Sporadic Failure of Federation with Message Reason: NO_SAML_REQUEST_OR_SPID

Article ID: 209434

Products

CA Single Sign On Agents (SiteMinder)

Issue/Introduction

We are receiving a sporadic error, Reason: NO_SAML_REQUEST_OR_SPID (, , ), in an SP-initiated federation after the user is authenticated at the IDP. The error occurs upon the user returning to the saml2sso URL.

The failed URL can be seen as <domain name>/affwebservices/public/saml2sso?SMASSERTIONREF=QUERY

I have already done some research into the error. I have read the KB article https://knowledge.broadcom.com/external/article?articleId=37629 

It sounds like on some occasions, the authentication context is lost.

In our environment

1. Session store is enabled on all policy servers

2. HTTP POST is used to receive SAML Authentication Request from SP

3. "Secure URL" is used in IDP partnership. 

The sporadic error is causing failures in the login process, stopping users from successfully logging into the SP application.

 

 

Cause

Since the SAMLRequest (authnrequest) was received via POST binding, the post data needs to be held in the Policy Server's session store while the user is authenticated. In this instance, the Policy Server was unable to retrieve the SAMLRequest data from the session store after the user authenticated. This was because the user took longer than 3 minutes to authenticate. The federation GUID cookie associated with this use case has a default timeout of 3 minutes, after which the browser will no longer present this cookie. Without the cookie, the SAMLRequest data cannot be retrieved from the session store.

Environment

Release : ALL

Component : SITEMINDER -FEDERATION

Resolution

By default the timeout value of the federation GUID cookie is 180 seconds, but this can be adjusted as high as 9999 seconds in the SSO section of the SSO and SLO page of the Partnership.
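
To confirm that slow authentications are behind the sporadic failures described under Cause, the following added example (not Broadcom's code) measures the time between each POSTed AuthnRequest and the user's return to `saml2sso?SMASSERTIONREF=QUERY`. It assumes the IdP web server writes an NCSA common-format access log, that the AuthnRequest is POSTed to the same saml2sso path, and that requests can be correlated by client IP; `find_slow_returns` and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime

# Default lifetime of the federation GUID cookie, per the article (seconds).
GUID_COOKIE_TIMEOUT = 180
SSO_PATH = "/affwebservices/public/saml2sso"

# Assumed log layout: NCSA common log format (adjust for your web server).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) '
)

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:09:00:05 +0000] "POST /affwebservices/public/saml2sso HTTP/1.1" 302 0
198.51.100.7 - - [12/Mar/2024:09:00:50 +0000] "GET /affwebservices/public/saml2sso?SMASSERTIONREF=QUERY HTTP/1.1" 200 5120
203.0.113.9 - - [12/Mar/2024:09:01:10 +0000] "POST /affwebservices/public/saml2sso HTTP/1.1" 302 0
203.0.113.9 - - [12/Mar/2024:09:05:42 +0000] "GET /affwebservices/public/saml2sso?SMASSERTIONREF=QUERY HTTP/1.1" 200 312
192.0.2.44 - - [12/Mar/2024:09:06:00 +0000] "GET /affwebservices/public/saml2sso?SMASSERTIONREF=QUERY HTTP/1.1" 200 312
"""

def find_slow_returns(log_text, timeout=GUID_COOKIE_TIMEOUT):
    """Return (ip, seconds) for each return to saml2sso that came more than
    `timeout` seconds after that client's last POSTed AuthnRequest. seconds is
    None when no earlier POST was seen for the client (nothing to correlate)."""
    last_post = {}   # client IP -> time of its most recent POST to saml2sso
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line is not in the assumed format
        path, _, query = m["url"].partition("?")
        if path != SSO_PATH:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["method"] == "POST":
            last_post[m["ip"]] = ts
        elif "SMASSERTIONREF=QUERY" in query:
            start = last_post.pop(m["ip"], None)
            if start is None:
                findings.append((m["ip"], None))
            elif (ts - start).total_seconds() > timeout:
                findings.append((m["ip"], int((ts - start).total_seconds())))
    return findings

if __name__ == "__main__":
    for ip, gap in find_slow_returns(SAMPLE_LOG):
        print(ip, "no POST seen" if gap is None else f"returned after {gap}s")
```

Re-running with `timeout` set to the value planned for the partnership shows which of the observed returns would still arrive after the cookie has expired.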