I have created a partnership where validation of the Name ID type is failing.
In the smtracedefault logs I can see that the user has that particular attribute, which is configured as Name ID at the IDP end.
"Validating the retrieved NameID fails -1 : value is null, Assertion will not be generated"
On accessing the application, I am getting:
HTTP Status 401 - Authentication Failed: Error validating SAML message
Can someone help me with what I should check or edit to make the partnership work?
What is CA SSO in this case acting as, SP or IdP? I am assuming SP? Please confirm.
Check your partnership: do you have "Allow IDP to create user identifier" enabled? If it is enabled (checked), do you really need that feature? If yes, do you have write access to the User Store?
CA SSO is acting as IDP in this.
"Allow IDP to create user identifier" is disabled.
Thank You Shrawan shrawan.bhagwat
Are we using an SP-initiated flow, i.e. generated from the SP end with a SAML AuthnRequest? If yes, does the SAML AuthnRequest have "AllowCreate=TRUE"?
Could you also suggest
Could you make sure the attribute that is specified against NameID in the IdP --> SP Partnership does not have a null value? E.g., if we specified NameID=UID, make sure UID is not null in the User Store.
Based on the below table and your configuration, I'm guessing we should be falling under the 2nd, 4th or 6th scenarios. Do you have any more detailed logging from smtracedefault.log (sanitize your log lines of sensitive / identity info)?
PS version- R12.52 SP01 CR06
WSOP version- R12.52 SP01 CR06
I have tried with another user ID and the message "Validating the retrieved NameID fails -1 : value is null, Assertion will not be generated" disappeared from the logs. I think this was because the previous user did not have a proper attribute value, as you said.
As I can see in the logs, AllowCreate is not set in the AuthnRequest. Is it because of this that I am getting that error? Because this time, with the new user, I can see a proper response generated.
Sorry, because of security, I can't share logs here.
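
The two checks suggested in this thread (whether the NameID attribute is empty for the user, and whether the AuthnRequest's NameIDPolicy sets AllowCreate), as an added example that is not part of the original thread and is not CA SSO code. The user entries, the `uid` attribute name and the AuthnRequest are constructed, and the SAMLRequest value is assumed to be the already URL-decoded parameter from the HTTP-Redirect binding.

```python
import base64
import zlib
import xml.etree.ElementTree as ET  # fine for a request you captured yourself; use a hardened parser on untrusted XML

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

def decode_redirect_saml_request(value: str) -> bytes:
    """HTTP-Redirect binding: the XML is raw-DEFLATE compressed, then base64 encoded."""
    return zlib.decompress(base64.b64decode(value), -15)  # -15 = raw DEFLATE, no zlib header

def name_id_policy(authn_request_xml: bytes) -> dict:
    """Report what the SP asked for in <samlp:NameIDPolicy>."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    if policy is None:
        return {"present": False, "format": None, "allow_create": False}
    # AllowCreate is an xs:boolean ("true"/"1"); when absent it defaults to false.
    allow = policy.get("AllowCreate", "false").strip()
    return {"present": True, "format": policy.get("Format"),
            "allow_create": allow in ("true", "1")}

def name_id_value(user_entry: dict, name_id_attr: str):
    """Return the usable NameID value, or None when the attribute is missing or blank."""
    values = user_entry.get(name_id_attr) or []
    if isinstance(values, str):
        values = [values]
    return next((v.strip() for v in values if v and v.strip()), None)

def _deflate_b64(xml: bytes) -> str:
    """Helper used only to build the constructed sample below."""
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(xml) + c.flush()).decode()

# Constructed sample data (hypothetical IDs and users, not taken from the thread).
SAMPLE_XML = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_constructed1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">'
    b'<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>'
    b'</samlp:AuthnRequest>')
SAMPLE_SAMLREQUEST = _deflate_b64(SAMPLE_XML)
USERS = {"jdoe": {"uid": ["jdoe"]}, "asmith": {"uid": [""]}}  # asmith has a blank uid

if __name__ == "__main__":
    print(name_id_policy(decode_redirect_saml_request(SAMPLE_SAMLREQUEST)))
    for name, entry in USERS.items():
        print(name, "->", name_id_value(entry, "uid") or "NameID attribute is empty")
```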