HTTP 500 when specific user tries to SAML federate

Article ID: 273469

Products

SITEMINDER, CA Single Sign On Federation (SiteMinder), CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign-On

Issue/Introduction

Most users can complete SAML federation without problems, but a certain set of users fail with an HTTP 500.

In FWSTrace.log the following error is found:

[01/01/2023][12:34:56][2224][10616][Received the assertion/artifact response based on profile selected. [CHECKPOINT = SSOSAML2_RECEIVEDASSERTION_RSP]][270dd7f8-0f379ac8-23a637ae-64ff0e0b-170298b5-3e2][SSO.java][processAssertionGeneration]
[01/01/2023][12:34:56][2224][10616][Transaction with ID: 270dd7f8-0f379ac8-23a637ae-64ff0e0b-170298b5-3e2 failed. Reason: FAILED_NO_ATTR_RETURNED][270dd7f8-0f379ac8-23a637ae-64ff0e0b-170298b5-3e2][SSO.java][processAssertionGeneration]
[01/01/2023][12:34:56][2224][10616][Denying request due to no attribute returned from SAML2 assertion generator.][270dd7f8-0f379ac8-23a637ae-64ff0e0b-170298b5-3e2][SSO.java][processAssertionGeneration]

Environment

Release : 12.8.x

Cause

When FAILED_NO_ATTR_RETURNED is reported, the cause needs to be investigated on the Policy Server side.

In smtracedefault.log the following was found:

[01/01/2023][12:34:56][1440][Configured NameID format is "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"][270dd7f8-0f379ac8-23a637ae-64ff0e0b-170298b5-3e2][AuthnRequestProtocol.java][retrieveNameID][][][][][][][]
[01/01/2023][12:34:56][1440][Verified nameid policy exists [CHECKPOINT = SSOSAML2_IDPNAMEIDPOLICY_VERIFY]][270dd7f8-0f379ac8-23a637ae-64ff0e0b-170298b5-3e2][AuthnRequestProtocol.java][retrieveNameID][][][][][][][]
[01/01/2023][12:34:56][1440][Identity Provider is not allowed to create a new identifier to represent the principal.][270dd7f8-0f379ac8-23a637ae-64ff0e0b-170298b5-3e2][AuthnRequestProtocol.java][retrieveNameID][][][][][][][]
[01/01/2023][12:34:56][1440][Processing Attribute [Property = mail] [Trim Property = mail] [Separator = ^]][][SmAuthUser.cpp:2308][GetPropIndex][][][][][][][]
[01/01/2023][12:34:56][1440][Configured NameID: value of the User Attribute "mail"][270dd7f8-0f379ac8-23a637ae-64ff0e0b-170298b5-3e2][AuthnRequestProtocol.java][retrieveNameID][][][][][][][]
[01/01/2023][12:34:56][1440][Validating the retrieved NameID fails -1 : value is null, Assertion will not be generated.][270dd7f8-0f379ac8-23a637ae-64ff0e0b-170298b5-3e2][AuthnRequestProtocol.java][retrieveNameID][][][][][][][]
[01/01/2023][12:34:56][1440][AssertionHandler preProcess() returns:Leaving AssertionGenerator.][270dd7f8-0f379ac8-23a637ae-64ff0e0b-170298b5-3e2][AssertionGenerator.java][invoke][][][][][][][]

An assertion must contain a NameID with a value; it cannot be empty or null.

In this use case the "mail" attribute was used to populate the NameID, but the "mail" attribute of the affected user had no value.

Some customers may also be using a custom assertion generation plugin (AGP); if that code fails to execute or does not return a NameID value, the same error is reported.

As a result, the Policy Server does not generate an assertion for this user, and the outcome is an HTTP 500.

This is expected behavior.
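The two traces above can be correlated on the transaction ID (the hex field that follows the message in both logs) to confirm which users hit this condition and which attribute needs to be populated. The following script is an added example for this article, not part of the product or its tooling: it parses the bracketed trace format (messages can contain nested brackets such as [CHECKPOINT = ...]), picks out transactions that FWSTrace.log reports as FAILED_NO_ATTR_RETURNED, and reads the configured NameID format, the source attribute and the "value is null" verdict for those transactions out of smtracedefault.log. The sample lines are the ones quoted in this article plus one constructed healthy transaction; the field layout (message, then transaction ID, then source file) is inferred from those lines and is an assumption.

```python
import re

# Source file name follows the transaction id in both logs, e.g. "SSO.java" or "SmAuthUser.cpp:2308".
FILE_RE = re.compile(r"^\w+\.(?:java|cpp)(?::\d+)?$")
# Transaction ids look like five 8-hex groups plus a 3-hex suffix (inferred from the article's lines).
TXID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{8}){4}-[0-9a-f]{3}$")
ATTR_RE = re.compile(r'value of the User Attribute "([^"]+)"')
FORMAT_RE = re.compile(r'Configured NameID format is "([^"]+)"')


def split_fields(line):
    """Split a trace line into its top-level [...] fields, keeping nested brackets inside a field."""
    fields, buf, depth = [], [], 0
    for ch in line:
        if ch == "[":
            if depth > 0:
                buf.append(ch)
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth == 0:
                fields.append("".join(buf))
                buf = []
            else:
                buf.append(ch)
        elif depth > 0:
            buf.append(ch)
    return fields


def parse_line(line):
    """Return (transaction_id, message) for a trace line, or None if the layout is not recognised.

    Assumption: the source file field comes right after the transaction id, which comes right
    after the message. Lines with no transaction id (e.g. SmAuthUser.cpp) yield an empty id."""
    fields = split_fields(line)
    for i, field in enumerate(fields):
        if i >= 2 and FILE_RE.match(field):
            return fields[i - 1], fields[i - 2]
    return None


def triage(fws_lines, ps_lines):
    """Map each FAILED_NO_ATTR_RETURNED transaction to what the Policy Server trace says about it."""
    failed = set()
    for line in fws_lines:
        parsed = parse_line(line)
        if parsed and "FAILED_NO_ATTR_RETURNED" in parsed[1] and TXID_RE.match(parsed[0]):
            failed.add(parsed[0])

    findings = {
        txid: {"nameid_format": None, "attribute": None, "reason": "unknown (check Policy Server trace)"}
        for txid in failed
    }
    for line in ps_lines:
        parsed = parse_line(line)
        if not parsed or parsed[0] not in findings:
            continue
        txid, msg = parsed
        fmt = FORMAT_RE.search(msg)
        if fmt:
            findings[txid]["nameid_format"] = fmt.group(1)
        attr = ATTR_RE.search(msg)
        if attr:
            findings[txid]["attribute"] = attr.group(1)
        if "Validating the retrieved NameID fails" in msg and "value is null" in msg:
            findings[txid]["reason"] = "empty NameID: populate the source attribute for this user"
    return findings


# Sample input: the lines quoted in the article, plus one constructed healthy transaction (id ending -001).
FWS_SAMPLE = [
    '[01/01/2023][12:34:56][2224][10616][Received the assertion/artifact response based on profile selected. [CHECKPOINT = SSOSAML2_RECEIVEDASSERTION_RSP]][270dd7f8-0f379ac8-23a637ae-64ff0e0b-170298b5-3e2][SSO.java][processAssertionGeneration]',
    '[01/01/2023][12:34:56][2224][10616][Transaction with ID: 270dd7f8-0f379ac8-23a637ae-64ff0e0b-170298b5-3e2 failed. Reason: FAILED_NO_ATTR_RETURNED][270dd7f8-0f379ac8-23a637ae-64ff0e0b-170298b5-3e2][SSO.java][processAssertionGeneration]',
    '[01/01/2023][12:34:56][2224][10616][Denying request due to no attribute returned from SAML2 assertion generator.][270dd7f8-0f379ac8-23a637ae-64ff0e0b-170298b5-3e2][SSO.java][processAssertionGeneration]',
    # constructed: a second user whose federation succeeded, so no failure line for this id
    '[01/01/2023][12:35:10][2224][10616][Received the assertion/artifact response based on profile selected. [CHECKPOINT = SSOSAML2_RECEIVEDASSERTION_RSP]][aaaaaaaa-bbbbbbbb-cccccccc-dddddddd-eeeeeeee-001][SSO.java][processAssertionGeneration]',
]
PS_SAMPLE = [
    '[01/01/2023][12:34:56][1440][Configured NameID format is "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"][270dd7f8-0f379ac8-23a637ae-64ff0e0b-170298b5-3e2][AuthnRequestProtocol.java][retrieveNameID][][][][][][][]',
    '[01/01/2023][12:34:56][1440][Verified nameid policy exists [CHECKPOINT = SSOSAML2_IDPNAMEIDPOLICY_VERIFY]][270dd7f8-0f379ac8-23a637ae-64ff0e0b-170298b5-3e2][AuthnRequestProtocol.java][retrieveNameID][][][][][][][]',
    '[01/01/2023][12:34:56][1440][Processing Attribute [Property = mail] [Trim Property = mail] [Separator = ^]][][SmAuthUser.cpp:2308][GetPropIndex][][][][][][][]',
    '[01/01/2023][12:34:56][1440][Configured NameID: value of the User Attribute "mail"][270dd7f8-0f379ac8-23a637ae-64ff0e0b-170298b5-3e2][AuthnRequestProtocol.java][retrieveNameID][][][][][][][]',
    '[01/01/2023][12:34:56][1440][Validating the retrieved NameID fails -1 : value is null, Assertion will not be generated.][270dd7f8-0f379ac8-23a637ae-64ff0e0b-170298b5-3e2][AuthnRequestProtocol.java][retrieveNameID][][][][][][][]',
]

if __name__ == "__main__":
    for txid, info in triage(FWS_SAMPLE, PS_SAMPLE).items():
        print(txid, info)
```

Run it against the real files by reading FWSTrace.log and smtracedefault.log into the two lists; each reported transaction names the NameID source attribute that is empty for that user (here "mail"), which is the value the Resolution section says must be populated.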


Resolution

Ensure the attribute used for generating the NameID has a value for every user who federates.