Symantec Access Management

  • 1.  I am the idp and getting error message after adding encryption cert,

    Posted Aug 10, 2016 04:14 PM

    [08/10/2016][07:01:57][2672][1925875456][16c805ad-0ee6d2bf-c6a44495-772f7cca-d7ac5baa-e1e][SSO.java][processAssertionGeneration][Calling authorizeEx to invoke SAML2 assertion generator.]

    [08/10/2016][07:01:57][2672][1925875456][16c805ad-0ee6d2bf-c6a44495-772f7cca-d7ac5baa-e1e][SSO.java][processAssertionGeneration][Result of authorizeEx call is: 1.]

    [08/10/2016][07:01:57][2672][1925875456][16c805ad-0ee6d2bf-c6a44495-772f7cca-d7ac5baa-e1e][SSO.java][processAssertionGeneration][Not enforcing ForceAuthnTimeouts.]

    [08/10/2016][07:01:57][2672][1925875456][16c805ad-0ee6d2bf-c6a44495-772f7cca-d7ac5baa-e1e][SSO.java][processAssertionGeneration][Received the following response from SAML2 assertion generator: SAML2Response=NO.]

    [08/10/2016][07:01:57][2672][1925875456][16c805ad-0ee6d2bf-c6a44495-772f7cca-d7ac5baa-e1e][SSO.java][processAssertionGeneration][Transaction with ID: 16c805ad-0ee6d2bf-c6a44495-772f7cca-d7ac5baa-e1e failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]

    [08/10/2016][07:01:57][2672][1925875456][16c805ad-0ee6d2bf-c6a44495-772f7cca-d7ac5baa-e1e][SSO.java][processAssertionGeneration][Denying request due to "NO" returned from SAML2 assertion generator.]

    Siteminder 12.50 using legacy federation setup in Siteminder



  • 2.  Re: I am the idp and getting error message after adding encryption cert,

    Posted Aug 10, 2016 06:32 PM

    Hi Karen,

     

    The Policy Server trace will log more details related to why the assertion failed to be generated.

     

    Apply samlidp_trace.template as the PS profiler template and check the request in the corresponding Policy Server trace.



  • 3.  Re: I am the idp and getting error message after adding encryption cert,
    Best Answer

    Posted Aug 10, 2016 06:33 PM

    Hi,

     

    Based on the FWSTrace log snippet that you provided, it seems the policy server experienced some problem when trying to generate the assertion. The policy server trace log will give more hints on why this happens. We can match the transaction ID in the FWSTrace log to the policy server trace log. I suspect it is something related to the certificate in the IDP.

     

    Check the following KB to see if it is applicable to your case.

     

    AuthnRequest sign verification issue

     

    Hope that helps

     

    Regards,

    Kar Meng
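
The log correlation suggested in the answers above, as an added example that is not part of the original thread and is not SiteMinder code: it parses FWSTrace records in the bracketed layout shown in the first post, collects the failed transaction IDs with their reasons, and pulls every Policy Server trace line that mentions the same ID. The function names are hypothetical, and the Policy Server lines are constructed placeholders (the thread does not show that log's layout, so the match is a plain substring search).

```python
import re

# FWSTrace record layout as it appears in the post:
# [date][time][pid][tid][transaction id][source file][function][message]
FWS_RECORD = re.compile(r"^(?:\[[^\]]*\]){4}\[(?P<txid>[^\]]*)\]\[(?P<src>[^\]]*)\]"
                        r"\[(?P<func>[^\]]*)\]\[(?P<msg>.*)\]\s*$")
FAILURE = re.compile(r"Transaction with ID: (?P<txid>\S+) failed\. Reason: (?P<reason>\S+)")

TXID = "16c805ad-0ee6d2bf-c6a44495-772f7cca-d7ac5baa-e1e"
PREFIX = f"[08/10/2016][07:01:57][2672][1925875456][{TXID}][SSO.java][processAssertionGeneration]"
# Two FWSTrace records from the post, with the viewer's line wrapping undone.
FWS_SAMPLE = [
    PREFIX + "[Result of authorizeEx call is: 1.]",
    PREFIX + f"[Transaction with ID: {TXID} failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]",
]
# Constructed placeholder lines, NOT real Policy Server output; only the ID matters here.
PS_SAMPLE = [
    "constructed line for another transaction 00000000-aaaa",
    f"constructed line A mentioning {TXID}",
    f"constructed line B mentioning {TXID}",
]


def failed_transactions(fws_lines):
    """Return {transaction_id: reason} for every failure record in an FWSTrace log."""
    failures = {}
    for line in fws_lines:
        record = FWS_RECORD.match(line.strip())
        if not record:
            continue  # blank line, wrapped fragment, or other non-record text
        hit = FAILURE.search(record["msg"])
        if hit:
            failures[hit["txid"]] = hit["reason"]
    return failures


def correlate(fws_lines, ps_lines):
    """Map each failed transaction to the Policy Server trace lines that mention its ID."""
    result = {}
    for txid, reason in failed_transactions(fws_lines).items():
        # Plain substring match: no assumption about the Policy Server trace layout.
        matches = [line.rstrip("\n") for line in ps_lines if txid in line]
        result[txid] = {"reason": reason, "ps_lines": matches}
    return result


if __name__ == "__main__":
    for txid, info in correlate(FWS_SAMPLE, PS_SAMPLE).items():
        print(txid, info["reason"], *info["ps_lines"], sep="\n  ")
```

To use it on real logs, pass the opened FWSTrace and Policy Server trace files in place of the two sample lists.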