Tech Tip : CA Single Sign-On : Long assertion being truncated on Policy Server

Document created by Albert_Fernandez Employee on Dec 1, 2017
Version 1

Question:

We have some users who are not able to log in through WSFederation, and we found out that the WSFederation response generated for these users is getting truncated, as they have huge group information that needs to be sent as part of the response.

 

When checking the logs, we see that the group information in the assertion is interrupted by the characters: .]

 

...
<ns1:AttributeValue>SampleAttributeValue-351</ns1:AttributeValue>
<ns1:AttributeValue>SampleAttributeValue-352</ns1:AttributeValue>
      .]
     
Could it be that the Policy Server is truncating it because it is a very long assertion? How can we fix this?

Environment:

Policy Server R12.52 SP1 CR00 on Windows 2008 R2

Answer:

When the IdP generates an assertion that is very long, exceeding 48K, the Policy Server truncates it and sends the truncated assertion to the WAOP on the IdP side.

This is fixed in R12.52 SP1 CR06:

 

00236681 DE102140 Policy Server truncates assertion data if the size of active response in assertion exceeds 48K.
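To confirm whether an assertion copied from the logs shows this symptom, the following added example (not CA code and not part of the original document) parses it, counts the AttributeValue elements that were fully closed, and checks for the trailing `.]` marker. It assumes "48K" means 48 KiB; the sample assertion, the `ns1:Assertion` and `ns1:Attribute` wrapper elements and the cut point are constructed for illustration.

```python
import xml.parsers.expat

LIMIT = 48 * 1024   # assumption: the page's "48K" read as 48 KiB
MARKER = ".]"       # characters the page shows where the logged assertion stops

def check_assertion(text):
    """Parse a logged assertion and report whether it looks truncated."""
    data = text.encode("utf-8")
    complete = 0

    def on_end(name):
        nonlocal complete
        if name.split(":")[-1] == "AttributeValue":
            complete += 1          # count only values that were closed

    parser = xml.parsers.expat.ParserCreate()
    parser.EndElementHandler = on_end
    error = None
    try:
        parser.Parse(data, True)   # True = this is the final chunk
    except xml.parsers.expat.ExpatError as exc:
        error = "line %d: %s" % (exc.lineno, xml.parsers.expat.ErrorString(exc.code))
    return {
        "size_bytes": len(data),
        "over_48k": len(data) > LIMIT,
        "well_formed": error is None,
        "parse_error": error,
        "complete_values": complete,
        "ends_with_marker": text.rstrip().endswith(MARKER),
    }

def build_sample(n_values):
    """Constructed assertion body with n_values group attribute values."""
    values = "\n".join(
        "<ns1:AttributeValue>SampleAttributeValue-%d</ns1:AttributeValue>" % i
        for i in range(1, n_values + 1))
    return ('<ns1:Assertion xmlns:ns1="urn:example:constructed"><ns1:Attribute>\n'
            + values + "\n</ns1:Attribute></ns1:Assertion>")

def simulate_truncation(text):
    """Constructed stand-in for the log symptom: cut near LIMIT, append marker."""
    return text[:LIMIT].rsplit("\n", 1)[0] + "\n      " + MARKER

if __name__ == "__main__":
    full = build_sample(1000)
    for label, doc in (("full", full), ("truncated", simulate_truncation(full))):
        print(label, check_assertion(doc))
```

An assertion that is not well formed and ends with the marker matches the symptom in the question; `complete_values` shows how many group values survived the cut.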

 
