When running the XPSImport smpolicy.xml command, as described in the documentation for the Policy Store upgrade process, the following error is reported:
[7278/1][Mon Sep 19 2016 16:34:58][Validate.cpp:680][Validate][WARN][sm-xpsxps-xxxxx] CA.SM::SAMLv2IdP@xx-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx(myobject): Required parent missing.
Also, when exporting the store for troubleshooting, the export completes successfully but the following warning message is logged:
(WARN) : [sm-xpsxps-xxxxx] Unable to locate parent for "CA.SM::SAMLv2IdP@xx-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx(myobject)". Skipping.
Siteminder release: 12.8.x and 12.9 (Applicable to all the supported releases)
Component: Policy Server (SMPLC)
OS: All
When an Authentication Scheme is created, SAML 2.0 configuration objects are created along with it. The object in the warning comes from such a configuration.
Later, when the Authentication Scheme is deleted, this SAML 2.0 configuration object is not deleted and remains in the Policy Store.
Because the related Authentication Scheme no longer exists, the following warning is reported:
CA.SM::SAMLv2IdP@xx-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx(myobject): Required parent missing.
To solve the issue and to ensure that this object is no longer related to any Authentication Scheme, check the object's validity through XPSExplorer:
- Open XPSExplorer tool from a command line on Policy Server;
- In the "Main menu", type the option number for SAMLv2IdP (could be number 144 depending on the version) and hit enter;
- Type S and hit enter to show the current objects of this type. Observe the one named as shown in the error (i.e. "myobject");
- Type the corresponding number for the object (located at the beginning of the entry), and hit enter;
- In the header displayed, notice the "Parent" field, which references the Authentication Scheme from which this configuration was generated;
- Type L and hit enter; it should show the referenced Authentication Scheme object;
- Also check the values for SPID and KEY_IdPID, and verify that they still exist and/or are valid, as follows:
- Return to the Main Menu (by typing Q and hitting enter until main menu is reached) and check SPBase objects to find the SPID referenced;
- Type the value for SPbase* and hit enter;
- Type S and hit enter. There should be a partnership matching the SPID found before;
- Repeat the same steps in the IdPbase* menu for the KEY_IdPID value.
If any of those IDs no longer matches an object, or the Authentication Scheme is empty or no longer exists, delete this SAML Config object, as it could be an old configuration that was not removed properly.
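To know which objects to look up in XPSExplorer before starting, both warnings shown above can be extracted from the XPSImport and XPSExport logs. The script below is an added example, not part of the product or its documentation; the function name find_orphans is hypothetical, and the sample log lines are constructed from the masked messages above, with one extra constructed object to show de-duplication.

```python
import re

# Object reference as printed in both warnings: Class@XID(name)
OBJ = r'(?P<cls>[\w.]+::\w+)@(?P<xid>[\w-]+)\((?P<name>[^)]*)\)'
PATTERNS = [
    # XPSImport validation warning
    re.compile(OBJ + r': Required parent missing\.'),
    # XPSExport warning
    re.compile(r'Unable to locate parent for "' + OBJ + r'"'),
]

def find_orphans(lines):
    """Return unique (class, xid, name) tuples, in first-seen order,
    for every object reported without a parent."""
    seen = {}
    for line in lines:
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                # The same object can appear in both import and export logs
                seen.setdefault((m['cls'], m['xid'], m['name']), None)
                break
    return list(seen)

# Constructed sample input (masked XIDs, as in the messages above)
SAMPLE_LOG = [
    '[7278/1][Mon Sep 19 2016 16:34:58][Validate.cpp:680][Validate][WARN]'
    '[sm-xpsxps-xxxxx] CA.SM::SAMLv2IdP@xx-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
    '(myobject): Required parent missing.',
    '(WARN) : [sm-xpsxps-xxxxx] Unable to locate parent for '
    '"CA.SM::SAMLv2IdP@xx-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx(myobject)". Skipping.',
    '(WARN) : [sm-xpsxps-xxxxx] Unable to locate parent for '
    '"CA.SM::SAMLv2IdP@xx-yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy(otherobject)". Skipping.',
    '(INFO) : [sm-xpsxps-xxxxx] Export completed.',  # unrelated line, ignored
]

if __name__ == '__main__':
    for cls, xid, name in find_orphans(SAMPLE_LOG):
        print(f'{cls}\t{xid}\t{name}')
```

Each line of output gives the object class to select in the XPSExplorer main menu and the name to look for after typing S.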