Environment
Novell Access Manager 3 Linux Novell Identity Server acting as SAML2 service provider (SP) consuming assertions
Novell Access Manager 3 Linux Access Gateway
3rd party Identity Server acting as SAML2 identity provider (IDP)
Situation
After the user authenticates to the 3rd party Identity Server, that SAML2
identity provider sends an assertion back to our Access Manager service
provider (SP), which acts as the SAML2 consumer. The SAML2 profile was
configured to POST the assertion to the SP (HTTP POST binding) rather
than to use artifacts. On receiving the assertion, the Access Manager SP
generated error 300101013 and the browser displayed it with the
following details:
Error: Unable to validate the subject of the assertion
Cause: A subject may not have been sent in the assertion or was not valid. This check protects from certain assertion attacks.
Action: If persistent, check the protocol message sent for a missing subject and then notify administrator of trusted site.
Resolution
Fixed in the Identity Server 3.0.0-1013 build shipped in Access Manager
3 SP1 IR1. The cause was a defect in how the Identity Server handled the
digital signature on the incoming SAML2 assertion.
Additional Information
Looking at the IDP logs on the Access Manager Identity Server (with the
most verbose flags set for SAML2), the assertion sent to the SPASSERTION
service on the Identity Server appeared fine. Yet the Identity Server
responded with the error below because a check it performed on the
digital signature failed. Note that the logged cause is "Digital
signature is required", even though the 300101013 error shown to the
browser talks about the subject of the assertion; when chasing this
error, check the IDP log for the signature failure rather than for a
missing subject.
************************* SAML2 Artifact/SOAP message ********************************
Type: received
RelayState: None
web1-idp.innovation.com
web1-idp.innovation.com
web1-idp.innovation.com
eyZTfFBPfhY7XJdHVqI5QQpkyegQ
http://idp.sim.utopia.novell.com:8080/nidp/saml2/metadata
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
************************* End SAML2 message ****************************
Nov 29, 2006 7:44:38 AM com.novell.nidp.logging.NIDPLog doLog
INFO: Validation failure on message from web1-idp.innovation.com : Digital signature is required
Nov 29, 2006 7:44:38 AM com.novell.nidp.logging.NIDPLog doLog
WARNING: Exception message: "300101013"
y, Line: 2916, Method: validateAssertion
y, Line: 1578, Method:
y, Line: 3518, Method: processResponse
y, Line: 2812, Method: processResponse
y, Line: 2231, Method: processArtifactMessage
y, Line: 874, Method: B
y, Line: 2255, Method: handleInBoundMessage
y, Line: 152, Method: processResponse
y, Line: 3279, Method: A
y, Line: 1633, Method: handleRequest
y, Line: 982, Method: myDoGet
y, Line: 33, Method: doGet
HttpServlet.java, Line: 696, Method: service
HttpServlet.java, Line: 809, Method: service
ApplicationFilterChain.java, Line: 200, Method: internalDoFilter
ApplicationFilterChain.java, Line: 146, Method: doFilter
StandardWrapperValve.java, Line: 209, Method: invoke
StandardPipeline.java, Line: 596, Method: invokeNext
StandardPipeline.java, Line: 433, Method: invoke
ContainerBase.java, Line: 948, Method: invoke
StandardContextValve.java, Line: 144, Method: invoke
StandardPipeline.java, Line: 596, Method: invokeNext
CertificatesValve.java, Line: 199, Method: invoke
StandardPipeline.java, Line: 594, Method: invokeNext
StandardPipeline.java, Line: 433, Method: invoke
ContainerBase.java, Line: 948, Method: invoke
StandardContext.java, Line: 2358, Method: invoke
StandardHostValve.java, Line: 133, Method: invoke
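The SP's structural checks on a POSTed SAML2 Response, as an added example that is not part of this TID and not Novell code. It decodes the base64 SAMLResponse form field the POST binding carries, then reports what an SP looks at before accepting the assertion: issuer, whether the Assertion carries a ds:Signature, whether that signature's Reference actually points at the Assertion, and whether a Subject/NameID is present. It does not verify the signature cryptographically (that needs the IDP's signing certificate and an XML-DSig library); its point is to separate the logged cause above, "Digital signature is required", from a genuinely missing Subject. The sample Response is constructed here; the IDP host name and the opaque identifier are reused from the log excerpt (the excerpt does not label which element the identifier came from, so treating it as the NameID is an assumption), and the SP URL, the element IDs and the "problems" wording are my own.

```python
"""Structural pre-flight check for a SAML2 POST-binding Response (added example)."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample values. Host name and identifier come from the TID's log
# excerpt; the SP URL and element IDs are invented for the example.
ISSUER = "web1-idp.innovation.com"
NAME_ID = "eyZTfFBPfhY7XJdHVqI5QQpkyegQ"
SP_ACS = "https://sp.example.test/nidp/saml2/spassertion_consumer"


def signature_stub(ref_uri="#_a1"):
    """Placeholder ds:Signature: correct shape, no real digest or signature value."""
    return f"""<ds:Signature xmlns:ds="{NS['ds']}">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="{ref_uri}">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
</ds:Signature>"""


SUBJECT = f"""<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">{NAME_ID}</saml:NameID>
</saml:Subject>"""


def build_response(assertion_signature, subject):
    """Minimal samlp:Response with one Assertion; the two holes let us build broken variants."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2006-11-29T07:44:38Z" Destination="{SP_ACS}">
  <saml:Issuer>{ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2006-11-29T07:44:38Z">
    <saml:Issuer>{ISSUER}</saml:Issuer>
    {assertion_signature}
    {subject}
    <saml:AuthnStatement AuthnInstant="2006-11-29T07:44:38Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_for_post(xml_text):
    """What the IDP places in the SAMLResponse form field of the POST binding."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_saml_response(form_value):
    """Reverse of encode_for_post: the SP's first step on the POSTed form."""
    return base64.b64decode(form_value).decode("utf-8")


def inspect_response(xml_text):
    """Return the structural facts an SP checks, plus a list of problems found."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    report = {
        "issuer": (root.findtext("saml:Issuer", namespaces=NS) or "").strip(),
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": False,
        "signature_covers_assertion": False,
        "subject_present": False,
        "name_id": None,
        "problems": [],
    }
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        report["problems"].append("expected exactly one saml:Assertion, found %d" % len(assertions))
        return report
    assertion = assertions[0]
    assertion_id = assertion.get("ID")
    sig = assertion.find("ds:Signature", NS)
    if sig is not None:
        report["assertion_signed"] = True
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        uri = ref.get("URI") if ref is not None else None
        # A signature that references some other element does not protect this Assertion.
        report["signature_covers_assertion"] = uri == "#%s" % assertion_id
        if not report["signature_covers_assertion"]:
            report["problems"].append(
                "signature Reference URI %r does not point at Assertion ID %r" % (uri, assertion_id))
    else:
        # Policy of this checker: the Assertion itself must be signed (the situation in
        # the TID). Whether a Response-level signature would suffice is SP configuration.
        report["problems"].append("Digital signature is required: saml:Assertion carries no ds:Signature")
    subject = assertion.find("saml:Subject", NS)
    if subject is not None:
        report["subject_present"] = True
        report["name_id"] = (subject.findtext("saml:NameID", namespaces=NS) or "").strip() or None
    if not report["name_id"]:
        report["problems"].append("Unable to validate the subject: assertion has no Subject/NameID")
    return report


if __name__ == "__main__":
    for label, resp in [("signed, with subject", build_response(signature_stub(), SUBJECT)),
                        ("unsigned assertion", build_response("", SUBJECT)),
                        ("signature references wrong element", build_response(signature_stub("#_resp1"), SUBJECT)),
                        ("no subject", build_response(signature_stub(), ""))]:
        print(label, "->", inspect_response(decode_saml_response(encode_for_post(resp)))["problems"])
```

Run it as-is to see the four variants; to triage a real 300101013, paste the SAMLResponse value from the browser's POST into decode_saml_response and look at "problems". A report with only the signature entry matches the log above and points at the IDP's signing configuration or the SP's signature handling, not at the Subject the browser error names.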