When running Federation Service to protect a specific application as
IdP, when the IdP Federation Service receives the SAMLRequest, then
the browser get return code 403 :

  Denying request due to authorizeEx call failure,

and the IdP Federation Service reports error :

  [11/19/2019][10:30:41][3574][106093424][7dba0f64-f4722bfe-2d257c8f-e4df07a8-5e82d906-ce2]
  [SSO.java][processAssertionGeneration][Result of authorizeEx call is: 2.]

  [11/19/2019][10:30:41][3574][106093424][7dba0f64-f4722bfe-2d257c8f-e4df07a8-5e82d906-ce2]
  [SSO.java][processAssertionGeneration]
  [Received the assertion/artifact response based on profile selected.
  [CHECKPOINT = SSOSAML2_RECEIVEDASSERTION_RSP]]

  [11/19/2019][10:30:41][3574][106093424][7dba0f64-f4722bfe-2d257c8f-e4df07a8-5e82d906-ce2]
  [SSO.java][processAssertionGeneration]
  [Transaction with ID: 7d55ds64-f4ewe2bfe-2d257dsadd-e4ww07a8-5e82d906-ce2 failed. Reason: FAILED_AUTHEX]

  [11/19/2019][10:30:41][3574][106093424][7dba0f64-f4722bfe-2d257c8f-e4df07a8-5e82d906-ce2]
  [SSO.java][processAssertionGeneration][Denying request due to authorizeEx call failure.]

  [11/19/2019][10:30:41][3574][106093424][7dba0f64-f4722bfe-2d257c8f-e4df07a8-5e82d906-ce2]
  [SSO.java][processAssertionGeneration][Sending 403 error]

The user is authenticated by the User Directory where the email fields
has no value, then the user cannot get access to the application. The
email user attribute should be from the other User Directory.

Policy Server 12.52SP1

In Federation Journey, you cannot get user attributes from more than 1
User Directory if you run Policy Server and AdminUI version prior to
12.8SP3 as related in communities (1).

If you upgrade the environment to 12.8SP3, then you'll benefit this
feature which will allow you to get the user authenticated in one User
Directory and the email value picked from a second User Directory
(2)(3).

Out of the Box, Policy Server has no functionality to validate if the
value of the email attribute is empty or not, and if empty to search
the next directory.

The expression are used as filter to check and process different
attributes for the "same" User Director as related in this community
(4).

The most probable way to search the user in the first directory, and
if the email value is null to search for it in the second directory
will be to create a Custom Assertion Generator Plugin, which will
avoid that error :

  [11/19/2019][10:30:41][3574][106093424][7dba0f64-f4722bfe-2d257c8f-e4df07a8-5e82d906-ce2]
  [SSO.java][processAssertionGeneration]
  [Received the assertion/artifact response based on profile selected.
  [CHECKPOINT = SSOSAML2_RECEIVEDASSERTION_RSP]]

  [11/19/2019][10:30:41][3574][106093424][7dba0f64-f4722bfe-2d257c8f-e4df07a8-5e82d906-ce2]
  [SSO.java][processAssertionGeneration]
  [Transaction with ID: 7dba0f64-f4722bfe-2d257c8f-e4df07a8-5e82d906-ce2 failed. Reason: FAILED_AUTHEX]

  [11/19/2019][10:30:41][3574][106093424][7dba0f64-f4722bfe-2d257c8f-e4df07a8-5e82d906-ce2]
  [SSO.java][processAssertionGeneration]
  [Denying request due to authorizeEx call failure.]

(1)

    Re: SiteMinder Federation - how to retrieve attributes from 2 user
    directories for a single assertion

      Hello, In Federation you can not use Directory Mapping as you
      could use for A standard SiteMinder integration (Authenticate in
      directory A and authorize in directory B). You can not retrieve
      attributes from multiple user directories. You can retrieve
      attributes from the directory where you have been
      authenticated. As krish04 told you, you can maybe archive that
      by using a custom assertion plug-in generator. Hope it helps,
      Julien.

    https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=736349

(2)

    Identity Mapping for Federation Partnerships

      You can now configure the Identity Mapping feature in SAML 2.0
      IdP SP partnerships. This feature allows you to perform user
      authentication and authorization using different user
      directories at IdP. Attributes are returned from the user
      directory that authorizes a user.  In Administrative UI, the
      Configure Partnership step of partnership creation now includes
      new fields to enable the feature.

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/release-notes/new-features.html#concept.dita_0384d3ef52101beffdb5469f329c50f18cfc48ee_IdentityMappingforFederationPartnerships

(3)
  

    Identity Mapping in SAML 2.0 Federation

      Identity Mapping in a SAML 2.0 IdP -> SP federation partnership
      lets you authenticate users with one user directory and
      authorize them with another user directory at IdP. The assertion
      attributes are returned from the user directory that authorizes
      the user.

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/generate-aggregate-user-attributes-in-saml-2-0-federation/identity-mapping-in-saml-2-0-federation.html

(4)

    Some extra help with SiteMinder expression attribute
    https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=801496