SAML AuthnRequest fails with error "ACS URL in unsigned request could not be verified" at NAM IDP server after upgrade to 4.5.3

  • 7024995
  • 29-Jan-2021
  • 29-Jan-2021

Environment

  • Access Manager 4.5.3

Situation

  • NAM IDP has been configured as a SAML2 Identity Provider

  • 3rd party SAML2 Service Provider:

    • using SAML2 Redirect Binding for Authentication Requests

    • creating dynamic AssertionConsumerServiceURL

    • metadata includes:

    • SHA256 signed Authentication Request

    • SP Advanced Options configured

  • with Application and SAML2 debug logging turned on, the following error is logged in catalina.out:

    <amLogEntry> 2021-01-29T07:34:45Z INFO NIDS Application: AM#500105039: AMDEVICEID#902CE8D0987577CC: AMAUTHID#b722a190fb32299d316e4d6833f079b0bd6cbf87aadfb87a2a984a4bb0b82a82: Error on session id b722a190fb32299d316e4d6833f079b0bd6cbf87aadfb87a2a984a4bb0b82a82, error ACS URL in unsigned request could not be verified-902CE8D0987577CC, Unable to complete request at this time.:ACS URL in unsigned request could not be verified: </amLogEntry>

  • users will receive the error:

Resolution

  • add the following option to your SP configuration:

    IGNORE_ACS_METADATA_CHECK = true

Additional Information

The SAML2 specification defines:
AssertionConsumerServiceURL [Optional]
Specifies by value the location to which the <Response> message MUST be returned to the requester. The responder MUST ensure by some means that the value specified is in fact associated with the requester. [SAMLMeta] provides one possible mechanism; signing the enclosing <AuthnRequest> message is another. This attribute is mutually exclusive with the AssertionConsumerServiceIndex attribute and is typically accompanied by the ProtocolBinding attribute.
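The following is an added example, not NetIQ/Micro Focus code, showing the ACS URL policy the quoted specification text describes: an AssertionConsumerServiceURL sent by value is accepted when it matches a Location in the SP metadata or when the enclosing AuthnRequest carries a verified signature. It also models the dynamic ACS URL from the Situation above and what the resolution changes. Everything in it is assumed rather than taken from the article: the sample metadata and requests are constructed, XML-DSig verification is out of scope so the signature result is passed in as a boolean, and IGNORE_ACS_METADATA_CHECK is modelled only as "skip the metadata comparison", since the article states nothing more about the option than that it resolves the error.

```python
"""Added example (not NetIQ/Micro Focus code): the ACS URL verification
policy from the SAML2 spec text quoted above, applied to an AuthnRequest
before an IDP would build a Response.

Assumptions (not from the KB article): SP metadata and the AuthnRequest
are XML strings; XML-DSig verification is out of scope, so the signature
result is a caller-supplied boolean; IGNORE_ACS_METADATA_CHECK is modelled
as "skip the metadata comparison" only."""
import xml.etree.ElementTree as ET  # use defusedxml for untrusted XML in production
from typing import Optional, Set
from xml.sax.saxutils import escape

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample SP metadata publishing two ACS endpoints.
SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs-alt"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def make_authn_request(acs_url: str) -> str:
    """Build a constructed AuthnRequest that sends AssertionConsumerServiceURL by value."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'ID="_constructed-request-1" Version="2.0" IssueInstant="2021-01-29T07:34:45Z" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        'AssertionConsumerServiceURL="%s"/>' % escape(acs_url, {'"': "&quot;"})
    )


def registered_acs_urls(metadata_xml: str) -> Set[str]:
    """All AssertionConsumerService Location values published in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    return {
        el.attrib["Location"]
        for el in root.iterfind(".//md:AssertionConsumerService", NS)
        if "Location" in el.attrib
    }


def requested_acs_url(authn_request_xml: str) -> Optional[str]:
    """The AssertionConsumerServiceURL attribute, or None when the SP relied on index/default."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    return root.attrib.get("AssertionConsumerServiceURL")


def acs_url_decision(authn_request_xml: str, metadata_xml: str,
                     signature_verified: bool,
                     ignore_metadata_check: bool = False) -> str:
    """Classify how (or whether) the requested ACS URL was bound to the requester.

    Returns one of:
      "no-acs-url"  attribute absent; the IDP uses the metadata ACS by index/default
      "metadata"    exact match with a Location in SP metadata (the [SAMLMeta] mechanism)
      "signature"   bound by a verified signature on the enclosing AuthnRequest
      "unverified"  accepted only because the metadata check was disabled; neither
                    spec mechanism applied, so this is the outcome worth logging
      "rejected"    unsigned and not in metadata: the error the article reports
    """
    acs = requested_acs_url(authn_request_xml)
    if acs is None:
        return "no-acs-url"
    if acs in registered_acs_urls(metadata_xml):
        return "metadata"
    if signature_verified:
        return "signature"
    if ignore_metadata_check:
        return "unverified"
    return "rejected"


if __name__ == "__main__":
    dynamic = "https://sp.example.test/saml/acs?tenant=42"  # dynamic ACS URL, as in the Situation
    cases = [
        ("registered ACS, unsigned", make_authn_request("https://sp.example.test/saml/acs"), False, False),
        ("dynamic ACS, unsigned", make_authn_request(dynamic), False, False),
        ("dynamic ACS, signature verified", make_authn_request(dynamic), True, False),
        ("dynamic ACS, unsigned, IGNORE_ACS_METADATA_CHECK", make_authn_request(dynamic), False, True),
    ]
    for label, req, signed, ignore in cases:
        print("%s: %s" % (label, acs_url_decision(req, SP_METADATA, signed, ignore)))
```

The "unverified" outcome is the one to keep an eye on after applying the resolution: with the option set and a request the IDP treats as unsigned, the ACS URL is accepted with neither of the two mechanisms the specification requires, so confirming that request signature verification is actually in effect for the SP is the compensating check.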