Cannot enable POST Binding with SAML 1.1 protocol

  • 7007186
  • 10-Nov-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Linux Novell Identity Server

Situation

The Access Manager Identity Server was set up as a SAML 1 Identity Provider (IDP). A trust relationship with a SAML 1.1 enabled Service Provider (SP) was configured and enabled. When users tried to access the SAML 1.1 SP using the IDP Intersite Transfer URL, the SP returned a custom error indicating that the SAML assertion response received from the IDP had failed to authenticate the user session.

Looking at the browser traffic in more detail, it was noticed that the IDP sent an artifact request to the SP after the users' credentials were validated. The SP could only accept assertions via the POST binding. Looking at the 'Profile' configuration for the SAML 1 setup, the only option available was to enable or disable the Artifact binding. Since the SP metadata included entries for both the POST and Artifact bindings, the IDP always used the Artifact binding when sending the assertion.

Resolution

Add the SAML 1 Service Provider with only a POST binding entry populated ('Post consumer URL' entry), and do not populate the 'Artifact Consumer URL' entry.

The UI should have the option to enable/disable both the POST and Artifact bindings globally and a defect is open to address this.

When done, the assertion should be visible in an HTTP header dump taken on the browser. Confirmation that the assertion is sent via POST (a form POST to the SP's assertion consumer URL carrying a SAMLResponse field, rather than a GET carrying a SAMLart parameter) is shown below:
 
POST /nidp/saml/spassertion_consumer HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: https://idp126.lab.novell.com:8443/nidp/saml/idpsend?id=windidpsaml1
Accept-Language: en-US,en-IE;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; AskTbFXTV5/5.8.0.12304)
Host: windidp.lab.novell.com:8443
Content-Length: 9656
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: novell_poo_autoplay=1; novell_poo_offset=-3600; __utma=64695856.718819823.1288373736.1288373736.1288373736.1; __utmz=64695856.1288373736.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
 
TARGET=https%3A%2F%2Fwindidp.lab.novell.com%3A8443%2Fnidp%2F&SAMLResponse=PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjA6%0D%0AcHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMDphc3NlcnRp%0D%0Ab24iIElzc3VlSW5zdGFudD0iMjAxMC0xMS0xMFQxNjozNjo0OVoiIE1ham9yVmVyc2lvbj0iMSIg%0D%0ATWlub3JWZXJzaW9uPSIxIiBSZWNpcGllbnQ9Imh0dHBzOi8vd2luZGlkcC5sYWIubm92ZWxsLmNv%0D%0AbTo4NDQzL25pZHAvc2FtbC9tZXRhZGF0YSIgUmVzcG9uc2VJRD0iaWRFT3dmSmlwcnRmbGZtLUJX%0D%0AR0lsRWFOa2ppNkUiPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIw%0D%0AMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxDYW5vbmljYWxpemF0aW9uTWV0aG9kIHht%0D%0AbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIiBBbGdvcml0aG09Imh0dHA6%0D%
:
:
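The following Python script is an added example and is not part of this TID or of Access Manager itself. It does, in code, the check described above on a raw request taken from a browser header dump: it tells a Browser/POST profile request (form POST with a SAMLResponse field) apart from a Browser/Artifact profile request (GET with a SAMLart parameter), base64-decodes the SAMLResponse, and reports the attributes an administrator looks at first (SAML 1.0 protocol namespace, MajorVersion/MinorVersion, Recipient, presence of an Assertion). The two sample requests, the hostnames sp.example.test and idp.example.test, and the SAML XML inside them are constructed for the example; only the consumer path /nidp/saml/spassertion_consumer comes from the dump above.

```python
"""Classify a captured SAML 1.x request by binding and decode its assertion."""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAML1_PROTOCOL_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML1_ASSERTION_NS = "urn:oasis:names:tc:SAML:1.0:assertion"


def parse_http_request(raw: str):
    """Split a raw HTTP request (as pasted from a header dump) into method,
    request target, header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def classify_binding(raw: str) -> str:
    """Return 'POST', 'Artifact' or 'unknown' for a captured SAML 1.x request.

    Browser/POST profile: form POST carrying SAMLResponse (plus TARGET).
    Browser/Artifact profile: GET redirect carrying SAMLart (plus TARGET).
    """
    method, target, _headers, body = parse_http_request(raw)
    if method == "POST" and "SAMLResponse" in parse_qs(body):
        return "POST"
    if method == "GET" and "SAMLart" in parse_qs(urlsplit(target).query):
        return "Artifact"
    return "unknown"


def decode_saml_response(raw: str) -> dict:
    """Decode the SAMLResponse form field of a POST-binding request and return
    the attributes an operator checks first."""
    _method, _target, _headers, body = parse_http_request(raw)
    form = parse_qs(body)
    encoded = form["SAMLResponse"][0]
    # IDPs commonly line-wrap the base64 (the %0D%0A runs seen in a dump);
    # b64decode discards CR/LF characters by default, so no cleanup is needed.
    root = ET.fromstring(base64.b64decode(encoded))
    assertion = root.find(f"{{{SAML1_ASSERTION_NS}}}Assertion")
    return {
        "is_saml1_response": root.tag == f"{{{SAML1_PROTOCOL_NS}}}Response",
        "version": f"{root.get('MajorVersion')}.{root.get('MinorVersion')}",
        "recipient": root.get("Recipient"),
        "issue_instant": root.get("IssueInstant"),
        "has_assertion": assertion is not None,
        "target": form.get("TARGET", [None])[0],
    }


# --- constructed sample requests (not captured from the article's lab) ---
_SAMPLE_RESPONSE_XML = (
    f'<samlp:Response xmlns:samlp="{SAML1_PROTOCOL_NS}" '
    f'xmlns:saml="{SAML1_ASSERTION_NS}" IssueInstant="2010-11-10T16:36:49Z" '
    'MajorVersion="1" MinorVersion="1" ResponseID="id-constructed-0001" '
    'Recipient="https://sp.example.test/nidp/saml/spassertion_consumer">'
    '<samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>'
    '<saml:Assertion MajorVersion="1" MinorVersion="1" '
    'AssertionID="id-constructed-0002" IssueInstant="2010-11-10T16:36:49Z" '
    'Issuer="https://idp.example.test/nidp/saml/metadata">'
    '<saml:AuthenticationStatement AuthenticationInstant="2010-11-10T16:36:49Z" '
    'AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">'
    '<saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>'
    '</saml:AuthenticationStatement></saml:Assertion></samlp:Response>'
)
# encodebytes line-wraps the base64 exactly as a real IDP tends to.
_POST_BODY = urlencode({
    "TARGET": "https://sp.example.test/nidp/",
    "SAMLResponse": base64.encodebytes(_SAMPLE_RESPONSE_XML.encode()).decode(),
})
POST_REQUEST = (
    "POST /nidp/saml/spassertion_consumer HTTP/1.1\r\n"
    "Host: sp.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(_POST_BODY)}\r\n\r\n" + _POST_BODY
)
ARTIFACT_REQUEST = (
    "GET /nidp/saml/spassertion_consumer?TARGET=https%3A%2F%2Fsp.example.test%2Fnidp%2F"
    "&SAMLart=AAEAAGNvbnN0cnVjdGVkLWFydGlmYWN0LXZhbHVl HTTP/1.1\r\n"
    "Host: sp.example.test\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in (("POST sample", POST_REQUEST), ("Artifact sample", ARTIFACT_REQUEST)):
        print(f"{name}: {classify_binding(req)} binding")
    print(decode_saml_response(POST_REQUEST))
```

To use it on a real capture, paste the full request (headers, blank line and body, CRLF-separated) into a string and call classify_binding and decode_saml_response on it. If the result is 'Artifact' after the change in the Resolution, the SP entry on the IDP still carries an 'Artifact Consumer URL'; if the Recipient does not match the SP's POST consumer URL, the assertion was built for a different endpoint than the one that received it. The script only inspects the message; it does not verify the XML signature, which the SP still does.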