Symantec Access Management

    Posted Oct 02, 2017 05:28 PM

    I am having an issue: when I hit the SP-initiated URL, Federation works fine (SAML generated) and I am able to log in and then browse the other non-SAML SiteMinder-protected URLs.


    But when I hit a non-SAML SiteMinder-protected URL, log in successfully, and then try to hit the SP-initiated URL, it gives me this error:


    [10/02/2017][21:11:28][2124][2236][152cfa46-05f6ba45-9d86dd8b-a32785b3-c4fa0729-8a7][][processAssertionGeneration][Received the following response from SAML2 assertion generator: SAML2Response=NO.]
    [10/02/2017][21:11:28][2124][2236][152cfa46-05f6ba45-9d86dd8b-a32785b3-c4fa0729-8a7][][processAssertionGeneration][Transaction with ID: 152cfa46-05f6ba45-9d86dd8b-a32785b3-c4fa0729-8a7 failed. Reason:


    Please suggest what I could be missing here.



    Best Answer

    Posted Oct 02, 2017 05:44 PM

    "Received the following response from SAML2 assertion generator: SAML2Response=NO" means that the CA SSO Policy Server rejected your request.


    This could be due to a variety of reasons, e.g. a UD mismatch in the Partnership. When we log in to a non-SAML protected resource, the Policy Domain Model or Application Model comes into play, and also the UD associated with the Policy Domain. When we try to do a purely IdP-initiated or SP-initiated SAML flow, the Partnership model and also the UD associated with the Partnership come into play. If the SP-initiated flow worked, that tells us that there are no issues with the Partnership. The only missing piece is the SSO between the Policy Domain Model and the Partnership Model; this typically starts with mismatched UD names used in the Policy Domain and Partnership. Check whether the UD in the Policy Domain matches the UD in the Partnership.


    Additionally, please check the smtracedefault.log on the Policy Server. That would tell us why this failed. Then we could take appropriate action.
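    As an added example (not code from this thread or from the CA SSO product), a small Python parser for the bracketed log format quoted in the question: it groups processAssertionGeneration entries by transaction ID and flags the transactions the assertion generator answered with SAML2Response=NO, so a rejected federation attempt can be picked out of a busy log before looking up its reason in smtracedefault.log. The sample lines are constructed from the two quoted ones plus an invented successful transaction.

```python
import re

# Constructed sample: the two lines quoted in the question plus an invented
# successful transaction, so there is something to contrast against.
SAMPLE_LOG = """\
[10/02/2017][21:11:28][2124][2236][152cfa46-05f6ba45-9d86dd8b-a32785b3-c4fa0729-8a7][][processAssertionGeneration][Received the following response from SAML2 assertion generator: SAML2Response=NO.]
[10/02/2017][21:11:28][2124][2236][152cfa46-05f6ba45-9d86dd8b-a32785b3-c4fa0729-8a7][][processAssertionGeneration][Transaction with ID: 152cfa46-05f6ba45-9d86dd8b-a32785b3-c4fa0729-8a7 failed. Reason:
[10/02/2017][21:12:03][2124][2240][deadbeef-00000000-11111111-22222222-33333333-444][][processAssertionGeneration][Received the following response from SAML2 assertion generator: SAML2Response=YES.]
"""

# Fields as in the quoted lines: date, time, pid, thread id, transaction id, an empty
# field, function name, message. The closing bracket is optional because the second
# quoted line was truncated before it.
LINE_RE = re.compile(
    r"^\[(?P<date>[^\]]*)\]\[(?P<time>[^\]]*)\]\[(?P<pid>\d+)\]\[(?P<tid>\d+)\]"
    r"\[(?P<txid>[^\]]*)\]\[(?P<extra>[^\]]*)\]\[(?P<func>[^\]]*)\]\[(?P<msg>.*?)\]?$"
)
RESPONSE_RE = re.compile(r"SAML2Response=(\w+)")
REASON_RE = re.compile(r"failed\. Reason:(.*)")

def parse_line(line):
    """Return the named fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize_transactions(log_text):
    """Group processAssertionGeneration events by transaction id and record each outcome."""
    outcome = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["func"] != "processAssertionGeneration":
            continue
        tx = outcome.setdefault(rec["txid"], {"time": rec["time"], "response": None, "reason": None})
        m = RESPONSE_RE.search(rec["msg"])
        if m:
            tx["response"] = m.group(1)
        m = REASON_RE.search(rec["msg"])
        if m:
            # Empty when the reason was cut off; smtracedefault.log on the Policy Server holds the real reason.
            tx["reason"] = m.group(1).strip() or None
    return outcome

def failed_transactions(log_text):
    """Only the transactions the assertion generator rejected (SAML2Response=NO)."""
    return {txid: tx for txid, tx in summarize_transactions(log_text).items()
            if tx["response"] == "NO"}

if __name__ == "__main__":
    for txid, tx in failed_transactions(SAMPLE_LOG).items():
        print(f"{tx['time']} {txid}: rejected, reason={tx['reason'] or 'not in this log'}")
```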


    Posted Jun 29, 2020 07:55 AM
    I also got a similar error and, as Hubert said, it can be for a variety of reasons. For me the root cause, as it showed in smtrace, was that the SP cert was expired and hence the verification failed.
    Though we could see in the UI that the cert was still valid, there must have been some changes at the SP for the cert.
    So we are renewing the cert to resolve this.