Assertion validation fails with Ping Identity due to SubjectConfirmationData NotOnOrAfter timeout exceeding SAML conditions NotOnOrAfter timeout

  • 7018632
  • 17-Feb-2017
  • 23-Feb-2017

Environment

NetIQ Access Manager 4.3
NetIQ Access Manager 4.2
NetIQ Access Manager 4.1

Situation

The NAM SAML 2 Identity Server generates an assertion for a Ping Identity SP.
When the assertion is sent to the ACS, SSO fails with the standard error message about not being able to log in.
Debugging the SP shows the following message:

(reference# IJZGAXII) Response contains no valid assertions: [
Assertion (idxmi5oIRwBvZ0JPSxxmmdJadH8tc) Status: INVALID
Remarks:
(Profiles 4.1.4.2) assertion could not be confirmed - here's why: [#1 subject confirmation is unsatisfactory: [Time condition: for security reasons NotOnOrAfter (2016-09-26T23:38:29Z) cannot be more than 74 minutes ahead of the current time (2016-09-26T19:38:33.061Z)]]]. InMessageContext
 
Looking at the assertion, we see multiple time constraints which seem to invalidate the assertion. Specifically, the saml:SubjectConfirmationData NotOnOrAfter value lies outside (after) the timeframe given by the saml:Conditions NotOnOrAfter value, and it is the Conditions element that controls the overall validity of the assertion. The times in question, taken from the assertion, are shown below.
<saml:SubjectConfirmationData InResponseTo="bADTj-ddzziVjs.emIFXySxXMa6" NotOnOrAfter="2016-09-28T19:16:55Z"
               Recipient="https://federate.sidewalkpro.com:9031/sp/ACS.saml2" />
 
<saml:Conditions NotBefore="2016-09-28T15:11:55Z" NotOnOrAfter="2016-09-28T15:21:55Z">
 
The SubjectConfirmationData timeout is derived from the user's session timeout, which is set to 4 hours. That explains why the value in the confirmation data is exactly four hours ahead of the Conditions value.

The following site discusses these timeouts and the relevant SAML specifications:

http://stackoverflow.com/questions/29508906/notonorafter-in-subjectconfirmationdata-and-conditions-and-sessionnotonorafter

The core SAML spec says that the time frame in SubjectConfirmationData should fall within the time frame in the Conditions. They have a few options.
1. Leave out the SubjectConfirmation (parent to SubjectConfirmationData) element entirely, as it is optional.
2. Include the SubjectConfirmation and leave out the SubjectConfirmationData element, as it is optional.
3. Include the SubjectConfirmationData element and leave out the NotOnOrAfter attribute, as it is optional.
4. Adjust the SubjectConfirmationData attributes (NotBefore and/or NotOnOrAfter) time values so they are within the times specified by the Conditions element.
 

Resolution

Apply NAM 4.3.1.
 
With NAM 4.3, the 'SubjectConfirmationData' derives its 'NotOnOrAfter' from the session timeout defined in the Authentication Contract, whereas 'Conditions' builds its 'NotOnOrAfter' from the assertion validity in the SAML configuration.

The fix in 4.3.1 checks whether the former is less than the latter and, if so, uses it as the 'NotOnOrAfter' attribute of 'SubjectConfirmationData'. If not, the 'NotOnOrAfter' attribute is set to the latter in both the 'SubjectConfirmationData' and 'Conditions' elements of the assertion.
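The following script is an added example, not code from the TID or from NetIQ/Ping: it reproduces the SP-side time checks that rejected the assertion above (SubjectConfirmationData NotOnOrAfter inside the Conditions window, and not more than 74 minutes ahead of the current time) and the IdP-side rule the 4.3.1 fix applies (take the earlier of the session expiry and the assertion expiry). The assertion fragment, the InResponseTo value and the Recipient URL are constructed for the example; only the timestamps are the ones quoted in the TID.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion using the timestamps quoted in the TID: the
# SubjectConfirmationData expiry lies about four hours past the Conditions window.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed">
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_constructed-request-id"
          NotOnOrAfter="2016-09-28T19:16:55Z"
          Recipient="https://sp.example.com/sp/ACS.saml2" />
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2016-09-28T15:11:55Z" NotOnOrAfter="2016-09-28T15:21:55Z" />
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse a SAML xsd:dateTime given in UTC with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion_times(xml_text, now, max_ahead=timedelta(minutes=74)):
    """Return a list of findings; an empty list means the time constraints hold.
    max_ahead mirrors the 74-minute sanity limit the Ping SP reported (assumed default)."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", SAML_NS)
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", SAML_NS)
    findings = []
    cond_nb = parse_saml_time(cond.get("NotBefore"))
    cond_noa = parse_saml_time(cond.get("NotOnOrAfter"))
    if not (cond_nb <= now < cond_noa):
        findings.append("Conditions window does not contain the current time")
    if scd is not None and scd.get("NotOnOrAfter"):
        scd_noa = parse_saml_time(scd.get("NotOnOrAfter"))
        if scd_noa > cond_noa:  # spec: SCD window must fall within Conditions window
            findings.append("SubjectConfirmationData NotOnOrAfter lies outside the Conditions window")
        if scd_noa - now > max_ahead:  # SP-side sanity limit seen in the log
            minutes = int(max_ahead.total_seconds() // 60)
            findings.append(f"SubjectConfirmationData NotOnOrAfter is more than {minutes} minutes ahead of now")
    return findings


def subject_confirmation_expiry(session_expiry, conditions_expiry):
    """IdP-side rule from the 4.3.1 fix: keep the session-based expiry only when it
    ends before the assertion's Conditions expiry; otherwise use the Conditions value."""
    return min(session_expiry, conditions_expiry)
```

Running the checks with a current time inside the Conditions window reproduces both findings for the sample; rewriting the SubjectConfirmationData expiry to the value returned by subject_confirmation_expiry clears them.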