Environment
- Access Manager 4.4.x
- Access Manager 4.5.x
- Access Manager 5.0
Situation
- Access Manager IDP server has been configured as SAML2 Identity Provider
- 3rd Party SAML2 Service Provider Metadata does not include any encryption or signing certificate but instead uses a key reference of the form:
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyName>SPSigningCertificateName</ds:KeyName>
</ds:KeyInfo>
NAM IDP server returns:
.....
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
</samlp:StatusCode>
</samlp:Status>
....
Resolution
- add the signing and encryption certificate to the already imported metadata using iManager
- or create a complete new metadata document storing the encryption and signing certificates inside a "<ds:X509Data>" XML element
- an Enhancement Request has been added for the feature at:
https://community.microfocus.com/cyberres/accessmanager/i/accmanideas/saml-2-0-support-of-ds-keyname.
In case you require the same functionality you can raise your vote for it.
Cause
- using the "<ds:KeyName>" XML Signature element as a key reference is not supported by any version of Micro Focus Access Manager
Additional Information
The <ds:KeyName> element is a certificate name referencing a certificate in a given keystore. The advantage of using just a reference is that no new metadata has to be created and distributed in case a new signing / encryption certificate has been assigned. This has not yet been implemented with Access Manager.
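The following script is an added example and not part of this KB article or of the Access Manager product. It shows how to audit a Service Provider metadata document before importing it into the IDP: it lists every md:KeyDescriptor and reports whether it carries a ds:X509Certificate (the shape Access Manager accepts) or only a ds:KeyName reference (the shape that produces the RequestDenied status above). It also shows the second resolution from this article, rewriting the metadata so the certificate is embedded in ds:X509Data. The entityID, the KeyName and the certificate text are constructed placeholders; a real run would pass the base64 DER of the SP's actual certificate.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample SP metadata (not real-world data): the signing
# KeyDescriptor only references a key by name, the encryption one embeds
# a certificate. Placeholder entityID and certificate text.
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:KeyName>SPSigningCertificateName</ds:KeyName>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIB-PLACEHOLDER-BASE64-DER</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def audit_key_descriptors(metadata_xml):
    """Return one record per md:KeyDescriptor: its 'use', whether an
    X509Certificate is embedded, and any ds:KeyName reference found."""
    root = ET.fromstring(metadata_xml)
    findings = []
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        # A KeyDescriptor without 'use' applies to both signing and encryption.
        use = kd.get("use", "signing+encryption")
        has_x509 = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
        keyname_el = kd.find("ds:KeyInfo/ds:KeyName", NS)
        keyname = keyname_el.text.strip() if keyname_el is not None and keyname_el.text else None
        findings.append({"use": use, "has_x509": has_x509, "keyname": keyname})
    return findings


def unsupported_descriptors(findings):
    """Descriptors the IDP cannot use: no embedded certificate at all."""
    return [f for f in findings if not f["has_x509"]]


def inline_certificates(metadata_xml, certs_by_keyname):
    """Embed a ds:X509Data/ds:X509Certificate into every KeyDescriptor that
    only has a KeyName, using the mapping KeyName -> base64 DER certificate.
    Returns (rewritten_xml, list_of_keynames_with_no_certificate_supplied)."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)  # keep md:/ds: prefixes on output
    root = ET.fromstring(metadata_xml)
    missing = []
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        keyinfo = kd.find("ds:KeyInfo", NS)
        if keyinfo is None or keyinfo.find("ds:X509Data/ds:X509Certificate", NS) is not None:
            continue  # nothing to do: already carries a certificate
        keyname_el = keyinfo.find("ds:KeyName", NS)
        name = keyname_el.text.strip() if keyname_el is not None and keyname_el.text else None
        if name not in certs_by_keyname:
            missing.append(name)
            continue
        x509data = ET.SubElement(keyinfo, f"{{{NS['ds']}}}X509Data")
        cert_el = ET.SubElement(x509data, f"{{{NS['ds']}}}X509Certificate")
        cert_el.text = certs_by_keyname[name]
    return ET.tostring(root, encoding="unicode"), missing


if __name__ == "__main__":
    for f in audit_key_descriptors(SAMPLE_SP_METADATA):
        state = "ok (X509Certificate present)" if f["has_x509"] else "UNSUPPORTED (KeyName only)"
        print(f"use={f['use']:<20} {state}  keyname={f['keyname']}")
    fixed_xml, missing = inline_certificates(
        SAMPLE_SP_METADATA, {"SPSigningCertificateName": "MIIB-PLACEHOLDER-SIGNING-CERT"})
    print("unresolved KeyNames after rewrite:", missing)
    print("unsupported after rewrite:", unsupported_descriptors(audit_key_descriptors(fixed_xml)))
```

Run it against the SP's real metadata file by replacing SAMPLE_SP_METADATA with the file contents; any descriptor flagged UNSUPPORTED is one the IDP will not be able to use for signature validation or encryption until a certificate is added, either in iManager or by producing the rewritten document. The rewrite keeps the original ds:KeyName alongside the new ds:X509Data, which is valid XML Signature KeyInfo and preserves the SP's own reference.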
Troubleshooting
- turn on the following logging options:
- use a browser client with a SAML Tracer plugin or a Windows workstation with Fiddler installed to review the flow and all SAML2 messages routed through the browser client
- For XML Signature validation you can reference KB 7024052 which includes all the required steps to add the required debug output