Access Manager SAML2 IDP server reports "Request was from an untrusted provider"

  • 7024241
  • 06-Nov-2019
  • 06-Nov-2019

Environment

Access Manager 4.4
Access Manager 4.5
Access Manager 4.5.1

Situation

  • Access Manager has been configured as SAML2 IDP server
  • The SAML2 Service Provider metadata includes two signing certificates, one of which is expired.
  • The Service Provider is not initialized / loaded on the IDP server, and the following error is logged:
    <amLogEntry> SEVERE NIDS Application:AM#100105007:AMDEVICEID#5BD7DB57BD3EC3A0:AMAUTHID#803e9573e589a59df8f71f14a4ddd2a4842828c71ef9195ad3374863a402ed02:Error verifying metadata certificates while loading trusted provider http://login.kgast.org/adfs/services/trust com.novell.nidp.NIDPException: Certification path could not be validated. Could not validate certificate: NotAfter: Sat Jan 14 14:23:34 CET 2017 Root Cause: java.security.cert.CertPathBuilderException: Certification path could not be validated.</amLogEntry>

  • SAML Authentication Requests fail with the error (catalina.out):
    <amLogEntry> 2019-10-28T13:05:21Z WARNING NIDS SAML2: Entity Provider not found with the provider id as http://login.kgast.org/adfs/services/trust </amLogEntry>
    Warning: Invalid resource key: Request was from an untrusted provider. No prefix!

Resolution

  • This issue has been reported to engineering.

  • As a workaround:
    • edit the SAML2 SP metadata and remove the expired signing certificate entry
    • re-import the modified metadata and apply the change so the SP is loaded again as a trusted provider
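The workaround above is a manual edit of the SP metadata. The following script is an added example (not part of the article and not Access Manager code) that performs the same edit programmatically: it walks the md:KeyDescriptor entries of an SP EntityDescriptor, reads the notAfter date out of each signing certificate with a minimal DER walker (standard library only, so it runs offline), and drops the entries that have expired while leaving encryption-only keys untouched. The metadata and the two certificates it operates on are constructed inline for the demonstration; the expired one carries the 2017-01-14 notAfter date seen in the article's log, and the entityID and CN are placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)


# --- minimal DER helpers: just enough to reach Certificate.tbsCertificate.validity.notAfter ---

def der_tlv(tag, content):
    """Encode one DER tag/length/value (lengths up to 65535)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def der_read(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    start = pos + hdr
    return tag, buf[start:start + n], start + n


def der_children(content):
    """Split the content of a constructed type into its (tag, content) members."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out


def cert_not_after(der):
    """Return the notAfter field of a DER X.509 certificate as an aware UTC datetime."""
    _, cert_body, _ = der_read(der, 0)
    fields = der_children(der_children(cert_body)[0][1])   # tbsCertificate members
    if fields[0][0] == 0xA0:                                # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = fields[3][1]                                 # serial, sigAlg, issuer, validity, ...
    tag, value = der_children(validity)[1]                  # second Time is notAfter
    text = value.decode("ascii")
    if tag == 0x17:                                         # UTCTime: apply RFC 5280 century rule
        text = ("20" if int(text[:2]) < 50 else "19") + text
    elif tag != 0x18:                                       # otherwise it must be GeneralizedTime
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime(int(text[0:4]), int(text[4:6]), int(text[6:8]),
                    int(text[8:10]), int(text[10:12]), int(text[12:14]), tzinfo=timezone.utc)


def strip_expired_signing_certs(metadata_xml, now):
    """Drop every signing KeyDescriptor whose certificate has expired; keep encryption-only keys.

    Returns (cleaned_xml, list of the removed certificates' notAfter datetimes)."""
    root = ET.fromstring(metadata_xml)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    removed = []
    for kd in list(root.iter("{%s}KeyDescriptor" % MD_NS)):
        if kd.get("use") not in (None, "signing"):          # no 'use' means signing AND encryption
            continue
        cert_el = kd.find(".//{%s}X509Certificate" % DS_NS)
        if cert_el is None or not cert_el.text:
            continue
        not_after = cert_not_after(base64.b64decode("".join(cert_el.text.split())))
        if not_after < now:
            parent_of[kd].remove(kd)
            removed.append(not_after)
    return ET.tostring(root, encoding="unicode"), removed


# --- constructed sample input: hypothetical SP, unsigned throw-away certificates ---

def fake_cert_der(not_after):
    """Build a structurally valid but unsigned X.509 DER blob; demo input only, not a real certificate."""
    utc = lambda d: der_tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    alg = lambda oid_hex: der_tlv(0x30, der_tlv(0x06, bytes.fromhex(oid_hex)) + der_tlv(0x05, b""))
    sig_alg = alg("2a864886f70d01010b")                     # sha256WithRSAEncryption
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, bytes.fromhex("550403"))
                                                  + der_tlv(0x0C, b"demo"))))  # CN=demo (placeholder)
    validity = der_tlv(0x30, utc(datetime(2015, 1, 1, tzinfo=timezone.utc)) + utc(not_after))
    spki = der_tlv(0x30, alg("2a864886f70d010101") + der_tlv(0x03, b"\x00"))  # empty key placeholder
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + sig_alg + name + validity + name + spki)
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00"))


def demo_metadata():
    """SP metadata with two signing certificates, one expired on 2017-01-14 as in the article's log."""
    def kd(cert_der):
        return ('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
                '<ds:X509Certificate>%s</ds:X509Certificate>'
                '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>' % base64.b64encode(cert_der).decode())
    expired = fake_cert_der(datetime(2017, 1, 14, 13, 23, 34, tzinfo=timezone.utc))
    current = fake_cert_der(datetime(2030, 1, 1, tzinfo=timezone.utc))
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="https://sp.example.invalid/saml">'
            '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            % (MD_NS, DS_NS)) + kd(expired) + kd(current) + '</md:SPSSODescriptor></md:EntityDescriptor>'


if __name__ == "__main__":
    cleaned, removed = strip_expired_signing_certs(demo_metadata(), datetime.now(timezone.utc))
    print("removed %d expired signing certificate(s): %s" % (len(removed), removed))
    print(cleaned)
```

Run it against a real metadata file by replacing `demo_metadata()` with the file contents; the output is what you re-import at the IDP. Only KeyDescriptor entries are touched, so any EntitiesDescriptor-level signature on the metadata will no longer verify and must be re-signed or the metadata imported unsigned, exactly as with a manual edit.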

Additional Information


Troubleshooting:
  • Enable the following IDP cluster Auditing and Logging options:
    • File Logging: Enabled
    • Echo To Console: checked
    • Component File Logger Levels: Application, Liberty, SAML2


  • stop the IDP Server and truncate catalina.out: " > /opt/novell/nam/idp/logs/catalina.out"
  • start the IDP Server and wait until it is up and running
  • review catalina.out with: grep "trusted provider" /opt/novell/nam/idp/logs/catalina.out
    <amLogEntry> 2019-11-06T11:35:39Z SEVERE NIDS Application: AM#100105007: AMDEVICEID#5BD7DB57BD3EC3A0: AMAUTHID#803e9573e589a59df8f71f14a4ddd2a4842828c71ef9195ad3374863a402ed02:  Error verifying metadata certificates while loading trusted provider http://login.kgast.org/adfs/services/trust
    <amLogEntry> 2019-11-06T11:35:40Z INFO NIDS Application: AM#500105038: AMDEVICEID#5BD7DB57BD3EC3A0: AMAUTHID#803e9573e589a59df8f71f14a4ddd2a4842828c71ef9195ad3374863a402ed02:  Loaded trusted provider urn:federation:MicrosoftOnline of protocol SAML 2 </amLogEntry>
    <amLogEntry> 2019-11-06T11:35:40Z INFO NIDS Application: AM#500105038: AMDEVICEID#5BD7DB57BD3EC3A0: AMAUTHID#803e9573e589a59df8f71f14a4ddd2a4842828c71ef9195ad3374863a402ed02:  Loaded trusted provider https://dmuacademic.myprintdesk.net/DSF/asp11/ of protocol SAML 2 </amLogEntry>
    <amLogEntry> 2019-11-06T11:35:40Z INFO NIDS Application: AM#500105038: AMDEVICEID#5BD7DB57BD3EC3A0: AMAUTHID#803e9573e589a59df8f71f14a4ddd2a4842828c71ef9195ad3374863a402ed02:  Loaded trusted provider IDPCluster of protocol SAML 2 </amLogEntry>
  • If there is no error, make sure the SAML Authentication Request includes a valid entity ID (using a tool such as the SAML-tracer browser plugin or Fiddler)
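The grep step and the final entity-ID check are two halves of one triage: a provider that failed to load explains a later "Entity Provider not found" warning for the same ID, whereas the same warning for an ID that never appears in the load messages points at the SP sending a wrong entity ID. The script below is an added example (not part of the article) that correlates the three log signals over catalina.out lines; the sample lines are constructed from the article's own entries, shortened and with one hypothetical extra provider ID added to show the unexplained case.

```python
import re

# The three catalina.out signals the article describes (Application and SAML2 logger output).
LOAD_ERROR = re.compile(r"Error verifying metadata certificates while loading trusted provider\s+(\S+)")
LOADED = re.compile(r"Loaded trusted provider\s+(\S+)\s+of protocol")
NOT_FOUND = re.compile(r"Entity Provider not found with the provider id as\s+(\S+)")


def triage_trusted_providers(lines):
    """Correlate provider-load results with 'Entity Provider not found' warnings.

    Returns a dict of sets: providers that failed to load, providers that loaded, the IDs that
    incoming requests asked for but the IDP did not know, and which of those are explained by a
    load failure (metadata problem) versus unexplained (likely a wrong entity ID in the request).
    Entity IDs are compared exactly, as SAML does; no trailing-slash or case normalization."""
    failed, loaded, unknown = set(), set(), set()
    for line in lines:
        for pattern, bucket in ((LOAD_ERROR, failed), (LOADED, loaded), (NOT_FOUND, unknown)):
            m = pattern.search(line)
            if m:
                bucket.add(m.group(1))
                break
    return {
        "failed_to_load": failed,
        "loaded": loaded,
        "requested_but_unknown": unknown,
        "explained_by_load_failure": unknown & failed,
        "unexplained": unknown - failed - loaded,
    }


# Constructed sample: the article's log entries (AMAUTHID dropped for brevity) plus one hypothetical
# request for an entity ID that was never part of any loaded or failed provider.
SAMPLE_CATALINA_OUT = [
    "<amLogEntry> 2019-11-06T11:35:39Z SEVERE NIDS Application: AM#100105007: AMDEVICEID#5BD7DB57BD3EC3A0:  "
    "Error verifying metadata certificates while loading trusted provider http://login.kgast.org/adfs/services/trust </amLogEntry>",
    "<amLogEntry> 2019-11-06T11:35:40Z INFO NIDS Application: AM#500105038: AMDEVICEID#5BD7DB57BD3EC3A0:  "
    "Loaded trusted provider urn:federation:MicrosoftOnline of protocol SAML 2 </amLogEntry>",
    "<amLogEntry> 2019-11-06T11:35:40Z INFO NIDS Application: AM#500105038: AMDEVICEID#5BD7DB57BD3EC3A0:  "
    "Loaded trusted provider IDPCluster of protocol SAML 2 </amLogEntry>",
    "<amLogEntry> 2019-10-28T13:05:21Z WARNING NIDS SAML2: Entity Provider not found with the provider id as "
    "http://login.kgast.org/adfs/services/trust </amLogEntry>",
    "<amLogEntry> 2019-10-28T13:07:02Z WARNING NIDS SAML2: Entity Provider not found with the provider id as "
    "https://sp.example.invalid/typo </amLogEntry>",
]


if __name__ == "__main__":
    # For a live system: triage_trusted_providers(open("/opt/novell/nam/idp/logs/catalina.out"))
    for key, ids in triage_trusted_providers(SAMPLE_CATALINA_OUT).items():
        print("%-28s %s" % (key + ":", ", ".join(sorted(ids)) or "-"))
```

An ID under "explained_by_load_failure" sends you back to the metadata workaround in the Resolution section; an ID under "unexplained" is the case the last troubleshooting step covers, where the request itself (its Issuer, captured with SAML-tracer or Fiddler) has to be compared against the entity ID configured for the SP.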