Assertion sent by NAM IDP server does not include any "AuthnContextClassRef"

  • 7024127
  • 19-Sep-2019
  • 19-Sep-2019

Environment

  • Access Manager 4.4.x
  • Access Manager 4.5

Situation

  • NetIQ Access Manager has been configured to act as:

    • SAML2 Identity Provider (IDP) for local SAML2 Service Provider
    • SAML2 Service Provider (SP) forwarding AuthnRequest to remote IDP Servers
            [SP] <===> [Local IDP] <===> [Remote IDP]
  • The SAML2 SP sends a SAML AuthnRequest which does not include any <samlp:RequestedAuthnContext>:
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                        Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable"
                        Destination="https://idpa.kgast.nam.com:8443/nidp/saml2/sso"
                        ForceAuthn="false"
                        ID="id5xch3PbBXtAcTj6tBMrVZvPpakU"
                        IsPassive="false"
                        IssueInstant="2019-09-19T09:31:45Z"
                        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                        Version="2.0"
                        >
        <saml:Issuer>https://nam.kgast.local/nidp/saml2/metadata</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <CanonicalizationMethod xmlns="http://www.w3.org/2000/09/xmldsig#"
                                        Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ds:Reference URI="#id5xch3PbBXtAcTj6tBMrVZvPpakU">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">XXXX</DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <SignatureValue xmlns="http://www.w3.org/2000/09/xmldsig#">XXXX</SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>XXXX</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
    </samlp:AuthnRequest>

  • The local IDP server forwards the SAML AuthnRequest to the configured remote IDP server.
    The SAML Assertion returned by the remote IDP server includes a <saml:AuthnContext>:

    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    Destination="https://idpa.kgast.nam.com:8443/nidp/saml2/spassertion_consumer"
                    ID="idPhMWpfGbEKqk8x2c9rWg2aUhGjk"
                    InResponseTo="idOIYX7VsU7MhsKVMED6sLRdQvRno"
                    IssueInstant="2019-09-19T09:41:23Z"
                    Version="2.0"
                    >
        <saml:Issuer>https://idpa31.kgast.nam.com:8443/nidp/saml2/metadata</saml:Issuer>
        <samlp:Status>
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
        </samlp:Status>
        <saml:Assertion ID="id0SJxlfDybUwaf1_IU4DXgFdGGOI"
                        IssueInstant="2019-09-19T09:41:23Z"
                        Version="2.0"
                        >
            <saml:Issuer>https://idpa31.kgast.nam.com:8443/nidp/saml2/metadata</saml:Issuer>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>
                    <CanonicalizationMethod xmlns="http://www.w3.org/2000/09/xmldsig#"
                                            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
                                            />
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                    <ds:Reference URI="#id0SJxlfDybUwaf1_IU4DXgFdGGOI">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                        <DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">XXXX</DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <SignatureValue xmlns="http://www.w3.org/2000/09/xmldsig#">XXXX</SignatureValue>
                <ds:KeyInfo>
                    <ds:X509Data>
                        <ds:X509Certificate>XXXX</ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </ds:Signature>
            <saml:Subject>
                <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                             NameQualifier="https://idpa31.kgast.nam.com:8443/nidp/saml2/metadata"
                             SPNameQualifier="https://idpa.kgast.nam.com:8443/nidp/saml2/metadata"
                             >iZbNrNQnpAQwEWQ0ThRvOUIRbTtGE2c5tH8xMA==</saml:NameID>
                <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                    <saml:SubjectConfirmationData InResponseTo="idOIYX7VsU7MhsKVMED6sLRdQvRno"
                                                  NotOnOrAfter="2019-09-19T09:46:23Z"
                                                  Recipient="https://idpa.kgast.nam.com:8443/nidp/saml2/spassertion_consumer"
                                                  />
                </saml:SubjectConfirmation>
            </saml:Subject>
            <saml:Conditions NotBefore="2019-09-19T09:36:23Z"
                             NotOnOrAfter="2019-09-19T09:46:23Z"
                             >
                <saml:AudienceRestriction>
                    <saml:Audience>https://idpa.kgast.nam.com:8443/nidp/saml2/metadata</saml:Audience>
                </saml:AudienceRestriction>
            </saml:Conditions>
            <saml:AuthnStatement AuthnInstant="2019-09-19T09:39:18Z"
                                 SessionIndex="id0SJxlfDybUwaf1_IU4DXgFdGGOI"
                                 >
                <saml:AuthnContext>
                    <saml:AuthnContextClassRef>com:mf:ext:contract:level1</saml:AuthnContextClassRef>
                </saml:AuthnContext>
            </saml:AuthnStatement>
            <saml:AttributeStatement>
                <saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                Name="/UserAttribute[@ldap:targetAttribute=&quot;mail&quot;]"
                                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                                >
                    <saml:AttributeValue xsi:type="xs:string">klaus.gast@ema.corp</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                Name="/UserAttribute[@ldap:targetAttribute=&quot;cn&quot;]"
                                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                                >
                    <saml:AttributeValue xsi:type="xs:string">kgast</saml:AttributeValue>
                </saml:Attribute>
            </saml:AttributeStatement>
        </saml:Assertion>
    </samlp:Response>

  • The Assertion finally sent back from the local IDP server to the SP does not pass on the

    <saml:AuthnContext>
        <saml:AuthnContextClassRef>
        <saml:AuthnContextDeclRef>
    </saml:AuthnContext>

    provided by the remote IDP server. The SP therefore cannot tell which contract or authentication strength the remote IDP applied.

  • This problem does not occur if the SP includes a <samlp:RequestedAuthnContext> in the AuthnRequest.

Resolution

  • This issue has been reported to engineering and will be fixed in NAM45SP1.
  • With the code change shipped in NAM45SP1, the local IDP server creates a SAML Assertion carrying an AuthnContext such as the following example:

    <saml:AuthnContext>
        <saml:AuthnContextClassRef>com:mf:ext:contract:level1</saml:AuthnContextClassRef>
        <saml:AuthnContextDeclRef>com:mf:ext:contract:level1</saml:AuthnContextDeclRef>
        <saml:AuthenticatingAuthority>https://idpa31.kgast.nam.com:8443/nidp/saml2/metadata</saml:AuthenticatingAuthority>
    </saml:AuthnContext>

  • The <saml:AuthnContextDeclRef> carries the URI configured on the contract executed at the local IDP.
  • The <saml:AuthnContextClassRef> carries the value returned by the remote IDP server.
  • The <saml:AuthenticatingAuthority> identifies the remote IDP server that actually authenticated the user.
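A relying party that depends on the authentication strength of a proxied login should not silently accept an assertion whose AuthnContext has been dropped. The following check is an added example, not NetIQ or Access Manager code: it parses a SAML Response with the standard library, extracts the AuthnContextClassRef, AuthnContextDeclRef and AuthenticatingAuthority from the first AuthnStatement, and rejects the assertion when no class reference is present or when it is not in the set the SP accepts. The two sample Responses are constructed here from the article's XML (IDs, signature, NameID and attributes reduced to placeholders); one models the truncated assertion the article describes, the other the AuthnContext shown above for NAM45SP1. The check assumes the XML signature on the Assertion has already been verified by the SP's SAML stack before this runs.

```python
"""Check that a proxied SAML 2.0 assertion still carries a usable AuthnContext."""
import xml.etree.ElementTree as ET

# SAML 2.0 namespace URIs as used in the article's AuthnRequest and Response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample Response modelled on the article (issuer = local IDP).
# Signature, NameID, IDs and attributes are placeholders; the AuthnContext block
# is injected so one skeleton can model both the broken and the fixed behaviour.
RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-response-id" Version="2.0"
                IssueInstant="2019-09-19T09:41:23Z">
  <saml:Issuer>https://idpa.kgast.nam.com:8443/nidp/saml2/metadata</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_constructed-assertion-id" Version="2.0"
                  IssueInstant="2019-09-19T09:41:23Z">
    <saml:Issuer>https://idpa.kgast.nam.com:8443/nidp/saml2/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">PLACEHOLDER</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2019-09-19T09:39:18Z"
                         SessionIndex="_constructed-assertion-id">
      {authn_context}
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
"""

# AuthnContext as the article shows it for the NAM45SP1 code change.
FIXED_AUTHN_CONTEXT = """<saml:AuthnContext>
        <saml:AuthnContextClassRef>com:mf:ext:contract:level1</saml:AuthnContextClassRef>
        <saml:AuthnContextDeclRef>com:mf:ext:contract:level1</saml:AuthnContextDeclRef>
        <saml:AuthenticatingAuthority>https://idpa31.kgast.nam.com:8443/nidp/saml2/metadata</saml:AuthenticatingAuthority>
      </saml:AuthnContext>"""

# Pre-fix behaviour as the article describes it: the remote IDP's AuthnContext is
# not passed on (modelled here as an AuthnStatement with no AuthnContext at all).
BROKEN_RESPONSE = RESPONSE_TEMPLATE.format(authn_context="")
FIXED_RESPONSE = RESPONSE_TEMPLATE.format(authn_context=FIXED_AUTHN_CONTEXT)


def extract_authn_context(response_xml: str) -> dict:
    """Return class_ref, decl_ref and authenticating_authority of the first
    AuthnStatement in the first Assertion; each value is None when absent."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no saml:Assertion")
    statement = assertion.find("saml:AuthnStatement", NS)
    if statement is None:
        raise ValueError("Assertion carries no saml:AuthnStatement")
    context = statement.find("saml:AuthnContext", NS)

    def child_text(tag: str):
        if context is None:
            return None
        element = context.find(tag, NS)
        if element is None or element.text is None:
            return None
        return element.text.strip() or None

    return {
        "class_ref": child_text("saml:AuthnContextClassRef"),
        "decl_ref": child_text("saml:AuthnContextDeclRef"),
        "authenticating_authority": child_text("saml:AuthenticatingAuthority"),
    }


def check_authn_context(response_xml: str, accepted_class_refs, trusted_authorities=None):
    """Return (accepted, reason). An assertion without AuthnContextClassRef is
    rejected because its authentication strength cannot be established. If
    trusted_authorities is given, a present AuthenticatingAuthority (set only
    when the login was proxied) must be one of them; its absence means the
    asserting IDP authenticated the user itself and is accepted."""
    context = extract_authn_context(response_xml)
    class_ref = context["class_ref"]
    if class_ref is None:
        return False, "no AuthnContextClassRef in assertion; authentication strength unknown"
    if class_ref not in accepted_class_refs:
        return False, f"AuthnContextClassRef {class_ref!r} is not in the accepted set"
    authority = context["authenticating_authority"]
    if trusted_authorities is not None and authority is not None \
            and authority not in trusted_authorities:
        return False, f"AuthenticatingAuthority {authority!r} is not trusted"
    return True, "ok"


if __name__ == "__main__":
    accepted = {"com:mf:ext:contract:level1"}
    trusted = {"https://idpa31.kgast.nam.com:8443/nidp/saml2/metadata"}
    for label, response in (("pre-SP1", BROKEN_RESPONSE), ("NAM45SP1", FIXED_RESPONSE)):
        print(label, check_authn_context(response, accepted, trusted))
```

Run as a script it prints a rejection for the pre-SP1 sample and an acceptance for the NAM45SP1 sample. In a real SP the accepted class references come from the SP's own assurance policy, and the trusted-authority set from the list of remote IDPs the local IDP is allowed to proxy to; both are deliberately parameters rather than constants.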