SAML federation via IWA Sessionstore problem

Article ID: 143417

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

 

We're running a Policy Server as IDP in a Federation scenario, and when a
user logs in, the Policy Server has a problem setting the
session data into the Session Store. The Policy Server log reports
this error:

  [2616/1932][Tue Jan 07 2020
  11:55:41][SmSSInLDAPStore.cpp:1173][ERROR][sm_LoginLogout_01001] Fail
  to create object
  cn=mzL4dsadPlzAHHKi1NYrSTIf0\+mht2Zy3bmz9AaLx7qs\=,smSessionId=hcdsad1UA4Ip/n5ddsbz79jLdGkM\=,o=mysessionstore. (32)

  [2616/1932][Tue Jan 07 2020
  11:55:41][SmSessionServer.cpp:785][ERROR][sm-Server-06007]
  failed. Error code : 2

  [2616/1932][Tue Jan 07 2020
  11:55:41][IsAuthorized.cpp:68][ERROR][sm-Server-02740]
  SmSessionVariableProvider::SetSessionVariable() - SetVariable Failed for :
  UserNameIDFormat.SP.21-4b15aa6c-f399-4158-a830-8f965545b81a

We've found the following KD reporting a similar issue, but the
parameter it asks to set doesn't solve the issue.

  IWA + Federation Configuration Issues
  https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=7614

How can we fix this?

 

Environment

 

Policy Server 12.8SP3 on RedHat 7

 

Resolution

 

Check whether all the realms are persistent, and decide whether
persistence is needed or not. Having a mixture of persistent and
non-persistent realms can provoke this error. Also remove all SLO
configurations that are not in use.
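
To confirm that a Policy Server log shows this signature, the errors from the excerpt in the Issue section can be tied together by thread and timestamp. The following is an added example, not code from this article or from the product: it re-joins wrapped log lines and reports each session-store create failure that coincides with a SetVariable failure. The sample log is constructed, and reading the trailing (32) as an LDAP result code is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, wrapped the way the excerpt in this article is; the DN,
# session id and variable names are placeholders, not values from a real system.
SAMPLE_LOG = """\
  [2616/1932][Tue Jan 07 2020
  11:55:41][SmSSInLDAPStore.cpp:1173][ERROR][sm_LoginLogout_01001] Fail
  to create object
  cn=EXAMPLE,smSessionId=EXAMPLE,o=mysessionstore. (32)

  [2616/1932][Tue Jan 07 2020
  11:55:41][IsAuthorized.cpp:68][ERROR][sm-Server-02740]
  SmSessionVariableProvider::SetSessionVariable() - SetVariable Failed for :
  UserNameIDFormat.SP.EXAMPLE

  [2616/2040][Tue Jan 07 2020 11:56:02][IsAuthorized.cpp:68][ERROR][sm-Server-02740]
  SmSessionVariableProvider::SetSessionVariable() - SetVariable Failed for : Other.EXAMPLE
"""

ENTRY = re.compile(r"\[(\d+)/(\d+)\]\[([^\]]+)\]\[([^\]:]+):\d+\]\[(\w+)\]\[([^\]]+)\]\s*(.*)")
CREATE_FAIL = re.compile(r"Fail to create object (.+)\. \((\d+)\)$")
SETVAR_FAIL = re.compile(r"SetVariable Failed for : (\S+)")
# Assumption: the trailing number is an LDAP result code (names per RFC 4511).
LDAP_CODES = {"32": "noSuchObject", "50": "insufficientAccessRights", "68": "entryAlreadyExists"}

def parse_entries(text):
    """Re-join wrapped lines, then split each entry into its bracketed fields."""
    joined = []
    for line in map(str.strip, text.splitlines()):
        if re.match(r"\[\d+/\d+\]\[", line):      # a new entry starts with [pid/tid][
            joined.append(line)
        elif line and joined:                     # continuation of a wrapped entry
            joined[-1] += " " + line
    return [m.groups() for m in map(ENTRY.fullmatch, joined) if m]

def correlate(text):
    """Pair session-store create failures with SetVariable failures on the same thread and second."""
    groups = defaultdict(lambda: {"creates": [], "vars": []})
    for pid, tid, ts, src, level, msgid, msg in parse_entries(text):
        g = groups[(pid, tid, ts)]
        if (m := CREATE_FAIL.search(msg)) and src == "SmSSInLDAPStore.cpp":
            g["creates"].append((m.group(1), LDAP_CODES.get(m.group(2), m.group(2))))
        elif m := SETVAR_FAIL.search(msg):
            g["vars"].append(m.group(1))
    return [
        {"thread": f"{pid}/{tid}", "time": ts, "dn": dn, "ldap": code, "variables": g["vars"]}
        for (pid, tid, ts), g in groups.items() for dn, code in g["creates"] if g["vars"]
    ]
```

Calling `correlate()` on the text of a Policy Server log returns one record per affected login; a SetVariable failure with no create failure on the same thread and second, like the last sample entry, is not reported.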