Received the following response from SAML2 assertion generator: SAML2Response=NO.

Document ID : KB000113610
Last Modified Date : 17/09/2018
Issue:
Running CA Access Gateway - AG (a.k.a. SPS): when a user coming in through the VPN requests a 
Federation resource, the request fails and both SPS and the Policy Server report errors: 

Policy Server 

1. [06/05/2018][09:47:25][140379345655552][][][][][][][][][][][][][][Loading 
the configration data for the Service Provider with ID 
"https://xyz.compay.com/saml/sp/metadata/company_vpn" 
...][][][AuthnRequestProtocol.java][17357][09:47:25.599][getSPProperties] 
[][][][][14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809][][][][][][][] 
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][] 

CA Access Gateway (SPS) 

2. [06/05/2018][09:47:25][3048][140127741576960] 
[14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809][SSO.java] 
[processAssertionGeneration][Transaction 
with ID: 14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809 
failed. Reason: FAILED_INVALID_RESPONSE_RETURNED] 

3. [06/05/2018][09:47:25][3048][140127741576960] 
[14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809] 
[ErrorRedirectionHandler.java][redirectToErrorPage][Sending 
HTTP Error 500 ] 

Federation:

"Received the following response from SAML2 assertion generator: SAML2Response=NO." 
Environment:
Policy Server 12.7CR00 on RedHat Linux 7; 
CA Access Gateway (SPS) 12.7 on Redhat Linux 7.
Cause:
The Policy Server loads the partnership configuration, but it fails to read the 
encryption certificate's serial number or issuer DN from it and therefore cannot 
locate the certificate. 

a*) The configuration for the encryption certificate is this: 

EncryptionCertSerialNumber=e4d41e01771769a9a5ebbd3558f2a3a, 
EncryptionCertIssuerDN=CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US, 
EncryptionBlockAlgorithm=tripledes 
EncryptionKeyAlgorithm=rsa-v15 

And the Policy Server reports this problem: 

b*) [06/05/2018][09:47:25][140379345655552][][][][][][][][][][][][][][Primary 
certificate serial number or issuer dn is empty or 
null][][][SignatureProcessor.java][17357][09:47:25.600][verifyFromHTTP] 
[][][][][14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809][][][][][][] 
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][] 
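Before concluding that the defect applies, it is worth confirming that the partnership really points at the certificate held in the key store. The following check is an added example written for this article (it is not CA product code and not part of this KB): it compares the partnership's EncryptionCertSerialNumber and EncryptionCertIssuerDN with what `openssl x509 -in <cert.pem> -noout -serial -issuer` prints for the certificate. OpenSSL prints the serial as whole bytes in upper-case hex and the issuer RDNs in certificate order with " = " separators, so a naive string comparison fails even when the values agree; the script normalizes both sides first. Note that the serial logged above has 31 hex digits, an odd count, so the comparison ignores leading zeros and flags the odd length as a warning. The partnership values are the ones logged above; the OpenSSL output is a constructed sample, and all function names are this example's own.

```python
"""Check that a SiteMinder partnership's EncryptionCertSerialNumber / EncryptionCertIssuerDN
refer to the certificate actually held in the key store, using the output of
`openssl x509 -in <cert.pem> -noout -serial -issuer`. Added example, not product code."""
import re

# Partnership properties as logged by the Policy Server in this article.
PARTNERSHIP_PROPS = """\
EncryptionCertSerialNumber=e4d41e01771769a9a5ebbd3558f2a3a,
EncryptionCertIssuerDN=CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US,
EncryptionBlockAlgorithm=tripledes
EncryptionKeyAlgorithm=rsa-v15
"""

# Constructed sample of OpenSSL 1.1 output for the matching certificate (an assumption,
# not taken from the article). OpenSSL prints the serial as whole bytes in upper case
# and the issuer RDNs in certificate order with " = " separators.
OPENSSL_OUTPUT = """\
serial=0E4D41E01771769A9A5EBBD3558F2A3A
issuer=C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
"""


def parse_properties(text):
    """key=value lines; the value may itself contain '=' and ',' (the issuer DN does)."""
    props = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().rstrip(",").strip()
    return props


def normalize_serial(serial):
    """Lower-case hex with colons, spaces, '0x' and leading zeros removed."""
    s = re.sub(r"[\s:]", "", serial).lower()
    s = s[2:] if s.startswith("0x") else s
    if not re.fullmatch(r"[0-9a-f]+", s):
        raise ValueError("serial number is not hexadecimal: %r" % serial)
    return s.lstrip("0") or "0"


def normalize_dn(dn):
    """Order-independent form: sorted (TYPE, value) pairs. Accepts 'CN=a, O=b',
    'CN = a, O = b' and the older OpenSSL '/C=US/O=b/CN=a' form. Attribute types are
    compared case-insensitively, values verbatim. Escaped commas inside values are
    not handled."""
    dn = dn.strip()
    rdns = dn.strip("/").split("/") if dn.startswith("/") else re.split(r"\s*,\s*", dn.strip(","))
    pairs = []
    for rdn in rdns:
        if not rdn.strip():
            continue
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return tuple(sorted(pairs))


def check_partnership(props, openssl_out):
    """Return {'serial_match': bool, 'issuer_match': bool, 'warnings': [...]}."""
    result = {"serial_match": False, "issuer_match": False, "warnings": []}
    cfg_serial = props.get("EncryptionCertSerialNumber", "")
    cfg_issuer = props.get("EncryptionCertIssuerDN", "")
    if not cfg_serial or not cfg_issuer:
        result["warnings"].append("EncryptionCertSerialNumber or EncryptionCertIssuerDN is empty")
        return result
    if len(re.sub(r"[\s:]", "", cfg_serial)) % 2:
        result["warnings"].append(
            "configured serial has an odd number of hex digits; a leading 0 was probably dropped")
    result["serial_match"] = normalize_serial(cfg_serial) == normalize_serial(openssl_out["serial"])
    result["issuer_match"] = normalize_dn(cfg_issuer) == normalize_dn(openssl_out["issuer"])
    return result


if __name__ == "__main__":
    outcome = check_partnership(parse_properties(PARTNERSHIP_PROPS),
                                parse_properties(OPENSSL_OUTPUT))
    print(outcome)
```

If both values match and only the odd-length warning is raised, the partnership is consistent with the certificate and the Devfix below is the right next step; a genuine mismatch means the partnership itself should be corrected first.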

CA Access Gateway - AG (a.k.a. SPS) receives the request and asks the Policy Server to 
generate the assertion (step 1 below). authorizeEx returns 1 (step 2), but the transaction 
then fails with FAILED_INVALID_RESPONSE_RETURNED (step 3), so SPS denies the request because 
the assertion generator returned "NO" (step 4) and answers the user with HTTP error 500 (step 5). 

FWSTrace.log: 

1. [06/05/2018][09:47:25][3048][140127741576960] 
[14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809][SSO.java] 
[processAssertionGeneration][Request 
to policy server for generating saml2 assertion/artifact based on 
selected profile. [CHECKPOINT = 
SSOSAML2_GENERATEASSERTIONORARTIFACT_REQ]] 

2. [06/05/2018][09:47:25][3048][140127741576960] 
[14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809][SSO.java] 
[processAssertionGeneration][Result 
of authorizeEx call is: 1.] 

3. [06/05/2018][09:47:25][3048][140127741576960] 
[14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809][SSO.java] 
[processAssertionGeneration][Transaction 
with ID: 14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809 
failed. Reason: FAILED_INVALID_RESPONSE_RETURNED] 

4. [06/05/2018][09:47:25][3048][140127741576960] 
[14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809][SSO.java] 
[processAssertionGeneration][Denying 
request due to "NO" returned from SAML2 assertion generator.] 

5. [06/05/2018][09:47:25][3048][140127741576960] 
[14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809] 
[ErrorRedirectionHandler.java][redirectToErrorPage][Sending 
HTTP Error 500 ] 

So the Policy Server loads the partnership configuration but cannot locate the 
encryption certificate by the configured serial number and issuer DN, and the 
SAML2 assertion generator returns NO. 
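The two logs share the transaction ID (14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809), which is what ties the SPS-side FAILED_INVALID_RESPONSE_RETURNED to the Policy Server's certificate error. The following added example (written for this article; not part of the product or of this KB) parses the bracket-delimited format of both logs, groups records by transaction ID and reports, per transaction, whether SPS denied the request and which Policy Server error explains it. The log lines are constructed samples: the entries quoted above joined onto single lines, with the Policy Server's long run of empty [] fields shortened. Function names and the error markers it looks for are this example's own choices.

```python
"""Correlate CA Access Gateway (FWSTrace.log) and Policy Server trace entries by
transaction ID. Added example; the log lines are constructed from the entries quoted in
this article, joined onto single lines, with the Policy Server's run of empty [] fields
shortened."""
import re
from collections import defaultdict

SPS_LOG = """\
[06/05/2018][09:47:25][3048][140127741576960][14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809][SSO.java][processAssertionGeneration][Request to policy server for generating saml2 assertion/artifact based on selected profile. [CHECKPOINT = SSOSAML2_GENERATEASSERTIONORARTIFACT_REQ]]
[06/05/2018][09:47:25][3048][140127741576960][14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809][SSO.java][processAssertionGeneration][Result of authorizeEx call is: 1.]
[06/05/2018][09:47:25][3048][140127741576960][14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809][SSO.java][processAssertionGeneration][Transaction with ID: 14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809 failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]
[06/05/2018][09:47:25][3048][140127741576960][14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809][SSO.java][processAssertionGeneration][Denying request due to "NO" returned from SAML2 assertion generator.]
[06/05/2018][09:47:25][3048][140127741576960][14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]
"""

PS_LOG = """\
[06/05/2018][09:47:25][140379345655552][][][][Loading the configration data for the Service Provider with ID "https://xyz.compay.com/saml/sp/metadata/company_vpn" ...][][][AuthnRequestProtocol.java][17357][09:47:25.599][getSPProperties][][][][][14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809][][]
[06/05/2018][09:47:25][140379345655552][][][][Primary certificate serial number or issuer dn is empty or null][][][SignatureProcessor.java][17357][09:47:25.600][verifyFromHTTP][][][][][14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809][][]
"""

# Transaction IDs in both logs look like 8 hex digits, four more groups of 8, then 4.
TXID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{8}){4}-[0-9a-f]{4}$", re.I)
SPS_DENIAL = "FAILED_INVALID_RESPONSE_RETURNED"
# Substrings that mark a Policy Server message as an error worth surfacing (own choice).
PS_ERROR_MARKERS = ("empty or null", "Exception")


def fields(line):
    """Split a [a][b][c] line into its top-level fields. Brackets nested inside a
    field (the [CHECKPOINT = ...] in the SPS request line) are kept as text."""
    out, depth, buf = [], 0, []
    for ch in line:
        if ch == "[":
            depth += 1
            if depth == 1:
                buf = []
                continue
        elif ch == "]":
            depth -= 1
            if depth == 0:
                out.append("".join(buf))
                continue
        if depth >= 1:
            buf.append(ch)
    return out


def parse_line(line, source):
    f = fields(line)
    txid = next((x for x in f if TXID_RE.match(x)), None)
    # Identifiers, file names and method names never contain spaces; the free-text
    # message is the longest field that does.
    msg = max((x for x in f if " " in x), key=len, default="")
    return {"source": source, "date": f[0] if f else "", "time": f[1] if len(f) > 1 else "",
            "txid": txid, "msg": msg.strip()}


def correlate(sps_lines, ps_lines):
    """Group SPS and Policy Server records by transaction ID and summarise each."""
    by_tx = defaultdict(list)
    for source, lines in (("SPS", sps_lines), ("PS", ps_lines)):
        for line in lines:
            if not line.strip():
                continue
            rec = parse_line(line, source)
            if rec["txid"]:  # records without a transaction ID cannot be correlated
                by_tx[rec["txid"]].append(rec)
    report = {}
    for txid, recs in by_tx.items():
        report[txid] = {
            "events": len(recs),
            "sps_denied": any(r["source"] == "SPS" and SPS_DENIAL in r["msg"] for r in recs),
            "ps_errors": [r["msg"] for r in recs
                          if r["source"] == "PS" and any(m in r["msg"] for m in PS_ERROR_MARKERS)],
        }
    return report


if __name__ == "__main__":
    for txid, summary in correlate(SPS_LOG.splitlines(), PS_LOG.splitlines()).items():
        print(txid, summary)
```

On real logs, feed the script the full FWSTrace.log and Policy Server trace instead of the embedded samples; transactions that show sps_denied with no ps_errors point at a different failure than the one described here.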
Resolution:
DE309353: a Devfix smkeydatabase.jar is provided for 12.7 (obtain it from CA Support, referencing this defect number).

Instructions to deploy the Devfix smkeydatabase.jar:

1. Stop the Policy Server, if it is running.
2. Back up the existing smkeydatabase.jar from the bin/jars folder of the Policy 
Server installation, and keep the backup so the original can be restored if needed.
3. Copy the Devfix smkeydatabase.jar into <CA_SiteMinder_Home>/bin/jars, replacing the existing file.
4. Start the Policy Server. 
5. Re-run the failing federation transaction and confirm that the assertion is now generated 
(FWSTrace.log no longer reports FAILED_INVALID_RESPONSE_RETURNED for the transaction).