Error "IDP response failed to authenticate: NIDPLOGGING.300101008" federating with ADFS SAML2 Identity Server

  • 7013214
  • 06-Sep-2013
  • 06-Sep-2013

Environment

NetIQ Access Manager 3.2
ADFS2 SAML2 Identity Server running on Windows 2008 R2
NetIQ Identity Server acting as SAML2 Service Provider

Situation

Access Manager installed and working well: users can access protected resources behind the Access Gateway (AG) after authenticating to the NAM Identity (IDP) Server. The administrator then rolled out a new application that required users to authenticate to a remote ADFS server on Windows 2008. A SAML2 federation between NAM and ADFS was set up, with ADFS as the SAML2 IDP and the NAM IDP server acting as SAML2 Service Provider. When users accessed the new application, they were redirected via the NAM IDP server to the ADFS server to log in, but instead of being sent on to the AG protected resource they received the following error in the browser:

IDP response failed to authenticate: NIDPLOGGING.300101008


Resolution

Edit the /opt/novell/nam/idp/webapps/nidp/WEB-INF/classes/nidpconfig.properties file on the NAM IDP server and add

SAML2_AVOID_SPNAMEQUALIFIER=true

Save and restart the IDP server after the change.

Cause

Event log on ADFS server showed the following entry:

Encountered error during federation passive request. 

Additional Data 

Exception details: 
Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, WSFederationMessage incomingMessage)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)

This caused the ADFS server to respond with a non-success status (top-level StatusCode Requester with the nested second-level code InvalidNameIDPolicy), which NAM reports only as the generic 300101008 error. Here is a snippet of the response:

<samlp:Response ID="_76c381a5-234b-4aad-ace4-b653cc15beb4" Version="2.0" IssueInstant="2013-09-06T10:32:06.981Z"
    Destination="https://nam32phys.lab.novell.com:8443/nidp/saml2/spassertion_consumer"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="idi1WExCbBXnlXH1osFjgQ88E31nE"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://win2k12dc.win2k12lab.info/adfs/services/trust</Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    :
    :
  </Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>


Looking at the AuthnRequest sent by NAM, we could see that the samlp:NameIDPolicy element carries an SPNameQualifier attribute. ADFS rejects an AuthnRequest whose NameIDPolicy contains SPNameQualifier and answers with the InvalidNameIDPolicy status shown above (the InResponseTo of the Response matches the ID of this request):

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable" ForceAuthn="false" ID="idi1WExCbBXnlXH1osFjgQ88E31nE"
    IsPassive="false" IssueInstant="2013-09-06T10:31:50Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer>https://nam32phys.lab.novell.com:8443/nidp/saml2/metadata</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
      SPNameQualifier="https://nam32phys.lab.novell.com:8443/nidp/saml2/metadata"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>


Once NAM omits the SPNameQualifier attribute from the NameIDPolicy (SAML2_AVOID_SPNAMEQUALIFIER=true), ADFS accepts the AuthnRequest and the federation completes.
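The following script is an added example, not NetIQ or Microsoft code and not part of this TID. It shows how to verify both halves of the diagnosis above from a browser trace (SAML tracer, Fiddler, or a HAR file): decode the SAMLRequest/SAMLResponse parameters, flag an SPNameQualifier on samlp:NameIDPolicy in the AuthnRequest, show what the request looks like once SAML2_AVOID_SPNAMEQUALIFIER=true is in effect, and unwrap the nested StatusCode that NAM's generic NIDPLOGGING.300101008 message hides. The two sample messages are constructed from the snippets in this TID with the signature and some attributes omitted; the function names are this example's own.

```python
"""Diagnose the NAM (SP) <-> ADFS (IdP) SAML2 exchange from a browser trace.

Added example, not NetIQ or Microsoft code. Sample messages are constructed
from the TID's snippets (signature omitted).
"""
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)  # keep the prefixes when re-serialising
ET.register_namespace("saml", SAML)

# Constructed from the TID: the AuthnRequest NAM sent (SPNameQualifier present).
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ForceAuthn="false" '
    'ID="idi1WExCbBXnlXH1osFjgQ88E31nE" IsPassive="false" '
    'IssueInstant="2013-09-06T10:31:50Z" Version="2.0" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://nam32phys.lab.novell.com:8443/nidp/saml2/metadata</saml:Issuer>'
    '<samlp:NameIDPolicy AllowCreate="true" '
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" '
    'SPNameQualifier="https://nam32phys.lab.novell.com:8443/nidp/saml2/metadata"/>'
    '</samlp:AuthnRequest>'
) % (SAMLP, SAML)

# Constructed from the TID: the non-success Response ADFS returned.
RESPONSE = (
    '<samlp:Response xmlns:samlp="%s" ID="_76c381a5-234b-4aad-ace4-b653cc15beb4" '
    'Version="2.0" IssueInstant="2013-09-06T10:32:06.981Z" '
    'InResponseTo="idi1WExCbBXnlXH1osFjgQ88E31nE">'
    '<Issuer xmlns="%s">http://win2k12dc.win2k12lab.info/adfs/services/trust</Issuer>'
    '<samlp:Status>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>'
    '</samlp:StatusCode></samlp:Status></samlp:Response>'
) % (SAMLP, SAML)


def decode_saml_message(value, redirect_binding=False):
    """SAMLRequest/SAMLResponse parameter -> XML text. HTTP-POST carries plain
    base64; HTTP-Redirect carries base64 of raw DEFLATE (no zlib header)."""
    data = base64.b64decode(value)
    if redirect_binding:
        data = zlib.decompress(data, -15)
    return data.decode("utf-8")


def encode_saml_message(xml_text, redirect_binding=False):
    """Inverse of decode_saml_message, for building test traffic."""
    data = xml_text.encode("utf-8")
    if redirect_binding:
        c = zlib.compressobj(wbits=-15)
        data = c.compress(data) + c.flush()
    return base64.b64encode(data).decode("ascii")


def check_authn_request(xml_text):
    """Findings for an AuthnRequest; the one this TID is about is an
    SPNameQualifier attribute on samlp:NameIDPolicy, which ADFS rejects."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest: " + root.tag)
    findings = []
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    if policy is not None and policy.get("SPNameQualifier") is not None:
        findings.append("NameIDPolicy carries SPNameQualifier="
                        + policy.get("SPNameQualifier"))
    return findings


def strip_sp_name_qualifier(xml_text):
    """The AuthnRequest as NAM sends it with SAML2_AVOID_SPNAMEQUALIFIER=true:
    same request, NameIDPolicy without the SPNameQualifier attribute."""
    root = ET.fromstring(xml_text)
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    if policy is not None:
        policy.attrib.pop("SPNameQualifier", None)
    return ET.tostring(root, encoding="unicode")


def response_status(xml_text):
    """(top-level StatusCode, [nested StatusCodes]) of a samlp:Response.
    The nested code is the one that explains a Requester/Responder failure."""
    root = ET.fromstring(xml_text)
    top = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if top is None:
        raise ValueError("Response has no samlp:Status/StatusCode")
    nested, node = [], top.find(f"{{{SAMLP}}}StatusCode")
    while node is not None:
        nested.append(node.get("Value"))
        node = node.find(f"{{{SAMLP}}}StatusCode")
    return top.get("Value"), nested


def response_answers_request(request_xml, response_xml):
    """True when Response/@InResponseTo equals AuthnRequest/@ID, i.e. the
    failure status really belongs to the request being examined."""
    return (ET.fromstring(response_xml).get("InResponseTo")
            == ET.fromstring(request_xml).get("ID"))


if __name__ == "__main__":
    print("AuthnRequest findings:", check_authn_request(AUTHN_REQUEST))
    print("Response status:", response_status(RESPONSE))
    print("Fixed request:", strip_sp_name_qualifier(AUTHN_REQUEST))
```

To use it on real traffic, paste the SAMLRequest value from the redirect to ADFS into decode_saml_message (with redirect_binding=True for the HTTP-Redirect binding) and the SAMLResponse posted back to /nidp/saml2/spassertion_consumer into decode_saml_message with the default; response_answers_request confirms the two belong together before you read the nested status code.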