SAML federation via IWA Sessionstore problem

Article Id: 143417

Status: Published

Updated On: 21-01-2020 00:45

Products:

CA Single Sign On Secure Proxy Server (SiteMinder) , AXIOMATICS POLICY SERVER , CA Single Sign On Agents (SiteMinder) , SITEMINDER , CA Single Sign On Federation (SiteMinder) , CA Single Sign On SOA Security Manager (SiteMinder) , SITEMINDER

Issue/Introduction:

We're running a Policy Server as IDP in Federation scenario and when a
user logs in, then then Policy Server faces a problem to set the
session data into the Session Store. The Policy Server log reports
error :

[2616/1932][Tue Jan 07 2020
11:55:41][SmSSInLDAPStore.cpp:1173][ERROR][sm_LoginLogout_01001] Fail
to create object
cn=mzL4dsadPlzAHHKi1NYrSTIf0\+mht2Zy3bmz9AaLx7qs\=,smSessionId=hcdsad1UA4Ip/n5ddsbz79jLdGkM\=,o=mysessionstore. (32)

[2616/1932][Tue Jan 07 2020
11:55:41][SmSessionServer.cpp:785][ERROR][sm-Server-06007]
failed. Error code : 2

[2616/1932][Tue Jan 07 2020
11:55:41][IsAuthorized.cpp:68][ERROR][sm-Server-02740]
SmSessionVariableProvider::SetSessionVariable() - SetVariable Failed for :
UserNameIDFormat.SP.21-4b15aa6c-f399-4158-a830-8f965545b81a

We've found the following KD reporting similar issue, but the
parameter request to be set from this one don't solve the issue.

IWA + Federation Configuration Issues
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=7614

How can we fix this ?

Environment:

Policy Server 12.8SP3 on RedHat 7

Resolution:

Check if the realms a all persistents and decide if persistency is
needed or not. Having a mixture of persistent and non-persistent
realms can provoke this error. Remove also all SLO configuration that
are not is use.