AuthnResponse contains a non-SAML-compliant timestamp

Article ID: 208775

Products

 CA Single Sign On Agents (SiteMinder);
 CA Single Sign On Secure Proxy Server (SiteMinder);
 SITEMINDER

Issue/Introduction

 

When a Policy Server and a CA Access Gateway run as IdP and create an
Assertion as SAMLResponse, the IssueInstant value does not follow the SAML
protocol (1). The time is expressed in local time rather than in UTC:

The SAMLRequest is sent to the CA Access Gateway with the time in Zulu (UTC) form:

   IssueInstant="2020-12-28T15:50:06Z"

and the CA Access Gateway (SPS) Federation Services returns the time in
local time, with a time zone offset:

   IssueInstant="2020-12-28T15:43:59.425+01:00"

The same behavior can be seen on the Web Agent Option Pack.

Here is the flow, with the details of the Assertions:

Test.saz:

Line 2:

Request:

GET http://sps.training.com/affwebservices/public/saml2sso?SAMLRequest=fZFRT8MgFIX%2FSsP7WtasriVrk%2BkeXDJjs1UffDEUqCNpAbkw9d9LV43zZQkvl3s%2FzjmXFdChN2Tt3VHtxbsX4KLPoVdAzo0SeauIpiCBKDoIII6Rw%2FphR9IYE2O100z36AK5TlAAYZ3UCkXbTYleF4znyyIrOBY8FxlfFnnXFUW2YGmbc54WC9bygmK8RNGzsBDIEoWHAg7gxVaBo8qFK5zi2TydpXkzz0iGCb55QdEmpJGKujN1dM4ASRIwEDtLpZLqLWZ6SGjXfYg2%2BDpJJiAxvu0lS8YsKYAelepgW55EiZz1AkXr3xB3WoEfhD1M7NN%2B9yczfIGJwxkV2DSHovpnYbdS8SB%2FfVftNATkvmnqWf14aFC1Gm2Rc3ZbgVkll%2FVU%2Ff%2FM6hs%3D

(<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007" Version="2.0"
IssueInstant="2020-12-28T15:50:06Z"
Destination="https://sps.training.com/affwebservices/public/saml2sso"
IsPassive="true"
AssertionConsumerServiceURL="https://mysp.sp.com/consume"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"><saml:Issuer>sp</saml:Issuer></samlp:AuthnRequest>)

Response:

  HTTP/1.1 200 OK
  Date: Mon, 28 Dec 2020 14:43:52 GMT
  Server: Apache/2.4.43 (Unix) mod_jk/1.2.48

  <form action="https://mysp.sp.com/consume" method="POST">

  <input type="hidden" name="SAMLResponse"
  value="PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9InllcyI/
  Pgo8UmVzcG9uc2UgSUQ9Il8yYjkxYTFjMGQ5ZTA2YjM3NjZiNWM3NGVlNTcwY2VkZjU1MTEiIEluUmV
  zcG9uc2VUbz0iXzRjZDg3OTU5ZDBlZDhlNWQ3OThmZjk5NTRjMmI4ZGQyOTRjYmQ5YTAwNyIgSXNzdW
  VJbnN0YW50PSIyMDIwLTEyLTI4VDE1OjQzOjU5LjQyNSswMTowMCIgVmVyc2lvbj0iMi4wIiB4bWxuc
  z0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIj48bnMxOklzc3VlciBGb3JtYXQ9
  InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSIgeG1sbnM6bnM
  xPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5zcHM8L25zMTpJc3N1ZXI+PF
  N0YXR1cz48U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1c
  zpSZXF1ZXN0ZXIiPjxTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6
  c3RhdHVzOk5vUGFzc2l2ZSIvPjwvU3RhdHVzQ29kZT48L1N0YXR1cz48L1Jlc3BvbnNlPgoK">
  
  (<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Response
  ID="_2b91a1c0d9e06b3766b5c74ee570cedf5511"
  InResponseTo="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007"
  IssueInstant="2020-12-28T15:43:59.425+01:00" Version="2.0"
  xmlns="urn:oasis:names:tc:SAML:2.0:protocol"><ns1:Issuer
  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
  xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">sps</ns1:Issuer><Status><StatusCode
  Value="urn:oasis:names:tc:SAML:2.0:status:Requester"><StatusCode
  Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/></StatusCode></Status></Response>)

FWSTrace.log:

  [12/28/2020][14:43:52][25050][140317858985728][158702f7-d1608030-b9b793d4-
  cba94ae1-a55a3f63-1f6f][SSO.java][doGet][Query String: SAMLRequest=fZFRT8MgFIX
  %2FSsP7WtasriVrk%2BkeXDJjs1UffDEUqCNpAbkw9d9LV43zZQkvl3s%2FzjmXFdChN2Tt3VHtxbs
  X4KLPoVdAzo0SeauIpiCBKDoIII6Rw%2FphR9IYE2O100z36AK5TlAAYZ3UCkXbTYleF4znyyIrOBY
  8FxlfFnnXFUW2YGmbc54WC9bygmK8RNGzsBDIEoWHAg7gxVaBo8qFK5zi2TydpXkzz0iGCb55QdEmp
  JGKujN1dM4ASRIwEDtLpZLqLWZ6SGjXfYg2%2BDpJJiAxvu0lS8YsKYAelepgW55EiZz1AkXr3xB3W
  oEfhD1M7NN%2B9yczfIGJwxkV2DSHovpnYbdS8SB%2FfVftNATkvmnqWf14aFC1Gm2Rc3ZbgVkll%2
  FVU%2Ff%2FM6hs%3D]

  [12/28/2020][14:43:52][25050][140317858985728][158702f7-d1608030-b9b793d4-
  cba94ae1-a55a3f63-1f6f][SSO.java][getAuthnRequestData][AuthnRequest: 
  <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_4cd87959d0ed8e5d79
  8ff9954c2b8dd294cbd9a007" Version="2.0" IssueInstant="2020-12-28T15:50:06Z" 
  Destination="https://sps.training.com/affwebservices/public/saml2sso" 
  IsPassive="true" AssertionConsumerServiceURL="https://mysp.sp.com/consume" 
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"><saml:Issuer>sp
  </saml:Issuer></samlp:AuthnRequest>]

  [12/28/2020][14:43:59][25050][140317858985728][158702f7-d1608030-b9b793d4-
  cba94ae1-a55a3f63-1f6f][SSO.java][sendPOSTBindingNoPassiveResponse]
  [SAMLResponse: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <Response ID="_2b91a1c0d9e06b3766b5c74ee570cedf5511" 
  InResponseTo="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007" 
  IssueInstant="2020-12-28T15:43:59.425+01:00" Version="2.0" 
  xmlns="urn:oasis:names:tc:SAML:2.0:protocol"><ns1:Issuer 
  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" 
  xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">sps</ns1:Issuer><Status>
  <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
  <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/>
  </StatusCode></Status></Response>

  ][12/28/2020][14:43:59][25050][140317858985728][158702f7-d1608030-b9b793d4
  -cba94ae1-a55a3f63-1f6f][SSO.java][sendSAMLResponse]
  [SAML2 Single Sign-On Service sending SAML Response: <?xml version="1.0" 
  encoding="UTF-8" standalone="yes"?><Response ID="_2b91a1c0d9e06b3766b5c74ee570cedf5511" 
  InResponseTo="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007" 
  IssueInstant="2020-12-28T15:43:59.425+01:00" Version="2.0" 
  xmlns="urn:oasis:names:tc:SAML:2.0:protocol"><ns1:Issuer 
  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" 
  xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">sps</ns1:Issuer><Status>
  <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
  <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/>
  </StatusCode></Status></Response>.]

smtracedefault.log:

  [12/28/2020][15:43:51.603][15:43:51][30735][140503237285632][SmMessage.cpp:557]
  [CSmMessage::ParseAgentMessage][s14/r5][sps-training-com][][][][][][][][][]
  [][][][][][][][][/affwebservices/public/saml2sso?SAMLRequest=fZFRT8MgFIX%2FSsP
  7WtasriVrk%2BkeXDJjs1UffDEUqCNpAbkw9d9LV43zZQkvl3s%2FzjmXFdChN2Tt3VHtxbsX4KLPo
  VdAzo0SeauIpiCBKDoIII6Rw%2FphR9IYE2O100z36AK5TlAAYZ3UCkXbTYleF4znyyIrOBY8FxlfF
  nnXFUW2YGmbc54WC9bygmK8RNGzsBDIEoWHAg7gxVaBo8qFK5zi2TydpXkzz0iGCb55QdEmpJGKujN
  1dM4ASRIwEDtLpZLqLWZ6SGjXfYg2%2BDpJJiAxvu0lS8YsKYAelepgW55EiZz1AkXr3xB3WoEfhD1
  M7NN%2B9yczfIGJwxkV2DSHovpnYbdS8SB%2FfVftNATkvmnqWf14aFC1Gm2Rc3ZbgVkll%2FVU%2F
  f%2FM6hs%3D]
  [Receive request attribute 201, data size is 480][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][]

  [12/28/2020][15:43:52.301][15:43:52][30735][140503237285632][CServer.cpp:6557]
  [CServer::Tunnel][158702f7-d1608030-b9b793d4-cba94ae1-a55a3f63-1f6f][][][]
  [][][][][][][][][][][::ffff:192.168.1.108][][][][Lib='smjavaapi', 
  Func='JavaTunnelService', Params='com.netegrity.saml2ps.tunnel.
  SAMLSPbyIDTunnelService', Server='', Device=''][] 
  [Resolved all the input parameters][][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][]

 

Environment

 

 CA Access Gateway (SPS) 12.8SP4 on RedHat 8;
 Web Agent Option Pack 12.52SP1CR08 on Tomcat 8.5.53 on RedHat 7;

 

Resolution

 

As of June 4th, 2021, the fix is planned for the next version of the
Web Agent Option Pack, which is expected to be 12.52SP1CR12.

When running CA Access Gateway (SPS), upgrade to 12.8SP5 to solve this
issue.

 

Additional Information

 

(1)

    1.3.3 Time Values

      All SAML time values have the type xs:dateTime, which is built in to
      the W3C XML Schema Datatypes specification [Schema2], and MUST be
      expressed in UTC form, with no time zone component.  SAML system
      entities SHOULD NOT rely on time resolution finer than
      milliseconds. Implementations MUST NOT generate time instants that
      specify leap seconds.

      p.9

    IssueInstant [Required]

      The time instant of issue in UTC, as described in Section 1.3.3.

    https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
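As an added example (not part of this article and not CA/SiteMinder product code), the following Python check extracts the IssueInstant from a samlp:Response, tests it against the Section 1.3.3 UTC-form requirement quoted above, and normalises an offset form such as the captured "+01:00" value to the "Z" form an SP expects. The sample Response is a trimmed copy of the one captured above; the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# SAML Core 1.3.3: xs:dateTime in UTC form with no time zone component,
# i.e. a trailing "Z" and no "+hh:mm"/"-hh:mm" offset, at most ms resolution.
UTC_FORM = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,3})?Z$")

# Constructed sample: trimmed copy of the non-compliant Response captured above.
RESPONSE_LOCAL_TIME = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Response ID="_2b91a1c0d9e06b3766b5c74ee570cedf5511" '
    'InResponseTo="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007" '
    'IssueInstant="2020-12-28T15:43:59.425+01:00" Version="2.0" '
    'xmlns="urn:oasis:names:tc:SAML:2.0:protocol"><Status>'
    '<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>'
    '</Status></Response>'
)


def issue_instant(xml_text):
    """Return the IssueInstant attribute of a top-level samlp:Response."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % SAMLP:
        raise ValueError("not a SAML 2.0 Response: %s" % root.tag)
    return root.attrib["IssueInstant"]


def is_saml_utc_form(value):
    """True only for the UTC form SAML requires, e.g. 2020-12-28T15:50:06Z."""
    return UTC_FORM.match(value) is not None


def to_utc_form(value):
    """Convert an xs:dateTime with an offset (or "Z") to the required "Z" form."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("IssueInstant carries no time zone: %s" % value)
    dt = dt.astimezone(timezone.utc)
    ms = dt.microsecond // 1000          # keep millisecond resolution at most
    base = dt.strftime("%Y-%m-%dT%H:%M:%S")
    return "%s.%03dZ" % (base, ms) if ms else base + "Z"


def check_response(xml_text):
    """Return (compliant, raw IssueInstant, UTC-form equivalent) for a Response."""
    value = issue_instant(xml_text)
    return is_saml_utc_form(value), value, to_utc_form(value)
```

Run against the captured Response, the check flags 2020-12-28T15:43:59.425+01:00 as non-compliant and gives 2020-12-28T14:43:59.425Z as its UTC equivalent, which lines up with the 14:43:59 entries in FWSTrace.log.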