Kerberos SAML2 authentication response to Service Providers does not follow standards.

  • 7008865
  • 21-Jun-2011
  • 26-Apr-2012

Environment

Novell Access Management 3.1
Novell Access Management 3.1 Support Pack 3 applied

Situation

When SAML2 authentication responses are sent to other Service Providers (SPs)
for a user who was authenticated with Kerberos, the AuthnContextClassRef should
carry the standards-defined class name rather than a Novell-specific value.

It should be:
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef>

NOT
<saml:AuthnContextClassRef>SPNEGO/Kerberos</saml:AuthnContextClassRef>
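The practical consequence for an SP is shown by the following added example (written for this page; it is not Novell code and not part of the TID). An SP that gates access on the authentication method compares AuthnContextClassRef against the standard class URI, so the vendor-specific string above is not recognised as Kerberos and the assertion is rejected. The SAML response, the issuer URL and the _resp1/_asrt1 identifiers are constructed sample data; the response is unsigned, and signature verification is a separate step not shown here.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Standards-defined class reference for Kerberos authentication.
KERBEROS_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
# Non-standard value the TID reports being sent instead.
NONSTANDARD_KERBEROS = "SPNEGO/Kerberos"


def make_response(class_ref):
    """Build a constructed, minimal, unsigned SAML2 Response carrying one
    AuthnContextClassRef (sample data, not a captured response)."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_resp1" Version="2.0" IssueInstant="2011-06-21T00:00:00Z">
  <saml:Assertion ID="_asrt1" Version="2.0" IssueInstant="2011-06-21T00:00:00Z">
    <saml:Issuer>https://idp.example.test/idp</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2011-06-21T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_class_refs(xml_text):
    """Return every AuthnContextClassRef in the response. The element is typed
    xs:anyURI, so surrounding whitespace (as in the multi-line form quoted in
    the TID) is stripped before comparison."""
    root = ET.fromstring(xml_text)
    tag = f"{{{SAML_NS}}}AuthnContextClassRef"
    return [(el.text or "").strip() for el in root.iter(tag)]


def check_authn_context(xml_text, required=(KERBEROS_CLASS,)):
    """SP-side policy check: accept only if every AuthnContextClassRef is one
    of the required standard class URIs. Returns (verdict, detail)."""
    refs = extract_class_refs(xml_text)
    if not refs:
        return ("reject", "no AuthnContextClassRef present")
    for ref in refs:
        if ref in required:
            continue
        if ref == NONSTANDARD_KERBEROS:
            # Vendor-specific string: an exact-match policy cannot treat it as Kerberos.
            return ("reject", f"non-standard class reference {ref!r}; expected {KERBEROS_CLASS}")
        if not ref.startswith("urn:oasis:names:tc:SAML:2.0:ac:classes:"):
            return ("reject", f"unrecognised class reference {ref!r}")
        return ("reject", f"class reference {ref!r} not in required set")
    return ("accept", refs[0])


if __name__ == "__main__":
    for ref in (KERBEROS_CLASS, NONSTANDARD_KERBEROS):
        print(ref, "->", check_authn_context(make_response(ref)))
```

The policy check is deliberately exact-match on the URN: loosening it to accept arbitrary vendor strings would mean the SP no longer knows which authentication strength it is trusting, which is why the IdP should emit the standard value rather than the SP working around it.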

Resolution

Reported to engineering