Environment
- NetIQ Access Manager 4.4
- NetIQ Access Manager 4.5
- Access Manager Identity Server acting as SAML2 Service Provider
- Italian Government Servers acting as SAML2 Identity Provider
Situation
To extend authentication functionality, the NAM Identity Server was integrated with regional SAML IDP servers via three IDP affiliates (Postecom, Infocert and Telecom). The NAM Identity Server consumes the assertions sent by the regional IDP servers and uses the information to single sign-on to internal applications protected by the Access Gateway.
Postecom accepts our requests without problems, but Infocert rejects our SAML AuthnRequest. Under the Italian regional SAML specifications, each AuthnRequest must include:
1. Format and NameQualifier in saml:Issuer
2. AllowCreate attribute in NameIDPolicy.
Here's a sample AuthnRequest that works.
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceIndex="0"
    AttributeConsumingServiceIndex="0"
    Destination="https://posteid.poste.it/jod-fs/ssoservicepost"
    ForceAuthn="true"
    ID="s213f90f155d1d52028e4a61dd98ebf37164713ab9"
    IssueInstant="2016-04-06T16:48:58Z"
    Version="2.0"
    >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
        NameQualifier="https://accessosicuro.rete.toscana.it/opensso/sp"
        >https://accessosicuro.rete.toscana.it/opensso/sp</saml:Issuer>
    <ds:Signature>
        …
    </ds:Signature>
    <samlp:NameIDPolicy AllowCreate="true"
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
        SPNameQualifier="https://accessosicuro.rete.toscana.it/opensso/sp"
        />
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:SpidL3</saml:AuthnContextClassRef>
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:SpidL2</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
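As an added check that is not part of the original article or of NAM, the following Python validates an AuthnRequest against the two requirements above (Format and NameQualifier on saml:Issuer, AllowCreate on samlp:NameIDPolicy) before it is sent to the IDP. The two sample requests and the SP entity ID are constructed for the example, and the signature is omitted so the snippets parse stand-alone.

```python
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
ENTITY_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"

def check_authn_request(xml_text: str) -> list:
    """Return the list of missing/incorrect items; [] means the request passes."""
    root = ET.fromstring(xml_text)
    if root.tag != SAMLP + "AuthnRequest":
        return ["root element is not samlp:AuthnRequest"]
    problems = []
    issuer = root.find(SAML + "Issuer")
    if issuer is None:
        problems.append("saml:Issuer missing")
    else:
        if issuer.get("Format") != ENTITY_FMT:
            problems.append("saml:Issuer Format is not the entity name-id format")
        qualifier = issuer.get("NameQualifier")
        if not qualifier:
            problems.append("saml:Issuer NameQualifier missing")
        elif qualifier != (issuer.text or "").strip():
            # In the working request above the qualifier equals the issuer entity ID.
            problems.append("saml:Issuer NameQualifier differs from the issuer entity ID")
    policy = root.find(SAMLP + "NameIDPolicy")
    if policy is None:
        problems.append("samlp:NameIDPolicy missing")
    elif policy.get("AllowCreate") != "true":
        problems.append('samlp:NameIDPolicy AllowCreate="true" missing')
    return problems

# Constructed samples: a request without the attributes, and one with them.
SP = "https://sp.example.invalid/saml"  # constructed SP entity ID
DEFAULT_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_constructed1" Version="2.0" IssueInstant="2016-04-06T16:48:58Z">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">{SP}</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>"""
FIXED_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_constructed2" Version="2.0" IssueInstant="2016-04-06T16:48:58Z">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Format="{ENTITY_FMT}" NameQualifier="{SP}">{SP}</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="{SP}"/>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    print(check_authn_request(DEFAULT_REQUEST))  # three problems reported
    print(check_authn_request(FIXED_REQUEST))    # []
```

Run it against a request captured from the browser (for example via the SAML trace of the SP) to confirm the nidpconfig.properties settings took effect.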
Resolution
Apply the following settings on each Identity Server in the NAM cluster by editing the "/opt/novell/nids/lib/webapp/WEB-INF/classes/nidpconfig.properties" file:
#This file is loaded by NIDPLocalConfig.NIDP_CONFIG enum
SAML2_ISSUER_FORMAT = true
SAML2_ISSUER_NAMEQUALIFIER = true
SAML2_NAMEIDPOLICY_ALLOWCREATE = true