Symantec Access Management

Expand all | Collapse all

SiteMinder IDP Certificate issue

  • 1.  SiteMinder IDP Certificate issue

    Posted 07-30-2014 11:48 AM

    Hi All,

     

    Currently I am working on a dot application which interacts with the siteminder IDP for authentication. And the problem is that Siteminder is not able to generate assertion (Response) once I enable the signature functionality.

    Steps at dot net Application:


    1. Generated a SHA1 certificate using makecert executable and installed it on Host1

    2. Used Security Cryptography APIs to generate the Signature.

    3. Redirected to IDP (/affwebservice/public/saml2sso)

              a. SAMLRequest - encoded

              b. RelayState

              c. SigAlg - "http://www.w3.org/2000/09/rsa-sha1" - URL encoded

              d. Signature- sent from generated by dot net api - URL encoded

     

    SiteMinder:

     

    1. Imported SHA1 certificate for  IDP configuration.

    2. Enabled the Signature in partnership

    3. Activated the partnership.

     

    FWSTrace.log And Fiddler Sceen shot attached:

     

    Error:

    [07/30/2014][11:05:58][2124][4044][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][SSO.java][processAssertionGeneration][Enforce Force Authn Timeouts is set to: false]

    [07/30/2014][11:05:58][2124][4044][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][SSO.java][processAssertionGeneration][resource is: /SMASSERTIONREF=QUERY&SAMLRequest=nVJNb%2bIwFPwrke%2bJna8uawFSNmlVJNiNgFJpLyvjvJRIiZ3Nc4D99zWBVkjbcujJkmc8npn3xiiauuVJb3ZqCX97QOMcm1ohH4AJ6TvFtcAKuRINIDeSr5LFnAce422njZa6Jk6CCJ2ptEq1wr6BbgXdvpLwtJxPyM6YllPaHvZNAXtsWhZ7RXvwalnz6HsYxNQKFb009DMZ4mTWWKXECXsXzJ83i%2bx%2bs1rkLPKy%2fNmbp3MqyvIAWzy%2fQ9r227qS9BQmQNTEedCdhCHuhPjEmWX2KMNg5DPmxncidqOoHLmiAObKKA5DHyLGSmaZiD3MFBqhzIQEzI9c9s0N2dqPOYt4HP8mTn4p5Eelikq93G5veyYhf1yvczf%2ftVoTZwMdDhEtgUzHJ9t8%2bLi7msptWfHWIZmmOk%2fuj3In1Av8WeZjeqV3Fm%2f5Tyswy3JtW%2frnJHWtD2kHwsDQDn1jXVYDiqE5Ox0DR3Pxd32V1vb7JZRfcXtz0zQaLiSXJ32LqQqNO7Ijuwu5f8n1kY%2fpGfs0AP1%2f%2faev&RelayState=ss:mem:67c1258534f184fe7dc222ea0a3c587b044464367142625d02bc61351893c7d1&Signature=NuYv6eJ%2b0w59DmsEsD2jk2uABxrmPIr7TEvTt0vzsZ%2fsrpPmKQNkGnx40DjZhiUceQrMx%2bqwTf0SaeEb0llhM9IYtd9DQNdF6fkMVvNq7olPnJkMF1n1yKArvuYFu1vcUyYZgeAxeQRNdS3IE%2bneRnpgocPhqdqGWjLa0xd6z3g%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2000%2f09%2fxmldsig%23rsa-sha1&SAMLTRANSACTIONID=12491de8-277c71e1-4744a6db-48631f63-8ff36cd1-96&SSOUrl=http://PWVMDEVSMP04.DPW.LCL/affwebservices/public/saml2sso&Oid=21-0fe871ff-7739-43f3-9acb-1160d143c0d6]

    [07/30/2014][11:05:58][2124][4044][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][SSO.java][processAssertionGeneration][resolved variable list is: <RVARS><Var name="ConsumerURL" rtype="3"><![CDATA[http://pwvmdevsmp05.dpw.lcl:49325/product/AssertionConsumerService]]></Var><Var name="FederationAPIVersion" rtype="2"><![CDATA[1]]></Var></RVARS>]

    [07/30/2014][11:05:58][2124][4044][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][SSO.java][processAssertionGeneration][Calling authorizeEx to invoke SAML2 assertion generator.]

