Access Manager 4.5.2 IDP server error: ACS Index and the ProtocolBinding attributes are mutually exclusive as per the SAML2

  • 7024640
  • 20-May-2020
  • 20-May-2020

Environment

  • Access Manager 4.5.2

Situation

  • The Access Manager IDP server has been upgraded from NAM 4.5.1 to NAM 4.5.2
  • Access Manager has been configured to act as a SAML2 Identity Provider
  • After upgrading to NAM 4.5.2, the IDP servers report "ACS Index and the ProtocolBinding attributes are mutually exclusive as per the SAML2" for SAML2 SPs such as SAP and Qlik
  • The SAML2 AuthnRequest sent by these SPs only uses the AssertionConsumerServiceIndex attribute and does not include any ProtocolBinding attribute
Example:

<samlp:AuthnRequest
    ID="_3737fbb0-23b8-42a0-8625-8feeb84ebe0c" Version="2.0"
    IssueInstant="2020-05-12T06:33:52.042Z"
    ForceAuthn="false"
    IsPassive="false"
    AssertionConsumerServiceIndex="2">
    <saml:Issuer>https://saml2sp.kgast.nam.com</saml:Issuer>
</samlp:AuthnRequest>
  • The corresponding metadata for the SP defines all required endpoints correctly
Example:

SingleLogoutService
    Binding   = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
    Location  = https://samlsp2.kgast.nam.com/samlnam/samlauthn/slo/
SingleLogoutService
    Binding   = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
    Location  = https://samlsp2.kgast.nam.com/samlnam/samlauthn/slo/
NameIDFormat
    urn:oasis:names:tc:SAML:2.0:nameid-format:transient
AssertionConsumerService
    Binding   = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
    Location  = https://samlsp2.kgast.nam.com/samlnam/samlauthn/
    index     = 1
    isDefault = false
AssertionConsumerService
    Binding   = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
    Location  = https://samlsp2.kgast.nam.com/samlnam/samlauthn/
    index     = 2
    isDefault = true

Resolution

  • This issue has been identified as a bug and has been reported to engineering

  • The only current workaround is to have the SP send a SAML AuthnRequest that includes the ProtocolBinding attribute instead of the AssertionConsumerServiceIndex attribute
Example:

<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable"
    ForceAuthn="false"
    ID="idHnKoxCrejnH-zOjL0S4TSC6A3uM"
    IsPassive="false"
    IssueInstant="2020-05-20T12:48:44Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
    <saml:Issuer>https://idpa.kgast.nam.com:8443/nidp/saml2/metadata</saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
    <samlp:RequestedAuthnContext Comparison="minimum">
        <saml:AuthnContextClassRef>com:mf:ext:contract:level1</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Additional Information

According to the SAML2 Core specification, an AuthnRequest may carry either the AssertionConsumerServiceIndex attribute or the ProtocolBinding (and AssertionConsumerServiceURL) attributes, but not both:

AssertionConsumerServiceIndex [Optional]

Indirectly identifies the location to which the <Response> message should be returned to the requester. It applies only to profiles in which the requester is different from the presenter, such as the Web Browser SSO profile in [SAMLProf]. The identity provider MUST have a trusted means to map the index value in the attribute to a location associated with the requester. [SAMLMeta] provides one possible mechanism. If omitted, then the identity provider MUST return the <Response> message to the default location associated with the requester for the profile of use. If the index specified is invalid, then the identity provider MAY return an error <Response> or it MAY use the default location. This attribute is mutually exclusive with the AssertionConsumerServiceURL and ProtocolBinding attributes.
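The following is an added example, not code from the TID or from Access Manager, showing how an IDP should apply the rule quoted above: reject a request that carries both attributes, but accept an index-only request by mapping the index to an ACS location through the SP's metadata. The metadata entries are transcribed from the SP metadata listed in the Situation section; the sample request is constructed from the article's index-only AuthnRequest with namespace declarations added.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# AssertionConsumerService entries transcribed from the SP metadata in the article
SP_ACS = [
    {"index": 1, "binding": HTTP_REDIRECT, "isDefault": False,
     "location": "https://samlsp2.kgast.nam.com/samlnam/samlauthn/"},
    {"index": 2, "binding": HTTP_POST, "isDefault": True,
     "location": "https://samlsp2.kgast.nam.com/samlnam/samlauthn/"},
]

# Constructed request modelled on the article's index-only AuthnRequest (namespaces added)
INDEX_ONLY_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_3737fbb0-23b8-42a0-8625-8feeb84ebe0c" Version="2.0" '
    'IssueInstant="2020-05-12T06:33:52.042Z" ForceAuthn="false" IsPassive="false" '
    'AssertionConsumerServiceIndex="2">'
    '<saml:Issuer>https://saml2sp.kgast.nam.com</saml:Issuer></samlp:AuthnRequest>'
)


def resolve_acs(authn_request_xml, acs_entries):
    """Return (binding, location) the <Response> must go to, or raise ValueError."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest")
    index = root.get("AssertionConsumerServiceIndex")
    url = root.get("AssertionConsumerServiceURL")
    binding = root.get("ProtocolBinding")
    # SAML Core 3.4.1: the index is mutually exclusive with URL and ProtocolBinding
    if index is not None and (url is not None or binding is not None):
        raise ValueError("AssertionConsumerServiceIndex is mutually exclusive "
                         "with ProtocolBinding/AssertionConsumerServiceURL")
    if index is not None:
        # Index alone is valid: map it via the trusted SP metadata, never via the request
        for acs in acs_entries:
            if acs["index"] == int(index):
                return acs["binding"], acs["location"]
        raise ValueError("no ACS with index %s in SP metadata" % index)
    if url is not None:
        # A requested URL is only honoured if it matches a metadata endpoint
        for acs in acs_entries:
            if acs["location"] == url and binding in (None, acs["binding"]):
                return acs["binding"], acs["location"]
        raise ValueError("AssertionConsumerServiceURL not found in SP metadata")
    # Neither index nor URL: use the SP's default ACS, filtered by binding if one was given
    for acs in acs_entries:
        if acs["isDefault"] and binding in (None, acs["binding"]):
            return acs["binding"], acs["location"]
    raise ValueError("no default ACS matching the requested ProtocolBinding")
```

Checking the request against metadata rather than trusting any URL it carries is also what keeps the Response from being redirected to an endpoint the SP never registered.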