Symantec Access Management

  • 1.  SP initiated flow 500 error on upgrade to R12.52

    Posted May 10, 2016 12:28 PM

    Hi,

     

    We upgraded SiteMinder from R12.50 to R12.52, and SP-initiated flows are failing with a 500 Internal Server Error. Below is the log from the policy server:

     

    Smtracedefault.log:

     

    [05/10/2016][00:10:56.355][00:10:56][16700][3540642672][AuthnRequestProtocol.java][validateDestination][fdcd7431-95bd2235-e40bb7af-0b309673-1de3cc85-6f3][][][][][][][][][][][][][][][][][][][][Destination does not match local URL.

    Smps.log:

     

    </StatusCode>

            <StatusMessage>Request did not satisfy security requirements!</StatusMessage>

        </Status>

    </Response>

     

    Affwebserv.log:

     

    Reason: FAILED_INVALID_RESPONSE_RETURNED

     

    FWSTrace.log:

    [SSO.java][processAssertionGeneration][Received the following response from SAML2 assertion generator: SAML2Response=NO.]

    failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]

    [ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]

     

    We see a proxy URL in the logs which is different from the destination URL, but the exact same case works in R12.50. Also, one of the SP-integrated applications in R12.52 works fine, and in that case the proxy URL is the same as the destination URL.

     

    Below are the questions, if somebody can help answer them (we have already raised a CA case on it, but if somebody has answers or has experienced the same issue, please help answer). We are using Federation partnership.

     

    - In R12.52, has some logic been changed in the comparison so that the destination URL has to be the same as the proxy URL? What is not working in R12.52 works fine in R12.50.

    - Which configuration of the partnership is the proxy URL in the logs picked up from?

    - Is the proxy URL part of the metadata that is imported on the SP side?

    - What changes should be made to fix it?

    - Is this the real cause of the impact that we are seeing?

     

    Thanks



  • 2.  Re: SP initiated flow 500 error on upgrade to R12.52

    Broadcom Employee
    Posted May 10, 2016 06:13 PM

    I understand you were asking about Federation partnership in particular, but for lack of an example to demonstrate at the moment: by design, Federation partnership has components similar to Legacy Federation. Here are the steps for Legacy Federation.

    Request Processing with a Proxy Server at the SP - CA Single Sign-On - 12.52 SP2 - CA Technologies Documentation

     

    Request Processing with a Proxy Server at the SP:

    When CA Single Sign-On receives certain requests at the SP, it validates the message attributes. CA Single Sign-On verifies the attributes using the local URL for Federation Web Services application. After verification, CA Single Sign-On processes the request.

    For example, a logout request message can contain the following attribute:

    Destination="http://sp.domain.com:8080/affwebservices/public/saml2slo" 

    In this example, the destination attribute in the logout message and the address of the Federation Web Services application are the same. CA Single Sign-On verifies that the destination attribute matches the local URL of the FWS application.

    If the CA Single Sign-On sits behind a proxy server, the local and destination attribute URLs are not the same. The destination attribute is the URL of the proxy server. For example, the logout message can include the following destination attribute:

    Destination="http://proxy.domain.com:9090/affwebservices/public/saml2slo" 

    The local URL for Federation Web Services, http://sp.domain.com:8080/affwebservices/public/saml2slo, does not match the Destination attribute so the request is denied.

    You can specify a proxy configuration to alter how CA Single Sign-On determines the local URL used for verifying the message attribute of a request. In a proxy configuration, CA Single Sign-On replaces the <protocol>://<authority> portion of the local URL with the proxy server URL. This replacement results in a match between the two URLs.

    Configure Request Processing with a Proxy Server at the SP

    Specify a proxy configuration to alter how CA Single Sign-On determines the local URL used for verifying the message attribute of a request.

    To use a proxy server at the Service Provider

    1. Navigate to the SAML 2.0 authentication scheme you want to modify.
    2. Select SAML 2.0 Configuration, Advanced.
    3. In the Proxy section, enter a partial URL in the Server field. The format is <protocol>://<authority>.
    For example, the proxy server configuration would be:

    http://proxy.domain.com:9090

    If your network includes the CA Access Gateway, the Server field must specify the CA Access Gateway host and port, for example,

    http://sps_federation_gateway.domain.com:9090

    4. Click OK to save your changes.

    The Server configuration affects the URLs for the following services at the SP:

    • Assertion consumer Service
    • Single Logout Service

    The server value becomes part of the URL CA Single Sign-On uses to verify SAML attributes, like the destination attribute.
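    The destination check described above, written out as an added example (not CA's code or the thread's): the Destination attribute is compared against the local FWS URL, or, when a proxy base is configured, against the local URL with its <protocol>://<authority> swapped for the proxy base. The `proxy_base` parameter stands for the Server field in Legacy Federation; the sample URLs are the ones from the documentation quoted above, and the case-insensitive scheme/host comparison is an assumption, not something the documentation states.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Sample values taken from the documentation quoted in this thread (constructed test data).
LOCAL_FWS_URL = "http://sp.domain.com:8080/affwebservices/public/saml2slo"
PROXY_DESTINATION = "http://proxy.domain.com:9090/affwebservices/public/saml2slo"


def effective_local_url(local_url: str, proxy_base: Optional[str]) -> str:
    """Return the URL the SP compares the Destination attribute against.

    Without a proxy base this is the local FWS URL itself. With a proxy base
    (<protocol>://<authority>) configured, the scheme and authority of the
    local URL are replaced by those of the proxy base; path and query stay.
    """
    if not proxy_base:
        return local_url
    local = urlsplit(local_url)
    proxy = urlsplit(proxy_base)
    if not proxy.scheme or not proxy.netloc:
        raise ValueError("proxy base must be of the form <protocol>://<authority>")
    return urlunsplit((proxy.scheme, proxy.netloc, local.path, local.query, ""))


def _normalize(url: str) -> tuple:
    # Assumption: scheme and host:port compare case-insensitively (RFC 3986 allows
    # this); path and query compare exactly; fragments are ignored.
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path, parts.query)


def destination_matches(destination: str, local_url: str,
                        proxy_base: Optional[str] = None) -> bool:
    """Model of the validateDestination step seen in the trace log: the message's
    Destination must equal the (possibly proxy-adjusted) local FWS URL."""
    return _normalize(destination) == _normalize(effective_local_url(local_url, proxy_base))


if __name__ == "__main__":
    # No proxy configured: the proxied request from the thread is rejected.
    print(destination_matches(PROXY_DESTINATION, LOCAL_FWS_URL))  # False
    # Server field set to the proxy's <protocol>://<authority>: the request passes.
    print(destination_matches(PROXY_DESTINATION, LOCAL_FWS_URL,
                              "http://proxy.domain.com:9090"))  # True
```

The same check explains the thread's symptom: whatever value plays the proxy role must yield the exact path and authority the SP's Destination carries, otherwise the request is denied before any assertion is generated.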



  • 3.  Re: SP initiated flow 500 error on upgrade to R12.52

    Posted May 10, 2016 07:00 PM

    Federation partnership does not have the configuration for the proxy URL, but legacy partnership has it.

    Looks like the base URL in federation partnership comes up as the proxy URL in the case of federation partnership.

    The question is, if the destination URL and proxy URL are different, will it cause this issue? As the same config was working in R12.50, is there a logic change in R12.52?

     

    Thanks.



  • 4.  Re: SP initiated flow 500 error on upgrade to R12.52
    Best Answer

    Posted May 11, 2016 11:18 AM

    The issue is fixed. The proxy URL comes from the base URL of the partnership; we changed the base URL to match the destination URL and it worked fine.

    Looks like there was no check in R12.50, which made it work, but in R12.52 there might be some logic change which is making it fail; on matching the destination and base URL it is working fine.

     

    Thanks,

    Kanishak