ADFS Federation Failed - AuthReason=49

Document ID : KB000117524
Last Modified Date : 15/10/2018
Question:
We have configured a federation partnership with ADFS as the IdP and CA SSO R12.8 as the SP. We are getting an HTTP 500 error when redirected to https://my.domain.com/affwebservices/public/saml2assertionconsumer with the SAML response.

In the logs we see the following:
[10/10/2018][12:43:03][20804][121763075886305][11c36b6b-72c890a3-cf34a57c-a10b6c7a-a8db25c-310][AssertionConsumer.java][processSAMLResponse][authenticateUser failed: 1]
[10/10/2018][12:43:03][20804][121763075886305][11c36b6b-72c890a3-cf34a57c-a10b6c7a-a8db25c-310][AssertionConsumer.java][redirectLoginFailure][AuthReason=49]
[10/10/2018][12:43:03][20804][121763075886305][11c36b6b-72c890a3-cf34a57c-a10b6c7a-a8db25c-310][AssertionConsumer.java][redirectLoginFailure][Redirect Mode="0" URL="null"]
[10/10/2018][12:43:03][20804][121763075886305][11c36b6b-72c890a3-cf34a57c-a10b6c7a-a8db25c-310][AssertionConsumer.java][redirectLoginFailure][Ending SAML2 AssertionConsumer Service request processing with HTTP error 500]
[10/10/2018][12:43:03][20804][121763075886305][11c36b6b-72c890a3-cf34a57c-a10b6c7a-a8db25c-310][AssertionConsumer.java][redirectLoginFailure][Transaction with ID: 11c36b6b-72c890a3-cf34a57c-a10b6c7a-a8db25c-310 failed. Reason: ACS_FAILED_PROCESS_FAILURE]


What can be the problem causing this error? How can we solve it?
Environment:
Policy Server R12.8 on Linux
Access Gateway R12.8 on Linux
Answer:
This error (ACS_FAILED_PROCESS_FAILURE) can have several different causes, so review the Policy Server traces together with FWSTrace.log to understand why it occurs. AuthReason=49 points to a problem with the assertion itself and how it is formed.

In this case the problem was that the Audience value sent by ADFS did not exactly match the SP Entity ID configured in CA SSO. The comparison is an exact string match, so any difference (case, scheme, or a trailing slash) counts as a mismatch. After correcting the Audience in ADFS to match the SP Entity ID, the issue was resolved.
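As an added diagnostic example (not from this KB article or from CA SSO's own code), the following Python script decodes a POSTed SAMLResponse, extracts the AudienceRestriction values from the assertion and compares them exactly against the SP Entity ID, flagging near-misses such as a trailing slash or case difference. The sample response, the ADFS issuer and the Entity ID values are constructed for the example.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in the Response and Assertion elements
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def extract_audiences(saml_response_b64):
    """Decode a base64 SAMLResponse (as POSTed to the ACS) and return every
    <saml:Audience> value found under an AudienceRestriction."""
    xml_bytes = base64.b64decode(saml_response_b64)
    root = ET.fromstring(xml_bytes)
    path = ".//saml:AudienceRestriction/saml:Audience"
    return [a.text.strip() for a in root.findall(path, NS) if a.text]


def check_audience(saml_response_b64, sp_entity_id):
    """Compare the audiences against the SP Entity ID using an exact,
    case-sensitive string match (SAML URI comparison is a plain string
    compare). Near-misses are reported to point at the likely IdP fix."""
    audiences = extract_audiences(saml_response_b64)
    exact = sp_entity_id in audiences
    near = [
        a for a in audiences
        if not exact and a.rstrip("/").lower() == sp_entity_id.rstrip("/").lower()
    ]
    return {"audiences": audiences, "match": exact, "near_miss": near}


# Constructed sample (hypothetical issuer and entity ID): the IdP sends an
# Audience with a trailing slash that the SP's Entity ID does not have.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://sso.example.test/sp/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()
SP_ENTITY_ID = "https://sso.example.test/sp"  # hypothetical SP Entity ID

if __name__ == "__main__":
    print(check_audience(SAMPLE_RESPONSE_B64, SP_ENTITY_ID))
```

Run it against the base64 SAMLResponse captured from the browser POST to the assertion consumer URL; a populated near_miss list with match False is the trailing-slash or case mismatch described in this article.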