How to remove the AssertionConsumerServiceIndex tag from a NAM generated AuthnRequest to a 3rd party SAML2 Identity Server

  • 7012438
  • 20-May-2013
  • 18-Sep-2013

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager Identity Server acting as a SAML2 Service Provider
Shibboleth 3rd party SAML2 Identity Server (although can be any)

Situation

When NetIQ Access Manager (NAM) is set up as a SAML2 Service Provider (SP), every SP initiated Authentication Request sent to the remote SAML2 Identity Server includes the AssertionConsumerServiceIndex tag. This tag is optional according to the SAML core specification, but the NAM metadata includes it and links the index value to the corresponding Assertion Consumer Service URL.

The following snippet of the catalina.out log file on the NAM IDP server shows such an Authentication Request being sent to a 3rd party SAML2 IDP server with the AssertionConsumerServiceIndex ="0".


************************* SAML2 Redirect message ********************************
Type: sent
Sent to: https://gravitas.cs.ie/idp/profile/SAML2/Redirect/SSO?SAMLRequest=hVJhT8IwEP0rS79vgw2CadiSCTFCRIgQo347uuIau3b2ugH%2F3m7TiF%2FwW3P33t177zpFKGVFs9oW6ol%2F1hytdyqlQto1ElIbRTWgQKqg5Egto9ts9UCjYEAro61mWpILynUGIHJjhVbEy36eM62wLrnZctMIxhcq56eERMRrG1zZ6xNZD6K1ggaEhL3kxLvThvHOU0IOINGVFvOEiHypmiMb62VwbibbFwYw%2FnhdK12s2cpBcOP0iYb%2FkhBrJwgttDKiwTD2B2N%2FON4NIxpP6DB6I97mO4RboXKh3q%2Br3fcgpPe73cbPnP8DMEu8Z27QReF2BAOSTtsgabfcpIW1FdIwdMPiqCrOGDiTgdINlzJguqQ3o1EcKpFXYUuLwpJbyMHCNLwcM%2B0P%2FegkLeYbLQU7e5mU%2BjgzHKyzbE3dJ1fCP5G3FZH7hw5Kq1Y6WncDEqb9zr%2F%2FKf0C&RelayState=MA%3D%3D
RelayState: MA==
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" AssertionConsumerServiceIndex ="2" Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable" ForceAuthn="false" ID="idJnvwc5oJ.yv7SXcaa5kYOnohOcM" IsPassive="false" IssueInstant="2013-05-15T12:37:12Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Version="2.0"><saml:Issuer>https://nam32phys.lab.novell.com:8443/nidp/saml2/metadata</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/></samlp:AuthnRequest>

The NAM metadata for this SAML2 SP, imported at the remote IDP server, includes the following entry that links the index to the URL:

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://nam32phys.lab.novell.com:8443/nidp/saml2/spassertion_consumer" index="0" isDefault="true"/>

However, there may be 3rd party IDP servers that lack the logic to tie the two together, i.e. to link the index in the AuthnRequest to the URL where the assertion must be sent. In that case it is better if the Authentication Request generated by the NAM SP carries neither an AssertionConsumerServiceIndex nor an AssertionConsumerServiceURL tag, so that the IDP server simply responds to the URL defined in the metadata it imported for this NAM SP.



Resolution

Apply 3.2.2 IR1 and do the following:

a) Edit the "/opt/novell/nam/idp/webapps/nidp/WEB-INF/classes/nidpconfig.properties" file

b) add the line: "SAML2_AVOID_ASSERTIONCONSUMERSERVICEINDEX = true" anywhere in the file

c) restart your NIDP server: "/etc/init.d/novell-idp restart"
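The following script is an added example, not part of this TID or of NetIQ's product code. It applies steps a) to c) idempotently (the setting is updated in place if it already exists, otherwise appended, so repeated runs do not leave duplicate lines), and adds two small checks a practitioner would want before and after the change: which Assertion Consumer Service URL a given index maps to in the SP metadata, and whether a logged AuthnRequest still carries the tag. The file path and restart command are the ones from the resolution above; the function names, the NIDP_PROPS override and the constructed sample inputs in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example: idempotent version of the TID's resolution steps.
# Path and restart command are taken from the TID; NIDP_PROPS may be
# overridden for testing against a copy of the file (assumption).
NIDP_PROPS="${NIDP_PROPS:-/opt/novell/nam/idp/webapps/nidp/WEB-INF/classes/nidpconfig.properties}"
ACS_KEY=SAML2_AVOID_ASSERTIONCONSUMERSERVICEINDEX

# set_nidp_property FILE KEY VALUE
# Rewrites an existing "KEY = VALUE" line (any spacing) or appends one.
# The file is overwritten in place via cat so ownership/permissions of the
# original nidpconfig.properties are preserved.
set_nidp_property() {
  file=$1; key=$2; value=$3
  [ -f "$file" ] || return 1
  if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
    tmp=$(mktemp) || return 1
    sed -E "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$tmp" \
      && cat "$tmp" > "$file"
    rm -f "$tmp"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

# get_nidp_property FILE KEY -> prints the value of the last matching line
get_nidp_property() {
  sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# resolve_acs_index METADATA_XML INDEX -> prints the Location attribute of the
# md:AssertionConsumerService element with that index (the lookup a compliant
# IDP performs when it receives AssertionConsumerServiceIndex). Text-based,
# intended for the one-line-per-element metadata snippets quoted in the TID.
resolve_acs_index() {
  printf '%s\n' "$1" | tr '>' '\n' | grep 'AssertionConsumerService' \
    | grep -E "index=\"$2\"" | sed -nE 's/.*Location="([^"]*)".*/\1/p'
}

# authnrequest_has_acs_index XML -> success (0) if the AuthnRequest still
# carries AssertionConsumerServiceIndex or AssertionConsumerServiceURL.
# Paste the <samlp:AuthnRequest ...> line from catalina.out after the restart
# to confirm the setting took effect.
authnrequest_has_acs_index() {
  printf '%s' "$1" | grep -Eq 'AssertionConsumerService(Index|URL)[[:space:]]*='
}

main() {
  set_nidp_property "$NIDP_PROPS" "$ACS_KEY" true || { echo "cannot edit $NIDP_PROPS" >&2; exit 1; }
  echo "$ACS_KEY is now: $(get_nidp_property "$NIDP_PROPS" "$ACS_KEY")"
  /etc/init.d/novell-idp restart
}

# Only apply the change when invoked as: sh thisscript.sh apply
if [ "${1:-}" = apply ]; then
  main
fi
```

Run it with `apply` as the only argument on the IDP server; without arguments it just defines the functions, so it can be sourced to check metadata or a captured AuthnRequest line by hand.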


For more details, check out the 'Enabling or Disabling SAML tags' section of the docs at https://www.netiq.com/documentation/netiqaccessmanager32/identityserverhelp/?page=/documentation/netiqaccessmanager32/identityserverhelp/data/b13ucle3.html.