Environment
Novell Access Management 3 Linux Novell Identity Server
Novell Access Manager Support Pack 4 applied
Situation
SAML 2 environment setup where Access Manager is the Identity Server (IDP) and a 3rd party is the SAML2 Service provider (SP).
The redirect profile is enabled on the SP. When the IDP receives the SAML AuthnRequest via a redirect, the Access Manager IDP server immediately responds with the following error:
"Digital signature is required"
The catalina.out file shows the following info:
Type: received
RelayState: http://webmail.eng.rrm.com/a/eng.rrm.com
<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" Destination="https://ids.eng.rrm.com/nidp/saml2/sso" ID="hbieahflfddjajkdfffoekcpmbhcljbgjfkmfmcf" IssueInstant="2008-09-09T13:48:30Z" Version="2.0">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
</ds:Signature>
:
:
:
<saml:Issuer>eng.rrm.com</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"></samlp:NameIDPolicy>
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextDeclRef>secure/federatedlogin/user/password/uri</saml:AuthnContextDeclRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
When our IDP server processes this, the following log entry is added:
<amLogEntry> 2008-09-09T13:47:36Z INFO NIDS IDFF: AM#500106006:
AMDEVICEID#1F1BA96EB218EAC3: Validation failure on message from eng.rrm.com :
AM#300101020: AMDEVICEID#1F1BA96EB218EAC3: : Digital signature is required
</amLogEntry>
Resolution
Make sure the SAML2 AuthnRequest includes the Issuer tag before the Signature details. The SAML 2.0 core specification at http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf (search for the RequestAbstractType structure) defines the element sequence and states that the Issuer must precede the Signature. This is not the case in the third party's setup, and they need to change their code to conform to the standard.
From the specs ...
The following schema fragment defines the RequestAbstractType complex type:
<complexType name="RequestAbstractType" abstract="true">
<sequence>
<element ref="saml:Issuer" minOccurs="0"/>
<element ref="ds:Signature" minOccurs="0"/>
<element ref="samlp:Extensions" minOccurs="0"/>
</sequence>
<attribute name="ID" type="ID" use="required"/>
<attribute name="Version" type="string" use="required"/>
<attribute name="IssueInstant" type="dateTime" use="required"/>
<attribute name="Destination" type="anyURI" use="optional"/>
<attribute name="Consent" type="anyURI" use="optional"/>
</complexType>
<element name="Extensions" type="samlp:ExtensionsType"/>
<complexType name="ExtensionsType">
<sequence>
<any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
</sequence>
</complexType>
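The following is an added example, not code from the TID or from Novell Access Manager, showing how an IDP-side pre-check can flag the ordering problem described above before the request reaches signature validation. It walks the children of the request element and enforces the RequestAbstractType sequence (Issuer, Signature, Extensions) from the schema fragment, so it also catches an out-of-place Extensions element, not only the Issuer/Signature swap from this TID. The two sample requests are constructed here (example.com host names, a placeholder Signature body, a made-up ID); the check validates element order only and does not verify the signature.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Leading child sequence mandated by RequestAbstractType in saml-core-2.0-os:
# Issuer, then Signature, then Extensions (each optional). Elements added by
# the concrete request type (NameIDPolicy, RequestedAuthnContext, ...) follow.
HEADER_ORDER = (
    "{%s}Issuer" % SAML,
    "{%s}Signature" % DS,
    "{%s}Extensions" % SAMLP,
)


def check_request_order(xml_text):
    """Check the child order of a samlp request against RequestAbstractType.

    Returns (ok, message). ok is False when a header element (Issuer,
    Signature, Extensions) is out of sequence or appears after a
    subtype-specific element. Only element order is checked here; the
    signature itself is not verified.
    """
    root = ET.fromstring(xml_text)
    last_rank = -1  # rank of the last header element seen; len(HEADER_ORDER) once past them
    for child in root:
        if child.tag in HEADER_ORDER:
            rank = HEADER_ORDER.index(child.tag)
            if last_rank == len(HEADER_ORDER):
                return False, "%s appears after a subtype-specific element" % child.tag
            if rank < last_rank:
                return False, "%s must precede %s" % (child.tag, HEADER_ORDER[last_rank])
            last_rank = rank
        else:
            last_rank = len(HEADER_ORDER)
    return True, "RequestAbstractType child order is valid"


# Constructed sample requests modelled on the AuthnRequest quoted in the TID.
# The Signature body is a placeholder, not a real XML signature.
HEAD = (
    '<samlp:AuthnRequest xmlns:saml="%s" xmlns:samlp="%s" '
    'AssertionConsumerServiceIndex="0" '
    'Destination="https://idp.example.com/nidp/saml2/sso" '
    'ID="_constructed-request-1" IssueInstant="2008-09-09T13:48:30Z" Version="2.0">'
    % (SAML, SAMLP)
)
SIGNATURE = (
    '<ds:Signature xmlns:ds="%s"><ds:SignedInfo/>'
    '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>' % DS
)
ISSUER = '<saml:Issuer>sp.example.com</saml:Issuer>'
TAIL = (
    '<samlp:NameIDPolicy AllowCreate="true" '
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>'
    '</samlp:AuthnRequest>'
)

# Signature before Issuer: the layout the IDP rejected with "Digital signature is required".
BAD_REQUEST = HEAD + SIGNATURE + ISSUER + TAIL
# Issuer before Signature: the order the schema requires.
GOOD_REQUEST = HEAD + ISSUER + SIGNATURE + TAIL


if __name__ == "__main__":
    for name, doc in (("signature-first", BAD_REQUEST), ("issuer-first", GOOD_REQUEST)):
        ok, msg = check_request_order(doc)
        print("%s: %s (%s)" % (name, "accept" if ok else "reject", msg))
```

The fix has to be applied where the SP builds the request, before it is signed: an enveloped signature covers the canonical form of the AuthnRequest element, so moving Issuer in front of Signature after signing would invalidate the digest and the request would fail for a different reason.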