ADFS 3 returns error: ID0013: The value must be an absolute URI while processing a NAM SAML 2.0 assertion

  • 7015106
  • 26-May-2014
  • 26-May-2014

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 4.0

Situation

  • NetIQ Access Manager NIDP server runs as SAML 2.0 Identity Provider
  • Microsoft ADFS 3 runs as SAML 2.0 Service Provider
  • User authentication at the NetIQ NIDP server works without a problem
  • Login to the ADFS 3 Service Provider fails after the SAML 2.0 assertion has been received.
  • ADFS 3 Service Provider reports the error:

    System.Xml.XmlException: ID0013: The value must be an absolute URI.
       at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadSimpleUriElement(XmlReader reader, UriKind kind, Boolean allowLaxReading)
       at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadAuthenticationContext(XmlReader reader)
       at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadAuthenticationStatement(XmlReader reader)
       at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadAssertion(XmlReader reader)
       at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadToken(XmlReader reader)
       at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
       at Microsoft.IdentityModel.Tokens.SecurityTokenElement.ReadSecurityToken(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
       at Microsoft.IdentityServer.Service.Tokens.SamlMessageSecurityTokenHandler.ReadToken(XmlReader reader)
       at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
       at Microsoft.IdentityModel.Tokens.SecurityTokenElement.ReadSecurityToken(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
       at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSecurityToken()
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.SendSignInResponseForSecurityToken(GenericProtocolRequest originalRequest, SecurityTokenElement requestedTokenElement, ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Resolution

  • Configure the NIDP authentication contract with an absolute URI like: "http://name/password/uri"

Cause

  • ADFS 3 does not accept the relative URI name in the "<saml:AuthnContextDeclRef>name/password/uri</saml:AuthnContextDeclRef>" element presented in the SAML 2.0 assertion generated at the NetIQ NIDP server.

  • The "<saml:AuthnContextDeclRef>" element carries the contract name used for the user authentication at the NetIQ NIDP server.

  • The SAML 2.0 specification states: <AuthnContextDeclRef> [Optional]
    Either an authentication context declaration provided by value, or a URI reference that identifies such
    a declaration. The URI reference MAY directly resolve into an XML document containing the
    referenced declaration.

  • A URI reference can be relative or absolute, but ADFS 3 accepts absolute URIs only; the bare contract name "name/password/uri" has no scheme and is therefore rejected as relative.
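As an added illustration (not part of this TID and not NetIQ or Microsoft code), the following Python script applies the same absolute-URI test to a SAML 2.0 assertion that ADFS 3 applies when it reads the authentication context, so an administrator can check an exported NIDP assertion before pointing ADFS at it. Both assertions in the script are constructed samples; the element names come from the SAML 2.0 assertion namespace, and the "absolute means it has a scheme" rule is the assumption the check is built on.

```python
"""Pre-flight check for the ID0013 failure: ADFS 3 rejects a SAML 2.0 assertion
whose <saml:AuthnContextDeclRef> (or <saml:AuthnContextClassRef>) value is not
an absolute URI.  Both sample assertions below are constructed for this example,
not captured from a NAM or ADFS system."""
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import urlsplit

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AUTHN_CONTEXT_REFS = ("AuthnContextDeclRef", "AuthnContextClassRef")


def is_absolute_uri(value: str) -> bool:
    """True when the value carries a URI scheme (http:, https:, urn:, ...).

    Assumption: this mirrors the UriKind.Absolute test in the ADFS stack trace.
    A bare path such as 'name/password/uri' has no scheme, so it is relative.
    """
    parts = urlsplit(value.strip())
    # A scheme alone ("http:") is not a usable reference either.
    return bool(parts.scheme) and bool(parts.netloc or parts.path)


def find_authn_context_refs(assertion_xml: str) -> List[Tuple[str, str]]:
    """Return (element name, text) for every AuthnContext*Ref in the assertion."""
    root = ET.fromstring(assertion_xml)
    found = []
    for name in AUTHN_CONTEXT_REFS:
        for element in root.iter("{%s}%s" % (SAML_NS, name)):
            found.append((name, (element.text or "").strip()))
    return found


def check_assertion(assertion_xml: str) -> List[str]:
    """Return one problem string per AuthnContext reference ADFS would reject.

    An empty list means the assertion passes this particular check.
    """
    problems = []
    for name, value in find_authn_context_refs(assertion_xml):
        if not is_absolute_uri(value):
            problems.append("%s value %r is not an absolute URI" % (name, value))
    return problems


# Constructed sample: the NIDP contract name exported as a relative reference,
# which is the shape that triggers ID0013.
RELATIVE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed_1" Version="2.0">
  <saml:AuthnStatement AuthnInstant="2014-05-26T10:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextDeclRef>name/password/uri</saml:AuthnContextDeclRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

# Constructed sample: the same contract after applying the resolution above.
ABSOLUTE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed_2" Version="2.0">
  <saml:AuthnStatement AuthnInstant="2014-05-26T10:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextDeclRef>http://name/password/uri</saml:AuthnContextDeclRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    for label, xml in (("relative", RELATIVE_ASSERTION), ("absolute", ABSOLUTE_ASSERTION)):
        problems = check_assertion(xml)
        print("%s: %s" % (label, "OK" if not problems else "; ".join(problems)))
```

The script deliberately stops at the authentication context; signature and audience validation are ADFS's job and are not reproduced here. Run it against an assertion captured from the NIDP server (for example from a browser SAML trace) and any line other than "OK" names the contract value that needs the absolute URI from the Resolution section.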