We're running the Federation Service as IdP to protect a specific application. When the Federation Service receives the SAMLRequest, the browser gets return code 403:
Denying request due to authorizeEx call failure,
and the Federation Service reports the error:
[11/19/2019][10:30:41][3574][106093424][7dba0f64-f4722bfe-2d257c8f-e4df07a8-5e82d906-ce2][SSO.java][processAssertionGeneration][Result of authorizeEx call is: 2.]
[11/19/2019][10:30:41][3574][106093424][7dba0f64-f4722bfe-2d257c8f-e4df07a8-5e82d906-ce2][SSO.java][processAssertionGeneration][Received the assertion/artifact response based on profile selected. [CHECKPOINT = SSOSAML2_RECEIVEDASSERTION_RSP]]
[11/19/2019][10:30:41][3574][106093424][7dba0f64-f4722bfe-2d257c8f-e4df07a8-5e82d906-ce2][SSO.java][processAssertionGeneration][Transaction with ID: 7d55ds64-f4ewe2bfe-2d257dsadd-e4ww07a8-5e82d906-ce2 failed. Reason: FAILED_AUTHEX]
[11/19/2019][10:30:41][3574][106093424][7dba0f64-f4722bfe-2d257c8f-e4df07a8-5e82d906-ce2][SSO.java][processAssertionGeneration][Denying request due to authorizeEx call failure.]
[11/19/2019][10:30:41][3574][106093424][7dba0f64-f4722bfe-2d257c8f-e4df07a8-5e82d906-ce2][SSO.java][processAssertionGeneration][Sending 403 error]
The user is authenticated by a User Directory in which the email field has no value, so the user cannot get access to the application. You need the product to get the email user attribute from the other User Directory.
How can we fix that?
Release: 12.52
Component: SITEMINDER - POLICY SERVER
In the Federation flow, you cannot get user attributes from more than one User Directory if you run a Policy Server and AdminUI version prior to 12.8SP3, as explained in this thread:
Re: SiteMinder Federation - how to retrieve attributes from 2 user directories for a single assertion
Hello, In Federation you cannot use Directory Mapping as you could for a standard SiteMinder integration (authenticate in directory A and authorize in directory B). You cannot retrieve attributes from multiple user directories. You can retrieve attributes from the directory where you have been authenticated. As krish04 told you, you can maybe achieve that by using a custom assertion plug-in generator. Hope it helps, Julien.
https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=736349
If you upgrade the environment to 12.8SP3, you benefit from the following feature, which allows the user to be authenticated in one User Directory while the email value is picked from a second User Directory:
Identity Mapping for Federation Partnerships
You can now configure the Identity Mapping feature in SAML 2.0 IdP -> SP partnerships. This feature allows you to perform user authentication and authorization using different user directories at the IdP. Attributes are returned from the user directory that authorizes a user. In the Administrative UI, the Configure Partnership step of partnership creation now includes new fields to enable the feature.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/release-notes/new-features.html#concept.dita_0384d3ef52101beffdb5469f329c50f18cfc48ee_IdentityMappingforFederationPartnerships
Identity Mapping in SAML 2.0 Federation
Identity Mapping in a SAML 2.0 IdP -> SP federation partnership lets
you authenticate users with one user directory and authorize them with
another user directory at IdP. The assertion attributes are returned
from the user directory that authorizes the user.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/generate-aggregate-user-attributes-in-saml-2-0-federation/identity-mapping-in-saml-2-0-federation.html
Out of the box, the Policy Server has no functionality to check whether the value of the email attribute is empty and, if it is, to search the next directory.
Expressions are used as filters to check and process different attributes from the same User Directory, as explained in this community thread:
Some extra help with SiteMinder expression attribute
https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=801496
The most likely way to search for the user in the first directory and, if the email value is null, to search for it in the second directory is to create a Custom Assertion Generator Plugin, which avoids this error:
[11/19/2019][10:30:41][3574][106093424][7dba0f64-f4722bfe-2d257c8f-e4df07a8-5e82d906-ce2][SSO.java][processAssertionGeneration][Received the assertion/artifact response based on profile selected. [CHECKPOINT = SSOSAML2_RECEIVEDASSERTION_RSP]]
[11/19/2019][10:30:41][3574][106093424][7dba0f64-f4722bfe-2d257c8f-e4df07a8-5e82d906-ce2][SSO.java][processAssertionGeneration][Transaction with ID: 7dba0f64-f4722bfe-2d257c8f-e4df07a8-5e82d906-ce2 failed. Reason: FAILED_AUTHEX]
[11/19/2019][10:30:41][3574][106093424][7dba0f64-f4722bfe-2d257c8f-e4df07a8-5e82d906-ce2][SSO.java][processAssertionGeneration][Denying request due to authorizeEx call failure.]