unable to resolve agent name samlsp: agentname

book

Article ID: 207782

calendar_today

Updated On:

Products

SITEMINDER CA Single Sign On Federation (SiteMinder)

Issue/Introduction

Customer has a federation setup, the partnership is no longer working after policy server upgrade.

Siteminder is IDP.

When user initiates IDP login, smsession is created.

However, the moment user hits affwebservice on access gateway, current smsession is validated, but immediately smsession becomes logged off.

User is redirected to authentication page again.

The API call return value from access gateway to policy server is -1.

Policy server side trace log shows only one error "unable to resolve agent name samlsp: agentname", this is after smsession is validated and user is authorized.

There are many other partnerships in this setup working actively just fine.

 

Cause

"samlsp: agentname" is part of configuration that is not visible from admin ui partnership.

This partnership may had data corruption at some point, and recently customer recreated it.

The agent must be resolved in order for federation transaction to continue. Not resolving the agent, is the direct cause of the transaction failure.

Environment

Release : 12.8.04

Component : SITEMINDER FEDERATION SECURITY SERVICES

Resolution

1. Use XPSExplorer to verify partnership base (62) object is valid, and has valid agent link.  Then follow the agent link, ensure the agent object can be located. 

2. Recycle policy server to clear cache rebuild, since customer recreated this partnership recently.  This did resolve the problem.

Sometimes,  access gateway may need to be recycled as well.