Error:The request to provide authentication to a service provider has failed. (Specified target is not valid: xxxxx-yyyy)

  • 7009743
  • 15-Nov-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server

Situation

Access Manager 3.0 is set up as a SAML2 Identity Server, providing assertions to many SAML2 Service Providers. Almost all of these SAML2 Service Providers were accessed using the intersite transfer URL. One such SAML2 Service Provider was hit with

https://ids.novell.com/nidp/saml2/idpsend?PID=https://saml.conv.com/ldap/exportmetadata.do&TARGET=english


Notice that TARGET is set to just a language value rather than a final landing URL. This works in 3.0: the "RelayState" parameter is set to "english" from the TARGET parameter.

After upgrading to Access Manager 3.1.3, the above intersite transfer link posts the response to the PID URL but does not use the TARGET as "RelayState".

In NAM 3.1.4, the above request throws the following error:

Error:
The request to provide authentication to a service provider has failed. (Specified target is not valid: English-6A73293A19F7F6A4)

where 6A73293A19F7F6A4 is the device ID of the IDP server.

Resolution

Append the parameter to a valid landing URL and pass that URL as TARGET, rather than passing the parameter on its own.

The change in behaviour was added as a security enhancement in newer 3.1 builds to prevent cross-site scripting attacks. The Identity Server now tries to scrub the TARGET URL to detect characters that one would find in an XSS attack; e.g. in earlier builds the URL could be set to javascript:alert(%22Neil_Xploit%22). This is not possible with the 3.1.4 codebase.
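A defender-side illustration of the stricter behaviour described above, written for this article and not taken from Access Manager's own code: the TARGET value is accepted only when it is an absolute http(s) URL free of script-injection characters, and the intersite transfer link is built only after that check passes. The rule set, function names and optional host allow-list are assumptions.

```python
"""Validate a SAML2 intersite-transfer TARGET (RelayState) value.
Constructed example: the rules below are assumptions, not NAM's own checks."""
from urllib.parse import urlparse, unquote, urlencode

ALLOWED_SCHEMES = {"http", "https"}
# Characters that have no place in a landing URL and typically signal
# script injection once the value is reflected into a page or redirect.
FORBIDDEN_CHARS = set('<>"\'`\\') | {chr(c) for c in range(0x20)} | {" "}


def validate_target(target, allowed_hosts=None):
    """Return (ok, reason). allowed_hosts is an optional set of permitted hosts."""
    if not target:
        return False, "empty TARGET"
    decoded = unquote(target)  # inspect the value as a browser would see it
    if any(ch in FORBIDDEN_CHARS for ch in decoded):
        return False, "forbidden character in TARGET"
    parts = urlparse(decoded)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        # Catches javascript:, data:, and a bare token such as "english"
        return False, f"scheme '{scheme or '(none)'}' not allowed"
    if not parts.netloc:
        return False, "TARGET is not an absolute URL"
    if allowed_hosts is not None and parts.hostname not in allowed_hosts:
        return False, f"host '{parts.hostname}' not in allow-list"
    return True, "ok"


def build_idpsend_url(idp_base, pid, target, allowed_hosts=None):
    """Compose the intersite transfer link only if TARGET validates.
    Raises ValueError otherwise so a bad landing URL never leaves the IdP."""
    ok, reason = validate_target(target, allowed_hosts)
    if not ok:
        raise ValueError(reason)
    query = urlencode({"PID": pid, "TARGET": target})  # percent-encodes both
    return f"{idp_base}/nidp/saml2/idpsend?{query}"


if __name__ == "__main__":
    for t in ("english",
              "javascript:alert(%22Neil_Xploit%22)",
              "https://saml.conv.com/ldap/home.do?lang=english"):
        print(t, "->", validate_target(t))
```

The third sample shows the resolution from this article: the language value rides along as a query parameter of a real landing URL, so it is both a valid RelayState and a legitimate redirect target.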