Tech Tip : CA Single Sign-On : Unable to locate parent for "CA.SM::SAMLv2IdP" object error

Document created by Albert_Fernandez Employee on Jul 6, 2017
Version 1Show Document
  • View in full screen mode


We are upgrading our Policy Servers and Policy Store from 12.0 SP3 to 12.52 SP1 and when we run the XPSImport smpolicy.xml command as mentioned in the documentation for a Policy Store upgrade process, we see the following error:


[7278/1][Mon Sep 19 2016 16:34:58][Validate.cpp:680][Validate][WARN][sm-xpsxps-03250] CA.SM::SAMLv2IdP@21-6d946e97-0138-165a-7e8d-137534702cb3(myobject): Required parent missing.


Also, if we try to export the store for troubleshooting, the export completes successfully but we see the following warning message in the log:


(WARN) : [sm-xpsxps-04960] Unable to locate parent for "CA.SM::SAMLv2IdP@21-6d946e97-0138-165a-7e8d-137534702cb3(myobject)". Skipping.


What is this object, and wow can we solve this error?


Policy Server R12.52 SP1


When you create an Authentication Scheme, you create SAML2.0 configurations along with it. The object seen is from such configuration. Later, if you delete the Authentication Scheme, this SAML2.0 config object doesn't get deleted and it is kept in the Policy Store. And because the related Authentication Scheme doesn't exist anymore, then it report the warning :

     CA.SM::SAMLv2IdP@21-6d946e97-0138-165a-7e8d-137534702cb3(myobject): Required parent missing.


To solve the issue and to insure that this object isn't related to any Authentication Scheme anymore, you need to check the object validity through XPSExplorer:


- Open XPSExplorer tool from a command line on your Policy Server.
- In the "Main menu", type the option number for SAMLv2IdP (could be number 144) and hit enter
- Type S and hit enter to show the current objects of this type. You should see the one named as shown in the error (i.e. "myobject")
- Type the corresponding number for the object (located at the beginning of the entry), and hit enter.
- On the header displayed, you will see a "Parent" field, and should reference the Authentication Scheme where this configuration was generated.
- If you type L and hit enter, it should show you that Authentication Scheme object.
- Check also the values for SPID and KEY_IdPID, and check if those are still existing and/or valid as follows.
- Return to the Main Menu (by typing Q and hitting enter until you reach there) and check SPBase objects to find the SPID referenced:
- Type the value for SPbase* and hit enter
- Type S and hit enter. You should find a partnership matching the SPID you have found before.
- Repeat the same steps for IdPbase* menu, for the KEY_IdPID value.


If any of those IDs are not matching anymore any object, or the authentication scheme is empty or not existing anymore, you may want to delete this SAML Config object as it could be an old configuration which has not been removed properly.



Additional Information: