Hi Andrew,
From the trace, I would say that the LDAP error is causing the failure.
This is a failure of LDAP to find an object being requested. I'm not an expert in this part of the code but looks like perhaps you have an LDAP attribute source defined but the system is failing to find the authenticated user in LDAP to pull attributes.
Do you have any LDAP attribute sources defined for the Federation/Partner definition? If so, maybe try removing these and retry?
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
Original Message:
Sent: Tue September 21, 2021 12:39 PM
From: Andrew Potgieter
Subject: could_not_perform_token_exchange when using with Auth0 as a SP
Hello Jon,
So I got hold of the logs from the client.
It appears that there is an error from the token exchange service.
This is what seems to be the relevant sections:
Firstly there is what I think is an xml request message to the Security Token Service starting with
<stsuuser:STSUniversalUser xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser"> ...
Let me know if you would like the whole xml message I will do the necessary redacting.
Shortly after, the failure messages seem to start with:
4588 [9/21/21 14:37:24:779 SAST] 000000a5 id=00000000 com.tivoli.am.fim.trustserver.sts.STSModuleChainManager 3 doPostChainProcessing Request failed status: {http://schemas.xmlsoap.org/ws/2005/02/trust}RequestFailed <- I'm not sure if this is relevant. Or what it means really
4589 [9/21/21 14:37:24:779 SAST] 000000a5 id=00000000 com.tivoli.am.fim.om.ObjectManager > get(Class<C>) ENTRY
4590 [9/21/21 14:37:24:779 SAST] 000000a5 id=00000000 com.tivoli.am.fim.om.ObjectManager$Configuration > getObject(Class<C>) ENTRY
4591 [9/21/21 14:37:24:779 SAST] 000000a5 id=00000000 com.tivoli.am.fim.om.ObjectManager$Configuration 3 getObject(Class<C>) Class com.tivoli.am.fim.trustserver.sts.STSModuleChain$CustomProperties from version 1632227718389.
4592 [9/21/21 14:37:24:779 SAST] 000000a5 id=00000000 com.tivoli.am.fim.om.ObjectManager$Configuration < getObject(Class<C>) RETURN
4593 [9/21/21 14:37:24:779 SAST] 000000a5 id=00000000 com.tivoli.am.fim.om.ObjectManager < get(Class<C>) RETURN
4594 [9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 com.tivoli.am.fim.trustserver.sts.STSModuleChainManager > requestedTokenTypeIsStatus ENTRY
4595 [9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 com.tivoli.am.fim.trustserver.sts.STSModuleChainManager 3 requestedTokenTypeIsStatus Requested Token type is Status = false
4596 [9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 com.tivoli.am.fim.trustserver.sts.STSModuleChainManager < requestedTokenTypeIsStatus RETURN
4597 [9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 com.tivoli.am.fim.trustserver.sts.STSModuleChainManager < doPostChainProcessing RETURN
4598 [9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 com.tivoli.am.fim.trustserver.sts.STSModuleChainManager < processthroughChains(STSRequest,STSResponse) RETURN
4599 [9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 com.tivoli.am.fim.trustserver.sts.STSManager < process(STSRequest,STSResponse) RETURN
4600 [9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 com.tivoli.am.fim.trustserver.service.SecurityTokenProcessor < process(STSRequest, STSResponse) RETURN
4601 [9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 com.tivoli.am.fim.trustserver.service.SecurityTokenService < requestSecurityToken(STSRequest, STSResponse) RETURN
4602 [9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 com.tivoli.am.fim.fedmgr2.trust.TokenExchangeCommandImpl < exchange RETURN
4603 [9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 ivoli.am.fim.saml20.protocol.utils.SAML20TokenExchangeHelper 3 exchangeToken Response: com.tivoli.am.fim.fedmgr2.trust.TokenExchangeResponse@4e02ea33
4604 [9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 ivoli.am.fim.saml20.protocol.utils.SAML20TokenExchangeHelper 1 exchangeToken Error: Token exchange failed; halting with AuthnFailedInterrupt <- I can't actually see any reasons in the previous messages which would suddenly give this except maybe the "Requested Token type is Status = false"
4605 [9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 ivoli.am.fim.saml20.protocol.utils.SAML20TokenExchangeHelper > handleTokenExchangeError ENTRY
4606 [9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 ivoli.am.fim.saml20.protocol.utils.SAML20TokenExchangeHelper E handleTokenExchangeError FBTSML006E The token cannot be exchanged for the service provider. <- The only reference I could find to this error code did not give me much insight.
4607 [9/21/21 14:37:24:781 SAST] 000000a5 id=00000000 ivoli.am.fim.saml20.protocol.utils.SAML20TokenExchangeHelper I handleTokenExchangeError com.tivoli.am.fim.trustserver.sts.STSModuleException: LDAP Search failed.
4608 at com.tivoli.am.fim.attributemapper.util.LDAPClient.doLDAPSearch(LDAPClient.java:115)
4609 at com.tivoli.am.fim.attributemapper.impl.LDAPAttributeMapper.map(LDAPAttributeMapper.java:573)
4610 at com.tivoli.am.fim.trustserver.sts.modules.AttributeMappingModule.invoke(AttributeMappingModule.java:93)
....
4660 Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'ou=People,ou=User,DC=<REDACTED>' <- And this seems to be the cause of the LDAP error
4661 at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3191)
This eventually propagates into the "could_not_perform_token_exchange" we see in the SAML message.
Does this mean an LDAP error could be causing a token exchange failure? Or is it the other way around?
Any ideas or suggestions?
Many thanks,
Andrew
------------------------------
Andrew Potgieter
Original Message:
Sent: Mon September 13, 2021 11:25 AM
From: Jon Harry
Subject: could_not_perform_token_exchange when using with Auth0 as a SP
Hi Andrew,
To find out WHY Verify Access is returning the could_not_perform_token_exchange error, you're going to need to look into the message log of the Federation runtime. In there you should be able to find some error message that indicates the reason for the failure.
If you start at the end of the file and find an Exception, don't forget to keep looking up the file to find the FIRST exception - which would be most likely to indicate the root of the problem.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
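As an added illustration of the approach Jon describes here (work back to the FIRST exception, then follow its "Caused by" links down to the root) applied to the trace Andrew posted above, the Python helper below is not from the thread or from IBM; its sample trace is constructed from the quoted lines with the customer's DN replaced by the placeholder DC=example,DC=com, and the result-code hints are the standard LDAP meanings from RFC 4511.

```python
import re
# Constructed sample trace modelled on the lines quoted in the thread;
# the tenant's DN is replaced by the placeholder DC=example,DC=com.
SAMPLE_TRACE = """\
[9/21/21 14:37:24:779 SAST] 000000a5 id=00000000 com.tivoli.am.fim.trustserver.sts.STSModuleChainManager 3 doPostChainProcessing Request failed status: {http://schemas.xmlsoap.org/ws/2005/02/trust}RequestFailed
[9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 ivoli.am.fim.saml20.protocol.utils.SAML20TokenExchangeHelper 1 exchangeToken Error: Token exchange failed; halting with AuthnFailedInterrupt
[9/21/21 14:37:24:780 SAST] 000000a5 id=00000000 ivoli.am.fim.saml20.protocol.utils.SAML20TokenExchangeHelper E handleTokenExchangeError FBTSML006E The token cannot be exchanged for the service provider.
[9/21/21 14:37:24:781 SAST] 000000a5 id=00000000 ivoli.am.fim.saml20.protocol.utils.SAML20TokenExchangeHelper I handleTokenExchangeError com.tivoli.am.fim.trustserver.sts.STSModuleException: LDAP Search failed.
\tat com.tivoli.am.fim.attributemapper.util.LDAPClient.doLDAPSearch(LDAPClient.java:115)
Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'ou=People,ou=User,DC=example,DC=com'
\tat com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3191)
"""
# A Java exception class (dotted name ending in Exception/Error) followed by its message.
EXC_RE = re.compile(r"((?:[\w$]+\.)+[\w$]*(?:Exception|Error)\b)(?::\s*(.*))?")
# JNDI's rendering of an LDAP result code, plus the DN the server could not resolve.
LDAP_RE = re.compile(r"\[LDAP: error code (\d+) - ([^\]]+)\](?:; remaining name '([^']*)')?")
# Standard LDAP result codes (RFC 4511) that most often sit behind attribute-source failures.
LDAP_HINTS = {
    32: "noSuchObject: the search base ('remaining name') does not exist; check the attribute source base DN",
    49: "invalidCredentials: the bind DN or password configured for the attribute source is wrong",
}

def first_exception_chain(trace):
    # The FIRST exception in the file plus every "Caused by:" link under it; the last link is the root.
    lines = trace.splitlines()
    for i, line in enumerate(lines):
        m = EXC_RE.search(line)
        if not m or line.startswith("Caused by:"):
            continue
        chain = [(m.group(1), m.group(2) or "")]
        for s in (l.strip() for l in lines[i + 1:]):
            c = EXC_RE.search(s) if s.startswith("Caused by:") else None
            if c:
                chain.append((c.group(1), c.group(2) or ""))
            elif not s.startswith(("Caused by:", "at ", "...")):
                break  # first line that is not part of the stack trace
        return chain
    return []

def diagnose(trace):
    # Summarise the chain: what was thrown first, what actually failed, and what the LDAP code means.
    chain = first_exception_chain(trace)
    if not chain:
        return {"first": None, "root": None, "ldap": None, "hint": "no exception found"}
    root_cls, root_msg = chain[-1]
    m = LDAP_RE.search(root_msg)
    ldap = {"code": int(m.group(1)), "text": m.group(2), "remaining_name": m.group(3)} if m else None
    hint = LDAP_HINTS.get(ldap["code"], "see RFC 4511 result codes") if ldap else "root cause is not an LDAP error"
    return {"first": chain[0][0], "root": root_cls, "ldap": ldap, "hint": hint}
```

Run diagnose() over the real runtime trace file's contents; the "remaining_name" it returns is the base DN to compare against the LDAP attribute source configuration.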
Original Message:
Sent: Mon September 13, 2021 06:01 AM
From: Andrew Potgieter
Subject: could_not_perform_token_exchange when using with Auth0 as a SP
Hello (probably Jon :) ),
I am busy setting up an Auth0 SAML service provider that connects to an external IBM Security Access Manager 9 SAML identity provider.
In order to get the initial steps working we have disabled the signature verification on the IBM and Auth0 side.
However we still get this error message as the SAML response, any ideas what this could be?
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
<samlp:StatusDetail>
<fim:FIMStatusDetail MessageID="could_not_perform_token_exchange" />
</samlp:StatusDetail>
</samlp:Status>
This is the SAML Request being sent, maybe there is something wrong here?
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://<redacted-domain>/isam/sps/SAML-ppe/saml20/login"
AssertionConsumerServiceURL="https://test-tenant.eu.auth0.com/login/callback?connection=test-connection"
ID="_04.....29f1a"
IssueInstant="2021-09-13T09:42:46Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:auth0:test-tenant:test-connection</saml:Issuer>
</samlp:AuthnRequest>
Many thanks,
Andrew
------------------------------
Andrew Potgieter
------------------------------