Validating the retrieved NameID fails -1 : value is null, Assertion will not be generated


Article ID: 138304


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

Policy Server is not generating a SAML Assertion and reports this message: [Validating the retrieved NameID fails -1 : value is null, Assertion will not be generated.]

Users receive an HTTP 500 error, and smps.log does not show any error.

Environment

Release : 12.8

Component : SITEMINDER - POLICY SERVER

Cause

Policy Server refuses to generate the assertion because the NameID value cannot be null.

When configuring a Federation Partnership, you specify which user attribute is read and used as the NameID.

If this user attribute has no value, the Policy Server cannot generate the assertion, because the NameID is mandatory.

In normal circumstances, when the Policy Server refuses to generate an assertion because the requesting user is not authorized or an error occurred somewhere, you would see SAMLResponse=NO, which indicates that the Policy Server rejected the request to generate the assertion.

In this case, however, it is not an error condition; a prerequisite for generating the assertion is simply not met.


Resolution

The NameID is a mandatory part of the Assertion and must be populated, but the login attribute value returned null.

Because the NameID value cannot be null, the Policy Server gives up generating the assertion.

In the following sample trace, the user attribute "UserID2" is used for the NameID and has returned a null value.

[AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Configured NameID format is "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"] 

[AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Verified nameid policy exists [CHECKPOINT = SSOSAML2_IDPNAMEIDPOLICY_VERIFY]] 

[AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Identity Provider is not allowed to create a new identifier to represent the principal.] 

[SmAuthUser.cpp:2288][GetPropIndex][][][][][][][][Processing Attribute [Property = UserID2] [Trim Property = login] [Separator = ^]] 

[AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Configured NameID: value of the User Attribute "UserID2"] 

[AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Validating the retrieved NameID fails -1 : value is null, Assertion will not be generated.


This is by design. You must ensure that the user attribute configured for the NameID returns a value; otherwise the assertion will not be generated.

You may be able to use Attribute Mapping to resolve one attribute in the user directory to another attribute so that a value is returned.
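Because this condition is logged only in the trace and never as an error in smps.log, it is easy to miss. The following script is an added example, not part of this article or of the SiteMinder product: it scans trace output for the "Validating the retrieved NameID fails" message and reports, for each hit, which user attribute was configured for the NameID and which directory property it was resolved from, using the "Configured NameID" and "Processing Attribute" lines that precede it. The sample input is constructed from the excerpt above; the assumed field layout ([source][function][seven empty fields][message]) is taken from that excerpt, and a real trace file's layout depends on the trace configuration in use.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the trace excerpt quoted in the article.
# The field layout ([source][function][7 empty fields][message]) is an
# assumption taken from that excerpt; a real trace file's layout depends on
# the trace configuration in use.
SAMPLE_TRACE = """\
[AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Configured NameID format is "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
[AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Verified nameid policy exists [CHECKPOINT = SSOSAML2_IDPNAMEIDPOLICY_VERIFY]]
[AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Identity Provider is not allowed to create a new identifier to represent the principal.]
[SmAuthUser.cpp:2288][GetPropIndex][][][][][][][][Processing Attribute [Property = UserID2] [Trim Property = login] [Separator = ^]]
[AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Configured NameID: value of the User Attribute "UserID2"]
[AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Validating the retrieved NameID fails -1 : value is null, Assertion will not be generated.
"""

# Two named fields, seven empty placeholder fields, then the free-text message.
LINE_RE = re.compile(
    r"^\[(?P<source>[^\]]*)\]\[(?P<function>[^\]]*)\](?:\[[^\]]*\]){7}\[(?P<message>.*)$"
)
NAMEID_ATTR_RE = re.compile(
    r'Configured NameID: value of the User Attribute "(?P<attr>[^"]+)"'
)
PROP_RE = re.compile(
    r"Processing Attribute \[Property = (?P<prop>[^\]]+)\] \[Trim Property = (?P<trim>[^\]]+)\]"
)
FAIL_MARK = "Validating the retrieved NameID fails"


@dataclass
class TraceRecord:
    source: str
    function: str
    message: str


@dataclass
class NameIdFailure:
    line_no: int
    attribute: Optional[str]       # user attribute configured for the NameID
    trim_property: Optional[str]   # directory property it was resolved to
    message: str


def parse_trace_line(raw: str) -> Optional[TraceRecord]:
    """Split one bracketed trace line into source, function and message.

    The message may itself contain brackets, so only the final closing
    bracket is stripped; a truncated line without it is still accepted.
    """
    m = LINE_RE.match(raw.rstrip())
    if not m:
        return None
    message = m.group("message")
    if message.endswith("]"):
        message = message[:-1]
    return TraceRecord(m.group("source"), m.group("function"), message)


def find_nameid_failures(trace_text: str) -> List[NameIdFailure]:
    """Scan a trace for NameID validation failures.

    Remembers the most recently logged NameID attribute and the directory
    property it was resolved from, so each failure is reported together with
    the attribute that came back null.
    """
    attribute: Optional[str] = None
    trim_property: Optional[str] = None
    failures: List[NameIdFailure] = []
    for line_no, raw in enumerate(trace_text.splitlines(), start=1):
        rec = parse_trace_line(raw)
        if rec is None:
            continue
        attr_match = NAMEID_ATTR_RE.search(rec.message)
        if attr_match:
            attribute = attr_match.group("attr")
        prop_match = PROP_RE.search(rec.message)
        if prop_match:
            trim_property = prop_match.group("trim")
        if FAIL_MARK in rec.message:
            failures.append(NameIdFailure(line_no, attribute, trim_property, rec.message))
            attribute = trim_property = None  # the next request starts fresh
    return failures


if __name__ == "__main__":
    for f in find_nameid_failures(SAMPLE_TRACE):
        print(f"line {f.line_no}: NameID attribute {f.attribute!r} "
              f"(resolved from property {f.trim_property!r}) returned null")
```

Run against a real trace file by replacing SAMPLE_TRACE with the file's contents; the attribute name in each report is the one to check in the user directory, or to redirect with Attribute Mapping, for the affected users.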