Environment
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Support Pack 3 applied
Novell Access Manager 3.1 Identity Server set up to consume SAML2 assertions from a 3rd party SAML2 Identity Server
Situation
Access Manager 3.1 is set up as a SAML2 Service Provider (SP) and consumes assertions from a 3rd party Identity Provider (IDP). After the user authenticates at the 3rd party SAML2 IDP, the assertion is sent to the Novell Access Manager SAML2 SP using the POST binding. Instead of redirecting to the valid target URL, the browser renders the following error:
"An Identity Provider response was received that failed to authenticate this session."
Looking at the catalina log files with Identity Server logging for SAML2 set to DEBUG, we can see the assertion arriving (abbreviated snippet below):
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
:
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="idp.test.novell.com" SPNameQualifier="https://ids.secure.novell.com/nidp/saml2/metadata">4979e445895d6d258ad7624a33400c11f61980e3</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2011-11-28T10:30:10Z" Recipient="https://ids.secure.scottishwidowsoat.co.uk/nidp/saml2/spassertion_consumer"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2011-11-28T10:29:00Z" NotOnOrAfter="2011-11-28T10:30:10Z"><saml:AudienceRestriction><saml:Audience>https://ids.secure.novell.com/nidp/saml2/metadata</saml:Audience></saml:AudienceRestriction><saml:OneTimeUse/></saml:Conditions><saml:AuthnStatement AuthnInstant="2011-11-28T10:28:43Z" SessionIndex="A0B04CFB98A634D25D7EECA4DFB4BAC123B7C3F8F" SessionNotOnOrAfter="2011-11-28T18:28:48Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>
Immediately after this assertion is consumed, the following exception is logged:
<amLogEntry> 2011-11-28T10:29:07Z WARNING NIDS SAML2: Exception message: "java.lang.NullPointerException"
SAML2AuthenticationHandler.java, Line: 296, Method: getValidContext
SAML2AuthenticationHandler.java, Line: 204, Method: getAuthentication
IDPAuthenticationHandler.java, Line: 492, Method: setAuthentication
IDPAuthenticationHandler.java, Line: 439, Method: doProtocolAuthentication
IDPAuthenticationHandler.java, Line: 224, Method: handleAuthentication
SAML2SSOProfile.java, Line: 519, Method: processResponse
SAML2SSOProfile.java, Line: 492, Method: processResponse
SAML2Profile.java, Line: 290, Method: handleInBoundMessage
SAML2SSOProfile.java, Line: 474, Method: processResponse
SAML2Handler.java, Line: 544, Method: handleSSO
SAML2Handler.java, Line: 239, Method: handleRequest
SAML2MeDescriptor.java, Line: 600, Method: handleRequest
NIDPServlet.java, Line: 144, Method: myDoGet
NIDPBaseServlet.java, Line: 89, Method: doGet
NIDPBaseServlet.java, Line: 43, Method: doPost
Resolution
Enable the 'Satisfies Contract' parameter on the Access Manager configuration for this 3rd party IDP and select a valid local contract for it to map to. In iManager, go to SAML2 -> Identity Server (the 3rd party entry) -> Authentication Card and choose a contract from the 'Satisfies Contract' drop-down menu. With no contract mapped, the Identity Server has nothing to resolve the inbound authentication context to, which is what surfaces as the NullPointerException in getValidContext shown above. Choose a contract whose strength matches what the IDP actually performed (the logged assertion carries an AuthnContextClassRef of urn:oasis:names:tc:SAML:2.0:ac:classes:Password), because every session from this IDP will be treated as having satisfied that contract.
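The following is an added example, not Novell code, of the SP-side checks that sit between "assertion received" and "session authenticated": bearer Recipient and expiry, Conditions window and Audience, and finally the lookup of a local contract for the inbound AuthnContextClassRef, which is the step the 'Satisfies Contract' setting feeds. It fails with an explicit reason when no contract is configured rather than with a bare NullPointerException. The SP entity ID, consumer URL, contract name and the contract map are assumed values; the sample response is constructed after the logged snippet, with the Recipient set to the SP's own consumer URL (in the logged snippet the Recipient host differs from the Audience host, so a strict Recipient check must compare against whatever consumer URL is actually configured on the SP). XML signature verification is out of scope here and must happen before any of these checks.

```python
"""SAML2 SP-side assertion checks and contract lookup (added example, not NAM code)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Hypothetical SP settings (assumed values, not taken from the TID).
SP_ENTITY_ID = "https://ids.secure.novell.com/nidp/saml2/metadata"
SP_ACS_URL = "https://ids.secure.novell.com/nidp/saml2/spassertion_consumer"
NOW = datetime(2011, 11, 28, 10, 29, 7, tzinfo=timezone.utc)  # timestamp of the log entry
LATER = NOW + timedelta(minutes=5)                              # past the assertion's NotOnOrAfter
# What 'Satisfies Contract' amounts to: inbound AuthnContextClassRef -> local contract name.
CONTRACT_MAP = {"urn:oasis:names:tc:SAML:2.0:ac:classes:Password": "Name/Password - Form"}

# Constructed sample modelled on the logged snippet; Recipient made consistent with SP_ACS_URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2011-11-28T10:29:00Z">
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2011-11-28T10:29:00Z">
  <saml:Issuer>idp.test.novell.com</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="idp.test.novell.com" SPNameQualifier="https://ids.secure.novell.com/nidp/saml2/metadata">4979e445895d6d258ad7624a33400c11f61980e3</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2011-11-28T10:30:10Z" Recipient="https://ids.secure.novell.com/nidp/saml2/spassertion_consumer"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2011-11-28T10:29:00Z" NotOnOrAfter="2011-11-28T10:30:10Z">
   <saml:AudienceRestriction><saml:Audience>https://ids.secure.novell.com/nidp/saml2/metadata</saml:Audience></saml:AudienceRestriction>
   <saml:OneTimeUse/>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2011-11-28T10:28:43Z" SessionIndex="A0B04CFB98A634D25D7EECA4DFB4BAC123B7C3F8F">
   <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
 </saml:Assertion>
</samlp:Response>"""


class AssertionRejected(Exception):
    """Explicit rejection reason, instead of a missing element surfacing as a NullPointerException."""


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _require(node, path, what):
    found = node.find(path, NS)
    if found is None:
        raise AssertionRejected(f"missing {what}")
    return found


def validate_assertion(xml_text, sp_entity_id, sp_acs_url, contract_map, now,
                       skew=timedelta(seconds=60)):
    """Return subject, class ref and the local contract the assertion satisfies, or raise."""
    root = ET.fromstring(xml_text)
    assertion = _require(root, "saml:Assertion", "Assertion")

    # 1. Bearer confirmation: addressed to our consumer URL and still live.
    scd = None
    for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") == BEARER:
            scd = sc.find("saml:SubjectConfirmationData", NS)
    if scd is None:
        raise AssertionRejected("no bearer SubjectConfirmationData")
    if scd.get("Recipient") != sp_acs_url:
        raise AssertionRejected(f"Recipient {scd.get('Recipient')} is not our consumer URL")
    if "NotOnOrAfter" in scd.attrib and now >= _ts(scd.get("NotOnOrAfter")) + skew:
        raise AssertionRejected("bearer confirmation expired")

    # 2. Conditions: validity window (with clock skew) and audience; an assertion
    #    that does not name us as audience is rejected, including one with no audience.
    cond = _require(assertion, "saml:Conditions", "Conditions")
    if "NotBefore" in cond.attrib and now + skew < _ts(cond.get("NotBefore")):
        raise AssertionRejected("assertion not yet valid")
    if "NotOnOrAfter" in cond.attrib and now >= _ts(cond.get("NotOnOrAfter")) + skew:
        raise AssertionRejected("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise AssertionRejected(f"audience {audiences} does not include {sp_entity_id}")

    # 3. Authentication context -> local contract (the 'Satisfies Contract' lookup).
    class_ref = _require(assertion, "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                         "AuthnContextClassRef").text
    contract = contract_map.get(class_ref)
    if contract is None:
        raise AssertionRejected(f"no local contract configured to be satisfied by {class_ref}")
    name_id = _require(assertion, "saml:Subject/saml:NameID", "NameID").text
    return {"name_id": name_id, "class_ref": class_ref, "contract": contract}


def consume(xml_text, contract_map, now=NOW):
    """Report the outcome as data: ok plus session fields, or ok=False plus the reason."""
    try:
        return {"ok": True, **validate_assertion(xml_text, SP_ENTITY_ID, SP_ACS_URL, contract_map, now)}
    except AssertionRejected as exc:
        return {"ok": False, "reason": str(exc)}


if __name__ == "__main__":
    print(consume(SAMPLE_RESPONSE, CONTRACT_MAP))   # contract mapped: session can be built
    print(consume(SAMPLE_RESPONSE, {}))             # no 'Satisfies Contract' mapping: explicit rejection
```

Running it with the contract map populated yields the NameID and the local contract; with an empty map the same assertion is rejected with "no local contract configured", which is the condition the resolution above fixes in the Identity Server configuration.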