Environment
NetIQ Identity Server acting as a SAML2 Service Provider
3rd party SAML2 Identity Server
Firefox, Chrome, IE6 browsers work without issues
IE7 and greater experiencing errors
Situation
Error status 300101011 - Assertion is being replayed
An assertion has been received that was already used to authenticate a user at the service provider.
The users reporting this were all on IE7 or later, whereas users on older versions of IE and on the latest Chrome or Firefox had no issues.
Resolution
The server certificate assigned to the reverse proxy the users were hitting (published DNS name esp.secure.windows.co.uk) was actually the test-connector certificate, when it should have been esp_secure_windows_co_uk. Most browsers (Firefox, Chrome, IE6) don't care about this and you can simply select accept to continue, but IE7 and above apparently do care, and as a result the same assertion was being posted to the service provider twice. The following link suggests the same behaviour has been seen with other software:
http://help.netmail.com/pages/viewpage.action?pageId=5506721
The reason the test-connector certificate was still in use was a failed certificate change on the proxy. It failed because the devman.keystore certificate had expired (updates never progressed from pending to current). We replaced the devman certificate, which then allowed us to change to the correct proxy certificate, and all is well with Internet Explorer 7+.
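As an added illustration (not NetIQ's code), here is a minimal service-provider-side replay cache in Python that makes the same decision as error 300101011: it accepts the first POST of the assertion from the log excerpt and refuses the identical POST received four seconds later. It assumes the XML signature has already been verified, uses a constructed, trimmed copy of the logged response, and allows 30 seconds of clock skew, since the log entry time (13:04:19Z) precedes the assertion's NotBefore (13:04:24Z).

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def ts(s):
    """Parse a SAML UTC timestamp such as 2013-07-15T13:04:24Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

class ReplayCache:
    """SP-side replay cache: remembers accepted assertion IDs until their
    validity window (plus allowed clock skew) has closed, so a second POST of
    the same assertion is refused, as NAM does with 300101011."""
    def __init__(self, skew_seconds=30):
        self.skew = timedelta(seconds=skew_seconds)
        self.seen = {}   # assertion ID -> time after which it can be forgotten

    def check(self, response_xml, now):
        """Return 'ok', 'replayed', 'expired' or 'not-yet-valid'.
        Assumes the response's XML signature has already been verified."""
        root = ET.fromstring(response_xml)
        assertion = root.find("saml:Assertion", NS)
        conds = assertion.find("saml:Conditions", NS)
        not_before = ts(conds.get("NotBefore")) - self.skew
        not_on_or_after = ts(conds.get("NotOnOrAfter")) + self.skew
        # Forget IDs whose window has closed; a late copy is rejected as expired anyway.
        self.seen = {aid: exp for aid, exp in self.seen.items() if exp > now}
        if now < not_before:
            return "not-yet-valid"
        if now >= not_on_or_after:
            return "expired"
        aid = assertion.get("ID")
        if aid in self.seen:
            return "replayed"   # same ID seen again inside its window
        self.seen[aid] = not_on_or_after
        return "ok"

def sample_response(assertion_id):
    """Constructed, trimmed copy of the response in the log excerpt: signature,
    subject and statements are omitted, the Conditions element is kept."""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            'ID="I570BE9E71A6796CB2E37680C543E34386ADE1BB2" Version="2.0">'
            f'<saml:Assertion ID="{assertion_id}" Version="2.0">'
            '<saml:Conditions NotBefore="2013-07-15T13:04:24Z" '
            'NotOnOrAfter="2013-07-15T13:05:34Z"><saml:OneTimeUse/>'
            '</saml:Conditions></saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    cache = ReplayCache()
    aid = "A27E77BF4463B0C507767C32A8D7576415858DDCB"   # assertion ID from the log
    print(cache.check(sample_response(aid), ts("2013-07-15T13:04:19Z")))  # ok
    print(cache.check(sample_response(aid), ts("2013-07-15T13:04:23Z")))  # replayed
```

When triaging this error, the same assertion ID with the same RelayState arriving seconds apart from one client, as in the log below, points at a client re-POST rather than a stolen assertion.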
Additional Information
// Response 1 from IDP server
<amLogEntry seq="27376620" d="2013-07-15T13:04:19Z" lg="SAML2" lv="DEBUG" th="15" ><msg>Method: SAML2Profile.traceMessage
Thread: http-443-Processor4
************************* SAML2 POST message ********************************
Type: received
RelayState: https://sp.secure.windows.co.uk/frame.wpl/839
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="https://ids.secure.windows.co.uk/nidp/saml2/spassertion_consumer" ID="I570BE9E71A6796CB2E37680C543E34386ADE1BB2" IssueInstant="2013-07-15T13:04:29Z" Version="2.0"><saml:Issuer>idp.mymoneyworks.co.uk</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="A27E77BF4463B0C507767C32A8D7576415858DDCB" IssueInstant="2013-07-15T13:04:29Z" Version="2.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><saml:Issuer>idp.mymoneyworks.co.uk</saml:Issuer><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference URI="#A27E77BF4463B0C507767C32A8D7576415858DDCB"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec14n:InclusiveNamespaces xmlns:ec14n="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs xsi"/></dsig:Transform></dsig:Transforms><dsig:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>Hfe0DfNl/ryu2E6H+29JlxjkxYE=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>XWdif+hMXz7qP9+icEgCljEwunnC4V2OLzXw+r9YBjN0K3v2lzIZrfzalnZLkOrr+zOUGE3Hsp48XdgYbjFS1sD6rxHVZhms3CZj4Ede4BRUONNHQSAgN85z3Oknmq8KBYOl9FNLZDvyA3ZteR5lkB81SWRbEdnbFVC2djSmyXYPoRxhJs7qhEzEFHOOoc36cLaVXLIesZ/COCTFfnO11AbLpzngDEK6cgLVazAnZBlydMYeWVeSAioWcS8/oYEdMDZEv0zL9qCF3QWArv2Uy7iWD/fTXrsCltcTTX9fy3egBqV2Lf6FKAW8qHiltLVM5f+dOrJv0CDXqNTqtObI8A==</dsig:SignatureValue></dsig:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="idp.mymoneyworks.co.uk" SPNameQualifier="https://ids.secure.windows.co.uk/nidp/saml2/metadata">1dba9fac698aab5efb8cd7359bcb6c2977297e9b</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2013-07-15T13:05:34Z" Recipient="https://ids.secure.windows.co.uk/nidp/saml2/spassertion_consumer"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2013-07-15T13:04:24Z" NotOnOrAfter="2013-07-15T13:05:34Z"><saml:AudienceRestriction><saml:Audience>https://ids.secure.windows.co.uk/nidp/saml2/metadata</saml:Audience></saml:AudienceRestriction><saml:OneTimeUse/></saml:Conditions><saml:AuthnStatement AuthnInstant="2013-07-15T13:02:44Z" SessionIndex="A27E77BF4463B0C507767C32A8D7576415858DDCB" SessionNotOnOrAfter="2013-07-15T21:02:49Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>
************************* End SAML2 message ****************************</msg></amLogEntry>
// Response 2 from IDP server, received 4 seconds later (identical Response and Assertion IDs)
************************* SAML2 POST message ********************************
Type: received
RelayState: https://sp.secure.windows.co.uk/frame.wpl/839
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="https://ids.secure.windows.co.uk/nidp/saml2/spassertion_consumer" ID="I570BE9E71A6796CB2E37680C543E34386ADE1BB2" IssueInstant="2013-07-15T13:04:29Z" Version="2.0"><saml:Issuer>idp.mymoneyworks.co.uk</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="A27E77BF4463B0C507767C32A8D7576415858DDCB" IssueInstant="2013-07-15T13:04:29Z" Version="2.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><saml:Issuer>idp.mymoneyworks.co.uk</saml:Issuer><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference URI="#A27E77BF4463B0C507767C32A8D7576415858DDCB"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec14n:InclusiveNamespaces xmlns:ec14n="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs xsi"/></dsig:Transform></dsig:Transforms><dsig:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>Hfe0DfNl/ryu2E6H+29JlxjkxYE=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>XWdif+hMXz7qP9+icEgCljEwunnC4V2OLzXw+r9YBjN0K3v2lzIZrfzalnZLkOrr+zOUGE3Hsp48XdgYbjFS1sD6rxHVZhms3CZj4Ede4BRUONNHQSAgN85z3Oknmq8KBYOl9FNLZDvyA3ZteR5lkB81SWRbEdnbFVC2djSmyXYPoRxhJs7qhEzEFHOOoc36cLaVXLIesZ/COCTFfnO11AbLpzngDEK6cgLVazAnZBlydMYeWVeSAioWcS8/oYEdMDZEv0zL9qCF3QWArv2Uy7iWD/fTXrsCltcTTX9fy3egBqV2Lf6FKAW8qHiltLVM5f+dOrJv0CDXqNTqtObI8A==</dsig:SignatureValue></dsig:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="idp.mymoneyworks.co.uk" SPNameQualifier="https://ids.secure.windows.co.uk/nidp/saml2/metadata">1dba9fac698aab5efb8cd7359bcb6c2977297e9b</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2013-07-15T13:05:34Z" Recipient="https://ids.secure.windows.co.uk/nidp/saml2/spassertion_consumer"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2013-07-15T13:04:24Z" NotOnOrAfter="2013-07-15T13:05:34Z"><saml:AudienceRestriction><saml:Audience>https://ids.secure.windows.co.uk/nidp/saml2/metadata</saml:Audience></saml:AudienceRestriction><saml:OneTimeUse/></saml:Conditions><saml:AuthnStatement AuthnInstant="2013-07-15T13:02:44Z" SessionIndex="A27E77BF4463B0C507767C32A8D7576415858DDCB" SessionNotOnOrAfter="2013-07-15T21:02:49Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>
************************* End SAML2 message ****************************</msg></amLogEntry>
<amLogEntry seq="27376691" d="2013-07-15T13:04:23Z" lg="SAML2" lv="DEBUG" th="14" ><msg>Method: SAML2AuthnContext.parse
Thread: http-443-Processor3
expiration: 0</msg></amLogEntry>
<amLogEntry seq="27376692" d="2013-07-15T13:04:23Z" lg="SAML2" lv="DEBUG" th="14" ><msg>Method: SAML2Profile.A
Thread: http-443-Processor3
Processing artifact for pre-brokering, provider= idp.mymoneyworks.co.uk and relayState = https://sp.secure.windows.co.uk/frame.wpl/839</msg></amLogEntry>
<amLogEntry seq="27376693" d="2013-07-15T13:04:23Z" lg="SAML2" lv="DEBUG" th="14" ><msg>Method: SAML2Profile.A
Thread: http-443-Processor3
Relaystate does not have Intersite Transfer request.. no brokering policy enforcement is needed</msg></amLogEntry>
<amLogEntry seq="27376694" d="2013-07-15T13:04:23Z" lg="Application" lv="VERBOSE" th="14" ><msg>IDP response failed to authenticate: NIDPLOGGING.300101011</msg></amLogEntry>
<amLogEntry seq="27376695" d="2013-07-15T13:04:23Z" lg="SAML2" lv="WARNING" th="14" ><msg>Exception message: "NIDPLOGGING.300101011"
y, Line: 2431, Method: validate
y, Line: 3075, Method: verifyResponse
y, Line: 277, Method: handleAuthentication
y, Line: 2562, Method: processResponse
y, Line: 226, Method: processResponse
y, Line: 1125, Method: handleInBoundMessage
y, Line: 3474, Method: processResponse
y, Line: 2544, Method: A