Deleting an Affiliate Domain with more than 1000 Service Providers from the AdminUI results in a timeout.
Below are steps that can be followed to perform the delete using XPSExport/XPSImport for object classes with a large number of child objects, such as the Affiliate Domain.
Any supported SiteMinder release
While the objects can be cleaned up manually via the AdminUI, a more efficient bulk deletion method is to use an XPSImport changeset. In this scenario, this approach avoids the AdminUI limitation of deleting SAML Service Providers 10 items at a time.
Note --> In this example Symantec Directory is used; the same concept is applicable to any supported Policy Store directory.
**** Action 1 --> Take a full LDIF backup or back up the .db file of the Policy Store DSA
**** Action 2 --> Stop the replication on the DSA that you intend to run the change on
**** Action 3 --> Download the "changeset.xml" file from the case under files_from_broadcom and copy it to the Policy Server that is connected to the DSA in "Action 2"
The file contains the following Changeset DELETE for Affiliate Domain OID --> 03-c6f7b4ea-xxxxxxxxxxxxxxxxxxxxxxxxx
<?xml version="1.0" encoding="UTF-8"?>
<changeset>
<context>
<loc id="Ref0001" xid="CA.SM::Domain@03-c6f7b4ea-xxxxxxxxxxxxxxxxxxxxxxxxx" />
</context>
<changes>
<object refid="Ref0001" changetype="delete" />
</changes>
</changeset>
**** Action 4 --> Run the following XPSImport command to start the delete process
XPSImport -changeset changeset.xml
Internally, on the repro environment, it took ~1 hour and 23 min to complete.
Example from the execution in the repro environment:
[root@]# time XPSImport -changeset changeset.xml
[XPSImport - XPS Version 12.8.0801.3003]
Log output: /opt/CA/siteminder/log/XPSImport.2026-03-04_194806.log
Initializing XPS, please wait...
Log Time Phase/Section #Objects %age Elapsed
-------- ------------------------ --------------- ----------- -----------------
19:52:37 Initializing
20:21:07 Saving 35736/35736 100% 00:28:30
21:15:37 Saving 35736/35736 100% 01:23:00 00:54:30
14:33:48 Complete 18:41:11
Total elapsed time:01:23:00
**** Action 5 --> Verify from XPSExplorer and the AdminUI that the Domain was deleted
**** Action 6 --> Clean up the generated server commands manually
1) Generate a "ldapdeleteservercmd.txt" file using the command below (replace the host IP, port and DN with your own)
ldapsearch -D "cn=adminexample" -w pass -h 10.10.10.10 -p 8289 -b "ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,o=example" "objectclass=smservercommand4" smServerCommandOID4 | awk '/^smServerCommandOID4/ {print "smServerCommandOID4="$2",ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,o=example"}' > ldapdeleteservercmd.txt
The file generated by the first command should contain entries like this:
bash-4.2# more ldapdeleteservercmd.txt
smServerCommandOID4=13-000be7c7-c211-xxxxxxxxxxxxxxxx,ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,o=example
smServerCommandOID4=13-000bbf65-c211-xxxxxxxxxxxxxxxx,ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,o=example
smServerCommandOID4=13-000be397-c211-xxxxxxxxxxxxxxxx,ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,o=example
2) Check the file to make sure the list was generated.
Once done, run the ldapdelete command below, which will delete the smServerCommand entries
ldapdelete -D "cn=adminexample" -w pass -h 10.10.10.10 -p 8289 -f ldapdeleteservercmd.txt
3) Restart your Policy Server
NOTE --> If you use SSL for your LDAP connection, add -P <Path_tocert8b>/cert8.db to both commands
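For the check in step 2 of Action 6, the script below is an added example (not part of the original article and not a Broadcom-supplied tool): it confirms that every line of ldapdeleteservercmd.txt is a smServerCommandOID4 entry directly under the expected base DN before the file is passed to ldapdelete -f. The function name validate_delete_list, the allowed OID characters and the sample OID values are assumptions.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check of the DN list before "ldapdelete -f".
# validate_delete_list is a hypothetical helper, not a SiteMinder tool.
#
# Usage: validate_delete_list FILE BASE_DN
# Exit 0 only if FILE is non-empty and every line is exactly
#   smServerCommandOID4=<oid>,<BASE_DN>
# The <oid> character set (letters, digits, "-") is assumed from the samples.
validate_delete_list() {
    local file=$1 base=$2
    if [ ! -s "$file" ]; then
        echo "ERROR: $file is missing or empty"
        return 1
    fi
    awk -v base="$base" '
        BEGIN { prefix = "smServerCommandOID4="; suffix = "," base }
        {
            ok = 0
            n = length($0) - length(prefix) - length(suffix)
            if (n > 0 && index($0, prefix) == 1) {
                oid  = substr($0, length(prefix) + 1, n)
                tail = substr($0, length(prefix) + n + 1)
                # Plain string compare on the suffix: no regex escaping of the DN.
                if (tail == suffix && oid ~ /^[0-9A-Za-z-]+$/) ok = 1
            }
            if (!ok)              { bad++;  printf "line %d rejected: %s\n", NR, $0 }
            else if (seen[$0]++)  { dup++ }
            else                  { good++ }
        }
        END {
            printf "%d valid, %d duplicate, %d rejected\n", good, dup, bad
            if (bad > 0 || good == 0) exit 1
        }
    ' "$file"
}

# Demo on constructed input; the third line is the container DN itself and
# must never reach ldapdelete.
base="ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,o=example"
demo=$(mktemp)
printf '%s\n' \
    "smServerCommandOID4=13-000be7c7-c211-0001,$base" \
    "smServerCommandOID4=13-000bbf65-c211-0002,$base" \
    "$base" > "$demo"
validate_delete_list "$demo" "$base" || echo "Do not run ldapdelete -f on this file"
rm -f "$demo"
```

A non-zero exit means the list contains something other than server command entries under the given base DN and should be regenerated before ldapdelete is run.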
**** Action 7 --> Run XPSSweeper
**** Action 8 --> Copy the .db file from the DSA in Action 2 (the one the changeset was run against) to the other DSA servers and perform the following
1) Shut down the DSA on the other servers
2) Replace the .db file of these DSAs with the one copied from the fixed server
3) Restart the DSA
**** Action 9 --> Start replication between all DSAs; the data should now be the same on all DSAs. Restart the Policy Servers one by one, if you can, to make sure the cache is refreshed with the changes