Symantec Access Management

  • 1.  what is authorizeEx call and what does its different values indicate?

    Posted Mar 22, 2018 05:21 PM

    I am getting the below error in the IdP-side FWSTrace logs. Here we can see the authorizeEx call is returning 1 and the assertion is not getting generated.

     

    [Request to policy server for generating saml2 assertion/artifact based on selected profile. [CHECKPOINT = SSOSAML2_GENERATEASSERTIONORARTIFACT_REQ]]
    [03/22/2018][15:20:24][30470][2576021248][10a7ec9b-42137cef-e81d3889-a1c655d8-8552e931-990][SSO.java][processAssertionGeneration][Transient IP check: false]
    [03/22/2018][15:20:24][30470][2576021248][10a7ec9b-42137cef-e81d3889-a1c655d8-8552e931-990][SSO.java][processAssertionGeneration][Result of authorizeEx call is: 1.]
    [03/22/2018][15:20:24][30470][2576021248][10a7ec9b-42137cef-e81d3889-a1c655d8-8552e931-990][SSO.java][processAssertionGeneration][Received the assertion/artifact response based on profile selected. [CHECKPOINT = SSOSAML2_RECEIVEDASSERTION_RSP]]
    [03/22/2018][15:20:24][30470][2576021248][10a7ec9b-42137cef-e81d3889-a1c655d8-8552e931-990][SSO.java][processAssertionGeneration][Transaction with ID: 10a7ec9b-42137cef-e81d3889-a1c655d8-8552e931-990 failed. Reason: FAILED_NO_ATTR_RETURNED]
    [03/22/2018][15:20:24][30470][2576021248][10a7ec9b-42137cef-e81d3889-a1c655d8-8552e931-990][SSO.java][processAssertionGeneration][Denying request due to no attribute returned from SAML2 assertion generator.]
    [03/22/2018][15:20:24][30470][2576021248][10a7ec9b-42137cef-e81d3889-a1c655d8-8552e931-990][SSO.java][processAssertionGeneration][Sending error for unsolicited response]



  • 2.  Re: what is authorizeEx call and what does its different values indicate?
    Best Answer

    Posted Mar 22, 2018 06:59 PM

    The return codes for AuthorizeEx are basically the same as for the sm_agentAPI in the SDK. In particular, a return code of 1 means YES, which in turn means that the AuthorizeEx has been completed; -1 indicates a communication failure between agent and policy server; -2 indicates a connection timeout; and -3 means no existing connection.


    Now going back to your problem. The logs you have posted clearly suggest that the transaction 10a7ec9b-42137cef-e81d3889-a1c655d8-8552e931-990 has failed and that NO ATTRIBUTES were returned to generate an assertion.

     

    As a next step, use the transaction ID 10a7ec9b-42137cef-e81d3889-a1c655d8-8552e931-990 and look into your Policy Server trace logs to understand what is going on.

     

    Regards

    Paul Merugu

    Architect

    CA Services
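
One way to triage traces like the one in this thread, as an added example that is not part of the original posts and is not vendor code: it groups FWSTrace lines by transaction ID, maps the authorizeEx result using only the meanings given in the answer, and flags transactions that were authorized but still failed. The function names, the output field names and the sample lines are assumptions constructed for illustration.

```python
import re

# Layout copied from the FWSTrace lines in the question:
# [date][time][number][number][transaction id][source file][method][message]
LINE_RE = re.compile(
    r"^\s*\[[^\]]+\]\[[^\]]+\]\[\d+\]\[\d+\]"
    r"\[(?P<txn>[0-9a-f-]+)\]\[[^\]]+\]\[[^\]]+\]\[(?P<msg>.*)\]\s*$"
)
AUTHZ_RE = re.compile(r"Result of authorizeEx call is: (-?\d+)")
REASON_RE = re.compile(r"failed\. Reason: (\w+)")

# Meanings as given in the answer above; it does not cover other values.
AUTHZ_MEANING = {1: "YES", -1: "communication failure between agent and policy server",
                 -2: "connection timeout", -3: "no existing connection"}

def summarize(lines):
    """Group trace lines by transaction ID; record authorizeEx result and failure reason."""
    txns = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. the bare checkpoint line, which has no transaction ID
        entry = txns.setdefault(m["txn"], {"authorize_ex": None, "reason": None})
        if a := AUTHZ_RE.search(m["msg"]):
            entry["authorize_ex"] = int(a.group(1))
        if r := REASON_RE.search(m["msg"]):
            entry["reason"] = r.group(1)
    for entry in txns.values():
        code = entry["authorize_ex"]
        entry["meaning"] = AUTHZ_MEANING.get(code, "not covered by the answer")
        # Authorized (1) yet failed: look up this ID in the policy server trace next.
        entry["check_policy_server_trace"] = code == 1 and entry["reason"] is not None
    return txns

def trace_line(txn, msg):
    return f"[01/01/2024][10:00:00][1000][2000][{txn}][SSO.java][processAssertionGeneration][{msg}]"

# Constructed sample in the question's format; IDs and field values are made up.
TXN_A = "aaaaaaaa-bbbbbbbb-cccccccc-dddddddd-eeeeeeee-001"
TXN_B = "aaaaaaaa-bbbbbbbb-cccccccc-dddddddd-eeeeeeee-002"
SAMPLE = [
    "[Request to policy server for generating saml2 assertion/artifact. [CHECKPOINT = EXAMPLE]]",
    trace_line(TXN_A, "Result of authorizeEx call is: 1."),
    trace_line(TXN_A, f"Transaction with ID: {TXN_A} failed. Reason: FAILED_NO_ATTR_RETURNED"),
    trace_line(TXN_B, "Result of authorizeEx call is: -2."),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```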