    [07/30/2014][11:05:58][2124][4044][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][SSO.java][processAssertionGeneration][Request to policy server for generating saml2 assertion/artifact based on selected profile. [CHECKPOINT = SSOSAML2_GENERATEASSERTIONORARTIFACT_REQ]]

    [07/30/2014][11:05:58][2124][4044][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][SSO.java][processAssertionGeneration][Result of authorizeEx call is: 2.]

    [07/30/2014][11:05:58][2124][4044][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][SSO.java][processAssertionGeneration][Received the assertion/artifact response based on profile selected. [CHECKPOINT = SSOSAML2_RECEIVEDASSERTION_RSP]]

    [07/30/2014][11:05:58][2124][4044][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][SSO.java][processAssertionGeneration][Transaction with ID: 23b6b633-09379405-3fc44733-46f79a23-48b6b309-1 failed. Reason: FAILED_AUTHEX]

    [07/30/2014][11:05:58][2124][4044][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][SSO.java][processAssertionGeneration][Denying request due to authorizeEx call failure.]

    [07/30/2014][11:05:59][2124][4044][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][SSO.java][processAssertionGeneration][Sending 500 error]

             

     

    SM.png

    Any help or suggestion is most welcome. Thank you.



  • 2.  Re: SiteMinder IDP Certificate issue

    Posted 07-30-2014 12:56 PM

    Your AuthorizeEx call of 2 is likely the reply form the Polcy Server. what do those logs say?

     

    your transaction id ([23b6b633-09379405-3fc44733-46f79a23-48b6b309-1]) should appear as attribute 221 in the Profiler log.



  • 3.  Re: SiteMinder IDP Certificate issue

    Posted 07-30-2014 01:27 PM

    [07/30/2014][11:05:58][3200][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][IsAuthorized.cpp:685][CSm_Az_Message::IsAuthorized][samlsp:copaexchange_idp-signed][][][bliu][Authorizing user...]

    [07/30/2014][11:05:58][3200][][SmAuthorization.cpp:1405][CSmAz::IsOk][][][][][Enter function CSmAz::IsOk]

    [07/30/2014][11:05:58][3200][][SmAuthorization.cpp:1443][CSmAz::IsOk][samlsp:copaexchange_idp-signed][][][bliu][Start of user policy analysis for realm.]

     

    07/30/2014][11:05:58][3200][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][Sm_Auth_Message.cpp:4043][CSm_Auth_Message::SetAuthContext][samlsp:copaexchange_idp-signed][/][][bliu][Evaluating 'OnAuthAccept' policy...]

    [07/30/2014][11:05:58][3200][][SmAuthorization.cpp:2262][CSmAz::GetRealmList][][][][][Enter function CSmAz::GetRealmList]

     

    [07/30/2014][11:05:58][3200][23b6b633-09379405-3fc44733-46f79a23-48b6b309-1][IsAuthorized.cpp:685][CSm_Az_Message::IsAuthorized][samlsp:copaexchange_idp-signed][][][bliu][Authorizing user...]

    [07/30/2014][11:05:58][3200][][SmAuthorization.cpp:1405][CSmAz::IsOk][][][][][Enter function CSmAz::IsOk]

     

     

    I don't understand much though, Is that what you are looking for?

     

    Thank You.



  • 4.  Re: SiteMinder IDP Certificate issue

    Posted 07-31-2014 09:01 AM

    "AnupamNandan"

     

    You seem to have only pulled part of the log.

    If that was everything then you are way to limited. Your next move should be FULL logging on BOTH sides.

     

    Remember you have many moving parts. only looking at one part will never be the full picture.

