Federation request is failing with "Request doesn't contain session ID header" error

Document ID : KB000046019
Last Modified Date : 14/02/2018

Issue: 

We are facing issues while trying to set up Federation between two different environments; in both cases SiteMinder is acting as IDP and SP.

1) Dev is acting as IDP and test is acting as SP.

2) We are making an IDP-initiated transaction. We entered credentials after getting the login page and submitted them.

3) After that, the request goes into a loop between public/saml2sso and the authentication URL.

4) When we check the FWStrace logs, the following error message appears:

[05/17/2016][08:30:07][12418][2661268336][22a3c470-7947f08c-39b43256-5a60a0fc-a6c8f1ec-161][FWSBase.java][isValidSession][Found SESSION cookie: SMSESSION]

[05/17/2016][08:30:07][12418][2661268336][22a3c470-7947f08c-39b43256-5a60a0fc-a6c8f1ec-161][FWSBase.java][isValidSession][Trying to validate using SMSESSION cookie.]

[05/17/2016][08:30:07][12418][2661268336][22a3c470-7947f08c-39b43256-5a60a0fc-a6c8f1ec-161][FWSBase.java][isValidSession][Session ID is: /Pz43N5w8p45IpngiB4YrAcN3ec=]

[05/17/2016][08:30:07][12418][2661268336][22a3c470-7947f08c-39b43256-5a60a0fc-a6c8f1ec-161][FWSBase.java][isValidSession][Session Spec is: Ce784eYnjAz7hAD4ohNwhS1+s+g+Ibb/BiPtXMCAKOTDPmaZkaCFFfhRCLODnZjMVYiWkHOOoMKvrzOr0ELl60FvGsI2LpHA3M1GrvJiQBM426UCjMo25kV4GHl7NCftCS0Z79S9gtTG4+QIDqfo2RH0gyBVPE3UPvDzFItH5SbqL6Xdt0l/u2Z3MzhRNUP8df7o/2HalW+qNJCaiVtpwVhpkmAxanMqwKIzzgfzUs+npdJ17adlhagmAjEPtvTahy5fCUG6J/w56GYQo9yR++hexsOaPQxexYGSBzffCLNCZ8SOBzLZsr74mVR8kZglFlSGai+DfYHPB3PiLTBiOnvV19kppyM1aX5AKHCGk6Q+1pGxrAWiH/kMohc6/I92VPd0OUTqKBPfS4gH/sdvVdrv1j9h35/v96q/YJyip8goOUI19FvFGw6FaZYuAMPeKJh1wRzsbQDdvl5G+H/nNQ==]

[05/17/2016][08:30:07][12418][2661268336][22a3c470-7947f08c-39b43256-5a60a0fc-a6c8f1ec-161][FWSBase.java][isSessionIdle][Verifying validity of session cookie [SMSESSION] retrieved]

[05/17/2016][08:30:07][12418][2661268336][22a3c470-7947f08c-39b43256-5a60a0fc-a6c8f1ec-161][FWSBase.java][isSessionIdle][Request doesn't contain session ID header. Session cookie[SMSESSION]is not valid.]

Environment:  

R12.5, R12.51, R12.52 SP1, R12.52 SP2

Cause: 

FWS finds an existing SMSESSION cookie and extracts the Session ID and Session Spec values from it. But when it tries to verify the validity of the retrieved session cookie, it complains that there is no "Session ID" *header*.

So the problem is the missing Session ID header.

As a result, FWS ignores the session cookie, logs "Session cookie [SMSESSION] is not valid" and redirects to the authentication URL.

1. If your federation agent has disablesessionvars set to yes (no by default), it will not set the SessionID and SessionSpec headers. If those headers are not found (or too many are found), the federation agent has to ignore the session, which leads to this type of error in the FWS trace log.

2. If "ignoreurl=/affwebservices/public" is set in the Agent Configuration Object, it produces this type of error in the FWS trace log.

Because of the ignoreurl=/affwebservices/public ACO parameter, any URL that contains /affwebservices/public is not authorized, so the required headers are not set. When affwebservices decoded the SMSESSION cookie it was fine, but later, when it relied on the headers normally set by the SPS/web agent, it could not find them. FWS therefore fails to validate the session and redirects back to the authentication URL.

Resolution:

1) Set DisableSessionVars = no (default value) in the Agent Configuration Object

2) Remove /affwebservices/public from the ignoreurl ACO parameter
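
To check a trace file for this failure before and after the change, the following added example (not CA/SiteMinder code) scans FWS trace lines for transactions where a session cookie was found and then rejected for the missing header. It assumes the eight-field bracketed layout seen in the excerpt above; the function name and the sample transaction IDs are constructed for illustration.

```python
import re

# Field layout taken from the excerpt above: eight bracketed fields, the fifth
# being the transaction ID and the last the message (which may itself contain
# brackets, e.g. "[SMSESSION]"). Fields 3 and 4 are skipped.
LINE_RE = re.compile(
    r"^\[(?P<date>[^\]]*)\]\[(?P<time>[^\]]*)\]\[[^\]]*\]\[[^\]]*\]"
    r"\[(?P<txn>[^\]]*)\]\[[^\]]*\]\[(?P<method>[^\]]*)\]\[(?P<msg>.*)\]\s*$"
)
COOKIE_FOUND = re.compile(r"Found SESSION cookie: (\S+)")
HEADER_MISSING = "Request doesn't contain session ID header"


def find_rejected_sessions(lines):
    """Return one finding per transaction in which FWS found a session cookie
    and then rejected it because the session ID header was absent."""
    cookies = {}  # transaction ID -> cookie name reported by isValidSession
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or not an FWS trace record
        txn, method, msg = m["txn"], m["method"], m["msg"]
        found = COOKIE_FOUND.search(msg)
        if method == "isValidSession" and found:
            cookies[txn] = found.group(1)
        elif method == "isSessionIdle" and HEADER_MISSING in msg and txn in cookies:
            findings.append({"txn": txn, "when": f"{m['date']} {m['time']}",
                             "cookie": cookies.pop(txn)})
    return findings


# Constructed sample: IDs are placeholders; messages are those quoted above.
SAMPLE = """\
[05/17/2016][08:30:07][1][2][txn-A][FWSBase.java][isValidSession][Found SESSION cookie: SMSESSION]
[05/17/2016][08:30:07][1][2][txn-A][FWSBase.java][isSessionIdle][Verifying validity of session cookie [SMSESSION] retrieved]
[05/17/2016][08:30:07][1][2][txn-A][FWSBase.java][isSessionIdle][Request doesn't contain session ID header. Session cookie[SMSESSION]is not valid.]
[05/17/2016][08:30:09][1][2][txn-B][FWSBase.java][isValidSession][Found SESSION cookie: SMSESSION]
[05/17/2016][08:30:09][1][2][txn-B][FWSBase.java][isSessionIdle][Verifying validity of session cookie [SMSESSION] retrieved]
""".splitlines()

if __name__ == "__main__":
    for f in find_rejected_sessions(SAMPLE):
        print(f"{f['when']} txn={f['txn']} cookie={f['cookie']} rejected: no session ID header")
```

An empty result on a trace captured after the ACO change, for a request path that previously looped, indicates the headers are now reaching FWS.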

Additional Information:

https://communities.ca.com/message/241910014