We are getting HTTP 500 errors for our Legacy Federation application. The 500 error occurs while the SP is consuming the assertion. The assertion looks valid and the user ID (NameID) exists in the configured user store.
Release : ALL
Component : SITEMINDER FEDERATION SECURITY SERVICES
FWSTrace.log showed that the 500 error occurred because the Target application was not protected. Because the SP uses Legacy Federation, the Target application must be protected with the SAML auth scheme.
AgentName resolution was not occurring as expected, so the request for the Target application was not matched to the agent whose realm protects it, leaving the Target application unprotected. After the AgentName ACO parameter was updated so that the agent name resolved correctly, the Target application was protected with the required SAML auth scheme and the problem was resolved.
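The following is an added illustration, not code from the KB article or from the SiteMinder product: a simplified model of how a Web Agent resolves AgentName from the request Host header, extended with a check of which auth scheme the resolved agent's realm applies to a federation target URL. It assumes the documented ACO value format AgentName=agentname,hostname with DefaultAgentName as the fallback, case-insensitive host matching, and (a simplification) that the port is ignored. The ACO export, agent names, realm paths and host names are constructed sample data.

```python
"""
Added example (not CA/Broadcom code): model AgentName resolution from an ACO
export and report whether a federation target URL lands in a realm protected
by a SAML auth scheme. Assumptions: ACO entries are "agentname,hostname",
matched case-insensitively against the Host header, DefaultAgentName is the
fallback, and the port is ignored (simplification).
"""
from urllib.parse import urlparse

# Constructed sample ACO export (hypothetical agent and host names).
SAMPLE_ACO = """
DefaultAgentName=sp-default-agent
AgentName=sp-fed-agent,fed.sp.example.com
AgentName=sp-portal-agent,portal.sp.example.com
"""

# Constructed map of agent -> {realm resource filter: auth scheme}.
# Only sp-fed-agent has realms configured with the SAML auth scheme.
SAMPLE_REALMS = {
    "sp-fed-agent": {"/affwebservices/": "SAML2 Auth", "/target/": "SAML2 Auth"},
    "sp-default-agent": {},  # nothing is protected under the default agent
}


def parse_aco(text):
    """Return (DefaultAgentName, {hostname: agentname}) from ACO text."""
    default = None
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "DefaultAgentName":
            default = value
        elif key == "AgentName":
            # Assumed format: agentname,hostname (hostname lower-cased for matching)
            name, _, host = value.partition(",")
            if host.strip():
                mapping[host.strip().lower()] = name.strip()
    return default, mapping


def resolve_agent_name(host_header, default, mapping):
    """Pick the agent for a Host header; unmatched hosts fall back to the default."""
    host = host_header.split(":")[0].strip().lower()  # assumption: port ignored
    return mapping.get(host, default)


def auth_scheme_for(url, aco_text, realms):
    """Return (agent name, auth scheme) protecting the URL, or scheme None."""
    default, mapping = parse_aco(aco_text)
    u = urlparse(url)
    agent = resolve_agent_name(u.netloc, default, mapping)
    realm_map = realms.get(agent, {})
    # Longest matching resource filter wins, mirroring most-specific realm matching.
    best = max((p for p in realm_map if u.path.startswith(p)), key=len, default=None)
    return agent, (realm_map[best] if best else None)


def check_target(url, aco_text=SAMPLE_ACO, realms=SAMPLE_REALMS):
    """Classify a Legacy Federation target URL: OK, NON-SAML or UNPROTECTED."""
    agent, scheme = auth_scheme_for(url, aco_text, realms)
    if scheme is None:
        status = "UNPROTECTED"   # the 500-on-assertion-consumption case
    elif "SAML" in scheme.upper():
        status = "OK"            # what Legacy Federation requires
    else:
        status = "NON-SAML"      # acceptable only with Partnership Federation
    return agent, scheme, status


if __name__ == "__main__":
    for target in ("https://fed.sp.example.com/target/app",
                   "https://www.sp.example.com/target/app"):
        print(target, "->", check_target(target))
```

The second sample URL shows the failure mode from this article: the host does not match any AgentName entry, the request falls through to DefaultAgentName, no realm under that agent covers the target, and the assertion consumer has nothing to hand the user to. Run it against your own ACO export and realm list to confirm the resolved agent is the one whose realm carries the SAML auth scheme.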
One advantage of Partnership Federation over Legacy Federation is that in Partnership Federation the Target application can be protected with any regular (non-SAML) auth scheme. This allows unauthenticated internal users to request the application directly without going through SAML authentication. With Legacy Federation, the Target application must be protected with the SAML auth scheme, and as such, if an unauthenticated user requests the application directly, a 500 error occurs: the web agent has no way to challenge the user in that situation, because the SAML auth scheme can only perform assertion-based authentication.