     

    You need a minimum of:

    • Agent Error Log (LogFileName of the ACO)
    • Agent Trace Log (TraceFileName of the ACO)
    • Federation Error Log (normally AffWebServices.log)
    • Federation Trace Log (normally FWSTrace.log)
    • Policy Server Access Log (normally smaccess)
    • Policy Server Error Log (normally smps.log)
    • Policy Server Trace Log (normally smtracedefault.log also known as the profiler log)

     

    The agent logs  (first four)  show you what is happening agent side.

    The Policy Server logs (last three) show the Policy Server Side.

     

    There's a bunch of documentation that i had created when i was with CA that would be great for them  to post to the documentation page, but they have not.(I haven't been CA for over a year.)

     

    I hope the links work... here's some KB Documents that might be useful

     

    PS Log Reading Primer: https://support.ca.com/irj/portal/kbtech?docid=487823

    WA Log Reading Primer: https://support.ca.com/irj/portal/kbtech?docid=487843

    More on Log Reading: https://support.ca.com/irj/portal/kbtech?docid=589903

    More on Log Correlation: https://support.ca.com/irj/portal/kbtech?docid=829800



  • 5.  Re: SiteMinder IDP Certificate issue

    Posted 07-31-2014 10:15 AM

    Sure, Thank you for Pointing it out.



  • 6.  Re: SiteMinder IDP Certificate issue

    Posted 07-31-2014 07:21 PM

    I looked it all around and didnt find anything much helpful today.

     

    I am using simple dot net code :

     

    public static string SignSAMLRequest(string  samlRequest, X509Certificate2 certificate)

            {

     

     

                byte[] buffer = Encoding.Default.GetBytes(samlRequest);

                byte[] hash = SHA1Managed.Create().ComputeHash(buffer);

                RSAPKCS1SignatureFormatter formatter

                                    = new RSAPKCS1SignatureFormatter(certificate.PrivateKey);

                formatter.SetHashAlgorithm("SHA1");

                byte[] signature = formatter.CreateSignature(hash);

              //  formatter.GetType().BaseType.

                return System.Convert.ToBase64String(signature);

            }

     

    And finally redirecting to the siteminder and myapplication partnership (with certificate configured in partnership)

    encode using

    Signature = SignSAMLRequest(req, cert)

    newEncodedSignature= HttpUtility.UrlEncode(Signature);

    return Redirect(getURL + "?SAMLRequest=" + newSAMLEncodedRequest + "&RelayState=" + TempData[relaystate].ToString() + "&Signature=" + newEncodedSignature + "&SigAlg=" + sigedAlgo);

     

    Things works fine form me if I disable certificate option in the partnership and send only :

    return Redirect(getURL + "?SAMLRequest=" + newSAMLEncodedRequest + "&RelayState=" + TempData[relaystate].ToString()).

     

     

    Let me know if you have any thing her or where I am going wrong?

     

    Thank you.



  • 7.  Re: SiteMinder IDP Certificate issue

    Posted 08-19-2014 06:36 AM

    Hi Anupam ,

     

    I am also facing the similar issue. Please let me know if you resolved the issue.

     

    Regards

    Kannan



  • 8.  Re: SiteMinder IDP Certificate issue

    Posted 08-19-2014 10:22 AM

    Anupam,

     

    I dont know the code enough to see errors there.

    I do know the logging was way to low to get anything useful.

