NIDP acting as SAML Identity Provider is not able to satisfy contract of equal or higher level

  • 7017050
  • 07-Dec-2015
  • 07-Dec-2015

Environment

NetIQ Access Manager 4.1
NetIQ Access Manager 4.1.1

Situation

  • NAM IDP server acting as SAML2 IDP for remote SAML2 Service Providers (SPs)
  • two SAML2.0 SPs have been configured with the NAM NIDP server
  • each SP has been configured with a different contract / method
    • both contracts have been set to the same "Authentication Level"
    • both contracts have "Satisfiable by a contract of equal or higher level" set
  • with this configuration the NIDP is not able to satisfy one SP's contract with the other, although both are of equal level and both are flagged as satisfiable by a contract of equal or higher level

Resolution

  • This issue has been reported to engineering and
    •  has been fixed in NAM 4.2
    •  will be fixed in the next NAM 4.1 Service Pack (SP2)

  • As a workaround, have the SAML2 Service Provider name the contract that should be executed at the NAM IDP in its AuthnRequest, using a <samlp:RequestedAuthnContext> element with an <saml:AuthnContextClassRef>, instead of relying on the Step Up Authentication option, and map that authentication context class to a local contract on the NIDP. For example, to request the X509 contract:
    • <samlp:RequestedAuthnContext>
      <saml:AuthnContextClassRef>
      urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
      </samlp:RequestedAuthnContext>
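The following Python script is an added example, not NetIQ code, that models the workaround above: it parses a SAML2 AuthnRequest, reads the RequestedAuthnContext, maps the requested AuthnContextClassRef to a local contract, and shows the expected "equal or higher level" decision for the Situation's configuration. The contract names, the level numbers, the class-ref-to-contract mapping and the two AuthnRequest messages are constructed for illustration and are not taken from a NAM installation.

```python
"""Model of the RequestedAuthnContext workaround described in this TID.

Added example, not NetIQ code. The contract table, the authentication levels and
the AuthnContextClassRef-to-contract mapping below are assumptions for
illustration; the AuthnRequest messages are constructed inline.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


@dataclass(frozen=True)
class Contract:
    name: str
    level: int                            # "Authentication Level" of the contract
    satisfiable_by_equal_or_higher: bool  # the checkbox named in the Situation


# Assumed local contracts on the NIDP. The two SP contracts sit at the same
# level and both have "Satisfiable by a contract of equal or higher level" set,
# as in the Situation above; the third one is a higher-level contract.
CONTRACTS = {
    "Name/Password-Form": Contract("Name/Password-Form", 10, True),
    "X509-Contract": Contract("X509-Contract", 10, True),
    "Secure-Name/Password-Form": Contract("Secure-Name/Password-Form", 20, True),
}

# Assumed mapping of requested AuthnContextClassRef URIs to local contracts.
CLASS_REF_TO_CONTRACT = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": "Name/Password-Form",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509": "X509-Contract",
}

# Constructed AuthnRequest from the second SP: it names the contract it wants
# via RequestedAuthnContext instead of relying on Step Up Authentication.
SP2_AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2015-12-07T10:00:00Z"
    AssertionConsumerServiceURL="https://sp2.example.com/saml/acs">
  <saml:Issuer>https://sp2.example.com/saml/metadata</saml:Issuer>
  <samlp:RequestedAuthnContext>
    <saml:AuthnContextClassRef>
      urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Constructed AuthnRequest without RequestedAuthnContext: the IDP falls back to
# the contract configured for that SP.
SP1_AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example2" Version="2.0" IssueInstant="2015-12-07T10:00:00Z">
  <saml:Issuer>https://sp1.example.com/saml/metadata</saml:Issuer>
</samlp:AuthnRequest>"""


def parse_requested_authn_context(authn_request_xml):
    """Return (Comparison, [class refs]) from an AuthnRequest, or (None, [])."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []
    comparison = rac.get("Comparison", "exact")   # SAML 2.0 default is "exact"
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS)
            if e.text and e.text.strip()]
    return comparison, refs


def contract_for_request(authn_request_xml, sp_default_contract):
    """Pick the local contract to execute for an incoming AuthnRequest."""
    comparison, refs = parse_requested_authn_context(authn_request_xml)
    if not refs:
        return sp_default_contract
    if comparison != "exact":
        # minimum/better/maximum would need level arithmetic; out of scope here
        raise ValueError("unsupported Comparison: %s" % comparison)
    for ref in refs:                       # class refs are listed in preference order
        if ref in CLASS_REF_TO_CONTRACT:
            return CLASS_REF_TO_CONTRACT[ref]
    raise LookupError("no local contract mapped for %s" % ", ".join(refs))


def session_satisfies(session_contract, requested_contract):
    """Expected decision: can the contract already executed in the user's
    session satisfy the requested one without re-authentication?"""
    have = CONTRACTS[session_contract]
    want = CONTRACTS[requested_contract]
    if have.name == want.name:
        return True
    return want.satisfiable_by_equal_or_higher and have.level >= want.level


if __name__ == "__main__":
    wanted = contract_for_request(SP2_AUTHN_REQUEST, "Name/Password-Form")
    print("SP2 asks for", wanted)
    print("session on Name/Password-Form satisfies it:",
          session_satisfies("Name/Password-Form", wanted))
```

With the Situation's configuration (two contracts at the same level, both flagged), session_satisfies returns True, which is the decision the affected 4.1 builds fail to make; with the workaround the SP states the contract explicitly in RequestedAuthnContext, so the IDP executes the mapped local contract rather than depending on the level comparison. Only Comparison="exact" (the SAML 2.0 default) is handled; the other comparison modes are rejected rather than guessed at.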