SP brokering breaking SAML intersite transfer URL setup for non brokered setups

  • 7009744
  • 15-Nov-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Access Manager Support Pack 3 applied
SP Brokering enabled

Situation

Access Manager is set up as a SAML Identity Provider (IDP) to do SAML federation with a number of 3rd party Service Providers (SPs). Everything is working as expected and users can single sign-on (SSO) to the 3rd party SAML-enabled applications. With more access control in mind, we set up SP brokering to look at the various options for centralising the SAML communications.

Once we enabled the SP brokering functionality and started configuring some setups there (not necessarily between the SPs currently defined with intersite transfer URLs), all users accessing the original SAML2 intersite transfer URL for the original SPs ended up getting 300101057 errors, thrown from the broker, instead of the application homepage.

Only when the broker is completely disabled do the intersite transfer URLs start working again; they continue to fail even if the broker is enabled but the rules within that broker are disabled.

Resolution

When the Local IDP becomes part of at least one brokering group setup, all the intersite transfer URLs will stop working with error 300101057 if the SP we are trying to access via the intersite transfer URL is not also part of a brokering group with the Local IDP.

In order to work around the issue, the administrator will need to perform the following operations on the SP brokering setup. This handles cases where some configured SAML SPs are in the brokering setup and some are outside it, for example:

- For SAML SP1, do not apply any brokering rules (allow intersite transfer).
- For SAML SP2, apply brokering rules.

Operations required by Administrator:

- Create a brokering group that has the Local IDP as IDP and SP1 and SP2 as Trusted Providers.
- Create brokering rules so that all intersite transfer (ITS) requests to SP1 are allowed, while ITS requests to SP2 are subject to rules.