This section contains the following topics:
The following troubleshooting topics apply to SAML 1.x and SAML 2.0.
Symptom:
The Web Agent Option Pack fails to initialize with on a system with other CA products. Error messages, such as "Java Agent API initialization FAILED" or "unsatisfied link error" display.
Error messages similar to the following appear in the Federation Web Service log file:
11:04:46 AM[29959477:E] Exception while reading the WebAgent configuration information: javaagent_api_getConfig 11:04:46 AM[29959477:E] Java Agent API initialization FAILED.
Solution:
An invalid version of smjavaagentapi.dll can be present the system path. Verify that all installed products are compatible with one another and of compatible versions.
To verify the versions
Symptom:
After successful SAML authentication at consumer/SP site, the consumer/SP Web Agent still challenges the user because of cookie domain mismatch.
Solution:
Verify that the producer/IdP and consumer/SP are not in the same cookie domain. Legacy federation does not support federation within the same cookie domain. Separate cookie domains are required at the producer/IdP and consumer/SP sites. Additionally, verify that the CookieDomainScope parameter is set to the appropriate value for your environment. This parameter is a Web Agent parameter (see information about single sign-on in the SiteMinder Web Agent Configuration Guide.
If separate cookie domains are in use, verify that the cookie domain in the Agent configuration matches the domain name in the requested target URL.
Symptom:
After successful authentication at the consumer site, an HTTP 404 "Page Not Found" error code is returned to the browser.
Solution:
Verify that the target page exists in the web server document root. Examine the FWS trace log to verify that the user is being redirected to the correct URL.
Symptom:
When the relying party tries to retrieve an assertion, an HTTP 404 "Page Not Found" error code is returned to the browser.
Solution:
Verify that the Federation Web Services application is deployed as a web application. Deploy the application on a web server running one of the supported application servers. The SiteMinder Platform Support Matrix lists the supported platforms for the Web Agent Option Pack.
Symptom:
The Federation Web Services application at the consumer/SP fails to send a SAML request message to the producer/IdP. The consuming side fails to trust the certificate of the web server.
Solution:
Add the certificate of the Certificate Authority that issued the client certificate to the key database of the web server at the producer/IdP.
Symptom:
Problems occur due to conflicts between configuration parameters that must correspond on producer/Identity Provider and consumer/Service Provider, even though the parameters appear to match.
Solution:
The URL string that comes after the colon is case-sensitive. For example, the text after http: is case-sensitive. Therefore, the case of the URLs in all corresponding settings must match.
Parameter values that must match between the asserting and relying parties are documented in the topic Configuration Settings that Must Use the Same Values.
|
Copyright © 2012 CA.
All rights reserved.
|
|