Environment
NetIQ Access Manager 3.2
NetIQ Access Manager 4.0
NetIQ Access Manager Identity Server with SAML enabled
Situation
The Access Manager Identity Server is set up as a SAML Identity Provider (IDP). It generates assertions for a SAML Service Provider (SP) where the NameIdentifier format is Email and the value is retrieved from the user's LDAP mail attribute at login. This works as expected. However, if the user's LDAP mail attribute changes after the user has logged in to the Identity Server, the NameIdentifier in subsequently generated SAML assertions does not contain the updated email address. If the assertion also carries a SAML AttributeStatement that includes the same LDAP mail attribute, the updated value is sent there as expected.
Here are the steps we used to duplicate the issue:
1. Set up a SAML2 relationship with a remote SAML2 SP.
2. Go to the Authentication Response tab and set the NameID format to unspecified or emailAddress, with the LDAP mail attribute as the value.
3. Under Attributes, send this LDAP mail attribute in the attribute statement.
4. Log in to the IDP and send an assertion to the SP ACS URL. Use SAML tracer to inspect the assertion sent to the SP and confirm that the Subject NameID value and the AttributeStatement both show the correct user email address.
5. Go to the user store and change the email address of the user.
6. Log in to the IDP again and send an assertion to the SP ACS URL. Use SAML tracer to inspect the assertion. This time, notice that the updated email address is sent only in the AttributeStatement, not in the Subject NameID.

Here is an example assertion after I changed my email address from ncashell@novell.com to neilcashell@novell.com on the LDAP server. The new email address is reflected only in the AttributeStatement. Only after restarting the IDP server does the assertion reflect the updated email address correctly.

  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                 NameQualifier="https://nam32phys.lab.novell.com:8443/nidp/saml2/metadata"
                 SPNameQualifier="http://simplesaml.lab.novell.com/">ncashell@novell.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_4a8f4676e396915c800824079d82d3386e60d4f61b"
                                    NotOnOrAfter="2013-05-17T16:18:24Z"
                                    Recipient="http://simplesaml.lab.novell.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-simplesaml-sp" />
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-05-17T16:08:24Z" NotOnOrAfter="2013-05-17T16:18:24Z">
    <saml:AudienceRestriction>
      <saml:Audience>http://simplesaml.lab.novell.com/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2013-05-17T16:13:24Z" SessionIndex="id5ByZE8cSrn8KzZ0XJjJmzTl35RQ">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      <saml:AuthnContextDeclRef>secure/name/password/uri</saml:AuthnContextDeclRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    Name="/UserAttribute[@ldap:targetAttribute=&quot;mail&quot;]"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xsi:type="xs:string">neilcashell@novell.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
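The mismatch above is easy to miss in a SAML tracer dump, because the AttributeStatement looks right. The following script is an added example (not NetIQ code) that parses a captured SAML Response and flags the case where the Subject NameID uses the emailAddress format but its value does not match any value of the mail attribute in the AttributeStatement, which is exactly the stale-NameID symptom described above. The sample response is a constructed, trimmed version of the assertion from this article, wrapped in the samlp:Response and saml:Assertion elements the excerpt omits; the attribute Name string is assumed to be the same as the one shown in the excerpt.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces used in the element paths below.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample (trimmed from the article's assertion, with the
# Response/Assertion wrapper added so it parses as a complete document).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ncashell@novell.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                      Name="/UserAttribute[@ldap:targetAttribute=&quot;mail&quot;]"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xsi:type="xs:string">neilcashell@novell.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Assumed attribute Name, taken from the article's excerpt; a real deployment
# uses whatever Name the IDP's attribute set maps the mail attribute to.
MAIL_ATTR_NAME = '/UserAttribute[@ldap:targetAttribute="mail"]'


def extract_identities(response_xml, mail_attr_name=MAIL_ATTR_NAME):
    """Return the NameID value/format and all AttributeValues of the mail attribute."""
    root = ET.fromstring(response_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    mail_values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == mail_attr_name:
            for value in attr.findall("saml:AttributeValue", NS):
                mail_values.append((value.text or "").strip())
    return {
        "name_id": (name_id.text or "").strip() if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "mail_values": mail_values,
    }


def check_name_id_consistency(response_xml, mail_attr_name=MAIL_ATTR_NAME):
    """Return (ok, message). ok is False when an email-format NameID disagrees
    with the mail attribute carried in the same assertion."""
    ids = extract_identities(response_xml, mail_attr_name)
    if ids["name_id"] is None:
        return False, "no Subject/NameID found"
    if ids["name_id_format"] != EMAIL_FORMAT:
        return True, "NameID is not in emailAddress format; nothing to compare"
    if not ids["mail_values"]:
        return True, "no mail attribute in AttributeStatement; nothing to compare"
    if ids["name_id"] in ids["mail_values"]:
        return True, "NameID matches the mail attribute"
    return False, "stale NameID %r does not match mail attribute %r" % (
        ids["name_id"], ids["mail_values"])


if __name__ == "__main__":
    ok, message = check_name_id_consistency(SAMPLE_RESPONSE)
    print("OK" if ok else "MISMATCH", "-", message)
```

To use it on a real capture, paste the decoded SAML Response from the tracer into SAMPLE_RESPONSE (or read it from a file) and adjust MAIL_ATTR_NAME to the attribute Name your IDP actually emits. A MISMATCH result on an assertion issued after a mail change, with a clean result after an IDP restart, confirms the behaviour described in this article rather than an SP-side problem.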
Resolution
Fixed in NAM 4.1.