Error: "Request was from an untrusted provider" when processing valid incoming SAML AuthnRequest

  • 7017296
  • 25-Feb-2016
  • 25-Feb-2016

Environment

NetIQ Access Manager 4.1
NetIQ Access Manager 4.2
NetIQ Access Manager 4.0
NAM Identity Server setup as SAML Identity Server for multiple SAML SPs

Situation

The following AuthnRequest is sent (from CyberArk) to the NetIQ Access Manager Identity Server:

<samlp:AuthnRequest ID="_178568af-9ce4-4dbb-8ad0-ce4264b71abb"
                    Version="2.0"
                    IssueInstant="2016-02-25T10:34:36Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    AssertionConsumerServiceURL="https://spp.cyberarc.com/PasswordVault/auth/saml/"
                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">PasswordVault</saml:Issuer>
</samlp:AuthnRequest>


Provider ID "PasswordVault" is configured as a trusted SP and generates no errors during initialization; it was confirmed that the "loaded Trusted Provider" message for this SP was written to the IDP catalina log without errors.

However, when we hit the SAML SP and it redirects us to the NAM IDP server to authenticate, we get an error message about an untrusted provider instead of the login page. All other SAML SPs that talk to this IDP server work fine, and their AuthnRequests are very similar. The IDP catalina log shows the following entries:


************************* SAML2 Redirect message ********************************

Type: received

 RelayState: None

<samlp:AuthnRequest ID="_e9c45b5a-bfc9-4397-91cb-8598bfe3a57b" Version="2.0" IssueInstant="2016-02-25T10:10:58Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://sp.cyberarc.com/PasswordVault/auth/saml/" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">PasswordVault</saml:Issuer></samlp:AuthnRequest>

************************* End SAML2 message ****************************  </amLogEntry>

Warning: Invalid resource key: Entity Provider not found with the provider id as PasswordVault. No prefix!

<amLogEntry> 2016-02-25T10:10:58Z WARNING NIDS SAML2: Entity Provider not found with the provider id as PasswordVault </amLogEntry>

Warning: Invalid resource key: Request was from an untrusted provider. No prefix!

Resolution

Make sure that the SP sends the AuthnRequest to the Single Sign-On URL of the IDP server, i.e. to /nidp/saml2/sso. In the above case, the AuthnRequest was being sent to /nidp/saml2/spassertion_consumer instead, so the IDP could not match the Issuer against its trusted service providers.
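As an added worked example (not NetIQ code and not part of this TID), the following Python script models the two conditions behind the Resolution: it encodes the article's AuthnRequest with the HTTP-Redirect binding (raw DEFLATE, then base64, which is what the "SAML2 Redirect message" log entry implies the IDP received), decodes it back, extracts the Issuer, and reports whether the request was sent to /nidp/saml2/sso or to a different endpoint such as /nidp/saml2/spassertion_consumer. The IDP host name idp.example.com, the trusted-SP set and the function names are constructed for this example; the trusted-SP set is a stand-in for the IDP's configured trusted providers, not NAM's actual data model.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

# Namespaces used by the AuthnRequest quoted in the article.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The IDP endpoint the article says the SP must target.
IDP_SSO_PATH = "/nidp/saml2/sso"

# The AuthnRequest from the article, whitespace compacted (same attributes and issuer).
AUTHN_REQUEST = (
    '<samlp:AuthnRequest ID="_178568af-9ce4-4dbb-8ad0-ce4264b71abb" Version="2.0" '
    'IssueInstant="2016-02-25T10:34:36Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://spp.cyberarc.com/PasswordVault/auth/saml/" '
    'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">PasswordVault</saml:Issuer>'
    "</samlp:AuthnRequest>"
)


def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw deflate
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect(saml_request: str) -> str:
    """Reverse of encode_redirect: base64 decode, then raw inflate."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")


def build_redirect_url(idp_base: str, path: str, xml_text: str, relay_state: str = "") -> str:
    """Compose the GET URL an SP would redirect the browser to for this AuthnRequest."""
    params = {"SAMLRequest": encode_redirect(xml_text)}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{idp_base}{path}?{urlencode(params)}"


def extract_issuer(xml_text: str) -> str:
    """Return the <saml:Issuer> text of an AuthnRequest, or "" if absent."""
    # xml.etree does not resolve external entities, but for untrusted input a
    # hardened parser such as defusedxml is the safer choice.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        return ""
    issuer = root.find("saml:Issuer", NS)
    return (issuer.text or "").strip() if issuer is not None else ""


def diagnose(url: str, trusted_sps: set) -> list:
    """Explain why the IDP would answer a redirect-bound AuthnRequest with
    "untrusted provider". Returns an empty list when the request reaches the SSO
    endpoint from a configured trusted SP. trusted_sps is a constructed stand-in
    for the IDP's trusted service provider IDs."""
    findings = []
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if "SAMLRequest" not in query:
        findings.append("no SAMLRequest parameter on the request")
        return findings
    issuer = extract_issuer(decode_redirect(query["SAMLRequest"][0]))
    if parts.path != IDP_SSO_PATH:
        # The article's case: a correctly configured SP still fails when the
        # request hits the wrong endpoint, so check the path before the trust list.
        findings.append(
            f"AuthnRequest sent to {parts.path}; the IDP SSO endpoint is {IDP_SSO_PATH}"
        )
    elif issuer not in trusted_sps:
        findings.append(f"Entity Provider not found with the provider id as {issuer}")
    return findings


if __name__ == "__main__":
    trusted = {"PasswordVault"}  # constructed trusted-SP list
    wrong = build_redirect_url("https://idp.example.com", "/nidp/saml2/spassertion_consumer", AUTHN_REQUEST)
    right = build_redirect_url("https://idp.example.com", IDP_SSO_PATH, AUTHN_REQUEST)
    print("wrong endpoint:", diagnose(wrong, trusted))
    print("SSO endpoint:  ", diagnose(right, trusted))
```

Running the script prints an endpoint finding for the spassertion_consumer URL and an empty list for the /nidp/saml2/sso URL, which mirrors the article: the trusted-provider configuration was correct all along, and only the target path needed to change. The same decode_redirect helper is handy for reading a SAMLRequest parameter straight out of a proxy or access log when checking which endpoint an SP actually calls.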