When running a CA Access Gateway as the Federation Gateway, with SiteMinder acting as the Service Provider (SP) and a Federation Partnership configured with a third-party Identity Provider (IDP), the IDP receives the following SAML request from the SiteMinder Policy Server:
<AuthnRequest
    AssertionConsumerServiceURL="---------------------------------"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Destination="----------------------------"
    ID="----------------------"
    IssueInstant="-------------------------"
    Version="2.0"
    xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
  <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">-------------------</ns1:Issuer>
  <NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
  <RequestedAuthnContext Comparison="minimum">
    <ns2:AuthnContextClassRef xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
  </RequestedAuthnContext>
</AuthnRequest>
However, the IDP expects every element in the SAML request to carry a namespace prefix, as in this sample:
<saml2p:AuthnRequest
    AssertionConsumerServiceURL="---------------------------------"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Destination="----------------------------"
    ID="----------------------"
    IssueInstant="-------------------------"
    Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">-------------------</ns1:Issuer>
  <saml2p:NameIDPolicy xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
  <saml2p:RequestedAuthnContext xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="minimum">
    <ns2:AuthnContextClassRef xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>
Why doesn't SiteMinder generate SAML requests that meet the IDP's requirement, in the following environment?
CA Access Gateway (SPS) 12.8.03
Policy Server 12.8.03
This is expected behaviour: a namespace prefix is not mandatory in an XML document, so the partner should not require one either. Moreover, the saml2p prefix that the IDP expects from the outset is a valid prefix, but it is referenced nowhere in the OASIS documentation.
Looking at each element definition from OASIS, none of the elements has a mandatory prefix (1)(2)(3).
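As an added illustration (not code from the CA article), the following Python script parses both request forms shown above and checks them by namespace URI rather than by literal prefix; every attribute value in it is a constructed placeholder.

```python
# Added example, not code from the CA article: parses the two AuthnRequest forms
# shown above and checks them by namespace URI instead of by literal prefix.
# All attribute values are constructed placeholders.
import xml.etree.ElementTree as ET

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
AC_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"

# Default-namespace form (what the SiteMinder Policy Server sends).
DEFAULT_NS_REQUEST = f"""<AuthnRequest ID="_constructed-id" Version="2.0"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" xmlns="{SAML2P}">
  <ns1:Issuer xmlns:ns1="{SAML2}">https://sp.example.test</ns1:Issuer>
  <NameIDPolicy AllowCreate="true"
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
  <RequestedAuthnContext Comparison="minimum">
    <ns2:AuthnContextClassRef xmlns:ns2="{SAML2}">{AC_PASSWORD}</ns2:AuthnContextClassRef>
  </RequestedAuthnContext>
</AuthnRequest>"""

# Prefixed form (what the IDP expects); same values, only the prefixes differ.
PREFIXED_REQUEST = f"""<saml2p:AuthnRequest ID="_constructed-id" Version="2.0"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" xmlns:saml2p="{SAML2P}">
  <ns1:Issuer xmlns:ns1="{SAML2}">https://sp.example.test</ns1:Issuer>
  <saml2p:NameIDPolicy AllowCreate="true"
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
  <saml2p:RequestedAuthnContext Comparison="minimum">
    <ns2:AuthnContextClassRef xmlns:ns2="{SAML2}">{AC_PASSWORD}</ns2:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>"""

def qualified_names(xml_text: str) -> list[str]:
    """Element names in document order as {namespace-URI}local-name (prefixes dropped)."""
    return [el.tag for el in ET.fromstring(xml_text).iter()]

def validate_by_namespace(xml_text: str) -> bool:
    """Correct check: root must be AuthnRequest in the SAML 2.0 protocol namespace
    and carry a NameIDPolicy in that same namespace, whatever prefix is used."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML2P}}}AuthnRequest":
        return False
    return root.find(f"{{{SAML2P}}}NameIDPolicy") is not None

def validate_by_prefix(xml_text: str) -> bool:
    """Fragile check of the kind the IDP applies: insists on the literal 'saml2p:'
    prefix, which the OASIS schema never mandates, so it rejects SiteMinder's request."""
    return "<saml2p:AuthnRequest" in xml_text and "<saml2p:NameIDPolicy" in xml_text
```

Both documents resolve to the same qualified names, so the namespace-based check accepts both while the prefix-based check accepts only the second.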