After an upgrade of SiteMinder with CA Access Gateway acting as IdP, initiating Federation fails at assertion generation with the following error:
[2442628/140118458775296][Mon Aug 05 2025 09:34:37.241][SSO.java][ERROR][sm-FedClient-02890] Transaction with ID: <Transaction_id> failed. Reason: FAILED_INVALID_RESPONSE_RETURNED (, , )
FWSTrace.log shows the following error:
[08/05/2025][09:34:47][2238537][140118458775296][10c73191-8622ff1c-c9115f27-a67ced4d-1853bed0-157][SSO.java][processAssertionGeneration][Request to policy server for generating saml2 assertion/artifact based on selected profile. [CHECKPOINT = SSOSAML2_GENERATEASSERTIONORARTIFACT_REQ]]
[08/05/2025][09:34:47][2238537][140118458775296][10c73191-8622ff1c-c9115f27-a67ced4d-1853bed0-157][SSO.java][processAssertionGeneration][Transient IP check: false]
[08/05/2025][09:34:47][2238537][140118458775296][10c73191-8622ff1c-c9115f27-a67ced4d-1853bed0-157][SSO.java][processAssertionGeneration][Result of authorizeEx call is: 1.]
[08/05/2025][09:34:47][2238537][140118458775296][<Transaction_id>][SSO.java][processAssertionGeneration][Received the assertion/artifact response based on profile selected. [CHECKPOINT = SSOSAML2_RECEIVEDASSERTION_RSP]]
[08/05/2025][09:34:47][2238537][140118458775296][10c73191-8622ff1c-c9115f27-a67ced4d-1853bed0-157][SSO.java][processAssertionGeneration][Not enforcing ForceAuthnTimeouts.]
[08/05/2025][09:34:47][2238537][140118458775296][10c73191-8622ff1c-c9115f27-a67ced4d-1853bed0-157][SSO.java][processAssertionGeneration][Received the following response from SAML2 assertion generator: SAML2Response=NO.]
[08/05/2025][09:34:47][2238537][140118458775296][10c73191-8622ff1c-c9115f27-a67ced4d-1853bed0-157][SSO.java][processAssertionGeneration][Transaction with ID: 10c73191-8622ff1c-c9115f27-a67ced4d-1853bed0-157] failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]
[08/05/2025][09:34:47][2238537][140118458775296][<Transaction_id>][SSO.java][processAssertionGeneration][Denying request due to "NO" returned from SAML2 assertion generator.]
There are many possible reasons for this error. One possible cause is that the Assertion Generator has been customized (1) and some of the jar files it uses are missing or incorrectly specified in the JVMOptions classpath variable, do not have the right user or group permissions or ownership, or do not implement the method required by your custom plugin.
If that is the case, there will be lines similar to the following in your policy server logs and traces:
[2238537][140118458775296][Mon Aug 05 2025 09:34:47.241][AssertionGenerator.java][ERROR][sm-FedServer-00110] The assertion customization failed. java.lang.NoClassDefFoundError: org/apache/commons/codec/binary/Base64
at <custom_class>.<custom_method1>(<custom_code>.java:73)
at <custom_class>.<custom_method2>(PropertyUtils.java:83)
at <custom_class>.<custom_method3>(PropertyUtils.java:48)
...
at com.netegrity.assertiongenerator.AssertionGenerator.invoke(Unknown Source)
at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(ActiveExpressionContext.java:282)
Check the JVMOptions.txt file under the siteminder\config directory of your policy server and make sure that -Djava.class.path contains both your customized plugin jar and the jar files it requires for proper operation. For instance, in the example above the org/apache/commons/codec/binary/Base64 class is contained in the jar file commons-codec-1.15.jar.
If all the jar files required for proper operation are present in the classpath, verify that they have the necessary access permissions and that the jar library versions required to implement your plugin are present. Please remember that upgrading or changing the version of one of the jar files shipped with the product is not supported and should not be done unless instructed by Broadcom Support.
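The classpath and permission checks described above can be scripted. The following is an added example, not Broadcom's or the product's own code: it reads the -Djava.class.path line from the text of JVMOptions.txt, flags entries that are missing or not readable by the account running the script, and lists which jars contain the class named in the NoClassDefFoundError. The jar name custom-plugin.jar, the class com/example/CustomPlugin, the entry not-deployed.jar and the sample file contents are constructed for the demonstration.

```python
import os
import tempfile
import zipfile

def classpath_entries(jvm_options_text, sep=os.pathsep):
    """Return the entries of the -Djava.class.path= line, in order."""
    for line in jvm_options_text.splitlines():
        line = line.strip()
        if line.startswith("-Djava.class.path="):
            value = line.split("=", 1)[1]
            return [e for e in value.split(sep) if e]
    return []

def audit_classpath(entries, needed_class):
    """Report missing/unreadable entries and the jars that provide needed_class."""
    member = needed_class.replace(".", "/") + ".class"
    report = {"missing": [], "unreadable": [], "providers": []}
    for entry in entries:
        if not os.path.exists(entry):
            report["missing"].append(entry)
        # os.access tests the current user: run as the policy server account.
        elif not os.access(entry, os.R_OK):
            report["unreadable"].append(entry)
        elif zipfile.is_zipfile(entry):
            with zipfile.ZipFile(entry) as jar:
                if member in jar.namelist():
                    report["providers"].append(entry)
    return report

def demo():
    """Build a constructed JVMOptions.txt and jars in a temp dir, then audit."""
    with tempfile.TemporaryDirectory() as d:
        plugin = os.path.join(d, "custom-plugin.jar")    # hypothetical name
        codec = os.path.join(d, "commons-codec-1.15.jar")
        gone = os.path.join(d, "not-deployed.jar")        # listed but absent
        with zipfile.ZipFile(plugin, "w") as z:
            z.writestr("com/example/CustomPlugin.class", b"")
        with zipfile.ZipFile(codec, "w") as z:
            z.writestr("org/apache/commons/codec/binary/Base64.class", b"")
        text = "-Xrs\n-Djava.class.path=" + os.pathsep.join([plugin, codec, gone]) + "\n"
        report = audit_classpath(classpath_entries(text),
                                 "org/apache/commons/codec/binary/Base64")
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}

if __name__ == "__main__":
    print(demo())
```

An empty providers list for the class named in the stack trace means no jar on the classpath supplies it, which matches the NoClassDefFoundError shown above.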