"RequestDenied" error trying to login to Access Manager Identity Server via SAML

  • 7005338
  • 12-Feb-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server

Situation

SAML2 setup where a 3rd party SAML Service Provider (SP) is generating a SAML2 Authentication request to a Novell Access Manager Identity Provider (IDP). All metadata has been exchanged and trusted root certificates imported on both sides. The Novell IDP can initialise the 3rd party SP without problems. When the 3rd party SAML authentication request arrives at the Access Manager IDP server, a 'RequestDenied' error is displayed on the browser.

Looking closely at the SAML logs in the catalina.out file, one can see that the incoming AuthnRequest includes the following information:

Type: received
 RelayState: None
<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://coffey-t60.0998.novell.com:80/newSpringSaml/saml/SSO" Destination="https://devidp.novell.com/nidp/saml2/sso" ForceAuthn="false" ID="a3e8hh15c0gafb0e32g7e74b8a98beh" IsPassive="false" IssueInstant="2010-01-28T13:56:47.705Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://coffey-t60.0998.novell.com:80/newSpringSaml</saml:Issuer></samlp:AuthnRequest>

This generates the following response from the IDP server:

Type: sent
Sent to: http://coffey-t60.0998.novell.com:80/newSpringSaml/saml/SSO RelayState: None
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="http://coffey-t60.0998.novell.com:80/newSpringSaml/saml/SSO" ID="idNVXm9uMG5QCY4qGEls.SROT-txE" InResponseTo="a177j09b06i564422f764j0hd3fd6hc" IssueInstant="2010-02-11T18:26:49Z" Version="2.0"><saml:Issuer>https://devidp.novell.com/nidp/saml2/metadata</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
:
:
:
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/></samlp:StatusCode></samlp:Status></samlp:Response>

Resolution

Set the Name Identifier format for the Authentication Response to transient. This can be done by going to the IDP configuration and selecting SAML2 -> Service Provider -> <$SP_Config_Name> -> Authentication Response.

Within this field, both the persistent and transient Name Identifier formats are enabled, but the default is persistent. By changing the default to transient, the IDP does not have to create a federated identifier for the user and the authentication proceeds as expected. If the administrator wants to keep the default as persistent, the Authentication request sent by the SP MUST be modified to include the 'AllowCreate="true"' attribute in a NameIDPolicy tag. An example of this would be:

<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
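As an added example (not part of this TID or of the Access Manager product), the following Python checker parses an incoming AuthnRequest, works out which Name Identifier format would apply given the IDP's configured default, and flags the case described above (persistent format requested, or defaulted to, without AllowCreate="true"); a second function builds the request the way the SP should send it, with the NameIDPolicy from the resolution. The sample request is the one quoted from catalina.out above; the IDP default format is passed in as a parameter because the real value lives in the IDP configuration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# The AuthnRequest quoted from catalina.out above: it carries no NameIDPolicy.
SAMPLE_REQUEST = (
    '<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest '
    'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'AssertionConsumerServiceURL="http://coffey-t60.0998.novell.com:80/newSpringSaml/saml/SSO" '
    'Destination="https://devidp.novell.com/nidp/saml2/sso" ForceAuthn="false" '
    'ID="a3e8hh15c0gafb0e32g7e74b8a98beh" IsPassive="false" '
    'IssueInstant="2010-01-28T13:56:47.705Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'http://coffey-t60.0998.novell.com:80/newSpringSaml</saml:Issuer></samlp:AuthnRequest>')

def check_nameid_policy(authn_request_xml, idp_default_format=PERSISTENT):
    """Return (effective_format, allow_create, problem_or_None).
    Without a NameIDPolicy (or Format) the IDP's configured default applies; a
    persistent identifier must be created at first login, which needs AllowCreate."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    fmt, allow_create = idp_default_format, False
    if policy is not None:
        fmt = policy.get("Format", idp_default_format)
        allow_create = policy.get("AllowCreate", "false").lower() in ("true", "1")
    problem = None
    if fmt == PERSISTENT and not allow_create:
        problem = "persistent NameID requested without AllowCreate=true: expect RequestDenied"
    return fmt, allow_create, problem

def with_allow_create(authn_request_xml, fmt=PERSISTENT):
    """Return the request as the SP should build it, carrying the NameIDPolicy from the
    TID. Models the SP side: a signed request cannot be altered in transit."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    if policy is None:
        # Schema order: NameIDPolicy follows Issuer, Signature, Extensions, Subject.
        before = {"{%s}Issuer" % NS["saml"], "{%s}Subject" % NS["saml"],
                  "{%s}Extensions" % NS["samlp"], "{http://www.w3.org/2000/09/xmldsig#}Signature"}
        idx = max([i + 1 for i, c in enumerate(root) if c.tag in before], default=0)
        policy = ET.Element("{%s}NameIDPolicy" % NS["samlp"])
        root.insert(idx, policy)
    policy.attrib.update({"AllowCreate": "true", "Format": fmt})
    return ET.tostring(root, encoding="unicode")
```

Running check_nameid_policy on the quoted request reports the problem with the default left at persistent and none with it set to transient, which matches the two options in the Resolution.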