SAML1 Assertion Consumer failed - no assertion was returned in Response

  • 7000714
  • 20-Jun-2008
  • 26-Apr-2012

Environment

Novell Access Manager 3 Linux Novell Identity Server
Novell Access Manager 3 Support Pack 3 applied

Situation

Access Manager SAML 1.0 artifact-based relationship set up with a CA Netegrity SiteMinder Identity Provider. When the user authenticates to the SiteMinder server and the corresponding assertion is sent to Access Manager, the Access Manager SAML 1.0 Service Provider does not accept it. The catalina.out log file on the Access Manager server (assuming IDP logging is enabled for SAML1) shows 'Assertion Consumer failed - no assertion was returned in Response'.

Example of an unaccepted assertion:
----------------------------------------------------------------------------------
2008-06-03T08:06:58Z VERBOSE NIDS SAML1: Received Saml1 SOAP response from: https://wa.trust-preprod.bbs.co.uk/affwebservices/assertionretriever

2008-06-03T08:06:58Z DEBUG NIDS SAML1: Saml1 SOAP response


OTEuMTA5LjE4MS4yMzh3bGxqZW9ndmNkY3Vpd2pkbW91


**

OTEuMTA5LjE4MS4yMzh3bGxqZW9ndmNkY3Vpd2pkbW91




2008-06-03T08:06:58Z VERBOSE NIDS SAML1: SAML1 Assertion Consumer failed - no assertion was returned in Response

2008-06-03T08:06:58Z INFO NIDS Application: AM#500105039: AMDEVICEID#99C53F50C26C0B13: AMAUTHID#D1BEBDD042ADC5252598B33CE017A746: Error on session id D1BEBDD042ADC5252598B33CE017A746, error 300101008-99C53F50C26C0B13, Unable to complete authentication request. AM#300101008: AMDEVICEID#99C53F50C26C0B13: : No assertion returned in response


The same request from an Access Manager Identity Server to an Access Manager Service provider using SAML 1.0 works fine.

Resolution

Make sure that the SiteMinder server includes a SubjectConfirmation statement in the incoming assertion, or use the Access Gateway custom rewriter (assuming the Access Manager SAML 1.0 Service Provider lies behind an Access Gateway) to inject the following string into the above assertion:


urn:oasis:names:tc:SAML:1.0:cm:artifact-01

Additional Information

With SAML 1.0, Access Manager must receive a SubjectConfirmation as shown:


urn:oasis:names:tc:SAML:1.0:cm:artifact-01


SiteMinder does not send it, so Access Manager does not consider the assertion valid. The SAML 1.0 bindings and profiles document defines what is required of statements when used with the artifact profile as follows:

"The element of each assertion MUST be set to urn:oasis:names:tc:SAML:1.0:cm:artifact-01."
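The following script is an added example for the Resolution and Additional Information sections above; it is not Novell/NetIQ or SiteMinder code. It parses a SOAP-wrapped SAML 1.0 Response with Python's standard library and reports whether each assertion's Subject carries a SubjectConfirmation/ConfirmationMethod set to urn:oasis:names:tc:SAML:1.0:cm:artifact-01, which is the condition Access Manager enforces here. The namespace URIs are the standard SAML 1.0 ones; the response builder, the AssertionID, issuer and subject name are constructed sample values, not captured traffic.

```python
"""Check a SAML 1.0 artifact-profile Response for the SubjectConfirmation
that Access Manager requires.  Added example; the sample messages are
constructed, not captured from SiteMinder or Access Manager."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
ARTIFACT_CM = "urn:oasis:names:tc:SAML:1.0:cm:artifact-01"
NS = {"saml": SAML_NS, "samlp": SAMLP_NS}


def build_response(confirmation_method=None):
    """Constructed SOAP response carrying one SAML 1.0 assertion.

    With confirmation_method=None the Subject has no SubjectConfirmation,
    which is the shape that produces 'no assertion was returned in
    Response' on the Access Manager side.  Assumed sample identifiers."""
    cm = ""
    if confirmation_method:
        cm = (
            "<saml:SubjectConfirmation>"
            f"<saml:ConfirmationMethod>{confirmation_method}</saml:ConfirmationMethod>"
            "</saml:SubjectConfirmation>"
        )
    return f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<samlp:Response xmlns:samlp="{SAMLP_NS}" ResponseID="_resp1" MajorVersion="1"
    MinorVersion="0" IssueInstant="2008-06-03T08:06:58Z">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion xmlns:saml="{SAML_NS}" AssertionID="_a1" Issuer="example-idp"
      MajorVersion="1" MinorVersion="0" IssueInstant="2008-06-03T08:06:58Z">
    <saml:AuthenticationStatement
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
        AuthenticationInstant="2008-06-03T08:06:50Z">
      <saml:Subject>
        <saml:NameIdentifier>jdoe</saml:NameIdentifier>
        {cm}
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


def check_artifact_confirmation(soap_xml):
    """Return a list of findings; an empty list means every subject
    statement in the Response meets the artifact-profile rule quoted
    from the SAML 1.0 bindings document."""
    root = ET.fromstring(soap_xml)
    findings = []
    assertions = root.findall(".//saml:Assertion", NS)
    if not assertions:
        return ["no saml:Assertion in Response"]
    for assertion in assertions:
        aid = assertion.get("AssertionID", "?")
        subjects = assertion.findall(".//saml:Subject", NS)
        if not subjects:
            findings.append(f"{aid}: no saml:Subject in any statement")
        for subj in subjects:
            methods = [
                (m.text or "").strip()
                for m in subj.findall(
                    "saml:SubjectConfirmation/saml:ConfirmationMethod", NS)
            ]
            if not methods:
                findings.append(
                    f"{aid}: Subject has no SubjectConfirmation/ConfirmationMethod")
            elif ARTIFACT_CM not in methods:
                findings.append(
                    f"{aid}: ConfirmationMethod {methods} is not {ARTIFACT_CM}")
    return findings


if __name__ == "__main__":
    for label, resp in (("missing", build_response()),
                        ("artifact-01", build_response(ARTIFACT_CM))):
        print(label, "->", check_artifact_confirmation(resp) or "OK")
```

Running the script prints one finding for the constructed response without a SubjectConfirmation and OK for the one that carries artifact-01. A caveat on the rewriter option in the Resolution: if SiteMinder signs the assertion, any element injected by the Access Gateway after signing will not be covered by that signature, so having the Identity Provider emit the SubjectConfirmation itself is the more robust fix.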