Environment
- Access Manager 4.5.2
Situation
- Access Manager IDP servers have been upgraded from NAM 4.5.1 to NAM 4.5.2
- Access Manager has been configured to act as a SAML2 Identity Provider
- After upgrading to NAM 4.5.2, the IDP servers report "ACS Index and the ProtocolBinding attributes are mutually exclusive as per the SAML2" for SAML2 SPs such as SAP and Qlik
- These SPs send a SAML2 AuthnRequest that only uses the AssertionConsumerServiceIndex attribute, without including any ProtocolBinding
Example:
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_3737fbb0-23b8-42a0-8625-8feeb84ebe0c"
    Version="2.0"
    IssueInstant="2020-05-12T06:33:52.042Z"
    ForceAuthn="false"
    IsPassive="false"
    AssertionConsumerServiceIndex="2">
  <saml:Issuer>https://saml2sp.kgast.nam.com</saml:Issuer>
</samlp:AuthnRequest>
- The corresponding metadata for the SP defines all required endpoints correctly, including the ACS endpoint with index 2 referenced by the request
Example:
SingleLogoutService
  Binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
  Location = https://samlsp2.kgast.nam.com/samlnam/samlauthn/slo/
  Binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
  Location = https://samlsp2.kgast.nam.com/samlnam/samlauthn/slo/
NameIDFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:transient
AssertionConsumerService
  Binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
  Location = https://samlsp2.kgast.nam.com/samlnam/samlauthn/
  index = 1
  isDefault = false
AssertionConsumerService
  Binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
  Location = https://samlsp2.kgast.nam.com/samlnam/samlauthn/
  index = 2
  isDefault = true
Resolution
- This issue has been identified as a bug and has been reported to engineering
- The only current workaround is to configure the SP to send a SAML2 AuthnRequest that carries a ProtocolBinding attribute instead of the AssertionConsumerServiceIndex
Example:
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable"
    ForceAuthn="false"
    ID="idHnKoxCrejnH-zOjL0S4TSC6A3uM"
    IsPassive="false"
    IssueInstant="2020-05-20T12:48:44Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer>https://idpa.kgast.nam.com:8443/nidp/saml2/metadata</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>com:mf:ext:contract:level1</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Additional Information
The SAML2 core specification allows an AuthnRequest to use either the AssertionConsumerServiceIndex attribute or the ProtocolBinding (and AssertionConsumerServiceURL) attributes, but not both. The relevant text from the specification:
AssertionConsumerServiceIndex [Optional]
Indirectly identifies the location to which the <Response> message should be returned to the requester. It applies only to profiles in which the requester is different from the presenter, such as the Web Browser SSO profile in [SAMLProf]. The identity provider MUST have a trusted means to map the index value in the attribute to a location associated with the requester. [SAMLMeta] provides one possible mechanism. If omitted, then the identity provider MUST return the <Response> message to the default location associated with the requester for the profile of use. If the index specified is invalid, then the identity provider MAY return an error <Response> or it MAY use the default location. This attribute is mutually exclusive with the AssertionConsumerServiceURL and ProtocolBinding attributes.
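The following is an added example (not Access Manager code) of how an IdP should apply the rule quoted above: an AuthnRequest carrying AssertionConsumerServiceIndex is rejected if it also carries ProtocolBinding or AssertionConsumerServiceURL, the index is resolved only through the SP's metadata, and a request with neither attribute falls back to the SP's default ACS. The SP metadata embedded in the code is constructed to mirror the ACS endpoints listed in this article.

```python
"""Resolve the ACS endpoint for a SAML2 AuthnRequest per the SAML2 core rule:
index XOR (ProtocolBinding/URL), with the index mapped via SP metadata."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed SP metadata mirroring the ACS endpoints listed in the article.
SP_METADATA = """<md:EntityDescriptor entityID="https://saml2sp.kgast.nam.com"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1" isDefault="false"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://samlsp2.kgast.nam.com/samlnam/samlauthn/"/>
    <md:AssertionConsumerService index="2" isDefault="true"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://samlsp2.kgast.nam.com/samlnam/samlauthn/"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def acs_endpoints(metadata_xml):
    """Map ACS index -> (Binding, Location, isDefault) from SP metadata."""
    root = ET.fromstring(metadata_xml)
    return {int(e.get("index")): (e.get("Binding"), e.get("Location"),
                                  e.get("isDefault") == "true")
            for e in root.iterfind(".//md:AssertionConsumerService", NS)}

def resolve_acs(authn_request_xml, metadata_xml):
    """Return (Binding, Location) the Response must go to, or raise ValueError."""
    req = ET.fromstring(authn_request_xml)
    if req.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    index = req.get("AssertionConsumerServiceIndex")
    binding = req.get("ProtocolBinding")
    url = req.get("AssertionConsumerServiceURL")
    endpoints = acs_endpoints(metadata_xml)
    if index is not None:
        # SAML2 core: the index is mutually exclusive with URL and ProtocolBinding.
        if binding is not None or url is not None:
            raise ValueError("ACS index and ProtocolBinding/URL are mutually exclusive")
        if int(index) not in endpoints:
            raise ValueError("ACS index %s not in SP metadata" % index)
        return endpoints[int(index)][:2]
    # No index: filter metadata endpoints by requested binding/URL (a URL not in
    # the metadata is never trusted) and prefer the SP's default ACS.
    cands = [e for e in endpoints.values()
             if (binding is None or e[0] == binding) and (url is None or e[1] == url)]
    if not cands:
        raise ValueError("no ACS in SP metadata matches the request")
    cands.sort(key=lambda e: not e[2])  # isDefault endpoint first
    return cands[0][:2]
```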