SAML SSO Failure Due to Additional Attributes in AuthnRequest IGA v15

Article ID: 433402

Products

CA Identity Suite

Issue/Introduction

After upgrading to version v15 of Identity Manager (IM) and Identity Portal (IP), SAML Single Sign-On (SSO) fails. The Assertion Consumer Service (ACS) rejects the SAML AuthnRequest as invalid, preventing authentication.

Environment

IGA Xpress 1.0
IGA Suite v15

Cause

In version 15, the SAML AuthnRequest generated by IM/IP includes additional attributes and elements not present in version 14:

Newly Introduced Elements

  1. ProtocolBinding attribute:

     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

  2. NameIDPolicy element:

     <saml2p:NameIDPolicy
         AllowCreate="true"
         Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>

Although these additions are valid per the SAML 2.0 specification, the target ACS may enforce stricter validation policies and reject requests containing unsupported or unexpected fields.

Resolution

This issue has been addressed in Fix Pack 5 for version v15.

Action Required

Upgrade both of the following to Fix Pack 5 or later:

  • Identity Manager (IM)

  • Identity Portal (IP)

Additional Information

The v14 (working) SAML request is as follows:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
    AssertionConsumerServiceURL="https://<test-host>/sigma/app/acs"
    Destination="https://<test-host>/idp/SSO.saml2"
    ID="_1ea037adc52c55c4f0114f7d19a487cb"
    IssueInstant="2026-03-16T10:05:46.486Z"
    Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    https://<test-host>/sigma
  </saml2:Issuer>
</saml2p:AuthnRequest>

The new v15 SAML request (rejected as invalid by the ACS) adds the following attributes and elements to the request:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
    AssertionConsumerServiceURL="https://<test-host>/sigma/app/acs"
    Destination="https://<test-host>/idp/SSO.saml2"
    ID="_a72e18b0a77dfc61a864462982f6f91d"
    IssueInstant="2026-03-16T09:56:16.135Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
    Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    https://<test-host>/sigma
  </saml2:Issuer>
  <saml2p:NameIDPolicy
      AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</saml2p:AuthnRequest>
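As an added diagnostic (not part of this article or of the IM/IP product), the following Python script inspects a captured AuthnRequest for the two v15 additions described above, so an administrator can confirm this cause from a decoded request before applying Fix Pack 5. The two embedded sample requests are constructed from the v14 and v15 requests shown above, with a placeholder host name.

```python
"""Diagnostic: detect the v15-only additions in a SAML AuthnRequest."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"


def audit_authn_request(xml_text: str) -> dict:
    """Report the v15-specific fields present in a samlp:AuthnRequest.

    Returns {'protocol_binding': value-or-None, 'name_id_policy': attrs-or-None}.
    Raises ValueError when the root element is not an AuthnRequest.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not a SAML 2.0 AuthnRequest: {root.tag}")
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")  # direct child only
    return {
        "protocol_binding": root.get("ProtocolBinding"),
        "name_id_policy": dict(policy.attrib) if policy is not None else None,
    }


def is_v15_style(xml_text: str) -> bool:
    """True when either of the v15 additions from the article is present."""
    r = audit_authn_request(xml_text)
    return r["protocol_binding"] is not None or r["name_id_policy"] is not None


# Constructed sample modelled on the v14 request above (placeholder host).
V14_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://test-host.example/sigma/app/acs"
    Destination="https://test-host.example/idp/SSO.saml2"
    ID="_1ea037adc52c55c4f0114f7d19a487cb"
    IssueInstant="2026-03-16T10:05:46.486Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://test-host.example/sigma</saml2:Issuer>
</saml2p:AuthnRequest>"""

# Constructed v15 sample: the v14 request plus ProtocolBinding and NameIDPolicy.
V15_REQUEST = V14_REQUEST.replace(
    'Version="2.0">', f'ProtocolBinding="{HTTP_ARTIFACT}" Version="2.0">'
).replace(
    "</saml2p:AuthnRequest>",
    '  <saml2p:NameIDPolicy AllowCreate="true"\n'
    '      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>\n'
    "</saml2p:AuthnRequest>",
)

if __name__ == "__main__":
    for label, req in (("v14", V14_REQUEST), ("v15", V15_REQUEST)):
        print(label, audit_authn_request(req), "v15-style:", is_v15_style(req))
```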