500 error with SAML auth scheme "not protected".

Document ID : KB000024746
Last Modified Date : 14/02/2018

Description:

Getting a 500 error, and the logs show the SAML resource is not protected even though a realm was created and assigned a SAML auth scheme.

LOGS:

SMTraceDefault.log profiler:

 [8245][518][01/30/2009][13:15:41.702][SmMessage.cpp:369][CSmMessage::ParseAgentMessage]
 [[Receive request attribute 208, data size is 11][127.0.0.1][ACO][s469/r12] 
 [8245][518][01/30/2009][13:15:41.702][SmMessage.cpp:369][CSmMessage::ParseAgentMessage]
 [Receive request attribute 221, data size is 48]
 [19f57e5b-94a17846-564923ea-2dd72098-385db2ae-9dd][mrealm][s469/r12] 
 [8245][518][01/30/2009][13:15:41.702][SmMessage.cpp:369][CSmMessage::ParseAgentMessage]
 [Receive request attribute 200, data size is 20][wrongagent][ACO][s469/r12] 
 [8245][518][01/30/2009][13:15:41.702][SmMessage.cpp:369][CSmMessage::ParseAgentMessage]
 [Receive request attribute 217, data size is 0][aco][s469/r12] 
 [8245][518][01/30/2009][13:15:41.702][SmMessage.cpp:369][CSmMessage::ParseAgentMessage]
 [Receive request attribute 201, data size is 59]
 [/SAMLProtected?SRCID=245ce30e1eac29d72d077d0][realm][s469/r12] 
 [8245][518][01/30/2009][13:15:41.702][SmMessage.cpp:369][CSmMessage::ParseAgentMessage]
 [Receive request attribute 202, data size is 3][GET][mdcppwb03m][s469/r12] 
 [8245][518][01/30/2009][13:15:41.702][Sm_Az_Message.cpp:193][CSm_Az_Message::ProcessMessage]
 [** Received agent request.][aco][s469/r12][IsProtectedEx] 
 [8245][518][01/30/2009][13:15:41.702][Sm_Az_Message.cpp:318][CSm_Az_Message::AnalyzeAzMessage]
 [Enter function CSm_Az_Message::AnalyzeAzMessage] 
 [8245][518][01/30/2009][13:15:41.702][Sm_Az_Message.cpp:326][CSm_Az_Message::AnalyzeAzMessage][true]
 [Leave function CSm_Az_Message::AnalyzeAzMessage] 
 [8245][518][01/30/2009][13:15:41.702][IsProtected.cpp:44][CSm_Az_Message::IsProtected]
 [Enter function CSm_Az_Message::IsProtected] 
 [8245][518][01/30/2009][13:15:41.702][IsProtected.cpp:67][CSm_Az_Message::IsProtected]
 [Received request from agent, check agent api version.][1536][aco][10.66.80.15] 
 [8245][518][01/30/2009][13:15:41.702][IsProtected.cpp:90][CSm_Az_Message::IsProtected]
 [Starting IsProtected processing.][wrongagent][/SAMLProtected?SRCID=245ce30e1eac29d72d077d0][GET] 
 [8245][518][01/30/2009][13:15:41.702][SmAuthorization.cpp:496][CSmAz::IsProtected]
 [Enter function CSmAz::IsProtected] 
 [8245][518][01/30/2009][13:15:41.702][SmAuthorization.cpp:540][CSmAz::IsProtected]
 [65536][Resource is not protected, no realm matches this resource]
 [/SAMLProtected?srcid=245ce30e1eac29d72d077d0] 
 [8245][518][01/30/2009][13:15:41.702][Sm_Az_Message.cpp:337][CSm_Az_Message::SendReply]
 [Enter function CSm_Az_Message::SendReply] 
 [8245][518][01/30/2009][13:15:41.702][Sm_Az_Message.cpp:694][CSm_Az_Message::FormatAttribute]
 [Send response attribute 146, data size is 0][wrongagent][s469/r12][IsProtectedEx] 
 [8245][518][01/30/2009][13:15:41.702][Sm_Az_Message.cpp:694][CSm_Az_Message::FormatAttribute]
 [Send response attribute 147, data size is 0][wrongagent][s469/r12][IsProtectedEx] 
 [8245][518][01/30/2009][13:15:41.703][Sm_Az_Message.cpp:493][CSm_Az_Message::ProcessMessage]
 [** Status: Not Protected. ][wrongagent][s469/r12][IsProtectedEx] 

FWSTrace.log:

[01/30/2009][18:13:48][397468][10320][SAMLCredentialCollector.java][getAndValidatePCI][Requested resource is either not protected or protected with a Non-SAML authentication scheme. Redirecting the user to Target - https://www.ca.com/SAMLProtected]

Solution:

Log analysis showed the resource was unprotected according to the Policy Server. Confirmed the Agent group was added to the realm along with the SAML auth scheme.

The SMPS log showed that a different agent name than expected was picking up the resource. Added the correct agent name to the agent group contained in the SAML protected realm.

Now the resource is protected by SAML.

A ping of the host serving the SAML protected resource was successful. An nslookup of the host name which serves the SAML protected resource failed.

Modifying the DNS settings for the SAML Agent's FQDN allowed the proper Agent Name to be resolved for the requests. After this was done, the incorrect agent was removed from the agent group, and the SAML auth scheme now works properly.
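As an added example, not part of the original KB article: a small Python checker for SMTraceDefault.log that pulls each IsProtected request's agent name and resource, pairs it with the following "** Status:" reply, and flags requests answered "Not Protected" by an agent name that is not in the realm's agent group. The sample log is constructed from the excerpt above (entries joined onto one line each), and the agent-group name `samlagent` is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample modelled on the SMTraceDefault.log excerpt above:
# the Policy Server sees the agent name "wrongagent" for the SAML resource.
SAMPLE_LOG = """\
[8245][518][01/30/2009][13:15:41.702][IsProtected.cpp:90][CSm_Az_Message::IsProtected][Starting IsProtected processing.][wrongagent][/SAMLProtected?SRCID=245ce30e1eac29d72d077d0][GET]
[8245][518][01/30/2009][13:15:41.702][SmAuthorization.cpp:540][CSmAz::IsProtected][65536][Resource is not protected, no realm matches this resource][/SAMLProtected?srcid=245ce30e1eac29d72d077d0]
[8245][518][01/30/2009][13:15:41.703][Sm_Az_Message.cpp:493][CSm_Az_Message::ProcessMessage][** Status: Not Protected. ][wrongagent][s469/r12][IsProtectedEx]
"""

# Every field in an SMTraceDefault.log entry is wrapped in square brackets.
FIELD_RE = re.compile(r"\[([^\[\]]*)\]")


@dataclass
class IsProtectedCheck:
    timestamp: str
    agent: str        # agent name the Policy Server received from the Web Agent
    resource: str
    method: str
    protected: Optional[bool] = None  # None until the matching "** Status:" line is seen


def parse_isprotected(log_text: str) -> List[IsProtectedCheck]:
    """Pair each 'Starting IsProtected processing.' entry with its status reply."""
    checks: List[IsProtectedCheck] = []
    current: Optional[IsProtectedCheck] = None
    for line in log_text.splitlines():
        f = FIELD_RE.findall(line)
        if "Starting IsProtected processing." in f:
            i = f.index("Starting IsProtected processing.")
            current = IsProtectedCheck(f"{f[2]} {f[3]}", f[i + 1], f[i + 2], f[i + 3])
            checks.append(current)
        elif current is not None:
            status = next((x for x in f if x.startswith("** Status:")), None)
            if status is not None:
                current.protected = "Not Protected" not in status
                current = None
    return checks


def unexpected_agents(checks: List[IsProtectedCheck], realm_agents: Set[str]) -> List[IsProtectedCheck]:
    """Unprotected results whose agent name is missing from the realm's agent group.

    Such a mismatch (here caused by DNS resolving the wrong FQDN) is what makes
    the Policy Server answer 'no realm matches this resource'."""
    return [c for c in checks if c.protected is False and c.agent not in realm_agents]
```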