IBM Security Verify

Expand all | Collapse all

could_not_perform_token_exchange when using with Auth0 as a SP

  • 1.  could_not_perform_token_exchange when using with Auth0 as a SP

    Posted Mon September 13, 2021 06:02 AM

    Hello (probably Jon :) ),

    I am busy setting up an Auth0 SAML service provider that connects to an external IBM Security Access Manager 9 SAML identity provider.
    In order to get the initial steps working we have have disabled the signature verification on the IBM and Auth0 side.
    However we still get this error message as the SAML response, any ideas what th
    is could be?

    <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
    <samlp:StatusDetail>
    <fim:FIMStatusDetail MessageID="could_not_perform_token_exchange" />
    </samlp:StatusDetail>
    </samlp:Status>

    This is the SAML Request being sent, maybe there is something wrong here?

    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://<redacted-domain>/isam/sps/SAML-ppe/saml20/login"
    AssertionConsumerServiceURL="https://test-tenant.eu.auth0.com/login/callback?connection=test-connection"
    ID="_04.....29f1a"
    IssueInstant="2021-09-13T09:42:46Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:auth0:test-tenant:test-connection</saml:Issuer> </samlp:AuthnRequest>


    Many thanks,
    Andrew



    ------------------------------
    Andrew Potgieter
    ------------------------------


  • 2.  RE: could_not_perform_token_exchange when using with Auth0 as a SP

    Posted Mon September 13, 2021 11:25 AM
    Hi Andrew,

    To find out WHY Verify Access is returning the could_not_perform_token_exchange error, you're going to need to look into the message log of the Federation runtime.  In there you should be able to find some error message that indicates the reason for the failure.

    If you find start at the end of the file and find an Exception, don't forget to keep looking up the file to find the FIRST exception - which would be most likely to indicate the root of the problem.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: could_not_perform_token_exchange when using with Auth0 as a SP

    Posted Mon September 13, 2021 11:35 AM
    Hello Jon,

    We were having a troubleshooting session today with the client. The client being the owner of the IBM SAML IdP.
    They are going to get the logs (which I do not yet have access to) and send them through to the IBM support to ask for some help.
    I will post the solution once we have found it in case anyone has the same problem in the future.
    Thanks for your help.

    Andrew

    ------------------------------
    Andrew Potgieter
    ------------------------------



  • 4.  RE: could_not_perform_token_exchange when using with Auth0 as a SP

    Posted Tue September 21, 2021 12:39 PM

    Hello Jon,
    So I got hold of the logs from the client.
    It appears that there is an error from the token exchange service. 

    This is what seems to be the relevant sections:

    Firstly there is what I think is an xml request message to the Security Token Service starting with 

    <stsuuser:STSUniversalUser xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser"> ...

    Let me know if you would like the whole xml message I will do the necessary redacting.

    Shortly after, the failure messages seem to start with:

    4588 [9/21/21 14:37:24:779 SAST] 000000a5 id=00000000 com.tivoli.am.fim.trustserver.sts.STSModuleChainManager 3 doPostChainProcessing Request failed status: {http://schemas.xmlsoap.org/ws/2005/02/trust}RequestFailed <- I'm not sure if this is relevant. Or what it means really
    4589 [9/21/21 14:37:24:779 SAST] 000000a5 id=00000000 com.tivoli.am.fim.om.ObjectManager > get(Class<C>) ENTRY
    4590 [9/21/21 14:37:24:779 SAST] 000000a5 id=00000000 com.tivoli.am.fim.om.ObjectManager$Configuration > getObject(Class<C>) ENTRY
    4591 [9/21/21 14:37:24:779 SAST] 000000a5 id=00000000 com.tivoli.am.fim.om.ObjectManager$Configuration 3 getObject(Class<C>) Class com.tivoli.am.fim.trustserver.sts.STSModuleChain$CustomProperties from version 1632227718389.
    4592 [9/21/21 14:37:24:779 SAST] 000000a5 id=00000000 com.tivoli.am.fim.om.ObjectManager$Configuration < getObject(Class<C>) RETURN
    4593 [9/21/21 14:37:24:779 SAST] 000000a5 id=00000000 com.tivoli.am.fim.om.ObjectManager < get(Class<C>) RETURN
    4594 [9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 com.tivoli.am.fim.trustserver.sts.STSModuleChainManager > requestedTokenTypeIsStatus ENTRY
    4595 [9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 com.tivoli.am.fim.trustserver.sts.STSModuleChainManager 3 requestedTokenTypeIsStatus Requested Token type is Status = false
    4596 [9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 com.tivoli.am.fim.trustserver.sts.STSModuleChainManager < requestedTokenTypeIsStatus RETURN
    4597 [9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 com.tivoli.am.fim.trustserver.sts.STSModuleChainManager < doPostChainProcessing RETURN
    4598 [9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 com.tivoli.am.fim.trustserver.sts.STSModuleChainManager < processthroughChains(STSRequest,STSResponse) RETURN
    4599 [9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 com.tivoli.am.fim.trustserver.sts.STSManager < process(STSRequest,STSResponse) RETURN
    4600 [9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 com.tivoli.am.fim.trustserver.service.SecurityTokenProcessor < process(STSRequest, STSResponse) RETURN
    4601 [9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 com.tivoli.am.fim.trustserver.service.SecurityTokenService < requestSecurityToken(STSRequest, STSResponse) RETURN
    4602 [9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 com.tivoli.am.fim.fedmgr2.trust.TokenExchangeCommandImpl < exchange RETURN
    4603 [9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 ivoli.am.fim.saml20.protocol.utils.SAML20TokenExchangeHelper 3 exchangeToken Response: com.tivoli.am.fim.fedmgr2.trust.TokenExchangeResponse@4e02ea33
    4604 [9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 ivoli.am.fim.saml20.protocol.utils.SAML20TokenExchangeHelper 1 exchangeToken Error: Token exchange failed; halting with AuthnFailedInterrupt <- I cant actually see any reasons in the previous messages which would suddenly give this except maybe the "Requested Token type is Status = false" 
    4605 [9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 ivoli.am.fim.saml20.protocol.utils.SAML20TokenExchangeHelper > handleTokenExchangeError ENTRY
    4606 [9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 ivoli.am.fim.saml20.protocol.utils.SAML20TokenExchangeHelper E handleTokenExchangeError FBTSML006E The token cannot be exchanged for the service provider. <- The only reference I could find to this error code did not give me much insight.
    4607 [9/21/21 14:37:24:781 SAST] 000000a5 id=00000000 ivoli.am.fim.saml20.protocol.utils.SAML20TokenExchangeHelper I handleTokenExchangeError com.tivoli.am.fim.trustserver.sts.STSModuleException: LDAP Search failed.
    4608 at com.tivoli.am.fim.attributemapper.util.LDAPClient.doLDAPSearch(LDAPClient.java:115)
    4609 at com.tivoli.am.fim.attributemapper.impl.LDAPAttributeMapper.map(LDAPAttributeMapper.java:573)
    4610 at com.tivoli.am.fim.trustserver.sts.modules.AttributeMappingModule.invoke(AttributeMappingModule.java:93)
    ....
    4660 Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'ou=People,ou=User,DC=<REDACTED>' <- And this seems to be the cause of the LDAP error
    4661 at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3191)

