SungHoon_Kim

Federation fails with "SAML2Response=NO" in FWSTrace.log, how do I find out what is causing this?

Blog Post created by SungHoon_Kim Employee on May 11, 2016

The Policy Server is responsible for generating the assertion, and the user must be authorized in the partnership or affiliate properties settings for it to do so.

 

When using "<PS>/config/profiler_template/samlidp_trace.template" for smtracedefault.log, the following message helped to get close to the root cause.

 

[AssertionHandler preProcess() failed. Leaving AssertionGenerator.]

 

Once you have located this message, look at the few lines above it; they should contain the information needed to determine the cause.

 

For example,

Sample1: [Web SSO HTTP Post binding is disabled in the SP configuration.]

Sample2: exceptions

 

In Sample1 above, neither the HTTP-Artifact nor the HTTP-POST method was allowed, so even though the Policy Server had collected the information needed to generate the assertion, it declined to generate one.

The solution was to enable the HTTP-POST method so that the assertion can be posted to the SP.

 

In Sample2, look for exceptions. There can be many different reasons for them, but one possibility is an expired certificate for the signing key.
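The triage described above can be scripted. The following is an added example, not part of the original post or of the product: it finds each occurrence of the failure message and returns the lines just before it, flagging any that look like exceptions. The function name, the exception pattern and the sample lines (including their timestamp layout and the `com.example` exception) are assumptions constructed for illustration, not real smtracedefault.log output.

```python
import re
from collections import deque

# Failure message quoted in the post.
MARKER = "AssertionHandler preProcess() failed"
# Assumption: a Sample2-type cause shows up as a name ending in Exception or Error.
EXCEPTION_RE = re.compile(r"\b[\w.]*(?:Exception|Error)\b")


def find_failures(lines, context=5):
    """Return [(marker_line_no, [(line_no, text, is_exception), ...]), ...].

    For every line containing MARKER, keep up to `context` preceding lines,
    which is where the post says the cause is logged.
    """
    window = deque(maxlen=context)
    results = []
    for no, raw in enumerate(lines, 1):
        text = raw.rstrip("\n")
        if MARKER in text:
            preceding = [(n, t, bool(EXCEPTION_RE.search(t))) for n, t in window]
            results.append((no, preceding))
            window.clear()  # do not reuse these lines for the next failure
        else:
            window.append((no, text))
    return results


# Constructed sample lines; the real trace layout depends on the template in use.
SAMPLE = """\
[10:00:01][Received request for assertion generation.]
[10:00:01][Web SSO HTTP Post binding is disabled in the SP configuration.]
[10:00:01][AssertionHandler preProcess() failed. Leaving AssertionGenerator.]
[10:05:12][Received request for assertion generation.]
[10:05:12][com.example.SigningException: signing certificate has expired]
[10:05:12][AssertionHandler preProcess() failed. Leaving AssertionGenerator.]
"""

if __name__ == "__main__":
    # For a real log, pass an open file object instead of SAMPLE.splitlines().
    for marker_no, preceding in find_failures(SAMPLE.splitlines(), context=3):
        print(f"failure at line {marker_no}")
        for no, text, is_exc in preceding:
            print(f"  {'EXC ' if is_exc else '    '}{no}: {text}")
```
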
