

Troubleshooting

This section contains the following topics:

General Issues

SAML 1.x-Only Issues

SAML 2.0-Only Issues

General Issues

The following troubleshooting topics apply to SAML 1.x and SAML 2.0.

Web Agent Option Pack Fails to Initialize Due to Invalid smjavaagent.dll

Symptom:

The Web Agent Option Pack fails to initialize on a system with other CA products. Error messages such as "Java Agent API initialization FAILED" or "unsatisfied link error" are displayed.

Error messages similar to the following appear in the Federation Web Service log file:

11:04:46 AM[29959477:E] Exception while reading the WebAgent configuration information: javaagent_api_getConfig
11:04:46 AM[29959477:E] Java Agent API initialization FAILED.

Solution:

An invalid version of smjavaagentapi.dll can be present in the system path. Verify that all installed products are compatible with one another and of compatible versions.

To verify the versions

  1. Log in to the Technical Support site.
  2. Search for the SiteMinder Platform Support Matrix for r12.0 SP3.

Cookie Domain Mismatch Errors

Symptom:

After successful SAML authentication at the consumer/SP site, the consumer/SP Web Agent still challenges the user because of a cookie domain mismatch.

Solution:

Verify that the producer/IdP and consumer/SP are not in the same cookie domain. Legacy federation does not support federation within the same cookie domain. Separate cookie domains are required at the producer/IdP and consumer/SP sites. Additionally, verify that the CookieDomainScope parameter is set to the appropriate value for your environment. This parameter is a Web Agent parameter (see the information about single sign-on in the SiteMinder Web Agent Configuration Guide).

If separate cookie domains are in use, verify that the cookie domain in the Agent configuration matches the domain name in the requested target URL.

Error After Successful Authentication at Consumer/SP

Symptom:

After successful authentication at the consumer site, an HTTP 404 "Page Not Found" error code is returned to the browser.

Solution:

Verify that the target page exists in the web server document root. Examine the FWS trace log to verify that the user is being redirected to the correct URL.

HTTP 404 Error When Trying to Retrieve Assertion at the Consumer

Symptom:

When the relying party tries to retrieve an assertion, an HTTP 404 "Page Not Found" error code is returned to the browser.

Solution:

Verify that the Federation Web Services application is deployed as a web application. Deploy the application on a web server running one of the supported application servers. The SiteMinder Platform Support Matrix lists the supported platforms for the Web Agent Option Pack.

More Information:

Deploy Federation Web Services as a Web Application

Federation Web Services Fails to Send SAML Request to Producer/IdP

Symptom:

The Federation Web Services application at the consumer/SP fails to send a SAML request message to the producer/IdP. The consuming side fails to trust the certificate of the web server.

Solution:

Add the certificate of the Certificate Authority that issued the client certificate to the key database of the web server at the producer/IdP.

Matching Parameter Case-Sensitivity Configuration Issues

Symptom:

Problems occur due to conflicts between configuration parameters that must correspond on producer/Identity Provider and consumer/Service Provider, even though the parameters appear to match.

Solution:

The URL string that comes after the colon is case-sensitive. For example, the text after http: is case-sensitive. Therefore, the case of the URLs in all corresponding settings must match.

Parameter values that must match between the asserting and relying parties are documented in the topic Configuration Settings that Must Use the Same Values.
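
The following script is an added example, not part of the product or its documentation. It compares corresponding URL settings from the two sides and reports which pairs differ only by case, with the position of the first differing character. The setting labels and URLs are constructed; treating the scheme before the colon as case-insensitive is an assumption drawn from the statement above.

```python
# Added example: find URL settings that "appear to match" but differ by case.
# Labels and URLs below are constructed sample data, not real SiteMinder names.

def first_difference(a, b):
    """Index of the first character at which a and b differ."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return min(len(a), len(b))

def compare_url(idp_value, sp_value):
    """Return (status, index of first differing character or None)."""
    idp_scheme, idp_sep, idp_rest = idp_value.partition(":")
    sp_scheme, sp_sep, sp_rest = sp_value.partition(":")
    if not idp_sep or not sp_sep:          # no colon: compare whole string
        idp_scheme, idp_rest, sp_scheme, sp_rest = "", idp_value, "", sp_value
    # Assumption: only the text after the colon is case-sensitive.
    if idp_scheme.lower() != sp_scheme.lower():
        return ("different", first_difference(idp_value, sp_value))
    if idp_rest == sp_rest:
        return ("match", None)
    offset = len(idp_value) - len(idp_rest)  # position where the rest starts
    status = "case-only" if idp_rest.lower() == sp_rest.lower() else "different"
    return (status, offset + first_difference(idp_rest, sp_rest))

def compare_settings(idp, sp):
    """Compare every label found on either side."""
    report = {}
    for label in sorted(set(idp) | set(sp)):
        if label not in idp or label not in sp:
            report[label] = ("missing", None)
        else:
            report[label] = compare_url(idp[label], sp[label])
    return report

IDP_SETTINGS = {  # constructed values as entered at the producer/IdP
    "consumer_url": "https://sp.example.com/fed/consumer",
    "audience": "http://sp.example.com/Portal",
    "target": "HTTP://sp.example.com/app/index.html",
    "issuer": "http://idp.example.com/saml",
    "sso_url": "https://idp.example.com/sso",
}
SP_SETTINGS = {   # constructed values as entered at the consumer/SP
    "consumer_url": "https://sp.example.com/fed/consumer",
    "audience": "http://sp.example.com/portal",
    "target": "http://sp.example.com/app/index.html",
    "issuer": "http://idp.example.org/saml",
}

if __name__ == "__main__":
    for label, (status, index) in compare_settings(IDP_SETTINGS, SP_SETTINGS).items():
        print(f"{label:14} {status:10} {'' if index is None else index}")
```

A "case-only" result is the situation described in the symptom: the two values look the same on screen but do not match.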