Long assertion being truncated on Policy Server


Article ID: 15587


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction



We have some users who are not able to log in through WSFederation, and we found out that the WSFederation response generated for these users is getting truncated, as they have huge group information that needs to be sent as part of the response.

When checking the logs we see in the assertion the group information being interrupted with the characters: .]

...
<ns1:AttributeValue>SampleAttributeValue-351</ns1:AttributeValue>
<ns1:AttributeValue>SampleAttributeValue-352</ns1:AttributeValue>
      .]
     
Could it be that the Policy Server is truncating it because it is a very long assertion? How can we fix this?

Environment

Policy Server R12.52 SP1 CR00 on Windows 2008 R2

Resolution

When the IDP generates an assertion that exceeds 48K, the Policy Server truncates it and sends the truncated assertion to WAOP on the IDP side.

This is fixed in R12.52 SP1 CR06:

00236681 DE102140 Policy Server truncates assertion data if the size of active response in assertion exceeds 48K.

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr06
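
To confirm whether an assertion captured from the logs was cut off, the check below (an added example, not CA code) parses it and reports whether it is well-formed, its size against the 48K limit, and the last complete AttributeValue. The SAML 1.x namespace bound to ns1, the reading of 48K as 48 KiB, and the sample input are assumptions.

```python
import xml.etree.ElementTree as ET

LIMIT_BYTES = 48 * 1024  # assumption: the article's "48K" read as 48 KiB
NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.x namespace, assumed for ns1


def check_assertion(xml_text):
    """Size, well-formedness and last complete AttributeValue of a logged assertion."""
    if "<!DOCTYPE" in xml_text:  # assertions carry no DTD; do not parse one
        raise ValueError("unexpected DTD in assertion")
    parser = ET.XMLPullParser(events=("end",))
    parser.feed(xml_text)  # a parse error here is queued, not raised
    values, error = [], None
    try:
        parser.close()  # raises ParseError if input ends with elements still open
    except ET.ParseError as exc:
        error = str(exc)
    try:
        # Events queued before the failure remain readable after close().
        for _event, elem in parser.read_events():
            if elem.tag == "{%s}AttributeValue" % NS:
                values.append((elem.text or "").strip())
    except ET.ParseError as exc:
        error = error or str(exc)
    size = len(xml_text.encode("utf-8"))
    return {
        "size_bytes": size,
        "over_limit": size > LIMIT_BYTES,
        "well_formed": error is None,
        "parse_error": error,
        "complete_values": len(values),
        "last_complete_value": values[-1] if values else None,
    }


def constructed_sample(count, cut_after=None):
    """Constructed test input: `count` values, optionally cut off like the logged one."""
    head = '<ns1:Assertion xmlns:ns1="%s"><ns1:AttributeStatement><ns1:Attribute>\n' % NS
    rows = ["<ns1:AttributeValue>SampleAttributeValue-%d</ns1:AttributeValue>\n" % i
            for i in range(1, count + 1)]
    if cut_after is not None:
        return head + "".join(rows[:cut_after]) + "      .]\n"
    return head + "".join(rows) + "</ns1:Attribute></ns1:AttributeStatement></ns1:Assertion>\n"


if __name__ == "__main__":
    for label, doc in (("complete", constructed_sample(900)),
                       ("truncated", constructed_sample(900, cut_after=352))):
        print(label, check_assertion(doc))
```

A truncated assertion is by definition no larger than the limit, so the well-formedness result is the signal for a cut-off document; the size check is for flagging complete assertions that would exceed 48K on a Policy Server without the fix.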

Additional Information

R12.52 SP1 CR06 Defects fixed