SP Not Authenticating When Accessing Assertion Retrieval Service
Symptom:
In an environment using SAML 2.0 artifact single sign-on, the Service Provider fails to authenticate when attempting to access the Artifact Resolution Service at the Identity Provider.
Error messages similar to the following appear in the Federation Web Service log file:
May 23, 2005 4:43:51.479 PM[31538514:E] SAML producer returned error http status code. HTTP return status: 401. Message: <HTML><HEAD><TITLE>401: Access Denied</TITLE></HEAD><BODY><H1>401: Access Denied</H1>
Proper authorization is required for this area. Either your browser does not perform authorization, or your authorization has failed.</BODY></HTML>
Solution:
The solution depends on the configured authentication method:
- If Basic authentication is configured, verify that the Name and Password values specified in the Service Provider Properties dialog at the IdP match the Affiliate Name and Password values configured for the SAML 2.0 authentication scheme at the SP.
- If client certificate authentication is configured to protect the Artifact Resolution Service, verify that the client certificate of the Service Provider is valid and that it is in the AM.keystore database of the Service Provider. Additionally, verify that the Certificate Authority that issued the client certificate is in the web server's own key database at the Identity Provider.
- If no authentication is configured, verify that the Artifact Resolution Service URL is not protected.
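To locate these failures in a larger Federation Web Service log before working through the checks above, the following added example (not part of the product or of this guide) groups multi-line entries and extracts the HTTP status returned by the SAML producer. The entry layout is inferred from the single sample message shown above; reading the bracketed fields as an id and a severity letter is an assumption, and all sample lines other than the first entry are constructed.

```python
import re
from datetime import datetime

# Entry layout inferred from the one sample on this page: <timestamp>[<id>:<level>] <message>
# Treating the bracketed fields as an id and a severity letter is an assumption.
ENTRY = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2}\.\d{3} [AP]M)"
    r"\[(?P<id>\d+):(?P<level>[A-Z])\]\s*(?P<msg>.*)$")
STATUS = re.compile(r"SAML producer returned error http status code\.\s*"
                    r"HTTP return status:\s*(?P<code>\d{3})")

# First entry (two lines) is the message from this page; the last two lines are constructed.
SAMPLE = """\
May 23, 2005 4:43:51.479 PM[31538514:E] SAML producer returned error http status code. HTTP return status: 401. Message: <HTML><HEAD><TITLE>401: Access Denied</TITLE></HEAD><BODY><H1>401: Access Denied</H1>
Proper authorization is required for this area. Either your browser does not perform authorization, or your authorization has failed.</BODY></HTML>
May 23, 2005 4:44:02.113 PM[31538514:I] Constructed informational entry (not from the page)
May 23, 2005 4:45:10.006 PM[31538520:E] SAML producer returned error http status code. HTTP return status: 500. Message: constructed
"""

def parse_entries(lines):
    """Group raw lines into entries. A line without a leading timestamp (the
    HTML error body spills onto the next line) is joined to the previous entry."""
    entries = []
    for line in lines:
        m = ENTRY.match(line)
        if m:
            entries.append({"time": datetime.strptime(m["ts"], "%b %d, %Y %I:%M:%S.%f %p"),
                            "id": m["id"], "level": m["level"], "msg": m["msg"]})
        elif entries:
            entries[-1]["msg"] += "\n" + line
    return entries

def producer_errors(entries):
    """Return (time, http_status) for every 'SAML producer returned error' entry."""
    hits = []
    for e in entries:
        m = STATUS.search(e["msg"])
        if m:
            hits.append((e["time"], int(m["code"])))
    return hits

def auth_failures(entries):
    """Only the 401 responses, i.e. the symptom this topic describes."""
    return [(t, code) for t, code in producer_errors(entries) if code == 401]

if __name__ == "__main__":
    for when, code in auth_failures(parse_entries(SAMPLE.splitlines())):
        print(f"{when.isoformat()} artifact resolution rejected with HTTP {code}")
```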
ODBC Errors Deleting Expiry Data From Session Store
Symptom:
If you upgrade a Policy Server from an earlier version, ODBC errors can occur when deleting expiry data from the session store.
Solution:
Upgrade the session store schema as described in the SiteMinder Upgrade Guide.
Copyright © 2012 CA.
All rights reserved.