search cancel

Federation Issue "Accept ACS URL in the Authnrequest" causing problems

book

Article ID: 133986

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On SITEMINDER

Issue/Introduction

 

When running a Policy Server with a Partnership configured with
"Accept ACS URL in the Authnrequest" set to yes, the Authenrequest
with AssertionConsumerServiceURL in it is not working.

From the logs one can notice :

   [06/19/2019][14:08:06][27457][140240626992896][a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b]
   [SSO.java][processRequest]
   [Transaction with ID: a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b failed. Reason: NO_BINDING_SPECIFIED]

 

Cause

 

The cause is that the SAMLRequest doesn't have ProtocolBinding set,
and as such, the Policy Server reports error "NO_BINDING_SPECIFIED" :

  [06/19/2019][14:08:06][27457][140240626992896][a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b]
  [SSO.java][getAuthnRequestData]
  [AuthnRequest:

  <samlp2:AuthnRequest xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="samlp2-8e40b382f27845cd99562bd13c193cdb"
    IssueInstant="2019-06-19T05:53:06.111Z"
    Version="2.0"
    ForceAuthn="false"
    IsPassive="false"
    AssertionConsumerServiceURL="https://myserver.mydomain.com/resource/authorize">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">myissuer</saml2:Issuer>
  </samlp2:AuthnRequest>]

  [06/19/2019][14:08:06][27457][140240626992896][a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b]
  [SSO.java][getACSIndexRow][Found the ACS Row corresponding to index: 0]

  [06/19/2019][14:08:06][27457][140240626992896][a6cb4e04-d2625d5a-128ff
  8cd-1d050e61-20328988-b][SSO.java][getACSIndexRow][ACS Binding: HTTP-Post]

  [06/19/2019][14:08:06][27457][140240626992896][a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b]
  [SSO.java][getACSIndexRow][ACS URL: https://myserver.mydomain.com/resource/authorize]

  [06/19/2019][14:08:06][27457][140240626992896][a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b]
  [SSO.java][ACSIndexDefaultBinding]
  [Settting the Binding for the Default Assertion Consumer Service to: HTTP-Post]

  [06/19/2019][14:08:06][27457][140240626992896][a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b]
  [SSO.java][processRequest][Got Assertion Consumer URL in AuthnRequest. Determining Validity of URL]

  [06/19/2019][14:08:06][27457][140240626992896][a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b]
  [SSO.java][processRequest]
  [Transaction with ID: a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b failed. Reason: NO_BINDING_SPECIFIED]

From the OASIS group, the ProtocolBinding is mandatory when
AssertionConsumerServiceURL is set (1).

 

Environment

 

  Policy Server 12.8SP1CR00;

 

Resolution

 

Configure the SAMLRequest to set ProtocolBinding to solve this issue.

 

Additional Information

 

(1)

    AssertionConsumerServiceURL [Optional]

      Specifies by value the location to which the <Response> message
      MUST be returned to the requester. The responder MUST ensure by
      some means that the value specified is in fact associated with the
      requester. [SAMLMeta] provides one possible mechanism; signing the
      enclosing <AuthnRequest> message is another. This attribute is
      mutually exclusive with the AssertionConsumerServiceIndex
      attribute and is typically accompanied by the ProtocolBinding
      attribute.

    https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf