We are beginning to see an unusual error with our federation services when performing outbound SSO to a particular SAML service provider. When attempting to do IdP-initiated SAML SSO to a particular SP we’re getting a 500 error from SiteMinder. The smtrace logs indicate “invalid encryption indication”, but SAML encryption is disabled.
We have a case open with CA Support, but I think this could be a tough one to debug, so we’re hoping to get additional help from the CA Community if possible.
[15154/4012030832][Mon Jun 25 2018 17:55:08][AssertionGenerator.java][ERROR][sm-FedServer-00090] AssertionHandler process() throws exception: ncom.netegrity.assertiongenerator.AssertionGeneratorException: SAMLSPEntitlementParser: Invalid Encryption Indication
at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementParser.encryptExtractor(SAMLSPEntitlementParser.java:160)
at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementParser.parseEntitlement(SAMLSPEntitlementParser.java:118)
at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementParser.getEntitlementList(SAMLSPEntitlementParser.java:92)
at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementGenerator.<init>(SAMLSPEntitlementGenerator.java:147)
at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementGenerator.<init>(SAMLSPEntitlementGenerator.java:121)
at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementGenerator.<init>(SAMLSPEntitlementGenerator.java:92)
at com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol.processRequest(AuthnRequestProtocol.java:1297)
at com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20.process(AssertionHandlerSAML20.java:211)
at com.netegrity.assertiongenerator.AssertionGenerator.invoke(AssertionGenerator.java:259)
at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(ActiveExpressionContext.java:286)
[06/25/2018][18:03:11][3907132272][][CServer.cpp:1869][CAgentMessageHandler::HandleInput][][][][][][][][Enqueuing a Normal Priority Message, from IP 10.22.135.148 with Port No 39910. Current count is 1]
[06/25/2018][18:03:11][3991051120][][CServer.cpp:1428][ThreadPool::Run][][][][][][][][Dequeuing a Normal Priority message, from IP 10.22.135.148 with Port No 39910. Current count is 0]
[06/25/2018][18:03:11][3991051120][][CServer.cpp:5764][CServer::ProcessRequest][][][][][][][][Enter function CServer::ProcessRequest]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][invoke][][][][][][][][Entering Assertion Generator Framework.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][invoke][][][][][][][][Reqesting parameters: -AssertionHandler:SAML20 SSO#unspecified:editableFields=accountholderemail,amount]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][getAssertionHandlerAlias][][][][][][][][Found Alias Name : ‘SAML20’ in the Active Expression parameter.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][invoke][][][][][][][][Requesting resource: /SPID=sp_instamed-member-asuris-uat&RelayState=https://pay-uat.instamedtest.com/Form/Payments/New&AuthToken=C06DB42FD3753DC1043F7C8748FBCC4C&PersonId=863023321&SSOUrl=https://fedsvc-staging.asuris.com/affwebservices/public/saml2sso&Oid=21-0005daf2-722d-1b31-aec7-87f40a16f041]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][getAssertionHandlerOverrideClass][][][][][][][][Looking for override class in resource string: /SPID=sp_instamed-member-asuris-uat&RelayState=https://pay-uat.instamedtest.com/Form/Payments/New&AuthToken=C06DB42FD3753DC1043F7C8748FBCC4C&PersonId=863023321&SSOUrl=https://fedsvc-staging.asuris.com/affwebservices/public/saml2sso&Oid=21-0005daf2-722d-1b31-aec7-87f40a16f041]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][invoke][][][][][][][][Assertion Handler for “SAML20” will be loaded.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][getAssertionHandler][][][][][][][][Loading AssertionHandler: com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGeneratorCache.java][getObject][][][][][][][][Found cached instance for com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][getAssertionHandler][][][][][][][][Successfully loaded Assertion Handler: com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionHandlerSAML20.java][getConfig][][][][][][][][Start to get configuration data supporting SAML2.0.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][AuthnRequestProtocol][][][][][][][][Initial the context data …]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][Initial the AuthnRequest with the query parameters …]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][
