When a Policy Server and a CA Access Gateway act as IdP, the SAMLResponse they build carries an IssueInstant that does not follow the SAML 2.0 protocol (SAML 2.0 Core, section 1.3.3, requires every time value in UTC form with the "Z" designator). The value is emitted in local time with a numeric offset instead of UTC:
The SAMLRequest reaches CA Access Gateway with the IssueInstant in Zulu (UTC) form:
IssueInstant="2020-12-28T15:50:06Z"
and the CA Access Gateway (SPS) Federation Services answer with the IssueInstant in local time:
IssueInstant="2020-12-28T15:43:59.425+01:00"
The same behavior is seen with the Web Agent Option Pack. A numeric offset such as +01:00 is still a valid xs:dateTime and denotes the correct instant, so the impact depends on the Service Provider: an SP that enforces the UTC form rejects the Response, and an SP that drops the offset and reads the wall-clock part as UTC misplaces the instant by the offset (one hour here), which can push it outside the SP's clock-skew tolerance.
The flow and details of the exchange:
Test.saz :
Line 2 :
Request :
GET http://_idp._idpdomain._com/affwebservices/public/saml2sso?SAMLRequest=fZFRT8 [...omitted for brevity...] 2FM6hs%3D
(<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007" Version="2.0" IssueInstant="2020-12-28T15:50:06Z" Destination="https://_idp._idpdomain._com/affwebservices/public/saml2sso" IsPassive="true" AssertionConsumerServiceURL="https://_sp._sp._com/consume" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"><saml:Issuer>sp</saml:Issuer></samlp:AuthnRequest>)
Response :
HTTP/1.1 200 OK
Date: Mon, 28 Dec 2020 14:43:52 GMT
Server: Apache/2.4.43 (Unix) mod_jk/1.2.48
<form action="https://_sp._sp._com/consume" method="POST">
<input type="hidden" name="SAMLResponse" value="PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9InllcyI/ [...omitted for brevity...] c3RhdHVzOk5vUGFzc2l2ZSIvPjwvU3RhdHVzQ29kZT48L1N0YXR1cz48L1Jlc3BvbnNlPgoK">
(<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Response ID="_2b91a1c0d9e06b3766b5c74ee570cedf5511" InResponseTo="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007" IssueInstant="2020-12-28T15:43:59.425+01:00" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">sps</ns1:Issuer><Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/></StatusCode></Status></Response>)
FWSTrace.log :
[12/28/2020][14:43:52][25050][140317858985728][158702f7-d1608030-b9b793d4-cba94ae1-a55a3f63-1f6f][SSO.java][doGet][Query String: SAMLRequest=fZFRT8MgFIX [...omitted for brevity...] FVU%2Ff%2FM6hs%3D]
[12/28/2020][14:43:52][25050][140317858985728][158702f7-d1608030-b9b793d4-cba94ae1-a55a3f63-1f6f][SSO.java][getAuthnRequestData][AuthnRequest: <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007" Version="2.0" IssueInstant="2020-12-28T15:50:06Z" Destination="https://_idp._idpdomain._com/affwebservices/public/saml2sso" IsPassive="true" AssertionConsumerServiceURL="https://_sp._sp._com/consume" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"><saml:Issuer>sp</saml:Issuer></samlp:AuthnRequest>]
[12/28/2020][14:43:59][25050][140317858985728][158702f7-d1608030-b9b793d4-cba94ae1-a55a3f63-1f6f][SSO.java][sendPOSTBindingNoPassiveResponse][SAMLResponse: <?xml version="1.0" encoding="UTF-8" standalone="yes"?><Response ID="_2b91a1c0d9e06b3766b5c74ee570cedf5511" InResponseTo="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007" IssueInstant="2020-12-28T15:43:59.425+01:00" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">sps</ns1:Issuer><Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/></StatusCode></Status></Response>]
[12/28/2020][14:43:59][25050][140317858985728][158702f7-d1608030-b9b793d4-cba94ae1-a55a3f63-1f6f][SSO.java][sendSAMLResponse][SAML2 Single Sign-On Service sending SAML Response: <?xml version="1.0" encoding="UTF-8" standalone="yes"?><Response ID="_2b91a1c0d9e06b3766b5c74ee570cedf5511" InResponseTo="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007" IssueInstant="2020-12-28T15:43:59.425+01:00" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">sps</ns1:Issuer><Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/></StatusCode></Status></Response>.]
smtracedefault.log :
[12/28/2020][15:43:51.603][15:43:51][30735][140503237285632][SmMessage.cpp:557][CSmMessage::ParseAgentMessage][s14/r5][sps-training-com][][][][][][][][][][][][][][][][][][/affwebservices/public/saml2sso?SAMLRequest=fZFRT8MgFIX%2FSsP [...omitted for brevity...] f%2FM6hs%3D][Receive request attribute 201, data size is 480][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[12/28/2020][15:43:52.301][15:43:52][30735][140503237285632][CServer.cpp:6557][CServer::Tunnel][158702f7-d1608030-b9b793d4-cba94ae1-a55a3f63-1f6f][][][][][][][][][][][][][][::ffff:192.168.1.108][][][][Lib='smjavaapi', Func='JavaTunnelService', Params='com.netegrity.saml2ps.tunnel.SAMLSPbyIDTunnelService', Server='', Device=''][][Resolved all the input parameters][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
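The check below is added here and is not part of the original article or of CA/Broadcom code. It applies the SAML 2.0 time-value rule to the Response captured above, whether it is decoded from the SAMLResponse form field of the HTTP-POST binding or pulled out of the FWSTrace.log line, and to a constructed compliant Response that carries an Assertion with Conditions. Every time-valued attribute is normalized to UTC, any value not in the "Z" form is flagged, and the skew an SP would see if it ignored the offset is reported. The base64 value is re-encoded from the logged XML because the form value on the page is truncated; the trace line and the compliant Response are constructed samples.

```python
"""Check SAML 2.0 time values for the UTC ('Z') form required by SAML 2.0 Core
section 1.3.3 and quantify what a local-time value does on the SP side.
Added example, not CA/Broadcom code."""
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Attributes that carry xs:dateTime values in SAML 2.0 protocol and assertion messages.
TIME_ATTRS = {"IssueInstant", "NotBefore", "NotOnOrAfter", "AuthnInstant", "SessionNotOnOrAfter"}

XSD_DATETIME = re.compile(
    r"^(?P<y>\d{4})-(?P<mo>\d{2})-(?P<d>\d{2})T(?P<h>\d{2}):(?P<mi>\d{2}):(?P<s>\d{2})"
    r"(?P<frac>\.\d+)?(?P<tz>Z|[+-]\d{2}:\d{2})?$"
)


def parse_saml_time(value):
    """Parse an xs:dateTime into (aware UTC datetime, compliant).

    compliant is True only for the 'Z' form SAML mandates. A numeric offset such as
    +01:00 is a valid xs:dateTime and still names the right instant, but is flagged;
    a value with no zone at all is read as UTC and flagged as well."""
    m = XSD_DATETIME.match(value)
    if not m:
        raise ValueError(f"not an xs:dateTime: {value!r}")
    frac = m.group("frac") or ""
    micro = int((frac[1:] + "000000")[:6]) if frac else 0   # pad/truncate to microseconds
    wall = datetime(int(m["y"]), int(m["mo"]), int(m["d"]),
                    int(m["h"]), int(m["mi"]), int(m["s"]), micro)
    tz = m.group("tz")
    if tz in (None, "Z"):
        return wall.replace(tzinfo=timezone.utc), tz == "Z"
    sign = 1 if tz[0] == "+" else -1
    offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
    return wall.replace(tzinfo=timezone(offset)).astimezone(timezone.utc), False


def naive_skew_seconds(value):
    """Seconds by which an SP that drops the offset and reads the wall-clock part as
    UTC misplaces the instant: 0 for a 'Z' value, +3600 for a '...+01:00' value."""
    instant, _ = parse_saml_time(value)
    misread, _ = parse_saml_time(re.sub(r"[+-]\d{2}:\d{2}$", "Z", value))
    return (misread - instant).total_seconds()


def check_saml_message(xml_text):
    """One finding per time-valued attribute anywhere in the message
    (Response, Assertion, Conditions, AuthnStatement ...)."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        for attr, raw in el.attrib.items():
            if attr in TIME_ATTRS:
                instant, compliant = parse_saml_time(raw)
                findings.append({"element": el.tag.rsplit("}", 1)[-1], "attr": attr,
                                 "raw": raw, "utc": instant.isoformat(),
                                 "compliant": compliant, "skew_s": naive_skew_seconds(raw)})
    return findings


def decode_saml_response(form_value):
    """HTTP-POST binding: the SAMLResponse form field is plain base64, not DEFLATEd."""
    return base64.b64decode(form_value).decode("utf-8")


def xml_from_trace_line(line):
    """Pull the Response XML out of an FWSTrace.log line, or None if it has none."""
    m = re.search(r"(<\?xml.*?</Response>)", line)
    return m.group(1) if m else None


# The NoPassive Response logged in FWSTrace.log on this page (IssueInstant in local time).
PAGE_RESPONSE = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Response ID="_2b91a1c0d9e06b3766b5c74ee570cedf5511" '
    'InResponseTo="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007" '
    'IssueInstant="2020-12-28T15:43:59.425+01:00" Version="2.0" '
    'xmlns="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" '
    'xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">sps</ns1:Issuer>'
    '<Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">'
    '<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/>'
    '</StatusCode></Status></Response>'
)
# Re-encoded here because the SAMLResponse form value on the page is truncated.
PAGE_RESPONSE_B64 = base64.b64encode(PAGE_RESPONSE.encode("utf-8")).decode("ascii")
# Constructed trace line: the page's log prefix followed by PAGE_RESPONSE.
TRACE_LINE = ("[12/28/2020][14:43:59][25050][140317858985728]"
              "[158702f7-d1608030-b9b793d4-cba94ae1-a55a3f63-1f6f][SSO.java]"
              "[sendPOSTBindingNoPassiveResponse][SAMLResponse: " + PAGE_RESPONSE + "]")
# Constructed compliant Response carrying an Assertion with Conditions.
OK_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
    'IssueInstant="2020-12-28T14:43:59Z">'
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-12-28T14:43:59Z">'
    '<saml:Conditions NotBefore="2020-12-28T14:43:29Z" NotOnOrAfter="2020-12-28T14:48:59Z"/>'
    '</saml:Assertion></samlp:Response>'
)

if __name__ == "__main__":
    for label, xml_text in (("trace", xml_from_trace_line(TRACE_LINE)),
                            ("form", decode_saml_response(PAGE_RESPONSE_B64)),
                            ("ok", OK_RESPONSE)):
        for f in check_saml_message(xml_text):
            print("{:3} {:5} {}@{}={} utc={} naive_skew={:+.0f}s".format(
                "OK" if f["compliant"] else "BAD", label, f["element"], f["attr"],
                f["raw"], f["utc"], f["skew_s"]))
```

Run against the page's Response the check reports the single IssueInstant as non-compliant, normalized to 2020-12-28T14:43:59.425 UTC (matching the Apache Date header of the same reply), with a one-hour skew for an SP that ignores the offset; the constructed Response passes on all four time values. The same functions work on any Response or Assertion taken from an FWSTrace.log line or a captured form post.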
CA Access Gateway (SPS) 12.8SP4 on RedHat 8;
Web Agent Option Pack 12.52SP1CR08 on Tomcat 8.5.53 on RedHat 7;
For the Web Agent Option Pack, the fix (defect DE503252) will ship in the next release, which is expected to be 12.52SP1CR12.
For CA Access Gateway (SPS), upgrade to 12.8SP5 or later; the issue is not present from that version onward.