PolicyExport validation Error

Document ID : KB000009172
Last Modified Date : 13/03/2018
Issue:

When attempting to perform an XPSImport on a server that has existing Policy Store objects (i.e. a merge of objects), validation errors occur.

In the XPSImport log, the following is observed:

(ERROR) : [sm-xobfss-00300] CA.SM::SAMLv2SP@21-feb98e5f-37c3-42b8-81c1-f0516f5d14ea(worknet to mrm - rr donnelly): Legacy Federation object CA.SM::SAMLv2SP@21-feb98e5f-37c3-42b8-81c1-f0516f5d14ea(worknet to mrm - rr donnelly) cannot be saved; it conflicts with object CA.SM::SAMLv2SP@21-0fcb15f4-7f06-44aa-9df7-a534894800ee which is active

(ERROR) : [sm-xobfss-00300] Legacy Federation object CA.SM::SAMLv2IdP@21-c339b84d-ba9b-4975-9db5-e6e7c151fe0d(External Availity AutoLoad Mybcbswny SAML2 Auth Scheme) cannot be saved; it conflicts with object CA.SM::SAMLv2IdP@21-e8fd50a5-9103-4a69-bdb4-258936b8c295 which is active

Environment:
Migration from 12.52 to 12.7
Cause:

This issue occurs when an object in the XPSImport data already exists in the Policy Store that the new data is being merged into, and that existing object is in use, in this case by a Legacy Federation configuration.

Put simply:

- Object A exists in Policy Store A
- Object A also exists in Policy Store B
- When Policy Store B is exported and merged into Policy Store A, the import fails because Object A already exists and is in use in Policy Store A.

Resolution:

To resolve the issue, any object that exists both in the destination Policy Store and in the Policy Store export file being imported needs to be removed from the export file.

This can be achieved by deleting the offending object (via the Admin UI, or manually in the export file itself) before the export file is used to import more data into the existing (running) Policy Store.

Alternatively, if the new data is needed from the new Policy Store export (i.e. the object in question needs to be updated), then the Legacy Federation object in this case needs to be disabled prior to the import. The underlying problem is that the object is in use and therefore cannot be modified at the time of the import.
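The resolution above assumes you already know which objects collide. On a large merge the XPSImport log can contain many [sm-xobfss-00300] lines, so the following added example (not code from the article or from CA) parses the log and lists, for each conflict, the object identifier in the export file and the identifier of the active object in the destination Policy Store. The sample log is constructed from the two error lines quoted in the article plus made-up filler lines; the class@OID identifiers it produces are the ones you would search for in the export file (first option) or disable in the Policy Store before re-running the import (second option).

```python
"""Extract the conflicting object identifiers from an XPSImport log.

Added example; not part of the CA article. The error line shape is taken from
the two [sm-xobfss-00300] lines quoted in the article. SAMPLE_LOG is
constructed for this example (the INFO/unrelated lines are made up).
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Conflict:
    line_no: int        # 1-based line in the log, for cross-referencing
    object_class: str   # e.g. CA.SM::SAMLv2SP
    object_oid: str     # OID of the object in the export file being imported
    object_name: str    # display name shown in parentheses in the log
    active_oid: str     # OID of the object already active in the destination store

    @property
    def import_id(self) -> str:
        """Identifier of the object to remove (or update) in the export file."""
        return f"{self.object_class}@{self.object_oid}"

    @property
    def active_id(self) -> str:
        """Identifier of the in-use object to disable in the destination store."""
        return f"{self.object_class}@{self.active_oid}"


# Matches one sm-xobfss-00300 line; the lazy .*? skips the optional
# "<class>@<oid>(<name>): " prefix seen on the first error in the article.
CONFLICT_RE = re.compile(
    r"\[sm-xobfss-00300\].*?"
    r"Legacy Federation object (?P<cls>[\w.:]+)@(?P<oid>[0-9a-fA-F-]+)\((?P<name>[^)]*)\)"
    r" cannot be saved; it conflicts with object (?P<acls>[\w.:]+)@(?P<aoid>[0-9a-fA-F-]+)"
    r" which is active"
)


def parse_conflicts(log_text: str) -> List[Conflict]:
    """Return every sm-xobfss-00300 conflict in the log, in log order."""
    found = []
    for no, line in enumerate(log_text.splitlines(), start=1):
        m = CONFLICT_RE.search(line)
        if m:
            found.append(Conflict(no, m["cls"], m["oid"], m["name"], m["aoid"]))
    return found


def export_ids_to_remove(conflicts: List[Conflict]) -> List[str]:
    """First option in the article: objects to delete from the export file."""
    return sorted({c.import_id for c in conflicts})


def active_ids_to_disable(conflicts: List[Conflict]) -> List[str]:
    """Second option in the article: in-use objects to disable before importing."""
    return sorted({c.active_id for c in conflicts})


# Constructed sample log: the two error lines from the article plus filler.
SAMPLE_LOG = """\
(INFO) : constructed filler line, starting import
(ERROR) : [sm-xobfss-00300] CA.SM::SAMLv2SP@21-feb98e5f-37c3-42b8-81c1-f0516f5d14ea(worknet to mrm - rr donnelly): Legacy Federation object CA.SM::SAMLv2SP@21-feb98e5f-37c3-42b8-81c1-f0516f5d14ea(worknet to mrm - rr donnelly) cannot be saved; it conflicts with object CA.SM::SAMLv2SP@21-0fcb15f4-7f06-44aa-9df7-a534894800ee which is active
(ERROR) : [sm-xobfss-00300] Legacy Federation object CA.SM::SAMLv2IdP@21-c339b84d-ba9b-4975-9db5-e6e7c151fe0d(External Availity AutoLoad Mybcbswny SAML2 Auth Scheme) cannot be saved; it conflicts with object CA.SM::SAMLv2IdP@21-e8fd50a5-9103-4a69-bdb4-258936b8c295 which is active
(ERROR) : constructed unrelated error line with no conflict code
"""


if __name__ == "__main__":
    import sys
    # Read a real XPSImport log from a path given on the command line, or use the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    conflicts = parse_conflicts(text)
    for c in conflicts:
        print(f"line {c.line_no}: {c.import_id} ({c.object_name!r}) conflicts with active {c.active_id}")
    print("remove from export file :", *export_ids_to_remove(conflicts), sep="\n  ")
    print("or disable in store     :", *active_ids_to_disable(conflicts), sep="\n  ")
```

Run it as `python xpsimport_conflicts.py XPSImport.log` against a real log; with no argument it runs over the constructed sample. The two OIDs in each record differ, which is why the script reports both: the export-file OID is what you look for when stripping the object from the export, and the active OID is the object you would disable in the destination store if you need the import to update it.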