Symantec Access Management

  • 1.  Getting 500 Error with Transaction ID for a SP Initiated SSO

    Posted Nov 18, 2016 04:45 PM

    Hi

     

    We are getting the below error in smps.log during the SP-initiated SSO call for one of our on-premise partners:

     

    [AssertionGenerator.java][ERROR][sm-FedServer-00080] preProcess() returns fatal error. <Response ID="_37bf9cd57f08587fa174a8bcadbc3137abe2" InResponseTo="_15b9ce6e5fad2789c8cdc011225cca16" IssueInstant="2016-11-18T21:24:37Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
    <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">IDP Entity ID</ns1:Issuer>
    <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </StatusCode>
    <StatusMessage>Request did not fulfill security requirements!</StatusMessage>
    </Status>
    </Response>

     

    Could anyone suggest / share your thoughts on this federation issue?

     

    Thanks!



  • 2.  Re: Getting 500 Error with Transaction ID for a SP Initiated SSO

    Posted Nov 18, 2016 04:58 PM

    Hi Teja,


    Look at the policy server trace log; it should have more indication of what happened and why it failed.


    This thread may also be related:

    https://communities.ca.com/thread/241753845


    Regards,

    Ujwol



  • 3.  Re: Getting 500 Error with Transaction ID for a SP Initiated SSO

    Posted Nov 19, 2016 12:19 PM

    I am seeing [** Status: Authorized. ] in the profiler logs, but the SAML Response is not getting generated.



  • 4.  Re: Getting 500 Error with Transaction ID for a SP Initiated SSO

    Posted Nov 19, 2016 04:58 PM

    Hi Teja,


    We will need full smtrace. If you can't attach it here, do you mind sending it via email (communities)?


    Regards,

    Ujwol



  • 5.  Re: Getting 500 Error with Transaction ID for a SP Initiated SSO

    Posted Nov 20, 2016 06:02 PM

    Copied response from duplicate thread:

    Hi Teja,

     

    Logs shared in a Communities post are accessible by everyone.

     

    The security requirement fulfilment error may relate to a signed AuthNRequest. The IdP needs the matching public certificate to verify the SP signature. To confirm whether that's the cause, please test with AuthNRequest signing disabled.

     

    Common causes of the error: the IDP either does not have the certificate to verify the signature of the AuthNRequest, or the certificate selected on the IDP partnership has certIssuerDN and certserial values equal to null.



  • 6.  Re: Getting 500 Error with Transaction ID for a SP Initiated SSO
    Best Answer

    Posted Nov 20, 2016 06:54 PM

    Hi Teja,

     

    I was able to replicate the issue in my lab.

     

    It seems that you have the Signed Authentication Request requirement set to YES at the IDP:

     

    However, the AuthnRequest sent by the SP is not signed.

    You can verify this by reviewing the Fiddler trace. If the AuthNRequest is signed you should see the signature as below:

     

     

    [Image: Fig. Signed AuthNRequest]

     

    In case of an unsigned AuthnRequest, you will NOT see the Signature, see below:

     

    [Image: Fig. Unsigned AuthNRequest]

     

    Also, if you have detailed tracing enabled on the Policy Server, you should see an exact error message like this in the IDP smtrace log:

     

    [11/21/2016][10:35:05][4788][a15a8888-d72d7f92-b17b0803-fc600ef2-0050a3e4-d3][AuthnRequestProtocol.java][verifySignatureOnRequest][][][][][][][][Authnrequests are required to be signed but the request did not contain a required query parameter: Signature, or SigAlg is missing.]
    [11/21/2016][10:35:05][4788][a15a8888-d72d7f92-b17b0803-fc600ef2-0050a3e4-d3][AssertionGenerator.java][invoke][][][][][][][][AssertionHandler preProcess() failed. Leaving AssertionGenerator.]

     

    Solution:

     

    Configure the SP to sign the AuthNRequest. If the SP is CA SSO, you can do this as below on the SP side of the partnership:

     

    Let me know if this works for you.

     

    Regards,

    Ujwol Shrestha

    Ujwol's Single Sign-On Blog 
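
    The check the answer above describes (look at the captured request and see whether it is signed) can be scripted. The following is an added example, not code from the thread or from CA SSO: it classifies an AuthnRequest from an HTTP-Redirect URL (where the IdP expects SigAlg and Signature query parameters, exactly what the smtrace line reports missing) or from an HTTP-POST SAMLRequest value (where a signed request carries an enveloped ds:Signature element). The sample request, the idp.example.test URL and the placeholder Signature value are constructed for the demo; the code tests presence, as preProcess() does here, not cryptographic validity.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
REQ_TAG = "{%s}AuthnRequest" % SAMLP


def inspect_redirect_url(url):
    """HTTP-Redirect binding: SAMLRequest is base64(DEFLATE(xml)) and the
    signature travels in the SigAlg and Signature query parameters, the
    parameters the IdP trace in this thread reports as missing."""
    qs = parse_qs(urlsplit(url).query)
    if "SAMLRequest" not in qs:
        return {"binding": "redirect", "is_authn_request": False, "signed": False, "missing": []}
    root = ET.fromstring(zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15))
    missing = [p for p in ("SigAlg", "Signature") if p not in qs]
    return {"binding": "redirect", "is_authn_request": root.tag == REQ_TAG,
            "signed": not missing, "missing": missing, "request_id": root.get("ID")}


def inspect_post_request(saml_request_b64):
    """HTTP-POST binding: SAMLRequest is plain base64 XML; a signed request
    carries an enveloped ds:Signature child, which is what Fiddler shows."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    return {"binding": "post", "is_authn_request": root.tag == REQ_TAG,
            "signed": root.find("{%s}Signature" % DSIG) is not None,
            "request_id": root.get("ID")}


# Constructed sample: a minimal unsigned AuthnRequest, as an SP with request
# signing disabled would send it, in both bindings.
UNSIGNED_XML = ('<samlp:AuthnRequest xmlns:samlp="%s" ID="_constructed1" Version="2.0" '
                'IssueInstant="2016-11-18T21:24:37Z"/>' % SAMLP)
POST_UNSIGNED_B64 = base64.b64encode(UNSIGNED_XML.encode()).decode()


def build_redirect_url(xml, signed):
    """Construct a Redirect-binding URL for the sample (hypothetical IdP host).
    With signed=True a placeholder Signature value is attached so the presence
    check can be exercised; it is not a real signature."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    params = {"SAMLRequest": base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()}
    if signed:
        params["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        params["Signature"] = base64.b64encode(b"placeholder").decode()
    return "https://idp.example.test/sso?" + urlencode(params)
```

    Run against a URL or SAMLRequest copied from Fiddler; a result with signed=False against a partnership that requires signed requests is the RequestDenied case seen in this thread.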



  • 7.  Re: Getting 500 Error with Transaction ID for a SP Initiated SSO

    Posted Nov 20, 2016 08:26 PM

    I disabled the Signed Authentication Requests, and it works fine.

     

     

    Thanks for all your help! I will enable the IDP SMTrace so that it will write the detailed logging.