SAML Assertion based user authentication failed


Article ID: 115922


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On


CA SiteMinder is the SP in a federation setup; the IdP is not CA SiteMinder.
When the SAML assertion is received by CA SiteMinder, the user gets the error "SAML Assertion based user authentication failed" while the assertion is being consumed. The Secure Proxy Server / federation trace shows the login failing at the AgentAPI step:

[09/10/2018][07:55:51][14195][757815040][8ff98cba-04a46a86-5e0a2b50-65f83888-9547284f-7][][authenticateUser][result code from AgentAPI login call: 2] 
[09/10/2018][07:55:51][14195][757815040][8ff98cba-04a46a86-5e0a2b50-65f83888-9547284f-7][][authenticateUser][Login failure [CHECKPOINT = SSO_LOGINFAILURE_RSP]] 
[09/10/2018][07:55:51][14195][757815040][8ff98cba-04a46a86-5e0a2b50-65f83888-9547284f-7][][processFailedAuthentication][SAML Assertion based user authentication failed.] 



Policy Server: 12.7, 12.6, 12.52


After further investigation, the failure is due to the inclusion of a NotBefore attribute on the <saml2:SubjectConfirmationData> element.
Failed assertion content sample: 
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData NotBefore="2018-09-03T01:14:16.121Z" NotOnOrAfter="2018-09-16T22:34:16.121Z" Recipient=""/></saml2:SubjectConfirmation> 

SiteMinder by design does not accept a NotBefore attribute on the <SubjectConfirmationData> element of a bearer <SubjectConfirmation>.

See the OASIS SAML 2.0 Profiles specification (Web Browser SSO Profile, rules for the <Response> element). On page 19 it states:
"The bearer <SubjectConfirmation> element described above MUST contain a <SubjectConfirmationData> element that contains a Recipient attribute containing the service provider's assertion consumer service URL and a NotOnOrAfter attribute that limits the window during which the assertion can be delivered. It MAY contain an Address attribute limiting the client address from which the assertion can be delivered. It MUST NOT contain a NotBefore attribute. If the containing message is in response to an <AuthnRequest>, then the InResponseTo attribute MUST match the request's ID."

So a NotBefore attribute is not allowed on <SubjectConfirmationData> for the bearer confirmation method. The assertion's validity window belongs on the assertion-level <saml2:Conditions> element, which may carry both NotBefore and NotOnOrAfter.


The IdP partner needs to adhere to the standard by changing its <saml2:SubjectConfirmationData> element to NOT include the NotBefore attribute while still keeping the NotOnOrAfter attribute. Note that the failing sample above also has an empty Recipient attribute; the same profile text requires it to contain the SP's assertion consumer service URL, so the IdP should populate it as well.
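The following pre-flight checker is an added example, not part of this article and not SiteMinder code. It applies the bearer <SubjectConfirmationData> rules quoted above (Recipient and NotOnOrAfter required, NotBefore forbidden, InResponseTo matching the AuthnRequest ID when one is given) to an assertion, so an IdP's output can be validated before it is sent to the SP. The ACS URL, the wrapping <Assertion> around the article's failing <SubjectConfirmation>, and the clock value taken from the log timestamp are constructed assumptions; the strip_notbefore helper only illustrates the change the IdP must make, since rewriting a signed assertion breaks its signature.

```python
"""Pre-flight check of the bearer <SubjectConfirmationData> rules from the
SAML 2.0 Web Browser SSO profile. Example code, not part of the article or
of SiteMinder; all URLs and the wrapping assertion are constructed."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2_NS}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ET.register_namespace("saml2", SAML2_NS)

# Hypothetical SP assertion consumer service URL (assumption, not from the article).
ACS_URL = "https://sp.example.com/affwebservices/public/saml2assertionconsumer"

# Clock value taken from the article's log timestamp, so the checks are repeatable.
NOW = datetime(2018, 9, 10, 7, 55, 51, tzinfo=timezone.utc)

# Constructed assertion wrapping the failing <SubjectConfirmation> from the article.
# The assertion-level <Conditions> legitimately carries its own NotBefore.
FAILING_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2018-09-10T07:55:50Z">
  <saml2:Issuer>https://idp.example.com/idp</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID>jdoe</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotBefore="2018-09-03T01:14:16.121Z"
          NotOnOrAfter="2018-09-16T22:34:16.121Z" Recipient=""/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2018-09-10T07:50:50Z" NotOnOrAfter="2018-09-10T08:05:50Z"/>
</saml2:Assertion>"""


def parse_instant(value):
    """SAML timestamps are xs:dateTime in UTC with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def bearer_confirmations(root):
    return [c for c in root.iter(f"{{{SAML2_NS}}}SubjectConfirmation")
            if c.get("Method") == BEARER]


def check_bearer_confirmation(assertion_xml, acs_url, now, request_id=None):
    """Return the list of profile violations; an empty list means the bearer
    SubjectConfirmationData is acceptable to a strict SP such as SiteMinder."""
    root = ET.fromstring(assertion_xml)
    bearer = bearer_confirmations(root)
    if not bearer:
        return ["no bearer <SubjectConfirmation> in assertion"]
    violations = []
    for conf in bearer:
        data = conf.find("saml2:SubjectConfirmationData", NS)
        if data is None:
            violations.append("bearer SubjectConfirmation lacks SubjectConfirmationData")
            continue
        if "NotBefore" in data.attrib:
            violations.append("NotBefore MUST NOT appear on bearer SubjectConfirmationData")
        recipient = data.get("Recipient")
        if not recipient:
            violations.append("Recipient is missing or empty; it MUST be the SP's ACS URL")
        elif recipient != acs_url:
            violations.append(f"Recipient {recipient!r} does not match the SP's ACS URL")
        if "NotOnOrAfter" not in data.attrib:
            violations.append("NotOnOrAfter MUST be present")
        elif now >= parse_instant(data.get("NotOnOrAfter")):
            violations.append("NotOnOrAfter has passed; assertion can no longer be delivered")
        if request_id is not None and data.get("InResponseTo") != request_id:
            violations.append("InResponseTo does not match the AuthnRequest ID")
    return violations


def strip_notbefore(assertion_xml, acs_url):
    """Illustrate the change the IdP must make: drop NotBefore, keep NotOnOrAfter,
    populate Recipient. Editing a signed assertion invalidates its signature, so
    the real fix is an IdP configuration change, not post-processing."""
    root = ET.fromstring(assertion_xml)
    for conf in bearer_confirmations(root):
        data = conf.find("saml2:SubjectConfirmationData", NS)
        if data is not None:
            data.attrib.pop("NotBefore", None)
            data.set("Recipient", acs_url)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, xml in [("failing", FAILING_ASSERTION),
                      ("fixed", strip_notbefore(FAILING_ASSERTION, ACS_URL))]:
        print(name, check_bearer_confirmation(xml, ACS_URL, NOW) or "OK")
```

Run against the article's failing sample the checker reports two violations (the forbidden NotBefore and the empty Recipient); after strip_notbefore it reports none, and passing the AuthnRequest ID for a solicited response additionally enforces InResponseTo.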

Additional Information