Symantec Access Management

  • 1.  SAMLSPEntitlementParser: Invalid Encryption Indication

    Posted Jun 25, 2018 08:10 PM

    We are beginning to see an unusual error with our federation services when performing outbound SSO to a particular SAML service provider. When attempting to do IDP initiated SAML SSO to a particular SP we're getting a 500 error from SiteMinder. The smtrace logs indicate "invalid encryption indication", but SAML encryption is disabled.

     

    We have a case open with CA Support, but I think this could be a tough one to debug so we're hoping to get additional help from CA Community if possible.

     


    [15154/4012030832][Mon Jun 25 2018 17:55:08][AssertionGenerator.java][ERROR][sm-FedServer-00090] AssertionHandler process() throws exception: ncom.netegrity.assertiongenerator.AssertionGeneratorException: SAMLSPEntitlementParser: Invalid Encryption Indication
            at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementParser.encryptExtractor(SAMLSPEntitlementParser.java:160)
            at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementParser.parseEntitlement(SAMLSPEntitlementParser.java:118)
            at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementParser.getEntitlementList(SAMLSPEntitlementParser.java:92)
            at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementGenerator.<init>(SAMLSPEntitlementGenerator.java:147)
            at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementGenerator.<init>(SAMLSPEntitlementGenerator.java:121)
            at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementGenerator.<init>(SAMLSPEntitlementGenerator.java:92)
            at com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol.processRequest(AuthnRequestProtocol.java:1297)
            at com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20.process(AssertionHandlerSAML20.java:211)
            at com.netegrity.assertiongenerator.AssertionGenerator.invoke(AssertionGenerator.java:259)
            at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(ActiveExpressionContext.java:286)


    [06/25/2018][18:03:11][3907132272][][CServer.cpp:1869][CAgentMessageHandler::HandleInput][][][][][][][][Enqueuing a Normal Priority Message, from IP 10.22.135.148 with Port No 39910. Current count is 1]
    [06/25/2018][18:03:11][3991051120][][CServer.cpp:1428][ThreadPool::Run][][][][][][][][Dequeuing a Normal Priority message, from IP 10.22.135.148 with Port No 39910. Current count is 0]
    [06/25/2018][18:03:11][3991051120][][CServer.cpp:5764][CServer::ProcessRequest][][][][][][][][Enter function CServer::ProcessRequest]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][invoke][][][][][][][][Entering Assertion Generator Framework.]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][invoke][][][][][][][][Reqesting parameters: -AssertionHandler:SAML20 SSO#unspecified:editableFields=accountholderemail,amount]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][getAssertionHandlerAlias][][][][][][][][Found Alias Name : 'SAML20' in the Active Expression parameter.]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][invoke][][][][][][][][Requesting resource: /SPID=sp_instamed-member-asuris-uat&RelayState=https://pay-uat.instamedtest.com/Form/Payments/New&AuthToken=C06DB42FD3753DC1043F7C8748FBCC4C&PersonId=863023321&SSOUrl=https://fedsvc-staging.asuris.com/affwebservices/public/saml2sso&Oid=21-0005daf2-722d-1b31-aec7-87f40a16f041]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][getAssertionHandlerOverrideClass][][][][][][][][Looking for override class in resource string: /SPID=sp_instamed-member-asuris-uat&RelayState=https://pay-uat.instamedtest.com/Form/Payments/New&AuthToken=C06DB42FD3753DC1043F7C8748FBCC4C&PersonId=863023321&SSOUrl=https://fedsvc-staging.asuris.com/affwebservices/public/saml2sso&Oid=21-0005daf2-722d-1b31-aec7-87f40a16f041]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][invoke][][][][][][][][Assertion Handler for "SAML20" will be loaded.]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][getAssertionHandler][][][][][][][][Loading AssertionHandler: com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGeneratorCache.java][getObject][][][][][][][][Found cached instance for com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][getAssertionHandler][][][][][][][][Successfully loaded Assertion Handler: com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionHandlerSAML20.java][getConfig][][][][][][][][Start to get configuration data supporting SAML2.0.]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][AuthnRequestProtocol][][][][][][][][Initial the context data ...]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][Initial the AuthnRequest with the query parameters ...]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][
       queryParameters: "/SPID=sp_instamed-member-asuris-uat&RelayState=https://pay-uat.instamedtest.com/Form/Payments/New&AuthToken=C06DB42FD3753DC1043F7C8748FBCC4C&PersonId=863023321&SSOUrl=https://fedsvc-staging.asuris.com/affwebservices/public/saml2sso&Oid=21-0005daf2-722d-1b31-aec7-87f40a16f041"]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][Query parameter: SPID = sp_instamed-member-asuris-uat]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][Query parameter: RelayState = https://pay-uat.instamedtest.com/Form/Payments/New]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][Query parameter: AuthToken = C06DB42FD3753DC1043F7C8748FBCC4C]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][Query parameter: PersonId = 863023321]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][Query parameter: SSOUrl = https://fedsvc-staging.asuris.com/affwebservices/public/saml2sso]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][Query parameter: Oid = 21-0005daf2-722d-1b31-aec7-87f40a16f041]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][Attributes being passed to Assertion Generator Plug-in:
    {AuthToken=C06DB42FD3753DC1043F7C8748FBCC4C, PersonId=863023321}
    ]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][
    Destination Variable:  https://pay-uat.instamedtest.com/Forms/SSO/ACS_SAML2.aspx
    ]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][setDeflatedAuthnRequest][][][][][][][][Unsolicited Response is expected by the Service Provider.]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][getSPProperties][][][][][][][][Loading the configration data for the Service Provider with ID "sp_instamed-member-asuris-uat" ...]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionHandlerSAML20.java][preProcess][][][][][][][][Start to validate the SAML2.0 Authn request.]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][validateRequest][][][][][][][][Validating the Request...All the properties:
    {EncryptAssertion=0, AttributeList=SSO#unspecified:editableFields=accountholderemail,amount, IdPSourceID=204440eee359610905f91a46440600caadea14c0, ReuseSessionIndex=0, IsActive=1, MniRequireEncryptedNameID=0, PartnershipSource=1, EnableAuthnRequestRedirect=1, Domain=@03-000d01d9-0307-11b6-aefb-879f0a1610b6, SLOServiceValidityDuration=60, UnauthorizedAccessRedirectMode=0, KEY_SPID=sp_instamed-member-asuris-uat, AttrSvcValidityDuration=60, ArtifactEncoding=FORM, EnableSSOPostBinding=1, EnableServerErrorURL=0, Policy=@04-00073967-722d-1b31-aec7-87f40a16f041, RequireSignedArtifactResolve=0, MniSignRequest=0, AttrSvcEnableProxiedQuery=0, EnableIPD=0, EncryptionBlockAlgorithm=tripledes, PostSignatureOption=0, CustomTimeout=1, MniRequireSignedResponse=0, SignArtifactResponse=0, EnableAttributeService=0, EnableAuthnRequestPost=0, AuthnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:Password, MniSOAPTimeout=0, Realm=@06-00064eb6-722d-1b31-aec7-87f40a16f041, EnableSLORedirectBinding=0, OneTimeUse=0, AE_PARAM_SAML2=-AssertionHandler:SAML20 SSO#unspecified:editableFields=accountholderemail,amount, Response=@07-0007281e-722d-1b31-aec7-87f40a16f041, SAML2.AuthnRequestProtocolManager=com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol@1506fa2, MniRequireSignedRequest=0, CompareUserDNForSMC=1, DisableSignatureProcessing=0, EnableSMC=0, AssertionConsumerDefaultURL=https://pay-uat.instamedtest.com/Forms/SSO/ACS_SAML2.aspx, MniRetryBoundary=0, MniEnableSOAPBinding=0, MniRetryCount=0, EnforceForceAuthnSessionTimeouts=0, NameIdType=1, AttrList=SSO#SSO#unspecified:editableFields=accountholderemail,amount, AttrSvcPartnershipAAProtEnabled=0, LegacyArtifactProtEnabled=0, Oid=21-0005daf2-722d-1b31-aec7-87f40a16f041, MniEncryptNameID=0, MniAllowUserSelfService=0, MniNotificationAuthType=1, MniEnableNotification=0, MniEnablePostBinding=0, SAMLMajorVersion=2, AttrSvcSignAssertion=0, RequireSignedAuthnRequests=0, SessionNotOnOrAfterType=0, MniSignResponse=0, 
EncryptionKeyAlgorithm=rsa-v15, Agent=@01-0006318f-722d-1b31-aec7-87f40a16f041, AssertionPluginClass=com.cambiahealth.enterprise.plugin.assertiongenerator.CambiaSAML2AssertionGeneratorPlugin, AllowCreationOfUserIdentifier=0, InvalidRequestRedirectMode=0, EnableSSOArtifactBinding=0, SkewTime=30, NameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient, ValidityDuration=60, MniDeleteNameID=0, ProxyServer=https://fedsvc-staging.asuris.com, NetegrityAffiliateMinderAuthURL=https://fedsvc-staging.asuris.com/affwebservices/redirectjsp/smportalstate_asuris.jsp, AssertionPluginParameters=/usr/pservices/ca/siteminder/bin/thirdparty/instamed-member-uat-mock.properties, PersistentCookie=0, EnableInvalidRequestURL=0, IdPID=idp_asuris_member-instamed-uat, ServerErrorRedirectMode=0, AllowOFCAuthnContextOverride=0, AttrSvcRequireSignedQuery=0, EncryptNameID=0, MniEnableRedirectBinding=0, ArtifactSignatureOption=3, SAMLMinorVersion=0, Rule=@0b-00071df4-722d-1b31-aec7-87f40a16f041, EnableSSOECPProfile=0, IgnoreRequestedAuthnContext=0, SignatureAlgo=1, DSigningAlias=cambiasamlcertificate, AuthenticationLevel=5, Name=instamed - member_asuris-uat, AttrSvcLegacyAAProtEnabled=0, MniNotifyTimeout=0, PartnershipArtifactProtEnabled=0, EnableUnauthorizedRequestURL=0, ApplicationURL=https://portal-qa2.asuris.com/group/asuris_common/agp, AttrSvcSignResponse=0, UseSecureAuthURL=0, RelayStateOverridesSloConfirm=0}]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Configured NameID format is "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Verified nameid policy exists [CHECKPOINT = SSOSAML2_IDPNAMEIDPOLICY_VERIFY]]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Identity Provider is not allowed to create a new identifier to represent the principal.]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Creation of new user identifier is not applicable with TRANSIENT name identifiers.]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][validateRequest][][][][][][][][User Name Identifier from IdP resolved.]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][validateRequest][][][][][][][][Validating Service Provider ID ...]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][validateRequest][][][][][][][][Service Provider ID is valid.]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][validateRequest][][][][][][][][Validating AuthnRequest ProtocolBinding ...]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][validateBindings][][][][][][][][Requesting Binding is urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][validateRequest][][][][][][][][AuthnRequest ProtocolBinding is valid and supported.]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][validateRequest][][][][][][][][AuthnRequest validation is successful.]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][invoke][][][][][][][][AssertionHandler preProcess() succeeds, it returns:]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionHandlerSAML20.java][process][][][][][][][][Start to handle the SAML2.0 Authn request.]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][processRequest][][][][][][][][Start to process the request ...]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateConditions][][][][][][][][Generating SAML Assertion Conditions...]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateConditions][][][][][][][][Adding SPID audience to AudienceRestriction element: sp_instamed-member-asuris-uat]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateConditions][][][][][][][][SAML Assertion Conditions generated successfully.]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateSubject][][][][][][][][Generating SAML Assertion Subject.]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateSubject][][][][][][][][SAML Assertion Subject generated successfully.]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][Generating SAML Assertion AuthnStatement...]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][getSessionIndex][][][][][][][][A new session index will not be created.]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][getStartTime][][][][][][][][Use Force Authn Session Timeouts is: true]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][Using authn context from properties map]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][AuthnContext Class Ref used: urn:oasis:names:tc:SAML:2.0:ac:classes:Password]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][SessionNotOnOrAfter type is: 0]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][Value of SessionNotOnOrAfter :90]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][SAML Assertion AuthnStatement generated successfully.]
    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AssertionGenerator.java][invoke][][][][][][][][Error happens in running Assertionhandler process(). Leaving Assertion Generator Framework.  Exception:
    com.netegrity.assertiongenerator.AssertionGeneratorException: SAMLSPEntitlementParser: Invalid Encryption Indication
            at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementParser.encryptExtractor(SAMLSPEntitlementParser.java:160)
            at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementParser.parseEntitlement(SAMLSPEntitlementParser.java:118)
            at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementParser.getEntitlementList(SAMLSPEntitlementParser.java:92)
            at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementGenerator.<init>(SAMLSPEntitlementGenerator.java:147)
            at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementGenerator.<init>(SAMLSPEntitlementGenerator.java:121)
            at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementGenerator.<init>(SAMLSPEntitlementGenerator.java:92)
            at com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol.processRequest(AuthnRequestProtocol.java:1297)
            at com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20.process(AssertionHandlerSAML20.java:211)
            at com.netegrity.assertiongenerator.AssertionGenerator.invoke(AssertionGenerator.java:259)
            at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(ActiveExpressionContext.java:286)

    ]
    [06/25/2018][18:03:11][3991051120][][CServer.cpp:5950][CServer::ProcessRequest][][][][][][][][Leave function CServer::ProcessRequest]
    [06/25/2018][18:03:11][3907132272][][CServer.cpp:1869][CAgentMessageHandler::HandleInput][][][][][][][][Enqueuing a Normal Priority Message, from IP 10.22.131.45 with Port No 55970. Current count is 1]
    [06/25/2018][18:03:11][3938601840][][CServer.cpp:1428][ThreadPool::Run][][][][][][][][Dequeuing a Normal Priority message, from IP 10.22.131.45 with Port No



  • 2.  Re: SAMLSPEntitlementParser: Invalid Encryption Indication

    Posted Jun 25, 2018 08:22 PM

    Duc dmt953

     

    Is a Custom Assertion Generator Plugin being used?

     

    [06/25/2018][18:03:11][3991051120][10f6ffc4-0e262478-cd269737-26660031-b50cf069-cd][AuthnRequestProtocol.java][init][][][][][][][][Attributes being passed to Assertion Generator Plug-in:
    {AuthToken=C06DB42FD3753DC1043F7C8748FBCC4C, PersonId=863023321}
    ]

     

    It is mentioned that encryption is disabled at Partnership level. But are you playing with encryption within the Custom AGP?

    What happens if we disable the Custom AGP, or on a partnership which does not have this Custom AGP? Can we derive a pattern that this issue only occurs on Partnerships which have the Custom AGP?

     

    Lastly what component (WA-WAOP or CA AG) and version is this?

     

     

    Regards

    Hubert



  • 3.  Re: SAMLSPEntitlementParser: Invalid Encryption Indication

    Posted Jun 25, 2018 10:20 PM

    Yes, we are using a custom assertion generator plugin, but this same plugin is being used for dozens of other SAML partnerships without errors.

    We used the "Legacy Federation" to create SAML service provider partners rather than the SiteMinder "Partnership" method of creating SAML configuration. One of the main reasons for this is that the "Partnership" method does not allow us to provide the "Application URL" for SiteMinder to redirect the user to a different location to obtain user data prior to it being passed to the AGP plugin.

    We had been experiencing very unusual behaviors with our SiteMinder environment policy servers. Last week we had some corrupted objects which prevented us from using the Admin UI to make changes/update SAML service provider configurations, so we had to do an LDIF backup/recover to the policystore database. There are just too many strange things going on with our SiteMinder federation domain in regards to inconsistent behavior.

    We have two policy servers in this environment. I just shut down one of the policy servers along with its policystore directory server to prevent multi-write/replication issues with the other server.

     

    policy server: r12.52 SP1 CR05

    policy store: r12.0 SP17

    Webagent OptionPack r12.52 SP1 CR05



  • 4.  Re: SAMLSPEntitlementParser: Invalid Encryption Indication

    Posted Jun 25, 2018 11:04 PM

    Hi Hubert,

     

    Attached are two smtrace files. The first file, "smtrace-no-errors.log", is for a transaction from the SAML service provider configuration "Instamed - member_regence-uat". The second file, "smtrace-invalid-encryption-error.log", is for the SAML service provider "Instamed - member_asuris-uat". Both of these Legacy Federation SAML service provider configurations point to the same "Application URL" resource and custom AGP plugin, but one works while the other gives me a 500 error complaining about "invalid encryption indication".
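
Added example, not part of the original posts and not CA/Symantec code: one way to compare two smtrace files like the ones described above is to parse the property maps printed after "All the properties:" and "SP Info:" and diff them key by key. The two sample traces are constructed and abbreviated from lines quoted in this thread; the function names are assumptions.

```python
import re

# Text that precedes a property-map dump in the smtrace lines quoted in this thread.
DUMP_MARKERS = ("All the properties:", "SP Info:")

# Entries are separated by ", " and the next entry starts with "Key=". Values such as
# "editableFields=accountholderemail,amount" contain "," and "=" but not ", Key=".
_ENTRY_SPLIT = re.compile(r",\s+(?=[A-Za-z_][\w.]*=)")

# Policy-store object IDs (Oid, Agent, Realm, ...) differ per object and only add noise.
_OBJECT_ID = re.compile(r"^@?[0-9a-f]{2}-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def parse_map(body):
    """Parse the text between '{' and '}]' into a dict, tolerating wrapped lines."""
    props = {}
    for entry in _ENTRY_SPLIT.split(" ".join(body.split())):
        key, sep, value = entry.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def extract_property_maps(trace_text):
    """Return one dict per complete dump; a dump cut off before '}]' is skipped."""
    maps, pos = [], 0
    while True:
        hits = [i for i in (trace_text.find(m, pos) for m in DUMP_MARKERS) if i != -1]
        if not hits:
            return maps
        start = trace_text.find("{", min(hits))
        end = trace_text.find("}]", start) if start != -1 else -1
        if end == -1:
            return maps  # truncated trace: never report a partial map
        maps.append(parse_map(trace_text[start + 1:end]))
        pos = end + 2


def _is_object_id(value):
    return value is not None and bool(_OBJECT_ID.match(value))


def diff_maps(a, b):
    """Return {key: (value_in_a, value_in_b)} for differing keys; None marks a missing key."""
    changed = {}
    for key in sorted(set(a) | set(b)):
        va, vb = a.get(key), b.get(key)
        if va == vb or (_is_object_id(va) and _is_object_id(vb)):
            continue
        changed[key] = (va, vb)
    return changed


def encryption_settings(props):
    """Return only the encryption-related settings, to check them against the error text."""
    return {k: v for k, v in props.items() if "encrypt" in k.lower()}


# Constructed, abbreviated sample dumps in the two formats shown in this thread.
TRACE_A = """[06/25/2018][18:03:11][3991051120][constructed-tx-id][AuthnRequestProtocol.java][validateRequest][][][][][][][][Validating the Request...All the properties:
{EncryptAssertion=0, AttributeList=SSO#unspecified:editableFields=accountholderemail,amount, Oid=21-0005daf2-722d-1b31-aec7-87f40a16f041, MniSignResponse=0, 
EncryptionKeyAlgorithm=rsa-v15, Name=instamed - member_asuris-uat, EncryptionBlockAlgorithm=tripledes, EncryptNameID=0}]
"""
TRACE_B = """[06/25/2018][21:33:56][4022180720][constructed-tx-id][SAMLSPbyIDTunnelService.java][tunnel][][][][][][][][SP Info: {NameIdType=1, EncryptAssertion=0, AttributeList=SSO#SSO#unspecified:editableFields=accountholderemail,amount, Oid=21-0006a655-a4d1-1b31-9f41-87f40a16f041, MniSignResponse=0, EncryptionKeyAlgorithm=rsa-v15, Name=instamed - member_asuris-uat, EncryptionBlockAlgorithm=tripledes, EncryptNameID=0}]
"""

if __name__ == "__main__":
    map_a = extract_property_maps(TRACE_A)[0]
    map_b = extract_property_maps(TRACE_B)[0]
    print("encryption settings:", encryption_settings(map_a))
    for key, (va, vb) in diff_maps(map_a, map_b).items():
        print(f"{key}:\n  A: {va}\n  B: {vb}")
```

The splitter assumes no value contains ", " followed by something that looks like `Key=`; a value that does will be split in two.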



  • 5.  Re: SAMLSPEntitlementParser: Invalid Encryption Indication

    Posted Jun 25, 2018 11:46 PM

    I disabled the custom AGP plugin and still see this error. Please see the attached "smtrace-agp-disabled-encryption-error.log" file.

     

     

     tail -f smtracedefault.log

    [06/25/2018][21:33:55][4043160432][][CServer.cpp:5950][CServer::ProcessRequest][][][][][][][][Leave function CServer::ProcessRequest]
    [06/25/2018][21:33:55][3906792304][][CServer.cpp:1869][CAgentMessageHandler::HandleInput][][][][][][][][Enqueuing a Normal Priority Message, from IP 10.22.159.106 with Port No 60024. Current count is 1]
    [06/25/2018][21:33:55][3990711152][][CServer.cpp:1428][ThreadPool::Run][][][][][][][][Dequeuing a Normal Priority message, from IP 10.22.159.106 with Port No 60024. Current count is 0]
    [06/25/2018][21:33:55][3990711152][][CServer.cpp:5764][CServer::ProcessRequest][][][][][][][][Enter function CServer::ProcessRequest]
    [06/25/2018][21:33:55][3990711152][][CServer.cpp:5950][CServer::ProcessRequest][][][][][][][][Leave function CServer::ProcessRequest]
    [06/25/2018][21:33:56][3906792304][][CServer.cpp:1869][CAgentMessageHandler::HandleInput][][][][][][][][Enqueuing a Normal Priority Message, from IP 10.22.135.148 with Port No 42600. Current count is 1]
    [06/25/2018][21:33:56][4032670576][][CServer.cpp:1428][ThreadPool::Run][][][][][][][][Dequeuing a Normal Priority message, from IP 10.22.135.148 with Port No 42600. Current count is 0]
    [06/25/2018][21:33:56][4032670576][][CServer.cpp:5764][CServer::ProcessRequest][][][][][][][][Enter function CServer::ProcessRequest]
    [06/25/2018][21:33:56][4032670576][][CServer.cpp:5950][CServer::ProcessRequest][][][][][][][][Leave function CServer::ProcessRequest]
    [06/25/2018][21:33:56][3906792304][][CServer.cpp:1869][CAgentMessageHandler::HandleInput][][][][][][][][Enqueuing a Normal Priority Message, from IP 10.22.135.148 with Port No 41657. Current count is 0]
    [06/25/2018][21:33:56][4022180720][][CServer.cpp:1428][ThreadPool::Run][][][][][][][][Dequeuing a Normal Priority message, from IP 10.22.135.148 with Port No 41657. Current count is 0]
    [06/25/2018][21:33:56][4022180720][][CServer.cpp:5764][CServer::ProcessRequest][][][][][][][][Enter function CServer::ProcessRequest]
    [06/25/2018][21:33:56][4022180720][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][SAMLSPbyIDTunnelService.java][tunnel][][][][][][][][Received request to obtain Service Provider data.]
    [06/25/2018][21:33:56][4022180720][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][SAMLSPbyIDTunnelService.java][tunnel][][][][][][][][Received request to obtain Service Provider data. Provider ID: sp_instamed-member-asuris-uat]
    [06/25/2018][21:33:56][4022180720][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][SAMLSPbyIDTunnelService.java][addPrivateKeyAndCerts][][][][][][][][Entering]
    [06/25/2018][21:33:56][4022180720][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][SAMLSPbyIDTunnelService.java][addPrivateKeyAndCerts][][][][][][][][Exiting]
    [06/25/2018][21:33:56][4022180720][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][SAMLSPbyIDTunnelService.java][tunnel][][][][][][][][SP Info: {NameIdType=1, EncryptAssertion=0, AttributeList=SSO#SSO#unspecified:editableFields=accountholderemail,amount, LegacyArtifactProtEnabled=0, AttrSvcPartnershipAAProtEnabled=0, AttrList=SSO#SSO#SSO#unspecified:editableFields=accountholderemail,amount, Oid=21-0006a655-a4d1-1b31-9f41-87f40a16f041, IdPSourceID=204440eee359610905f91a46440600caadea14c0, MniEncryptNameID=0, MniAllowUserSelfService=0, MniNotificationAuthType=1, ReuseSessionIndex=0, IsActive=1, MniEnableNotification=0, MniRequireEncryptedNameID=0, MniEnablePostBinding=0, PartnershipSource=1, SAMLMajorVersion=2, AttrSvcSignAssertion=0, RequireSignedAuthnRequests=0, EnableAuthnRequestRedirect=1, SessionNotOnOrAfterType=0, Domain=@03-000d01d9-0307-11b6-aefb-879f0a1610b6, SLOServiceValidityDuration=60, MniSignResponse=0, EncryptionKeyAlgorithm=rsa-v15, Agent=@01-0006ee99-a4d1-1b31-9f41-87f40a16f041, UnauthorizedAccessRedirectMode=0, KEY_SPID=sp_instamed-member-asuris-uat, AttrSvcValidityDuration=60, ArtifactEncoding=FORM, AllowCreationOfUserIdentifier=0, InvalidRequestRedirectMode=0, EnableSSOArtifactBinding=0, SkewTime=30, EnableSSOPostBinding=1, EnableServerErrorURL=0, NameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient, Policy=@04-0007d413-a4d1-1b31-9f41-87f40a16f041, RequireSignedArtifactResolve=0, ValidityDuration=60, MniDeleteNameID=0, ProxyServer=https://fedsvc-staging.asuris.com, MniSignRequest=0, AttrSvcEnableProxiedQuery=0, EnableIPD=0, NetegrityAffiliateMinderAuthURL=https://fedsvc-staging.asuris.com/affwebservices/redirectjsp/smportalstate_asuris.jsp, EncryptionBlockAlgorithm=tripledes, PersistentCookie=0, PostSignatureOption=0, EnableInvalidRequestURL=0, CustomTimeout=1, MniRequireSignedResponse=0, IdPID=idp_asuris_member-instamed-uat, SignArtifactResponse=0, EnableAttributeService=0, EnableAuthnRequestPost=0, 
AuthnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:Password, MniSOAPTimeout=0, Realm=@06-000703f3-a4d1-1b31-9f41-87f40a16f041, ServerErrorRedirectMode=0, EnableSLORedirectBinding=0, AllowOFCAuthnContextOverride=0, AttrSvcRequireSignedQuery=0, OneTimeUse=0, EncryptNameID=0, MniEnableRedirectBinding=0, ArtifactSignatureOption=3, Response=@07-0007c4b8-a4d1-1b31-9f41-87f40a16f041, SAMLMinorVersion=0, Rule=@0b-0007be24-a4d1-1b31-9f41-87f40a16f041, EnableSSOECPProfile=0, IgnoreRequestedAuthnContext=0, SignatureAlgo=1, MniRequireSignedRequest=0, DSigningAlias=cambiasamlcertificate, AuthenticationLevel=5, Name=instamed - member_asuris-uat, CompareUserDNForSMC=1, DisableSignatureProcessing=0, EnableSMC=0, AttrSvcLegacyAAProtEnabled=0, AssertionConsumerDefaultURL=https://pay-uat.instamedtest.com/Forms/SSO/ACS_SAML2.aspx, MniNotifyTimeout=0, PartnershipArtifactProtEnabled=0, EnableUnauthorizedRequestURL=0, AttrSvcSignResponse=0, MniRetryBoundary=0, MniEnableSOAPBinding=0, MniRetryCount=0, UseSecureAuthURL=0, EnforceForceAuthnSessionTimeouts=0, RelayStateOverridesSloConfirm=0}]
    [06/25/2018][21:33:56][4022180720][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][TunnelUtils][addProviderPasswords][][][][][][][][Entering addProviderPasswords]
    [06/25/2018][21:33:56][4022180720][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][TunnelUtils][addProviderPasswords][][][][][][][][Found passwords for oid: 21-0006a655-a4d1-1b31-9f41-87f40a16f041]
    [06/25/2018][21:33:56][4022180720][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][TunnelUtils][addProviderPasswords][][][][][][][][Exiting addProviderPasswords]
    [06/25/2018][21:33:56][4022180720][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][SAMLSPbyIDTunnelService.java][tunnel][][][][][][][][Policy server returns SAML2.0 SP Configuration [CHECKPOINT = SSOSAML2_SPCONFFROMPS_RSP]]
    [06/25/2018][21:33:56][4022180720][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][SAMLSPbyIDTunnelService.java][tunnel][][][][][][][][status: status=0]
    [06/25/2018][21:33:56][4022180720][][CServer.cpp:5950][CServer::ProcessRequest][][][][][][][][Leave function CServer::ProcessRequest]
    [06/25/2018][21:33:56][3906792304][][CServer.cpp:1869][CAgentMessageHandler::HandleInput][][][][][][][][Enqueuing a Normal Priority Message, from IP 10.22.135.148 with Port No 41657. Current count is 1]
    [06/25/2018][21:33:56][3969731440][][CServer.cpp:1428][ThreadPool::Run][][][][][][][][Dequeuing a Normal Priority message, from IP 10.22.135.148 with Port No 41657. Current count is 0]
    [06/25/2018][21:33:56][3969731440][][CServer.cpp:5764][CServer::ProcessRequest][][][][][][][][Enter function CServer::ProcessRequest]
    [06/25/2018][21:33:56][3969731440][][CServer.cpp:5950][CServer::ProcessRequest][][][][][][][][Leave function CServer::ProcessRequest]
    [06/25/2018][21:33:56][3906792304][][CServer.cpp:1869][CAgentMessageHandler::HandleInput][][][][][][][][Enqueuing a Normal Priority Message, from IP 10.22.135.148 with Port No 41657. Current count is 1]
    [06/25/2018][21:33:56][4011690864][][CServer.cpp:1428][ThreadPool::Run][][][][][][][][Dequeuing a Normal Priority message, from IP 10.22.135.148 with Port No 41657. Current count is 0]
    [06/25/2018][21:33:56][4011690864][][CServer.cpp:5764][CServer::ProcessRequest][][][][][][][][Enter function CServer::ProcessRequest]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AssertionGenerator.java][invoke][][][][][][][][Entering Assertion Generator Framework.]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AssertionGenerator.java][invoke][][][][][][][][Reqesting parameters: -AssertionHandler:SAML20 SSO#SSO#unspecified:editableFields=accountholderemail,amount]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AssertionGenerator.java][getAssertionHandlerAlias][][][][][][][][Found Alias Name : 'SAML20' in the Active Expression parameter.]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AssertionGenerator.java][invoke][][][][][][][][Requesting resource: /SPID=sp_instamed-member-asuris-uat&RelayState=https://pay-uat.instamedtest.com/Form/Payments/New&SSOUrl=https://fedsvc-staging.asuris.com/affwebservices/public/saml2sso&Oid=21-0006a655-a4d1-1b31-9f41-87f40a16f041]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AssertionGenerator.java][getAssertionHandlerOverrideClass][][][][][][][][Looking for override class in resource string: /SPID=sp_instamed-member-asuris-uat&RelayState=https://pay-uat.instamedtest.com/Form/Payments/New&SSOUrl=https://fedsvc-staging.asuris.com/affwebservices/public/saml2sso&Oid=21-0006a655-a4d1-1b31-9f41-87f40a16f041]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AssertionGenerator.java][invoke][][][][][][][][Assertion Handler for "SAML20" will be loaded.]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AssertionGenerator.java][getAssertionHandler][][][][][][][][Loading AssertionHandler: com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AssertionGeneratorCache.java][getObject][][][][][][][][Found cached instance for com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AssertionGenerator.java][getAssertionHandler][][][][][][][][Successfully loaded Assertion Handler: com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AssertionHandlerSAML20.java][getConfig][][][][][][][][Start to get configuration data supporting SAML2.0.]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][AuthnRequestProtocol][][][][][][][][Initial the context data ...]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][init][][][][][][][][Initial the AuthnRequest with the query parameters ...]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][init][][][][][][][][
       queryParameters: "/SPID=sp_instamed-member-asuris-uat&RelayState=https://pay-uat.instamedtest.com/Form/Payments/New&SSOUrl=https://fedsvc-staging.asuris.com/affwebservices/public/saml2sso&Oid=21-0006a655-a4d1-1b31-9f41-87f40a16f041"]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][init][][][][][][][][Query parameter: SPID = sp_instamed-member-asuris-uat]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][init][][][][][][][][Query parameter: RelayState = https://pay-uat.instamedtest.com/Form/Payments/New]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][init][][][][][][][][Query parameter: SSOUrl = https://fedsvc-staging.asuris.com/affwebservices/public/saml2sso]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][init][][][][][][][][Query parameter: Oid = 21-0006a655-a4d1-1b31-9f41-87f40a16f041]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][init][][][][][][][][Attributes being passed to Assertion Generator Plug-in:
    {}
    ]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][init][][][][][][][][
    Destination Variable:  https://pay-uat.instamedtest.com/Forms/SSO/ACS_SAML2.aspx
    ]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][setDeflatedAuthnRequest][][][][][][][][Unsolicited Response is expected by the Service Provider.]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][getSPProperties][][][][][][][][Loading the configration data for the Service Provider with ID "sp_instamed-member-asuris-uat" ...]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AssertionHandlerSAML20.java][preProcess][][][][][][][][Start to validate the SAML2.0 Authn request.]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][validateRequest][][][][][][][][Validating the Request...All the properties:
    {NameIdType=1, EncryptAssertion=0, AttributeList=SSO#SSO#unspecified:editableFields=accountholderemail,amount, LegacyArtifactProtEnabled=0, AttrSvcPartnershipAAProtEnabled=0, AttrList=SSO#SSO#SSO#unspecified:editableFields=accountholderemail,amount, Oid=21-0006a655-a4d1-1b31-9f41-87f40a16f041, IdPSourceID=204440eee359610905f91a46440600caadea14c0, MniEncryptNameID=0, MniAllowUserSelfService=0, MniNotificationAuthType=1, ReuseSessionIndex=0, IsActive=1, MniEnableNotification=0, MniRequireEncryptedNameID=0, MniEnablePostBinding=0, PartnershipSource=1, SAMLMajorVersion=2, AttrSvcSignAssertion=0, RequireSignedAuthnRequests=0, EnableAuthnRequestRedirect=1, SessionNotOnOrAfterType=0, Domain=@03-000d01d9-0307-11b6-aefb-879f0a1610b6, SLOServiceValidityDuration=60, MniSignResponse=0, EncryptionKeyAlgorithm=rsa-v15, Agent=@01-0006ee99-a4d1-1b31-9f41-87f40a16f041, UnauthorizedAccessRedirectMode=0, KEY_SPID=sp_instamed-member-asuris-uat, AttrSvcValidityDuration=60, ArtifactEncoding=FORM, AllowCreationOfUserIdentifier=0, InvalidRequestRedirectMode=0, EnableSSOArtifactBinding=0, SkewTime=30, EnableSSOPostBinding=1, EnableServerErrorURL=0, NameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient, Policy=@04-0007d413-a4d1-1b31-9f41-87f40a16f041, RequireSignedArtifactResolve=0, ValidityDuration=60, MniDeleteNameID=0, ProxyServer=https://fedsvc-staging.asuris.com, MniSignRequest=0, AttrSvcEnableProxiedQuery=0, EnableIPD=0, NetegrityAffiliateMinderAuthURL=https://fedsvc-staging.asuris.com/affwebservices/redirectjsp/smportalstate_asuris.jsp, EncryptionBlockAlgorithm=tripledes, PersistentCookie=0, PostSignatureOption=0, EnableInvalidRequestURL=0, CustomTimeout=1, MniRequireSignedResponse=0, IdPID=idp_asuris_member-instamed-uat, SignArtifactResponse=0, EnableAttributeService=0, EnableAuthnRequestPost=0, AuthnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:Password, MniSOAPTimeout=0, Realm=@06-000703f3-a4d1-1b31-9f41-87f40a16f041, ServerErrorRedirectMode=0, 
EnableSLORedirectBinding=0, AllowOFCAuthnContextOverride=0, AttrSvcRequireSignedQuery=0, OneTimeUse=0, EncryptNameID=0, AE_PARAM_SAML2=-AssertionHandler:SAML20 SSO#SSO#unspecified:editableFields=accountholderemail,amount, MniEnableRedirectBinding=0, ArtifactSignatureOption=3, Response=@07-0007c4b8-a4d1-1b31-9f41-87f40a16f041, SAMLMinorVersion=0, SAML2.AuthnRequestProtocolManager=com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol@17808af, Rule=@0b-0007be24-a4d1-1b31-9f41-87f40a16f041, EnableSSOECPProfile=0, IgnoreRequestedAuthnContext=0, SignatureAlgo=1, MniRequireSignedRequest=0, DSigningAlias=cambiasamlcertificate, AuthenticationLevel=5, Name=instamed - member_asuris-uat, CompareUserDNForSMC=1, DisableSignatureProcessing=0, EnableSMC=0, AttrSvcLegacyAAProtEnabled=0, AssertionConsumerDefaultURL=https://pay-uat.instamedtest.com/Forms/SSO/ACS_SAML2.aspx, MniNotifyTimeout=0, PartnershipArtifactProtEnabled=0, EnableUnauthorizedRequestURL=0, AttrSvcSignResponse=0, MniRetryBoundary=0, MniEnableSOAPBinding=0, MniRetryCount=0, UseSecureAuthURL=0, EnforceForceAuthnSessionTimeouts=0, RelayStateOverridesSloConfirm=0}]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Configured NameID format is "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Verified nameid policy exists [CHECKPOINT = SSOSAML2_IDPNAMEIDPOLICY_VERIFY]]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Identity Provider is not allowed to create a new identifier to represent the principal.]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][retrieveNameID][][][][][][][][Creation of new user identifier is not applicable with TRANSIENT name identifiers.]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][validateRequest][][][][][][][][User Name Identifier from IdP resolved.]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][validateRequest][][][][][][][][Validating Service Provider ID ...]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][validateRequest][][][][][][][][Service Provider ID is valid.]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][validateRequest][][][][][][][][Validating AuthnRequest ProtocolBinding ...]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][validateBindings][][][][][][][][Requesting Binding is urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][validateRequest][][][][][][][][AuthnRequest ProtocolBinding is valid and supported.]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][validateRequest][][][][][][][][AuthnRequest validation is successful.]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AssertionGenerator.java][invoke][][][][][][][][AssertionHandler preProcess() succeeds, it returns:]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AssertionHandlerSAML20.java][process][][][][][][][][Start to handle the SAML2.0 Authn request.]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][processRequest][][][][][][][][Start to process the request ...]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][generateConditions][][][][][][][][Generating SAML Assertion Conditions...]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][generateConditions][][][][][][][][Adding SPID audience to AudienceRestriction element: sp_instamed-member-asuris-uat]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][generateConditions][][][][][][][][SAML Assertion Conditions generated successfully.]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][generateSubject][][][][][][][][Generating SAML Assertion Subject.]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][generateSubject][][][][][][][][SAML Assertion Subject generated successfully.]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][Generating SAML Assertion AuthnStatement...]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][getSessionIndex][][][][][][][][A new session index will not be created.]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][getStartTime][][][][][][][][Use Force Authn Session Timeouts is: true]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][Using authn context from properties map]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][AuthnContext Class Ref used: urn:oasis:names:tc:SAML:2.0:ac:classes:Password]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][SessionNotOnOrAfter type is: 0]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][Value of SessionNotOnOrAfter :90]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][SAML Assertion AuthnStatement generated successfully.]
    [06/25/2018][21:33:56][4011690864][9c0de1f1-294ff2c4-4dcd82bd-e41d7e91-814348f5-b][AssertionGenerator.java][invoke][][][][][][][][Error happens in running Assertionhandler process(). Leaving Assertion Generator Framework.  Exception:
    com.netegrity.assertiongenerator.AssertionGeneratorException: SAMLSPEntitlementParser: Invalid Encryption Indication
            at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementParser.encryptExtractor(SAMLSPEntitlementParser.java:160)
            at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementParser.parseEntitlement(SAMLSPEntitlementParser.java:118)
            at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementParser.getEntitlementList(SAMLSPEntitlementParser.java:92)
            at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementGenerator.<init>(SAMLSPEntitlementGenerator.java:147)
            at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementGenerator.<init>(SAMLSPEntitlementGenerator.java:121)
            at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementGenerator.<init>(SAMLSPEntitlementGenerator.java:92)
            at com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol.processRequest(AuthnRequestProtocol.java:1297)
            at com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20.process(AssertionHandlerSAML20.java:211)
            at com.netegrity.assertiongenerator.AssertionGenerator.invoke(AssertionGenerator.java:259)
            at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(ActiveExpressionContext.java:286)

    ]
    [06/25/2018][21:33:56][4011690864][][CServer.cpp:5950][CServer::ProcessRequest][][][][][][][][Leave function CServer::ProcessRequest]



  • 6.  Re: SAMLSPEntitlementParser: Invalid Encryption Indication
    Best Answer

    Posted Jun 26, 2018 12:08 AM

    Duc dmt953

     

     

    I don't know if this is causing the issue OR not. See the words highlighted in RED in non working txns.

     

    Logs

    NO ERROR

    {EncryptAssertion=0, AttributeList=unspecified:editableFields=accountholderemail,amount, IdPSourceID=ee48a5e793b2dc157cc083c331fd0e144cb6ce36, ReuseSessionIndex=0, IsActive=1, MniRequireEncryptedNameID=0, PartnershipSource=1, EnableAuthnRequestRedirect=1, Domain=@03-000d01d9-0307-11b6-aefb-879f0a1610b6, SLOServiceValidityDuration=60, UnauthorizedAccessRedirectMode=0, KEY_SPID=sp_instamed-member-regence-uat, AttrSvcValidityDuration=60, ArtifactEncoding=FORM, EnableSSOPostBinding=1, EnableServerErrorURL=0, Policy=@04-000d6b79-247f-1b2c-9ee3-87f40a16f041, RequireSignedArtifactResolve=0, MniSignRequest=0, AttrSvcEnableProxiedQuery=0, EnableIPD=0, EncryptionBlockAlgorithm=tripledes, PostSignatureOption=0, CustomTimeout=1, MniRequireSignedResponse=0, SignArtifactResponse=0, EnableAttributeService=0, EnableAuthnRequestPost=0, AuthnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:Password, MniSOAPTimeout=0, Realm=@06-000c9a62-247f-1b2c-9ee3-87f40a16f041, EnableSLORedirectBinding=0, OneTimeUse=0, AE_PARAM_SAML2=-AssertionHandler:SAML20 unspecified:editableFields=accountholderemail,amount, Response=@07-000d5ce4-247f-1b2c-9ee3-87f40a16f041, SAML2.AuthnRequestProtocolManager=com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol@1e60d4b, MniRequireSignedRequest=0, CompareUserDNForSMC=1, DisableSignatureProcessing=0, EnableSMC=0, AssertionConsumerDefaultURL=https://pay-uat.instamedtest.com/Forms/SSO/ACS_SAML2.aspx, MniRetryBoundary=0, MniEnableSOAPBinding=0, MniRetryCount=0, EnforceForceAuthnSessionTimeouts=0, NameIdType=1, AttrList=SSO#unspecified:editableFields=accountholderemail,amount, AttrSvcPartnershipAAProtEnabled=0, LegacyArtifactProtEnabled=0, Oid=21-000c310e-247f-1b2c-9ee3-87f40a16f041, MniEncryptNameID=0, MniAllowUserSelfService=0, MniNotificationAuthType=1, MniEnableNotification=0, MniEnablePostBinding=0, SAMLMajorVersion=2, AttrSvcSignAssertion=0, RequireSignedAuthnRequests=0, SessionNotOnOrAfterType=0, MniSignResponse=0, 
EncryptionKeyAlgorithm=rsa-v15, Agent=@01-000c855c-247f-1b2c-9ee3-87f40a16f041, AssertionPluginClass=com.cambiahealth.enterprise.plugin.assertiongenerator.CambiaSAML2AssertionGeneratorPlugin, AllowCreationOfUserIdentifier=0, InvalidRequestRedirectMode=0, EnableSSOArtifactBinding=0, SkewTime=30, NameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient, ValidityDuration=60, MniDeleteNameID=0, ProxyServer=https://fedsvc-staging.regence.com, NetegrityAffiliateMinderAuthURL=https://fedsvc-staging.regence.com/affwebservices/redirectjsp/smportalstate_regence.jsp, AssertionPluginParameters=/usr/pservices/ca/siteminder/bin/thirdparty/instamed-member-uat-mock.properties, PersistentCookie=0, EnableInvalidRequestURL=0, IdPID=idp_regence_member-instamed-uat, ServerErrorRedirectMode=0, AllowOFCAuthnContextOverride=0, AttrSvcRequireSignedQuery=0, EncryptNameID=0, MniEnableRedirectBinding=0, ArtifactSignatureOption=3, SAMLMinorVersion=0, Rule=@0b-000d5649-247f-1b2c-9ee3-87f40a16f041, EnableSSOECPProfile=0, IgnoreRequestedAuthnContext=0, SignatureAlgo=1, DSigningAlias=cambiasamlcertificate, AuthenticationLevel=5, Name=instamed - member_regence-uat, AttrSvcLegacyAAProtEnabled=0, MniNotifyTimeout=0, PartnershipArtifactProtEnabled=0, EnableUnauthorizedRequestURL=0, ApplicationURL=https://portal-qa2.regence.com/group/regence_common/agp, AttrSvcSignResponse=0, UseSecureAuthURL=0, RelayStateOverridesSloConfirm=0}]


    SMTRACE INVALID Encryption

    {EncryptAssertion=0, AttributeList=SSO#SSO#unspecified:editableFields=accountholderemail,amount, IdPSourceID=204440eee359610905f91a46440600caadea14c0, ReuseSessionIndex=0, IsActive=1, MniRequireEncryptedNameID=0, PartnershipSource=1, EnableAuthnRequestRedirect=1, Domain=@03-000d01d9-0307-11b6-aefb-879f0a1610b6, SLOServiceValidityDuration=60, UnauthorizedAccessRedirectMode=0, KEY_SPID=sp_instamed-member-asuris-uat, AttrSvcValidityDuration=60, ArtifactEncoding=FORM, EnableSSOPostBinding=1, EnableServerErrorURL=0, Policy=@04-0007d413-a4d1-1b31-9f41-87f40a16f041, RequireSignedArtifactResolve=0, MniSignRequest=0, AttrSvcEnableProxiedQuery=0, EnableIPD=0, EncryptionBlockAlgorithm=tripledes, PostSignatureOption=0, CustomTimeout=1, MniRequireSignedResponse=0, SignArtifactResponse=0, EnableAttributeService=0, EnableAuthnRequestPost=0, AuthnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:Password, MniSOAPTimeout=0, Realm=@06-000703f3-a4d1-1b31-9f41-87f40a16f041, EnableSLORedirectBinding=0, OneTimeUse=0, AE_PARAM_SAML2=-AssertionHandler:SAML20 SSO#SSO#unspecified:editableFields=accountholderemail,amount, Response=@07-0007c4b8-a4d1-1b31-9f41-87f40a16f041, SAML2.AuthnRequestProtocolManager=com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol@c4843, MniRequireSignedRequest=0, CompareUserDNForSMC=1, DisableSignatureProcessing=0, EnableSMC=0, AssertionConsumerDefaultURL=https://pay-uat.instamedtest.com/Forms/SSO/ACS_SAML2.aspx, MniRetryBoundary=0, MniEnableSOAPBinding=0, MniRetryCount=0, EnforceForceAuthnSessionTimeouts=0, NameIdType=1, AttrList=SSO#SSO#SSO#unspecified:editableFields=accountholderemail,amount, AttrSvcPartnershipAAProtEnabled=0, LegacyArtifactProtEnabled=0, Oid=21-0006a655-a4d1-1b31-9f41-87f40a16f041, MniEncryptNameID=0, MniAllowUserSelfService=0, MniNotificationAuthType=1, MniEnableNotification=0, MniEnablePostBinding=0, SAMLMajorVersion=2, AttrSvcSignAssertion=0, RequireSignedAuthnRequests=0, SessionNotOnOrAfterType=0, MniSignResponse=0, 
EncryptionKeyAlgorithm=rsa-v15, Agent=@01-0006ee99-a4d1-1b31-9f41-87f40a16f041, AssertionPluginClass=com.cambiahealth.enterprise.plugin.assertiongenerator.CambiaSAML2AssertionGeneratorPlugin, AllowCreationOfUserIdentifier=0, InvalidRequestRedirectMode=0, EnableSSOArtifactBinding=0, SkewTime=30, NameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient, ValidityDuration=60, MniDeleteNameID=0, ProxyServer=https://fedsvc-staging.asuris.com, NetegrityAffiliateMinderAuthURL=https://fedsvc-staging.asuris.com/affwebservices/redirectjsp/smportalstate_asuris.jsp, AssertionPluginParameters=/usr/pservices/ca/siteminder/bin/thirdparty/instamed-member-uat-mock.properties, PersistentCookie=0, EnableInvalidRequestURL=0, IdPID=idp_asuris_member-instamed-uat, ServerErrorRedirectMode=0, AllowOFCAuthnContextOverride=0, AttrSvcRequireSignedQuery=0, EncryptNameID=0, MniEnableRedirectBinding=0, ArtifactSignatureOption=3, SAMLMinorVersion=0, Rule=@0b-0007be24-a4d1-1b31-9f41-87f40a16f041, EnableSSOECPProfile=0, IgnoreRequestedAuthnContext=0, SignatureAlgo=1, DSigningAlias=cambiasamlcertificate, AuthenticationLevel=5, Name=instamed - member_asuris-uat, AttrSvcLegacyAAProtEnabled=0, MniNotifyTimeout=0, PartnershipArtifactProtEnabled=0, EnableUnauthorizedRequestURL=0, ApplicationURL=https://portal-qa2.asuris.com/group/asuris_common/agp, AttrSvcSignResponse=0, UseSecureAuthURL=0, RelayStateOverridesSloConfirm=0}]


    AGP Disabled, yet error

    {NameIdType=1, EncryptAssertion=0, AttributeList=SSO#SSO#unspecified:editableFields=accountholderemail,amount, LegacyArtifactProtEnabled=0, AttrSvcPartnershipAAProtEnabled=0, AttrList=SSO#SSO#SSO#unspecified:editableFields=accountholderemail,amount, Oid=21-0006a655-a4d1-1b31-9f41-87f40a16f041, IdPSourceID=204440eee359610905f91a46440600caadea14c0, MniEncryptNameID=0, MniAllowUserSelfService=0, MniNotificationAuthType=1, ReuseSessionIndex=0, IsActive=1, MniEnableNotification=0, MniRequireEncryptedNameID=0, MniEnablePostBinding=0, PartnershipSource=1, SAMLMajorVersion=2, AttrSvcSignAssertion=0, RequireSignedAuthnRequests=0, EnableAuthnRequestRedirect=1, SessionNotOnOrAfterType=0, Domain=@03-000d01d9-0307-11b6-aefb-879f0a1610b6, SLOServiceValidityDuration=60, MniSignResponse=0, EncryptionKeyAlgorithm=rsa-v15, Agent=@01-0006ee99-a4d1-1b31-9f41-87f40a16f041, UnauthorizedAccessRedirectMode=0, KEY_SPID=sp_instamed-member-asuris-uat, AttrSvcValidityDuration=60, ArtifactEncoding=FORM, AllowCreationOfUserIdentifier=0, InvalidRequestRedirectMode=0, EnableSSOArtifactBinding=0, SkewTime=30, EnableSSOPostBinding=1, EnableServerErrorURL=0, NameIdFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient, Policy=@04-0007d413-a4d1-1b31-9f41-87f40a16f041, RequireSignedArtifactResolve=0, ValidityDuration=60, MniDeleteNameID=0, ProxyServer=https://fedsvc-staging.asuris.com, MniSignRequest=0, AttrSvcEnableProxiedQuery=0, EnableIPD=0, NetegrityAffiliateMinderAuthURL=https://fedsvc-staging.asuris.com/affwebservices/redirectjsp/smportalstate_asuris.jsp, EncryptionBlockAlgorithm=tripledes, PersistentCookie=0, PostSignatureOption=0, EnableInvalidRequestURL=0, CustomTimeout=1, MniRequireSignedResponse=0, IdPID=idp_asuris_member-instamed-uat, SignArtifactResponse=0, EnableAttributeService=0, EnableAuthnRequestPost=0, AuthnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:Password, MniSOAPTimeout=0, Realm=@06-000703f3-a4d1-1b31-9f41-87f40a16f041, ServerErrorRedirectMode=0, 
EnableSLORedirectBinding=0, AllowOFCAuthnContextOverride=0, AttrSvcRequireSignedQuery=0, OneTimeUse=0, EncryptNameID=0, AE_PARAM_SAML2=-AssertionHandler:SAML20 SSO#SSO#unspecified:editableFields=accountholderemail,amount, MniEnableRedirectBinding=0, ArtifactSignatureOption=3, Response=@07-0007c4b8-a4d1-1b31-9f41-87f40a16f041, SAMLMinorVersion=0, SAML2.AuthnRequestProtocolManager=com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol@17808af, Rule=@0b-0007be24-a4d1-1b31-9f41-87f40a16f041, EnableSSOECPProfile=0, IgnoreRequestedAuthnContext=0, SignatureAlgo=1, MniRequireSignedRequest=0, DSigningAlias=cambiasamlcertificate, AuthenticationLevel=5, Name=instamed - member_asuris-uat, CompareUserDNForSMC=1, DisableSignatureProcessing=0, EnableSMC=0, AttrSvcLegacyAAProtEnabled=0, AssertionConsumerDefaultURL=https://pay-uat.instamedtest.com/Forms/SSO/ACS_SAML2.aspx, MniNotifyTimeout=0, PartnershipArtifactProtEnabled=0, EnableUnauthorizedRequestURL=0, AttrSvcSignResponse=0, MniRetryBoundary=0, MniEnableSOAPBinding=0, MniRetryCount=0, UseSecureAuthURL=0, EnforceForceAuthnSessionTimeouts=0, RelayStateOverridesSloConfirm=0}]



  • 7.  Re: SAMLSPEntitlementParser: Invalid Encryption Indication

    Posted Jun 26, 2018 04:31 AM

    Hubert,

     

    So we needed to create a total of 6 separate SAML service providers for our new SSO partner.  For the very first SAML service provider configuration, I manually created a "Static" SAML attribute "editableFields" with value of [accountholderEmail,amount].  For the subsequent SAML service providers I added the static SAML attribute by simply copying and pasting the attribute script  - - > "unspecified:editableFields=accountholderemail,amount"

     

    So for the SAML service provider "Instamed - member_asuris-uat", of which I had been dealing with that "invalid encryption indication" error,  I deleted the static SAML attribute and the error went away.  I then created that static attribute again, but this time not using the attribute script but instead using the Admin UI "Attribute Setup" interface and added the attribute variable name and value manually.

     

    It seems extremely unlikely, but at this point it does indeed look like that entry that you spotted in the log - - > AttributeList=SSO#SSO#unspecified:editableFields=accountholderemail,amount, is the cause of the issue.  As strange as this looks, I really do hope that this is the root cause.  It's pretty late now so I will call it a night and will do some more testing and investigating tomorrow to confirm this.

     

    Thank you so much for your help!



  • 8.  Re: SAMLSPEntitlementParser: Invalid Encryption Indication

    Posted Jun 26, 2018 11:19 PM

    HubertDennis

    Hi Hubert,

     

    I confirmed that this 500 error with the smtrace log indicating "Invalid Encryption Indication" is caused by that SAML attribute showing up as "SSO#SSO#unspecified:editableFields=accountholderemail,amount"

     

    The reason why this attribute shows up like this is because when I open the "Attribute" tab from another SAML Service Provider configuration, the SAML attribute "Script" field showed this - - - > "SSO#unspecified:editableFields=accountholderemail,amount" and I just copied it and pasted it into another SAML Service Provider configuration attribute.  But if I open the original SAML Service Provider configuration and click on "Edit" then click on the "Attribute" tab then the attribute "Script" field shows this attribute in its correct format as this - - > "unspecified:editableFields=accountholderemail,amount".

     

    It is a little strange that an invalid SAML attribute configuration would cause the SAML partner configuration to be invalid causing a 500 error, but the smtrace log printing the message "Invalid Encryption Indication" is what really threw me off in debugging this.

     

    Once again, I want to thank you for your help and for putting in the extra time helping me figure this out.  Very much appreciate it.

     

    Duc Tran,
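
The by-eye comparison of the two smtrace property maps in this thread can be scripted. This is an added example, not code from the posters or from the product: it parses two "All the properties" dumps and reports where the repeated `SSO#` prefix on the attribute script differs between a working and a failing partnership. The sample maps are abbreviated from the dumps above, the function names are made up for this sketch, and the prefix comparison is a heuristic drawn from this thread, not documented product behaviour.

```python
import re

# Abbreviated property maps: a few keys copied from the smtrace dumps in this
# thread (working regence partnership vs. failing asuris partnership).
WORKING = """{EncryptAssertion=0, AttributeList=unspecified:editableFields=accountholderemail,amount,
KEY_SPID=sp_instamed-member-regence-uat, EncryptionBlockAlgorithm=tripledes,
AE_PARAM_SAML2=-AssertionHandler:SAML20 unspecified:editableFields=accountholderemail,amount,
AttrList=SSO#unspecified:editableFields=accountholderemail,amount, EncryptNameID=0,
Name=instamed - member_regence-uat}]"""

FAILING = """{EncryptAssertion=0, AttributeList=SSO#SSO#unspecified:editableFields=accountholderemail,amount,
KEY_SPID=sp_instamed-member-asuris-uat, EncryptionBlockAlgorithm=tripledes,
AE_PARAM_SAML2=-AssertionHandler:SAML20 SSO#SSO#unspecified:editableFields=accountholderemail,amount,
AttrList=SSO#SSO#SSO#unspecified:editableFields=accountholderemail,amount, EncryptNameID=0,
Name=instamed - member_asuris-uat}]"""

# Keys that carry the attribute script in the dumps shown in this thread.
ATTR_KEYS = ("AttributeList", "AttrList", "AE_PARAM_SAML2")


def parse_props(dump):
    """Turn a '{k=v, k=v, ...}' smtrace property dump into a dict.

    Values may contain ',' and '=' (e.g. 'editableFields=a,b'), so split only
    on a comma followed by whitespace and then something that looks like 'Key='.
    Whitespace includes the line break smtrace inserts in the middle of the map.
    """
    body = dump[dump.index("{") + 1 : dump.rindex("}")]
    props = {}
    for part in re.split(r",\s+(?=[\w.]+=)", body.strip()):
        key, _, value = part.partition("=")
        props[key.strip()] = value.strip()
    return props


def sso_prefix_count(value):
    """Count leading 'SSO#' tokens on the (first) attribute script entry."""
    if value.startswith("-AssertionHandler:"):
        # AE_PARAM_SAML2 holds '-AssertionHandler:<alias> <script>'.
        value = value.partition(" ")[2]
    return len(re.match(r"(?:SSO#)*", value).group(0)) // len("SSO#")


def prefix_drift(good, bad):
    """Return {key: (count_in_good, count_in_bad)} where the counts differ."""
    drift = {}
    for key in ATTR_KEYS:
        g = sso_prefix_count(good.get(key, ""))
        b = sso_prefix_count(bad.get(key, ""))
        if g != b:
            drift[key] = (g, b)
    return drift


def diff_props(good, bad):
    """Every key whose value differs between the two maps."""
    keys = sorted(set(good) | set(bad))
    return {k: (good.get(k), bad.get(k)) for k in keys if good.get(k) != bad.get(k)}


if __name__ == "__main__":
    good, bad = parse_props(WORKING), parse_props(FAILING)
    for key, (g, b) in prefix_drift(good, bad).items():
        print(f"{key}: {g} 'SSO#' prefix(es) in working map, {b} in failing map")
        print(f"    failing value: {bad[key]}")
```

`diff_props` also lists per-partnership identifiers such as `KEY_SPID` and `Name`, which are expected to differ; `prefix_drift` narrows the output to the attribute script keys that turned out to matter here.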