Long assertion being truncated on Policy Server

Document ID : KB000015587
Last Modified Date : 14/02/2018
Question:

We have some users who are not able to log in through WSFederation, and we found out that the WSFederation response generated for these users is getting truncated, as they have huge group information that needs to be sent as part of the response.

When checking the logs we see in the assertion the group information being interrupted with the characters: .]

...
<ns1:AttributeValue>SampleAttributeValue-351</ns1:AttributeValue>
<ns1:AttributeValue>SampleAttributeValue-352</ns1:AttributeValue>
      .]
     
Could it be that the Policy Server is truncating it because it is a very long assertion? How can we fix this?

Environment:
Policy Server R12.52 SP1 CR00 on Windows 2008 R2

Answer:

When the IDP generates an assertion that is very long, exceeding 48K, the Policy Server truncates it and sends the truncated assertion to the WAOP on the IDP side.

This is fixed in R12.52 SP1 CR06:

00236681 DE102140 Policy Server truncates assertion data if the size of active response in assertion exceeds 48K.

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr06
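
A diagnostic sketch for the symptom described above, added here and not taken from CA's code: it checks an assertion copied from the Policy Server log for well-formedness, the `.]` marker and size. The reading of "48K" as 48 * 1024 bytes, the namespace URI, the attribute name and all function names are assumptions, and the sample data is constructed.

```python
import re
import xml.etree.ElementTree as ET

LIMIT_BYTES = 48 * 1024   # assumption: the page's "48K" read as 48 * 1024 bytes
MARKER = ".]"             # characters the page reports where the logged assertion stops
OPEN_VALUE = re.compile(r"<(?:\w+:)?AttributeValue\b[^>]*>")  # opening tags only


def check_assertion(text):
    """Report size, well-formedness and truncation marker for one logged assertion."""
    body = text.strip()
    try:
        ET.fromstring(body)
        well_formed = True
    except ET.ParseError:          # missing closing tags end up here
        well_formed = False
    size = len(body.encode("utf-8"))
    return {
        "size_bytes": size,
        "over_48k": size > LIMIT_BYTES,
        "well_formed": well_formed,
        "ends_with_marker": body.endswith(MARKER),
        "attribute_values": len(OPEN_VALUE.findall(body)),
    }


def classify(text):
    """'complete', 'truncated' (broken XML ending in the marker) or 'malformed'."""
    report = check_assertion(text)
    if report["well_formed"]:
        return "complete"
    return "truncated" if report["ends_with_marker"] else "malformed"


def build_sample(n_values):
    """Constructed sample data: one attribute carrying n_values group values."""
    values = "".join(
        f"<ns1:AttributeValue>SampleAttributeValue-{i}</ns1:AttributeValue>\n"
        for i in range(1, n_values + 1)
    )
    return ('<ns1:Attribute xmlns:ns1="urn:example:constructed" AttributeName="groups">\n'
            f"{values}</ns1:Attribute>")


def simulate_truncation(full, keep_values):
    """Constructed: cut after keep_values values, then append the marker from the page."""
    end_tag, pos = "</ns1:AttributeValue>", 0
    for _ in range(keep_values):
        pos = full.index(end_tag, pos) + len(end_tag)
    return full[:pos] + "\n      " + MARKER
```

Running `check_assertion` on a complete assertion for a user with many groups shows whether its size is over the limit; running `classify` on the text taken from the log separates a cut-off assertion from one that is malformed for another reason.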

Additional Information:

R12.52 SP1 CR06 Defects fixed