NIDP server returns the error 300101017 while processing a SAML response from a SAML2 Identity Provider

  • 7015015
  • 06-May-2014
  • 06-May-2014

Environment

NetIQ Access Manager 4.0
NetIQ Access Manager 4.0 HF2

Situation

  • NetIQ Access Manager NIDP server has been configured to act as SAML2 Service provider

  • SP and IDP have been configured to make use of the SAML2 Post Binding Protocol

  • On processing the SAML 2.0 Response including the SAML 2.0 Assertion the NIDP server returns the error: "Identity Provider response was received that failed to authenticate this session (300101017)"

  • The catalina.out logs the following error message:

    <amLogEntry> 2014-04-28T04:38:15Z VERBOSE NIDS Application: IDP response failed to authenticate: NIDPLOGGING.300101017 </amLogEntry>

Resolution

  • With NAM 3.2.2 IR2 and NAM 4.0 HF3, an enhancement was added that lets the NIDP server be configured to accept a signed SAML Response (POST binding) whose SAML 2.0 Assertion is not itself signed.

  • Federation fails if the SAML 2.0 POST response carries a signature whereas the assertion does not. (Bug 842788)
    Fix: Added the NIDP config property "[SAML2_AVOID_SIGN_AND_VALIDATE_ASSERTION_TRUSTEDPROVIDERS = <IDP entity URL>" on the service provider.

Cause

The SAML2 IDP server signed the SAML Response but not the included Assertion, and without the enhancement above the NIDP service provider requires a signed Assertion, so it rejects the response with error 300101017.
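To confirm which element an IDP actually signs before changing the NIDP configuration, it helps to decode the SAMLResponse form value from the POST binding and look at where the ds:Signature elements sit. The following Python script is an added example, not NetIQ code: it parses a SAML 2.0 Response and reports whether the Response, the Assertion, both, or neither carry a signature. The sample response, its issuer and destination URLs, and the signature contents are constructed placeholders; the script does not verify signatures, it only locates them.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 and XML-DSig namespaces used in a POST-binding Response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample (not a real IDP message): the samlp:Response element
# carries a ds:Signature, the saml:Assertion inside it does not. This is the
# shape of message the KB article describes. Hostnames use .invalid and the
# signature body is a placeholder, not a real XML-DSig.
SAMPLE_RESPONSE_SIGNED_ONLY = b"""<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2014-04-28T04:38:15Z"
    Destination="https://sp.example.invalid/nidp/saml2/spassertion_consumer">
  <saml:Issuer>https://idp.example.invalid/idp/saml2/metadata</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assn1" Version="2.0" IssueInstant="2014-04-28T04:38:15Z">
    <saml:Issuer>https://idp.example.invalid/idp/saml2/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Second constructed sample: same message with a (placeholder) signature on
# the Assertion as well, i.e. what the NIDP SP accepts by default.
SAMPLE_RESPONSE_BOTH_SIGNED = SAMPLE_RESPONSE_SIGNED_ONLY.replace(
    b"<saml:Subject>",
    b"<ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>"
    b"<saml:Subject>",
    1,
)


def encode_post_binding(xml_bytes):
    """Encode a Response the way the POST binding puts it in the SAMLResponse form field."""
    return base64.b64encode(xml_bytes).decode("ascii")


def decode_post_binding(saml_response_form_value):
    """Decode the base64 SAMLResponse form field back to the XML bytes."""
    return base64.b64decode(saml_response_form_value)


def signature_placement(xml_bytes):
    """Report where ds:Signature elements appear in a samlp:Response.

    Only direct children are inspected: a signature on the Response is a child
    of samlp:Response, a signature on an Assertion is a child of saml:Assertion.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response: %s" % root.tag)
    issuer = root.find("saml:Issuer", NS)
    assertions = root.findall("saml:Assertion", NS)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    return {
        "issuer": issuer.text if issuer is not None else None,
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_count": len(assertions),
        "encrypted_assertion_count": len(encrypted),
        # True only when every plaintext assertion carries its own signature.
        "assertion_signed": bool(assertions)
        and all(a.find("ds:Signature", NS) is not None for a in assertions),
    }


def diagnose(xml_bytes):
    """Classify the signing pattern of a Response as a short verdict string."""
    p = signature_placement(xml_bytes)
    if p["assertion_count"] == 0:
        # Encrypted or absent assertions cannot be checked without decryption.
        return "no-plaintext-assertion"
    if p["response_signed"] and p["assertion_signed"]:
        return "response-and-assertion-signed"
    if p["response_signed"]:
        # The pattern behind error 300101017 on an unpatched NIDP SP.
        return "response-signed-assertion-unsigned"
    if p["assertion_signed"]:
        return "assertion-signed-only"
    return "unsigned"


if __name__ == "__main__":
    for label, sample in (("signed-only", SAMPLE_RESPONSE_SIGNED_ONLY),
                          ("both", SAMPLE_RESPONSE_BOTH_SIGNED)):
        print(label, diagnose(decode_post_binding(encode_post_binding(sample))))
```

Run it against a real SAMLResponse value captured from the browser (for example with a SAML tracer extension) by passing the form value to decode_post_binding and then to diagnose; a verdict of "response-signed-assertion-unsigned" from a trusted provider is the case the SAML2_AVOID_SIGN_AND_VALIDATE_ASSERTION_TRUSTEDPROVIDERS property addresses, whereas "unsigned" points at an IDP signing misconfiguration rather than this bug.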