Hi, We are started getting these issues after changing the S...

[Kamesh Gopalan]

Hi,

We are started getting these issues after changing the SAML SSO setting from AD to Azure AD.

(FOC44540) Web Services Request got error. Response Status : 403 ; Reason: Forbidden

Tested this link and it is working.

http://hostname:8080/ibi_apps/rsIBIRS_action=TEST

We are using POST request and confirmed that CSRF token is generating and the configuration on Admin Console shows CSRF is enforced. Recently we switched the SAML SSO from AD to Azure AD. After that, this is stopped working. Do I need to look anything else on the configuration

Thanks for your help

Kamesh

Version: WF8206

[Toby Mills]

Hi Kamesh

Let me ask you a couple of questions.

First - have your tried logging on to the WebFOCUS Reporting Server Console and going to Access Control and then used the Test button to see if you can log in successfully from there If this part doesnt work, then nothing will work as expected.

 

Open WFRS Console

Choose Access Control

Right click o n the Access Control Provider that youre trying to use and choose Properties.

at the bottom of the screen will be a Test button. Try to log on.

 

Second, do you know who is giving you the 403 Is it coming from maybe IIS or your Web Server Or is it coming from WebFOCUS Tomcat (or whatever webapp server youre using) even

To check, start at the first thing your HTTP request hits and work your way to the back (being WebFOCUS).

 

Check your Web Server Logs first (like IIS for example). Find your request and look at the timestamp and see if you see the 403 here. Remember the timestamp is shifted off to GMT time so it may be 5 or 6 hours ahead of your local time).

Next, take a look at your current tomcatlogslocalhost_access log (or whatever log shows URLs and return code for your Webapp server if its not tomcat). Find that same request you saw in IIS being handed off to Tomcat (use the timestamp to help). Does this one show the 403

Move on to WebFOCUS logs. Again using the time, this time go look through audit.log, event.log and websecurity.log to see if you see more info.

 

If your can authenticate okay from the WFRS (WebFOCUS Reporting Server) Console Access Control, let us know what you find on where you get knocked out with a 403. There is a trace you might turn on if youre making it to WebFOCUS but getting knocked out.

Last thing for interests sake - what version are you on and which company are you working for (in case that helps any of us who previously worked in techsupport or Profesisonal Services and might know youre enironment.

Thanks

Toby Mills, CISSP

[Toby Mills]

Hi Kamesh - sorry I didnt see the last line where you said youre on 8206.

The version doesnt matter so much, but I just wanted to get it documented.

Let me know once you test the things in my last note.

Thanks

[Kamesh Gopalan]

Thanks Toby.

By default, CSRF token is enabled in the latest version. Combination of disabling the CSRF token and Form Based Authentication solved our issue.