How to resolve the "WSFED_SSO_NO_PROVIDER_ID" error for the Single Sign On Agent for SharePoint 2010/2013

Document ID : KB000045702
Last Modified Date : 14/02/2018
Show Technical Document Details

Issue:

When logging into SharePoint via the R12 SP3 CR-05 Agent for SharePoint 2010, we are receiving the following error messages in the Federation.log and the user receives a 403 at the browser;

 

[2268/2868][Thu Jun 16 2016 14:51:02][SSO.java][ERROR][sm-FedClient-02890] Transaction with ID: 1e7941bc-c6dd4d88-69f63748-4a8562bf-941a319f-1ac failed. Reason: WSFED_SSO_NO_PROVIDER_ID (, , ) 

[2268/2868][Thu Jun 16 2016 14:51:02][SSO.java][ERROR][sm-FedClient-02650] No WSFED provider information found for RP sp11.

 

Environment:

Single Sign On (fka SiteMinder) R12 SP3 CR-05 Agent for SharePoint 2010

 

Cause:

This error is due to the "SharePoint Realm" defined in the SharePoint Connection Wizard not having the proper format of "urn:<name of Realm>". The "SharePoint Realm" defined in the Agent for SharePoint's Connection Wizard for the SharePoint Connection is used as the "Resource Partner ID" value in the resultant Resource Partnership created in the Policy Store. As such, the SharePoint Realm defined must be in the format of "urn:<name of SharePoint Realm>".

 

eg.  urn:MySharePointRealm

 

Resolution:

To resolve this issue, you will need to edit the existing SharePoint Connection via the SharePoint Connection Wizard and change the SharePoint Realm to "urn:<Name of SharePoint Realm>". This will update the Resource Partnership in the Policy Store with the proper format for the "Resource Partner ID" and will also update the "Account Partner ID" ("SP-ACC-urn:<Name of SharePoint Realm>").

 

You will then need to update the "DefaultProviderRealm" parameter in the existing TrustedIdentityTokenIssuer (TIP) in SharePoint so that SharePoint builds the 302 redirect to "/affwebservices/public/wsfeddispatcher"  appropriately.

 

To update the TrustedIdentityTokenIssuer (TIP); 

 

1.) Start the "SharePoint 2010 Management Shell" as an Administrator on the SharePoint Central Admin Server. 

2.) Run the Get-SPTrustedIdentityTokenIssuer command 

3.) Note the "Name" of the SiteMinder Trusted Identity Token Issuer (TIP). 

4.) Enter the following commands; 

 

a. $tip = Get-SPTrustedIdentityTokenIssuer "<name of the tip in quotes from #3>" 

 

eg. $tip = Get-SPTrustedIdentityTokenIssuer "MySiteMinderTip" 

 

b. $tip.DefaultProviderRealm = "urn:<Name of SharePoint Realm>"

 

eg. $tip.DefaultProviderRealm = "urn:MySharePointRealm"

 

c. $tip.Update() 

 

5.) Run the Get-SPTrustedIdentityTokenIssuer command and verify that the "DefaultProviderRealm" has been updated. 

6.) Close the "SharePoint 2010 Management Shell". 

7.) Re-test.