Federation with external SAML 2.0 partner gives 300101013 error

  • 3903427
  • 02-Jan-2007
  • 26-Apr-2012

Environment


Novell Access Management 3 Linux Novell Identity Server acting as SAML2 Service provider consuming assertions
Novell Access Management 3 Linux Access Gateway
3rd Party Identity Server acting as SAML2 provider


Situation

After the user authenticates to the 3rd party Identity Server, that SAML2 identity provider (IDP) sends an assertion back to the Access Manager Identity Server, which is acting as the SAML2 service provider (SP) and assertion consumer. The federation was configured to deliver assertions with the HTTP POST binding rather than the artifact binding. On receiving the assertion, the Access Manager SP generated error 300101013 and the browser displayed it with the following details:

Error: Unable to validate the subject of the assertion
Cause: A subject may not have been sent in the assertion or was not valid. This check protects from certain assertion attacks.
Action: If persistent, check the protocol message sent for a missing subject and then notify administrator of trusted site.


Resolution

Fixed in the Identity Server 3.0.0-1013 build that ships in Access Manager 3 SP1 IR1. The cause was a defect in how the Identity Server handled digital signatures on the incoming SAML2 assertion.

Additional Information

Looking at the Identity Server (IDP) logs on the Access Manager server, with the most verbose SAML2 logging flags set, the assertion delivered to the SPASSERTION service on the Access Manager Identity Server appeared well formed. Yet the Identity Server responded with the error below because a check it performed on the digital signature failed.

************************* SAML2 Artifact/SOAP message ********************************

Type: received
RelayState: None
[element text of the logged message; the surrounding XML tags were not preserved]
web1-idp.innovation.com
web1-idp.innovation.com
web1-idp.innovation.com
eyZTfFBPfhY7XJdHVqI5QQpkyegQ
http://idp.sim.utopia.novell.com:8080/nidp/saml2/metadata
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

************************* End SAML2 message ****************************



Nov 29, 2006 7:44:38 AM com.novell.nidp.logging.NIDPLog doLog
INFO: Validation failure on message from web1-idp.innovation.com : Digital signature is required
Nov 29, 2006 7:44:38 AM com.novell.nidp.logging.NIDPLog doLog
WARNING: Exception message: "300101013"
y, Line: 2916, Method: validateAssertion
y, Line: 1578, Method:
y, Line: 3518, Method: processResponse
y, Line: 2812, Method: processResponse
y, Line: 2231, Method: processArtifactMessage
y, Line: 874, Method: B
y, Line: 2255, Method: handleInBoundMessage
y, Line: 152, Method: processResponse
y, Line: 3279, Method: A
y, Line: 1633, Method: handleRequest
y, Line: 982, Method: myDoGet
y, Line: 33, Method: doGet
HttpServlet.java, Line: 696, Method: service
HttpServlet.java, Line: 809, Method: service
ApplicationFilterChain.java, Line: 200, Method: internalDoFilter
ApplicationFilterChain.java, Line: 146, Method: doFilter
StandardWrapperValve.java, Line: 209, Method: invoke
StandardPipeline.java, Line: 596, Method: invokeNext
StandardPipeline.java, Line: 433, Method: invoke
ContainerBase.java, Line: 948, Method: invoke
StandardContextValve.java, Line: 144, Method: invoke
StandardPipeline.java, Line: 596, Method: invokeNext
CertificatesValve.java, Line: 199, Method: invoke
StandardPipeline.java, Line: 594, Method: invokeNext
StandardPipeline.java, Line: 433, Method: invoke
ContainerBase.java, Line: 948, Method: invoke
StandardContext.java, Line: 2358, Method: invoke
StandardHostValve.java, Line: 133, Method: invoke
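As an added diagnostic example (not code from this TID or from Access Manager), the Python script below decodes a SAMLResponse as delivered by the HTTP POST binding described in the Situation section and reports the two properties the SP check in the Additional Information section depends on: whether the Response or the Assertion carries a ds:Signature, and whether the Assertion has a Subject. The sample responses are constructed inline; their ds:Signature element is a structural placeholder, not a real XML-DSig, and the script inspects presence only, it does not verify any signature cryptographically. Treating a Response-level signature as satisfying the signature requirement is an assumption of the example, not documented Access Manager behaviour.

```python
"""Inspect a SAML 2.0 Response delivered by the HTTP-POST binding.

Summarises the parts a service provider checks before accepting the
message: Issuer, Signature on Response and/or Assertion, Subject/NameID,
and the AuthnContextClassRef. Presence checks only, no XML-DSig verification.
"""
import base64
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def build_response(sign_assertion: bool, include_subject: bool) -> str:
    """Constructed sample: the base64 SAMLResponse form field a browser would POST.

    The ds:Signature is a structural placeholder, not a real signature.
    Issuer, NameID and AuthnContextClassRef values mirror the TID's log excerpt.
    """
    signature = (
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        "<ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue>"
        "</ds:Signature>"
        if sign_assertion else ""
    )
    subject = (
        "<saml:Subject><saml:NameID>eyZTfFBPfhY7XJdHVqI5QQpkyegQ</saml:NameID>"
        "</saml:Subject>"
        if include_subject else ""
    )
    doc = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        "<saml:Issuer>web1-idp.innovation.com</saml:Issuer>"
        '<saml:Assertion ID="_a1" Version="2.0">'
        "<saml:Issuer>web1-idp.innovation.com</saml:Issuer>"
        f"{signature}{subject}"
        "<saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>"
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
        "</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>"
        "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(doc.encode()).decode()


def inspect_saml_response(saml_response_b64: str) -> dict:
    """Decode a SAMLResponse field and summarise its security-relevant elements."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError(f"not a samlp:Response: {root.tag}")

    assertion = root.find("saml:Assertion", NS)
    subject = assertion.find("saml:Subject", NS) if assertion is not None else None
    ctx_path = "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_present": assertion is not None,
        "assertion_signed": assertion is not None
        and assertion.find("ds:Signature", NS) is not None,
        "subject_present": subject is not None,
        "name_id": subject.findtext("saml:NameID", default="", namespaces=NS).strip()
        if subject is not None else "",
        "authn_context": assertion.findtext(ctx_path, default="", namespaces=NS).strip()
        if assertion is not None else "",
    }


def check_policy(summary: dict) -> list:
    """Reasons an SP applying the checks named in this TID would reject the message.

    Assumption: a signature on either the Response or the Assertion satisfies
    the signature requirement.
    """
    problems = []
    if not summary["assertion_present"]:
        return ["no Assertion in Response"]
    if not (summary["assertion_signed"] or summary["response_signed"]):
        problems.append("Digital signature is required")
    if not summary["subject_present"]:
        problems.append("Unable to validate the subject of the assertion")
    return problems


if __name__ == "__main__":
    for signed, with_subject in [(True, True), (False, True), (True, False)]:
        summary = inspect_saml_response(build_response(signed, with_subject))
        print(summary["issuer"], summary["name_id"], check_policy(summary) or "OK")
```

To use this on a real federation, capture the SAMLResponse form field from the browser's POST to the SP's assertion consumer URL and pass it to inspect_saml_response; if the partner IDP is not signing the assertion at all, the "Digital signature is required" result is a configuration problem on the IDP side rather than the Identity Server defect fixed in build 3.0.0-1013.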