Cannot encrypt Assertion or NameIdentifier within assertion despite the options being enabled

  • 7007684
  • 23-May-2012
  • 23-May-2012


Novell Access Manager 3.1 Support Pack 4 applied
Novell Access Manager 3.1 Identity server running


Novell Access Manager setup as a SAML2 Identity server with the goal of single signing on to a 3rd party SAML2 service provider. Everything worked fine with the default setup, but as soon as the administrator enabled the option to encrypt the 'Assertion' or 'Name Identifiers' for that remote SAML2 service provider, the assertion would still be sent unencrypted eg. looking at the subject header that includes the Name Identifier tag

 <saml:Subject> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData NotOnOrAfter="2012-05-04T16:45:34Z" Recipient="" /> </saml:SubjectConfirmation> </saml:Subject>
<saml:Conditions NotBefore="2012-05-04T16:35:34Z" NotOnOrAfter="2012-05-04T16:45:34Z" > <saml:AudienceRestriction> <saml:Audience></saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2012-05-04T16:40:34Z" SessionIndex="idc19WDLn5vA1LpzYF09xXPNitk.Q" > <saml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> <saml:AuthnContextDeclRef>secure/name/password/uri</saml:AuthnContextDeclRef> </saml:AuthnContext> </saml:AuthnStatement> <saml:AttributeStatement> <saml:Attribute xmlns:xsd="" xmlns:xsi="" Name="/UserAttribute[@ldap:targetAttribute=&qout;cn&qout;]" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" > <saml:AttributeValue xsi:type="xsd:string">ncashell</saml:AttributeValue> </saml:Attribute>

This typically occured with any SaaS provider setup.


Make sure that the SAML2 service provider metadata included the x509 certificate required to encrypt the data. If the metadata fails to include such a certificate, the encryption process errors out and no data gets encrypted.