     

    You should configure the Polciy Server to

     

    components: AgentFunc, Server, IsProtected, Login_Logout, IsAuthorized, Tunnel_Service, JavaAPI, Directory_Access, ODBC, LDAP, IdentityMinder, TXM, Fed_Server, DLP

    data: Date, PreciseTime, ExecutionTime, Pid, Tid, SrcFile, Function, TransactionID, AgentName, Resource, User, Group, Realm, Domain, Directory, Policy, AgentType, Rule, ErrorValue, ReturnValue, ErrorString, IPAddr, IPPort, Result, Returns, CallDetail, SearchKey, Query, Expression, ObjectClass, DomainOID, ObjectOID, Property, AuthStatus, AuthReason, AuthScheme, CertSerial, SubjectDN, IssuerDN, SessionSpec, SessionID, CertDistPt, UserDN, Action, RealmOID, State, ClusterID, HandleCount, FreeHandleCount, BusyHandleCount, ResponseTime, Throughput, MaxThroughput, MinThroughput, Threshold, TransactionName, HexadecimalData, ActiveExpr, RequestIPAddr, CacheHits, CacheSize, RefCount, Message, Data

    version: 1.1

     

    unless you know something can be removed.

    The refrences I gave you should enable that, as should an xls in the SM forum

     

    You neeed to capture in the logs. if hte logs are configured right it will tell you the issue.



  • 9.  Re: SiteMinder IDP Certificate issue

    Posted 08-19-2014 11:12 PM

    Hi Anupam,

     

    The FWSTrace log shows the issue related to authorization. Did the testing user has right to federate (SAML Service Provider Properties -> Users)? The policy server trace log will give more information on why it failed to generate the assertion.



  • 10.  Re: SiteMinder IDP Certificate issue

    Posted 10-22-2014 04:50 PM

    I'm having the same problem. It was working for weeks then random users started to fail with this AUTHEX error.



  • 11.  Re: SiteMinder IDP Certificate issue

    Posted 10-22-2014 07:31 PM

    Hi Brian,

    If the error in FWSTrace log is same as what reported by Anupam, then we need to look into policy server trace log on why random users started to fail. Policy server is responsible for authorization so we need to find more hints from policy server trace log. The profiler template that JPerlmutter provided earlier is a good point to start with.

     

    Thanks.



  • 12.  Re: SiteMinder IDP Certificate issue

    Posted 10-23-2014 10:33 AM

    Hi Karmeng,

     

    I turned on full profiler trace on the policy servers and don’t see any issue in the smtrade logs. The last entry I see for the users is Is Authorized with a value of True.  Also the web agent trace logs show the user as being authorized. The only error I can find is in the FWStrace.log:

    Result of authorizeEx call is: 2.

    Transaction with ID: 24db28de-d8958614-b6ea32ea-112e7da0-1d4e1a7a-554 failed. Reason: FAILED_AUTHEX]

    Denying request due to authorizeEx call failure.

    Sending 500 error

    and the affwebserv.log:

    [sm-FedClient-02890] Transaction with ID: 24db28de-d8958614-b6ea32ea-112e7da0-1d4e1a7a-554 failed. Reason: FAILED_AUTHEX (, , )

     

    I did a comparison of a successful and failed login in the policy server trace logs, and one noticeable item is that the second affwebservices call after the secureredirect never happens on the failed attempt. I believe the 500 is being throw prior to that call being made.

     

     

    Thanks,

    Brian



  • 13.  Re: SiteMinder IDP Certificate issue

    Posted 10-23-2014 01:42 PM

    Please disregard.

     

    I was unable to find any more detailed errors, but it turns out the user was unexpected removed from the required AD groups.

     

    Thanks,

    Brian



  • 14.  Re: SiteMinder IDP Certificate issue

    Posted 10-23-2014 10:00 PM

    Hi Brian,

    Glad you found the root cause. "Unexpected remove the user" is really not what I expect . I will put this in my memory to check in future similar use case. Thanks for sharing.,

    Regards,

    Kar Meng



  • 15.  Re: SiteMinder IDP Certificate issue

    Posted 02-24-2016 03:20 PM

    Hi All,

    We faced similar issue in our Siteminder environment where Federation Partnership is configured.

    Siteminder version r12.52 cr1

     

    Error message:

    [02/23/2016][07:58:31][6732][4884][11c399fd-07644a6a-c07e1e29-39424c26-f79f8065-9b72][SSO.java][processAssertionGeneration][Calling authorizeEx to invoke SAML2 assertion generator.]