queryParameters: “/SPID=sp_instamed-member-asuris-uat&RelayState=https://pay-uat.instamedtest.com/Form/Payments/New&AuthToken=C06DB42FD3753DC1043F7C8748FBCC4C&PersonId=863023321&SSOUrl=https://fedsvc-staging.asuris.com/affwebservices/public/saml2sso&Oid=21-0005daf2-722d-1b31-aec7-87f40a16f041“]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][Query parameter: SPID = sp_instamed-member-asuris-uat]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][Query parameter: RelayState = https://pay-uat.instamedtest.com/Form/Payments/New]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][Query parameter: AuthToken = C06DB42FD3753DC1043F7C8748FBCC4C]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][Query parameter: PersonId = 863023321]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][Query parameter: SSOUrl = https://fedsvc-staging.asuris.com/affwebservices/public/saml2sso]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][Query parameter: Oid = 21-0005daf2-722d-1b31-aec7-87f40a16f041]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][Attributes being passed to Assertion Generator Plug-in:
{AuthToken=C06DB42FD3753DC1043F7C8748FBCC4C, PersonId=863023321}
]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][
Destination Variable: https://pay-uat.instamedtest.com/Forms/SSO/ACS_SAML2.aspx
]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][setDeflatedAuthnRequest][][][][][][][][Unsolicited Response is expected by the Service Provider.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][getSPProperties][][][][][][][][Loading the configration data for the Service Provider with ID “sp_instamed-member-asuris-uat” …]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionHandlerSAML20.java][preProcess][][][][][][][][Start to validate the SAML2.0 Authn request.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][validateRequest][][][][][][][][Validating the Request…All the properties:
{EncryptAssertion=0, AttributeList=SSO#unspecified:editableFields=accountholderemail,amount, IdPSourceID=204440eee359610905f91a46440600caadea14c0, ReuseSessionIndex=0, IsActive=1, MniRequireEncryptedNameID=0, PartnershipSource=1, EnableAuthnRequestRedirect=1, Domain=@03-000d01d9-0307-11b6-aefb-879f0a1610b6, SLOServiceValidityDuration=60, UnauthorizedAccessRedirectMode=0, KEY_SPID=sp_instamed-member-asuris-uat, AttrSvcValidityDuration=60, ArtifactEncoding=FORM, EnableSSOPostBinding=1, EnableServerErrorURL=0, Policy=@04-00073967-722d-1b31-aec7-87f40a16f041, RequireSignedArtifactResolve=0, MniSignRequest=0, AttrSvcEnableProxiedQuery=0, EnableIPD=0, EncryptionBlockAlgorithm=tripledes, PostSignatureOption=0, CustomTimeout=1, MniRequireSignedResponse=0, SignArtifactResponse=0, EnableAttributeService=0, EnableAuthnRequestPost=0, AuthnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:Password, MniSOAPTimeout=0, Realm=@06-00064eb6-722d-1b31-aec7-87f40a16f041, EnableSLORedirectBinding=0, OneTimeUse=0, AE_PARAM_SAML2=-AssertionHandler:SAML20 SSO#unspecified:editableFields=accountholderemail,amount, Response=@07-0007281e-722d-1b31-aec7-87f40a16f041, SAML2.AuthnRequestProtocolManager=com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol@1506fa2, MniRequireSignedRequest=0, CompareUserDNForSMC=1, DisableSignatureProcessing=0, EnableSMC=0, AssertionConsumerDefaultURL=https://pay-uat.instamedtest.com/Forms/SSO/ACS_SAML2.aspx, MniRetryBoundary=0, MniEnableSOAPBinding=0, MniRetryCount=0, EnforceForceAuthnSessionTimeouts=0, NameIdType=1, AttrList=SSO#SSO#unspecified:editableFields=accountholderemail,amount, AttrSvcPartnershipAAProtEnabled=0, LegacyArtifactProtEnabled=0, Oid=21-0005daf2-722d-1b31-aec7-87f40a16f041, MniEncryptNameID=0, MniAllowUserSelfService=0, MniNotificationAuthType=1, MniEnableNotification=0, MniEnablePostBinding=0, SAMLMajorVersion=2, AttrSvcSignAssertion=0, RequireSignedAuthnRequests=0, SessionNotOnOrAfterType=0, MniSignResponse=0, 
EncryptionKeyAlgorithm=rsa-v15, Agent=@01-0006318f-722d-1b31-aec7-87f40a16f041, AssertionPluginClass=com.cambiahealth.enterprise.plugin.assertiongenerator.CambiaSAML2AssertionGeneratorPlugin, AllowCreationOfUserIdentifier=0, InvalidRequestRedirectMode=0, EnableSSOArtifactBinding=0, SkewTime=30, NameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient, ValidityDuration=60, MniDeleteNameID=0, ProxyServer=https://fedsvc-staging.asuris.com, NetegrityAffiliateMinderAuthURL=https://fedsvc-staging.asuris.com/affwebservices/redirectjsp/smportalstate_asuris.jsp, AssertionPluginParameters=/usr/pservices/ca/siteminder/bin/thirdparty/instamed-member-uat-mock.properties, PersistentCookie=0, EnableInvalidRequestURL=0, IdPID=idp_asuris_member-instamed-uat, ServerErrorRedirectMode=0, AllowOFCAuthnContextOverride=0, AttrSvcRequireSignedQuery=0, EncryptNameID=0, MniEnableRedirectBinding=0, ArtifactSignatureOption=3, SAMLMinorVersion=0, Rule=@0b-00071df4-722d-1b31-aec7-87f40a16f041, EnableSSOECPProfile=0, IgnoreRequestedAuthnContext=0, SignatureAlgo=1, DSigningAlias=cambiasamlcertificate, AuthenticationLevel=5, Name=instamed – member_asuris-uat, AttrSvcLegacyAAProtEnabled=0, MniNotifyTimeout=0, PartnershipArtifactProtEnabled=0, EnableUnauthorizedRequestURL=0, ApplicationURL=https://portal-qa2.asuris.com/group/asuris_common/agp, AttrSvcSignResponse=0, UseSecureAuthURL=0, RelayStateOverridesSloConfirm=0}]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Configured NameID format is “urn:oasis:names:tc:SAML:2.0:nameid-format:transient”]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Verified nameid policy exists [CHECKPOINT = SSOSAML2_IDPNAMEIDPOLICY_VERIFY]]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Identity Provider is not allowed to create a new identifier to represent the principal.