Environment
Situation
With the current configuration using two connectors, the SAML authentication request sent by the SAML SP application is not responded to by the NAM IDP. If a single connector is used, everything works: the SAML POST binding can be used and access to the SAML SP succeeds. However, the Smartcard fallback authentication needed for the Access Gateway protected applications is broken when only one connector is used.
Note too that if the SAML SP server performs an SP-initiated SSO using the POST binding, the NAM SAML IDP does not send an authentication response back to the SP with the two-connector model.
Authentication Flow:
------------------
1. The SP sends a SAML authentication request via POST to
POST /nidp/saml2/sso HTTP/1.1
Host: federation-qa.netiq.com
2. The NIDP server redirects to the second contract (the CONNECTOR_HOST configuration in the X.509 method):
HTTP/1.1 302 Found
Location: https://auth.federation-qa.netiq.com/nidp/saml2/sso
3. The user is successfully authenticated:
<amLogEntry> 2016-05-03T08:38:00Z INFO NIDS Application: AM#500105013: AMDEVICEID#6A67917902546C57: AMAUTHID#DAA3F64EAFD5BFD468D9E3483E0B5465: Authenticated user cn=ncashell,o=AUTH in User Store IDMVAULT LDAP with roles "authenticated". </amLogEntry>
------------------
The problem does not occur if:
- only one connector is used, or
- the SP uses the HTTP Redirect binding (this works with two connectors, but the SAML SP enabled application does not work with the Redirect binding)
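The working and failing cases above differ only in how the SAMLRequest reaches the IDP: the HTTP-Redirect binding carries it deflated and base64-encoded in the query string of a GET, while the HTTP-POST binding carries it base64-encoded in the form body of a POST. The following added example (not code from this article or from NetIQ) implements the encoding and decoding of both bindings, validates the Destination of the decoded request against the IDP endpoint from the page, and models what a browser sends after a generic 302 such as the one in step 2 (GET to the Location, with the original form body dropped). The SP issuer, ACS URL and request ID are constructed sample values; the article does not state the cause of the failure, and the model only illustrates the structural difference between the bindings.

```python
import base64
import zlib
from urllib.parse import urlencode, parse_qs
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# IDP endpoint taken from the article; the SP values below are constructed samples.
IDP_SSO_URL = "https://federation-qa.netiq.com/nidp/saml2/sso"
SP_ISSUER = "https://sp.example.test"          # constructed
SP_ACS_URL = "https://sp.example.test/saml/acs"  # constructed


def build_authn_request(request_id, issuer, acs_url, destination, issue_instant):
    """Build a minimal SAML 2.0 AuthnRequest as an XML string."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{destination}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"</samlp:AuthnRequest>"
    )


def encode_redirect_binding(xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode; travels in the query string."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return urlencode(params)


def decode_redirect_binding(query_string):
    """Inverse of encode_redirect_binding: URL-decode, base64-decode, inflate."""
    params = parse_qs(query_string)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def encode_post_binding(xml, relay_state=None):
    """HTTP-POST binding: base64 only; travels as hidden form fields in a POST body."""
    fields = {"SAMLRequest": base64.b64encode(xml.encode("utf-8")).decode("ascii")}
    if relay_state:
        fields["RelayState"] = relay_state
    return fields


def decode_post_binding(form_fields):
    """Inverse of encode_post_binding: base64-decode the SAMLRequest form field."""
    return base64.b64decode(form_fields["SAMLRequest"]).decode("utf-8")


def parse_authn_request(xml):
    """Extract the attributes an IDP checks before authenticating the user."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return {
        "ID": root.get("ID"),
        "Issuer": issuer.text if issuer is not None else None,
        "Destination": root.get("Destination"),
        "ACS": root.get("AssertionConsumerServiceURL"),
    }


def validate_destination(info, expected_endpoint):
    """An IDP must reject a request whose Destination is not the endpoint it arrived at."""
    return info["Destination"] == expected_endpoint


def follow_302(method, body, location):
    """Model of a browser following a 302: it issues a GET to Location and drops any form body.
    A query string therefore survives only if the IDP copied it into the Location header."""
    return {"method": "GET", "url": location, "body": None}


if __name__ == "__main__":
    xml = build_authn_request("_c0ffee01", SP_ISSUER, SP_ACS_URL, IDP_SSO_URL, "2016-05-03T08:38:00Z")
    print("redirect query:", encode_redirect_binding(xml)[:60], "...")
    print("post fields   :", encode_post_binding(xml)["SAMLRequest"][:60], "...")
    print("after 302     :", follow_302("POST", encode_post_binding(xml), IDP_SSO_URL))
```

Run it stand-alone to see the two encodings side by side; on the IDP side, `decode_*` followed by `parse_authn_request` and `validate_destination` is the minimum check to perform before redirecting the user to a contract.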