Unable to locate parent for "CA.SM::SAMLv2IdP" object error
search cancel

Unable to locate parent for "CA.SM::SAMLv2IdP" object error


Article ID: 5098


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On


While running the XPSImport smpolicy.xml command as
mentioned in the documentation for a Policy Store upgrade process, we
see the following error:

  [7278/1][Mon Sep 19 2016
  Required parent missing.

Also, if we try to export the store for troubleshooting, the export
completes successfully but we see the following warning message in the
log :

  (WARN) : [sm-xpsxps-04960] Unable to locate parent for
  "CA.SM::SAMLv2IdP@21-6d946e97-0138-165a-7e8d-137534702cb3(myobject)". Skipping.





Policy Server 12.8.x




On creating an Authentication Scheme, you create SAML2.0
configurations along with it. The object seen is from such
configuration. Later, if you delete the Authentication Scheme, this
SAML2.0 config object doesn't get deleted and it is kept in the Policy
Store. And because the related Authentication Scheme doesn't exist
anymore, then it report the warning :

     Required parent missing.



To solve the issue and to insure that this object isn't related to any
Authentication Scheme anymore, you need to check the object validity
through XPSExplorer:

  - Open XPSExplorer tool from a command line on your Policy Server;

  - In the "Main menu", type the option number for SAMLv2IdP (could be
    number 144 depending the version) and hit enter;

  - Type S and hit enter to show the current objects of this type. You
    should see the one named as shown in the error (i.e. "myobject");

  - Type the corresponding number for the object (located at the
    beginning of the entry), and hit enter;

  - On the header displayed, you will see a "Parent" field, and should
    reference the Authentication Scheme where this configuration was

  - If you type L and hit enter, it should show you that
    Authentication Scheme object;

  - Check also the values for SPID and KEY_IdPID, and check if those
    are still existing and/or valid as follows;

  - Return to the Main Menu (by typing Q and hitting enter until you
    reach there) and check SPBase objects to find the SPID referenced;

  - Type the value for SPbase* and hit enter;

  - Type S and hit enter. You should find a partnership matching the
    SPID you have found before;

  - Repeat the same steps for IdPbase* menu, for the KEY_IdPID value;

If any of those IDs are not matching anymore any object, or the
authentication scheme is empty or not existing anymore, you may want
to delete this SAML Config object as it could be an old configuration
which has not been removed properly.


Additional Information

Configure a SAML 2.0 Service Provider