Access Manager IDP server cannot access eDirectory secret store

  • 7024098
  • 30-Aug-2019
  • 30-Aug-2019

Environment

  • Access Manager 4.4
  • Access Manager 4.5

Situation

Configuration:
  • User store: eDirectory 9.1.2 installed on SLES12 SP4
  • Freshly installed eDirectory 9.1.2 configured as the user store (LDAP over SSL)
  • IDP => Liberty => Web Service Provider => Credential Profile has been configured to use the eDirectory 9.1.2 user store under "Novell Secret Store User Store References"
  • The NMAS SAML Login Method was installed with NAM 4.4.4 (via the user store configuration option "Install NMAS SAML method")
Symptom:
  • Login against the eDirectory 9.1.2 user store works fine
  • Access to the SecretStore fails with the following error (ndstrace):
----------------------------------------------------------
262246: IssueInstant: 1552655305, current time: 1552655305, valid before: 180, valid after: 180
262246: IssueInstant matches current time.
262246: Trying certificate 0
262246: Successfully imported trusted certificate and public key.
262246: Error -1 validating assertion signature. Likely causes are 1) the signature is invalid or 2) the signing certificate is not trusted.
262246:     ...Failed. Trying next certificate.
262246: Error validating assertion signature. Likely causes are 1) the signature is invalid or 2) the signing certificate is not trusted.
262246: SAML LSM exiting with status: -1642
----------------------------------------------------------

Resolution

  • This issue has been reported to engineering

  • Workaround:
    - Use iManager and edit your IDP cluster configuration
    - Open the "Options" menu item
    - Select New
    - Choose Other
    - Property Name: SAML2 SIGN METHODDIGEST SHA256
    - Property Value: false
Note: Because this is a global setting, it applies to every SAML assertion the IDP server creates. This can lead to a situation where, due to their security policies, some SAML SPs no longer accept the assertions. In that case you have to configure the same option, SAML2 SIGN METHODDIGEST SHA256, with the value True on each affected SP.

Cause


The Access Manager IDP server makes use of the NMAS SAML Assertion Login Method which can be installed during the configuration process of an eDirectory userstore ( "Install NMAS SAML method" ) to access the SecretStore.  The current version of the SAML NMAS Plugin does not support SAML Assertions which are signed with SHA2.
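The practical question this raises for an administrator is which hash family the IDP is actually signing assertions with, both to confirm that the workaround took effect and to see which SPs will be affected by it. The following is an added example, not code from the KB article or from the Access Manager product: it parses the ds:Signature block of a SAML 2.0 assertion (for instance one captured from a SAML trace) and classifies the SignatureMethod and DigestMethod algorithm URIs as SHA-1 or SHA-2. The two embedded assertions are constructed samples with placeholder signature and digest values; the issuer URL and subject are made up, and no cryptographic verification is performed, only algorithm identification.

```python
"""Report which hash family a SAML 2.0 assertion's XML signature uses.

Added example (not part of the KB article or the product). It only inspects
algorithm identifiers; it does not verify the signature itself.
"""
import xml.etree.ElementTree as ET

# Clark-notation prefix for the XML-DSig namespace, used in ElementTree paths.
DSIG = "{http://www.w3.org/2000/09/xmldsig#}"

# Standard XML-DSig / RFC 4051 algorithm URIs, grouped by hash family.
SHA1_URIS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}
SHA2_URIS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
    "http://www.w3.org/2001/04/xmlenc#sha512",
}


def classify(uri):
    """Map an algorithm URI to 'sha1', 'sha2' or 'unknown'."""
    if uri in SHA1_URIS:
        return "sha1"
    if uri in SHA2_URIS:
        return "sha2"
    return "unknown"


def signature_algorithms(assertion_xml):
    """Return (SignatureMethod URI, [DigestMethod URIs]) from the first ds:Signature."""
    root = ET.fromstring(assertion_xml)
    sig = root.find(f".//{DSIG}Signature")
    if sig is None:
        raise ValueError("assertion carries no ds:Signature element")
    sig_method = sig.find(f"./{DSIG}SignedInfo/{DSIG}SignatureMethod")
    if sig_method is None:
        raise ValueError("ds:SignedInfo lacks a SignatureMethod element")
    digests = sig.findall(f"./{DSIG}SignedInfo/{DSIG}Reference/{DSIG}DigestMethod")
    return sig_method.get("Algorithm"), [d.get("Algorithm") for d in digests]


def check_assertion(assertion_xml):
    """Summarise the hash families used and whether a SHA-1-only consumer could accept it."""
    sig_uri, digest_uris = signature_algorithms(assertion_xml)
    families = {classify(sig_uri)} | {classify(u) for u in digest_uris}
    return {
        "signature_method": sig_uri,
        "digest_methods": digest_uris,
        "uses_sha2": "sha2" in families,
        # A consumer that only understands SHA-1 (as the article says the
        # SAML NMAS plugin does) needs every algorithm in the signature to be SHA-1.
        "sha1_only_consumer_ok": families == {"sha1"},
    }


def _sample(sig_alg, digest_alg):
    """Constructed minimal assertion; SignatureValue/DigestValue are placeholders."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_example" Version="2.0"
    IssueInstant="2019-03-15T13:08:25Z">
  <saml:Issuer>https://idp.example.test/nidp/saml2/metadata</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="{sig_alg}"/>
      <ds:Reference URI="#_example">
        <ds:DigestMethod Algorithm="{digest_alg}"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
</saml:Assertion>"""


# What an IDP emits with the SHA256 option left at its default (constructed).
SAMPLE_SHA256 = _sample("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                        "http://www.w3.org/2001/04/xmlenc#sha256")
# What it emits after the workaround above sets the option to false (constructed).
SAMPLE_SHA1 = _sample("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                      "http://www.w3.org/2000/09/xmldsig#sha1")

if __name__ == "__main__":
    for name, xml in (("sha256 sample", SAMPLE_SHA256), ("sha1 sample", SAMPLE_SHA1)):
        print(name, check_assertion(xml))
```

Run it against a real assertion by passing the captured XML string to `check_assertion`; `uses_sha2` True means the assertion is in the form the article says the SAML NMAS plugin rejects, and `sha1_only_consumer_ok` False on an SP-bound assertion is the hint that the SP side of the note above may need attention.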