NAM IDP acting as SAML2 IDP server returns "RequestDenied" in response to SAML2 AuthnRequest

  • 7025198
  • 20-Jul-2021
  • 20-Jul-2021


  • Access Manager 4.4.x
  • Access Manager 4.5.x
  • Access Manager 5.0


  • Access Manager IDP server has been configured as SAML2 Identity Provider

  • 3rd party SAML2 Service Provider metadata does not include any encryption or signing certificate but instead references the key by name using:

    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:KeyName><!-- alias of the certificate in the SP keystore --></ds:KeyName>
    </ds:KeyInfo>



  • NAM IDP server returns:

      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
      </samlp:StatusCode>




  • Referencing the signing or encryption key with a <ds:KeyName> element in the XML Signature KeyInfo is not supported by any version of Micro Focus Access Manager

Additional Information

The <ds:KeyName> element carries a certificate name that references a certificate in a given keystore. The advantage of using only a reference is that no new metadata has to be created and distributed when a new signing or encryption certificate is assigned. This has not yet been implemented in Access Manager.
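An added example (not from this article or from Access Manager itself) that performs the pre-import check the situation and the paragraph above imply: parse the SP metadata and report, for each KeyDescriptor, whether it embeds an X509Certificate or only carries a <ds:KeyName> reference, which NAM cannot resolve. The entity ID, key name and certificate value in the embedded sample are constructed.

```python
# Added example, not from the KB article: flag SAML2 SP KeyDescriptors that
# reference a key by <ds:KeyName> instead of embedding <ds:X509Certificate>.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_sp_metadata(xml_text):
    """One finding per <md:KeyDescriptor> under the SPSSODescriptor: its 'use'
    ("any" when absent), whether it embeds an X509Certificate, and the
    <ds:KeyName> values it references instead."""
    root = ET.fromstring(xml_text)
    findings = []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        findings.append({
            "use": kd.get("use", "any"),
            "embeds_certificate": kd.find(
                "ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None,
            "key_names": [(kn.text or "").strip()
                          for kn in kd.iterfind("ds:KeyInfo/ds:KeyName", NS)],
        })
    return findings

def unsupported_key_references(xml_text):
    """KeyName values NAM cannot use: those in descriptors with no embedded cert."""
    return [name for f in check_sp_metadata(xml_text)
            if not f["embeds_certificate"] for name in f["key_names"]]

# Constructed sample: signing key referenced by name only (the unsupported case),
# encryption key embedded as a certificate (placeholder value, not a real cert).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:KeyName>sp-signing-2021</ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-PLACEHOLDER-NOT-A-REAL-CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(unsupported_key_references(SAMPLE_SP_METADATA))  # → ['sp-signing-2021']
```

Run it against the real SP metadata before importing it into the IDP; any name it prints will produce the RequestDenied status described above until the SP publishes the certificate itself.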


  • turn on the following logging options:
  • use a browser client with a SAML tracer plugin, or a Windows workstation with Fiddler installed, to review the flow and all SAML2 messages routed through the browser client

  • For XML Signature validation, see KB 7024052, which lists all the steps required to enable the necessary debug output