ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.
AssertionConsumerServiceURL vaue must match the one specified in partner meta data
Article ID: 76441
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
Issue/Introduction
I'm running Siteminder Federation IdP, and when it receives the following AuthnRequest :
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://sp.yourdomain.com/samlconsumer"
Destination="https://idp.mydomain.com/affwebservices/public/saml2sso"
ID="_943b1145ec08d2975433e6c8ecc13079"
IssueInstant="2018-03-28T07:32:21Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0" > <saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.yourdomain.com/secondserver</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="1"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</samlp:AuthnRequest>
Then, my IdP Server returns the following error :
"AssertionConsumerServiceURL vaue must match the one specified in partner meta data"
In my Legacy Federation, I've defined the SP Assertion Consumer Service URL as : https://sp.yourdomain.com/samlconsumer
How can I fix this problem?
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://sp.yourdomain.com/samlconsumer"
Destination="https://idp.mydomain.com/affwebservices/public/saml2sso"
ID="_943b1145ec08d2975433e6c8ecc13079"
IssueInstant="2018-03-28T07:32:21Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0" > <saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.yourdomain.com/secondserver</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="1"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</samlp:AuthnRequest>
Then, my IdP Server returns the following error :
"AssertionConsumerServiceURL vaue must match the one specified in partner meta data"
In my Legacy Federation, I've defined the SP Assertion Consumer Service URL as : https://sp.yourdomain.com/samlconsumer
How can I fix this problem?
Cause
The problem you face is that you are referring to the AssertionConsumerServiceURL value from the Federation AuthnRequest. But this functionality doesn't exist for Legacy Federation model. You have to use the Partnership configuration to be able to use it :
Asserting Party Not Accepting ACS URL in an Authentication Request (170971)
Symptom:
CA Single Sign-On Federation was not accepting and processing the
Assertion Consumer Service URL in the incoming authentication
request. The system did not verify whether the authentication request
had an Assertion Consumer Service URL defined.
Solution:
For an IdP-to-SP partnership, the Administrative UI has a new check
box labeled Accept ACS URL in the Authnrequest. This check box is in
the SSO section of the SSO and SLO step of the partnership
configuration. To confirm that the URL is present and valid in the
authentication request, and it is in the metadata, select this option.
STAR issue: 21361990
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52#DefectsFixedin12.52-AssertingPartyNotAcceptingACSURLinanAuthenticationRequest(170971)
Asserting Party Not Accepting ACS URL in an Authentication Request (170971)
Symptom:
CA Single Sign-On Federation was not accepting and processing the
Assertion Consumer Service URL in the incoming authentication
request. The system did not verify whether the authentication request
had an Assertion Consumer Service URL defined.
Solution:
For an IdP-to-SP partnership, the Administrative UI has a new check
box labeled Accept ACS URL in the Authnrequest. This check box is in
the SSO section of the SSO and SLO step of the partnership
configuration. To confirm that the URL is present and valid in the
authentication request, and it is in the metadata, select this option.
STAR issue: 21361990
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52#DefectsFixedin12.52-AssertingPartyNotAcceptingACSURLinanAuthenticationRequest(170971)
Environment
Release: FEDMGP99000-12.52-Federation-Partnerships
Component:
Component:
Resolution
Configure your Federation as a Partnership instead of a Legacy one, and set the IdP to use the AssertionConsumerServiceURL from the SAML AuthnRequest by checking "Accept ACS URL in the Authnrequest" configuration setting in your Partnership, putting the expected value of AssertionConsumerServiceURL in the list for ACS.
Feedback
Yes
No
Powered by
