SAML 2.0 response sent to the SP service causes an exception
Originally Published: 2006-12-14
Article Number
000061451
Applies To
FIM
Federated Identity Management Module 3.0
Microsoft Windows Windows Server SP1
SAML
SAML 2.0
Issue

{date}{time},672, (SSOProfileBean.java:2467), FIMDEMO02, , , , Unable to process the Response message, com.rsa.fim.saml.SAMLException


IDP unsolicited login


Cause

An example of the Status element in a response sent to the SP service that causes this exception (the top-level code is Requester, with the second-level code InvalidNameIDPolicy nested inside it):

<samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
  </samlp:StatusCode>
</samlp:Status>


Resolution

* SAML core specification is located at URL http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

When the IDP service (partner) responds with a top-level status other than "Success" (that is, "Requester" or "Responder"), it indicates that the operation failed (refer to lines 1634-1645 of saml-core-2.0-os.pdf).

Throwing an exception is the expected response, because in this case the partner is saying that the requester asked for an invalid NameIDPolicy. The NameIDPolicy is only used in the AuthnRequest of an SP-initiated SSO (refer to lines 2025-2028 and 2130-2132 of saml-core-2.0-os.pdf).

In IdP-initiated (Tivoli calls it "push") SSO there is no AuthnRequest and therefore no NameIDPolicy, hence the operation failed with the exception.
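The check an SP performs on the Status element is illustrated below. This is an added example, not RSA FIM code: it walks the nested StatusCode chain of a SAML 2.0 Response, treats anything other than a top-level Success as a failure, and surfaces the second-level reason (here InvalidNameIDPolicy). The sample Response is constructed from the fragment above, wrapped in a minimal envelope with made-up ID and IssueInstant values.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"

# Constructed sample: the Status fragment from the article inside a minimal
# samlp:Response envelope (ID and IssueInstant are placeholders, not real data).
FAILED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_placeholder"
  Version="2.0" IssueInstant="2006-12-14T00:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="{REQUESTER}">
      <samlp:StatusCode Value="{INVALID_NAMEID_POLICY}"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""


def status_codes(response_xml):
    """Return the StatusCode Values, outermost first.

    Per saml-core-2.0-os the top-level code is one of Success, Requester,
    Responder or VersionMismatch; any more specific reason (such as
    InvalidNameIDPolicy) appears as a nested second-level StatusCode.
    """
    root = ET.fromstring(response_xml)
    status = root.find(f"{{{SAMLP}}}Status")
    if status is None:
        raise ValueError("Response carries no samlp:Status element")
    codes = []
    node = status.find(f"{{{SAMLP}}}StatusCode")
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find(f"{{{SAMLP}}}StatusCode")  # descend one level
    return codes


def check_response(response_xml):
    """Return the code chain when the top-level status is Success; otherwise
    raise, naming the top-level class and the second-level reason so the
    SP log explains why the Response was rejected."""
    codes = status_codes(response_xml)
    if codes and codes[0] == SUCCESS:
        return codes
    top = codes[0] if codes else "(missing StatusCode)"
    reason = codes[1] if len(codes) > 1 else "(no second-level code)"
    raise ValueError(f"Unable to process the Response message: {top} / {reason}")
```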


Workaround

Federated Identity Management Module 3.0 configured as the IDP