Environment
NetIQ Access Manager 4.1
NetIQ Access Manager 4.1.1
Situation
- The NAM IDP server acts as SAML2 Identity Provider (IDP) for remote SAML2 Service Providers (SPs).
- Two SAML 2.0 SPs have been configured on the NAM NIDP server.
- Each SP has been configured with a different contract / method.
- Both contracts have been set to the same "Authentication Level".
- Both contracts have "Satisfiable by a contract of equal or higher level" enabled.
Resolution
- This issue has been reported to engineering and:
  - has been fixed with NAM 4.2
  - will be fixed with the next NAM 4.1 Service Pack (SP2)
- As a workaround, have the SAML2 Service Provider request the contract that should be executed at the NAM IDP (via RequestedAuthnContext in its AuthnRequest) instead of using the Step Up Authentication option, and map this authentication type to a local contract. For example, a request for the X509 class:

<samlp:RequestedAuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
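The following is an added illustration, not code from the TID or from NAM: it contrasts level-based satisfiability (a session from a different contract of equal level passes) with routing by the SP's RequestedAuthnContext, which selects the specific local contract. The contract names, levels and the class-to-contract mapping are hypothetical; the AuthnRequest is constructed.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical local NAM contracts: name -> authentication level (constructed).
CONTRACTS = {"Name/Password-Form": 20, "X509-Contract": 20}

# Hypothetical mapping of SAML authentication context classes to local contracts.
CLASS_TO_CONTRACT = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509": "X509-Contract",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": "Name/Password-Form",
}

def level_satisfied(existing_contract, required_contract):
    """Level check: a session satisfies the requirement when its contract level
    is equal or higher, so a different contract of the same level passes."""
    return CONTRACTS[existing_contract] >= CONTRACTS[required_contract]

def requested_contract(authn_request_xml):
    """Resolve the local contract the SP asked for via RequestedAuthnContext.
    Returns None when no mapped AuthnContextClassRef is present."""
    root = ET.fromstring(authn_request_xml)
    refs = root.findall("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)
    for ref in refs:
        contract = CLASS_TO_CONTRACT.get((ref.text or "").strip())
        if contract:
            return contract
    return None

def contract_needed(session_contract, authn_request_xml):
    """Exact match on the requested contract: return the contract to execute,
    or None if the session already used exactly that contract (or none was requested)."""
    wanted = requested_contract(authn_request_xml)
    return None if wanted is None or wanted == session_contract else wanted

# Constructed sample AuthnRequest, reduced to the element that matters here.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <samlp:RequestedAuthnContext>
    <saml:AuthnContextClassRef>
      urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    # Session was created by a password login at SP1; SP2 now requests X509.
    print(level_satisfied("Name/Password-Form", "X509-Contract"))  # True
    print(contract_needed("Name/Password-Form", SAMPLE_REQUEST))  # X509-Contract
```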