Error: "There is either no 'Local Card' or a 'Provider Card' configured for the requested contract" processing SAML2 AuthnRequest

  • 7016366
  • 31-Mar-2015
  • 15-Apr-2015

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 4.0

Situation

Access Manager is set up as a SAML2 Identity Provider (IDP) server with trust relationships to multiple SAML2 Service Providers (SPs). After a new SAML2 SP is added, users who access that SP and are redirected to the NAM IDP server receive the following error message instead of the login page:

"There is either no 'Local Card' or a 'Provider Card' configured for the requested contract"

The error occurs on an authentication request that asks for a specific authentication context class, e.g. PasswordProtectedTransport. The IDP complains that it cannot find a contract, even though a default contract for Secure Name Password exists for this authentication type. The same request works without the class request. Here is the AuthnRequest that triggers the error, followed by the resulting log entries:

RelayState: ouccamwhuacmr
<AuthnRequest AssertionConsumerServiceURL="https://mchlvip.netiq.com:443/irj/portal" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Destination="https://cdcsx151.netiq.com:8443/nidp/saml2/sso" ID="S4392e57c-f2ad-48e3-9d7a-8761c20c6c54" IssueInstant="2015-03-31T08:22:56.923Z" Version="2.0" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" xmlns:ns3="http://www.w3.org/2000/09/xmldsig#"><ns2:Issuer>http://u0s.netiq.com</ns2:Issuer><NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/><RequestedAuthnContext Comparison="better"><ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ns2:AuthnContextClassRef></RequestedAuthnContext></AuthnRequest>
************************* End SAML2 message ****************************

</amLogEntry>

<amLogEntry> 2015-03-31T08:22:57Z INFO NIDS Application: AM#500105016: AMDEVICEID#BA6534E4583F8F18: AMAUTHID#997CA3BEE38C2A5B29D76ADFDEFCB576:  Processing login resulting from Service Provider authentication request. </amLogEntry>

<amLogEntry> 2015-03-31T08:22:57Z VERBOSE NIDS Application: Session has consumed authentications: false </amLogEntry>

Warning: Invalid resource key: Authentication error: There is either no 'Local Card' or a 'Provider Card' configured for the requested contract [null]. No prefix!
Warning: Invalid resource key: Authentication error: There is either no 'Local Card' or a 'Provider Card' configured for the requested contract [null]. No prefix!
<amLogEntry> 2015-03-31T08:22:57Z DEBUG NIDS SAML2:
Method: SAML2SSOProfile.doAuthentication
Thread: http-bio-10.128.106.104-8443-exec-1
Authentication error: There is either no 'Local Card' or a 'Provider Card' configured for the requested contract [null] </amLogEntry>

Resolution

Make sure that the Comparison attribute of the RequestedAuthnContext element in the AuthnRequest is set to anything but "better", e.g. "exact", "minimum", or "maximum".

In the problem case above, it is set to "better", which tells the IDP that the contract it authenticates with must be stronger than the class or type specified in the authentication statement. This cannot work in the NAM environment.
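As an added check that is not part of the original article: a Python script that parses an AuthnRequest copied from the NIDS log, reports the RequestedAuthnContext Comparison mode, and flags "better", the value the resolution says NAM cannot honour. The shortened request embedded below is constructed from the one in the log above; the allowed Comparison values and the "exact" default come from the SAML 2.0 Core specification.

```python
# Checks a SAML2 AuthnRequest for the RequestedAuthnContext Comparison mode
# that NetIQ Access Manager cannot honour ("better"), e.g. before adding an SP.
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"

# Values allowed by SAML 2.0 Core; "exact" applies when the attribute is absent.
VALID_COMPARISONS = {"exact", "minimum", "maximum", "better"}
# NAM rejects "better" with the 'Local Card'/'Provider Card' error shown in the log.
NAM_UNSUPPORTED = {"better"}


def inspect_authn_request(xml_text: str) -> dict:
    """Return the Issuer, requested classes, effective Comparison and a NAM verdict."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS_P}}}AuthnRequest":
        raise ValueError(f"not a SAML2 AuthnRequest: {root.tag}")
    issuer = root.findtext(f"{{{NS_A}}}Issuer")
    rac = root.find(f"{{{NS_P}}}RequestedAuthnContext")
    classes = [] if rac is None else [
        c.text for c in rac.findall(f"{{{NS_A}}}AuthnContextClassRef")
    ]
    comparison = "exact" if rac is None else rac.get("Comparison", "exact")
    if comparison not in VALID_COMPARISONS:
        raise ValueError(f"invalid Comparison value: {comparison!r}")
    return {
        "issuer": issuer,
        "classes": classes,
        "comparison": comparison,
        "nam_supported": comparison not in NAM_UNSUPPORTED,
    }


# Constructed sample: a shortened copy of the AuthnRequest from the log above.
FAILING_REQUEST = (
    '<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-1" Version="2.0" IssueInstant="2015-03-31T08:22:56.923Z">'
    '<ns2:Issuer>http://u0s.netiq.com</ns2:Issuer>'
    '<RequestedAuthnContext Comparison="better">'
    '<ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
    '</ns2:AuthnContextClassRef></RequestedAuthnContext></AuthnRequest>'
)
# The same request with the Comparison value the resolution recommends.
WORKING_REQUEST = FAILING_REQUEST.replace('Comparison="better"', 'Comparison="exact"')

if __name__ == "__main__":
    for name, req in (("failing", FAILING_REQUEST), ("working", WORKING_REQUEST)):
        print(name, inspect_authn_request(req))
```

Run it against each new SP's sample AuthnRequest; a "nam_supported": False result means the SP must be reconfigured to send "exact", "minimum" or "maximum" before the trust is put into production.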