AssertionConsumerServiceURL vaue must match the one specified in partner meta data

Article Id: 76441
Status: Published
Updated On: 05-04-2018 00:51
Products:
CA Single Sign On Secure Proxy Server (SiteMinder) , AXIOMATICS POLICY SERVER , CA Single Sign On SOA Security Manager (SiteMinder) , CA Single Sign-On , CA Single Sign-On
Issue/Introduction:

I'm running Siteminder Federation IdP, and when it receives the following AuthnRequest :

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://sp.yourdomain.com/samlconsumer"
Destination="https://idp.mydomain.com/affwebservices/public/saml2sso"
ID="_943b1145ec08d2975433e6c8ecc13079"
IssueInstant="2018-03-28T07:32:21Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0" > <saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.yourdomain.com/secondserver</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="1"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</samlp:AuthnRequest>

Then, my IdP Server returns the following error :

  "AssertionConsumerServiceURL vaue must match the one specified in partner meta data"

In my Legacy Federation, I've defined the SP Assertion Consumer Service URL as : https://sp.yourdomain.com/samlconsumer

How can I fix this problem?

Cause:

The problem you face is that you are referring to the AssertionConsumerServiceURL value from the Federation AuthnRequest. But this functionality doesn't exist for Legacy Federation model. You have to use the Partnership configuration to be able to use it :

Asserting Party Not Accepting ACS URL in an Authentication Request (170971)
Symptom:

CA Single Sign-On Federation was not accepting and processing the
Assertion Consumer Service URL in the incoming authentication
request. The system did not verify whether the authentication request
had an Assertion Consumer Service URL defined.

Solution:

For an IdP-to-SP partnership, the Administrative UI has a new check
box labeled Accept ACS URL in the Authnrequest. This check box is in
the SSO section of the SSO and SLO step of the partnership
configuration. To confirm that the URL is present and valid in the
authentication request, and it is in the metadata, select this option.

STAR issue: 21361990

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52#DefectsFixedin12.52-AssertingPartyNotAcceptingACSURLinanAuthenticationRequest(170971)
 

Environment:

Release: FEDMGP99000-12.52-Federation-Partnerships
Component:

Resolution:

Configure your Federation as a Partnership instead of a Legacy one, and set the IdP to use the AssertionConsumerServiceURL from the SAML AuthnRequest by checking "Accept ACS URL in the Authnrequest" configuration setting in your Partnership, putting the expected value of AssertionConsumerServiceURL in the list for ACS.