NAM Identity Server acting as SAML2 SP not sending configured forceAuthn parameter

  • 7017836
  • 12-Jul-2016
  • 22-Jul-2016

Environment

NetIQ Access Manager 4.1
NetIQ Access Manager 4.2
Access Manager Identity Server on Windows and Linux

Situation

We have Access Manager set up with an Access Gateway (AG) protecting web servers and services and communicating with the Identity Server (IDP) using Liberty. Users can authenticate locally or via third-party, state-level identity servers using SAML2, with the NAM IDP acting as the SAML2 SP.

Part of the requirements for authenticating to the state-level IDP is that the forceAuthn parameter must be enabled, i.e. set to true. There is a configuration setting for this in NAM when setting up the remote SAML IDP server, and it works: if I initiate a SAML AuthnRequest from the NAM IDP server to the government IDP server, the forceAuthn parameter is set to true.

A problem exists, however, when the user initiates the AuthnRequest from the AG: the user tries to access the AG-protected resource and is redirected to the NAM IDP server, where an external contract is executed that redirects the user to the state Identity Server. In this case the external contract on the AG sends a Liberty AuthnRequest to the NAM IDP server in which the ForceAuthn setting is always false, with no option to enable it. The AG sends the following AuthnRequest to the Liberty IDP server:

https://nam42sba.lab.novell.com/nidp/idff/sso?RequestID=id8OXkv-SbobCoCjzNqYCpELmR9UM&MajorVersion=1&MinorVersion=2&IssueInstant=2016-04-29T15%3A16%3A13Z&ProviderID=https%3A%2F%2Fnam42sba.lab.novell.com%3A443%2Fnesp%2Fidff%2Fmetadata&RelayState=MA%3D%3D&consent=urn%3Aliberty%3Aconsent%3Aunavailable&agAppNa=namportal&ForceAuthn=false&IsPassive=false&NameIDPolicy=onetime&ProtocolProfile=http%3A%2F%2Fprojectliberty.org%2Fprofiles%2Fbrws-art&target=https%3A%2F%2Fnam42sba.lab.novell.com%2Fportal%2Fusers%2Fintro%2F&AuthnContextStatementRef=%2Furi%2Fanyauthentication

with the ForceAuthn parameter disabled (set to false). When the NAM IDP then proxies the SAML request to the remote IDP server, it sets the forceAuthn parameter to false even though it is enabled in that IDP's configuration:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" AssertionConsumerServiceURL="https://nam42sba.lab.novell.com/nidp/saml2/spassertion_consumer" AttributeConsumingServiceIndex="0" Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable" Destination="https://nam41sba.lab.novell.com/nidp/saml2/sso" ForceAuthn="false" ID="idz6qdoZfGzcjxNpMyxoxsGIK6g5Q" IsPassive="false" IssueInstant="2016-04-29T15:16:18Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer>https://nam42sba.lab.novell.com/nidp/saml2/metadata</saml:Issuer>

We need to be able to set the forceAuthn parameter to true when using external contracts.

Resolution

Fixed in 4.2.2.

The new code reads the forceAuthn option configured on the NAM IDP server for the third-party SAML Identity Provider and always applies that value to the proxied AuthnRequest.
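As an added example (not NetIQ's code), the Python below models the proxy behaviour this fix changes and provides a check a practitioner can run over an AuthnRequest captured with a browser SAML tracer to confirm that ForceAuthn matches the remote IDP configuration. The sample request is constructed from the capture shown above with its closing tag added so that it parses; the hostnames and request ID used in build_proxied_authn_request are placeholders, and the function is a simplified model of the pre- and post-4.2.2 behaviour, not the product's implementation.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed sample: the AuthnRequest captured in this TID, completed with its
# closing tag so that it parses. It carries ForceAuthn="false" although the
# remote IDP configuration required true.
CAPTURED_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'AssertionConsumerServiceURL="https://nam42sba.lab.novell.com/nidp/saml2/spassertion_consumer" '
    'AttributeConsumingServiceIndex="0" '
    'Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable" '
    'Destination="https://nam41sba.lab.novell.com/nidp/saml2/sso" '
    'ForceAuthn="false" ID="idz6qdoZfGzcjxNpMyxoxsGIK6g5Q" IsPassive="false" '
    'IssueInstant="2016-04-29T15:16:18Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">'
    '<saml:Issuer>https://nam42sba.lab.novell.com/nidp/saml2/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def parse_force_authn(authn_request_xml):
    """Return the effective ForceAuthn value of a samlp:AuthnRequest.

    ForceAuthn is an xs:boolean, so "true"/"1" mean true and "false"/"0"
    mean false; when the attribute is absent the SAML 2.0 default is false.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("root element is not samlp:AuthnRequest")
    raw = root.get("ForceAuthn")
    if raw is None:
        return False
    if raw in ("true", "1"):
        return True
    if raw in ("false", "0"):
        return False
    raise ValueError(f"ForceAuthn has a non-boolean value: {raw!r}")


def build_proxied_authn_request(inbound_force_authn, remote_idp_force_authn, fixed=True):
    """Simplified model of the AuthnRequest the NAM IDP (as SAML2 SP) proxies
    to the remote IDP (assumed model, not NetIQ's implementation).

    inbound_force_authn:    ForceAuthn on the Liberty request received from the AG
    remote_idp_force_authn: the forceAuthn option configured for the remote IDP
    fixed=False models the pre-4.2.2 behaviour (the inbound value is passed
    through); fixed=True models the 4.2.2 fix (the configured value is always
    applied).
    """
    force = remote_idp_force_authn if fixed else inbound_force_authn
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "id-CONSTRUCTED-REQUEST-ID",                              # placeholder
        "Version": "2.0",
        "IssueInstant": "2016-04-29T15:16:18Z",
        "Destination": "https://remote-idp.example.com/nidp/saml2/sso",  # placeholder
        "ForceAuthn": "true" if force else "false",
        "IsPassive": "false",
    })
    issuer = ET.SubElement(req, f"{{{SAML}}}Issuer")
    issuer.text = "https://nam-idp.example.com/nidp/saml2/metadata"  # placeholder
    return ET.tostring(req, encoding="unicode")


def check_force_authn(authn_request_xml, required_force_authn):
    """Verify a captured AuthnRequest against the configured forceAuthn option.

    Returns a list of findings; an empty list means the request is as expected.
    """
    try:
        actual = parse_force_authn(authn_request_xml)
    except (ET.ParseError, ValueError) as exc:
        return [f"cannot evaluate ForceAuthn: {exc}"]
    if actual != required_force_authn:
        return [f"ForceAuthn is {str(actual).lower()} but the remote IDP "
                f"configuration requires {str(required_force_authn).lower()}"]
    return []


if __name__ == "__main__":
    print("captured request:", check_force_authn(CAPTURED_AUTHN_REQUEST, True))
    before = build_proxied_authn_request(False, True, fixed=False)
    after = build_proxied_authn_request(False, True, fixed=True)
    print("pre-4.2.2 model:", check_force_authn(before, True))
    print("4.2.2 model:    ", check_force_authn(after, True))
```

To verify the fix on a live system, capture the samlp:AuthnRequest the NAM IDP sends to the remote IDP after an AG-initiated login (the HTTP-POST binding carries it base64-encoded in the SAMLRequest form field) and pass the decoded XML to check_force_authn with the value configured for that IDP; any finding means the configured forceAuthn option is still not being applied.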