We are currently migrating our environment to R12.6, and as part of this migration we are also updating our custom XML Agents built with WSS SDK R12.0 SP3 to the latest version R12.52 SP1, but we are seeing differences in how the same code behaves when running tests and causes the agent to not work properly, as it seems it does not recognize the message body as a SAML assertion.

We see the following error when we check the SDK debug logs:

189215 2017-09-23 12:41:15,753 [http-nio-27200-exec-10] DEBUG com.netegrity.tm.contenthelper.handler.authentication.WSSecuritySAMLAuthHandler  - No confirmation method selected. Rejecting all assertions.
189215 2017-09-23 12:41:15,753 [http-nio-27200-exec-10] DEBUG com.netegrity.tm.contenthelper.handler.HandlerServiceManager  - dispatch request failed. 

WSS SDK R12.52 SP1Policy Server R12.6

The assertion is being rejected due to a configuration issue, as the error above is due to having none of the Options under SAML Token Restrictions selected in the WSS Authentication Scheme

The following line from the SDK debug logs show which options are selected:

189215 2017-09-23 12:41:15,753 [http-nio-27200-exec-10] DEBUG com.netegrity.tm.contenthelper.handler.authentication.WSSecuritySAMLAuthHandler  - hk flag: false; sv flag: false; bearer flag: false; supportingSigsRequired flag: false; timestamp flag: false; timestamp skew (sec): 30; ssl flag: false; ssl keystore flag: false; role: null

In the authentication scheme you need to select one of the SAML Token Restrictions according to your requirements to solve the issue:

Allow sender-vouches

Allow bearer

Allow holder-of-key