The SAML SP connection fails with the exception below after upgrading to the 12.8 SP5 release.
------ Exception while Decrypting Attributes: java.lang.NullPointerException
- After upgrading the Policy Server to 12.8 SP5, validation of some of the FED applications showed that the Policy Server fails while consuming the assertion with a NullPointerException.
Upgrading the Policy Server from 12.8 SP3 (or any version lower than 12.8 SP5) to the 12.8 SP5 release can cause this exception.
CA SiteMinder Policy Server Version: Full Version=12.80.500.2546
This issue is also observed in build 2362 of 12.8 SP5, which is used for "AuthHub" (the 12.8 SP5 (Auth Hub Release) build number is 2362).
During attribute processing, the NullPointerException is raised as follows.
------ Cause:
<saml2:Conditions>
<saml2:AudienceRestriction>
<saml2:Audience>urn:federation:metlife</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
------ NotBefore and NotOnOrAfter are optional attributes (the Conditions element above carries neither), but our code does not check for null and tries to access them directly as if they were present in the assertion.
Exception while Decrypting Attributes: java.lang.NullPointerException
at com.netegrity.ps.auth.saml.Saml2Validator.checkAssertion(Unknown Source)
at com.netegrity.ps.auth.saml.Saml2Validator.smAuthenticate(Unknown Source)
at com.netegrity.ps.auth.saml.SamlValidator.smAuthenticate(Unknown Source)
------ Null checks have to be enabled for "notOnOrAfterXMLGC" and "notBeforeXMLGC".
------ If the exception is observed after upgrading the Policy Server to the 12.8 SP5 release, open a support ticket and reference this KB document and the SE Engineering team defect number below so that the support team will provide a PATCH.
- DE507610
We have a DEV FIX PATCH that resolves the exception described above.
This DEV FIX PATCH contains "smauthsaml.jar", which needs to be replaced on the Policy Server machine under the "$NETE_PS_ROOT/bin/jars" location.
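
The following is an added illustration of the null-safe handling described in the cause above; it is not the code in smauthsaml.jar or any part of the DEV FIX PATCH. The class and method names (ConditionsWindowCheck, optionalInstant, withinWindow) are hypothetical, and the sample XML and clock value are constructed.

```java
import java.io.StringReader;
import java.time.Instant;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class ConditionsWindowCheck {
    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Returns the attribute as an Instant, or null when the optional attribute is absent.
    // DOM getAttribute() returns "" for a missing attribute, so test presence explicitly.
    static Instant optionalInstant(Element e, String name) {
        return e.hasAttribute(name) ? Instant.parse(e.getAttribute(name)) : null;
    }

    // An omitted bound is unspecified: only a bound that is present is compared.
    static boolean withinWindow(Element conditions, Instant now) {
        Instant notBefore = optionalInstant(conditions, "NotBefore");
        Instant notOnOrAfter = optionalInstant(conditions, "NotOnOrAfter");
        if (notBefore != null && now.isBefore(notBefore)) return false;
        if (notOnOrAfter != null && !now.isBefore(notOnOrAfter)) return false;
        return true;
    }

    // Namespace-aware parse with DOCTYPE declarations rejected.
    static Element parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder()
                .parse(new InputSource(new StringReader(xml))).getDocumentElement();
    }

    public static void main(String[] args) throws Exception {
        String ns = " xmlns:saml2=\"" + SAML2_NS + "\"";
        // Constructed sample mirroring the Conditions element in this article (no time attributes).
        String bare = "<saml2:Conditions" + ns + "><saml2:AudienceRestriction>"
            + "<saml2:Audience>urn:federation:metlife</saml2:Audience>"
            + "</saml2:AudienceRestriction></saml2:Conditions>";
        // Constructed sample with both optional attributes present.
        String bounded = "<saml2:Conditions" + ns
            + " NotBefore=\"2024-01-01T00:00:00Z\" NotOnOrAfter=\"2024-01-01T00:05:00Z\"/>";
        Instant now = Instant.parse("2024-01-01T00:06:00Z"); // constructed clock value
        System.out.println("bare:    " + withinWindow(parse(bare), now));
        System.out.println("bounded: " + withinWindow(parse(bounded), now));
    }
}
```

The first sample is accepted without an exception because neither bound is dereferenced when absent; the second is rejected because the constructed clock value falls after its NotOnOrAfter.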