Symantec Access Management

  • 1.  SLO Not Working

    Posted Jul 14, 2020 09:26 AM
    Hello All,

    I am pretty new to SLO implementation in Siteminder and not able to make it work. We are using Siteminder 12.52 and always get an error when the SP initiates the SLO on the logout button click. The SP sends the SAML logout request as an HTTP Redirect, i.e. GET, as below, and the request is signed:

    <saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://xyz.com/affwebservices/public/saml2slo"
    ID="a3ie9j5ga97gdhj41f2cab28ihca9i2"
    IssueInstant="2020-07-14T12:59:45.668Z"
    Version="2.0"
    >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">xxx:8080/saml/SSO</saml2:Issuer>
    <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    >bZot0021</saml2:NameID>
    <saml2p:SessionIndex>cojnsyx0q2q/oLCrw6x1PBhUX1M=MuHOHA==</saml2p:SessionIndex>
    </saml2p:LogoutRequest>

    Now, once we (i.e. the IDP) receive the SAML logout request, we get an HTTP 500 error with a transaction ID and we see the below error in our logs:
    Logs:-
    Smdefaulttrace.log :-

    grep '95a8d79f-e3836a13-05f429f0-63235689-d8852aa6-8f' smtracedefault.log
    [07/14/2020][09:04:31][09:04:31.478][12315][3421096848][95a8d79f-e3836a13-05f429f0-63235689-d8852aa6-8f][][CServer.cpp:6050][CServer::Tunnel][][Resolved all the input parameters][][][][][][][][][][][][][][::ffff:172.19.80.136][][Lib='smjavaapi', Func='JavaTunnelService', Params='com.netegrity.saml2ps.tunnel.SAMLSingleLogoutTunnelService', Server='', Device=''][][][][][][][][]
    [07/14/2020][09:04:31][09:04:31.478][12315][3421096848][95a8d79f-e3836a13-05f429f0-63235689-d8852aa6-8f][][SingleLogoutTunnelServiceHandler.java][setupLogout][][ENTER: setupLogout][][][][][][][][][][][][][][][][][][][][][][][][][$

    Affwebservices.log :-

    [5472/1236][Tue Jul 14 2020 09:04:31][SLOService.java][ERROR][sm-FedClient-02890] Transaction with ID: 95a8d79f-e3836a13-05f429f0-63235689-d8852aa6-8f failed. Reason: SLO_GET_EXCEPTION (, , )
    [5472/1236][Tue Jul 14 2020 09:04:31][SLOService.java][ERROR][sm-FedClient-01660] Exception caught in class com.netegrity.affiliateminder.webservices.saml2.SLOService, method doGet, message java.lang.NullPointerException. (, )

    FWSTrace.log:-

    [07/14/2020][09:04:31][5472][1236][95a8d79f-e3836a13-05f429f0-63235689-d8852aa6-8f][FWSBase.java][getSessionFromCookie][Fetching session details from cookie [CHECKPOINT = SLO_SESSION_FETCH]]
    [07/14/2020][09:04:31][5472][1236][95a8d79f-e3836a13-05f429f0-63235689-d8852aa6-8f][FWSBase.java][getSessionCookie][SMSESSION Cookie found.]
    [07/14/2020][09:04:31][5472][1236][95a8d79f-e3836a13-05f429f0-63235689-d8852aa6-8f][SLOService.java][handleLogout][Reading session id from cookie data for session termination [CHECKPOINT = SLOSAML2_SESSIONIDFROMCOOKIEDATA_READ]]
    [07/14/2020][09:04:31][5472][1236][95a8d79f-e3836a13-05f429f0-63235689-d8852aa6-8f][SLOService.java][handleLogout][Performing tunnel call for SAML1 SLO [CHECKPOINT = SLOSAML2_TUNNEL_REQUEST]]

    TUNNEL STATUS:   status  : 8   message : Error executing a Session Server API call: getStatus Session ID: uoDh0uZLvAhuRmSD8SDLph5Dm98= Status: 0]
    [07/14/2020][09:04:31][5472][1236][95a8d79f-e3836a13-05f429f0-63235689-d8852aa6-8f][SLOService.java][doGet][Transaction with ID: 95a8d79f-e3836a13-05f429f0-63235689-d8852aa6-8f failed. Reason: SLO_GET_EXCEPTION]

    [07/14/2020][09:04:31][5472][1236][95a8d79f-e3836a13-05f429f0-63235689-d8852aa6-8f][SLOService.java][doGet][Exception caught in class com.netegrity.affiliateminder.webservices.saml2.SLOService, method doGet: java.lang.NullPointerExceptionjava.lang.NullPointerException
        at com.netegrity.affiliateminder.webservices.saml2.SLOService.a(DashoA10*..:1111)
        at com.netegrity.affiliateminder.webservices.saml2.SLOService.a(DashoA10*..:844)
        at com.netegrity.affiliateminder.webservices.saml2.SLOService.c(DashoA10*..:805)
        at com.netegrity.affiliateminder.webservices.saml2.SLOService.doGet(DashoA10*..:240)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.netegrity.affiliateminder.webservices.CAFedFilter.doFilter(DashoA10*..:58)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
        at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
        at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:856)
        at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:566)
        at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1508)
        at java.lang.Thread.run(Thread.java:662)]
    [07/14/2020][09:04:31][5472][1236][95a8d79f-e3836a13-05f429f0-63235689-d8852aa6-8f][SLOService.java][doGet][Stack Trace: java.lang.NullPointerException

    Can anyone please help with what I am missing here?

    Thank You
    Ankur Taneja
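    The post above shows the LogoutRequest as the SP built it. On the wire the HTTP-Redirect binding carries it in the SAMLRequest query parameter as raw DEFLATE, then base64, then URL-encoding, and the first thing an IdP-side endpoint does is unpack that and check the request before touching any session. The following is an added example for readers of this thread, not SiteMinder code and not code from the poster; it reproduces the binding encoding with the Python standard library, parses the request quoted above (embedded as a constructed sample), and applies the checks a receiver makes before acting on it: that it is a LogoutRequest, Version 2.0, addressed to this endpoint's Destination, and carries a NameID (or EncryptedID). The HTTP-Redirect Signature and SigAlg query parameters are deliberately left out; signature verification is a separate step this example does not implement, and parsing of untrusted XML should go through defusedxml in production.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: the LogoutRequest quoted in the first post of this thread.
LOGOUT_REQUEST_XML = """<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://xyz.com/affwebservices/public/saml2slo"
ID="a3ie9j5ga97gdhj41f2cab28ihca9i2"
IssueInstant="2020-07-14T12:59:45.668Z"
Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">xxx:8080/saml/SSO</saml2:Issuer>
<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">bZot0021</saml2:NameID>
<saml2p:SessionIndex>cojnsyx0q2q/oLCrw6x1PBhUX1M=MuHOHA==</saml2p:SessionIndex>
</saml2p:LogoutRequest>"""


def encode_redirect_param(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header, wbits=-15), base64, URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect_param(param: str) -> str:
    """Reverse of encode_redirect_param: URL-decode, base64-decode, raw INFLATE."""
    raw = base64.b64decode(urllib.parse.unquote(param))
    return zlib.decompress(raw, -15).decode("utf-8")


def parse_logout_request(xml_text: str, expected_destination: str) -> dict:
    """Extract the fields an SLO endpoint needs and reject requests that are not for it."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["saml2p"]:
        raise ValueError("not a LogoutRequest: %s" % root.tag)
    if root.get("Version") != "2.0":
        raise ValueError("unsupported SAML version")
    destination = root.get("Destination")
    # A signed request must be addressed to this endpoint; a mismatch is a replay
    # to the wrong service or a misconfigured SP, either way not to be processed.
    if destination != expected_destination:
        raise ValueError("Destination %r does not match this SLO endpoint" % destination)
    name_id = root.find("saml2:NameID", NS)
    if name_id is None and root.find("saml2:EncryptedID", NS) is None:
        raise ValueError("LogoutRequest carries neither NameID nor EncryptedID")
    return {
        "id": root.get("ID"),
        "issue_instant": root.get("IssueInstant"),
        "issuer": root.findtext("saml2:Issuer", namespaces=NS),
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        # Zero or more SessionIndex values: the IdP sessions the SP is asking to end.
        "session_indexes": [e.text for e in root.findall("saml2p:SessionIndex", NS)],
    }


if __name__ == "__main__":
    param = encode_redirect_param(LOGOUT_REQUEST_XML)
    print("SAMLRequest=%s..." % param[:40])
    fields = parse_logout_request(
        decode_redirect_param(param), "https://xyz.com/affwebservices/public/saml2slo"
    )
    for key, value in fields.items():
        print("%-16s %s" % (key, value))
```

The SessionIndex values are what the IdP later maps to its own session records; in the thread above that lookup is the step that fails, so the parse itself succeeding is no guarantee that the logout will.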


  • 2.  RE: SLO Not Working

    Broadcom Employee
    Posted Jul 15, 2020 02:25 AM
    Hi Ankur,

    In order to get SLO working, you do need to use a Session Store on IdP
    side.

    The following error is related to Session Store :

    "Error executing a Session Server API call"

    Best Regards,
    Patrick


  • 3.  RE: SLO Not Working

    Posted Jul 15, 2020 07:45 AM
    Hello Patrick,

    Yes, we have Session Store setup and it's up and active. We could see the connection fine from Policy server as well (PFA the screenshots).

    Is there anything that we are missing in our configuration?

    Thanks 
    Ankur Taneja


  • 4.  RE: SLO Not Working

    Broadcom Employee
    Posted Jul 15, 2020 02:39 PM

    Hi Ankur,

    SLO requires more than just the session store; it requires persistent sessions.  Persistent sessions result in centralized session storage/tracking which is required to support SLO.  Without this there is no way to track the many places where a user may have a session.  Please note that whether a session is persistent or not is determined at the time of authentication and cannot be changed without re-authenticating, thus, even if the realm protecting the Authentication URL is marked persistent, if the user has another way of authenticating to a non-persistent realm, users may still be able to access the federated application via a non-persistent session.

    I hope this helps.

    Regards,
    Pete
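    Both replies point at the same line in the FWSTrace.log excerpt: the tunnel call returns status 8 with "Error executing a Session Server API call", which is the IdP failing to look the session up in the Session Store because the session was never persisted there. The following is an added example for readers of this thread, not SiteMinder code and not anything the posters ran: a small triage helper that walks FWSTrace-style records, keeps only the ones for a given transaction ID, collects the CHECKPOINT markers in order, and flags a non-zero tunnel status whose message names the Session Server. The sample records are constructed to mirror the lines quoted in the first post; the record layout ([date][time][pid][tid][transaction id][file][method][message]) is assumed from those lines rather than taken from any product documentation.

```python
import re

# Constructed sample modelled on the FWSTrace.log lines quoted in the first post.
TXID = "95a8d79f-e3836a13-05f429f0-63235689-d8852aa6-8f"
_PREFIX = "[07/14/2020][09:04:31][5472][1236][%s]" % TXID
SAMPLE_FWSTRACE = [
    _PREFIX + "[FWSBase.java][getSessionFromCookie][Fetching session details from cookie [CHECKPOINT = SLO_SESSION_FETCH]]",
    _PREFIX + "[FWSBase.java][getSessionCookie][SMSESSION Cookie found.]",
    _PREFIX + "[SLOService.java][handleLogout][Reading session id from cookie data for session termination [CHECKPOINT = SLOSAML2_SESSIONIDFROMCOOKIEDATA_READ]]",
    _PREFIX + "[SLOService.java][handleLogout][Performing tunnel call for SAML1 SLO [CHECKPOINT = SLOSAML2_TUNNEL_REQUEST]]",
    _PREFIX + "[SLOService.java][handleLogout][TUNNEL STATUS:   status  : 8   message : Error executing a Session Server API call: getStatus Session ID: uoDh0uZLvAhuRmSD8SDLph5Dm98= Status: 0]",
    _PREFIX + "[SLOService.java][doGet][Transaction with ID: %s failed. Reason: SLO_GET_EXCEPTION]" % TXID,
    # A record from an unrelated transaction, which the triage must ignore.
    "[07/14/2020][09:04:31][5472][1236][other-transaction-id][FWSBase.java][getSessionCookie][SMSESSION Cookie found.]",
]

# Seven fixed bracketed fields, then a message that may itself contain brackets
# (the CHECKPOINT marker), so the message group is greedy and anchored to the final ']'.
RECORD_RE = re.compile(
    r"^\[(?P<date>[^\]]*)\]\[(?P<time>[^\]]*)\]\[(?P<pid>[^\]]*)\]\[(?P<tid>[^\]]*)\]"
    r"\[(?P<txid>[^\]]*)\]\[(?P<file>[^\]]*)\]\[(?P<method>[^\]]*)\]\[(?P<msg>.*)\]$"
)
CHECKPOINT_RE = re.compile(r"\[CHECKPOINT = ([A-Z0-9_]+)\]")
TUNNEL_RE = re.compile(r"TUNNEL STATUS:\s+status\s*:\s*(\d+)\s+message\s*:\s*(.*)$")


def parse_record(line: str):
    """Split one FWSTrace record into its fields, or return None if it is not one."""
    m = RECORD_RE.match(line)
    return m.groupdict() if m else None


def triage_slo(lines, txid: str) -> dict:
    """Correlate the records of one SLO transaction and name the failing step."""
    result = {
        "checkpoints": [],
        "session_cookie_found": False,
        "tunnel_status": None,
        "tunnel_message": None,
        "failed": False,
        "diagnosis": [],
    }
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["txid"] != txid:
            continue
        msg = rec["msg"]
        cp = CHECKPOINT_RE.search(msg)
        if cp:
            result["checkpoints"].append(cp.group(1))
        if "SMSESSION Cookie found" in msg:
            result["session_cookie_found"] = True
        t = TUNNEL_RE.search(msg)
        if t:
            result["tunnel_status"] = int(t.group(1))
            result["tunnel_message"] = t.group(2)
        if "failed. Reason:" in msg:
            result["failed"] = True

    # The signal both replies in the thread point at: the IdP reached the tunnel
    # call but the Session Store lookup for the user's session failed.
    if result["tunnel_status"] not in (None, 0) and "Session Server API call" in (
        result["tunnel_message"] or ""
    ):
        result["diagnosis"].append(
            "Session Store lookup failed during the SLO tunnel call: confirm the Session "
            "Store connection and that the user's session was created as persistent"
        )
    elif result["failed"] and result["tunnel_status"] is None:
        result["diagnosis"].append("SLO failed before the tunnel call reported a status")
    return result


if __name__ == "__main__":
    report = triage_slo(SAMPLE_FWSTRACE, TXID)
    print("checkpoints reached:", " -> ".join(report["checkpoints"]))
    print("tunnel status:", report["tunnel_status"])
    for line in report["diagnosis"]:
        print("diagnosis:", line)
```

Run against a real FWSTrace.log, the helper is fed the lines of the file and the transaction ID from the HTTP 500 page; the order of CHECKPOINT markers shows how far the logout got, and a Session Server error at the tunnel step is the case this thread resolves, namely a session that exists in the cookie but not in the store.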