Unable to locate parent for "CA.SM::SAMLv2IdP" object error

book

Article ID: 5098

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

 

We're upgrading our Policy Servers and Policy Store from 12.0 SP3 to
12.52 SP1 and when we run the XPSImport smpolicy.xml command as
mentioned in the documentation for a Policy Store upgrade process, we
see the following error:

  [7278/1][Mon Sep 19 2016
  16:34:58][Validate.cpp:680][Validate][WARN][sm-xpsxps-03250]
  CA.SM::[email protected](myobject):
  Required parent missing.

Also, if we try to export the store for troubleshooting, the export
completes successfully but we see the following warning message in the
log :

  (WARN) : [sm-xpsxps-04960] Unable to locate parent for
  "CA.SM::[email protected](myobject)". Skipping.

What is this object, and how can we solve this error ?

 

Cause

 

When you create an Authentication Scheme, you create SAML2.0
configurations along with it. The object seen is from such
configuration. Later, if you delete the Authentication Scheme, this
SAML2.0 config object doesn't get deleted and it is kept in the Policy
Store. And because the related Authentication Scheme doesn't exist
anymore, then it report the warning :

     CA.SM::[email protected](myobject):
     Required parent missing.

Environment

 

Policy Server 12.8SP3 on RedHat 7

 

Resolution

 

To solve the issue and to insure that this object isn't related to any
Authentication Scheme anymore, you need to check the object validity
through XPSExplorer:

  - Open XPSExplorer tool from a command line on your Policy Server;

  - In the "Main menu", type the option number for SAMLv2IdP (could be
    number 144 depending the version) and hit enter;

  - Type S and hit enter to show the current objects of this type. You
    should see the one named as shown in the error (i.e. "myobject");

  - Type the corresponding number for the object (located at the
    beginning of the entry), and hit enter;

  - On the header displayed, you will see a "Parent" field, and should
    reference the Authentication Scheme where this configuration was
    generated;

  - If you type L and hit enter, it should show you that
    Authentication Scheme object;

  - Check also the values for SPID and KEY_IdPID, and check if those
    are still existing and/or valid as follows;

  - Return to the Main Menu (by typing Q and hitting enter until you
    reach there) and check SPBase objects to find the SPID referenced;

  - Type the value for SPbase* and hit enter;

  - Type S and hit enter. You should find a partnership matching the
    SPID you have found before;

  - Repeat the same steps for IdPbase* menu, for the KEY_IdPID value;

If any of those IDs are not matching anymore any object, or the
authentication scheme is empty or not existing anymore, you may want
to delete this SAML Config object as it could be an old configuration
which has not been removed properly.

 

Additional Information

 

  Configure a SAML 2.0 Service Provider
  https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/legacy-federation/configure-a-saml-2-0-service-provider.html