SAML1 Assertion Consumer failed - no assertion was returned in Response

  • 7000714
  • 20-Jun-2008
  • 26-Apr-2012

Environment


Novell Access Manager 3 Linux Novell Identity Server
Novell Access Manager 3 Support Pack 3 applied

Situation

Access Manager SAML 1.0 artifact-based relationship setup with CA Netegrity SiteMinder Identity Provider. When user authenticated to the Siteminder server and a corresponding assertion is sent to Access Manager, it is not acceptable on the Access Manager SAML 1.0 Service Provider. The catalina.out log file on the Access Manager server (assuming IDP logging is enabled for SAML1) shows that the 'Assertion Consumer failed - no assertion was returned in Response'.

Example of unaccepted assertion:
—---------------------------------------------------------------------------------
2008-06-03T08:06:58Z VERBOSE NIDS SAML1: Received Saml1 SOAP response from: https://wa.trust-preprod.bbs.co.uk/affwebservices/assertionretriever

2008-06-03T08:06:58Z DEBUG NIDS SAML1: Saml1 SOAP response


OTEuMTA5LjE4MS4yMzh3bGxqZW9ndmNkY3Vpd2pkbW91


**

OTEuMTA5LjE4MS4yMzh3bGxqZW9ndmNkY3Vpd2pkbW91




2008-06-03T08:06:58Z VERBOSE NIDS SAML1: SAML1 Assertion Consumer failed - no assertion was returned in Response

2008-06-03T08:06:58Z INFO NIDS Application: AM#500105039: AMDEVICEID#99C53F50C26C0B13: AMAUTHID#D1BEBDD042ADC5252598B33CE017A746: Error on session id D1BEBDD042ADC5252598B33CE017A746, error 300101008-99C53F50C26C0B13, Unable to complete authentication request. AM#300101008: AMDEVICEID#99C53F50C26C0B13: : No assertion returned in response


The same request from an Access Manager Identity Server to an Access Manager Service provider using SAML 1.0 works fine.

Resolution

Make sure that the Siteminder server includes a statement in the incoming assertion or use the Access Gateway custom rewriter (assuming the Access Manager SAML 1.0 Service provider lies behind an Access Gateway) to inject the following string to the above assertion:


urn:oasis:names:tc:SAML:1.0:cm:artifact-01

Additional Information

With SAML 1.0, Access Manager must receive a SubjectConfirmation as shown:


urn:oasis:names:tc:SAML:1.0:cm:artifact-01


SiteMinder doesn't send it and Access Manager will not consider it a valid assertion. The SAML 1.0 bindings and profiles document defines what is required of statements when used with the artifact profile as follows:

"The element of each assertion MUST be set to urn:oasis:names:tc:SAML:1.0:cm:artifact-01."

Feedback service temporarily unavailable. For content questions or problems, please contact Support.