SAML2 Federation failing when "Encrypt name identifiers" or "Encrypt Assertion" option is enabled

  • 7018553
  • 31-Jan-2017

Environment

NetIQ Access Manager 4.2
NetIQ Access Manager Identity Server
SAML 2.0 Federation
Encryption enabled for assertions

Situation

Access Manager's Identity Server was set up to federate with a number of different SAML 2.0 Service Providers. Everything was working fine: users could authenticate to the NAM Identity Server (IDP) and SSO to the remote SAML Service Providers (SPs). After a new SAML 2.0 SP was added to the configuration, users could not be SSO'd correctly; the remote SPs would complain about encryption-specific errors.

It turned out that the new SAML 2.0 SP required the name identifier within the assertion to be encrypted, and this option had been enabled for this SP on the NAM side. Adding a new NAM IDP server to act as an SP with the same setting (encrypted assertion enabled) showed the same problem, i.e. with the "Encrypt assertions" and "Encrypt name identifiers" options enabled, the SP would throw the following error when processing the assertion:

"An Identity Provider response was received that failed to authenticate this session. (300101021-D87D02A6F4B279C6)".

Resolution

This is fixed in 4.3. For the 4.2.1, 4.2.2 and 4.2.3 builds, the following workaround exists:

1. Save a backup copy of xmlsec.jar, found in /opt/novell/nids/lib/webapp/WEB-INF/lib/.

2. Save a backup copy of the org directory, found in /opt/novell/nids/lib/webapp/WEB-INF/classes/.

3. Get access to the 4.2.0 IDP installation files and untar the archive.

4. Find the rpm "novell-nidp-server-4.2.0.0-221.noarch.rpm" at [installer-path]/nids/.

5. To extract the rpm without installing it, use the following command:

    rpm2cpio novell-nidp-server-4.2.0.0-221.noarch.rpm | cpio -idmv

6. The files of the rpm are extracted into the same directory.

7. Navigate to [installer-path]/nids/opt/novell/nids/lib/webapp/WEB-INF/classes and copy the org directory to /opt/novell/nids/lib/webapp/WEB-INF/classes/.

8. Navigate to [installer-path]/nids/opt/novell/nids/lib/webapp/WEB-INF/lib and copy xmlsec.jar to /opt/novell/nids/lib/webapp/WEB-INF/lib/.

9. Restart the IDP Server using the command /etc/init.d/novell-idp restart.
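The workaround above as an added shell script, not part of the NetIQ article: it performs steps 1 to 9 with timestamped backups and refuses to copy anything unless both 4.2.0 files were actually extracted, so a wrong installer path cannot leave the IDP half-changed. It assumes root on the IDP host, rpm2cpio and cpio installed, and the untarred 4.2.0 installer path as its only argument; the NIDS_WEBINF variable, the function names and the .bak-<timestamp> suffix are this example's own, the paths and rpm name are the article's.

```shell
#!/bin/sh
# Added example, not from the NetIQ article: scripts steps 1-9 of the 4.2.x
# workaround. Assumes root on the IDP host, rpm2cpio/cpio installed, and the
# untarred 4.2.0 installer directory passed as the only argument. Paths and
# the rpm name are the article's; NIDS_WEBINF can be overridden for testing.
set -eu

NIDS_WEBINF="${NIDS_WEBINF:-/opt/novell/nids/lib/webapp/WEB-INF}"
RPM_NAME="novell-nidp-server-4.2.0.0-221.noarch.rpm"

# Steps 1-2: timestamped copies of the running xmlsec.jar and org/ so the
# roll-back to 4.2.0 code can itself be reverted later.
backup_current() {
    webinf="$1"; stamp="$2"
    cp -p "$webinf/lib/xmlsec.jar" "$webinf/lib/xmlsec.jar.bak-$stamp"
    cp -pR "$webinf/classes/org" "$webinf/classes/org.bak-$stamp"
}

# Steps 3-6: unpack the 4.2.0 rpm in place without installing it.
extract_rpm() {
    ( cd "$1/nids" && rpm2cpio "$RPM_NAME" | cpio -idmv )
}

# Steps 7-8: overlay the 4.2.0 org/ and xmlsec.jar onto the running IDP.
# Both sources must exist before anything is copied, so a wrong installer
# path cannot leave the IDP with a half-applied change.
copy_420_files() {
    src="$1/nids/opt/novell/nids/lib/webapp/WEB-INF"; webinf="$2"
    [ -d "$src/classes/org" ] && [ -f "$src/lib/xmlsec.jar" ] || {
        echo "4.2.0 files not found under $src" >&2; return 1; }
    cp -pR "$src/classes/org" "$webinf/classes/"
    cp -p "$src/lib/xmlsec.jar" "$webinf/lib/xmlsec.jar"
}

apply_workaround() {
    installer="$1"
    backup_current "$NIDS_WEBINF" "$(date +%Y%m%d%H%M%S)"
    extract_rpm "$installer"
    copy_420_files "$installer" "$NIDS_WEBINF"
    /etc/init.d/novell-idp restart   # step 9
}

# Without an argument only the functions are defined (script can be sourced).
[ $# -eq 0 ] || apply_workaround "$1"
```

Run it as `sh nam-420-rollback.sh [installer-path]`; keep the .bak-<timestamp> copies so the original 4.2.x xmlsec.jar and org directory can be restored if needed.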