    [02/23/2016][07:58:31][6732][4884][11c399fd-07644a6a-c07e1e29-39424c26-f79f8065-9b72][SSO.java][processAssertionGeneration][Request to policy server for generating saml2 assertion/artifact based on selected profile. [CHECKPOINT = SSOSAML2_GENERATEASSERTIONORARTIFACT_REQ]]

    [02/23/2016][07:58:31][6732][4884][11c399fd-07644a6a-c07e1e29-39424c26-f79f8065-9b72][SSO.java][processAssertionGeneration][Result of authorizeEx call is: 2.]

    [02/23/2016][07:58:31][6732][4884][11c399fd-07644a6a-c07e1e29-39424c26-f79f8065-9b72][SSO.java][processAssertionGeneration][Received the assertion/artifact response based on profile selected. [CHECKPOINT = SSOSAML2_RECEIVEDASSERTION_RSP]]

    [02/23/2016][07:58:31][6732][4884][11c399fd-07644a6a-c07e1e29-39424c26-f79f8065-9b72][SSO.java][processAssertionGeneration][Transaction with ID: 11c399fd-07644a6a-c07e1e29-39424c26-f79f8065-9b72 failed. Reason: FAILED_AUTHEX]

    [02/23/2016][07:58:31][6732][4884][11c399fd-07644a6a-c07e1e29-39424c26-f79f8065-9b72][SSO.java][processAssertionGeneration][Denying request due to authorizeEx call failure.]

    [02/23/2016][07:58:31][6732][4884][11c399fd-07644a6a-c07e1e29-39424c26-f79f8065-9b72][SSO.java][processAssertionGeneration][Sending 500 error]

     

    Solution:

    The issue is related to the selected User Directory in the Federation Partnership and to rectify we followed the steps below:

    1. We deactivate the Federation Partnership having issue and attempted to modify the Federation definition.

    2. Removed the selected User Directory and assigned the dummy User Directory so that the section is not empty.

    3. Click on Next button till the last stage where its shows the confirmed screen before submitting the changes.

    4. On submitting, re-opened the same Federation to modify the definition.

    5. Reassigned the User Directory which is originally meant for authentication/authorization purpose.

    6. Submit the change and Activate the Federation Partnership.

    7. Attempt to access the Federated based application.

     

    Result: On performing the changes above the issue was resolved.



  • 16.  Re: SiteMinder IDP Certificate issue

    Posted 05-25-2017 06:00 PM

    This option worked for me. 

    I still have other errors but no longer says: "HTTP Status - 403 Request Forbbiden...."

     

    Thanks.



  • 17.  Re: SiteMinder IDP Certificate issue

    Posted 11-12-2018 07:18 AM

    I too hvae same issue with 403 Request Forbidden. LuisCossio Were you able to resolve this?



  • 18.  Re: SiteMinder IDP Certificate issue

    Posted 11-12-2018 08:24 AM

    Hello Chris. Yes, indeed once I followed the procedure indicated by @amitshinde I managed to eliminate the error  "HTTP Status - 403 Request Forbbiden....":

     

    "

    Solution:

    The issue is related to the selected User Directory in the Federation Partnership and to rectify we followed the steps below:

    1. We deactivate the Federation Partnership having issue and attempted to modify the Federation definition.

    2. Removed the selected User Directory and assigned the dummy User Directory so that the section is not empty.

    3. Click on Next button till the last stage where its shows the confirmed screen before submitting the changes.

    4. On submitting, re-opened the same Federation to modify the definition.

    5. Reassigned the User Directory which is originally meant for authentication/authorization purpose.

    6. Submit the change and Activate the Federation Partnership.

    7. Attempt to access the Federated based application.

     

    Result: On performing the changes above the issue was resolved."

     



  • 19.  Re: SiteMinder IDP Certificate issue

    Posted 11-12-2018 09:44 AM

    I did the same,

     

    But still with the same errors :(