Skip to main content

Hello,

Currently in our environment we are trying to enable SSO with ADFS. We’re able to login to IFS using AD credentials if we manually input them, but if you select “Sign in as current user” it will prompt to enter credentials, and then returns error 400. Detailed error below:

Ifs.Fnd.FndSystemException: Unexpected error while calling server method ClientApplication/IdentifyCurrentUser

at Ifs.Fnd.AccessProvider.FndConnection.InvokeInternal(Object requestBody, Object responseBody, String intface, String operation, FndRequestContext requestContext, FndManualDecisionCollection decisions, Boolean forcedSync, Boolean integrationGateway)
at Ifs.Fnd.AccessProvider.FndConnection.InvokeInternal(String intface, String operation, Object requestBody, Object responseBody, FndRequestContext requestContext, Boolean forcedSync, Boolean integrationGateway)
at Ifs.Fnd.AccessProvider.Interactive.FndLoginDialog.AuthenticateCredentials(FndLoginCredentials loginCreds) ---> Ifs.Fnd.FndSystemException: 400
at Ifs.Fnd.AccessProvider.FndConnection.CallGetResponse(String intface, String operation, FndRequestContext requestContext, FndManualDecisionCollection decisions, Byte,] requestHeaderBytes, Byte,] requestBodyBytes, FndApfAsyncInvoke asyncInvokeHandle, Boolean integrationGateway)
at Ifs.Fnd.AccessProvider.FndConnection.InvokeGetResponse(String intface, String operation, FndRequestContext requestContext, FndManualDecisionCollection decisions, Byte,] requestHeaderBytes, Byte,] requestBodyBytes, Boolean& abandoned, Boolean forcedSync, Boolean integrationGateway)
at Ifs.Fnd.AccessProvider.FndConnection.InvokeInternal(Object requestBody, Object responseBody, String intface, String operation, FndRequestContext requestContext, FndManualDecisionCollection decisions, Boolean forcedSync, Boolean integrationGateway)
--- End of inner exception stack trace ---

I increased the Limit Field Request size per this article and even tried logging in with a new user belonging to no groups, but I received the same error. I did set the HTTP server to trace and saw this error in the logs:

URL::sendHeaders(): meth='POST' file='/main/default/clientgateway' protocol='HTTP/1.1'
Header to WLS: User-Agent]=gIFS .NET Access Provider/1.2]
Header to WLS: Os-User]=Udomain\\user]
Header to WLS: Program]=gIfs.Fnd.Explorer.exe]
Header to WLS: Machine]=hconsole@userpc.domain.com]
Header to WLS: X-Ifs-Capabilities]=t02]
Header to WLS: X-Ifs-Timeout]=e30000]
Header to WLS: Content-Type]=Tapplication/octet-stream]
Header to WLS: Host]=Hifs10devutil.domain.com:58080]
Header to WLS: Content-Length]=n0]
Header to WLS: ECID-Context]=t1.005x4^Yi9OgFk3o5sVd9iX00062z00000Y;kXjE]
Header to WLS: Connection]=tKeep-Alive]
Header to WLS: WL-Proxy-SSL]=-true]
Header to WLS: X-Forwarded-For]=-xx.x.x.74]
Header to WLS: WL-Proxy-Client-IP]=txx.x.x.74]
Header to WLS: WL-Proxy-Client-Port]=P64156]
Header to WLS: X-WebLogic-KeepAliveSecs]=S30]
Header to WLS: X-WebLogic-Request-ClusterInfo]=Itrue]
Header to WLS: x-weblogic-cluster-hash]=hA4z6JJO09Z2Ycft4x6TZf+W2l84]
Post data length (not in memory): 0
sendPostData(): No T-E header, postSize == 0; C-L must have been zero
About to call parseHeaders
Reader::fill(): first=0 last=0 toRead=4096
Reader::fill(): sysRecv returned 2030
URL::parseHeaders: CompleteStatusLine set to eHTTP/1.1 401 Unauthorized]
URL::parseHeaders: StatusLine set to e401 Unauthorized]
URL::parseHeaders: StatusLineWithoutStatusCode set to eUnauthorized]
Header from WLS:mCache-Control]=tno-cache, no-store, must-revalidate]
Header from WLS:mDate]=DThu, 09 Feb 2023 19:10:35 GMT]
Header from WLS:mPragma]=aNo-cache]
Header from WLS:mContent-Length]=n1468]
Header from WLS:mContent-Type]=Ttext/html; charset=UTF-8]
Header from WLS:mExpires]=iThu, 01 Jan 1970 00:00:00 GMT]
Header from WLS:mWWW-Authenticate]=cBearer realm="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx@https://domain-scdb.domain.com/adfs", scope="openid", authorization_uri="https://domain-scdb.domain.com/adfs"]
Header from WLS:mX-ORACLE-DMS-RID]=-0:1]
Header from WLS:mX-ORACLE-DMS-ECID]=E005x4^Yi9OgFk3o5sVd9iX00062z00000Y]
Header from WLS:mX-IFS-OAuth2-Resource]=uapi://IFSTEST]
Header from WLS:mX-IFS-OAuth2-IDP]=-ADFS]
parsed all headers OK
Exiting method BaseProxy::sendRequest
sendResponse() : r->status = '401'
Hdrs to client (add):(Cache-Control]=tno-cache, no-store, must-revalidate]
Hdrs to client (add):(Date]=DThu, 09 Feb 2023 19:10:35 GMT]
Hdrs to client (add):(Pragma]=aNo-cache]
Hdrs to client (add):(Expires]=iThu, 01 Jan 1970 00:00:00 GMT]
Hdrs to client (add):(WWW-Authenticate]=cBearer realm="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx@https://domain-scdb.domain.com/adfs", scope="openid", authorization_uri="https://domain-scdb.domain.com/adfs"]
Hdrs to client (add):(X-ORACLE-DMS-RID]=-0:1]
Hdrs to client (add):(X-ORACLE-DMS-ECID]=E005x4^Yi9OgFk3o5sVd9iX00062z00000Y]
Hdrs to client (add):(X-IFS-OAuth2-Resource]=uapi://IFSTEST]
Hdrs to client (add):(X-IFS-OAuth2-IDP]=-ADFS]
AH01502: headers: ap_headers_output_filter()

As far as I’m aware SSO has never worked for our environment with ADFS. I followed the steps in this article, but most of the links are dead. I checked our ADFS server against the Achieving Single Sign-On behavior doc and everything appears to be configured correctly.

 

Does anyone know if there is a fix?

 

Thank you

As an update, I figured out the issue. Our ADFS server was missing a SPN. I added SPNs to our DC via the Setspn command in powershell.


Reply