Use Namespaces and Prefixes in All SAML Tags from Policy Server
search cancel

Use Namespaces and Prefixes in All SAML Tags from Policy Server

book

Article ID: 141973

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction

 

When running a CA Access Gateway as the Federation Gateway and SiteMinder acts as the Service Provider (SP) and configured a Federation Partnership with a third part Identity Provider (IDP).

The IDP receives the following SAML Request from SiteMinder Policy Server:

    <AuthnRequest
    AssertionConsumerServiceURL="---------------------------------"
    ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
    Destination="----------------------------"
    ID="----------------------"
    IssueInstant="-------------------------"
    Version="2.0"
    xmlns="urn:oasis:names:tc:SAML:2.0:protocol">

    <ns1:Issuer xmlns:ns1=urn:oasis:names:tc:SAML:2.0:assertion>-------------------</ns1:Issuer>
     <NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
     <RequestedAuthnContext Comparison="minimum">
      <ns2:AuthnContextClassRef xmlns:ns2=urn:oasis:names:tc:SAML:2.0:assertion>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
     </RequestedAuthnContext>
    </AuthnRequest>

However, the IDP expects all tags with namespace names in the SAML Request like this sample:

    <saml2p:AuthnRequest
    AssertionConsumerServiceURL="---------------------------------"
    ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
    Destination="----------------------------"
    ID="----------------------"
    IssueInstant="-------------------------"
    Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <ns1:Issuer xmlns:ns1=urn:oasis:names:tc:SAML:2.0:assertion>-------------------</ns1:Issuer>
     <saml2p:NameIDPolicy xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
     <saml2p:RequestedAuthnContext xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="minimum">
      <ns2:AuthnContextClassRef xmlns:ns2=urn:oasis:names:tc:SAML:2.0:assertion>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>
    </saml2p:AuthnRequest>

Why SiteMinder doesn't generate SAML requests based on the IDP requirement, with the following:

  1. All required namespace declarations in the base tag with namespace prefixes;
  2. Qualifying all subsequent tags with namespace prefixes; 

 

Environment

 

CA Access Gateway (SPS) 12.8.03
Policy Server 12.8.03

 

Resolution

 

This is as such because the prefix is not mandatory in the xml document. As such, the partner shouldn't request them  as mandatory neither. More, expecting the prefix saml2p at the first stage, this is a prefix which is valid but referenced nowhere in the OASIS documentation.

Looking at each element definition from OASIS, none of the elements have a mandatory prefix (1)(2)(3).

 

Additional Information

 

(1)

    3.4 Authentication Request Protocol
    

(2)

    3.4.1 Element <AuthnRequest>
    

(3)
    
    3.4.1.1 Element <NameIDPolicy>
    

Powered by Wolken Software