Environment
NetIQ Access Manager 3.2
NetIQ Access Manager 4.0
Situation
- NetIQ Access Manager NIDP server runs as SAML 2.0 Identity provider
- Microsoft ADFS 3 runs as SAML 2.0 Service Provider
- User authentication at the NetIQ NIDP server works without a problem
- Login to the ADFS 3 Service Provider fails after the SAML 2.0 assertion has been received.
- The ADFS 3 Service Provider reports the error:
System.Xml.XmlException: ID0013: The value must be an absolute URI.
at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadSimpleUriElement(XmlReader reader, UriKind kind, Boolean allowLaxReading)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadAuthenticationContext(XmlReader reader)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadAuthenticationStatement(XmlReader reader)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadAssertion(XmlReader reader)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadToken(XmlReader reader)
at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.ReadSecurityToken(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
at Microsoft.IdentityServer.Service.Tokens.SamlMessageSecurityTokenHandler.ReadToken(XmlReader reader)
at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.ReadSecurityToken(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSecurityToken()
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.SendSignInResponseForSecurityToken(GenericProtocolRequest originalRequest, SecurityTokenElement requestedTokenElement, ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
Resolution
- Configure the NIDP authentication contract with an absolute URI, for example "http://name/password/uri", so that the <saml:AuthnContextDeclRef> element in the assertion carries an absolute URI.
Cause
- ADFS 3 does not accept the relative URI in the "<saml:AuthnContextDeclRef>name/password/uri</saml:AuthnContextDeclRef>" element of the SAML 2.0 assertion generated by the NetIQ NIDP server.
- The "<saml:AuthnContextDeclRef>" element carries the URI of the contract used to authenticate the user at the NetIQ NIDP server.
- The SAML 2.0 core specification states for <AuthnContextDecl> or <AuthnContextDeclRef> [Optional]: "Either an authentication context declaration provided by value, or a URI reference that identifies such a declaration. The URI reference MAY directly resolve into an XML document containing the referenced declaration."
- A URI reference can be relative or absolute, but ADFS 3 accepts absolute URIs only: its Saml2SecurityTokenHandler.ReadSimpleUriElement (see the stack trace above) rejects any other value with error ID0013.
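The following script is an added example, not NetIQ or Microsoft code, that lets an administrator pre-check an assertion captured from the NIDP server (for example with a browser SAML tracer) before sending it to ADFS. It parses the assertion, finds every <saml:AuthnContextClassRef> and <saml:AuthnContextDeclRef> element, and reports the ones that are not absolute URIs. The absolute-URI test is an RFC 3986 approximation (the value must carry a scheme); it is assumed to agree with .NET's UriKind.Absolute for the values a NIDP contract can hold. The two sample assertions, the issuer URL and the AuthnContextClassRef value in them are constructed for the example; only the AuthnContextDeclRef values come from this article.

```python
"""Pre-check a SAML 2.0 assertion for the AuthnContext URI problem described
in this article: ADFS reads <saml:AuthnContextDeclRef> (and
<saml:AuthnContextClassRef>) with UriKind.Absolute, so a relative value such
as "name/password/uri" fails with ID0013 before the assertion is accepted.

Added example, not NetIQ or Microsoft code.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Element names that ADFS reads through ReadSimpleUriElement
# in ReadAuthenticationContext (see the stack trace in the article).
AUTHN_CONTEXT_REFS = ("AuthnContextClassRef", "AuthnContextDeclRef")


def is_absolute_uri(value: str) -> bool:
    """True if the value carries a URI scheme (RFC 3986 absolute-URI),
    e.g. 'http://name/password/uri' or 'urn:oasis:...'. A relative
    reference such as 'name/password/uri' has no scheme and returns False.
    Assumption: this matches what System.Uri accepts for UriKind.Absolute."""
    return bool(urlsplit(value.strip()).scheme)


def find_relative_authn_context_refs(assertion_xml: str) -> list[tuple[str, str]]:
    """Return (element name, value) for every AuthnContext reference in the
    assertion that is not an absolute URI. An empty list means none of these
    elements would trigger ID0013 in ADFS."""
    root = ET.fromstring(assertion_xml)
    relative = []
    for name in AUTHN_CONTEXT_REFS:
        for element in root.iter(f"{{{SAML_NS}}}{name}"):
            text = (element.text or "").strip()
            if not is_absolute_uri(text):
                relative.append((name, text))
    return relative


def _assertion_with(decl_ref: str) -> str:
    # Constructed minimal assertion (no Signature or Conditions), carrying the
    # AuthnContext that a NIDP contract produces. Issuer and ClassRef are
    # constructed sample values; only the AuthnContext is relevant here.
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0"
    IssueInstant="2014-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/nidp/saml2/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>user1</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2014-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      <saml:AuthnContextDeclRef>{decl_ref}</saml:AuthnContextDeclRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


# Contract URI as the article describes the failing configuration (relative).
FAILING_ASSERTION = _assertion_with("name/password/uri")
# Contract URI after applying the resolution (absolute).
FIXED_ASSERTION = _assertion_with("http://name/password/uri")

if __name__ == "__main__":
    for label, xml in (("before fix", FAILING_ASSERTION), ("after fix", FIXED_ASSERTION)):
        relative = find_relative_authn_context_refs(xml)
        if relative:
            print(f"{label}: ADFS ID0013 expected, relative URI in {relative}")
        else:
            print(f"{label}: all AuthnContext references are absolute URIs")
```

Run the script on its own to see the constructed "before fix" assertion flagged and the "after fix" assertion pass; to check a real assertion, decode the base64 SAMLResponse from the browser trace and pass the <saml:Assertion> element to find_relative_authn_context_refs.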