"RequestDenied" error trying to login to Access Manager Identity Server via SAML

  • 7005338
  • 12-Feb-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server

Situation

SAML2 setup where a 3rd party SAML Service Provider (SP) is generating a SAML2 Authentication request to a Novell Access Manager Identity (IDP) Provider. All metadata has been exchanged and trusted root certificates imported on both sides. The Novell IDP can initialise the 3rd party SP without problems. When the 3rd party SAML authentication request arrives at the Access Manager IDP server, a 'RequestDenied' error is displayed on the browser.

Looking closely at the SAML logs in catalina.out file, one can see the incoming AuthnRequest includes the following information

Type: received
 RelayState: None
<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://coffey-t60.0998.novell.com:80/newSpringSaml/saml/SSO" Destination="https://devidp.novell.com/nidp/saml2/sso" ForceAuthn="false" ID="a3e8hh15c0gafb0e32g7e74b8a98beh" IsPassive="false" IssueInstant="2010-01-28T13:56:47.705Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://coffey-t60.0998.novell.com:80/newSpringSaml</saml:Issuer></samlp:AuthnRequest>

Generates the following response from the IDP server

Type: sent
Sent to: http://coffey-t60.0998.novell.com:80/newSpringSaml/saml/SSO RelayState: None
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="http://coffey-t60.0998.novell.com:80/newSpringSaml/saml/SSO" ID="idNVXm9uMG5QCY4qGEls.SROT-txE" InResponseTo="a177j09b06i564422f764j0hd3fd6hc" IssueInstant="2010-02-11T18:26:49Z" Version="2.0"><saml:Issuer>https://devidp.novell.com/nidp/saml2/metadata</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
:
:
:
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/></samlp:StatusCode></samlp:Status></samlp:Response>

Resolution

Set the Name Identifier format for the Authentication Response to transient. This can be done by going to the IDP configuration and selecting SAML2 -> Service Provider -> <$SP_Config_Name> -> Authentication Response.

Within this field, the persistent and transient Name Identifier formats are enabled but the default is persistent. By changing the default to transient, we do not have to create an identifier and the authentication will proceed as expected. If the administrator wants to keep it persistent, the Authentication request MUST be modified include the 'AllowCreate=true' statement in a NameIDPolicy tag. An example of this would be

<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>

Feedback service temporarily unavailable. For content questions or problems, please contact Support.