I'm setting up a partnership federation on Access Gateway r12.8 sp05 on Windows 2019. Policy server r12.8 (no service pack) is on Windows 2016. My issue is similar to this link:
https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=796323
except my problem is on the IdP side.
Requests to https://<fqdn>/affwebservices/assertionretriever behave as expected: the initial request results in a basic dialogue box to enter credentials, then the access gateway responds with "Assertion Retrieval Service has been successfully initialized. The requested service accepts only HTTP POST requests." That tells me the assertion retrieval service is healthy and SSL is working, so that's a good start.
I have a partnership federation configured with a local SAML2 IDP and remote SAML2 SP. I use the SSL Service URL in a fresh browser:
https://gateway.Local-IdP.com/affwebservices/redirectjsp/redirect.jsp?SPID=https://service.RemoteSP.com/saml/SSO
and am expecting a redirect to the configured Authentication URL which is protected by a policy. Here's what happens:
HTTP Status 400 – Bad Request
Type Status Report
Message <H2> Bad Request </H2><BR><BR> The SMPORTALURL could not be found.
Description The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).
I've checked and re-checked the entity and partnership configurations and am not seeing anything that might lead to such an error. I've verified that both the policy server and the access gateway have JDK unlimited JCE enabled. A session store is NOT enabled at the IdP. Unlike the SP, I would not expect a session store to be a requirement at the IdP.
Any suggestions would be appreciated.
------------------------------
Sr. Services Consultant
MIRIMAR Consulting
------------------------------