We are getting the below error in smps.log in the SP-initiated SSO call for one of our on-premise partners:
[AssertionGenerator.java][ERROR][sm-FedServer-00080] preProcess() returns fatal error. <Response ID="_37bf9cd57f08587fa174a8bcadbc3137abe2" InResponseTo="_15b9ce6e5fad2789c8cdc011225cca16" IssueInstant="2016-11-18T21:24:37Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">IDP Entity ID</ns1:Issuer><Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/></StatusCode><StatusMessage>Request did not fulfill security requirements!</StatusMessage></Status></Response>
Could anyone suggest something / share your thoughts on this federation issue?
Look at the policy server trace log; it should have more indication of what happened and why it failed.
This thread may also be related:
I am seeing [** Status: Authorized. ] in the profiler logs, but the SAML Response is not getting generated.
We will need the full smtrace. If you can't attach it here, do you mind sending it via email (communities)?
Copied response from the duplicate thread:
Logs shared in a Communities post are accessible by everyone.
The security requirement fulfilment error may relate to a signed AuthNRequest. The IdP needs the matching public certificate to verify the SP signature. To confirm whether that's the cause, please test with AuthNRequest signing disabled.
Common causes of the error: the IDP either does not have the certificate to verify the signature of the AuthNRequest, or the certificate selected on the IDP partnership has certIssuerDN and certserial values equal to null.
I was able to replicate the issue in my lab.
It seems that you have the Signed Authentication Request requirement set to YES at the IDP:
However, the AuthnRequest sent by SP is not signed.
You can verify this by reviewing the Fiddler capture. If the AuthNRequest is signed you should see the signature as below:
Fig. Signed AuthNRequest
In case of an unsigned AuthnRequest, you will NOT see the Signature; see below:
Fig. Un Signed AuthNRequest
Also, if you have detailed tracing enabled on the Policy Server, you should see the exact error message like this in the IDP smtrace log:
[11/21/2016][10:35:05][a15a8888-d72d7f92-b17b0803-fc600ef2-0050a3e4-d3][AuthnRequestProtocol.java][verifySignatureOnRequest][Authnrequests are required to be signed but the request did not contain a required query parameter: Signature, or SigAlg is missing.]
[11/21/2016][10:35:05][a15a8888-d72d7f92-b17b0803-fc600ef2-0050a3e4-d3][AssertionGenerator.java][invoke][AssertionHandler preProcess() failed. Leaving AssertionGenerator.]
Configure the SP to sign the AuthnRequest. If the SP is CA SSO, you can do this as below on the SP side of the partnership:
Let me know if this works for you.
Ujwol's Single Sign-On Blog
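To make the check described in the two answers above concrete (the IdP refusing an HTTP-Redirect AuthnRequest that lacks the Signature/SigAlg query parameters), here is an added example that is not part of the original thread and not CA SSO product code. It builds a SAML 2.0 AuthnRequest for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode), then applies the same presence check the IdP's verifySignatureOnRequest step makes, and reconstructs the octet string an SP signs per the SAML 2.0 Bindings spec (SAMLRequest, optional RelayState, SigAlg, in that order, taken from the URL-encoded values exactly as sent). The entity IDs, URLs, request ID and RelayState are hypothetical; the signature value is a placeholder, because cryptographic verification needs the SP's certificate, which is the other cause named above and is out of scope here.

```python
"""Inspect an SP-initiated SAML 2.0 AuthnRequest on the HTTP-Redirect binding.

Added example, not CA SSO code. Mirrors the IdP-side presence check that
produces Requester/RequestDenied when signed AuthnRequests are required but
SigAlg or Signature is absent. Signature verification itself is not done.
"""
import base64
import zlib
from typing import Optional
from urllib.parse import quote, unquote, urlsplit

# Constructed sample AuthnRequest; entity IDs, URLs and ID are hypothetical.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_c0ffee0123456789" Version="2.0" IssueInstant="2016-11-18T21:24:30Z" '
    'Destination="https://idp.example.com/affwebservices/public/saml2sso" '
    'AssertionConsumerServiceURL="https://sp.example.com/acs">'
    '<saml:Issuer>https://sp.example.com</saml:Issuer>'
    '</samlp:AuthnRequest>'
)
IDP_SSO_URL = "https://idp.example.com/affwebservices/public/saml2sso"  # hypothetical
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Wording taken from the smtrace line quoted in the thread above.
DENIED_MESSAGE = ("Authnrequests are required to be signed but the request did not "
                  "contain a required query parameter: Signature, or SigAlg is missing.")


def deflate_b64(xml: str) -> str:
    """Raw DEFLATE (no zlib header, wbits=-15) then base64, as the Redirect binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode("utf-8")) + comp.flush()).decode("ascii")


def inflate_b64(value: str) -> str:
    """Reverse of deflate_b64: base64-decode, then raw-inflate."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def build_redirect_url(xml: str, relay_state: Optional[str] = None,
                       signature_b64: Optional[str] = None) -> str:
    """SP -> IdP redirect URL. With signature_b64, append SigAlg then Signature last."""
    params = [("SAMLRequest", deflate_b64(xml))]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    if signature_b64 is not None:
        params.append(("SigAlg", RSA_SHA256))
        params.append(("Signature", signature_b64))
    return IDP_SSO_URL + "?" + "&".join(f"{k}={quote(v, safe='')}" for k, v in params)


def raw_query_params(url: str) -> dict:
    """Split the query without decoding values: the signed string uses the encoded forms as sent."""
    params = {}
    for part in urlsplit(url).query.split("&"):
        if part:
            key, _, value = part.partition("=")
            params[key] = value
    return params


def signed_octet_string(raw: dict) -> str:
    """SAMLRequest=v[&RelayState=v]&SigAlg=v, per SAML 2.0 Bindings section 3.4.4.1."""
    parts = [f"SAMLRequest={raw['SAMLRequest']}"]
    if "RelayState" in raw:
        parts.append(f"RelayState={raw['RelayState']}")
    parts.append(f"SigAlg={raw['SigAlg']}")
    return "&".join(parts)


def check_redirect_request(url: str, require_signed: bool) -> dict:
    """IdP-side presence check; returns decoded XML plus accept/deny decision."""
    raw = raw_query_params(url)
    if "SAMLRequest" not in raw:
        return {"signed": False, "accepted": False, "reason": "no SAMLRequest parameter"}
    signed = "Signature" in raw and "SigAlg" in raw
    result = {"signed": signed, "accepted": True, "reason": "",
              "request_xml": inflate_b64(unquote(raw["SAMLRequest"]))}
    if require_signed and not signed:
        result["accepted"] = False
        result["reason"] = DENIED_MESSAGE  # what the IdP logs before RequestDenied
    if signed:
        result["sig_alg"] = unquote(raw["SigAlg"])
        result["signed_data"] = signed_octet_string(raw)  # input to signature verification
    return result


if __name__ == "__main__":
    unsigned = build_redirect_url(SAMPLE_AUTHN_REQUEST, relay_state="app1")
    signed = build_redirect_url(SAMPLE_AUTHN_REQUEST, relay_state="app1",
                                signature_b64=base64.b64encode(b"placeholder").decode())
    for label, url in (("unsigned", unsigned), ("signed", signed)):
        r = check_redirect_request(url, require_signed=True)
        print(f"{label}: signed={r['signed']} accepted={r['accepted']} {r['reason']}")
```

Run it against a URL captured in Fiddler (paste it as the argument to check_redirect_request) to see on the SP side, before touching the IdP partnership, whether the request carries SigAlg and Signature at all; if it does and the IdP still denies it, the problem is the verification certificate rather than the signing switch.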
I disabled the Signed Authentication Requests, and it works fine.
Thanks for all your help! I will enable the IDP SMTrace so that it will write the detailed logging.