Environment
NetIQ Access Manager 3.2
NetIQ Access Manager 4.0
Situation
Access Manager setup as a SAML2 Identity (IDP) Server, with trust relationship to multiple SAML2 Service Providers (SP). After adding a new SAML2 SP, users accessing the SP and getting redirected to the NAM IDP server receive the following error message instead of the login page:
"There is either no 'Local Card' or a 'Provider Card' configured for the requested contract"
We get the error on an authentication request whenever a specific authentication context class is requested, e.g.
PasswordProtectedTransport. The IDP complains that it cannot find a contract,
even though a default contract for Secure Name/Password exists for this authentication type. It
works fine when the request carries no class. Here is the AuthnRequest that produced the error:
RelayState: ouccamwhuacmr
<AuthnRequest AssertionConsumerServiceURL="https://mchlvip.netiq.com:443/irj/portal" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Destination="https://cdcsx151.netiq.com:8443/nidp/saml2/sso" ID="S4392e57c-f2ad-48e3-9d7a-8761c20c6c54" IssueInstant="2015-03-31T08:22:56.923Z" Version="2.0" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" xmlns:ns3="http://www.w3.org/2000/09/xmldsig#"><ns2:Issuer>http://u0s.netiq.com</ns2:Issuer><NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/><RequestedAuthnContext Comparison="better"><ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ns2:AuthnContextClassRef></RequestedAuthnContext></AuthnRequest>
************************* End SAML2 message ****************************
</amLogEntry>
<amLogEntry> 2015-03-31T08:22:57Z INFO NIDS Application:
AM#500105016: AMDEVICEID#BA6534E4583F8F18:
AMAUTHID#997CA3BEE38C2A5B29D76ADFDEFCB576: Processing login resulting from
Service Provider authentication request. </amLogEntry>
<amLogEntry> 2015-03-31T08:22:57Z VERBOSE NIDS Application: Session
has consumed authentications: false </amLogEntry>
Warning: Invalid resource key: Authentication error: There is either no
'Local Card' or a 'Provider Card' configured for the requested contract [null].
No prefix!
<amLogEntry> 2015-03-31T08:22:57Z DEBUG NIDS SAML2:
Method: SAML2SSOProfile.doAuthentication
Thread: http-bio-10.128.106.104-8443-exec-1
Authentication error: There is either no 'Local Card' or a 'Provider Card' configured for the requested contract [null] </amLogEntry>
Resolution
Make sure that the Comparison attribute on the RequestedAuthnContext element in the AuthnRequest is set to anything but better, e.g. exact, minimum, or maximum.
In the problem case above, it is set to better, indicating that the contract used must be stronger than the class or type specified in the authentication statement. This cannot work in the NAM environment.
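As an added example (not part of the NetIQ article and not NAM's own code), the following Python script parses a SAML2 AuthnRequest, reports the Comparison mode and the requested AuthnContextClassRef values, and flags Comparison="better" as the case the Resolution above describes. It also shows the SP-side correction of rewriting the attribute to one of the other spec values. The function names are my own; the embedded request is the one from the log above, with the unused xmlns:ns3/ns4 declarations omitted.

```python
# Added example, not from the NetIQ article: parse a SAML2 AuthnRequest, report
# the RequestedAuthnContext Comparison mode and the requested classes, and flag
# Comparison="better", which the article's Resolution says NAM cannot satisfy.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Comparison values defined by SAML 2.0 core; when absent the attribute defaults to "exact".
VALID_COMPARISONS = ("exact", "minimum", "maximum", "better")

# Keep the conventional prefixes when re-serialising a modified request.
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# The AuthnRequest from the article's log (hostnames and IDs as they appear there;
# the unused xmlns:ns3/ns4 declarations are left out).
ARTICLE_REQUEST = (
    '<AuthnRequest AssertionConsumerServiceURL="https://mchlvip.netiq.com:443/irj/portal" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Destination="https://cdcsx151.netiq.com:8443/nidp/saml2/sso" '
    'ID="S4392e57c-f2ad-48e3-9d7a-8761c20c6c54" IssueInstant="2015-03-31T08:22:56.923Z" '
    'Version="2.0" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<ns2:Issuer>http://u0s.netiq.com</ns2:Issuer>'
    '<NameIDPolicy AllowCreate="false" '
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>'
    '<RequestedAuthnContext Comparison="better">'
    '<ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
    '</ns2:AuthnContextClassRef></RequestedAuthnContext></AuthnRequest>'
)


def inspect_authn_context(xml_text):
    """Return what the request asks of the IDP's authentication context.

    Result keys: comparison (str, or None when no context is requested),
    classes (list of class URIs) and nam_compatible (False only for the
    Comparison="better" case described in the article).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a SAML2 AuthnRequest: %s" % root.tag)
    rac = root.find("{%s}RequestedAuthnContext" % SAMLP)
    if rac is None:
        # No context requested: the IDP falls back to its default contract,
        # which the article reports as working.
        return {"comparison": None, "classes": [], "nam_compatible": True}
    comparison = rac.get("Comparison", "exact")
    if comparison not in VALID_COMPARISONS:
        raise ValueError("invalid Comparison value: %r" % comparison)
    classes = [e.text.strip() for e in rac.findall("{%s}AuthnContextClassRef" % SAML)]
    return {
        "comparison": comparison,
        "classes": classes,
        "nam_compatible": comparison != "better",
    }


def set_comparison(xml_text, new_value):
    """Return the request re-serialised with RequestedAuthnContext/@Comparison changed.

    This mirrors the SP-side fix from the Resolution: new_value must be one of
    the spec values other than "better".
    """
    if new_value not in VALID_COMPARISONS or new_value == "better":
        raise ValueError("Comparison must be exact, minimum or maximum, not %r" % new_value)
    root = ET.fromstring(xml_text)
    rac = root.find("{%s}RequestedAuthnContext" % SAMLP)
    if rac is None:
        raise ValueError("request has no RequestedAuthnContext to adjust")
    rac.set("Comparison", new_value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    report = inspect_authn_context(ARTICLE_REQUEST)
    print("requested:", report)
    if not report["nam_compatible"]:
        fixed = set_comparison(ARTICLE_REQUEST, "exact")
        print("after fix:", inspect_authn_context(fixed))
```

Run the script against a request captured from the IDP's SAML2 log to confirm whether the SP is sending Comparison="better" before changing the SP's configuration; the check only reads the request and does not need a connection to either side.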