  The requested service accepts only HTTP POST requests."  That tells me the assertion retrieval service is healthy and SSL is working, so that's a good start.

    I have a partnership federation configured with a local SAML2 IDP and remote SAML2 SP.  I use the SSL Service URL in a fresh browser:

    https://gateway.Local-IdP.com/affwebservices/redirectjsp/redirect.jsp?SPID=https://service.RemoteSP.com/saml/SSO

    and am expecting a redirect to the configured Authentication URL which is protected by a policy.  Here's what happens:

    HTTP Status 400 – Bad Request

    Type Status Report

    Message <H2> Bad Request </H2><BR><BR> The SMPORTALURL could not be found.

    Description The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).

    I've checked and re-checked the entity and partnership configurations and am not seeing anything that might lead to such an error.  I've verified that both the policy server and the access gateway have JDK unlimited JCE enabled.  A session store is NOT enabled at the IdP.  Unlike the SP, I would not expect a session store to be a requirement at the IdP.

    Any suggestions would be appreciated.

    ------------------------------
    Sr. Services Consultant
    MIRIMAR Consulting
    ------------------------------


  • 2.  RE: getting 400 BAD request error for IdP initiated federation
    Best Answer

    Broadcom Employee
    Posted Jun 02, 2021 04:42 PM

    Hi Richard,

    The redirect.jsp file (as well as the redirectjsp folder; it's not an application/service, just a folder) is not meant to be accessed directly.  The whole purpose of the page is to redirect you back from where you came, thus it is used as an authentication URL.

    For IDP-initiated requests,  the requests should be formatted like this:

    https://host/affwebservices/public/saml2sso?SPID=<spid value>

    For SP-initiated requests, the user first visits a link at the SP which will generate a SAMLRequest that is then passed to the IDP's saml2sso URL, either as POST data if the POST binding is used, or as query string data if the REDIRECT binding is used.

    When an unauthenticated user makes a request to the saml2sso URL, saml2sso uses the SPID provided in the query string or within the SAMLRequest data to determine the proper Authentication URL and redirect the user there.  Since the Authentication URL should be a protected resource, this will cause the user to get challenged.  Upon authentication, the user will access the redirect.jsp file which will redirect the user back to saml2sso and will include the query parameters needed to allow the request to proceed.


    Regards,
    Pete
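The two ways the saml2sso endpoint learns which SP a request is for, as an added example that is not part of Pete's reply or of the product: an SPID query parameter for IdP-initiated requests, or the Issuer inside a SAMLRequest for SP-initiated requests carried in the HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encoded). The script builds a correctly encoded IdP-initiated URL, encodes and decodes a constructed AuthnRequest, and flags a direct hit on redirect.jsp as the wrong entry point. The host names, the AuthnRequest contents and the error strings are constructed for illustration; the two paths are the ones named in the thread.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

# Paths from the thread: the public entry point and the internal redirect hop.
SAML2SSO_PATH = "/affwebservices/public/saml2sso"
REDIRECT_JSP_PATH = "/affwebservices/redirectjsp/redirect.jsp"

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed AuthnRequest (not a real capture); Issuer doubles as the SP entity ID.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-id-1" '
    'Version="2.0" IssueInstant="2021-06-01T20:55:00Z" '
    'AssertionConsumerServiceURL="https://service.RemoteSP.com/saml/SSO">'
    "<saml:Issuer>https://service.RemoteSP.com/saml/SSO</saml:Issuer>"
    "</samlp:AuthnRequest>"
)


def build_idp_initiated_url(host, spid):
    """Build the IdP-initiated URL with the SPID value percent-encoded."""
    query = urllib.parse.urlencode({"SPID": spid})
    return f"https://{host}{SAML2SSO_PATH}?{query}"


def encode_redirect_binding(authn_request_xml):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header) then base64."""
    compressor = zlib.compressobj(level=9, wbits=-15)
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_binding(saml_request_param):
    """Reverse of encode_redirect_binding; returns the AuthnRequest XML text."""
    deflated = base64.b64decode(saml_request_param)
    return zlib.decompress(deflated, wbits=-15).decode("utf-8")


def build_sp_initiated_url(host, authn_request_xml):
    """Build the saml2sso URL an SP would redirect the browser to (Redirect binding)."""
    query = urllib.parse.urlencode({"SAMLRequest": encode_redirect_binding(authn_request_xml)})
    return f"https://{host}{SAML2SSO_PATH}?{query}"


def resolve_spid(url):
    """Return (spid, source) for a saml2sso URL, or (None, reason) when it cannot be served."""
    parsed = urllib.parse.urlsplit(url)
    if parsed.path == REDIRECT_JSP_PATH:
        return None, "redirect.jsp is an internal hop reached after authentication, not an entry point"
    if parsed.path != SAML2SSO_PATH:
        return None, f"unexpected path {parsed.path}"
    params = urllib.parse.parse_qs(parsed.query)
    if "SPID" in params:
        return params["SPID"][0], "SPID query parameter"
    if "SAMLRequest" in params:
        # For real (untrusted) input parse with a hardened library such as defusedxml;
        # ElementTree is used here only because the input is constructed above.
        root = ET.fromstring(decode_redirect_binding(params["SAMLRequest"][0]))
        if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
            return None, "SAMLRequest is not an AuthnRequest"
        issuer = root.find(f"{{{SAML_NS}}}Issuer")
        if issuer is None or not issuer.text:
            return None, "AuthnRequest carries no Issuer"
        return issuer.text.strip(), "Issuer of the SAMLRequest"
    return None, "neither SPID nor SAMLRequest present"


if __name__ == "__main__":
    host = "gateway.Local-IdP.com"
    for candidate in (
        f"https://{host}{REDIRECT_JSP_PATH}?SPID=https://service.RemoteSP.com/saml/SSO",
        build_idp_initiated_url(host, "https://service.RemoteSP.com/saml/SSO"),
        build_sp_initiated_url(host, SAMPLE_AUTHN_REQUEST),
    ):
        print(candidate[:80], "->", resolve_spid(candidate))
```

The first candidate is the URL shape from the original question and is rejected on path alone; the other two resolve to the same SP entity ID by the two routes Pete describes.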




  • 3.  RE: getting 400 BAD request error for IdP initiated federation

    Posted Jun 02, 2021 06:31 PM
    Thanks, Peter.  I noticed my mistake and didn't have a chance to circle back to this post before you responded.  Thanks for taking the time to compose an informative response.

    ------------------------------
    Sr. Services Consultant
    MIRIMAR Consulting
    ------------------------------



  • 4.  RE: getting 400 BAD request error for IdP initiated federation

    Posted Oct 20, 2021 12:20 AM
    Edited by Debbie Sassine Oct 20, 2021 12:19 AM
    The 400 (Bad Request) status code indicates that the server cannot or will not process the request because the received syntax is invalid, nonsensical, or exceeds some limitation on what the server is willing to process. It means that the request itself is somehow incorrect or corrupted and the server couldn't understand it. The server is refusing to service the request because the entity of the request is in a format not supported by the requested resource for the requested method. Therefore, it prevents the website from being properly displayed. The main thing to understand is that the 400 Bad Request error is a client-side error.

    The cause of a 400 error can be a wrongly written URL or a URL that contains unrecognizable characters. Another cause of the error might be an invalid or expired cookie. It can also happen if you try to upload a file that's too large: if the server is programmed with a file size limit, then you might encounter a 400 error.