End users are unable to log in to the RSA SecurID Access SSO Portal or perform SSO login to applications with IWA.
IWA is not accessible or is not responding. This can be investigated by checking the events in the RSA Identity Router (IDR)'s symplified.log file.
An administrator can view an IDR's /var/log/symplified/symplified.log which can be obtained as described in the article on how to Generate and Download an Identity Router Log Bundle. Be sure to obtain the log bundle and check the symplified.log from all IDRs that are in use in the affected deployment.
Using a text editor, search the symplified.log looking for events logged by the component com.symplified.adapter.idp.saml2.generic.Saml2GenericIdPHandler.
A normal sequence for an IWA authentication, logged by this IDR component to symplified.log, should include the following events in the order shown:
INFO com.symplified.adapter.idp.saml2.generic.Saml2GenericIdPHandler - Posting SAMLRequest to IdP endpoint: https://<IWA URL>
INFO com.symplified.adapter.idp.saml2.generic.Saml2GenericIdPHandler - SAMLRequest contents: <saml2p:AuthnRequest XML message>
WARN com.symplified.adapter.idp.saml2.generic.Saml2GenericIdPHandler - Saml 2 Generic IdP Handler handling inbound response.
INFO com.symplified.adapter.idp.saml2.generic.Saml2GenericIdPHandler - Inbound SAMLResponse is valid. Accepting assertion for user: <user id>
Note that there will be events from other IDR components interleaved between the above events in the symplified.log.
Examine your IDRs' symplified.log files, check for any variations from the entries above, and handle them accordingly. For example:
If event message  is logged but  and  are not logged, it means the IDR has not received a response from the IWA server.
Steps that can be taken to investigate further:
Examine the Windows Event Log on the IWA Server for any explanatory events.
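The manual search described above can be scripted. The following is an added example, not RSA code: it scans symplified.log for the four Saml2GenericIdPHandler messages listed in this article and reports SAMLRequest posts that were never followed by an inbound response. The function names, the timestamp layout of the sample lines, and the assumption that responses arrive in the order requests were posted are all assumptions of the example.

```python
import sys

HANDLER = "com.symplified.adapter.idp.saml2.generic.Saml2GenericIdPHandler"

# Message fragments taken from the normal IWA sequence listed in the article.
STAGES = (
    ("posted", "Posting SAMLRequest to IdP endpoint:"),
    ("contents", "SAMLRequest contents:"),
    ("handling", "handling inbound response"),
    ("accepted", "Inbound SAMLResponse is valid"),
)

def classify(line):
    """Return the stage name for a handler event, or None for any other line."""
    if HANDLER not in line:
        return None
    return next((name for name, text in STAGES if text in line), None)

def audit(lines):
    """Count each stage and list line numbers of requests with no later response."""
    counts = {name: 0 for name, _ in STAGES}
    unanswered = []  # assumption: responses arrive in the order requests were posted
    for lineno, line in enumerate(lines, 1):
        stage = classify(line)
        if stage is None:
            continue  # events from other IDR components are interleaved; skip them
        counts[stage] += 1
        if stage == "posted":
            unanswered.append(lineno)
        elif stage == "handling" and unanswered:
            unanswered.pop(0)
    return {"counts": counts, "unanswered": unanswered,
            "not_accepted": counts["handling"] - counts["accepted"]}

# Constructed sample: timestamps, URL, user id and the "other" component are made up.
_E = "2024-01-01 10:0{} {} " + HANDLER + " - {}"
SAMPLE = [
    _E.format(0, "INFO", "Posting SAMLRequest to IdP endpoint: https://iwa.example.test/"),
    _E.format(0, "INFO", "SAMLRequest contents: <saml2p:AuthnRequest/>"),
    "2024-01-01 10:00 INFO com.example.other.Component - unrelated event",
    _E.format(1, "WARN", "Saml 2 Generic IdP Handler handling inbound response."),
    _E.format(1, "INFO", "Inbound SAMLResponse is valid. Accepting assertion for user: jdoe"),
    _E.format(5, "INFO", "Posting SAMLRequest to IdP endpoint: https://iwa.example.test/"),
    _E.format(5, "INFO", "SAMLRequest contents: <saml2p:AuthnRequest/>"),
]

if __name__ == "__main__":
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    print(audit(source))
```

Run it against the symplified.log from each IDR's log bundle. A non-empty "unanswered" list gives the log line numbers to correlate with the Windows Event Log on the IWA server.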