300101011 Error (Assertion is being replayed) accessing Access Gateway protected resources

  • 7013199
  • 03-Sep-2013
  • 03-Sep-2013

Environment

NetIQ Access Manager 3.2
NetIQ Identity Server acting as a SAML2 Service Provider
3rd party SAML2 Identity Server
Firefox, Chrome, IE6 browsers work without issues
IE7 and greater experiencing errors

Situation

Access Manager was set up and working well, i.e. users could access protected resources successfully after having authenticated at the NAM Identity Server. A new application was rolled out that required users to authenticate using an external contract to a remote SAML2 Identity Server. The user would hit the Access Gateway (AG) protected resource and get redirected to the NAM Identity Server, which in turn generated a SAML AuthnRequest to the remote Identity Server. Once authenticated, the assertion was passed all the way back to the NAM Identity Server and the AG so that SSO happened. This all worked fine in initial testing. However, as the application was rolled out, some users started reporting the following errors in the browser:

Error status 300101011 - Assertion is being replayed
An assertion has been received that was already used to authenticate a user at the service provider.

It turned out that the users reporting this were on IE7 and greater, whereas users on older versions of IE and the latest Chrome or Firefox browsers had no issues.

Resolution

Changed the AG Proxy Server certificate to one whose subject name matched the DNS name of that proxy server.

The situation we were in was that the server certificate assigned to the reverse proxy the users were hitting (published DNS name esp.secure.windows.co.uk) was actually the test-connector certificate, when it should have been esp_secure_windows_co_uk. Most browsers (Firefox, Chrome, IE6) don't care about this and you can simply select accept to continue, but apparently IE7 and above do care, and we were seeing a duplicate assertion sent as a result. The following link suggests that the same behaviour has been seen with other software:

http://help.netmail.com/pages/viewpage.action?pageId=5506721

The reason the test-connector certificate was still in use was a failed certificate change on the proxy. It failed because the devman.keystore certificate had expired (updates never progressed from pending to current). We replaced the devman certificate, which then allowed us to change to the correct proxy certificate, and all is well with Internet Explorer 7+.
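A check for the mismatch described above, added here as an example and not part of the NetIQ article or product: given a certificate in the dict shape that Python's ssl.SSLSocket.getpeercert() returns, it reports whether the names on the certificate cover the published DNS name of the reverse proxy. The two certificate dicts are constructed to mirror the test-connector versus esp.secure.windows.co.uk case; the wildcard handling goes slightly beyond the article's single-name case.

```python
# Hostname users actually hit: the published name of the reverse proxy.
PUBLISHED_NAME = "esp.secure.windows.co.uk"

# Constructed certificate dicts in the shape returned by ssl.SSLSocket.getpeercert();
# they mirror the article's situation and are not real certificates.
TEST_CONNECTOR_CERT = {  # certificate that was wrongly left on the proxy
    "subject": ((("commonName", "test-connector"),),),
    "subjectAltName": (("DNS", "test-connector"),),
}
PROXY_CERT = {  # certificate whose subject matches the proxy's DNS name
    "subject": ((("commonName", "esp.secure.windows.co.uk"),),),
    "subjectAltName": (("DNS", "esp.secure.windows.co.uk"),),
}

def cert_names(cert):
    """DNS names a certificate is valid for: the SAN dNSName entries, with the
    subject CN used only as a fallback when the certificate carries no SAN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]

def name_matches(pattern, hostname):
    """Case-insensitive comparison; a leading '*' may stand for exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname

def cert_matches_host(cert, hostname):
    """True when any name on the certificate covers the published hostname."""
    return any(name_matches(name, hostname) for name in cert_names(cert))

def report(cert, hostname=PUBLISHED_NAME):
    """One-line verdict suitable for a monitoring check on the proxy."""
    names = ", ".join(cert_names(cert)) or "(no names)"
    if cert_matches_host(cert, hostname):
        return f"OK: certificate [{names}] matches {hostname}"
    return f"MISMATCH: certificate [{names}] does not cover {hostname}; browsers will warn"
```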


Additional Information

The catalina log files confirm that the browser POSTs the assertion from the remote IDP server two times, 4 seconds apart. Both the assertion ID and the Response ID are the same in the two POSTs, whereas each should be unique. This indicates that it is not a NAM issue but an issue with the browser, the application or the remote IDP server.

// Response 1 from IDP server

<amLogEntry seq="27376620" d="2013-07-15T13:04:19Z" lg="SAML2" lv="DEBUG" th="15" ><msg>Method: SAML2Profile.traceMessage
Thread: http-443-Processor4

************************* SAML2 POST message ********************************
Type: received
 RelayState: https://sp.secure.windows.co.uk/frame.wpl/839
&lt;samlp:Response xmlns:samlp=&quot;urn:oasis:names:tc:SAML:2.0:protocol&quot; xmlns:ds=&quot;http://www.w3.org/2000/09/xmldsig#&quot;; xmlns:saml=&quot;urn:oasis:names:tc:SAML:2.0:assertion&quot; xmlns:xs=&quot;http://www.w3.org/2001/XMLSchema&quot;; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot;; Destination=&quot;https://ids.secure.windows.co.uk/nidp/saml2/spassertion_consumer&quot;; ID=&quot;I570BE9E71A6796CB2E37680C543E34386ADE1BB2&quot; IssueInstant=&quot;2013-07-15T13:04:29Z&quot; Version=&quot;2.0&quot;&gt;&lt;saml:Issuer&gt;idp.mymoneyworks.co.uk&lt;/saml:Issuer&gt;&lt;samlp:Status&gt;&lt;samlp:StatusCode Value=&quot;urn:oasis:names:tc:SAML:2.0:status:Success&quot;/&gt;&lt;/samlp:Status&gt;&lt;saml:Assertion xmlns:xenc=&quot;http://www.w3.org/2001/04/xmlenc#&quot;; ID=&quot;A27E77BF4463B0C507767C32A8D7576415858DDCB&quot; IssueInstant=&quot;2013-07-15T13:04:29Z&quot; Version=&quot;2.0&quot; xmlns:ds=&quot;http://www.w3.org/2000/09/xmldsig#&quot;; xmlns:saml=&quot;urn:oasis:names:tc:SAML:2.0:assertion&quot; xmlns:xs=&quot;http://www.w3.org/2001/XMLSchema&quot;; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot;&gt;&lt;saml:Issuer&gt;idp.mymoneyworks.co.uk&lt;/saml:Issuer&gt;&lt;dsig:Signature xmlns:dsig=&quot;http://www.w3.org/2000/09/xmldsig#&quot;&gt;&lt;dsig:SignedInfo&gt;&lt;dsig:CanonicalizationMethod Algorithm=&quot;http://www.w3.org/2001/10/xml-exc-c14n#&quot;/&gt;&lt;dsig:SignatureMethod Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#rsa-sha1&quot;/&gt;&lt;dsig:Reference URI=&quot;#A27E77BF4463B0C507767C32A8D7576415858DDCB&quot;&gt;&lt;dsig:Transforms&gt;&lt;dsig:Transform Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#enveloped-signature&quot;/&gt;&lt;dsig:Transform Algorithm=&quot;http://www.w3.org/2001/10/xml-exc-c14n#&quot;&gt;&lt;ec14n:InclusiveNamespaces xmlns:ec14n=&quot;http://www.w3.org/2001/10/xml-exc-c14n#&quot;; PrefixList=&quot;xs 
xsi&quot;/&gt;&lt;/dsig:Transform&gt;&lt;/dsig:Transforms&gt;&lt;dsig:DigestMethod Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#sha1&quot;/&gt;&lt;dsig:DigestValue&gt;Hfe0DfNl/ryu2E6H+29JlxjkxYE=&lt;/dsig:DigestValue&gt;&lt;/dsig:Reference&gt;&lt;/dsig:SignedInfo&gt;&lt;dsig:SignatureValue&gt;XWdif+hMXz7qP9+icEgCljEwunnC4V2OLzXw+r9YBjN0K3v2lzIZrfzalnZLkOrr+zOUGE3Hsp48XdgYbjFS1sD6rxHVZhms3CZj4Ede4BRUONNHQSAgN85z3Oknmq8KBYOl9FNLZDvyA3ZteR5lkB81SWRbEdnbFVC2djSmyXYPoRxhJs7qhEzEFHOOoc36cLaVXLIesZ/COCTFfnO11AbLpzngDEK6cgLVazAnZBlydMYeWVeSAioWcS8/oYEdMDZEv0zL9qCF3QWArv2Uy7iWD/fTXrsCltcTTX9fy3egBqV2Lf6FKAW8qHiltLVM5f+dOrJv0CDXqNTqtObI8A==&lt;/dsig:SignatureValue&gt;&lt;/dsig:Signature&gt;&lt;saml:Subject&gt;&lt;saml:NameID Format=&quot;urn:oasis:names:tc:SAML:2.0:nameid-format:persistent&quot; NameQualifier=&quot;idp.mymoneyworks.co.uk&quot; SPNameQualifier=&quot;https://ids.secure.windows.co.uk/nidp/saml2/metadata&quot;&gt;1dba9fac698aab5efb8cd7359bcb6c2977297e9b&lt;/saml:NameID&gt;&lt;saml:SubjectConfirmation Method=&quot;urn:oasis:names:tc:SAML:2.0:cm:bearer&quot;&gt;&lt;saml:SubjectConfirmationData NotOnOrAfter=&quot;2013-07-15T13:05:34Z&quot; Recipient=&quot;https://ids.secure.windows.co.uk/nidp/saml2/spassertion_consumer&quot;/&gt;&lt;/saml:SubjectConfirmation&gt;&lt;/saml:Subject&gt;&lt;saml:Conditions NotBefore=&quot;2013-07-15T13:04:24Z&quot; NotOnOrAfter=&quot;2013-07-15T13:05:34Z&quot;&gt;&lt;saml:AudienceRestriction&gt;&lt;saml:Audience&gt;https://ids.secure.windows.co.uk/nidp/saml2/metadata&lt;/saml:Audience&gt;&lt;/saml:AudienceRestriction&gt;&lt;saml:OneTimeUse/&gt;&lt;/saml:Conditions&gt;&lt;saml:AuthnStatement AuthnInstant=&quot;2013-07-15T13:02:44Z&quot; SessionIndex=&quot;A27E77BF4463B0C507767C32A8D7576415858DDCB&quot; 
SessionNotOnOrAfter=&quot;2013-07-15T21:02:49Z&quot;&gt;&lt;saml:AuthnContext&gt;&lt;saml:AuthnContextClassRef&gt;urn:oasis:names:tc:SAML:2.0:ac:classes:Password&lt;/saml:AuthnContextClassRef&gt;&lt;/saml:AuthnContext&gt;&lt;/saml:AuthnStatement&gt;&lt;/saml:Assertion&gt;&lt;/samlp:Response&gt;
************************* End SAML2 message ****************************</msg></amLogEntry>

// Response 2 from IDP server 4 secs later

************************* SAML2 POST message ********************************

Type: received
 RelayState: https://sp.secure.windows.co.uk/frame.wpl/839
&lt;samlp:Response xmlns:samlp=&quot;urn:oasis:names:tc:SAML:2.0:protocol&quot; xmlns:ds=&quot;http://www.w3.org/2000/09/xmldsig#&quot;; xmlns:saml=&quot;urn:oasis:names:tc:SAML:2.0:assertion&quot; xmlns:xs=&quot;http://www.w3.org/2001/XMLSchema&quot;; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot;; Destination=&quot;https://ids.secure.windows.co.uk/nidp/saml2/spassertion_consumer&quot;; ID=&quot;I570BE9E71A6796CB2E37680C543E34386ADE1BB2&quot; IssueInstant=&quot;2013-07-15T13:04:29Z&quot; Version=&quot;2.0&quot;&gt;&lt;saml:Issuer&gt;idp.mymoneyworks.co.uk&lt;/saml:Issuer&gt;&lt;samlp:Status&gt;&lt;samlp:StatusCode Value=&quot;urn:oasis:names:tc:SAML:2.0:status:Success&quot;/&gt;&lt;/samlp:Status&gt;&lt;saml:Assertion xmlns:xenc=&quot;http://www.w3.org/2001/04/xmlenc#&quot;; ID=&quot;A27E77BF4463B0C507767C32A8D7576415858DDCB&quot; IssueInstant=&quot;2013-07-15T13:04:29Z&quot; Version=&quot;2.0&quot; xmlns:ds=&quot;http://www.w3.org/2000/09/xmldsig#&quot;; xmlns:saml=&quot;urn:oasis:names:tc:SAML:2.0:assertion&quot; xmlns:xs=&quot;http://www.w3.org/2001/XMLSchema&quot;; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot;&gt;&lt;saml:Issuer&gt;idp.mymoneyworks.co.uk&lt;/saml:Issuer&gt;&lt;dsig:Signature xmlns:dsig=&quot;http://www.w3.org/2000/09/xmldsig#&quot;&gt;&lt;dsig:SignedInfo&gt;&lt;dsig:CanonicalizationMethod Algorithm=&quot;http://www.w3.org/2001/10/xml-exc-c14n#&quot;/&gt;&lt;dsig:SignatureMethod Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#rsa-sha1&quot;/&gt;&lt;dsig:Reference URI=&quot;#A27E77BF4463B0C507767C32A8D7576415858DDCB&quot;&gt;&lt;dsig:Transforms&gt;&lt;dsig:Transform Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#enveloped-signature&quot;/&gt;&lt;dsig:Transform Algorithm=&quot;http://www.w3.org/2001/10/xml-exc-c14n#&quot;&gt;&lt;ec14n:InclusiveNamespaces xmlns:ec14n=&quot;http://www.w3.org/2001/10/xml-exc-c14n#&quot;; PrefixList=&quot;xs 
xsi&quot;/&gt;&lt;/dsig:Transform&gt;&lt;/dsig:Transforms&gt;&lt;dsig:DigestMethod Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#sha1&quot;/&gt;&lt;dsig:DigestValue&gt;Hfe0DfNl/ryu2E6H+29JlxjkxYE=&lt;/dsig:DigestValue&gt;&lt;/dsig:Reference&gt;&lt;/dsig:SignedInfo&gt;&lt;dsig:SignatureValue&gt;XWdif+hMXz7qP9+icEgCljEwunnC4V2OLzXw+r9YBjN0K3v2lzIZrfzalnZLkOrr+zOUGE3Hsp48XdgYbjFS1sD6rxHVZhms3CZj4Ede4BRUONNHQSAgN85z3Oknmq8KBYOl9FNLZDvyA3ZteR5lkB81SWRbEdnbFVC2djSmyXYPoRxhJs7qhEzEFHOOoc36cLaVXLIesZ/COCTFfnO11AbLpzngDEK6cgLVazAnZBlydMYeWVeSAioWcS8/oYEdMDZEv0zL9qCF3QWArv2Uy7iWD/fTXrsCltcTTX9fy3egBqV2Lf6FKAW8qHiltLVM5f+dOrJv0CDXqNTqtObI8A==&lt;/dsig:SignatureValue&gt;&lt;/dsig:Signature&gt;&lt;saml:Subject&gt;&lt;saml:NameID Format=&quot;urn:oasis:names:tc:SAML:2.0:nameid-format:persistent&quot; NameQualifier=&quot;idp.mymoneyworks.co.uk&quot; SPNameQualifier=&quot;https://ids.secure.windows.co.uk/nidp/saml2/metadata&quot;&gt;1dba9fac698aab5efb8cd7359bcb6c2977297e9b&lt;/saml:NameID&gt;&lt;saml:SubjectConfirmation Method=&quot;urn:oasis:names:tc:SAML:2.0:cm:bearer&quot;&gt;&lt;saml:SubjectConfirmationData NotOnOrAfter=&quot;2013-07-15T13:05:34Z&quot; Recipient=&quot;https://ids.secure.windows.co.uk/nidp/saml2/spassertion_consumer&quot;/&gt;&lt;/saml:SubjectConfirmation&gt;&lt;/saml:Subject&gt;&lt;saml:Conditions NotBefore=&quot;2013-07-15T13:04:24Z&quot; NotOnOrAfter=&quot;2013-07-15T13:05:34Z&quot;&gt;&lt;saml:AudienceRestriction&gt;&lt;saml:Audience&gt;https://ids.secure.windows.co.uk/nidp/saml2/metadata&lt;/saml:Audience&gt;&lt;/saml:AudienceRestriction&gt;&lt;saml:OneTimeUse/&gt;&lt;/saml:Conditions&gt;&lt;saml:AuthnStatement AuthnInstant=&quot;2013-07-15T13:02:44Z&quot; SessionIndex=&quot;A27E77BF4463B0C507767C32A8D7576415858DDCB&quot; 
SessionNotOnOrAfter=&quot;2013-07-15T21:02:49Z&quot;&gt;&lt;saml:AuthnContext&gt;&lt;saml:AuthnContextClassRef&gt;urn:oasis:names:tc:SAML:2.0:ac:classes:Password&lt;/saml:AuthnContextClassRef&gt;&lt;/saml:AuthnContext&gt;&lt;/saml:AuthnStatement&gt;&lt;/saml:Assertion&gt;&lt;/samlp:Response&gt;
************************* End SAML2 message ****************************</msg></amLogEntry>
<amLogEntry seq="27376691" d="2013-07-15T13:04:23Z" lg="SAML2" lv="DEBUG" th="14" ><msg>Method: SAML2AuthnContext.parse
Thread: http-443-Processor3
expiration: 0</msg></amLogEntry>
<amLogEntry seq="27376692" d="2013-07-15T13:04:23Z" lg="SAML2" lv="DEBUG" th="14" ><msg>Method: SAML2Profile.A
Thread: http-443-Processor3
Processing artifact for pre-brokering, provider= idp.mymoneyworks.co.uk and relayState = https://sp.secure.windows.co.uk/frame.wpl/839</msg></amLogEntry>
<amLogEntry seq="27376693" d="2013-07-15T13:04:23Z" lg="SAML2" lv="DEBUG" th="14" ><msg>Method: SAML2Profile.A
Thread: http-443-Processor3
Relaystate does not have Intersite Transfer request.. no brokering policy enforcement is needed</msg></amLogEntry>
<amLogEntry seq="27376694" d="2013-07-15T13:04:23Z" lg="Application" lv="VERBOSE" th="14" ><msg>IDP response failed to authenticate: NIDPLOGGING.300101011</msg></amLogEntry>
<amLogEntry seq="27376695" d="2013-07-15T13:04:23Z" lg="SAML2" lv="WARNING" th="14" ><msg>Exception message: &quot;NIDPLOGGING.300101011&quot;
     y, Line: 2431, Method: validate
     y, Line: 3075, Method: verifyResponse
     y, Line: 277, Method: handleAuthentication
     y, Line: 2562, Method: processResponse
     y, Line: 226, Method: processResponse
     y, Line: 1125, Method: handleInBoundMessage
     y, Line: 3474, Method: processResponse
     y, Line: 2544, Method: A
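The duplicate-POST check that the Additional Information section performs by eye, added here as an example and not NAM's own code: it parses amLogEntry records of the shape traced above, unescapes the entity-encoded samlp:Response inside each message and reports any assertion ID received more than once, with the gap in seconds between sightings. The three log records in the block are constructed, with made-up IDs and timestamps.

```python
import re
import html
from collections import defaultdict
from datetime import datetime

# Constructed amLogEntry records in the shape of the catalina trace above; the
# IDs, seq numbers and timestamps are made up for this example.
LOG = """\
<amLogEntry seq="1" d="2013-07-15T13:04:19Z" lg="SAML2" lv="DEBUG" th="15" ><msg>Method: SAML2Profile.traceMessage
Type: received
&lt;samlp:Response ID=&quot;RESP-0001&quot; IssueInstant=&quot;2013-07-15T13:04:29Z&quot;&gt;&lt;saml:Assertion ID=&quot;ASSERT-0001&quot;/&gt;&lt;/samlp:Response&gt;
</msg></amLogEntry>
<amLogEntry seq="2" d="2013-07-15T13:04:23Z" lg="SAML2" lv="DEBUG" th="14" ><msg>Method: SAML2Profile.traceMessage
Type: received
&lt;samlp:Response ID=&quot;RESP-0001&quot; IssueInstant=&quot;2013-07-15T13:04:29Z&quot;&gt;&lt;saml:Assertion ID=&quot;ASSERT-0001&quot;/&gt;&lt;/samlp:Response&gt;
</msg></amLogEntry>
<amLogEntry seq="3" d="2013-07-15T13:06:00Z" lg="SAML2" lv="DEBUG" th="16" ><msg>Method: SAML2Profile.traceMessage
Type: received
&lt;samlp:Response ID=&quot;RESP-0002&quot; IssueInstant=&quot;2013-07-15T13:06:10Z&quot;&gt;&lt;saml:Assertion ID=&quot;ASSERT-0002&quot;/&gt;&lt;/samlp:Response&gt;
</msg></amLogEntry>
"""

ENTRY_RE = re.compile(r'<amLogEntry seq="(\d+)" d="([^"]+)"[^>]*><msg>(.*?)</msg></amLogEntry>', re.S)
RESPONSE_ID_RE = re.compile(r'<samlp:Response\b[^>]*?\bID="([^"]+)"')
ASSERTION_ID_RE = re.compile(r'<saml:Assertion\b[^>]*?\bID="([^"]+)"')

def received_responses(log_text):
    """Yield (seq, received_at, response_id, assertion_id) for each inbound SAML2 POST trace."""
    for seq, stamp, msg in ENTRY_RE.findall(log_text):
        if "Type: received" not in msg:
            continue
        xml = html.unescape(msg)  # the trace stores the SAML as &lt;...&gt; entities
        resp, assertion = RESPONSE_ID_RE.search(xml), ASSERTION_ID_RE.search(xml)
        if resp and assertion:
            received_at = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
            yield int(seq), received_at, resp.group(1), assertion.group(1)

def find_replays(log_text):
    """Assertion IDs seen more than once, each as (seq, seconds after first sighting, response ID);
    a second sighting inside the assertion's validity is what NAM rejects with 300101011."""
    sightings = defaultdict(list)
    for seq, received_at, response_id, assertion_id in received_responses(log_text):
        sightings[assertion_id].append((seq, received_at, response_id))
    replays = {}
    for assertion_id, hits in sightings.items():
        if len(hits) > 1:
            first = hits[0][1]
            replays[assertion_id] = [(seq, int((at - first).total_seconds()), rid) for seq, at, rid in hits]
    return replays
```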