Policy Server is not generating a SAML assertion and reports this message: [Validating the retrieved NameID fails -1 : value is null, Assertion will not be generated.]
Users receive HTTP 500 and smps.log does not show any error.
Release : 12.8
Component : SITEMINDER - POLICY SERVER
The Policy Server refuses to generate the assertion because the NameID value cannot be null.
When configuring a Federation Partnership, you specify which user attribute is read and used for the NameID.
If that user attribute has no value, the Policy Server cannot generate the assertion, because the NameID is a mandatory value.
Normally, when the Policy Server refuses to generate an assertion because the requesting user is not authorized or an error occurred somewhere, you would see SAMLResponse=NO, which indicates that the Policy Server rejected the request to generate the assertion.
In this case, however, it is not an error; a prerequisite is simply not met.
The NameID is a mandatory part of the assertion and must be populated, but the login attribute value returned null.
Because the NameID value cannot be null, the Policy Server gives up generating the assertion.
In the following sample, the user attribute "UserID2" is used for the NameID and it returned a null value.
[AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Configured NameID format is "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
[AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Verified nameid policy exists [CHECKPOINT = SSOSAML2_IDPNAMEIDPOLICY_VERIFY]]
[AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Identity Provider is not allowed to create a new identifier to represent the principal.]
[SmAuthUser.cpp:2288][GetPropIndex][][][][][][][][Processing Attribute [Property = UserID2] [Trim Property = login] [Separator = ^]]
[AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Configured NameID: value of the User Attribute "UserID2"]
[AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Validating the retrieved NameID fails -1 : value is null, Assertion will not be generated.]
This is by design. You must ensure that the user attribute used for the NameID returns a value, or the assertion will not be generated.
You may be able to use Attribute Mapping to resolve one attribute in a user directory to another attribute so that a value is returned.
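The trace lines above carry everything needed to triage this condition: the configured NameID format, whether the IdP may create a new identifier, the user attribute chosen as the NameID source, and the final rejection. The following script is an added example (not part of this article and not CA/Broadcom code) that parses trace lines in the bracketed [source][function][]...[message] layout shown above, detects the "value is null" rejection, and reports which attribute must be populated (or mapped via Attribute Mapping). The sample log is the article's own lines embedded inline so the script runs offline; the TraceLine/NameIdFinding names, the line layout regex, and the reading of the "Trim Property" field as informational context are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the trace lines quoted in the article, embedded so the
# script runs offline. In practice, feed it the affected trace file instead.
SAMPLE_LOG = """\
[AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Configured NameID format is "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
[AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Verified nameid policy exists [CHECKPOINT = SSOSAML2_IDPNAMEIDPOLICY_VERIFY]]
[AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Identity Provider is not allowed to create a new identifier to represent the principal.]
[SmAuthUser.cpp:2288][GetPropIndex][][][][][][][][Processing Attribute [Property = UserID2] [Trim Property = login] [Separator = ^]]
[AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Configured NameID: value of the User Attribute "UserID2"]
[AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Validating the retrieved NameID fails -1 : value is null, Assertion will not be generated.]
"""

# Assumed line layout: [source][function] followed by any number of empty
# fields and a final message field. The message may itself contain brackets,
# so it is captured greedily up to the closing ']' at end of line.
LINE_RE = re.compile(r'^\[([^\]]*)\]\[([^\]]*)\](?:\[\])*\[(.*)\]$')
FORMAT_RE = re.compile(r'Configured NameID format is "([^"]+)"')
ATTR_RE = re.compile(r'Configured NameID: value of the User Attribute "([^"]+)"')
PROP_RE = re.compile(r'Processing Attribute \[Property = ([^\]]+)\] \[Trim Property = ([^\]]+)\]')
FAIL_RE = re.compile(r'Validating the retrieved NameID fails (-?\d+) : value is null')


@dataclass
class TraceLine:
    source: str
    function: str
    message: str


@dataclass
class NameIdFinding:
    attribute: Optional[str]      # user attribute configured as the NameID source
    nameid_format: Optional[str]  # NameID format the partnership is configured with
    allow_create: Optional[bool]  # False when the IdP may not mint a new identifier
    trim_property: Optional[str]  # "Trim Property" reported by SmAuthUser (context only)
    return_code: int              # numeric code from the validation failure line


def parse_line(raw: str) -> Optional[TraceLine]:
    """Split one bracketed trace line into source, function and message."""
    m = LINE_RE.match(raw.strip())
    if not m:
        return None
    return TraceLine(*m.groups())


def diagnose(log_text: str) -> Optional[NameIdFinding]:
    """Scan a trace for the NameID-is-null rejection and collect the context
    needed to fix it. Returns None when no such rejection is present."""
    attribute = nameid_format = trim_property = None
    allow_create = None
    for raw in log_text.splitlines():
        line = parse_line(raw)
        if line is None:
            continue  # not a bracketed trace line; ignore
        msg = line.message
        if (m := FORMAT_RE.search(msg)):
            nameid_format = m.group(1)
        elif 'not allowed to create a new identifier' in msg:
            allow_create = False
        elif (m := PROP_RE.search(msg)):
            trim_property = m.group(2)
        elif (m := ATTR_RE.search(msg)):
            attribute = m.group(1)
        elif (m := FAIL_RE.search(msg)):
            return NameIdFinding(attribute, nameid_format, allow_create,
                                 trim_property, int(m.group(1)))
    return None


def remediation(finding: NameIdFinding) -> str:
    """Turn a finding into the action the article prescribes."""
    attr = finding.attribute or '<unknown attribute>'
    text = (f'NameID source attribute "{attr}" returned null; the Policy Server '
            f'will not generate an assertion (code {finding.return_code}). '
            f'Populate "{attr}" for the affected user(s), or use Attribute Mapping '
            f'to resolve it from another directory attribute that has a value.')
    if finding.allow_create is False:
        text += ' AllowCreate is not permitted, so the IdP cannot substitute a new identifier.'
    return text


if __name__ == '__main__':
    result = diagnose(SAMPLE_LOG)
    print(remediation(result) if result else 'No NameID null rejection found.')
```

Run it against a trace captured for one failing login; if diagnose() returns a finding, the attribute it names is the one to populate or map. Because the script only inspects the retrieveNameID lines, a trace that fails for a different reason (for example a SAMLResponse=NO rejection) correctly yields no finding here and should be triaged separately.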