SAML Assertion based user authentication failed

Article ID: 115922


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

CA SiteMinder acts as the Service Provider (SP) in a federation setup; the Identity Provider (IDP) is not CA SiteMinder.
When CA SiteMinder receives the SAML assertion, the user gets the error "SAML Assertion based user authentication failed" while the assertion is being consumed.

FWStrace.log
[09/10/2018][07:55:51][14195][757815040][<TransactionID>][FWSBase.java][authenticateUser][result code from AgentAPI login call: 2] 
[09/10/2018][07:55:51][14195][757815040][<TransactionID>][FWSBase.java][authenticateUser][Login failure [CHECKPOINT = SSO_LOGINFAILURE_RSP]] 
[09/10/2018][07:55:51][14195][757815040][<TransactionID>][FWSBase.java][processFailedAuthentication][SAML Assertion based user authentication failed.] 

Environment

OS: ALL
Policy Server: 12.7, 12.6, 12.52

Cause

After further investigation, the failure is caused by the presence of a NotBefore attribute on the <saml2:SubjectConfirmationData> element.
Failed assertion content sample: 
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData NotBefore="2018-09-03T01:14:16.121Z" NotOnOrAfter="2018-09-16T22:34:16.121Z" Recipient="https://<Server Name>/public/saml2assertionconsumer"/></saml2:SubjectConfirmation> 

SiteMinder by design does not accept a NotBefore attribute on the <SubjectConfirmationData> element.

Please check the OASIS SAML 2.0 Profiles document here: http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
On page 19, you can see the following:
------------
The bearer <SubjectConfirmation> element described above MUST contain a <SubjectConfirmationData> element that contains a Recipient attribute containing the service provider's assertion consumer service URL and a NotOnOrAfter attribute that limits the window during which the assertion can be delivered. It MAY contain an Address attribute limiting the client address from which the assertion can be delivered. It MUST NOT contain a NotBefore attribute. If the containing message is in response to an <AuthnRequest>, then the InResponseTo attribute MUST match the request's ID.
------------

So the NotBefore attribute is not allowed on the <SubjectConfirmationData> element of a bearer confirmation.

Resolution

The IDP partner needs to adhere to the standard by removing the NotBefore attribute from the <saml2:SubjectConfirmationData> element while keeping the NotOnOrAfter attribute (and the Recipient attribute) in place.
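The following is an added example, not part of this article or of the SiteMinder product: a small Python check that applies the quoted profile rules to an assertion's bearer <SubjectConfirmationData> so an IDP partner can verify an assertion before sending it, or an SP administrator can confirm this cause from a captured assertion. The sample assertion is constructed after the failing one above, with a placeholder Recipient host; the check_bearer_confirmation function and its arguments are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample modelled on the failing assertion in this article;
# the Recipient host is a placeholder, not a real server.
FAILED_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Subject><saml2:NameID>user@example.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotBefore="2018-09-03T01:14:16.121Z"
 NotOnOrAfter="2018-09-16T22:34:16.121Z"
 Recipient="https://sp.example.invalid/public/saml2assertionconsumer"/>
</saml2:SubjectConfirmation></saml2:Subject></saml2:Assertion>"""

# Same assertion with the offending attribute removed (what the IDP should send).
FIXED_ASSERTION = FAILED_ASSERTION.replace(' NotBefore="2018-09-03T01:14:16.121Z"', "")


def check_bearer_confirmation(assertion_xml, expected_recipient=None, request_id=None):
    """Return a list of profile violations for the bearer SubjectConfirmationData
    (an empty list means it is acceptable). Only the attributes named in the
    quoted profile text are checked; signature and Conditions are out of scope."""
    root = ET.fromstring(assertion_xml)
    problems = []
    confirmations = [c for c in root.findall(".//saml2:SubjectConfirmation", NS)
                     if c.get("Method") == BEARER]
    if not confirmations:
        return ["no bearer SubjectConfirmation element"]
    for conf in confirmations:
        data = conf.find("saml2:SubjectConfirmationData", NS)
        if data is None:
            problems.append("bearer SubjectConfirmation lacks SubjectConfirmationData")
            continue
        if "NotBefore" in data.attrib:  # the cause described in this article
            problems.append("NotBefore is present (MUST NOT appear in SubjectConfirmationData)")
        if "NotOnOrAfter" not in data.attrib:
            problems.append("NotOnOrAfter is missing")
        recipient = data.get("Recipient")
        if recipient is None:
            problems.append("Recipient is missing")
        elif expected_recipient and recipient != expected_recipient:
            problems.append("Recipient does not match this SP's ACS URL")
        # Only meaningful for SP-initiated SSO, where an AuthnRequest ID is known.
        if request_id is not None and data.get("InResponseTo") != request_id:
            problems.append("InResponseTo does not match the AuthnRequest ID")
    return problems
```

Running the check on FAILED_ASSERTION reports only the NotBefore violation, and on FIXED_ASSERTION reports nothing, which mirrors the resolution above.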

Additional Information

https://communities.ca.com/thread/241760639-siteminder-saml-auth-scheme-failing-to-authenticate-a-saml-idp-partner