Federation Issue "Accept ACS URL in the Authnrequest" causing problems



Article ID: 133986


Products

  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On Agents (SiteMinder)
  CA Single Sign On Federation (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  CA Single Sign-On SITEMINDER

Issue/Introduction

 

When running a Policy Server with a Partnership configured with
"Accept ACS URL in the AuthnRequest" set to Yes, an AuthnRequest that
carries an AssertionConsumerServiceURL attribute is rejected.

The Policy Server federation logs show:

   [06/19/2019][14:08:06][27457][140240626992896][a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b]
   [SSO.java][processRequest]
   [Transaction with ID: a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b failed. Reason: NO_BINDING_SPECIFIED]

 

Environment

 

  Policy Server 12.8SP1CR00

 

Cause

 

The SAMLRequest sent by the Service Provider carries an
AssertionConsumerServiceURL attribute but no ProtocolBinding attribute.
The Policy Server therefore cannot determine which binding the Response
to that URL must use, and fails the transaction with
"NO_BINDING_SPECIFIED":

  [06/19/2019][14:08:06][27457][140240626992896][a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b]
  [SSO.java][getAuthnRequestData]
  [AuthnRequest:

  <samlp2:AuthnRequest xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="samlp2-8e40b382f27845cd99562bd13c193cdb"
    IssueInstant="2019-06-19T05:53:06.111Z"
    Version="2.0"
    ForceAuthn="false"
    IsPassive="false"
    AssertionConsumerServiceURL="https://myserver.example.com/resource/authorize">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">myissuer</saml2:Issuer>
  </samlp2:AuthnRequest>]

  [06/19/2019][14:08:06][27457][140240626992896][a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b]
  [SSO.java][getACSIndexRow][Found the ACS Row corresponding to index: 0]

  [06/19/2019][14:08:06][27457][140240626992896][a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b]
  [SSO.java][getACSIndexRow][ACS Binding: HTTP-Post]

  [06/19/2019][14:08:06][27457][140240626992896][a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b]
  [SSO.java][getACSIndexRow][ACS URL: https://myserver.example.com/resource/authorize]

  [06/19/2019][14:08:06][27457][140240626992896][a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b]
  [SSO.java][ACSIndexDefaultBinding]
  [Settting the Binding for the Default Assertion Consumer Service to: HTTP-Post]

  [06/19/2019][14:08:06][27457][140240626992896][a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b]
  [SSO.java][processRequest][Got Assertion Consumer URL in AuthnRequest. Determining Validity of URL]

  [06/19/2019][14:08:06][27457][140240626992896][a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b]
  [SSO.java][processRequest]
  [Transaction with ID: a6cb4e04-d2625d5a-128ff8cd-1d050e61-20328988-b failed. Reason: NO_BINDING_SPECIFIED]

The SAML 2.0 Core specification (section 3.4.1, quoted in (1)) states
that AssertionConsumerServiceURL is typically accompanied by the
ProtocolBinding attribute, and that the responder must verify that the
URL is actually associated with the requester. The Policy Server does
that verification against the ACS endpoints registered in the
partnership, each of which is defined by a binding as well as a URL (see
the "ACS Binding" and "ACS URL" lines above), so an AuthnRequest that
names an ACS URL without a binding is rejected rather than matched to a
default.

 

Resolution

 

Configure the Service Provider to include the ProtocolBinding attribute
in the AuthnRequest whenever it sets AssertionConsumerServiceURL. The
value must be the binding URI of the ACS endpoint that the URL refers
to, for example urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST for the
HTTP-Post endpoint shown in the logs above. The URL itself is still
validated against the ACS endpoints registered in the partnership (the
"Determining Validity of URL" step in the log), as the specification
requires; "Accept ACS URL in the AuthnRequest" lets the requester choose
among registered endpoints, it does not allow an arbitrary destination.
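The following is an added example and not code from the article or from
the SiteMinder product. It reproduces the AuthnRequest from the log
above, builds the corrected form with ProtocolBinding set, shows the
HTTP-Redirect encoding of a SAMLRequest (raw DEFLATE, then base64), and
applies the check the Cause section describes: an AssertionConsumerServiceURL
without ProtocolBinding is refused with NO_BINDING_SPECIFIED, and a
(binding, URL) pair that is not registered for the partner is refused as
well. The CONFIGURED_ACS table is a constructed stand-in for the
partnership's ACS endpoints, and the reason codes other than
NO_BINDING_SPECIFIED are names chosen here, not Policy Server codes.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the partnership's ACS table: index -> (binding, URL).
# The binding and URL are the ones the article's log shows for index 0.
CONFIGURED_ACS = {
    0: (HTTP_POST, "https://myserver.example.com/resource/authorize"),
}

# The failing AuthnRequest from the article's log (no ProtocolBinding attribute).
BROKEN_REQUEST = """<samlp2:AuthnRequest xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="samlp2-8e40b382f27845cd99562bd13c193cdb"
    IssueInstant="2019-06-19T05:53:06.111Z"
    Version="2.0"
    ForceAuthn="false"
    IsPassive="false"
    AssertionConsumerServiceURL="https://myserver.example.com/resource/authorize">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">myissuer</saml2:Issuer>
</samlp2:AuthnRequest>"""


def build_authn_request(issuer, acs_url, protocol_binding, request_id, issue_instant):
    """Build an AuthnRequest carrying both AssertionConsumerServiceURL and ProtocolBinding."""
    ET.register_namespace("samlp2", SAMLP)
    ET.register_namespace("saml2", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "IssueInstant": issue_instant,
        "Version": "2.0",
        "ForceAuthn": "false",
        "IsPassive": "false",
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": protocol_binding,   # the attribute the failing request lacked
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def encode_redirect(xml_text):
    """SAMLRequest value for the HTTP-Redirect binding: raw DEFLATE, then base64
    (URL-encoding of the result is left to the query-string builder)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw deflate, no zlib header
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect(saml_request):
    """Inverse of encode_redirect: base64-decode, then raw-inflate."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")


def validate_acs(xml_text, configured_acs=CONFIGURED_ACS):
    """Resolve the ACS endpoint the Response must be sent to, in the order the
    article's log shows. Returns (binding, url) or raises ValueError with a reason."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("NOT_AN_AUTHNREQUEST")
    url = root.get("AssertionConsumerServiceURL")
    index = root.get("AssertionConsumerServiceIndex")
    binding = root.get("ProtocolBinding")

    if url is not None and index is not None:
        # SAML Core 3.4.1: URL and Index are mutually exclusive.
        raise ValueError("URL_AND_INDEX_MUTUALLY_EXCLUSIVE")
    if url is None:
        # No URL in the request: use the indexed endpoint, or index 0 as the default.
        key = int(index) if index is not None else 0
        if key not in configured_acs:
            raise ValueError("UNKNOWN_ACS_INDEX")
        return configured_acs[key]
    if binding is None:
        # A URL without a binding cannot be matched to a registered endpoint.
        raise ValueError("NO_BINDING_SPECIFIED")
    # SAML Core 3.4.1: the responder MUST ensure the URL belongs to the requester.
    # Accept only a (binding, URL) pair registered for this partner.
    if (binding, url) not in configured_acs.values():
        raise ValueError("ACS_NOT_REGISTERED")
    return binding, url


def check_request(xml_text, configured_acs=CONFIGURED_ACS):
    """'OK' when the request resolves to a registered ACS, otherwise the reason code."""
    try:
        validate_acs(xml_text, configured_acs)
        return "OK"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print("broken request:", check_request(BROKEN_REQUEST))
    fixed = build_authn_request("myissuer",
                                "https://myserver.example.com/resource/authorize",
                                HTTP_POST,
                                "samlp2-8e40b382f27845cd99562bd13c193cdb",
                                "2019-06-19T05:53:06.111Z")
    print("fixed request:", check_request(fixed))
    print("SAMLRequest=", encode_redirect(fixed))
```

Run it as a script to see the failing request rejected with
NO_BINDING_SPECIFIED and the corrected one accepted. The check deliberately
matches on the (binding, URL) pair rather than the URL alone, which is why a
missing ProtocolBinding is a hard failure and not something to fall back
from: accepting a bare URL, or a URL outside the registered set, would let a
requester redirect the Response (and the assertion in it) to an endpoint of
its choosing.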

 

Additional Information

 

(1)

    AssertionConsumerServiceURL [Optional]

      Specifies by value the location to which the <Response> message
      MUST be returned to the requester. The responder MUST ensure by
      some means that the value specified is in fact associated with the
      requester. [SAMLMeta] provides one possible mechanism; signing the
      enclosing <AuthnRequest> message is another. This attribute is
      mutually exclusive with the AssertionConsumerServiceIndex
      attribute and is typically accompanied by the ProtocolBinding
      attribute.

    https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf