SAML Affiliate Agent throws HTTP 404 after upgrade.

Document ID : KB000024843
Last Modified Date : 14/02/2018
Show Technical Document Details

Issue:

Customer had upgraded SAML Affiliate Agent from v6.0QMR4 to v6.0QMR5 on IIS6 Web Server and users are seeing HTTP 404 error in the browser. But if the browser is refreshed, it shows correct contents.

 

Environment:

SAML Affiliate Agent v6.0QMR5/v6.0QMR6

 

Cause :

Customer had SAML Affiliate Agent filter installed on the Web Server Instance level.
This is not the default setting as it will be installed on the "Web Sites" level.
During upgrade, SAML Affiliate Agent installer did not find SAML Affiliate Agent filter on the Web Sites level and it has installed one there.
This has become 2 SAML Affiliate Agents to be active and constructed the URL 2 times during redirect causing HTTP 404.


Solution :

There should be only one SAML Affiliate Agent filter and maintain only 1 active, whether it is "Web Sites" or Web Server Instance level.
Customer needs to ensure that all the manual configurations are recorded and added in the upgrade plan to prevent such issue.

 

Troubleshooting this issue requires HTTP tracing(HTTPWatch, IeHttpHeaders, Fiddler, etc) as this will give you the exact URL that is throwing HTTP 404.

We need to know why the HTTP 404 is being returned and who(web server or any backend application servers?) and for which resource is it about.

If refreshing the browser shows correct contents, that means there is no issue with authenticating and authorizing the user.
However, it could be that the URL is somehow being re-written with invalid string during authentication redirects, causing a 404.

Once the URL throwing HTTP 404 is identified, there are 2 possibilities.

  1. URL is correct and Web Server is throwing 404, or Web Application is throwing 404.

  2. URL is invalid and have multiple entries.


First possibility would not happen during SAML Affiliate Agent and it could either be a defect or there could have been changes that the administrator was unaware of.
If it is backend server that is throwing 404, redeploying the application may be an option.

Second possibility is what could happen if customer has multiple SAML Affiliate Agent Filter installed.

From header trace, it showed the following entry that resulted in HTTP 404.

https://www.testlab.local/SSO/externalUser.aspx,
/SSO/externalUser.aspx,/Federation/artifactConsumer.html?SAMLart=AABBBCCCCDDDDEEEEFFFFGGGGHHHHIIII

This clearly shows that there are 2 SAML Affiliate Agent filters active as each active filter would have appended the constructed URL("/LoginForm/externalUser.aspx") thus combining the 2 URLs will represent a non-existing URL, it is expected to throw HTTP 404.

However, in the browser, the actual URL is https://www.testlab.local/SSO/externalUser.aspx so a refresh of the browser will load this page.