NAM IDP sends malformed SAML Authentication response rejected "samlp:StatusMessage" message

  • 7023834
  • 23-Apr-2019
  • 23-Apr-2019

Environment

  • Access Manager 4.4
  • Access Manager 4.4.1
  • Access Manager 4.4.2
  • Access Manager 4.4.3
  • Access Manager 4.4.4
  • Access Manager 4.5

Situation

  • IDP Brokering has been configured (Brokering Group + Brokering Rule)

  • NAM IDP server acts as SAML2 IDP

  • ADFS acts as SAML2 SP

  • When processing of the Brokering Rule results in the action Deny, the IDP server sends a SAML Response with the status code RequestDenied and a status message such as "Authorization is failed":

    Example:
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Consent="urn:oasis:names:tc:SAML:2.0:consent:obtained" Destination="https://idpa.kgast.nam.com:8443/nidp/saml2/spassertion_consumer" ID="id8Vr8PxVJlCV5uvxs3MDmvN4lGGE" InResponseTo="idyH7SKBGxf1TF8PMI5IcvQVZPATE" IssueInstant="2019-04-11T08:37:08Z" Version="2.0">
        <saml:Issuer>https://idpa31.kgast.nam.com:8443/nidp/saml2/metadata</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <CanonicalizationMethod xmlns="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#id8Vr8PxVJlCV5uvxs3MDmvN4lGGE">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">*****</DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <SignatureValue xmlns="http://www.w3.org/2000/09/xmldsig#">******</SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>******</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <samlp:Status>
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
                <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied" />
            </samlp:StatusCode>
            <StatusMessage>Authorization is failed</StatusMessage>
        </samlp:Status>
    </samlp:Response>


  • The Status element returned above is malformed with respect to the SAML 2.0 protocol schema: the StatusMessage element is emitted without the samlp: prefix, and since the Response declares no default namespace the element ends up in no namespace at all, so a schema-validating SP such as ADFS rejects the Response. The StatusType definition in the protocol schema places samlp:StatusMessage in the urn:oasis:names:tc:SAML:2.0:protocol namespace as an optional direct child of samlp:Status following samlp:StatusCode. The Status element should therefore look like:
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied" />
        </samlp:StatusCode>
        <samlp:StatusMessage>Authorization is failed</samlp:StatusMessage>
    </samlp:Status>
    Note that the enveloped signature in the Response references the Response element itself (ds:Reference URI="#id8Vr8PxVJlCV5uvxs3MDmvN4lGGE"), so the Status block is covered by the signature and the SP cannot repair the message; the correction has to be made by the IDP.
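
    Added example (not part of this TID and not NAM or ADFS code): a stdlib-only Python check that parses a SAML Response, reports whether its Status block follows the StatusType rules of the SAML 2.0 protocol schema (one samlp:StatusCode first, then optional samlp:StatusMessage and samlp:StatusDetail, all in the samlp namespace), extracts the nested status-code chain, and rewrites the unqualified StatusMessage into the schema-conformant shape for comparison. The embedded sample response is constructed from the example above with the signature stripped; the function names are this example's own.

```python
"""Check the samlp:Status block of a SAML 2.0 Response against the StatusType
sequence of the SAML 2.0 protocol schema. Stdlib only; added example, not NAM
or ADFS code."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
STATUS_CHILDREN = ["StatusCode", "StatusMessage", "StatusDetail"]  # schema order

# Constructed sample: the response from the TID with the signature removed and
# the Status block kept exactly as the IDP emits it (unqualified StatusMessage).
MALFORMED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    Destination="https://idpa.kgast.nam.com:8443/nidp/saml2/spassertion_consumer"
    ID="id8Vr8PxVJlCV5uvxs3MDmvN4lGGE" InResponseTo="idyH7SKBGxf1TF8PMI5IcvQVZPATE"
    IssueInstant="2019-04-11T08:37:08Z" Version="2.0">
  <saml:Issuer>https://idpa31.kgast.nam.com:8443/nidp/saml2/metadata</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
    <StatusMessage>Authorization is failed</StatusMessage>
  </samlp:Status>
</samlp:Response>"""


def split_tag(tag):
    """ElementTree spells a qualified name as '{namespace}local'; an element
    with no namespace in scope (the IDP's StatusMessage) has no braces."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def check_status(xml_text):
    """Return findings; an empty list means the Status block is schema-shaped."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status", NS)
    if status is None:
        return ["no samlp:Status element under the root"]
    findings, seen = [], []
    for child in status:
        ns, local = split_tag(child.tag)
        if ns != SAMLP:  # the defect in the TID: element in no namespace
            ns_desc = ns or "(none)"
            findings.append(f"<{local}> is in namespace {ns_desc}; "
                            f"schema requires samlp:{local} in {SAMLP}")
        if local not in STATUS_CHILDREN:
            findings.append(f"<{local}> is not allowed under samlp:Status")
        else:
            seen.append(local)
    if seen[:1] != ["StatusCode"]:
        findings.append("first child of samlp:Status must be samlp:StatusCode")
    ranks = [STATUS_CHILDREN.index(t) for t in seen]
    if ranks != sorted(ranks) or len(seen) != len(set(seen)):
        findings.append("children of samlp:Status out of order or repeated: " + ", ".join(seen))
    # StatusCode carries a mandatory Value and may only nest further StatusCode elements
    for code in status.iter(f"{{{SAMLP}}}StatusCode"):
        if "Value" not in code.attrib:
            findings.append("samlp:StatusCode without the mandatory Value attribute")
        for sub in code:
            if split_tag(sub.tag) != (SAMLP, "StatusCode"):
                findings.append(f"<{split_tag(sub.tag)[1]}> nested inside samlp:StatusCode; "
                                "only samlp:StatusCode may appear there")
    return findings


def status_code_chain(xml_text):
    """Last segment of each nested StatusCode Value, outermost first,
    e.g. ['Responder', 'RequestDenied'] for a brokering-rule Deny."""
    root = ET.fromstring(xml_text)
    chain = []
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    while code is not None:
        chain.append(code.get("Value", "").rsplit(":", 1)[-1])
        code = code.find("samlp:StatusCode", NS)
    return chain


def fix_status(xml_text):
    """Rewrite an unqualified StatusMessage as samlp:StatusMessage directly under
    Status after StatusCode (the schema shape). Illustration only: a signed
    Response cannot be repaired at the SP, the enveloped signature covers it."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status", NS)
    for child in list(status):
        ns, local = split_tag(child.tag)
        if local == "StatusMessage" and ns != SAMLP:
            status.remove(child)
            fixed = ET.SubElement(status, f"{{{SAMLP}}}StatusMessage")
            fixed.text = child.text
    rank = {name: i for i, name in enumerate(STATUS_CHILDREN)}
    ordered = sorted(list(status), key=lambda c: rank.get(split_tag(c.tag)[1], len(rank)))
    for child in list(status):
        status.remove(child)
    status.extend(ordered)  # StatusType sequence: StatusCode, StatusMessage, StatusDetail
    return ET.tostring(root, encoding="unicode")
```

    To run it against a real failure, take the Base64 SAMLResponse value from the POST to the ADFS assertion consumer (browser SAML tracer or the NAM IDP debug log), decode it and pass the XML to check_status; status_code_chain gives the Responder/RequestDenied pair that identifies a brokering-rule Deny in the log. fix_status only shows the expected shape: the ds:Reference in the example above points at the Response element itself, so the Status block is covered by the signature and a rewritten message would fail signature validation at the SP.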

Resolution

  • This issue has been reported to engineering.
  • Contact support if you urgently need a fix for NAM 4.4.4 or 4.5.