SP initiated transaction reporting 500 error at Siteminder IDP service url - Transient Identifier NameID Format

Article ID: 201584
Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction

 

We're running a Policy Server on the IdP side, and when a user initiates
a transaction from the SP, the Policy Server cannot handle the SAML request
and returns an error:

  [11:53:12][AssertionGenerator.java][ERROR][sm-FedServer-00080]
  preProcess() returns fatal error. 
  
  <Response ID="_9f7b483c64f9e40a22bf702ee59431248870"
  InResponseTo="_7391846a-a830-46e3-8610-ff7145098073_1142e754-fb7c-48c3-9d93-a490402366e9"
  IssueInstant="2020-10-01T10:53:12Z" Version="2.0"
  xmlns="urn:oasis:names:tc:SAML:2.0:protocol"> 
   <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">
   myfedidp
   </ns1:Issuer>
   <Status> 
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
    <StatusMessage>
     Configuration error.
    </StatusMessage> 
   </Status>
  </Response>

We've configured "NameID Format" as "Transient Identifier", as the SP
partner requested.

But when configuring this, we got this warning in the AdminUI
browser:

  Selected Name ID format is not supported by both the local and remote entities.

How can we fix this?

 

Cause

 

As per the OASIS standards, both sides should be configured the same
way. Thus the Transient Identifier should be configured on both sides,
and in both entities (local and remote) on your side.

Assertions and Protocols for the OASIS Security Assertion Markup
Language (SAML) V2.0

  1.3.4 ID and ID Reference Values

    The mechanism by which a SAML system entity ensures that the
    identifier is unique is left to the implementation. In the case that
    a random or pseudorandom technique is employed, the probability of
    two randomly chosen identifiers being identical MUST be less than or
    equal to 2

  8.3.8 Transient Identifier

    URI: urn:oasis:names:tc:SAML:2.0:nameid-format:transient

    Indicates that the content of the element is an identifier with
    transient semantics and SHOULD be treated as an opaque and temporary
    value by the relying party. Transient identifier values MUST be
    generated in accordance with the rules for SAML identifiers (see
    Section 1.3.4), and MUST NOT exceed a length of 256 characters.

    The NameQualifier and SPNameQualifier attributes MAY be used to
    signify that the identifier represents a transient and temporary
    pair-wise identifier. In such a case, they MAY be omitted in
    accordance with the rules specified in Section 8.3.7.

https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

Name Identifier Profiles and Management in SAML 2.0

  3.6 Transient Identifiers

    SAML 2.0 shall provide a facility enabling a principal's identity
    to be reflected to relying parties anonymously (in effect), using
    non-persistent identifiers. Identifiers of this type may be
    obtained upon relying party request; additionally, principals may
    designate that they are to be so represented to relying parties
    within the scope of a session. This facility shall be applicable
    independent of whether or not the principal has a federation
    relationship between the SAML authentication authority and any of
    the relying parties receiving assertions within the
    session. Desirably, it should be possible for a principal to
    request and/or configure use of this facility at the granularity
    of individual relying parties.

https://www.oasis-open.org/committees/download.php/4587

 

Environment

 

Policy Server 12.8SP3 on RedHat 6

 

Resolution

 

At first glance, the message you get when configuring the Partnership
comes from the fact that one of the two entities (IdP or SP) does not
have the Transient Identifier configured.

According to the code, both the IdP and the SP entities must list
"Transient Identifier" as a supported format; the AdminUI warning is
raised as soon as either side lacks it, and the Policy Server then
rejects the SP-initiated request with a "Configuration error." status.

To solve the issue, make sure that both IdP and SP entities have
Transient Identifier selected:

  SAML Local IDP

    Supported Name ID Formats and Attributes
    Transient Identifier

  SAML 2.0 Remote SP

    Supported Name ID Formats
    Transient Identifier
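The two checks this article turns on are (1) that the requested NameID format is advertised by both the local IdP and the remote SP, and (2) that a transient identifier is built the way SAML Core 1.3.4 and 8.3.8 require (at least 128 bits of randomness, at most 256 characters). The script below is an added example, not code from the article or from the SiteMinder product: it parses constructed sample SAML metadata for the two entities, reproduces the "not supported by both" condition, generates a spec-conformant transient identifier, and extracts the status from a `samlp:Response` shaped like the error in the Issue section. The entity IDs, metadata contents and function names are assumptions made for the example.

```python
# Added example (not from the KB article or SiteMinder): NameID format
# consistency check between IdP and SP metadata, transient-ID generation per
# SAML Core 1.3.4 / 8.3.8, and status extraction from an error Response.
import secrets
import xml.etree.ElementTree as ET
from typing import Optional, Set, Tuple

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample metadata. The local IdP advertises transient; the remote
# SP below does not, which is the mismatch the AdminUI warns about.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="myfedidp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SP_METADATA_MISMATCH = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Same SP after the fix: Transient Identifier added to its supported formats.
SP_METADATA_FIXED = SP_METADATA_MISMATCH.replace(
    "<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>",
    "<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>\n"
    "    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>",
)

# Constructed Response mirroring the error in the article (assertion namespace
# prefixed, protocol namespace default, as in the logged message).
ERROR_RESPONSE = """<Response ID="_9f7b483c64f9e40a22bf702ee59431248870" Version="2.0"
  IssueInstant="2020-10-01T10:53:12Z" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
  <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">myfedidp</ns1:Issuer>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
    <StatusMessage>
      Configuration error.
    </StatusMessage>
  </Status>
</Response>"""


def supported_nameid_formats(metadata_xml: str) -> Set[str]:
    """Collect every md:NameIDFormat value in an EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    tag = "{%s}NameIDFormat" % NS["md"]
    return {el.text.strip() for el in root.iter(tag) if el.text}


def check_nameid_format(requested: str, idp_xml: str, sp_xml: str) -> Tuple[bool, str]:
    """Return (ok, message). Mirrors the AdminUI rule: the selected format must
    appear in the supported list of both the local and the remote entity."""
    sides = (("local IdP", supported_nameid_formats(idp_xml)),
             ("remote SP", supported_nameid_formats(sp_xml)))
    missing = [name for name, formats in sides if requested not in formats]
    if missing:
        return False, "Selected Name ID format is not supported by: " + ", ".join(missing)
    return True, "Selected Name ID format is supported by both entities"


def generate_transient_id(nbytes: int = 16) -> str:
    """Core 1.3.4 wants collision probability <= 2^-128 for random IDs, so draw
    at least 128 bits from a CSPRNG; 8.3.8 caps the value at 256 characters.
    The leading underscore keeps the value a valid xs:ID (no leading digit)."""
    if nbytes < 16:
        raise ValueError("need at least 128 bits of entropy")
    value = "_" + secrets.token_hex(nbytes)
    if len(value) > 256:
        raise ValueError("transient identifier exceeds 256 characters")
    return value


def response_status(response_xml: str) -> Tuple[Optional[str], Optional[str]]:
    """Extract (StatusCode Value, StatusMessage text) from a samlp:Response, so a
    Responder/"Configuration error." answer can be spotted in SP-side logs."""
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    msg = root.find("samlp:Status/samlp:StatusMessage", NS)
    return (code.get("Value") if code is not None else None,
            msg.text.strip() if msg is not None and msg.text else None)


if __name__ == "__main__":
    print(check_nameid_format(TRANSIENT, IDP_METADATA, SP_METADATA_MISMATCH))
    print(check_nameid_format(TRANSIENT, IDP_METADATA, SP_METADATA_FIXED))
    print(generate_transient_id())
    print(response_status(ERROR_RESPONSE))
```

Run against the mismatched metadata the checker names the remote SP as the side missing the format, which is the situation behind the warning; against the fixed metadata it passes. The status extractor is what an SP-side operator would use to recognise the `Responder` / "Configuration error." answer before digging into the IdP's FedServer log.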