Environment
Novell Access Manager 3.1 Support Pack 4 applied
Novell Access Manager 3.1 Identity server running
Situation
Novell Access Manager was set up as a SAML2 Identity Server with the goal of
single sign-on to a third-party SAML2 service provider. Everything worked
fine with the default setup, but as soon as the administrator enabled the
option to encrypt the 'Assertion' or 'Name Identifiers' for that remote
SAML2 service provider, the assertion was still sent unencrypted, e.g. as
seen in the Subject section of the assertion that carries the Name Identifier:
<saml:Subject>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2012-05-04T16:45:34Z"
        Recipient="https://www.google.com/a/ag4cdemo.info/acs" />
  </saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2012-05-04T16:35:34Z" NotOnOrAfter="2012-05-04T16:45:34Z">
  <saml:AudienceRestriction>
    <saml:Audience>google.com</saml:Audience>
  </saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2012-05-04T16:40:34Z" SessionIndex="idc19WDLn5vA1LpzYF09xXPNitk.Q">
  <saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    <saml:AuthnContextDeclRef>secure/name/password/uri</saml:AuthnContextDeclRef>
  </saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
  <saml:Attribute xmlns:xsd="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      Name="/UserAttribute[@ldap:targetAttribute=&quot;cn&quot;]"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xsi:type="xsd:string">ncashell</saml:AttributeValue>
  </saml:Attribute>
This typically occurred with any SaaS provider setup.
Resolution
Make sure that the SAML2 service provider metadata includes the X.509
certificate required to encrypt the data. If the metadata does not include
such a certificate, the encryption process errors out and no data gets
encrypted.
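To check the resolution from the service provider side, here is an added Python script (not part of this TID or of Access Manager) that reads SP SAML2 metadata and lists the certificates an IdP could encrypt to, and inspects an assertion for an EncryptedAssertion or EncryptedID element. The metadata, certificate values and assertion below are constructed samples; a KeyDescriptor with no 'use' attribute is treated as valid for encryption, as the SAML metadata specification defines.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def encryption_certs(sp_metadata_xml):
    """Base64 X.509 certs an IdP can encrypt to for this SP: KeyDescriptors
    with use="encryption" or with no 'use' attribute (meaning both uses).
    A use="signing" descriptor alone does not count."""
    root = ET.fromstring(sp_metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "encryption"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            if cert.text and cert.text.strip():
                certs.append("".join(cert.text.split()))
    return certs

def assertion_is_encrypted(assertion_xml):
    """True only if the assertion itself or its NameID is an encrypted element."""
    root = ET.fromstring(assertion_xml)
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        return True
    return root.find(".//saml:Subject/saml:EncryptedID", NS) is not None

# Constructed SP metadata with only a signing key (the failing case on
# this page), then the same metadata with an encryption key added.
SIGNING_ONLY = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBsigningPLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor></md:EntityDescriptor>"""
WITH_ENCRYPTION = SIGNING_ONLY.replace(
    "</md:SPSSODescriptor>",
    '<md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>'
    "<ds:X509Certificate>MIIBencPLACEHOLDER</ds:X509Certificate>"
    "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor>")
# Constructed unencrypted assertion, shaped like the one shown above.
PLAIN_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>ncashell</saml:NameID></saml:Subject></saml:Assertion>"""

if __name__ == "__main__":
    print(encryption_certs(SIGNING_ONLY), encryption_certs(WITH_ENCRYPTION),
          assertion_is_encrypted(PLAIN_ASSERTION))
```

An empty certificate list for the SP's metadata is exactly the condition described in the resolution, and an assertion that still carries a plain NameID confirms that encryption did not take place.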