FAILED_INVALID_RESPONSE_RETURNED after CRL imported


Article ID: 36916


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

Problem:

Upgrading from CA SiteMinder 12.5 CR2 to 12.52 SP1 CR2.

When accessing an application through federation, we receive an HTTP 500 error in the browser, and FWSTrace.log shows messages like the following:

…[SSO.java][processRequest][Unable to get Assertion Consumer URL. Verifying for Default Assertion Consumer URL in config]

…Received the following response from SAML2 assertion generator: SAML2Response=NO.

[Transaction with ID: c3cb7c59-2791f6e0-28cf755e-32c4ca99-e4b59f9c-6a failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]

 

After the CRL was re-imported, federation and any web-based certificate authority stopped working.

 

Environment:  

Federation Environment. Upgrade from 12.5 Cr2 to 

 

Policy Server 12.52 SP1 CR02

Policy Store 12.52 SP1 CR02

WAM UI 12.52 SP1 CR002

Linux Redhat 6

 

Cause: 

After the Policy Server upgrade was finished, the CRL was re-imported.

The CRL file was imported through XPSExplorer. The import completed, but the CRL did not appear in the interface and the certificates were not validated.

A CRL cannot be exported; it can only be deleted and re-imported.

Resolution:

1) Remove the CRL before upgrading the Policy Server.

2) Upgrade the Policy Server, Policy Store and WAM UI (in this order).

3) Re-import the CRL only after finishing the steps above.

 

Additional Information:

Troubleshooting if the problem persists after applying the suggestions above:

1) Check whether you are able to manage certificates through the UI.

2) Also check the CDS and certificates through XPSExplorer.

3) Make sure to use the Federation trace template (Federation_ODBC_LDAP_Detailed_trace.template).

4) Make sure that both the private key and the certificate of the pair are added to the CDS.

5) Take an XPSExport -xb and attach it to the support case so we can examine the CDS.

6) Double-check the signing alias configuration in the partnership and take a screenshot of it.
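
To confirm whether the failure signature quoted in the Issue section is still being logged after the CRL is re-imported, the following added example (not part of the original article and not product code) scans FWSTrace.log text and reports each failed transaction. It matches only the message fragments quoted above; the sample text, the second transaction ID and the function names are constructed for illustration, and real trace lines carry extra fields that depend on the trace template.

```python
import re
import sys
from collections import Counter

# Patterns built only from the message fragments quoted in this article.
# \s* lets the failure message match even when it wraps across lines.
FAILED = re.compile(
    r"Transaction with ID: (?P<txn>[0-9A-Fa-f-]+) failed\.\s*Reason: (?P<reason>[A-Z_]+)"
)
NO_ASSERTION = re.compile(r"SAML2Response=NO\b")
ACS_FALLBACK = re.compile(r"Unable to get Assertion Consumer URL")

# Constructed sample: first transaction mirrors the article's excerpt,
# the second (made-up ID) fails without the preceding context messages.
SAMPLE = """\
[SSO.java][processRequest][Unable to get Assertion Consumer URL.
Verifying for Default Assertion Consumer URL in config]
Received the following response from SAML2 assertion generator: SAML2Response=NO.
[Transaction with ID: c3cb7c59-2791f6e0-28cf755e-32c4ca99-e4b59f9c-6a failed.
Reason: FAILED_INVALID_RESPONSE_RETURNED]
[constructed filler line between transactions]
[Transaction with ID: 00000000-11111111-22222222-33333333-44444444-5b failed.
Reason: FAILED_INVALID_RESPONSE_RETURNED]
"""

def scan_fws_trace(text):
    """Return one dict per failed transaction, in log order.

    Context flags are taken from the text between the previous failure and
    this one, so on a busy server with interleaved requests they are a hint,
    not proof that the messages belong to the same transaction.
    """
    findings, prev_end = [], 0
    for m in FAILED.finditer(text):
        window = text[prev_end:m.start()]
        findings.append({
            "txn": m.group("txn"),
            "reason": m.group("reason"),
            "no_assertion": bool(NO_ASSERTION.search(window)),
            "acs_fallback": bool(ACS_FALLBACK.search(window)),
        })
        prev_end = m.end()
    return findings

def summarize(findings):
    """Count failures per reason code."""
    return Counter(f["reason"] for f in findings)

if __name__ == "__main__":
    # Pass the path to FWSTrace.log, or run with no argument for the sample.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for f in scan_fws_trace(text):
        print(f)
```

Run it against the trace captured before the change and again after the re-import; an empty result on the second run means the quoted failure is no longer being logged.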

 

Environment

Release: SOASMU99000-12.5-SOA Security Manager-Upgrade
Component: