Environment
- Access Manager 4.5.3
Situation
- NAM IDP has been configured as SAML2 Identity Provider
- 3rd Party SAML2 Service Provider:
- using SAML2 Redirect Binding for Authentication Requests
- creating dynamic AssertionConsumerServiceURL
- metadata includes:
- SHA256 Signed Authentication Request
- SP Advanced Options configured
- with Application and SAML2 debug logging turned on, the following error has been logged in catalina.out:
<amLogEntry> 2021-01-29T07:34:45Z INFO NIDS Application: AM#500105039: AMDEVICEID#902CE8D0987577CC: AMAUTHID#b722a190fb32299d316e4d6833f079b0bd6cbf87aadfb87a2a984a4bb0b82a82: Error on session id b722a190fb32299d316e4d6833f079b0bd6cbf87aadfb87a2a984a4bb0b82a82, error ACS URL in unsigned request could not be verified-902CE8D0987577CC, Unable to complete request at this time.:ACS URL in unsigned request could not be verified: </amLogEntry>
- users will receive the error:
Resolution
Additional Information
The SAML2 specification defines:
AssertionConsumerServiceURL [Optional]
Specifies by value the location to which the <Response> message MUST be returned to the requester. The responder MUST ensure by some means that the value specified is in fact associated with the requester. [SAMLMeta] provides one possible mechanism; signing the enclosing <AuthnRequest> message is another. This attribute is mutually exclusive with the AssertionConsumerServiceIndex attribute and is typically accompanied by the ProtocolBinding attribute.
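The two mechanisms the specification names (metadata and a signature on the request) are the only ways an IdP can tie an AssertionConsumerServiceURL to the requester; a dynamic ACS URL that is not listed in the SP's metadata can therefore only be accepted when the request's signature verifies against the SP's registered certificate, and a request the IdP treats as unsigned ends in exactly the "ACS URL in unsigned request could not be verified" outcome logged above. The following Python is an added illustration of that decision logic for the HTTP-Redirect binding; it is not Access Manager code. The AuthnRequest, the metadata ACS list and the `verify_signature` hook are constructed assumptions: the hook stands in for the IdP's real RSA/ECDSA verification and is not implemented here.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlencode

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: the ACS endpoints the IdP learned from the SP's metadata.
METADATA_ACS_URLS = {"https://sp.example.test/saml/acs"}

# Constructed sample AuthnRequest carrying a *dynamic* ACS URL that is not in metadata.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_abc123" Version="2.0" IssueInstant="2021-01-29T07:34:45Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://sp.example.test/tenant42/saml/acs">'
    "<saml:Issuer>https://sp.example.test</saml:Issuer>"
    "</samlp:AuthnRequest>"
)


def encode_redirect_request(xml_text, relay_state=None, sig_alg=None, signature=None):
    """Build the query string of an HTTP-Redirect binding request:
    raw DEFLATE (no zlib header), base64, then URL-encode each parameter.
    `signature` is the raw signature bytes; it is base64-encoded here."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    params = [("SAMLRequest", base64.b64encode(deflated).decode("ascii"))]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    if sig_alg is not None:
        params.append(("SigAlg", sig_alg))
    if signature is not None:
        params.append(("Signature", base64.b64encode(signature).decode("ascii")))
    return urlencode(params)


def decode_redirect_request(query_string):
    """Parse the query string, inflate SAMLRequest and return (params, root element).
    A production IdP should parse untrusted XML with defusedxml or an equivalent."""
    params = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    xml_bytes = zlib.decompress(base64.b64decode(params["SAMLRequest"]), -15)
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return params, root


def redirect_signed_data(params):
    """The octets a redirect-binding signature covers: the URL-encoded SAMLRequest,
    RelayState (if present) and SigAlg values, in that order. A real verifier must
    use the parameter values exactly as they were transmitted on the wire."""
    parts = ["SAMLRequest=" + quote(params["SAMLRequest"], safe="")]
    if "RelayState" in params:
        parts.append("RelayState=" + quote(params["RelayState"], safe=""))
    parts.append("SigAlg=" + quote(params["SigAlg"], safe=""))
    return "&".join(parts).encode("ascii")


def check_acs_url(query_string, metadata_acs_urls, verify_signature):
    """Decide whether the ACS URL in the request is associated with the requester.

    verify_signature(signed_data, signature_bytes, sig_alg) -> bool is a hypothetical
    hook for the IdP's signature check against the SP's registered signing certificate.
    """
    params, req = decode_redirect_request(query_string)
    acs_url = req.get("AssertionConsumerServiceURL")
    if acs_url is None:
        return "no-acs-url"  # index-based selection: resolved from metadata instead
    if acs_url in metadata_acs_urls:
        return "accepted-metadata"  # mechanism 1: [SAMLMeta]
    # Not in metadata: only a verified signature can vouch for a dynamic ACS URL.
    if "Signature" in params and "SigAlg" in params:
        sig = base64.b64decode(params["Signature"])
        if verify_signature(redirect_signed_data(params), sig, params["SigAlg"]):
            return "accepted-signature"  # mechanism 2: signed AuthnRequest
        return "rejected-bad-signature"
    return "rejected-unsigned-acs-url"  # the case behind the logged error


if __name__ == "__main__":
    unsigned = encode_redirect_request(SAMPLE_AUTHN_REQUEST)
    print(check_acs_url(unsigned, METADATA_ACS_URLS, lambda d, s, a: False))
```

Running the block prints `rejected-unsigned-acs-url` for the constructed request, because its ACS URL is absent from metadata and the query carries no SigAlg/Signature parameters. Note that in the Redirect binding the signature lives in query parameters next to SAMLRequest, not inside the deflated XML, so a check that only inspects the XML for a ds:Signature element will treat a correctly signed redirect request as unsigned.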