When a Policy Server and a CA Access Gateway act as IdP and build an Assertion/SAMLResponse, the IssueInstant value they emit does not follow the SAML 2.0 protocol (1): the time is expressed as local time with a numeric offset instead of UTC.
The SAMLRequest is sent to CA Access Gateway with Zulu time:
IssueInstant="2020-12-28T15:50:06Z"
and the CA Access Gateway (SPS) Federation Services returns local time:
IssueInstant="2020-12-28T15:43:59.425+01:00"
Both values denote an unambiguous instant (15:43:59.425+01:00 is 14:43:59.425Z, which matches the Date header of the captured HTTP response below), but the specification only allows the "Z" form, so a Service Provider that validates xs:dateTime strictly may reject the Response even though its clock agrees with the IdP.
The same behavior can be seen on the Web Agent Option Pack.
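The check a Service Provider engineer would want here, as an added example that is not part of this article or of the CA/Broadcom product code: it parses the AuthnRequest and the Response captured in this article exactly as shown, flags IssueInstant values that are not in the UTC "Z" form required by saml-core section 1.3.3, normalises them to UTC so the two sides can be compared, ties the Response to its request through InResponseTo, and serialises an instant back in the compliant form. RESPONSE_FIXED is constructed (not a capture) to show what a corrected gateway should emit; the 5-minute skew tolerance is an assumed typical value, not a product setting.

```python
"""Check SAML 2.0 IssueInstant values against saml-core 1.3.3 (UTC, trailing 'Z')
and normalise them to UTC so request and response times can be compared."""
import re
import xml.etree.ElementTree as ET  # parse untrusted SAML with defusedxml in production
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ISSUING_ELEMENTS = {f"{{{SAMLP}}}AuthnRequest", f"{{{SAMLP}}}Response", f"{{{SAML}}}Assertion"}

# Exactly what the spec allows: UTC with a trailing 'Z', optional fractional seconds.
COMPLIANT_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")
# What we are willing to *parse*: 'Z' or a numeric offset; a zone-less value is rejected.
PARSE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(\.\d+)?(Z|[+-]\d{2}:\d{2})$")

# AuthnRequest and Response exactly as captured in the article.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007" Version="2.0" '
    'IssueInstant="2020-12-28T15:50:06Z" '
    'Destination="https://sps.training.com/affwebservices/public/saml2sso" '
    'IsPassive="true" AssertionConsumerServiceURL="https://mysp.sp.com/consume" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>sp</saml:Issuer></samlp:AuthnRequest>'
)
RESPONSE = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Response ID="_2b91a1c0d9e06b3766b5c74ee570cedf5511" '
    'InResponseTo="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007" '
    'IssueInstant="2020-12-28T15:43:59.425+01:00" Version="2.0" '
    'xmlns="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" '
    'xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">sps</ns1:Issuer>'
    '<Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">'
    '<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/>'
    '</StatusCode></Status></Response>'
)
# Constructed: the same Response as a fixed gateway should serialise it (not a real capture).
RESPONSE_FIXED = RESPONSE.replace('IssueInstant="2020-12-28T15:43:59.425+01:00"',
                                  'IssueInstant="2020-12-28T14:43:59.425Z"')


def is_compliant_instant(value):
    """True only for the UTC 'Z' form required by saml-core 1.3.3."""
    return COMPLIANT_RE.match(value) is not None


def parse_instant(value):
    """Parse an xs:dateTime carrying 'Z' or a numeric offset into an aware UTC datetime.
    A non-compliant '+01:00' value still yields the correct absolute instant; a value
    with no zone at all is ambiguous and is rejected."""
    m = PARSE_RE.match(value)
    if not m:
        raise ValueError(f"unsupported xs:dateTime: {value!r}")
    base, frac, zone = m.groups()
    micro = int((frac or ".")[1:].ljust(6, "0")[:6])  # keep at most microseconds
    if zone == "Z":
        tz = timezone.utc
    else:
        sign = 1 if zone[0] == "+" else -1
        tz = timezone(sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[4:6])))
    local = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(microsecond=micro, tzinfo=tz)
    return local.astimezone(timezone.utc)


def to_saml_instant(dt):
    """Serialise an aware datetime as the spec wants it: UTC, trailing 'Z', millisecond precision
    (1.3.3 says entities SHOULD NOT rely on anything finer than milliseconds)."""
    utc = dt.astimezone(timezone.utc)
    text = utc.strftime("%Y-%m-%dT%H:%M:%S")
    if utc.microsecond:
        text += f".{utc.microsecond // 1000:03d}"
    return text + "Z"


def check_message(xml_text):
    """Return the root element's identifiers plus the raw and UTC-normalised IssueInstant."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    if root.tag not in ISSUING_ELEMENTS:
        raise ValueError(f"unexpected root element {root.tag}")
    instant = root.get("IssueInstant")
    if instant is None:
        raise ValueError("IssueInstant is required on " + root.tag)
    return {
        "element": root.tag.rsplit("}", 1)[1],
        "id": root.get("ID"),
        "in_response_to": root.get("InResponseTo"),
        "issue_instant": instant,
        "compliant": is_compliant_instant(instant),
        "utc": parse_instant(instant),
    }


def correlate(request_xml, response_xml, max_skew=timedelta(minutes=5)):
    """Tie a Response to its AuthnRequest and compare their issue times in UTC.
    max_skew is an assumed tolerance, not a product setting."""
    req = check_message(request_xml)
    rsp = check_message(response_xml)
    if rsp["in_response_to"] != req["id"]:
        raise ValueError("InResponseTo does not match the AuthnRequest ID")
    delta = rsp["utc"] - req["utc"]
    return {
        "request_compliant": req["compliant"],
        "response_compliant": rsp["compliant"],
        "response_minus_request_seconds": delta.total_seconds(),
        "within_skew": abs(delta) <= max_skew,
    }


if __name__ == "__main__":
    for name, doc in (("AuthnRequest", AUTHN_REQUEST), ("Response", RESPONSE),
                      ("Response (fixed)", RESPONSE_FIXED)):
        r = check_message(doc)
        print(f"{name}: {r['issue_instant']} compliant={r['compliant']} "
              f"utc={to_saml_instant(r['utc'])}")
    print(correlate(AUTHN_REQUEST, RESPONSE))
```

Two things the run makes visible. First, the gateway's value carries an explicit offset, so normalisation recovers 2020-12-28T14:43:59.425Z, the same second as the HTTP Date header in the capture; the defect is in the form of the value, not in the instant. Second, once both sides are in UTC, the AuthnRequest's own IssueInstant (15:50:06Z) turns out to be about 66 minutes ahead of the gateway's clock, which is why within_skew is False; that is a separate clock problem on the SP side of this test setup and is not explained by the offset bug, but it is easy to misread if you compare the two raw strings by eye.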
Here are the flow and the details of the messages exchanged:
Test.saz (Fiddler capture), line 2:
Request:
GET http://sps.training.com/affwebservices/public/saml2sso?SAMLRequest=fZFRT8MgFIX%2FSsP7WtasriVrk%2BkeXDJjs1UffDEUqCNpAbkw9d9LV43zZQkvl3s%2FzjmXFdChN2Tt3VHtxbsX4KLPoVdAzo0SeauIpiCBKDoIII6Rw%2FphR9IYE2O100z36AK5TlAAYZ3UCkXbTYleF4znyyIrOBY8FxlfFnnXFUW2YGmbc54WC9bygmK8RNGzsBDIEoWHAg7gxVaBo8qFK5zi2TydpXkzz0iGCb55QdEmpJGKujN1dM4ASRIwEDtLpZLqLWZ6SGjXfYg2%2BDpJJiAxvu0lS8YsKYAelepgW55EiZz1AkXr3xB3WoEfhD1M7NN%2B9yczfIGJwxkV2DSHovpnYbdS8SB%2FfVftNATkvmnqWf14aFC1Gm2Rc3ZbgVkll%2FVU%2Ff%2FM6hs%3D
(<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007" Version="2.0"
IssueInstant="2020-12-28T15:50:06Z"
Destination="https://sps.training.com/affwebservices/public/saml2sso"
IsPassive="true"
AssertionConsumerServiceURL="https://mysp.sp.com/consume"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"><saml:Issuer>sp</saml:Issuer></samlp:AuthnRequest>)
Response:
HTTP/1.1 200 OK
Date: Mon, 28 Dec 2020 14:43:52 GMT
Server: Apache/2.4.43 (Unix) mod_jk/1.2.48
<form action="https://mysp.sp.com/consume" method="POST">
<input type="hidden" name="SAMLResponse"
value="PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9InllcyI/
Pgo8UmVzcG9uc2UgSUQ9Il8yYjkxYTFjMGQ5ZTA2YjM3NjZiNWM3NGVlNTcwY2VkZjU1MTEiIEluUmV
zcG9uc2VUbz0iXzRjZDg3OTU5ZDBlZDhlNWQ3OThmZjk5NTRjMmI4ZGQyOTRjYmQ5YTAwNyIgSXNzdW
VJbnN0YW50PSIyMDIwLTEyLTI4VDE1OjQzOjU5LjQyNSswMTowMCIgVmVyc2lvbj0iMi4wIiB4bWxuc
z0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIj48bnMxOklzc3VlciBGb3JtYXQ9
InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSIgeG1sbnM6bnM
xPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5zcHM8L25zMTpJc3N1ZXI+PF
N0YXR1cz48U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1c
zpSZXF1ZXN0ZXIiPjxTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6
c3RhdHVzOk5vUGFzc2l2ZSIvPjwvU3RhdHVzQ29kZT48L1N0YXR1cz48L1Jlc3BvbnNlPgoK">
(<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Response
ID="_2b91a1c0d9e06b3766b5c74ee570cedf5511"
InResponseTo="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007"
IssueInstant="2020-12-28T15:43:59.425+01:00" Version="2.0"
xmlns="urn:oasis:names:tc:SAML:2.0:protocol"><ns1:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">sps</ns1:Issuer><Status><StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Requester"><StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/></StatusCode></Status></Response>)
FWSTrace.log:
[12/28/2020][14:43:52][25050][140317858985728][158702f7-d1608030-b9b793d4-
cba94ae1-a55a3f63-1f6f][SSO.java][doGet][Query String: SAMLRequest=fZFRT8MgFIX
%2FSsP7WtasriVrk%2BkeXDJjs1UffDEUqCNpAbkw9d9LV43zZQkvl3s%2FzjmXFdChN2Tt3VHtxbs
X4KLPoVdAzo0SeauIpiCBKDoIII6Rw%2FphR9IYE2O100z36AK5TlAAYZ3UCkXbTYleF4znyyIrOBY
8FxlfFnnXFUW2YGmbc54WC9bygmK8RNGzsBDIEoWHAg7gxVaBo8qFK5zi2TydpXkzz0iGCb55QdEmp
JGKujN1dM4ASRIwEDtLpZLqLWZ6SGjXfYg2%2BDpJJiAxvu0lS8YsKYAelepgW55EiZz1AkXr3xB3W
oEfhD1M7NN%2B9yczfIGJwxkV2DSHovpnYbdS8SB%2FfVftNATkvmnqWf14aFC1Gm2Rc3ZbgVkll%2
FVU%2Ff%2FM6hs%3D]
[12/28/2020][14:43:52][25050][140317858985728][158702f7-d1608030-b9b793d4-
cba94ae1-a55a3f63-1f6f][SSO.java][getAuthnRequestData][AuthnRequest:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_4cd87959d0ed8e5d79
8ff9954c2b8dd294cbd9a007" Version="2.0" IssueInstant="2020-12-28T15:50:06Z"
Destination="https://sps.training.com/affwebservices/public/saml2sso"
IsPassive="true" AssertionConsumerServiceURL="https://mysp.sp.com/consume"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"><saml:Issuer>sp
</saml:Issuer></samlp:AuthnRequest>]
[12/28/2020][14:43:59][25050][140317858985728][158702f7-d1608030-b9b793d4-
cba94ae1-a55a3f63-1f6f][SSO.java][sendPOSTBindingNoPassiveResponse]
[SAMLResponse: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Response ID="_2b91a1c0d9e06b3766b5c74ee570cedf5511"
InResponseTo="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007"
IssueInstant="2020-12-28T15:43:59.425+01:00" Version="2.0"
xmlns="urn:oasis:names:tc:SAML:2.0:protocol"><ns1:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">sps</ns1:Issuer><Status>
<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/>
</StatusCode></Status></Response>
][12/28/2020][14:43:59][25050][140317858985728][158702f7-d1608030-b9b793d4
-cba94ae1-a55a3f63-1f6f][SSO.java][sendSAMLResponse]
[SAML2 Single Sign-On Service sending SAML Response: <?xml version="1.0"
encoding="UTF-8" standalone="yes"?><Response ID="_2b91a1c0d9e06b3766b5c74ee570cedf5511"
InResponseTo="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007"
IssueInstant="2020-12-28T15:43:59.425+01:00" Version="2.0"
xmlns="urn:oasis:names:tc:SAML:2.0:protocol"><ns1:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">sps</ns1:Issuer><Status>
<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/>
</StatusCode></Status></Response>.]
smtracedefault.log:
[12/28/2020][15:43:51.603][15:43:51][30735][140503237285632][SmMessage.cpp:557]
[CSmMessage::ParseAgentMessage][s14/r5][sps-training-com][][][][][][][][][]
[][][][][][][][][/affwebservices/public/saml2sso?SAMLRequest=fZFRT8MgFIX%2FSsP
7WtasriVrk%2BkeXDJjs1UffDEUqCNpAbkw9d9LV43zZQkvl3s%2FzjmXFdChN2Tt3VHtxbsX4KLPo
VdAzo0SeauIpiCBKDoIII6Rw%2FphR9IYE2O100z36AK5TlAAYZ3UCkXbTYleF4znyyIrOBY8FxlfF
nnXFUW2YGmbc54WC9bygmK8RNGzsBDIEoWHAg7gxVaBo8qFK5zi2TydpXkzz0iGCb55QdEmpJGKujN
1dM4ASRIwEDtLpZLqLWZ6SGjXfYg2%2BDpJJiAxvu0lS8YsKYAelepgW55EiZz1AkXr3xB3WoEfhD1
M7NN%2B9yczfIGJwxkV2DSHovpnYbdS8SB%2FfVftNATkvmnqWf14aFC1Gm2Rc3ZbgVkll%2FVU%2F
f%2FM6hs%3D]
[Receive request attribute 201, data size is 480][][][][][][][][][][][][][]
[][][][][][][][][][][][][][][][][][][][][][][][][]
[12/28/2020][15:43:52.301][15:43:52][30735][140503237285632][CServer.cpp:6557]
[CServer::Tunnel][158702f7-d1608030-b9b793d4-cba94ae1-a55a3f63-1f6f][][][]
[][][][][][][][][][][::ffff:192.168.1.108][][][][Lib='smjavaapi',
Func='JavaTunnelService', Params='com.netegrity.saml2ps.tunnel.
SAMLSPbyIDTunnelService', Server='', Device=''][]
[Resolved all the input parameters][][][][][][][][][][][][][][][][][][][][]
[][][][][][][][][][][][][][][][][][]
CA Access Gateway (SPS) 12.8SP4 on RedHat 8;
Web Agent Option Pack 12.52SP1CR08 on Tomcat 8.5.53 on RedHat 7;
The fix will be available in the next version of the Web Agent Option Pack, which is expected to be 12.8.
When running CA Access Gateway (SPS), upgrade to 12.8SP5 to solve this issue.
To confirm the fix after upgrading, decode a SAMLResponse and check that the IssueInstant on the Response, and on any Assertion it carries, is in UTC with a trailing "Z" (for the capture above that would read IssueInstant="2020-12-28T14:43:59.425Z"). Until the upgrade, be aware that a Service Provider which parses the offset gets the correct instant, while one that enforces the "Z" form will reject the message.
(1) SAML V2.0 Core (saml-core-2.0-os), https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
Section 1.3.3 Time Values (p. 9):
"All SAML time values have the type xs:dateTime, which is built in to the W3C XML Schema Datatypes specification [Schema2], and MUST be expressed in UTC form, with no time zone component. SAML system entities SHOULD NOT rely on time resolution finer than milliseconds. Implementations MUST NOT generate time instants that specify leap seconds."
IssueInstant [Required]: "The time instant of issue in UTC, as described in Section 1.3.3."