ADFS Federation Failed - AuthReason=49

Article ID: 117524

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

We have configured a Federation partnership with ADFS, where ADFS is the IdP and CA SSO R12.8 is the SP. We get an HTTP 500 error when the browser is redirected to https://my.domain.com/affwebservices/public/saml2assertionconsumer with the SAML response.

In the logs we see the following:
[10/10/2018][12:43:03][20804][121763075886305][11cxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-310][AssertionConsumer.java][processSAMLResponse][authenticateUser failed: 1]
[10/10/2018][12:43:03][20804][121763075886305][11cxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-310][AssertionConsumer.java][redirectLoginFailure][AuthReason=49]
[10/10/2018][12:43:03][20804][121763075886305][11cxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-310][AssertionConsumer.java][redirectLoginFailure][Redirect Mode="0" URL="null"]
[10/10/2018][12:43:03][20804][121763075886305][11cxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-310][AssertionConsumer.java][redirectLoginFailure][Ending SAML2 AssertionConsumer Service request processing with HTTP error 500]
[10/10/2018][12:43:03][20804][121763075886305][11cxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-310][AssertionConsumer.java][redirectLoginFailure][Transaction with ID: 11cxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-310-310 failed. Reason: ACS_FAILED_PROCESS_FAILURE]

What could be causing this error? How can we solve it?
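The FWSTrace.log lines above are bracket-delimited fields, so a small triage script can group them by transaction ID and pull out the AuthReason, the failure reason and the HTTP error for each failed request. The script below is an added example written for this article, not CA SSO's own tooling; the log text it runs on is constructed from the excerpt above (transaction IDs shortened, the second transaction invented to show grouping), and the only AuthReason it knows is 49, as documented here.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the FWSTrace.log excerpt above with the
# transaction ids shortened; the second transaction is invented to show grouping.
SAMPLE_LOG = """\
[10/10/2018][12:43:03][20804][121763075886305][11cxxxxx-310][AssertionConsumer.java][processSAMLResponse][authenticateUser failed: 1]
[10/10/2018][12:43:03][20804][121763075886305][11cxxxxx-310][AssertionConsumer.java][redirectLoginFailure][AuthReason=49]
[10/10/2018][12:43:03][20804][121763075886305][11cxxxxx-310][AssertionConsumer.java][redirectLoginFailure][Redirect Mode="0" URL="null"]
[10/10/2018][12:43:03][20804][121763075886305][11cxxxxx-310][AssertionConsumer.java][redirectLoginFailure][Ending SAML2 AssertionConsumer Service request processing with HTTP error 500]
[10/10/2018][12:43:03][20804][121763075886305][11cxxxxx-310][AssertionConsumer.java][redirectLoginFailure][Transaction with ID: 11cxxxxx-310-310 failed. Reason: ACS_FAILED_PROCESS_FAILURE]
[10/10/2018][12:44:10][20804][121763075886999][22dyyyyy-311][AssertionConsumer.java][processSAMLResponse][constructed line for a second, successful transaction]
"""

# One bracketed field per group: date, time, pid, thread, transaction id,
# source file, method, free-text message (the last field may contain quotes).
LINE_RE = re.compile(
    r"^\[([^\]]*)\]\[([^\]]*)\]\[([^\]]*)\]\[([^\]]*)\]\[([^\]]*)\]"
    r"\[([^\]]*)\]\[([^\]]*)\]\[(.*)\]$"
)

# Only the code this article documents; extend it from your own traces.
KNOWN_AUTH_REASONS = {49: "problem with the assertion content (see Resolution)"}


def parse_line(line):
    """Split one FWSTrace.log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, time, pid, thread, txn, src, method, msg = m.groups()
    return {"date": date, "time": time, "pid": pid, "thread": thread,
            "txn": txn, "src": src, "method": method, "msg": msg}


def triage_failures(log_text):
    """Group lines by transaction id and extract AuthReason, failure reason and HTTP error.

    Returns only the transactions that recorded a failure indicator.
    """
    txns = defaultdict(lambda: {"auth_reason": None, "auth_reason_hint": None,
                                "failure_reason": None, "http_error": None, "lines": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        t = txns[rec["txn"]]
        t["lines"] += 1
        msg = rec["msg"]
        if m := re.search(r"AuthReason=(\d+)", msg):
            code = int(m.group(1))
            t["auth_reason"] = code
            t["auth_reason_hint"] = KNOWN_AUTH_REASONS.get(code, "not documented here")
        if m := re.search(r"failed\. Reason: (\S+)", msg):
            t["failure_reason"] = m.group(1)
        if m := re.search(r"HTTP error (\d+)", msg):
            t["http_error"] = int(m.group(1))
    return {txn: t for txn, t in txns.items()
            if t["auth_reason"] is not None or t["failure_reason"] is not None}


if __name__ == "__main__":
    for txn, info in triage_failures(SAMPLE_LOG).items():
        print(txn, info)
```

Feed it the real FWSTrace.log contents instead of SAMPLE_LOG; the transaction ID it groups on is the fifth bracketed field, which is the same ID you need when correlating with the Policy Server trace.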

Environment

Policy Server R12.8 on Linux
Access Gateway R12.8 on Linux

Resolution

This error (ACS_FAILED_PROCESS_FAILURE) can have several causes, so it is important to check the Policy Server traces carefully, along with FWSTrace.log, to understand why it happens. AuthReason=49 points to a problem with the Assertion and how it is formed.

In this case the problem was that the Audience value sent by ADFS did not exactly match the SP Entity ID configured in CA SSO; after correcting it, the issue was resolved.
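Because the Audience is compared with the SP Entity ID as an exact string, a trailing slash, a case difference or http versus https is enough to produce this failure. The script below is an added example, not part of this article or of the product: it parses a constructed, unsigned SAML Response, extracts the Audience values from the assertion and reports whether one of them matches the expected Entity ID exactly, pointing out near misses that an eyeball comparison tends to skip. The hostnames, entity IDs and the ADFS issuer value in it are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned SAML Response: the Audience differs from the SP Entity ID
# checked below only by a trailing slash, which is enough to fail an exact comparison.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2018-10-10T12:43:03Z"
    Destination="https://my.domain.com/affwebservices/public/saml2assertionconsumer">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-10-10T12:43:03Z">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2018-10-10T12:38:03Z" NotOnOrAfter="2018-10-10T12:48:03Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://my.domain.com/sp/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def extract_audiences(response_xml):
    """Return every Audience value found under the assertion's AudienceRestriction."""
    # For responses captured from untrusted sources, parse with defusedxml instead.
    root = ET.fromstring(response_xml)
    path = ".//saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return [a.text.strip() for a in root.findall(path, NS) if a.text]


def _loose(value):
    """Normalisation used only to explain a near miss, never to accept one."""
    return value.strip().rstrip("/").lower()


def check_audience(response_xml, sp_entity_id):
    """Exact-match check of Audience against the SP Entity ID, with a hint on near misses."""
    audiences = extract_audiences(response_xml)
    if not audiences:
        return {"ok": False, "audiences": [], "hint": "assertion carries no AudienceRestriction"}
    if sp_entity_id in audiences:
        return {"ok": True, "audiences": audiences, "hint": None}
    near = [a for a in audiences if _loose(a) == _loose(sp_entity_id)]
    if near:
        hint = (f"near miss: IdP sent {near[0]!r}, SP expects {sp_entity_id!r}; "
                "compare trailing slash, case and scheme with what ADFS is configured to send")
    else:
        hint = f"no audience matches {sp_entity_id!r}; IdP sent {audiences!r}"
    return {"ok": False, "audiences": audiences, "hint": hint}


if __name__ == "__main__":
    print(check_audience(SAMPLE_RESPONSE, "https://my.domain.com/sp"))
    print(check_audience(SAMPLE_RESPONSE, "https://my.domain.com/sp/"))
```

To use it on a real case, base64-decode the SAMLResponse form parameter from the POST to saml2assertionconsumer and pass the resulting XML as response_xml together with the SP Entity ID configured in the CA SSO partnership. The check is diagnostic only; it does not validate the assertion signature or the Conditions time window, which the ACS still enforces.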