500 error when directly accessing ADFS RP based Target page (Legacy_Onyx KB Id: 258387)

Document ID : KB000055056
Last Modified Date : 14/02/2018

Description:

When we access the application via the WS-Federation (ADFS) Account Provider (AP), we use the following URL:

https://example.ap.com/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=urn:federation:example

enter credentials, and then successfully access the WS-Fed auth protected resource on the SiteMinder Resource Provider (RP) side, which is

https://example.rp.com/fedapp/ --> this is the SiteMinder-protected resource.

Starting a new session, we are now trying to access the target page directly, i.e.

https://example.rp.com/fedapp/

and we would like to redirect the user to the original ADFS URL, which is

https://example.ap.com/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=urn:federation:example

We tried several rules/responses but cannot get this to work. In fact, the request does not seem to hit the policy server at all.
We are observing 500 errors from the web agent and in the web agent trace logs.

Solution:

This use case will always fail with the following error in the web agent log:

[444/2952][Tue Oct 09 2007 13:08:14][CSmHttpCredCore.cpp:1031][ERROR] User is trying to access a resource protected with federation auth scheme without fed auth scheme credentials. No way to challenge the user.

No event is triggered that would result in a status redirect from the authentication scheme or a redirect response from the policy. The web agent has no way to challenge a user for federation authentication scheme credentials, so the request is rejected with a 500 error before any rule or response is evaluated.

It may be possible to accomplish this use case by configuring a custom 500 error page to be returned for the ADFS-protected resource, for example a page that sends the browser to the ADFS sign-in URL. Refer to the "Custom Error Handling for Applications" section in the Web Agent Configuration Guide for more details.
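The following is an added example of such a custom error page, not code from this KB article or from CA/Broadcom. It generates a static HTML page that redirects an unauthenticated browser from the failed /fedapp/ request to the ADFS sign-in URL shown above. It assumes the generated file is the one referenced by the web agent's ServerErrorFile ACO parameter and that it is written to a hypothetical fedapp_500.html; both are assumptions, not details from the article. The redirect target is deliberately a fixed constant that is checked against the Account Provider host, so that a later change cannot turn the error page into an open redirect driven by request data.

```javascript
// Added example (not CA/Broadcom code): build a custom 500 page for the /fedapp/
// resource that sends the browser to the ADFS (Account Provider) sign-in URL.
// Assumption: the web agent's ServerErrorFile ACO parameter points at the file
// this script writes (the "Custom Error Handling for Applications" mechanism).

const ADFS_SIGNIN_URL =
  "https://example.ap.com/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=urn:federation:example";

// Only ever redirect to the configured Account Provider over HTTPS. The target is
// a constant, never taken from the request, and is checked anyway so that a later
// edit that parameterises it cannot make the error page an open redirect.
function isAllowedRedirect(target) {
  let u;
  try {
    u = new URL(target);
  } catch (e) {
    return false;
  }
  return (
    u.protocol === "https:" &&
    u.hostname === "example.ap.com" &&
    u.pathname.startsWith("/adfs/ls/")
  );
}

// Escape a string for insertion into an HTML attribute or text node.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Render the error page. A meta refresh covers browsers without JavaScript;
// location.replace() avoids leaving the 500 page in the history, which would
// otherwise trap the user in a back-button loop after ADFS signs them in.
function renderRedirectPage(target) {
  if (!isAllowedRedirect(target)) {
    throw new Error("refusing to render a redirect to an unapproved target: " + target);
  }
  const href = new URL(target).href;                 // normalised form of the URL
  const attr = escapeHtml(href);                     // safe inside attributes/text
  const js = JSON.stringify(href).replace(/</g, "\\u003c"); // safe JS string literal
  return [
    "<!DOCTYPE html>",
    "<html><head>",
    '<meta charset="utf-8">',
    `<meta http-equiv="refresh" content="0;url=${attr}">`,
    "<title>Redirecting to sign-in</title>",
    `<script>window.location.replace(${js});</script>`,
    "</head><body>",
    `<p>Sign in at <a href="${attr}">${attr}</a> to continue.</p>`,
    "</body></html>",
  ].join("\n");
}

// Usage: node fedapp_error_page.js --write   (file name is an assumption)
if (typeof require === "function" && require.main === module && process.argv.includes("--write")) {
  require("fs").writeFileSync("fedapp_500.html", renderRedirectPage(ADFS_SIGNIN_URL));
}
```

The page is served for every 500 the agent returns on the resource it is configured for, so point ServerErrorFile at it only in the agent configuration that covers /fedapp/, not agent-wide; a genuine server error elsewhere would otherwise bounce the user to ADFS for no reason.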