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Creation of new user identifier is not applicable with TRANSIENT name identifiers.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][validateRequest][][][][][][][][User Name Identifier from IdP resolved.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][validateRequest][][][][][][][][Validating Service Provider ID …]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][validateRequest][][][][][][][][Service Provider ID is valid.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][validateRequest][][][][][][][][Validating AuthnRequest ProtocolBinding …]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][validateBindings][][][][][][][][Requesting Binding is urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][validateRequest][][][][][][][][AuthnRequest ProtocolBinding is valid and supported.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][validateRequest][][][][][][][][AuthnRequest validation is successful.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][invoke][][][][][][][][AssertionHandler preProcess() succeeds, it returns:]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionHandlerSAML20.java][process][][][][][][][][Start to handle the SAML2.0 Authn request.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][processRequest][][][][][][][][Start to process the request …]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateConditions][][][][][][][][Generating SAML Assertion Conditions…]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateConditions][][][][][][][][Adding SPID audience to AudienceRestriction element: sp_instamed-member-asuris-uat]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateConditions][][][][][][][][SAML Assertion Conditions generated successfully.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateSubject][][][][][][][][Generating SAML Assertion Subject.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateSubject][][][][][][][][SAML Assertion Subject generated successfully.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][Generating SAML Assertion AuthnStatement…]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][getSessionIndex][][][][][][][][A new session index will not be created.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][getStartTime][][][][][][][][Use Force Authn Session Timeouts is: true]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][Using authn context from properties map]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][AuthnContext Class Ref used: urn:oasis:names:tc:SAML:2.0:ac:classes:Password]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][SessionNotOnOrAfter type is: 0]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][Value of SessionNotOnOrAfter :90]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][SAML Assertion AuthnStatement generated successfully.]
[06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][invoke][][][][][][][][Error happens in running Assertionhandler process(). Leaving Assertion Generator Framework. Exception:
com.netegrity.assertiongenerator.AssertionGeneratorException: SAMLSPEntitlementParser: Invalid Encryption Indication
at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementParser.encryptExtractor(SAMLSPEntitlementParser.java:160)
at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementParser.parseEntitlement(SAMLSPEntitlementParser.java:118)
at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementParser.getEntitlementList(SAMLSPEntitlementParser.java:92)
at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementGenerator.<init>(SAMLSPEntitlementGenerator.java:147)
at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementGenerator.<init>(SAMLSPEntitlementGenerator.java:121)
at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementGenerator.<init>(SAMLSPEntitlementGenerator.java:92)
at com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol.processRequest(AuthnRequestProtocol.java:1297)
at com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20.process(AssertionHandlerSAML20.java:211)
at com.netegrity.assertiongenerator.AssertionGenerator.invoke(AssertionGenerator.java:259)
at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(ActiveExpressionContext.java:286)
]
[06/25/2018][18:03:11][3991051120][][CServer.cpp:5950][CServer::ProcessRequest][][][][][][][][Leave function CServer::ProcessRequest]
[06/25/2018][18:03:11][3907132272][][CServer.cpp:1869][CAgentMessageHandler::HandleInput][][][][][][][][Enqueuing a Normal Priority Message, from IP 10.22.131.45 with Port No 55970. Current count is 1]
[06/25/2018][18:03:11][3938601840][][CServer.cpp:1428][ThreadPool::Run][][][][][][][][Dequeuing a Normal Priority message, from IP 10.22.131.45 with Port No