Getting the error FAILED_INVALID_RESPONSE_RETURNED when enabling SLO on a working Federation Partnership

Document ID : KB000007260
Last Modified Date : 14/02/2018
Issue:

We are trying to configure SLO for a Federation Partnership that otherwise works properly. When we configure SLO as per the documentation, we get the following errors:

-- FWSTrace.log:
[06/15/2017][09:32:42][2016][4212][4b16d281-58910273-7ab61828-d829e82a-461ba673-ac][SSO.java][processAssertionGeneration][Calling authorizeEx to invoke SAML2 assertion generator.]
[06/15/2017][09:32:42][2016][4212][4b16d281-58910273-7ab61828-d829e82a-461ba673-ac][SSO.java][processAssertionGeneration][Request to policy server for generating saml2 assertion/artifact based on selected profile. [CHECKPOINT = SSOSAML2_GENERATEASSERTIONORARTIFACT_REQ]]
[06/15/2017][09:32:42][2016][4212][4b16d281-58910273-7ab61828-d829e82a-461ba673-ac][SSO.java][processAssertionGeneration][Transient IP check: false]
[06/15/2017][09:32:45][2016][4212][4b16d281-58910273-7ab61828-d829e82a-461ba673-ac][SSO.java][processAssertionGeneration][Result of authorizeEx call is: 1.]
[06/15/2017][09:32:45][2016][4212][4b16d281-58910273-7ab61828-d829e82a-461ba673-ac][SSO.java][processAssertionGeneration][Received the assertion/artifact response based on profile selected. [CHECKPOINT = SSOSAML2_RECEIVEDASSERTION_RSP]]
[06/15/2017][09:32:45][2016][4212][4b16d281-58910273-7ab61828-d829e82a-461ba673-ac][SSO.java][processAssertionGeneration][Not enforcing ForceAuthnTimeouts.]
[06/15/2017][09:32:45][2016][4212][4b16d281-58910273-7ab61828-d829e82a-461ba673-ac][SSO.java][processAssertionGeneration][Received the following response from SAML2 assertion generator: SAML2Response=NO.]
[06/15/2017][09:32:45][2016][4212][4b16d281-58910273-7ab61828-d829e82a-461ba673-ac][SSO.java][processAssertionGeneration][Transaction with ID: 4b16d281-58910273-7ab61828-d829e82a-461ba673-ac failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]
[06/15/2017][09:32:45][2016][4212][4b16d281-58910273-7ab61828-d829e82a-461ba673-ac][SSO.java][processAssertionGeneration][Denying request due to "NO" returned from SAML2 assertion generator.]
[06/15/2017][09:32:45][2016][4212][4b16d281-58910273-7ab61828-d829e82a-461ba673-ac][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]

-- Affwebservices.log:
[2016/4212][Thu Jun 15 2017 09:32:45][SSO.java][ERROR][sm-FedClient-02890] sm-FedClient-02890 (4b16d281-58910273-7ab61828-d829e82a-461ba673-ac, FAILED_INVALID_RESPONSE_RETURNED, , , )

Environment:
Policy Server R12.52 SP1
Cause:

SLO requires a session store and a persistent realm.

Resolution:

Enabling the persistent flag on the realm where SLO is being configured resolves this issue.
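
To confirm the symptom before and after changing the realm, the FWSTrace.log entries can be correlated by transaction ID. The following is an added example, not part of the original article or the product; the function names are hypothetical, and the sample input is three lines from the trace above plus one constructed line.

```python
import re
from collections import defaultdict

# Seven bracketed header fields (date, time, pid, tid, transaction id, source
# file, method), then the message, which may itself contain brackets.
LINE_RE = re.compile(r"^" + r"\[([^\]]*)\]" * 7 + r"\[(.*)\]\s*$")
FIELDS = {
    "saml2_response": re.compile(r"SAML2Response=(\w+)"),
    "reason": re.compile(r"failed\. Reason: (\w+)"),
    "http_error": re.compile(r"Sending HTTP Error (\d+)"),
}

# Three lines from the trace above plus one constructed line (txid "constructed-0001").
SAMPLE = """\
[06/15/2017][09:32:45][2016][4212][4b16d281-58910273-7ab61828-d829e82a-461ba673-ac][SSO.java][processAssertionGeneration][Received the following response from SAML2 assertion generator: SAML2Response=NO.]
[06/15/2017][09:32:45][2016][4212][4b16d281-58910273-7ab61828-d829e82a-461ba673-ac][SSO.java][processAssertionGeneration][Transaction with ID: 4b16d281-58910273-7ab61828-d829e82a-461ba673-ac failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]
[06/15/2017][09:32:45][2016][4212][4b16d281-58910273-7ab61828-d829e82a-461ba673-ac][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]
[06/15/2017][09:33:10][2016][4212][constructed-0001][SSO.java][processAssertionGeneration][Transient IP check: false]
"""

def parse_line(line):
    """Return (transaction id, message) for a trace line, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return (m.group(5), m.group(8)) if m else None

def failed_transactions(lines):
    """Correlate lines by transaction id; return only transactions with a failure reason."""
    txs = defaultdict(dict)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        txid, msg = parsed
        for name, rx in FIELDS.items():
            m = rx.search(msg)
            if m:
                txs[txid][name] = m.group(1)
    return {t: f for t, f in txs.items() if "reason" in f}

def slo_realm_suspect(fields):
    """True when a failure matches the symptom this article ties to a non-persistent realm."""
    return (fields.get("reason") == "FAILED_INVALID_RESPONSE_RETURNED"
            and fields.get("saml2_response") == "NO")

if __name__ == "__main__":
    for txid, fields in failed_transactions(SAMPLE.splitlines()).items():
        print(txid, fields, "check realm persistence" if slo_realm_suspect(fields) else "")
```

A match identifies the symptom only; confirm the realm's persistent setting and the session store in the policy configuration before treating it as the cause.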

Additional Information:

More information and configuration steps are available in the following documentation:

Configure Single Logout in the Federation deployment

Configure Single Logout

Enable Single Logout

SSO and SLO options