Federation metadata export includes both HTTP-Redirect and HTTP-POST bindings even though only the HTTP-POST binding is selected in the Federation Partnership

Article ID: 226858

Products

- CA Single Sign On Federation (SiteMinder)
- SITEMINDER
- CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

The federation metadata export contains both the HTTP-Redirect and HTTP-POST bindings even though only the HTTP-POST binding was selected in the Federation Partnership.

Detailed use case:

When creating a SAML2 Federation partnership, the following options are selected in the SSO section:

- Flow: Partnership Federation - Partnerships - Create Partnership - SSO and SLO section:

- Authentication Request Binding -> only HTTP-Post is selected

- SSO Binding -> only HTTP-Post is selected

- However, the exported metadata file contains two bindings, HTTP-Redirect and HTTP-POST, as shown below, even though only the HTTP-POST binding was selected in the Federation Partnership.

<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://testentity.com/affwebservices/public/saml2sso"/>

<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://testentity.com/affwebservices/public/saml2sso"/>

Environment

CA SiteMinder (also known as Symantec SiteMinder) 12.8 SP4 environment

Resolution

- Question: why does the HTTP-Redirect binding appear in the metadata even though only the HTTP-POST binding was selected when creating the Federation Partnership?

- The HTTP-Redirect binding is essentially a GET request to the Federation Web Services. When partners exchange this metadata, it sometimes leads to issues because the Authentication Request Binding no longer matches between the two partnerships, and because HTTP GET authentication requests are allowed as well, instead of only POST authentication requests.

- The expected behavior is that the metadata is exported without the HTTP-Redirect binding, as configured in the Partnership.
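One way to check an exported metadata file against the bindings selected in the partnership. This is an added example, not part of the original article or of the product's tooling; the function names, the `entityID` value and the sample document (modelled on the two `SingleSignOnService` lines shown above) are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample modelled on the export shown in this article.
SAMPLE_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="testentity">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="http://testentity.com/affwebservices/public/saml2sso"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="http://testentity.com/affwebservices/public/saml2sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def sso_endpoints(metadata_xml):
    """Return (Binding, Location) for every SingleSignOnService element.

    Matches on the local element name so default-namespace, prefixed (md:)
    and un-namespaced exports are all handled.
    """
    root = ET.fromstring(metadata_xml)  # assumption: input is your own local export
    return [(el.get("Binding", ""), el.get("Location", ""))
            for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "SingleSignOnService"]


def check_bindings(metadata_xml, configured=(POST,)):
    """Compare advertised SSO bindings with those configured in the partnership."""
    found = sso_endpoints(metadata_xml)
    return {
        "unexpected": sorted(e for e in found if e[0] not in configured),
        "missing": sorted(set(configured) - {b for b, _ in found}),
    }


if __name__ == "__main__":
    # Usage: python check_metadata.py exported_metadata.xml (sample used if omitted)
    xml_text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    result = check_bindings(xml_text)
    for binding, location in result["unexpected"]:
        print(f"UNEXPECTED {binding} -> {location}")
    for binding in result["missing"]:
        print(f"MISSING    {binding}")
    sys.exit(1 if result["unexpected"] or result["missing"] else 0)
```

The script exits non-zero when the export advertises a binding that is not configured, so it can gate the step where metadata is handed to a partner.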

Solution:

A DEV FIX/PATCH ("DE510572") that resolves this issue is available from the internal SE Engineering team.

The DEV FIX is attached to the defect.

Follow the instructions in "readme.txt" inside the attached zip file to deploy the binaries.

This DEV FIX/PATCH resolves the reported issue.

Additional Information

If you observe this issue in the 12.8 SP2 and/or 12.8 SP4 release, please open a support ticket so that we can provide you with the required patch ("DE510572").
Also note that the SE Engineering team will fix this issue in upcoming releases.