Issue creating SAML Service Provider

Article ID: 74960

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Creating a SAML Service Provider object in the Administrative UI fails with the error "Failed to create the backing Agent."

In SMPS log: 

[29811/47576845911808][Wed Dec 06 2017 14:51:12][BackingObjects.cpp:192][SaveBackingAgent][ERROR][sm-xobfss-00040] Failed to create the backing Agent. 
[29811/47576845911808][Wed Dec 06 2017 14:51:12][SAMLSP.cpp:182][PreAction][ERROR][sm-xobfss-00250] Failed to create the backing Agent for the SAML Service Provider CA.SM::[email protected](vsp). 
[29811/47576845911808][Wed Dec 06 2017 14:51:12][XPSPolicyData.cpp:992][PreAction][WARN][Assert] Assert failed: Base -> PreAction(Action) 

In Server.log: 

2017-12-06 14:51:12,416 ERROR [com.ca.siteminder.rpc.rpc.ClientDispatcher] (Thread-999 (HornetQ-client-global-threads-619391994)) fault ServerException(sm-xobfss-00040:Failed to create the backing Agent.) object.create 'SAMLv2SP' 
2017-12-06 14:51:12,419 ERROR [com.ca.siteminder.framework.xps.XPSManagedObject] (Thread-999 (HornetQ-client-global-threads-619391994)) Failed to create managed object 

In smtrace log: 
[12/06/2017][14:51:12.415][29811][47576845911808][({ €E+][LogMessage:ERROR: Failed to create the backing Agent.][][][][SaveBackingAgent][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][] 
[12/06/2017][14:51:12.415][29811][47576845911808][Øm €E+][LogMessage:ERROR: Failed to create the backing Agent for the SAML Service Provider CA.SM::[email protected](vsp).][][][][PreAction][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][] 
[12/06/2017][14:51:12.415][29811][47576845911808][8i €E+][LogMessage:WARN: Assert failed: Base -> PreAction(Action)][][][][PreAction][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][] 


Reviewing the policy store LDIF reveals multiple corruption errors such as: 
xpsObject:3421 cannot find the associated XPS Extension object:31-6dc899c1-2680-4660-ad34-da7ca07438d2 

In this use case, there was originally an attempt to import the objects from another environment, but later more objects were manually created with the Administrative UI.

 

How do you create a SAML Service Provider object in the Administrative UI when you get an error such as "Failed to create the backing Agent."?

Environment

RHEL 7.2 x86_64 
Policy Server 12.6 sp02 
Policy Store IBM Directory Server 6.3.1 
WebAgent 12.52 sp01 cr04 
WebAgent Option Pack 12.52 sp01 cr0

 

Resolution

A CA SSO Administrator familiar with XPS corruption and XPSExplorer usage needs to clean up the corrupt objects using XPSExplorer. The actions taken for this use case are shown below as an example.

A leftover junk agent named samlsp:vsp prevents creation of the SAMLv2SP named "vsp". The agent should be deleted with JXplorer or XPSExplorer; XPSExplorer is the better choice.
 
dn: smAgentOID4=01-00093add-9ef2-1a1f-90eb-5fa5ac1df72a,ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,dc=siteminder
objectclass: smAgent5
objectclass: top
smAgentOID4: 01-00093add-9ef2-1a1f-90eb-5fa5ac1df72a
cn: samlsp:vsp
smAgentTypeOID4: 10-fbe22c2f-ce96-4465-a8f3-45219bdd5232
description: * Please do not edit this *
smRealmHintID4: 0
 
Using XPSExplorer, you also need to manually delete the 2 XPS stubs together with the smAgent5:
 
dn: xpsNumber=0000005129,ou=XPS,ou=policysvr4,ou=siteminder,ou=netegrity,dc=siteminder
objectclass: top
objectclass: xpsObject
xpsNumber: 0000005129
xpsCategory: 2
xpsClass: 3
xpsGUID: 01-00093add-9ef2-1a1f-90eb-5fa5ac1df72a
xpsSortKey: 2-0000005129
xpsUpdateBy: un56
xpsUpdateMethod: 5
ibm-entryuuid: c8b4c640-69df-1037-8399-9293ba430f2d
 
dn: xpsXID=CA.SM::[email protected],ou=XPS,ou=policysvr4,ou=siteminder,ou=netegrity,dc=siteminder
objectclass: top
objectclass: xpsXIDKey
xpsXID: CA.SM::[email protected]
xpsIndexedObject: xpsNumber=0000005129,ou=XPS,ou=policysvr4,ou=siteminder,ou=netegrity,dc=siteminder
ibm-entryuuid: c8b4c640-69df-1037-839a-9293ba430f2d
 
When corruption occurs, orphaned objects are sometimes left behind in the policy store. These objects usually do not show in the Administrative UI because they are missing either the XPS stub or the original SM base object. Both of these associated objects must be present for the object to appear in the UI, along with its other associated objects (such as children or parent objects).
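
Before deleting anything in XPSExplorer, the three linked entries (the backing smAgent5, its xpsObject stub, and the xpsXIDKey pointing at that stub) can be located read-only in an LDIF export of the policy store. The Python below is an added example, not CA/Broadcom code: the function names are hypothetical, the sample LDIF is constructed, and it assumes plain LDIF without base64 values or folded lines.

```python
# Constructed sample export; the OIDs, XID value and suffix are made up for illustration.
SAMPLE_LDIF = """\
dn: smAgentOID4=01-aaaa,ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,dc=example
objectclass: smAgent5
smAgentOID4: 01-aaaa
cn: samlsp:vsp

dn: xpsNumber=0000000101,ou=XPS,ou=policysvr4,ou=siteminder,ou=netegrity,dc=example
objectclass: xpsObject
xpsGUID: 01-aaaa

dn: xpsXID=EXAMPLE-XID-1,ou=XPS,ou=policysvr4,ou=siteminder,ou=netegrity,dc=example
objectclass: xpsXIDKey
xpsIndexedObject: xpsNumber=0000000101,ou=XPS,ou=policysvr4,ou=siteminder,ou=netegrity,dc=example

dn: smAgentOID4=01-bbbb,ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,dc=example
objectclass: smAgent5
smAgentOID4: 01-bbbb
cn: webagent1
"""

def parse_ldif(text):
    """Parse plain LDIF (no base64 values or folded lines) into lowercase-keyed dicts."""
    entries, entry = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():            # a blank line ends the current entry
            if "dn" in entry:
                entries.append(entry)
            entry = {}
        elif ": " in line and not line.startswith("#"):
            key, value = line.split(": ", 1)
            entry.setdefault(key.lower(), []).append(value.strip())
    return entries

def one(entry, attr):
    return entry.get(attr.lower(), [""])[0]
def norm_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))

def find_leftovers(entries, sp_name):
    """Return DNs of the samlsp:<sp_name> agent(s), their XPS stubs and XID keys."""
    want = f"samlsp:{sp_name}".lower()
    agents = [e for e in entries if one(e, "smAgentOID4") and one(e, "cn").lower() == want]
    oids = {one(a, "smAgentOID4") for a in agents}
    stubs = [e for e in entries if one(e, "xpsGUID") in oids]   # stub's xpsGUID == agent OID
    stub_dns = {norm_dn(one(s, "dn")) for s in stubs}
    keys = [e for e in entries if norm_dn(one(e, "xpsIndexedObject")) in stub_dns]
    return {kind: [one(e, "dn") for e in group]
            for kind, group in (("agent", agents), ("xps_stub", stubs), ("xid_key", keys))}
```

Calling find_leftovers(parse_ldif(export_text), "vsp") on a real export lists the DNs to review; an empty "xps_stub" or "xid_key" list alongside a non-empty "agent" list is itself a sign of the orphaning described above.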