SAML authentication request processing error: "Unable to complete request at this time. (Destination url validation failed-)"

  • 7008669
  • 31-May-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server

Situation

Access Manager is acting as a SAML2 Identity Provider (IDP) server. A third-party Service Provider (SP) is set up to authenticate against the Novell IDP server. After exchanging metadata and defining the appropriate configuration settings, users try to access the SP application using their browsers. The SP generates the Authentication Request (AuthnRequest) to the IDP server and, instead of the IDP login page, the following error is displayed in the browser:

Error:Unable to complete request at this time. (Destination url validation failed-E1E240D48F834C12)

where E1E240D48F834C12 corresponds to the device ID of the IDP server and will be different for all Access Manager setups.

Resolution

Modify the SP configuration so that the IDP URLs it references match those advertised by the IDP server exactly, including the case of the host name.

In our specific example, the incoming Authentication Request had a Destination header of

Destination="https://IDP126.lab.novell.com/nidp/saml2/sso"

The IDP server's local metadata URLs were the same as the above URL, but the case differed. The IDP advertised its base URL as idp126.lab.novell.com, with "idp" in lower case. The check of the Destination URL against the IDP's own URL therefore failed and caused the above error to be reported.


Additional Information

The incoming AuthnRequest looked like this:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_fa30136e4799de1d52672217b4b9dd6b156860ed7c"
    Version="2.0"
    IssueInstant="2011-05-31T08:00:12Z"
    Destination="https://IDP126.lab.novell.com/nidp/saml2/sso"
    AssertionConsumerServiceURL="http://ncsles11.lab.novell.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>http://ncsles11.lab.novell.com/simplesamlphp</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true"/>
  <samlp:RequestedAuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Since the Destination URL did not match what was set up on the IDP server itself (the SingleSignOn service is https://idp126.lab.novell.com/nidp/saml2/sso), the following error is reported in the catalina.out file (assuming that component-level logging was set to DEBUG for SAML2):

Warning: Invalid resource key: Destination url validation failed. No prefix!
Warning: Invalid resource key: Destination url validation failed. No prefix!
<amLogEntry> 2011-05-31T08:00:13Z INFO NIDS Application: AM#500105039: AMDEVICEID#E1E240D48F834C12: AMAUTHID#BD61A225B8F05EFD73D04D698C0EB50C:  Error on session id BD61A225B8F05EFD73D04D698C0EB50C, error Destination url validation failed-E1E240D48F834C12, Unable to complete request at this time.  Destination url validation failed </amLogEntry>


This string came from the IDP metadata URLs defined on the SAML2 SP, specifically the SingleSignOnService URL:

 'SingleSignOnService' => 'https://IDP126.lab.novell.com/nidp/saml2/sso',

Changing this to 'SingleSignOnService' => 'https://idp126.lab.novell.com/nidp/saml2/sso' fixed the issue.
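The following is an added example, not Access Manager or SimpleSAMLphp code, that reproduces the check the TID describes: it extracts the Destination attribute from an AuthnRequest and compares it with the IDP's configured SingleSignOnService URL. SAML 2.0 requires the recipient to verify that Destination identifies the endpoint at which the message was received, so the check itself is correct; the example shows the exact comparison failing on the host-name case mismatch from the TID, and beside it a comparison that applies RFC 3986 case normalisation (scheme and host are case-insensitive, the path is not) so that a differing path still fails. The sample request is constructed from the one shown above, trimmed to the attributes the check needs; the function names are this example's own.

```python
"""Validate a SAML2 AuthnRequest Destination against the IDP's SSO endpoint.

Added example (not Access Manager or SimpleSAMLphp code). It shows why an
exact comparison fails for the case mismatch described in the TID, and how a
comparison that follows RFC 3986 case rules treats the same pair of URLs.
"""
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: the AuthnRequest from the TID, trimmed to the attributes
# the check needs. The host is spelled "IDP126" as in the SP's configuration.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_fa30136e4799de1d52672217b4b9dd6b156860ed7c" Version="2.0" '
    'IssueInstant="2011-05-31T08:00:12Z" '
    'Destination="https://IDP126.lab.novell.com/nidp/saml2/sso"/>'
)

# The SingleSignOnService URL as configured on the IDP itself (lower-case host).
IDP_SSO_URL = "https://idp126.lab.novell.com/nidp/saml2/sso"


def extract_destination(authn_request_xml: str) -> Optional[str]:
    """Return the Destination attribute of the root samlp:AuthnRequest, or None."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    return root.get("Destination")


def normalize_url(url: str) -> str:
    """RFC 3986 case normalisation: lower-case scheme and host, drop the
    default port for http/https, leave path and query untouched."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    default_port = {"https": 443, "http": 80}.get(scheme)
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path, parts.query, ""))


def destination_matches(destination: str, sso_url: str, normalize: bool) -> bool:
    """Exact string comparison when normalize is False (this is what fails in
    the TID); case-normalised comparison when True."""
    if normalize:
        return normalize_url(destination) == normalize_url(sso_url)
    return destination == sso_url


def check_request(authn_request_xml: str, sso_url: str, normalize: bool = False) -> dict:
    """Run the Destination check and report the outcome with a reason string."""
    destination = extract_destination(authn_request_xml)
    if destination is None:
        # Destination is optional in SAML2, but a policy may still require it.
        return {"ok": False, "reason": "Destination attribute missing"}
    if destination_matches(destination, sso_url, normalize):
        return {"ok": True, "reason": "Destination matches SingleSignOnService URL"}
    return {"ok": False,
            "reason": f"Destination url validation failed: {destination} != {sso_url}"}


if __name__ == "__main__":
    print("exact:     ", check_request(SAMPLE_AUTHN_REQUEST, IDP_SSO_URL))
    print("normalised:", check_request(SAMPLE_AUTHN_REQUEST, IDP_SSO_URL, normalize=True))
```

The practical takeaway is the same as the TID's resolution: keep the SP's copy of the IDP metadata byte-for-byte identical to what the IDP advertises rather than relying on the IDP to normalise, since the path component of a Destination is case-sensitive by specification and a product may legitimately compare the whole URL exactly.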