"Digital signature is required" error processing SAML AUthentication Request

  • 7005337
  • 12-Feb-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server

Situation

SAML2 setup where a 3rd party SAML Service Provider (SP) generates a SAML2 Authentication Request to a Novell Access Manager Identity Provider (IDP). All metadata has been exchanged and trusted root certificates imported on both sides. The Novell IDP can initiate a session with the 3rd party SP without problems. When the 3rd party SAML Authentication Request arrives at the Access Manager IDP server, a 'RequestDenied' error is displayed in the browser.

Looking closely at the SAML logs in the catalina.out file, one can see the incoming AuthnRequest:

Type: received
 RelayState: None
<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://coffey-t60.0998.novell.com:80/newSpringSaml/saml/SSO" Destination="https://devidp.novell.com/nidp/saml2/sso" ForceAuthn="false" ID="a3e8hh15c0gafb0e32g7e74b8a98beh" IsPassive="false" IssueInstant="2010-01-28T13:56:47.705Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://coffey-t60.0998.novell.com:80/newSpringSaml</saml:Issuer><samlp:Scoping ProxyCount="2"><samlp:IDPList><samlp:IDPEntry Loc="https://devidp.novell.com/nidp/saml2/sso" ProviderID="https://devidp.novell.com/nidp/saml2/metadata"/></samlp:IDPList></samlp:Scoping></samlp:AuthnRequest>

which generates the following error:

<amLogEntry> 2010-01-28T13:56:48Z INFO NIDS IDFF: AM#500106006: AMDEVICEID#FDA949784848E457:  Validation failure on message from http://coffey-t60.0998.novell.com:80/newSpringSaml : Digital signature is required </amLogEntry>

Resolution

Modify the SP metadata to disable the 'WantAssertionsSigned' attribute and reimport the SP metadata at the Access Manager IDP server.

The 3rd party SP had the following WantAssertionsSigned entry in its metadata:

<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" ProtocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

but was NOT signing the Authentication Requests it sent. With the attribute disabled and the metadata reimported at the IDP, the IDP no longer expected the incoming Authentication Request to be signed and no error was thrown.
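An added diagnostic check, not part of this TID or of Access Manager: it reads the signing flags the SP declares in its SPSSODescriptor and tests whether the logged AuthnRequest actually carries an XML signature, so the mismatch behind 'Digital signature is required' is visible before any metadata is edited. The EntityDescriptor wrapper and the trimmed request are constructed from the snippets on this page; because AuthnRequestsSigned is the attribute the SAML metadata specification ties to request signing, the check reports it alongside WantAssertionsSigned.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: the TID's SPSSODescriptor wrapped in a minimal EntityDescriptor.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://coffey-t60.0998.novell.com:80/newSpringSaml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      ProtocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# The unsigned AuthnRequest from catalina.out (Scoping element omitted for brevity).
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    AssertionConsumerServiceURL="http://coffey-t60.0998.novell.com:80/newSpringSaml/saml/SSO"
    Destination="https://devidp.novell.com/nidp/saml2/sso" ForceAuthn="false"
    ID="a3e8hh15c0gafb0e32g7e74b8a98beh" IsPassive="false" IssueInstant="2010-01-28T13:56:47.705Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml:Issuer>http://coffey-t60.0998.novell.com:80/newSpringSaml</saml:Issuer>
</samlp:AuthnRequest>"""


def signing_flags(metadata_xml):
    """Signing requirements the SP declares in its SPSSODescriptor (both default to false)."""
    sp = ET.fromstring(metadata_xml).find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    return {attr: sp.get(attr, "false").lower() == "true"
            for attr in ("AuthnRequestsSigned", "WantAssertionsSigned")}


def request_is_signed(request_xml):
    """True if the AuthnRequest carries an enveloped XML-DSig, as with the POST binding.
    With HTTP-Redirect the signature is in the SigAlg/Signature query parameters instead."""
    return ET.fromstring(request_xml).find("ds:Signature", NS) is not None


def diagnose(metadata_xml, request_xml):
    """Findings that explain a 'Digital signature is required' rejection."""
    flags, signed = signing_flags(metadata_xml), request_is_signed(request_xml)
    findings = []
    if flags["AuthnRequestsSigned"] and not signed:
        findings.append("AuthnRequestsSigned=true in metadata but the AuthnRequest has no ds:Signature")
    if flags["WantAssertionsSigned"]:
        findings.append("WantAssertionsSigned=true in metadata (the flag the resolution above turns off)")
    return findings or ["signing flags and request are consistent"]
```

Run `diagnose(SP_METADATA, AUTHN_REQUEST)` against the page's artefacts to see both findings; re-run with the edited metadata to confirm the request and flags agree.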