SAML attributes from external Identity Server not consumed correctly at Access Manager SAML Service Provider

  • 7008525
  • 05-May-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
IBM SAML 1.0 Identity Server
Novell Access Manager running as a SAML 1.0 Service provider
Novell Access Manager 3.1 Support Pack 3 applied

Situation

Access Manager is set up to consume SAML 1.0 assertions from a trusted SAML 1.0 Identity Provider (IDP) server running IBM software. The IBM IDP server generates an assertion with 8 attributes, which the Access Manager SAML 1.0 Service Provider (SP) should consume.

Tests showed that when the assertion was consumed at the Access Manager SAML 1.0 SP, the SP would generate an AttributeQuery re-requesting the 8 attributes that it had just consumed. The IBM IDP server would generate an error handling this request and return the following status:

          FBTSML013E The SAML artifact is not valid.

The user would simply sit at the Access Manager SP portal page (/nidp path), without showing any errors.

Resolution

Make sure that the AttributeName and AttributeNamespace of each Attribute in the AttributeStatement sent by the IDP server match what is expected at the SP. In the above case, the names matched correctly but the namespace did not. For example, the IDP would send an assertion with

<saml:Attribute AttributeName="DPDEPTID" AttributeNamespace="http://example.com/federation/v1/namevalue"><saml:AttributeValue>ibm4it</saml:AttributeValue></saml:Attribute>

but the SP was configured to obtain the following at authentication:

<saml:AttributeDesignator AttributeName="DPDEPTID" AttributeNamespace="urn:oasis:names:tc:SAML:1.0:assertion"/>


Changing the attribute mapping on the Access Manager SP so that the namespaces matched fixed the problem.
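The following is an added example, not code from this TID or from Novell or IBM. It parses a constructed SAML 1.0 assertion fragment (modelled on the one above) and compares each (AttributeName, AttributeNamespace) pair against a constructed list of the AttributeDesignators an SP is configured to request, so that a name that matches while its namespace does not is reported explicitly rather than silently re-requested.

```python
import xml.etree.ElementTree as ET
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample assertion fragment, modelled on the TID's example.
IDP_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="DPDEPTID"
        AttributeNamespace="http://example.com/federation/v1/namevalue">
      <saml:AttributeValue>ibm4it</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="mail"
        AttributeNamespace="http://example.com/federation/v1/namevalue">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed SP configuration: the AttributeDesignators the SP asks for.
SP_DESIGNATORS = [
    ("DPDEPTID", "urn:oasis:names:tc:SAML:1.0:assertion"),   # namespace wrong, as in the TID
    ("mail", "http://example.com/federation/v1/namevalue"),  # matches what the IDP sends
    ("telephone", "http://example.com/federation/v1/namevalue"),  # not in the assertion
]

def assertion_attributes(xml_text):
    """Map (AttributeName, AttributeNamespace) -> list of values in the assertion."""
    # xml.etree is fine for this trusted local sample; assertions received over the network should go through a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    found = {}
    for attr in root.iter(f"{{{SAML1_NS}}}Attribute"):
        key = (attr.get("AttributeName"), attr.get("AttributeNamespace"))
        found[key] = [v.text for v in attr.findall(f"{{{SAML1_NS}}}AttributeValue")]
    return found

def check_designators(xml_text, designators):
    """Classify each SP designator as 'ok', 'missing', or a namespace mismatch listing the namespace(s) the IDP used for that name."""
    found = assertion_attributes(xml_text)
    result = {}
    for name, ns in designators:
        if (name, ns) in found:
            result[(name, ns)] = "ok"
        else:
            sent = sorted(n for (nm, n) in found if nm == name)
            result[(name, ns)] = ("namespace_mismatch", sent) if sent else "missing"
    return result

if __name__ == "__main__":
    for key, status in check_designators(IDP_ASSERTION, SP_DESIGNATORS).items():
        print(key, "->", status)
```

Run the check against a captured assertion and the SP's configured designators before adjusting the attribute mapping; a "namespace_mismatch" entry points directly at the designator whose AttributeNamespace needs to be changed.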