Layer 7 Access Management

Expand all | Collapse all

CA Federation INRESPONSETO Missing

  • 1.  CA Federation INRESPONSETO Missing

    Posted 11-18-2015 01:22 PM

    We have CA Siteminder Federation setup up and running successfully. However we are having some issue issue while onboarding an aplication into federation.CA siteminder is not setting the "INRESPONSETO" attribute in SAMLResponse. Also we had a requirement for step-up authentication and did a minor customization in the federation flow - we have 2 jsp files deployed on SPS which posts the SAMLrequest instead of direct posting.

     

    redirectStr = "https://ssodev.coach.com/affwebservices/public/saml2sso?SPID="+SPID+"&RelayState="+ URLEncoder.encode(RelayState, "UTF-8") +"&SAMLRequest="+ URLEncoder.encode(SAMLRequest, "UTF-8");

     

    Below are the error message I am getting it from affwebserv.log

     

    Transaction with ID: 1250aff2-4a6117d2-ca7759fa-8b89a47b-8398fa99-5a86 failed. Reason: BAD_SAML_REQUEST_ENCODING (, , )

    The SAMLRequest parameter was not encoded properly. ()

     

    Any suggetsions ?



  • 2.  Re: CA Federation INRESPONSETO Missing

    Posted 11-18-2015 02:36 PM

    Ashok ashokpearl

     

    Should have raised different blogs for each issue as both issues are independent.

     

    ISSUE-1 : CA siteminder is not setting the "INRESPONSETO" attribute in SAMLResponse.

    I have a sample assertion which is generated by CA SSO. I do not see this currently. However if we skim through the FWSTrace.log we should see probably what you intend to see. Nevertheless, I have lurking doubt that this would translate into a Enhancement Request.

    [03/13/2015][14:51:45][5464][7144][23b90f58-a937f6ae-b2278e78-8e221b5d-c8d6e24d-59d][AssertionConsumer.java][processSAMLResponse][RelayState: db2cb30a81e4731a592473528b1e8ab9360b7658]

    [03/13/2015][14:51:49][5464][7144][23b90f58-a937f6ae-b2278e78-8e221b5d-c8d6e24d-59d][AssertionConsumer.java][processSAMLResponse][RequestID: _b198dd61-a7e4-4552-8680-93756d94ee48]

    [03/13/2015][14:51:49][5464][7144][23b90f58-a937f6ae-b2278e78-8e221b5d-c8d6e24d-59d][AssertionConsumer.java][processSAMLResponse][RequestID _b198dd61-a7e4-4552-8680-93756d94ee48 maps to TransactionID: 23b90f58-a937f6ae-b2278e78-8e221b5d-c8d6e24d-59d.]

    [03/13/2015][14:51:49][5464][7144][23b90f58-a937f6ae-b2278e78-8e221b5d-c8d6e24d-59d][AssertionConsumer.java][processSAMLResponse][ResponseID: _b198dd61-a7e4-4552-8680-93756d94ee48]

    [03/13/2015][14:51:49][5464][7144][23b90f58-a937f6ae-b2278e78-8e221b5d-c8d6e24d-59d][AssertionConsumer.java][processSAMLResponse][ResponseID _b198dd61-a7e4-4552-8680-93756d94ee48 maps to TransactionID: 23b90f58-a937f6ae-b2278e78-8e221b5d-c8d6e24d-59d.]

     

     

    ISSUE-2 : SAMLRequest parameter was not encoded properly. ()

    This looks like the SAMLREQUEST that was sent to WAOP was not in the proper format. I think it needs to be in a Base64 encoded format.

     

     

     

    Regards

     

    Hubert



  • 3.  Re: CA Federation INRESPONSETO Missing

    Posted 08-09-2016 04:27 AM

    Hi Hubert,

     

    I am encountering the same issue where "InResponseTo" element is missing in the first transaction of saml response but when I am re-running the journey in same session I am getting this element.

    Any suggestion?

     

    Thanks



  • 4.  Re: CA Federation INRESPONSETO Missing

    Posted 08-09-2016 12:21 PM

    Rakesh Dewangan

     

    What is the product being used on IdP Side and SP Side? What are you IdP or SP? Also could I know the version of WA-WAOP / SPS and Policy Server.

     

    When we say "we are running the journey in the same session"? Are we referring to a logged in Session. When a valid logged in Session Cookie exists on the Browser and we run the SP Initiated Journey on the same Browser session - we are able to see InResponseTo element.

     

    SiteMinder has been designed to add InResponseTo in the SAML Response when we do an AuthnRequest(SP Initiated Federation). We could run a fiddler trace and check the request - response stream for SAML AuthnRequest and SAML Assertion being posted.

     

    Example

     

    SAML AuthnRequest had ID as below.

    ID="_f2284f0b24f4f9b3756223022b26ea485b5e"

     

    And the SAML Assertion Response has InResponseTo as below.

    ID="_57cfc2e635a935b0fbca151ab515a5aebba6"

    InResponseTo="_f2284f0b24f4f9b3756223022b26ea485b5e"

     

     

    Regards

    Hubert



  • 5.  Re: CA Federation INRESPONSETO Missing

    Posted 08-10-2016 12:34 AM

    I am acting as IDP, IDP product is CA Siteminder(Partnership Federation); PolicyServer and SPS version is R12.52 SP1 CR1-GA

    On SP side, there a customized SAML component being used.

     

    Yes you got it correct, user logged in session where SMSession is already present, journey is successful (can see InResponseTo element in saml response)

    But in new session, SP Initiated journey is failing (here InResponseTo element is not present in saml response)

     

    Did a sharing session with CA support but they are also unable to identify the issue.

     

    Thanks,

    rakesh



  • 6.  Re: CA Federation INRESPONSETO Missing

    Posted 08-10-2016 12:42 AM

    Rakesh

     

    Did we upload a fiddler trace? Have we confirmed that in the New Session when the SAML Request arrives at IdP - there is a ID value being sent.

     

    Also could you confirm the version of WA-WAOP / SPS and PS. I don't think we always supported InResponseTo in older versions.

     

    Regards

    Hubert



  • 7.  Re: CA Federation INRESPONSETO Missing

    Posted 08-10-2016 12:55 AM

    saml trace was uploaded, yes Authnrequest ID is available in saml request.

    version of Policy Server and SPS is 12.52, update 00.01 build 154, CR 01



  • 8.  Re: CA Federation INRESPONSETO Missing

    Posted 08-10-2016 12:57 AM

    Yes, saml tracer logs are uploaded.

    yes in new session AuthnRequest ID is present in saml request.

     

    version of SPS and Policy Server is R12.52 update: 00.01 CR: 01 build: 154



  • 9.  Re: CA Federation INRESPONSETO Missing

    Posted 08-11-2016 12:00 PM

    Hi Rakesh,

     

    As discussed, You are using Custom login page which caused the issue. The request was changing to the IDP Initiated by the login page, Hence the "InResponseTo" element was missing which is expected for IDP Initiated transaction. Once we tested with Basic Authentication scheme, You were able to get the InResponseTo element without any issues.

     

    Thanks,

    Sharan