Error: Denying request due to "NO" from SAML2 assertion generator

Article ID: 250099


Products

SITEMINDER
CA Single Sign On Federation (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction


The new SAML Partnership fails with a 500 error in the browser.

Checking the FWSTrace.log shows the following messages:

[09/05/2022][19:37:31][6392][139941262227200][][SSO.java][processAssertionGeneration][Received the following response from SAML2 assertion generator: SAML2Response=NO.]

[09/05/2022][19:37:31][6392][139941262227200][][SSO.java][processAssertionGeneration][Transaction with ID: <value> failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]

[09/05/2022][19:37:31][6392][139941262227200][][SSO.java][processAssertionGeneration][Denying request due to "NO" returned from SAML2 assertion generator.]

[09/05/2022][19:37:31][6392][139941262227200][][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]

The Assertion Generation occurs on the Policy Server. Reviewing the smps.log shows the following messages:    

[97320/139896865937152][Mon Sep 05 2022 16:37:31][SmSessionServer.cpp:785][ERROR][sm-Server-06007] failed. Error code : 2

[97320/139896865937152][Mon Sep 05 2022 16:37:31][IsAuthorized.cpp:68][ERROR][sm-Server-02740] SmSessionVariableProvider::SetSessionVariable() - SetVariable Failed for : StateSLO.SP.<value>

[97320/139896865937152][Mon Sep 05 2022 16:37:31][AssertionGenerator.java][ERROR][sm-FedServer-00130] postProcess() returns fatal error. Can not save the SLO information into session store.

[97320/139896840759040][Mon Sep 05 2022 16:37:31][Scanner.h:86][yyerror][ERROR][sm-xpsxps-06180] Unrecognized character: "Syntax error"

The issue is that SLO is configured but the information can't be saved.

 

Cause


Error code 2 from SmSessionServer.cpp indicates that the session store failed to save the session information. Further discussion confirmed that Persistent Sessions were not enabled.

The documentation lists the federation features that require a Session Store (1).
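The correlation between the two logs can be scripted. The following Python is an added example, not part of the original article or of SiteMinder: it groups the smps.log errors by thread and reports the signature described here (SAML2Response=NO in FWSTrace.log, plus sm-Server-06007 with error code 2 and sm-FedServer-00130 on the same Policy Server thread). The function names and the assumed [pid/tid] field layout are illustrative assumptions; the sample input is the set of log lines quoted above.

```python
import re
from collections import defaultdict

# Sample input: log lines quoted in this article.
FWS_TRACE = """\
[09/05/2022][19:37:31][6392][139941262227200][][SSO.java][processAssertionGeneration][Received the following response from SAML2 assertion generator: SAML2Response=NO.]
[09/05/2022][19:37:31][6392][139941262227200][][SSO.java][processAssertionGeneration][Denying request due to "NO" returned from SAML2 assertion generator.]
[09/05/2022][19:37:31][6392][139941262227200][][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]
"""
SMPS_LOG = """\
[97320/139896865937152][Mon Sep 05 2022 16:37:31][SmSessionServer.cpp:785][ERROR][sm-Server-06007] failed. Error code : 2
[97320/139896865937152][Mon Sep 05 2022 16:37:31][IsAuthorized.cpp:68][ERROR][sm-Server-02740] SmSessionVariableProvider::SetSessionVariable() - SetVariable Failed for : StateSLO.SP.<value>
[97320/139896865937152][Mon Sep 05 2022 16:37:31][AssertionGenerator.java][ERROR][sm-FedServer-00130] postProcess() returns fatal error. Can not save the SLO information into session store.
[97320/139896840759040][Mon Sep 05 2022 16:37:31][Scanner.h:86][yyerror][ERROR][sm-xpsxps-06180] Unrecognized character: "Syntax error"
"""

# Assumed smps.log layout: [pid/tid][timestamp][source]...[ERROR][code] message
SMPS_ERROR = re.compile(
    r"^\[\d+/(?P<tid>\d+)\]\[[^\]]+\]\[(?P<src>[^\]]+)\](?:\[[^\]]+\])*?"
    r"\[ERROR\]\[(?P<code>sm-\w+-\d+)\]\s*(?P<msg>.*)$")

def smps_errors_by_thread(text):
    """Group smps.log ERROR entries by thread ID, keeping file order."""
    threads = defaultdict(list)
    for line in text.splitlines():
        m = SMPS_ERROR.match(line.strip())
        if m:
            threads[m["tid"]].append((m["code"], m["src"], m["msg"]))
    return dict(threads)

def diagnose(fws_text, smps_text):
    """Return (thread, finding) pairs when this article's signature is present."""
    if "SAML2Response=NO" not in fws_text:
        return []
    findings = []
    for tid, entries in smps_errors_by_thread(smps_text).items():
        codes = [code for code, _, _ in entries]
        store_fail = any(code == "sm-Server-06007" and "Error code : 2" in msg
                         for code, _, msg in entries)
        if store_fail and "sm-FedServer-00130" in codes:
            findings.append((tid,
                "SLO state not saved: check that Persistent Sessions are "
                "enabled and the Session Store is configured"))
    return findings

if __name__ == "__main__":
    for tid, finding in diagnose(FWS_TRACE, SMPS_LOG):
        print(f"thread {tid}: {finding}")
```

Grouping by thread also shows that the sm-xpsxps-06180 entry was logged on a different thread ID than the three session-store errors.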

 

Resolution


Once Persistent Sessions were enabled and the Session Store was configured, the SAML transactions succeeded.

 

Additional Information

 

  1. Federation Features Requiring the Session Store
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/partnership-federation/federation-features-requiring-the-session-store.html