Environment
NetIQ Access Manager 4.0
NetIQ Access Manager 4.0 HF2
Situation
- NetIQ Access Manager NIDP server has been configured to act as SAML2 Service provider
- SP and IDP have been configured to make use of the SAML2 Post Binding Protocol
- On processing the SAML 2.0 Response including the SAML 2.0 Assertion the NIDP server returns the error: "Identity Provider response was received that failed to authenticate this session (300101017)"
- The catalina.out logs the following error message:
<amLogEntry> 2014-04-28T04:38:15Z VERBOSE NIDS Application: IDP response failed to authenticate: NIDPLOGGING.300101017 </amLogEntry>
Resolution
- With NAM 3.2.2 IR2 and NAM 4.0 HF3 an enhancement has been added that allows the NIDP server to be configured to accept a signed SAML Response (POST Binding) whose SAML 2.0 Assertion is not signed.
- Federation fails if the SAML 2.0 POST response carries a signature but the assertion does not. (Bug 842788)
Fix: Added the NIDP configuration property "SAML2_AVOID_SIGN_AND_VALIDATE_ASSERTION_TRUSTEDPROVIDERS = <IDP entity URL>" on the service provider.
Cause
The SAML2 IDP server signed the SAML Response but not the included assertion.
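As an added diagnostic (not part of this article and not NetIQ's code), the following Python script decodes a POST-binding SAMLResponse form value and reports whether the samlp:Response and the embedded saml:Assertion each carry a ds:Signature element, which is exactly the condition described under Cause. The sample Response, the hostnames and the Issuer value are constructed; the script checks only the presence of the signature elements, not their validity.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used in a SAML 2.0 POST-binding response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: the samlp:Response carries a ds:Signature itself while the
# embedded saml:Assertion carries none. The Signature body is a placeholder; only
# element presence is inspected here, not signature validity.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2014-04-28T04:38:15Z"
    Destination="https://sp.example.test/nidp/saml2/spassertion_consumer">
  <saml:Issuer>https://idp.example.test/idp</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-04-28T04:38:15Z">
    <saml:Issuer>https://idp.example.test/idp</saml:Issuer>
    <saml:Subject><saml:NameID>user1</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def encode_post_binding(response_xml: str) -> str:
    """Produce the base64 form value the POST binding sends in the SAMLResponse field."""
    return base64.b64encode(response_xml.encode("utf-8")).decode("ascii")


def decode_post_binding(form_value: str) -> str:
    """Recover the XML document from the base64 SAMLResponse form field."""
    return base64.b64decode(form_value).decode("utf-8")


def signature_status(response_xml: str) -> dict:
    """Report which parts of a samlp:Response carry an enveloped ds:Signature element."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("document root is not samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_count": len(assertions),
        "encrypted_assertion_count": len(root.findall("saml:EncryptedAssertion", NS)),
        "assertions_signed": [a.find("ds:Signature", NS) is not None for a in assertions],
    }


def diagnose(status: dict) -> str:
    """Map the signature layout onto the NIDP behaviour described in the article."""
    if status["encrypted_assertion_count"] and not status["assertion_count"]:
        return "assertion is encrypted; decrypt it before checking its signature"
    if status["assertion_count"] == 0:
        return "response contains no assertion"
    if all(status["assertions_signed"]):
        return "assertion signed: satisfies the default NIDP requirement"
    if status["response_signed"]:
        return (
            "response signed but assertion unsigned: NIDP SP rejects with 300101017 "
            "unless SAML2_AVOID_SIGN_AND_VALIDATE_ASSERTION_TRUSTEDPROVIDERS lists "
            + status["issuer"]
        )
    return "neither response nor assertion signed: nothing for the SP to validate"


if __name__ == "__main__":
    # Simulate the form value as it would arrive at the assertion consumer URL.
    form_value = encode_post_binding(SAMPLE_RESPONSE)
    status = signature_status(decode_post_binding(form_value))
    print(status)
    print(diagnose(status))
```

To use it on a real exchange, copy the SAMLResponse value from the browser's POST to the SP's assertion consumer URL and pass it to decode_post_binding; when the issuer printed in the diagnosis is the IDP you intend to trust, that is the entity URL to place in the property named under Resolution.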