Seeing error "No confirmation method selected. Rejecting all assertions" when migrating custom XML Agent from WSS SDK R12.0 SP3 to WSS SDK R12.52 SP1


Article ID: 16947


Products

CA Single Sign On Secure Proxy Server (SiteMinder)

AXIOMATICS POLICY SERVER

CA Single Sign On SOA Security Manager (SiteMinder)

CA Single Sign-On

Issue/Introduction



We are currently migrating our environment to R12.6, and as part of this migration we are also updating our custom XML Agents built with WSS SDK R12.0 SP3 to the latest version, R12.52 SP1. However, we are seeing differences in how the same code behaves when running tests, which cause the agent to not work properly, as it seems it does not recognize the message body as a SAML assertion.

We see the following error when we check the SDK debug logs:

189215 2017-09-23 12:41:15,753 [http-nio-27200-exec-10] DEBUG com.netegrity.tm.contenthelper.handler.authentication.WSSecuritySAMLAuthHandler  - No confirmation method selected. Rejecting all assertions.
189215 2017-09-23 12:41:15,753 [http-nio-27200-exec-10] DEBUG com.netegrity.tm.contenthelper.handler.HandlerServiceManager  - dispatch request failed. 

Environment

WSS SDK R12.52 SP1

Policy Server R12.6

Resolution

The assertion is rejected because of a configuration issue: the error above is logged when none of the options under SAML Token Restrictions is selected in the WSS Authentication Scheme.

The following line from the SDK debug logs shows which options are selected:

189215 2017-09-23 12:41:15,753 [http-nio-27200-exec-10] DEBUG com.netegrity.tm.contenthelper.handler.authentication.WSSecuritySAMLAuthHandler  - hk flag: false; sv flag: false; bearer flag: false; supportingSigsRequired flag: false; timestamp flag: false; timestamp skew (sec): 30; ssl flag: false; ssl keystore flag: false; role: null

In the authentication scheme you need to select one of the SAML Token Restrictions according to your requirements to solve the issue:

Allow sender-vouches

Allow bearer

Allow holder-of-key
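
To check which restrictions a running agent has actually loaded, the flag line shown above can be parsed directly from the SDK debug log. The following is an added example, not part of the original article or of the WSS SDK; the mapping of the `hk` and `sv` flags to the holder-of-key and sender-vouches options is an assumption based on the flag names.

```python
import re

# Flag line copied from the article above.
SAMPLE_LINE = (
    "189215 2017-09-23 12:41:15,753 [http-nio-27200-exec-10] DEBUG "
    "com.netegrity.tm.contenthelper.handler.authentication.WSSecuritySAMLAuthHandler  - "
    "hk flag: false; sv flag: false; bearer flag: false; "
    "supportingSigsRequired flag: false; timestamp flag: false; "
    "timestamp skew (sec): 30; ssl flag: false; ssl keystore flag: false; role: null"
)

# Assumed mapping from log flag names to the SAML Token Restrictions options.
CONFIRMATION_FLAGS = {
    "hk": "Allow holder-of-key",
    "sv": "Allow sender-vouches",
    "bearer": "Allow bearer",
}

FLAG_RE = re.compile(r"([A-Za-z][\w ]*?) flag: (true|false)")


def parse_flags(line):
    """Return {flag_name: bool} for a handler flag line, or None for other lines."""
    if "WSSecuritySAMLAuthHandler" not in line or "hk flag:" not in line:
        return None
    _, _, payload = line.partition(" - ")
    return {name.strip(): value == "true" for name, value in FLAG_RE.findall(payload)}


def enabled_confirmation_methods(line):
    """List the enabled options; an empty list means every assertion is rejected."""
    flags = parse_flags(line)
    if flags is None:
        return None
    return [label for key, label in CONFIRMATION_FLAGS.items() if flags.get(key)]


def audit(lines):
    """Yield (line_number, enabled_options) for every flag line found."""
    for number, line in enumerate(lines, start=1):
        enabled = enabled_confirmation_methods(line)
        if enabled is not None:
            yield number, enabled


if __name__ == "__main__":
    for number, enabled in audit([SAMPLE_LINE]):
        print(f"line {number}: enabled = {enabled or 'NONE, all assertions rejected'}")
```

Run against the log after changing the authentication scheme, an empty result means the agent is still using the old configuration.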