    This eventually propagates into the "could_not_perform_token_exchange" we see in the saml message

    Does this mean an LDAP error could be causing a token exchange failure. Or is it the other way around?

    Any ideas or suggestions?
    Many thanks,
    Andrew



    ------------------------------
    Andrew Potgieter
    ------------------------------



  • 5.  RE: could_not_perform_token_exchange when using with Auth0 as a SP

    Posted Tue September 21, 2021 02:39 PM
    Hi Andrew,

    From the trace, I would say that the LDAP error is causing the failure.

    This is a failure of LDAP to find an object being requested.  I'm not an expert in this part of the code but looks like perhaps you have an LDAP attribute source defined but the system is failing to find the authenticated user in LDAP to pull attributes.

    Do you have any LDAP attribute sources defined for the Federation/Partner definition?  If so, maybe try removing these and retry?

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 6.  RE: could_not_perform_token_exchange when using with Auth0 as a SP

    Posted Tue September 21, 2021 03:06 PM

    Hello Jon,

    Thanks for the quick reply. Yes it does seem that way. That was my first thought but then the more I thought about it the more confused I got. One of those.
    I know that the LDAP users used to log in to the system do actually exist so my first thought is that some config is wrong that points to the incorrect domain or something. I will contact the client tomorrow and we can investigate further.
    I will update if I find any thing.
    Many thanks,
    Andrew



    ------------------------------
    Andrew Potgieter
    ------------------------------



  • 7.  RE: could_not_perform_token_exchange when using with Auth0 as a SP

    Posted Wed September 22, 2021 01:45 AM
    Edited by Shane Weeden Wed September 22, 2021 03:06 AM
    The error appears to be with the LDAPAttributeMapper looking up specific attributes for a user. Check what you have configured for attribute mapping at the IDP, and that any configured attributes are actually defined, and do exist in the user's LDAP record. Better still, read attributes into the credential at authentication time and use a simple JavaScript mapping rule to populate them into the SAML assertion. 

    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 8.  RE: could_not_perform_token_exchange when using with Auth0 as a SP

    Posted Wed September 22, 2021 09:14 AM
    Hi Shane/Jon/Andrew

    This issue was logged as a case TS006825838. There are 43 SAML partners and also the mobile app oauth stuff in the log so it is confusing when reading it. We have all signing and encryption turned off and using the default mapping rule on the Federation. No mapping rule override, this rule is working on many partners without issue.

    ------------------------------
    Thomas Mockridge
    ------------------------------



  • 9.  RE: could_not_perform_token_exchange when using with Auth0 as a SP

    Posted Wed September 22, 2021 09:17 AM
    Hi Shane/Jon/Andrew

    This issue was logged as a case TS006825838. There are 43 SAML partners and also the mobile app oauth stuff in the log so it is confusing when reading it. We have all signing and encryption turned off and using the default mapping rule on the Federation. No mapping rule override, this rule is working on many partners without issue.

    ------------------------------
    Thomas Mockridge
    ------------------------------



  • 10.  RE: could_not_perform_token_exchange when using with Auth0 as a SP

    Posted Wed September 22, 2021 03:41 PM
    Hi

    Thanks for your input - I deleted the SAML partner - then recreated it with no attributes. This worked. I then added attributes one by one testing each time I made a change. When I added the "common name" (cn) It broke. I then checked the attribute mapping and found there was a typo in the base dn - I believe someone (yes, yes, who?) deleted a char in the base dn, in error. I corrected this and now it works as expected.

    Again thanks for your collective input, I am glad it is now resolved - I have closed the case.

    ------------------------------
    Thomas Mockridge
    ------------------------------