Federation suddenly fails and no assertion is generated. FWSTrace.log shows SAML2Response=NO.

Document ID : KB000045541
Last Modified Date : 14/02/2018

Issue: 

Federation suddenly stopped working.

FWSTrace.log shows SAML2Response=NO

No assertion is generated.

 

Environment:  

R12.52 Federation

(Not specific to Version or OS)

 

Cause: 

When you see this message, the problem is not with the WAOP or SPS.

The WAOP or SPS is only relaying the message that was returned from the Policy Server.

To find the actual reason, you must look at smtracedefault.log, and you must use the samlidp_trace.template so that meaningful messages are written to that log.

 

The Policy Server can return this message for many reasons, but generally they are:

1. Time synchronization (the request is invalid)

2. Certificate expiry (if the SP is signing the AuthnRequest, the IdP must have a valid certificate to verify the signature)

3. Other (reviewing smtracedefault.log will reveal what the reason could be)

 

Resolution: 

The resolution depends on what you find in smtracedefault.log.

If time synchronization is the problem, using a time server is a good way to prevent it.

If the certificate has expired, you must ask the SP to provide the updated certificate, then update (import) the renewed certificate.

For any other cause, you will have to look into smtracedefault.log.
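To check the time synchronization cause on a request you have captured, the following added example (not CA's code and not the Policy Server's own validation logic) decodes a `SAMLRequest` value and compares its `IssueInstant` with the IdP clock. It assumes the HTTP-Redirect binding (base64 plus raw DEFLATE); the function names, the sample request and the 60-second tolerance are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, unquote

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

def decode_redirect_request(value):
    """SAMLRequest query value -> parsed AuthnRequest (URL-decode, base64, raw inflate)."""
    xml_bytes = zlib.decompress(base64.b64decode(unquote(value)), -15)  # -15: no zlib header
    # Diagnostic use on a request you captured yourself; ElementTree is not
    # hardened against entity-expansion payloads in hostile XML.
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not an AuthnRequest: " + root.tag)
    return root

def issue_instant_skew(root, idp_now):
    """idp_now - IssueInstant; positive means the request is older than the IdP clock."""
    text = root.attrib["IssueInstant"].rstrip("Z")  # SAML timestamps are UTC
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in text else "%Y-%m-%dT%H:%M:%S"
    issued = datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
    return idp_now - issued

def classify(skew, tolerance):
    """Label the skew against the tolerance (an assumed parameter, not a product default)."""
    if skew > tolerance:
        return "stale"    # SP clock behind the IdP, or the request was delayed
    if skew < -tolerance:
        return "future"   # SP clock ahead of the IdP
    return "ok"

def constructed_sample():
    """Constructed AuthnRequest, encoded as it would appear in a redirect URL."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="%s" ID="_constructed1" '
           'Version="2.0" IssueInstant="2018-02-14T09:00:00Z"/>' % SAMLP)
    c = zlib.compressobj(wbits=-15)
    deflated = c.compress(xml.encode()) + c.flush()
    return quote(base64.b64encode(deflated).decode(), safe="")

if __name__ == "__main__":
    root = decode_redirect_request(constructed_sample())
    # Constructed "IdP clock" seven minutes after the sample's IssueInstant
    now = datetime(2018, 2, 14, 9, 7, 0, tzinfo=timezone.utc)
    skew = issue_instant_skew(root, now)
    print(root.attrib["ID"], skew, classify(skew, timedelta(seconds=60)))
```

Pass the current UTC time of the Policy Server host as `idp_now` and the skew your partnership allows as `tolerance`; a "stale" or "future" result points at clock drift between the SP and the IdP rather than at the certificate.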

 

Additional Information: 

https://communities.ca.com/people/SungHoon_Kim/blog/2016/05/11/federation-fails-with-saml2responseno-in-fwstracelog-how-do-i-find-out-what-is-causing-this