Use Namespaces and Prefixes in All SAML Tags

book

Article ID: 141973

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction

 

We're running a CA Access Gateway as the Federation Gateway and
SiteMinder acts as the Service Provider (SP) and we've configured a
Federation Partnership with a third part IdentityProvider (IDP).

The IDP receives the following SAML Request from SiteMinder :

    <AuthnRequest
    AssertionConsumerServiceURL="---------------------------------"
    ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
    Destination="----------------------------"
    ID="----------------------"
    IssueInstant="-------------------------"
    Version="2.0"
    xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
 <ns1:Issuer xmlns:ns1=urn:oasis:names:tc:SAML:2.0:assertion>-------------------</ns1:Issuer>
 <NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
 <RequestedAuthnContext Comparison="minimum">
     <ns2:AuthnContextClassRef xmlns:ns2=urn:oasis:names:tc:SAML:2.0:assertion>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
 </RequestedAuthnContext>
    </AuthnRequest>

However, the IDP expects all tags with namespace names in the SAML
Request like this sample :

    <saml2p:AuthnRequest
    AssertionConsumerServiceURL="---------------------------------"
    ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
    Destination="----------------------------"
    ID="----------------------"
    IssueInstant="-------------------------"
    Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
 <ns1:Issuer xmlns:ns1=urn:oasis:names:tc:SAML:2.0:assertion>-------------------</ns1:Issuer>
 <saml2p:NameIDPolicy xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
 <saml2p:RequestedAuthnContext xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="minimum">
     <ns2:AuthnContextClassRef xmlns:ns2=urn:oasis:names:tc:SAML:2.0:assertion>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
 </saml2p:RequestedAuthnContext>
    </saml2p:AuthnRequest>

Why SiteMinder doesn't it generate SAML requests based on the IDP
requirement, with the following:

  1. All required namespace declarations in the base tag with
     namespace prefixes
  2. Qualifying all subsequent tags with namespace prefixes ?

How can we configure all SAML tags to use namespaces and prefixes in
SiteMinder ?

 

Environment

Release : 12.8.03

Component : SITEMINDER FEDERATION SECURITY SERVICES

Resolution

 

This is as such because the prefix are not mandatory in xml
document. As such, the partner shouldn't request them as mandatory as
mandatory neither. More, you were expecting the prefix saml2p at the
first stage, a prefix which is valid but referenced nowhere in the
OASIS documentation.

In order to get implemented the possibility to set the prefixes of
your needs, and get an already formated one as per the sample I gave
you, we invite you to open an Enhancement Request (Idea) on the
Security page :

  1. Go to the "All Ideas" page :
     https://community.broadcom.com/ideation/allideas
  2. Click on the "Add" button.
  3. In the "Select categories...", select "Layer7 Access Management".
  4. Write a title in the "title" box.
  5. Write a complete description of the Enahcement Request or
     Certification you'd like to post.
  6. Click on "Save" to get the Idea submitted 

Looking a each element definition from OASIS, none of the elements has
a mandatory prefix.

3.4 Authentication Request Protocol

 at least one assertion MUST contain at least one authentication
 statement.

3.4.1 Element <AuthnRequest>

  To request that an identity provider issue an assertion with an
  authentication statement, a presenter authenticates to that identity
  provider (or relies on an existing security context) and sends it an
  <AuthnRequest> message that describes the properties that the
  resulting assertion needs to have to satisfy its purpose

  AssertionConsumerServiceURL [Optional]


  <saml:Subject> [Optional]

  <NameIDPolicy> [Optional]

  <RequestedAuthnContext> [Optional]

  AssertionConsumerServiceURL [Optional]

  Specifies by value the location to which the <Response> message MUST be returned to the
  requester. The responder MUST ensure by some means that the value specified is in fact associated
  with the requester. [SAMLMeta] provides one possible mechanism; signing the enclosing
  <AuthnRequest> message is another. This attribute is mutually exclusive with the
  AssertionConsumerServiceIndex attribute and is typically accompanied by the
  ProtocolBinding attribute.

  ProtocolBinding [Optional]

3.4.1.1 Element <NameIDPolicy>

  Format [Optional]
  AllowCreate [Optional]

  Note that if the requester wishes to permit the identity provider to
  establish a new identifier for the principal if none exists, it MUST
  include this element with the AllowCreate attribute set to "true"
  This is primarily useful in conjunction with the
  urn:oasis:names:tc:SAML:2.0:nameid-format:persistent Format value

http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

 

Additional Information

<2019-12-17> :: [email protected] : Initial Publication