NAM Identity Server fails to send SAML Authentication response when 2 connectors are used

  • 7018107
  • 28-Sep-2016
  • 18-Oct-2016

Environment

NetIQ Access Manager 4.2
NAM Identity Server x509 class configured with 2nd connector as per https://www.netiq.com/documentation/access-manager-42/admin/data/b1tvhkg.html#x509validation (Configuring X.509 Authentication to Provide Access Manager Error Message)

Situation

Two NIDP connectors are used to provide fallback authentication for Smartcard authentication.

They use a custom SAML-enabled application that acts as a SAML Service Provider (SP) using NAM as the IDP. The SAML-aware app only works with the POST binding.

With the current two-connector configuration, the SAML authentication request sent by the SAML SP app is not answered by the NAM IDP. With a single connector everything works: the SAML POST binding can be used and access to the SAML SP succeeds. However, the Smartcard fallback authentication needed for the Access Gateway protected applications is broken when only one connector is used.

Note too that if the SAML SP executes SP-initiated SSO using the POST binding, the NAM SAML IDP does not send an authentication response back to the SP with the two-connector model.

Authentication Flow:
------------------
1. The SP sends a SAML authentication request via POST to
POST /nidp/saml2/sso HTTP/1.1
Host: federation-qa.netiq.com

2. The NIDP server redirects to the second connector (the CONNECTOR_HOST setting in the X.509 method):
HTTP/1.1 302 Found
Location: https://auth.federation-qa.netiq.com/nidp/saml2/sso

3. The user is successfully authenticated:

<amLogEntry> 2016-05-03T08:38:00Z INFO NIDS Application: AM#500105013: AMDEVICEID#6A67917902546C57: AMAUTHID#DAA3F64EAFD5BFD468D9E3483E0B5465:  Authenticated user cn=ncashell,o=AUTH in User Store IDMVAULT LDAP with roles "authenticated". </amLogEntry>

4. No SAML authentication response generated
------------------

The problem does not occur if:

- only one connector is used or
- the SP uses the HTTP-Redirect binding (this works with two connectors, but the SAML SP enabled app does not work with the Redirect binding)
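The two bindings carry the same AuthnRequest XML; they differ only in how it is packed into the HTTP request. The HTTP-Redirect binding DEFLATE-compresses the XML, base64-encodes it and URL-encodes it into the query string of a GET; the HTTP-POST binding base64-encodes the uncompressed XML into a SAMLRequest form field. The following Python is an added example, not code from the TID or from NetIQ: it encodes a constructed AuthnRequest both ways, decodes each back, and classifies a captured SAMLRequest value so you can confirm from a trace which binding the SP actually used against /nidp/saml2/sso. The issuer, destination and request ID are placeholders.

```python
"""Added example: SAML 2.0 HTTP-Redirect vs HTTP-POST binding encoding.

Not part of the TID. Entity IDs, URLs and IDs below are constructed placeholders.
"""
import base64
import urllib.parse
import zlib

# Constructed sample AuthnRequest (placeholder issuer/destination/ID).
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-request-id" Version="2.0" IssueInstant="2016-05-03T08:37:55Z" '
    'Destination="https://idp.example.test/nidp/saml2/sso" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.example.test/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect_binding(xml: str, relay_state: str = "") -> str:
    """HTTP-Redirect binding: raw DEFLATE -> base64 -> URL-encoded query string."""
    # Negative wbits selects raw DEFLATE (no zlib header), as the binding requires.
    compressor = zlib.compressobj(wbits=-15)
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def saml_request_from_query(query: str) -> str:
    """Pull the (URL-decoded) SAMLRequest value out of a Redirect-binding query string."""
    return urllib.parse.parse_qs(query)["SAMLRequest"][0]


def decode_redirect_binding(query: str) -> str:
    """Reverse of encode_redirect_binding: base64-decode, then inflate raw DEFLATE."""
    raw = base64.b64decode(saml_request_from_query(query))
    return zlib.decompress(raw, wbits=-15).decode("utf-8")


def encode_post_binding(xml: str) -> dict:
    """HTTP-POST binding: plain base64 of the XML in a form field, no compression."""
    return {"SAMLRequest": base64.b64encode(xml.encode("utf-8")).decode("ascii")}


def decode_post_binding(form: dict) -> str:
    """Reverse of encode_post_binding."""
    return base64.b64decode(form["SAMLRequest"]).decode("utf-8")


def detect_binding(saml_request_value: str) -> str:
    """Classify a captured SAMLRequest value (form field or URL-decoded query value).

    A POST-binding value base64-decodes straight to XML; a Redirect-binding value
    base64-decodes to raw DEFLATE that inflates to XML.
    """
    raw = base64.b64decode(saml_request_value)
    if raw.lstrip().startswith(b"<"):
        return "HTTP-POST"
    try:
        inflated = zlib.decompress(raw, wbits=-15)
    except zlib.error:
        return "unknown"
    return "HTTP-Redirect" if inflated.lstrip().startswith(b"<") else "unknown"


if __name__ == "__main__":
    query = encode_redirect_binding(AUTHN_REQUEST, relay_state="constructed-state")
    print("Redirect binding:", detect_binding(saml_request_from_query(query)))
    form = encode_post_binding(AUTHN_REQUEST)
    print("POST binding:", detect_binding(form["SAMLRequest"]))
```

To check a real trace, paste the SAMLRequest value from the SP's GET query string (after URL-decoding) or from the POST form body into detect_binding; if it reports HTTP-POST, the request is on the path this TID says does not get a response from the two-connector IDP.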

Resolution

Upgrade to NAM 4.3.