Symantec Access Management

  • 1.  Error : "Cannot parse bytes to a ProviderDataResponseData",

    Posted Oct 25, 2019 08:59 AM
    Hi team,

    I am trying to set up basic SAML legacy federation on my machine. In order to have both the SP and the IdP on my machine, I have installed 2 instances of SPS on it.

    So both have different domains. However I am unable to complete the federation testing.

    I am able to access the URLs http:///www.idp.demo:82/affwebservices/assertionretriever and http://www.sp.demo:84/affwebservices/assertionretriever

    I get the success message. However the actual federation flow is not working.

    I have protected the resource http://www.sp.demo:84/spsample/protected/SPS2.html on the SP side. There is no .jsp file that I have protected on the SP side. However, I feel that this should still work.

    I have changed the proxyrules.xml file content as per the example template that uses the URI. Hence, when I hit the unprotected resource on the SP side, it works fine. However, when I hit the protected resource there are errors (the federation flow fails).

    Errors are as below:

    affwebserv.log:

    [5560/12524][Fri Oct 25 2019 15:21:51][AuthnRequest.java][ERROR][sm-FedClient-02890] sm-FedClient-02890 (40219353-64e26675-0747d1b7-a99fbc69-b4dc11dd-c1, ATHR_NO_PROVIDER_ID, , , )
    [5560/12524][Fri Oct 25 2019 15:22:13][SAMLTunnelClient.java][ERROR][sm-FedClient-01660] sm-FedClient-01660 (com.netegrity.affiliateminder.webservices.saml2.l, getIdentityProviderInfoByID, java.lang.IllegalArgumentException: "Cannot parse bytes to a ProviderDataResponseData", , )

    FWSTrace.log:

    [10/25/2019][15:27:13][5560][12524][d6bf86c5-6329705e-eac06074-8ea2009e-c5c810e4][SAMLTunnelClient.java][getIdentityProviderInfoByID][Tunnel result code: 2.]
    [10/25/2019][15:27:13][5560][12524][d6bf86c5-6329705e-eac06074-8ea2009e-c5c810e4][SAMLTunnelClient.java][getIdentityProviderInfoByID][Exception caught in class com.netegrity.affiliateminder.webservices.saml2.l, method getIdentityProviderInfoByID: java.lang.IllegalArgumentException: "Cannot parse bytes to a ProviderDataResponseData"]
    [10/25/2019][15:27:13][5560][12524][d6bf86c5-6329705e-eac06074-8ea2009e-c5c810e4][SAML2Base.java][getIdentityProviderInfo][Tunnel client message: null.]
    [10/25/2019][15:27:13][5560][12524][d6bf86c5-6329705e-eac06074-8ea2009e-c5c810e4][SAML2Base.java][getIdentityProviderInfo][Could not find identity provider information for idp: idp.demo.]
    [10/25/2019][15:27:13][5560][12524][d6bf86c5-6329705e-eac06074-8ea2009e-c5c810e4][AuthnRequest.java][processRequest][SAML2 AuthnRequest Service get provider configuration failed. Unable to process requests.]

    The time may not match but the error is always the same.

    Also, it would be great if you could let me know the URL that I can try for the IdP-initiated check.

    Please help me with what I should check in order to resolve this.

    ------------------------------
    Medha
    ------------------------------
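The two log excerpts in the post use different layouts (affwebserv.log carries a code plus a parenthesised argument list; FWSTrace.log carries a transaction id, source file and method). The script below is an added triage example, not code from the post or from the Symantec/Broadcom product: it parses both formats, groups trace entries by transaction id, and pulls out the error codes, the method that raised the exception, the tunnel result code and the IdP id that could not be resolved ("idp.demo" in the post). The regexes are inferred from the shape of the quoted lines and the sample entries are constructed from the post, so it runs offline.

```python
"""Triage helper for the affwebserv.log and FWSTrace.log lines quoted above.

Added example: this is not code from the original post nor from the
Symantec/Broadcom product. The regexes are inferred from the shape of the
quoted lines, and the sample entries below are constructed from the post so
the script runs offline (the txids differ between the two logs in the post
as well, so the two files are not correlated here).
"""
import re
from collections import defaultdict

# affwebserv.log: [pid/tid][timestamp][source][LEVEL][code] code (arg, arg, ...)
AFFWEB_RE = re.compile(
    r"^\[(?P<pid>\d+)/(?P<tid>\d+)\]\[(?P<ts>[^\]]+)\]\[(?P<src>[^\]]+)\]"
    r"\[(?P<level>[A-Z]+)\]\[(?P<code>[^\]]+)\]\s*\S+\s*\((?P<args>.*)\)\s*$"
)
# FWSTrace.log: [date][time][pid][tid][txid][source][method][message]
TRACE_RE = re.compile(
    r"^\[(?P<date>[^\]]+)\]\[(?P<time>[^\]]+)\]\[(?P<pid>\d+)\]\[(?P<tid>\d+)\]"
    r"\[(?P<txid>[^\]]+)\]\[(?P<src>[^\]]+)\]\[(?P<method>[^\]]+)\]\[(?P<msg>.*)\]\s*$"
)
# Message patterns taken verbatim from the quoted trace lines.
IDP_LOOKUP_RE = re.compile(r"Could not find identity provider information for idp: (?P<idp>.+?)\.\s*$")
TUNNEL_RC_RE = re.compile(r"Tunnel result code: (?P<rc>\d+)\.")
EXCEPTION_RE = re.compile(r"Exception caught in class (?P<cls>[^,]+), method (?P<method>[^:]+): (?P<exc>.+)$")

# Constructed sample input, copied from the post.
AFFWEB_SAMPLE = [
    '[5560/12524][Fri Oct 25 2019 15:21:51][AuthnRequest.java][ERROR][sm-FedClient-02890] sm-FedClient-02890 (40219353-64e26675-0747d1b7-a99fbc69-b4dc11dd-c1, ATHR_NO_PROVIDER_ID, , , )',
    '[5560/12524][Fri Oct 25 2019 15:22:13][SAMLTunnelClient.java][ERROR][sm-FedClient-01660] sm-FedClient-01660 (com.netegrity.affiliateminder.webservices.saml2.l, getIdentityProviderInfoByID, java.lang.IllegalArgumentException: "Cannot parse bytes to a ProviderDataResponseData", , )',
]
TRACE_SAMPLE = [
    '[10/25/2019][15:27:13][5560][12524][d6bf86c5-6329705e-eac06074-8ea2009e-c5c810e4][SAMLTunnelClient.java][getIdentityProviderInfoByID][Tunnel result code: 2.]',
    '[10/25/2019][15:27:13][5560][12524][d6bf86c5-6329705e-eac06074-8ea2009e-c5c810e4][SAMLTunnelClient.java][getIdentityProviderInfoByID][Exception caught in class com.netegrity.affiliateminder.webservices.saml2.l, method getIdentityProviderInfoByID: java.lang.IllegalArgumentException: "Cannot parse bytes to a ProviderDataResponseData"]',
    '[10/25/2019][15:27:13][5560][12524][d6bf86c5-6329705e-eac06074-8ea2009e-c5c810e4][SAML2Base.java][getIdentityProviderInfo][Tunnel client message: null.]',
    '[10/25/2019][15:27:13][5560][12524][d6bf86c5-6329705e-eac06074-8ea2009e-c5c810e4][SAML2Base.java][getIdentityProviderInfo][Could not find identity provider information for idp: idp.demo.]',
    '[10/25/2019][15:27:13][5560][12524][d6bf86c5-6329705e-eac06074-8ea2009e-c5c810e4][AuthnRequest.java][processRequest][SAML2 AuthnRequest Service get provider configuration failed. Unable to process requests.]',
]


def parse_affweb(line):
    """Parse one affwebserv.log line into a dict, or None if it does not match."""
    m = AFFWEB_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Arguments are comma separated; empty positional slots are dropped.
    entry["args"] = [a.strip() for a in entry.pop("args").split(",") if a.strip()]
    return entry


def parse_trace(line):
    """Parse one FWSTrace.log line into a dict, or None if it does not match."""
    m = TRACE_RE.match(line)
    return m.groupdict() if m else None


def group_by_txid(trace_lines):
    """Group trace entries by transaction id, preserving file order."""
    chains = defaultdict(list)
    for line in trace_lines:
        e = parse_trace(line)
        if e:
            chains[e["txid"]].append(e)
    return dict(chains)


def diagnose(affweb_lines, trace_lines):
    """Summarise the failure: error codes, failing method, tunnel code, unresolved IdP id."""
    summary = {"error_codes": [], "failed_method": None, "exception": None,
               "tunnel_result_code": None, "missing_idp": None, "steps": []}
    for line in affweb_lines:
        e = parse_affweb(line)
        if e and e["level"] == "ERROR":
            summary["error_codes"].append(e["code"])
    for txid, entries in group_by_txid(trace_lines).items():
        for e in entries:
            # One line per trace step so the call chain reads top to bottom.
            summary["steps"].append(f'{txid[:8]} {e["src"]}:{e["method"]}')
            m = TUNNEL_RC_RE.search(e["msg"])
            if m:
                summary["tunnel_result_code"] = int(m.group("rc"))
            m = EXCEPTION_RE.search(e["msg"])
            if m:
                summary["failed_method"] = m.group("method")
                summary["exception"] = m.group("exc")
            m = IDP_LOOKUP_RE.search(e["msg"])
            if m:
                summary["missing_idp"] = m.group("idp")
    return summary


if __name__ == "__main__":
    for key, value in diagnose(AFFWEB_SAMPLE, TRACE_SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the quoted lines it reports the two sm-FedClient error codes, getIdentityProviderInfoByID as the method that threw, tunnel result code 2, and idp.demo as the IdP id the SP side failed to look up; the step list shows the chain from SAMLTunnelClient through SAML2Base to AuthnRequest.processRequest. It only summarises what the logs say and does not interpret the tunnel result code.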


  • 2.  RE: Error : "Cannot parse bytes to a ProviderDataResponseData",
    Best Answer

    Broadcom Employee
    Posted Oct 28, 2019 05:54 PM
    Hi Medha,

    The format for IDP-initiated SAML is:
    http(s)://host.domain.com/affwebservices/public/saml2sso?SPID=<SPID Value>

    Please note that query parameter names in SAML are case sensitive, so SPID must be in uppercase on the query string.

    Is there a reason you're using Legacy Federation rather than the newer Partnership model? One of the reasons I ask is because Partnership federation is more flexible and will be enhanced over time, whereas no further enhancements will be made to the Legacy model; thus we recommend using the Partnership model for new implementations. Also, in the Legacy model, you must protect the target application with a SAML auth scheme. Since the SAML auth scheme contains the SAML configuration for the application, the auth scheme is how SiteMinder knows to map the SPID to the target application. (This is not a requirement in the Partnership model, and thus why it's more flexible: Partnership allows you to protect the target resource with any non-SAML auth scheme, allowing both SAML and non-SAML (internal) users to access the same resource using the same URL. Otherwise SAML and non-SAML users would be forced to use separate URLs, since the SAML auth scheme can only authenticate a user via assertion.)

    Regards,
    Pete
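As an added example (not code from the reply or from the product) of the IdP-initiated URL format given above, the snippet below builds a saml2sso URL and checks one: the path must be /affwebservices/public/saml2sso and the query must carry exactly "SPID", compared case-sensitively, so a lowercase "spid" is reported as a problem rather than silently accepted. Host names and SPID values are made up; that the SPID may itself be a URL-style entity ID is an assumption used to show why the value has to be percent-encoded.

```python
"""Build and sanity-check an IdP-initiated SSO URL of the form given above.

Added example, not code from the reply or from the product. It assumes only
what the reply states: the path /affwebservices/public/saml2sso and a
case-sensitive SPID query parameter. Host names and SPID values below are
made up, and the SPID being a URL-style entity ID is an assumption used to
show why percent-encoding matters.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SAML2SSO_PATH = "/affwebservices/public/saml2sso"


def idp_initiated_url(idp_base, spid, extra=None):
    """Return http(s)://<idp host>/affwebservices/public/saml2sso?SPID=<spid>."""
    parts = urlsplit(idp_base)
    params = [("SPID", spid)] + list((extra or {}).items())
    # urlencode percent-encodes ':' and '/' in the SPID so the value survives intact.
    return urlunsplit((parts.scheme, parts.netloc, SAML2SSO_PATH, urlencode(params), ""))


def check_idp_initiated_url(url):
    """Return a list of problems with an IdP-initiated SSO URL; empty means it looks right."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        problems.append(f"scheme is {parts.scheme!r}, expected http or https")
    if parts.path != SAML2SSO_PATH:
        problems.append(f"path is {parts.path!r}, expected {SAML2SSO_PATH}")
    # parse_qsl keeps parameter names exactly as sent, so the comparison is case-sensitive.
    params = parse_qsl(parts.query, keep_blank_values=True)
    names = [name for name, _ in params]
    if "SPID" in names:
        if not dict(params)["SPID"]:
            problems.append("SPID value is empty")
    else:
        wrong_case = [name for name in names if name.lower() == "spid"]
        if wrong_case:
            problems.append(f"query parameter {wrong_case[0]!r} must be spelled SPID (case-sensitive)")
        else:
            problems.append("SPID query parameter is missing")
    return problems


if __name__ == "__main__":
    good = idp_initiated_url("https://www.idp.demo:82", "https://www.sp.demo:84/sp")
    print(good, check_idp_initiated_url(good))
    print(check_idp_initiated_url("https://www.idp.demo:82/affwebservices/public/saml2sso?spid=sp.demo"))
```

The checker deliberately does not fold parameter names to lowercase before comparing, which is the mistake that would hide the case error the reply warns about.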


  • 3.  RE: Error : "Cannot parse bytes to a ProviderDataResponseData",

    Broadcom Employee
    Posted Oct 28, 2019 08:45 PM
    To add a bit more: when the browser accesses the SP-side protected resource with a SAML 2.0 Authentication Scheme, the browser will not automatically redirect to the IDP, nor will an AuthnRequest trigger automatically.

    The URL you are using, http:///www.idp.demo:82/affwebservices/assertionretriever, should be a protected resource.
    That is where the Consumer (it seems you are testing SAML 1.x instead of 2.0) visits the Producer to retrieve the SAML Assertion via the SSL back channel.
    This means you CANNOT USE HTTP; it has to be https.
    And for the SAML Artifact Profile, you must have the session store enabled on the Producer side so the Policy Server can hold the Assertion for the Consumer to come and fetch (after authenticating itself).

    As Peter suggested, use the Partnership model instead of Legacy, and use the SAML 2.0 POST Profile, which has fewer prerequisites.



    ------------------------------
    Support Engineer 5
    Broadcom
    ------------------------------