
SAML Cookie syntax error after Spectrum upgrade to 21.2.1 when using MS Azure for authentication


Article ID: 224779


Updated On:


CA Spectrum


We upgraded to and now have problems logging in with SAML, as we now get frequent errors which speak of invalid SAML IDs.

It was working before upgrade and no SAML ID errors were seen on Azure.

In the Tomcat log, we see the token begins with a number. The customer is refreshing until he gets a correct token.

2021-09-01 15:23:13 INFO  SAMLProcessorImpl:389 - Issuer url:
2021-09-01 15:23:20 INFO  SAMLProcessorImpl:389 - Issuer url:
2021-09-01 15:34:20 INFO  SAMLProcessorImpl:389 - Issuer url:
2021-09-01 15:48:04 INFO  SAMLProcessorImpl:389 - Issuer url:
2021-09-01 15:48:53 INFO  SAMLProcessorImpl:389 - Issuer url:


Release : Spectrum
SAML integration with Microsoft Azure AD, which handles their authentication



MS Azure documents the following requirement, which Spectrum 21.2.1 does not meet due to a code change.

| Parameter | Type | Description |
| --- | --- | --- |
| ID | Required | Azure AD uses this attribute to populate the InResponseTo attribute of the returned response. ID must not begin with a number, so a common strategy is to prepend a string like "id" to the string representation of a GUID. For example, id6c1c178c166d486687be4aaf5e482730 is a valid ID. |

The code change in question was:

• Symptom:
 NetIQ Access Manager SAML IDP is not working with the default authorization requests.
 Code changes are made to customize the SAML AuthnRequest to give the required values for IdP. (DE499786, 32597919, 21.2.1)
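
To confirm that a login attempt is affected, the ID rule quoted from Azure AD above can be checked against a captured SAMLRequest value. The Python below is an added example, not Spectrum or Fediz code; it assumes the request travels over the HTTP-Redirect binding (raw DEFLATE plus base64), approximates the xs:ID rule with an ASCII subset, and uses constructed sample requests with a placeholder issuer.

```python
import base64
import re
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import unquote

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
# Simplification: ASCII subset of the NCName rule that the xs:ID type follows.
NCNAME_ASCII = re.compile(r"[A-Za-z_][A-Za-z0-9._-]*")

def new_request_id():
    """ID built the way the Azure AD text suggests: "id" + GUID hex."""
    return "id" + uuid.uuid4().hex

def encode_redirect(xml_text):
    """Raw DEFLATE then base64 (assumed HTTP-Redirect binding)."""
    comp = zlib.compressobj(wbits=-15)
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")

def decode_redirect(saml_request):
    """Reverse of encode_redirect; accepts a URL-encoded query value."""
    raw = base64.b64decode(unquote(saml_request))
    return zlib.decompress(raw, wbits=-15).decode("utf-8")

def check_authn_request(saml_request):
    """Return (ID, ok) for the AuthnRequest in a SAMLRequest value."""
    # For input you do not control, parse with defusedxml instead.
    root = ET.fromstring(decode_redirect(saml_request))
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a SAML 2.0 AuthnRequest")
    req_id = root.get("ID", "")
    return req_id, NCNAME_ASCII.fullmatch(req_id) is not None

def sample_request(req_id):
    """Constructed AuthnRequest for the demo; the issuer is a placeholder."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" '
        f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{req_id}" Version="2.0" IssueInstant="2021-09-01T15:23:13Z">'
        f'<saml:Issuer>https://spectrum.example.invalid/</saml:Issuer>'
        f'</samlp:AuthnRequest>'
    )

if __name__ == "__main__":
    for rid in ("6c1c178c166d486687be4aaf5e482730", new_request_id()):
        print(check_authn_request(encode_redirect(sample_request(rid))))
```

A result of `False` for a request ID that starts with a digit matches the intermittent failures described above, since a randomly generated hex ID only sometimes begins with a letter.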



To resolve this problem on 21.2.1:

1. Navigate to tomcat\conf\fediz_config.xml and add the below line in bold. The order does not matter.

   <protocol xmlns:xsi="" xsi:type="samlProtocolType" version="2.0">

2. Restart Tomcat.


Additional Information

This was fixed in 21.2.2 as part of US754294 : SAML : Support NetIQ during Spectrum upgrade.