SAML assertions are not getting generated


Article ID: 40900


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On



User initiates an IDP initiated transaction where the user keeps on looping between the redirect.jsp and the authenticationURL and the authentication scheme. This can be verified by taking a fiddler trace.

**Example: User will post credentials on a link like,

The user will be redirected to redirect.jsp which is normal. below is the example link:


Link the user should get access to the requested resource instead the user again gets redirected to the authentication scheme URL.



Any Partnership model.


Upon checking the logs, you will see that the user in the picture is not not authorized to access redirect.jsp file 

  1.  Click the saml2sso service url on now since the user does not have the smsession the user gets redirected to the authentication URL. 
  2.  User does a get on "login.fcc" and posts their credentials: 
  3.  An smsession cookie is set. After this the user is again sent back to the redirect.jsp and then the user again posts the credentials and then again  the user is     sent back to redirect.jsp 

This is happening is because the user is not authorized by the policy server. 

From the agenttrace log: 


[03/11/2016][10:34:39][3736][3660][CSmLowLevelAgent.cpp:2011][AuthorizeUser][000080fe00000000c71cad7ce6a4aecf-0e98-56e2f39f-0e4c-0073428b][*][][samltst][/affwebservices/redirectjsp/redirect.jsp?SPID=][schisen][User 'CN=UserName,OU=Users,OU=Southwind-02a,OU=xyz,OU=abx,DC=na,DC=abc,DC=com' is not authorized by Policy Server.] 

 From smtrace log: 


[03/11/2016][10:34:39.089][10:34:39][2016][3140][Sm_Az_Message.cpp:595][CSm_Az_Message::ProcessMessage][s1308/r7][samltst][][schisen][][samlpage][samltst][][][][][][][][][][][][][][** Status: Not Authorized. ][][][][][][][][][][][][yzE0FFdo0TZLruLd+WWV7JKyglsuNdNfsm9mQVkmpjBUZwMeb05UJrJIR12dRdroAT7LzV9V9rLgozSt7J+S+Px267/pSFdIIYiAFHeZvgD//DOYsUVNL8VtjPzJbR60nycpaYYulM9RIP1aUTGvF5w0UAgjVR1QbDNFJ9AIAZDoxJqd0SgGb1P9BRT6MnIjBRnk6ZJBW8hS4Prc7BrFzhZ4z5X3tpt+tqGgDkSy9me9BgNc3GHogTEW6A9bo7vuR3hoM2XBarGamVcmV4S8udvasydnInzn6f1DU09+b2IcmS+0VvpmXSNNu/QamXqSY0IAoWyfK3TgHNz8Ah++07ajZqzQpO4l4sQ3SLdr26a4R9OD+DEQNVd4Si9KrYtNE7jVPVuNw2vQBqPJZUgq7io/fUERb6IejJ+9LVRlGchn4CEikCBBRHW7I5ABs+Xzs3jFMB8Cz/B3kRazK+CEGShmIdz46Qa5xMe/0ZJgc5TQsW6GCkTQGuQ+fz0mAJXF][][][CN=UserName,OU=Users,OU=Southwind-02a,OU=xyz,OU=abx,DC=na,DC=abc,DC=com][][][][][][][][][][][][][][][][][][][][][][] 



1) Open the domain where you have configured the redirect.jsp realm or the authenticationURL realm.

2) Check if you have attached the correct user directory to this domain. The user should exist in this domain.

3) Open the policy attached to this domain. Click on users tab in the policy and check if the user in test is included in users tab or not.

4) Click the rules tab in policy and see if you have a rule attached to the policy or not. The policy for the AuthenticationURL domain should have a rule attached to it.

This rule should apply to the redirect.jsp page. For example:

Effective Resource: iisagent/siteminderagent/redirectjsp/* 



Component: SMFED