Error: FAILED_INVALID_RESPONSE_RETURNED by enabling SLO in Federation

Article ID: 7260

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On SITEMINDER CA Single Sign On Federation (SiteMinder)

Issue/Introduction

 

When configuring SLO for a Federation Partnership that otherwise works properly, with SLO configured as per the documentation (1)(2)(3)(4), the following errors show up:

-- FWSTrace.log:

[06/15/2017][09:32:42][2016][4212][<Transaction ID>][SSO.java][processAssertionGeneration][Calling authorizeEx to invoke SAML2 assertion generator.]
[06/15/2017][09:32:42][2016][4212][<Transaction ID>][SSO.java][processAssertionGeneration][Request to policy server for generating saml2 assertion/artifact based on selected profile. [CHECKPOINT = SSOSAML2_GENERATEASSERTIONORARTIFACT_REQ]]
[06/15/2017][09:32:42][2016][4212][<Transaction ID>][SSO.java][processAssertionGeneration][Transient IP check: false]
[06/15/2017][09:32:45][2016][4212][<Transaction ID>][SSO.java][processAssertionGeneration][Result of authorizeEx call is: 1.]
[06/15/2017][09:32:45][2016][4212][<Transaction ID>][SSO.java][processAssertionGeneration][Received the assertion/artifact response based on profile selected. [CHECKPOINT = SSOSAML2_RECEIVEDASSERTION_RSP]]
[06/15/2017][09:32:45][2016][4212][<Transaction ID>][SSO.java][processAssertionGeneration][Not enforcing ForceAuthnTimeouts.]
[06/15/2017][09:32:45][2016][4212][<Transaction ID>][SSO.java][processAssertionGeneration][Received the following response from SAML2 assertion generator: SAML2Response=NO.]
[06/15/2017][09:32:45][2016][4212][<Transaction ID>][SSO.java][processAssertionGeneration][Transaction with ID: <Transaction ID> failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]
[06/15/2017][09:32:45][2016][4212][<Transaction ID>][SSO.java][processAssertionGeneration][Denying request due to "NO" returned from SAML2 assertion generator.]
[06/15/2017][09:32:45][2016][4212][<Transaction ID>][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]

-- Affwebservices.log:

[2016/4212][Thu Jun 15 2017 09:32:45][SSO.java][ERROR][sm-FedClient-02890] sm-FedClient-02890 (<Transaction ID>, FAILED_INVALID_RESPONSE_RETURNED, , , )

 

Environment

 

Policy Server R12.52 SP1

 

Cause

 

SLO requires a Session Store and a persistent realm.

 

Resolution

 

Enabling the persistent flag in the realm where SLO is configured solves this issue.
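
To confirm which transactions show this failure signature in FWSTrace.log, before and after the realm change, the trace lines can be grouped by transaction ID. This is an added example, not Broadcom's tooling: the bracketed field layout is assumed from the lines shown on this page, and the transaction IDs in the sample are constructed.

```python
import re
from collections import defaultdict

# Layout assumed from this page's FWSTrace.log lines:
# [date][time][n][n][transaction id][source file][method][message]
LINE_RE = re.compile(
    r"^(?:\[[^\]]*\]){4}\[(?P<txn>[^\]]*)\](?:\[[^\]]*\]){2}\[(?P<msg>.*)\]\s*$")
CHECKPOINT_RE = re.compile(r"\[CHECKPOINT = (\w+)\]")
RESPONSE_RE = re.compile(r"SAML2Response=(\w+)")
REASON_RE = re.compile(r"failed\. Reason: (\w+)")
HTTP_RE = re.compile(r"Sending HTTP Error (\d+)")

def failed_transactions(lines):
    """Group trace lines by transaction ID; return only the failed ones."""
    txns = defaultdict(lambda: {"checkpoints": [], "saml2_response": None,
                                "reason": None, "http_error": None})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an FWSTrace line (blank, wrapped, other log)
        t, msg = txns[m["txn"]], m["msg"]
        t["checkpoints"] += CHECKPOINT_RE.findall(msg)
        for key, rx in (("saml2_response", RESPONSE_RE), ("reason", REASON_RE),
                        ("http_error", HTTP_RE)):
            hit = rx.search(msg)
            if hit:
                t[key] = hit.group(1)
    failed = {k: v for k, v in txns.items() if v["reason"]}
    for v in failed.values():
        # Signature from this article: the assertion generator answered NO.
        # On a match, check the session store and the realm's persistent flag.
        v["matches_article"] = (v["reason"] == "FAILED_INVALID_RESPONSE_RETURNED"
                                and v["saml2_response"] == "NO")
    return failed

# Constructed sample: message text copied from this page; the transaction
# IDs "txn-A" and "txn-B" are made up (the page redacts the real ones).
SAMPLE = """\
[06/15/2017][09:32:42][2016][4212][txn-A][SSO.java][processAssertionGeneration][Request to policy server for generating saml2 assertion/artifact based on selected profile. [CHECKPOINT = SSOSAML2_GENERATEASSERTIONORARTIFACT_REQ]]
[06/15/2017][09:32:43][2016][4212][txn-B][SSO.java][processAssertionGeneration][Transient IP check: false]
[06/15/2017][09:32:45][2016][4212][txn-A][SSO.java][processAssertionGeneration][Received the assertion/artifact response based on profile selected. [CHECKPOINT = SSOSAML2_RECEIVEDASSERTION_RSP]]
[06/15/2017][09:32:45][2016][4212][txn-A][SSO.java][processAssertionGeneration][Received the following response from SAML2 assertion generator: SAML2Response=NO.]
[06/15/2017][09:32:45][2016][4212][txn-A][SSO.java][processAssertionGeneration][Transaction with ID: txn-A failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]
[06/15/2017][09:32:45][2016][4212][txn-A][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]
""".splitlines()

if __name__ == "__main__":
    for txn, info in failed_transactions(SAMPLE).items():
        print(txn, info)
```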

 

Additional Information

 

  1. Configure Single Logout
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/legacy-federation/use-a-sample-configuration-to-learn-about-legacy-federation/add-functionality-to-the-federation-deployment.html

  2. (Optional) Configure Single Logout
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/legacy-federation/configure-a-saml-2-0-identity-provider/optional-configure-single-logout.html

  3. Enable Single Logout
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/legacy-federation/configure-a-saml-2-0-service-provider/enable-single-logout.html

  4. SSO and SLO Dialog (SAML 2.0 IdP)
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/using/administrative-ui/federation-partnerships-reference/sso-and-slo-dialog-saml-2-0-idp.html