We're running Federation Service to protect a specific application as
IdP, when the Federation Service receives the SAMLRequest, then the
browser get return code 403 :

  Denying request due to authorizeEx call failure,

and the Federation Service reports error :

  [11/19/2019][10:30:41][3574][106093424][7dba0f64-f4722bfe-2d257c8f-
  e4df07a8-5e82d906-ce2][SSO.java][processAssertionGeneration][Result
  of authorizeEx call is: 2.]

  [11/19/2019][10:30:41][3574][106093424][7dba0f64-f4722bfe-2d257c8f-
  e4df07a8-5e82d906-ce2][SSO.java][processAssertionGeneration][Received
  the assertion/artifact response based on profile selected. [CHECKPOINT
  = SSOSAML2_RECEIVEDASSERTION_RSP]]

  [11/19/2019][10:30:41][3574][106093424][7dba0f64-f4722bfe-2d257c8f-
  e4df07a8-5e82d906-ce2][SSO.java][processAssertionGeneration][Transaction
  with ID: 7d55ds64-f4ewe2bfe-2d257dsadd-e4ww07a8-5e82d906-ce2
  failed. Reason: FAILED_AUTHEX]

  [11/19/2019][10:30:41][3574][106093424][7dba0f64-f4722bfe-2d257c8f-
  e4df07a8-5e82d906-ce2][SSO.java][processAssertionGeneration][Denying
  request due to authorizeEx call failure.]

  [11/19/2019][10:30:41][3574][106093424][7dba0f64-f4722bfe-2d257c8f-
  e4df07a8-5e82d906-ce2][SSO.java][processAssertionGeneration][Sending
  403 error]

The user is authenticated by the User Directory where the email fields
has no value, then the user cannot get access to the application. You
need the product to get the email user attribute from the other User
Directory.

How can we fix that ?

Release : 12.52

Component : SITEMINDER -POLICY SERVER

In Federation Journey, you cannot get user attributes from more than 1
User Directory if you run Policy Server and AdminUI version prior to
12.8SP3 as related in this thread :

  Re: SiteMinder Federation - how to retrieve attributes from 2 user
  directories for a single assertion

    Hello, In Federation you can not use Directory Mapping as you could
    use for A standard SiteMinder integration (Authenticate in directory A
    and authorize in directory B). You can not retrieve attributes from
    multiple user directories. You can retrieve attributes from the
    directory where you have been authenticated. As krish04 told you, you
    can maybe archive that by using a custom assertion plug-in
    generator. Hope it helps, Julien.

  https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=736349

If you upgrade the environment to 12.8SP3, then you'll benifit this
feature which will allow you to get the user authenticated in one User
Directory and the email value picked from a second User Directory :

  Identity Mapping for Federation Partnerships

    You can now configure the Identity Mapping feature in SAML 2.0
    IdP SP partnerships. This feature allows you to perform user
    authentication and authorization using different user directories at
    IdP. Attributes are returned from the user directory that authorizes a
    user.  In Administrative UI, the Configure Partnership step of
    partnership creation now includes new fields to enable the feature.

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/release-notes/new-features.html#concept.dita_0384d3ef52101beffdb5469f329c50f18cfc48ee_IdentityMappingforFederationPartnerships

Identity Mapping in SAML 2.0 Federation

  Identity Mapping in a SAML 2.0 IdP -> SP federation partnership lets
  you authenticate users with one user directory and authorize them with
  another user directory at IdP. The assertion attributes are returned
  from the user directory that authorizes the user.

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/generate-aggregate-user-attributes-in-saml-2-0-federation/identity-mapping-in-saml-2-0-federation.html

Out of the Box, Policy Server has no functionality to validate if the
value of the email attribute is empty or not, and if empty to search
the next directory.

The expression are used as filter to check and process different
attributes for the "same" User Director as related in this community
thread :

  Some extra help with SiteMinder expression attribute
  https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=801496

The most probable way to search the user in the first directory, and
if the email value is null to search for it in the second directory
will be to create a Custom Assertion Generator Plugin, which will
avoid that error :

  [11/19/2019][10:30:41][3574][106093424][7dba0f64-f4722bfe-2d257c8f
  -e4df07a8-5e82d906-ce2][SSO.java][processAssertionGeneration][Received
  the assertion/artifact response based on profile
  selected. [CHECKPOINT = SSOSAML2_RECEIVEDASSERTION_RSP]]

  [11/19/2019][10:30:41][3574][106093424][7dba0f64-f4722bfe-2d257c8f
  -e4df07a8-5e82d906-ce2][SSO.java][processAssertionGeneration]
  [Transaction with ID: 7dba0f64-f4722bfe-2d257c8f-e4df07a8-5e82d906-ce2 
   failed. Reason: FAILED_AUTHEX]

  [11/19/2019][10:30:41][3574][106093424][7dba0f64-f4722bfe-2d257c8f-
  e4df07a8-5e82d906-ce2][SSO.java][processAssertionGeneration]
  [Denying request due to authorizeEx call failure.]