SAML 2 SSO profile is not configured for relying party com.ca.apm.em.serviceprovider

Document ID : KB000106139
Last Modified Date : 12/07/2018
Show Technical Document Details
Issue:
We are experiencing below error when attempting to setup SAML between ACC and EM using SSL. Is this related to me needing to get something configured within AD LDS or can it be fixed within the EM or ACC?

ERROR
An error occurred while processing your request. Please contact your helpdesk or user ID office for assistance.
Error Message: SAML 2 SSO profile is not configured for relying party com.ca.apm.em.serviceprovider


 
Environment:
Upgraded from APM 10.5.x to APM 10.7
Cause:
After investigating what certificates are used for signing we found the root cause of the problem.
On EM side the assertion is signed using key from Introscope/config/internal/server/EMkey.pem (and related certificate from EMcert.pem is included in the response).
On ACC side the signature is validated using certificate taken from IdP metadata located in config/security/saml/em_idp.metadata.xml.

The installation is an upgrade from 10.5.1 and there is a defect in upgrade procedure that causes all files from config/security to be taken from old version instead of the new ones. The certificate in EM was renewed some time ago, but in the installation the old one is still used.

 
Resolution:
After changing the EM metadata file (em_idp.metadata.xml) to new version 10.7 the ACC UI is shown correctly.
This issue will be addressed in 10.7 SP2 of the product.