Symantec Access Management

  • 1.  sm-Server-06007 failed. Error code : 2

    Posted May 08, 2017 04:50 PM

    Hello Everyone, I am running into an issue with my session store. Hope someone can help me.

    I have a Federation partnership using an authentication URL which is protected by a persistent realm. Needed this for implementing SLO. I am able to SSO to the federation site from another application that uses persistent realms.

     

    However, when a user logs into a non-persistent realm/application, and then the user logs into our federation partnership which uses a persistent realm, the request fails to log in as the policy server is unable to write the session information to the session store while completing the SLO transaction. The error is because the authentication URL in the federation partnership never kicks in as the existing session (non-persistent) is validated by SPS and the Policy Server, but the Policy Server is not able to complete the transaction as session information cannot be stored. It looks like it's by design.

     

    Is there a workaround, or am I missing some configuration?

     

    [8019/4055206768][Mon May 08 2017 15:06:14][SmSessionServer.cpp:786][ERROR][sm-Server-06007] failed. Error code : 2
    [8019/4055206768][Mon May 08 2017 15:06:14][IsAuthorized.cpp:70][ERROR][sm-Server-02740] SmSessionVariableProvider::SetSessionVariable() - SetVariable Failed for : StateSLO.SP.21-000efdcb-796f-190b-b5ed-90340a98a0fe

    [8019/4055206768][Mon May 08 2017 15:06:14][AssertionGenerator.java][ERROR][sm-FedServer-00130] postProcess() returns fatal error. Can not save the SLO information into session stor

     

    Appreciate any insight.



  • 2.  Re: sm-Server-06007 failed. Error code : 2
    Best Answer

    Posted May 08, 2017 07:18 PM

    Hi, SamWalker.

     

    You are right.

    When you enable SLO or other features that require a persistent session stored in the session store, you need to ensure 2 things.

     

    1. AuthenticationURL is set to persistent realm (This handles the use case where the user has no session yet)

    2. A Persistent realm where the federation links are presented. (This handles the use case where the user already has a session)

     

    Your problem is the use case #2 above.

    Those federation-related entries in the session store require the user sessionid entry to be available as a parent so the child entries can be created.

     

    And because the user did not navigate to any persistent realm yet, there is no sessionid record in the session store.

    For that reason the SLO or any other federation related records cannot be created and fail.

     

    On the web page that displays the links to the federated sites, make sure that resource is set as persistent realm.

     

    An enhancement request would be the way to go.
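
Added example, not part of the thread and not vendor code: a triage script for the policy server log layout quoted in posts 1 and 3. It groups ERROR lines by process, thread and timestamp, and labels a group as an SLO state write failure when `sm-Server-06007` appears together with the `StateSLO` SetVariable failure or `sm-FedServer-00130`; the function names and the two labels are assumptions of this example.

```python
import re
from collections import defaultdict

# Layout quoted in the thread: [pid/tid][timestamp][source][LEVEL][msg-id] text
LINE_RE = re.compile(
    r"^\[(?P<pid>\d+)/(?P<tid>\d+)\]\[(?P<ts>[^\]]+)\]\[(?P<src>[^\]]+)\]"
    r"\[(?P<level>[A-Z]+)\]\[(?P<msgid>sm-[A-Za-z]+-\d+)\]\s*(?P<text>.*)$")
SLO_VAR_RE = re.compile(r"SetVariable Failed for : (StateSLO\.\S+)")

# Log lines copied from posts 1 and 3 of this thread.
SAMPLE = [
    "[8019/4055206768][Mon May 08 2017 15:06:14][SmSessionServer.cpp:786][ERROR][sm-Server-06007] failed. Error code : 2",
    "[8019/4055206768][Mon May 08 2017 15:06:14][IsAuthorized.cpp:70][ERROR][sm-Server-02740] SmSessionVariableProvider::SetSessionVariable() - SetVariable Failed for : StateSLO.SP.21-000efdcb-796f-190b-b5ed-90340a98a0fe",
    "[8019/4055206768][Mon May 08 2017 15:06:14][AssertionGenerator.java][ERROR][sm-FedServer-00130] postProcess() returns fatal error. Can not save the SLO information into session stor",
    "[15041/3991976816][Tue Aug 15 2017 21:07:54][SmSSProvider.cpp:503][ERROR][sm-Server-07004] failed.Exception :",
    "[15041/3991976816][Tue Aug 15 2017 21:07:54][SmSessionServer.cpp:535][ERROR][sm-Server-06007] failed. Error code : 3",
]

def parse(lines):
    """Yield one dict per well-formed log line; blank or malformed lines are skipped."""
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()

def triage(lines):
    """Label every (pid, tid, timestamp) group of ERROR lines that contains sm-Server-06007."""
    groups = defaultdict(list)
    for rec in parse(lines):
        if rec["level"] == "ERROR":
            groups[(rec["pid"], rec["tid"], rec["ts"])].append(rec)
    findings = []
    for (pid, tid, ts), recs in groups.items():
        ids = {r["msgid"] for r in recs}
        if "sm-Server-06007" not in ids:
            continue
        slo_vars = [m.group(1) for r in recs if (m := SLO_VAR_RE.search(r["text"]))]
        # Labels are this example's own names, not product terminology.
        slo = bool(slo_vars) or "sm-FedServer-00130" in ids
        kind = "slo_state_write_failed" if slo else "session_store_error"
        findings.append({"pid": pid, "tid": tid, "ts": ts, "kind": kind,
                         "slo_vars": slo_vars, "ids": sorted(ids)})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["ts"], f["kind"], f["slo_vars"], f["ids"])
```

A `slo_state_write_failed` finding matches the case explained in post 2: the page that presents the federation links is the realm to check for persistence.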



  • 3.  Re: sm-Server-06007 failed. Error code : 2

    Posted Aug 15, 2017 09:15 PM

    Hi,

     

    I am getting the exact same error on the Federation Server. We have neither enabled Persistent Session nor do we have a Session store.

    [15041/3918547824][Tue Aug 15 2017 21:07:53][SmSessionServer.cpp:571][ERROR][sm-Server-06007] failed. Error code : 2
    [15041/3991976816][Tue Aug 15 2017 21:07:53][SmSessionServer.cpp:571][ERROR][sm-Server-06007] failed. Error code : 2
    [15041/3708750704][Tue Aug 15 2017 21:07:53][CSmDbSessionManager.cpp:585][INFO][sm-Server-04350] Using ODBC 'User Store' data source 'PWB User Store'.
    [15041/3991976816][Tue Aug 15 2017 21:07:54][SmSSProvider.cpp:503][ERROR][sm-Server-07004] failed.Exception :
    [15041/3991976816][Tue Aug 15 2017 21:07:54][SmSessionServer.cpp:535][ERROR][sm-Server-06007] failed. Error code : 3

     

    Any thoughts ..



  • 4.  Re: sm-Server-06007 failed. Error code : 2

    Posted Aug 15, 2017 09:29 PM

    Hi, Sanjay_Katkar, the log clearly says you are trying to set a session store record.

    You can try a full policy store export (XPSExport -xb export.xml) and try to check the realm directly and see if the persistent realm is set.

     

    AdminUI would display different things when session store is enabled and when not.

    So the accurate way would be to check directly from policystore export.



  • 5.  Re: sm-Server-06007 failed. Error code : 2

    Posted Aug 16, 2017 07:50 PM

    I took an export and found that some of the realms have "SessionType" of either 0 (Non Persistent) or 1 (Persistent). Am I looking for the right info as you requested?

     

    Thanks & Regards,

    Sanjay



  • 6.  Re: sm-Server-06007 failed. Error code : 2

    Posted Feb 07, 2018 10:09 AM

    What exactly should we look at?

    FederationWebServicesRealmFederationWebServicesAgentGroup

    /affwebservices

     

    publicFederationWebServicesAgentGroup/affwebservices/public


  • 7.  Re: sm-Server-06007 failed. Error code : 2

    Posted Feb 22, 2018 05:57 AM

    Hi, we are also facing the same problem in CA SSO 12.7.00.

    Is there any workaround/fix available for this?

     

    Regards

    Brahma