Symantec Access Management

  • 1.  SP Initiated Federated SSO

    Posted Jun 19, 2020 08:55 PM
    Hi,

    I was in the process of creating the SP Initiated Federated SSO. After SiteMinder authenticated the protected resources and set the cookie on the browser, FM is flagging it as an invalid cookie. Any help in fixing the issue will be appreciated.

    FWSTrace.log

    [06/20/2020][00:34:42][44138][140318359791360][2353ed7a-77800f6d-6da7223d-e1c7dbb9-cc259d1b-c40][FWSBase.java][isSessionIdle][Verifying validity of session cookie [DEVSMSESSION] retrieved]
    [06/20/2020][00:34:42][44138][140318359791360][2353ed7a-77800f6d-6da7223d-e1c7dbb9-cc259d1b-c40][FWSBase.java][isSessionIdle][returning true]
    [06/20/2020][00:34:42][44138][140318359791360][2353ed7a-77800f6d-6da7223d-e1c7dbb9-cc259d1b-c40][FWSBase.java][isValidSession][Session is Idle]
    [06/20/2020][00:34:42][44138][140318359791360][2353ed7a-77800f6d-6da7223d-e1c7dbb9-cc259d1b-c40][SSO.java][processRequest][Force Authn is disabled.]
    [06/20/2020][00:34:42][44138][140318359791360][2353ed7a-77800f6d-6da7223d-e1c7dbb9-cc259d1b-c40][SSO.java][processRequest][Current session state is: false]
    [06/20/2020][00:34:42][44138][140318359791360][2353ed7a-77800f6d-6da7223d-e1c7dbb9-cc259d1b-c40][SSO.java][processRequest][Current session is not a valid session.]

    affwebserv.log

    [44138/140318359791360][Sat Jun 20 2020 00:34:42][isSessionIdle][ERROR][sm-FedClient-01570] SAML2 Request contains too many SERVERSESSIONID headers. Session is considered invalid and user must relogin. Service encounters the following error while processing request: {1}.


  • 2.  RE: SP Initiated Federated SSO

    Broadcom Employee
    Posted Jun 20, 2020 01:21 AM
    Hi Matheensyed

    The SiteMinder Web Agent trace log will provide more detailed information on why it has "too many SMSERVERSESSIONID". In the Chrome browser, please enable the developer tools and check the number of SMSESSION cookies and the other variables.

    With the provided logs, it is hard to find the root of the issue. Please share the web agent log and the web agent trace log.

    Kind regards

    B.K.


  • 3.  RE: SP Initiated Federated SSO

    Posted Jun 22, 2020 10:44 AM
    Here are the logs attached

    ------------------------------
    Matheen
    ------------------------------

    Attachment(s)

    smtracedefault_0622.log   2.14 MB 1 version
    proxyui.log   588 B 1 version
    FWSTrace.log   556 KB 1 version
    server.log   40 KB 1 version
    affwebserv.log   17 KB 1 version
    Conector-trace.log   902 KB 1 version


  • 4.  RE: SP Initiated Federated SSO

    Broadcom Employee
    Posted Jun 22, 2020 12:38 PM
    Hi Matheen

    I have checked your FWSTrace.log, but I could not find any AuthN request. It seems that it does not follow standard SP-initiated SAML SSO.

    You can validate the AuthN request via the Chrome SAML plug-in. Here is the example.

    In the log, I can also see the following one. SMASSERTIONREF=QUERY and SAMLTRANSACTIONID are appended 10 times. It is not a normal redirection flow.

    https://federated.dev.xxxx.com/affwebservices/redirectjsp/redirect.jsp?SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SPID=1WSDevSP&AssertionConsumerServiceIndex=1&SAMLTRANSACTIONID=26727b06-2fc7f614-f2940b48-8220d772-9fa767ac-741&SAMLTRANSACTIONID=1d910fbf-2bb6adf5-5ad10e9d-5a14265b-b3bbca5a-481&SAMLTRANSACTIONID=37077432-582ccd00-714614a0-6f76b605-3375a5c4-f&SAMLTRANSACTIONID=11492811-608e30d9-7fcbd620-7ba58b6a-14ea8c21-d6f&SAMLTRANSACTIONID=237b9f51-67bd3c7d-2d8b4544-d27caafc-e4a0f6c4-ed9&SAMLTRANSACTIONID=6334ec3c-7100d210-6333e4e3-9dfd408b-abac9872-7&SAMLTRANSACTIONID=1b7c87bc-9e6b3d45-3d2205e6-a303aa62-04c9d961-18b&SAMLTRANSACTIONID=363ee029-dfee6e67-e72f6f9c-397d1212-eff8cc63-6f&SAMLTRANSACTIONID=8806caa1-559fb349-a9272807-6bab8e30-a6f11eaa-8&SAMLTRANSACTIONID=2c599068-2d9d88a9-2ab30a06-a7f8508e-043ee8b6-75&SAMLTRANSACTIONID=260481a0-5a70dadf-d7a04fc3-17572fa3-d36c68c8-e2f&SAMLTRANSACTIONID=18259bd5-0dcee244-bb682fc0-be1c5292-e85f1304-d32&SMPORTALURL=https%3A%2F%2Ffederated.dev.1worldsync.com%2Faffwebservices%2Fpublic%2Fsaml2s

    Please test it with an IDP-initiated SAML test first. When it works, please test it with SP-initiated SAML.

    The IDP-initiated SAML URL format is

    https://<IDP FQDN>/affwebservices/public/saml2sso?SPID=<SP NAME> 

    In your case, it will be similar to 

    https://federated.dev.xxxx.com//affwebservices/public/saml2sso?SPID=1WSDevSP

    Please do NOT add any other parameter at the end of SPID.

    To save your time on this issue, I would recommend that you open a support case and do a quick WebEx session with a support engineer.

    Kind regards

    B.K.
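
The looping redirect quoted in the reply above can be spotted mechanically. The script below is an added example (not part of the thread or of the SiteMinder product): it counts repeated query parameters in a redirect.jsp URL to flag a redirect loop, and applies the "SPID only" rule the reply gives for the IDP-initiated test URL. The sample URL and its host are constructed, modelled on the one in the post.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlparse

# Constructed sample modelled on the redirect.jsp URL quoted in the thread:
# each pass through the flow appends the same parameters again.
LOOPING_URL = (
    "https://federated.dev.example.com/affwebservices/redirectjsp/redirect.jsp"
    "?SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY&SMASSERTIONREF=QUERY"
    "&SPID=1WSDevSP&AssertionConsumerServiceIndex=1"
    "&SAMLTRANSACTIONID=aaaa-1&SAMLTRANSACTIONID=bbbb-2&SAMLTRANSACTIONID=cccc-3"
    "&SMPORTALURL=https%3A%2F%2Ffederated.dev.example.com%2Faffwebservices%2Fpublic%2Fsaml2sso"
)


def repeated_params(url):
    """Return {name: count} for every query parameter that occurs more than once."""
    query = urlparse(url).query
    counts = Counter(name for name, _ in parse_qsl(query, keep_blank_values=True))
    return {name: n for name, n in counts.items() if n > 1}


def looks_like_redirect_loop(url, threshold=3):
    """One pass through federation sets each parameter once; repeats mean the
    browser is being bounced round the same redirect again and again."""
    return any(n >= threshold for n in repeated_params(url).values())


def check_idp_initiated_url(url):
    """Apply the rule from the reply: the IDP-initiated test URL must hit
    /affwebservices/public/saml2sso with SPID as its only query parameter.
    Returns a list of problems; an empty list means the URL is acceptable."""
    parsed = urlparse(url)
    names = [name for name, _ in parse_qsl(parsed.query, keep_blank_values=True)]
    problems = []
    if not parsed.path.endswith("/affwebservices/public/saml2sso"):
        problems.append("path is not /affwebservices/public/saml2sso")
    if names.count("SPID") != 1:
        problems.append("SPID must appear exactly once")
    extra = sorted(set(names) - {"SPID"})
    if extra:
        problems.append("extra parameters after SPID: " + ", ".join(extra))
    return problems


if __name__ == "__main__":
    print("repeated:", repeated_params(LOOPING_URL))
    print("loop suspected:", looks_like_redirect_loop(LOOPING_URL))
    print(check_idp_initiated_url(
        "https://federated.dev.example.com/affwebservices/public/saml2sso?SPID=1WSDevSP"))
```

Run it against the full URL from the FWSTrace.log to see exactly which parameters are being re-appended on each pass.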


  • 5.  RE: SP Initiated Federated SSO

    Broadcom Employee
    Posted Jun 22, 2020 03:59 PM

    Hi Matheensyed,


    Patrick gave you the correct answer in the other thread (https://community.broadcom.com/enterprisesoftware/communities/community-home/digestviewer/viewthread?MessageKey=bd0503ac-f9a5-4490-8a9c-d0d27ea9bae6&CommunityKey=f9d65308-ca9b-48b7-915c-7e9cb8fc3295&tab=digestviewer#bmbd0503ac-f9a5-4490-8a9c-d0d27ea9bae6)


    Affwebservices is not accepting the session that the login server is creating. This is most likely because that web agent has DisableSessionVars=yes in its ACO. This will cause the session cookie to be incompatible with Affwebservices and thus the error. Setting DisableSessionVars=No on the login server should resolve this.

    https://knowledge.broadcom.com/external/article?articleId=142862

    Regards,
    Pete


  • 6.  RE: SP Initiated Federated SSO

    Posted Jun 22, 2020 06:15 PM
    Hi Pete,

    I have two ACO objects and I checked both have DisableSessionVars=no.

    Thanks,
    Matheen


    ------------------------------
    Matheen
    ------------------------------