Error: FAILED_INVALID_RESPONSE_RETURNED by enabling SLO in Federation


Article ID: 7260


Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On, SITEMINDER, CA Single Sign On Federation (SiteMinder)

Issue/Introduction

 

When enabling SLO (Single Logout) for a Federation Partnership that otherwise works properly, the following errors show up even though SLO has been configured as per the documentation (1)(2)(3)(4):

-- FWSTrace.log:

[06/15/2017][09:32:42][2016][4212][<Transaction ID>][SSO.java][processAssertionGeneration][Calling authorizeEx to invoke SAML2 assertion generator.]
[06/15/2017][09:32:42][2016][4212][<Transaction ID>][SSO.java][processAssertionGeneration][Request to policy server for generating saml2 assertion/artifact based on selected profile. [CHECKPOINT = SSOSAML2_GENERATEASSERTIONORARTIFACT_REQ]]
[06/15/2017][09:32:42][2016][4212][<Transaction ID>][SSO.java][processAssertionGeneration][Transient IP check: false]
[06/15/2017][09:32:45][2016][4212][<Transaction ID>][SSO.java][processAssertionGeneration][Result of authorizeEx call is: 1.]
[06/15/2017][09:32:45][2016][4212][<Transaction ID>][SSO.java][processAssertionGeneration][Received the assertion/artifact response based on profile selected. [CHECKPOINT = SSOSAML2_RECEIVEDASSERTION_RSP]]
[06/15/2017][09:32:45][2016][4212][<Transaction ID>][SSO.java][processAssertionGeneration][Not enforcing ForceAuthnTimeouts.]
[06/15/2017][09:32:45][2016][4212][<Transaction ID>][SSO.java][processAssertionGeneration][Received the following response from SAML2 assertion generator: SAML2Response=NO.]
[06/15/2017][09:32:45][2016][4212][<Transaction ID>][SSO.java][processAssertionGeneration][Transaction with ID: <Transaction ID> failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]
[06/15/2017][09:32:45][2016][4212][<Transaction ID>][SSO.java][processAssertionGeneration][Denying request due to "NO" returned from SAML2 assertion generator.]
[06/15/2017][09:32:45][2016][4212][<Transaction ID>][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]

-- Affwebservices.log:

[2016/4212][Thu Jun 15 2017 09:32:45][SSO.java][ERROR][sm-FedClient-02890] sm-FedClient-02890 (<Transaction ID>, FAILED_INVALID_RESPONSE_RETURNED, , , )

 

Environment

 

Policy Server: 12.8.x

 

Cause

 

SLO requires a Session Store and a persistent realm.

 

Resolution

 

Enable the Persistent flag on the realm when configuring SLO in the partnership.
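To confirm which transactions in FWSTrace.log hit this condition before changing the realm, the following added example (not Broadcom tooling and not part of the original article) correlates trace lines by transaction ID and flags the signature shown above. It assumes the bracketed line layout of the excerpt in this article; the transaction IDs in the sample are constructed.

```python
import re
from collections import defaultdict

# Layout seen in this article's FWSTrace.log excerpt:
# [date][time][pid][tid][transaction id][source][method][message]
LINE_RE = re.compile(r"^((?:\[[^\]]*\]){4})\[(?P<txn>[^\]]*)\]"
                     r"\[(?P<src>[^\]]*)\]\[(?P<method>[^\]]*)\]\[(?P<msg>.*)\]$")
FIELDS = {
    "reason": re.compile(r"failed\. Reason: (\w+)"),
    "saml2_response": re.compile(r"SAML2Response=(\w+)"),
    "authorize_ex": re.compile(r"Result of authorizeEx call is: (\d+)"),
    "http_error": re.compile(r"Sending HTTP Error (\d+)"),
}

def failed_transactions(lines):
    """Correlate trace lines by transaction ID; return only failed ones."""
    txns = defaultdict(dict)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a trace line in the expected layout
        for name, rx in FIELDS.items():
            hit = rx.search(m["msg"])
            if hit:
                txns[m["txn"]][name] = hit.group(1)
    return {t: f for t, f in txns.items() if "reason" in f}

def matches_article_signature(fields):
    """True for the pattern in this article: generator answered NO and the
    transaction failed with FAILED_INVALID_RESPONSE_RETURNED."""
    return (fields.get("reason") == "FAILED_INVALID_RESPONSE_RETURNED"
            and fields.get("saml2_response") == "NO")

# Constructed sample: message texts copied from the article, transaction IDs invented.
PFX = "[06/15/2017][09:32:45][2016][4212]"
SRC = "[SSO.java][processAssertionGeneration]"
SAMPLE = [
    f"{PFX}[txn-0001]{SRC}[Result of authorizeEx call is: 1.]",
    f"{PFX}[txn-0002]{SRC}[Result of authorizeEx call is: 1.]",
    f"{PFX}[txn-0001]{SRC}[Received the following response from SAML2 assertion generator: SAML2Response=NO.]",
    f"{PFX}[txn-0001]{SRC}[Transaction with ID: txn-0001 failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]",
    f"{PFX}[txn-0001][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]",
]

if __name__ == "__main__":
    for txn, fields in failed_transactions(SAMPLE).items():
        if matches_article_signature(fields):
            print(f"{txn}: {fields} -> check session store and realm Persistent flag")
```

A transaction that matches has authorizeEx succeeding but the assertion generator answering NO, which is the case this article attributes to a missing session store or a non-persistent realm.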

 

 

Additional Information

 

  1. Configure Single Logout
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/legacy-federation/use-a-sample-configuration-to-learn-about-legacy-federation/add-functionality-to-the-federation-deployment.html

  2. (Optional) Configure Single Logout
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/legacy-federation/configure-a-saml-2-0-identity-provider/optional-configure-single-logout.html

  3. Enable Single Logout
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/legacy-federation/configure-a-saml-2-0-service-provider/enable-single-logout.html

  4. SSO and SLO Dialog (SAML 2.0 IdP)
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/using/administrative-ui/federation-partnerships-reference/sso-and-slo-dialog-saml-2-0-idp.html