Symantec Access Management

  • 1.  Validating the retrieved NameID fails -1 : value is null

    Posted Mar 16, 2018 10:40 AM

    Hi all,

     

    I have created a partnership where validation of the Name ID type is failing.

     

    In the smtracedefault logs I can see that the user has that particular attribute, which is configured as Name ID at the IDP end.

    "Validating the retrieved NameID fails -1 : value is null, Assertion will not be generated"

    On accessing the application, I am getting:

     

    HTTP Status 401 - Authentication Failed: Error validating SAML message

    Can someone help me with what I should check or edit to make the partnership work?

     

    Regards,

    Shrawan



  • 2.  Re: Validating the retrieved NameID fails -1 : value is null

    Posted Mar 16, 2018 12:22 PM

    Shrawan shrawan.bhagwat

     

    What is CA SSO in this case acting as, SP or IdP? I am assuming SP? Please confirm.

     

    Check your partnership: do you have "Allow IDP to create user identifier" enabled? If it is enabled (checked), do you really need that feature? If yes, do you have write access to the User Store?



  • 3.  Re: Validating the retrieved NameID fails -1 : value is null

    Posted Mar 16, 2018 12:28 PM

    Hi Dennis,

     

    CA SSO is acting as IDP in this.

    "Allow IDP to create user identifier" is disabled.

     

    Regards,

    Shrawan



  • 4.  Re: Validating the retrieved NameID fails -1 : value is null

    Posted Mar 16, 2018 12:48 PM

    Thank You Shrawan shrawan.bhagwat

     

    Are we using an SP-initiated flow, i.e. generated from the SP end with a SAML AuthnRequest? If yes, does the SAML AuthnRequest have "AllowCreate=TRUE"?

     

    Could you also suggest

    • what version of CA SSO Policy Server ?
    • what version of CA SSO WA / WAOP or CA SSO AG ?

     

    Could you make sure the attribute that is specified against NameID in the IdP --> SP Partnership does not have a null value? For example, if we specified NameID=UID, make sure UID is not null in the User Store.

     

    Based on the table below and your configuration, I'm guessing we should be falling under the 2nd, 4th or 6th scenarios. Do you have any more detailed logging from smtracedefault.log (sanitize your log lines of sensitive / identity info)?

     



  • 5.  Re: Validating the retrieved NameID fails -1 : value is null

    Posted Mar 17, 2018 02:29 AM

    Hi Dennis,

     

    Thanks.

     

    PS version- R12.52 SP01 CR06

    WSOP version- R12.52 SP01 CR06

     

    I have tried with another user ID and the message "Validating the retrieved NameID fails -1 : value is null, Assertion will not be generated" disappeared from the logs. I think this was because the previous user did not have a proper attribute value, as you said.

     

    As I can see in the logs, AllowCreate is not set in the AuthnRequest. Is it because of this that I am getting that error? Because this time, with the new user, I can see a proper response generated.

     

    Sorry, because of security I can't share logs here.

     

    Regards,

    Shrawan
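
Added example, not part of the original thread and not CA/Symantec code: a Python check for the two things asked about above, whether a captured SP-initiated AuthnRequest carries `AllowCreate` in its `NameIDPolicy`, and whether the user attribute mapped to NameID is null. It assumes the request was sent over the HTTP-Redirect binding (base64 of raw DEFLATE); the sample request, the user records and the `uid` attribute name are constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

def decode_redirect_samlrequest(value):
    """HTTP-Redirect binding: base64 of raw-DEFLATE XML (already URL-decoded)."""
    return zlib.decompress(base64.b64decode(value), -15)  # -15 = no zlib header

def nameid_policy(authn_request_xml):
    # Diagnostic parse of a request you captured yourself; use a hardened
    # parser such as defusedxml for XML from untrusted sources.
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    if policy is None:
        return {"present": False, "format": None, "allow_create": False}
    # AllowCreate is an optional xs:boolean that defaults to false.
    allow = policy.get("AllowCreate", "false").strip().lower() in ("true", "1")
    return {"present": True, "format": policy.get("Format"), "allow_create": allow}

def nameid_is_usable(user_record, nameid_attr):
    value = user_record.get(nameid_attr)
    return value is not None and str(value).strip() != ""

def diagnose(saml_request, user_record, nameid_attr):
    policy = nameid_policy(decode_redirect_samlrequest(saml_request))
    findings = []
    if not policy["allow_create"]:
        findings.append("AllowCreate not set to true in AuthnRequest")
    if not nameid_is_usable(user_record, nameid_attr):
        findings.append(f"user attribute {nameid_attr!r} is null or empty")
    return findings

def encode_sample(xml):  # builds the constructed sample below
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml) + c.flush()).decode()

# Constructed sample data (hypothetical IDs, users and attribute name).
SAMPLE_REQUEST = encode_sample(
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_example1" Version="2.0" IssueInstant="2018-03-16T10:00:00Z">'
    b'<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>'
    b'</samlp:AuthnRequest>')
USER_WITHOUT_UID = {"cn": "Example User", "uid": None}
USER_WITH_UID = {"cn": "Other User", "uid": "ouser"}
```

Calling `diagnose(SAMPLE_REQUEST, USER_WITHOUT_UID, "uid")` reports both conditions, while the same request with `USER_WITH_UID` reports only the missing `AllowCreate`, which helps separate the two causes discussed in the thread.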