Symantec Access Management


Accept ACS URL in Auth Request

  • 1.  Accept ACS URL in Auth Request

    Posted 06-07-2017 02:41 PM

    Hi,

     

    has anyone used this feature in the Siteminder partnership?

     

    I select this checkbox to accept the ACS URL from the authentication request. But it always picks the first ACS URL mentioned in the list of ACS URLs below in the partnership.


    Regards,

    Anand.



  • 2.  Re: Accept ACS URL in Auth Request
    Best Answer

    Posted 06-08-2017 11:09 AM

    Hi Anand,

     

    Accept ACS URL in the Authnrequest
    Lets the system accept and process the Assertion Consumer Service URL in the incoming authentication request from the relying party. Select this check box so the system confirms that the URL is present and valid, and that it is in the metadata.

     

    "Accept ACS URL in the Authnrequest" Flag is unset (OFF):

    When "Accept ACS URL in the Authnrequest" is not set, Siteminder will ignore the AssertionConsumerServiceURL sent in the SAMLRequest and will use the Default ACS URL configured in the Partnership.

     

    "Accept ACS URL in the Authnrequest" Flag is Set (ON):

    When "Accept ACS URL in the Authnrequest" is set, Siteminder will look for AssertionConsumerServiceURL in the SAMLRequest.

    If found, Siteminder will compare the value of the AssertionConsumerServiceURL from the SAMLRequest to the ACS URLs defined in the Partnership.

    If there is a match, the AssertionConsumerServiceURL from the SAMLRequest will be used. If there is no match to any of the ACS URLs defined in the Partnership, the request will be rejected with an http 403 Error.

     

    Something that should be clear is that regardless of how this flag is set, Siteminder will under no conditions allow an assertion to be posted to any ACS URL that is not specified in the Partnership. Enabling this flag merely allows an SP to choose which of the configured ACS URLs to use when multiple ACS URLs are configured in the Partnership.

     

    Please refer to the KB below for more details.

    How to prevent ACS URL spoof in a Authnrequest 

     

    Thanks,

    Sharan



  • 3.  Re: Accept ACS URL in Auth Request

    Posted 10-15-2018 11:33 AM

    Hello Sharan,

     

    I've followed the described steps and also still getting only 1st (default) ACS value returned in the Response.

     

    To test, I've hit the url directly in my browser as such:

    https://myIdp.com/affwebservices/public/saml2sso?SPID=theProvider&AssertionConsumerServiceIndex=1 

     

    from IdP logs (FWSTrace.log):

    ...
    [10/15/2018][09:27:49][35039][139770561791744][26938175-fd9a5b1d-2b0099a4-baeef735-d13c4d99-dcc][SSO.java][processRequest][ProviderID: theProvider]
    [10/15/2018][09:27:49][35039][139770561791744][26938175-fd9a5b1d-2b0099a4-baeef735-d13c4d99-dcc][SSO.java][processRequest][IsPassive: false]
    [10/15/2018][09:27:49][35039][139770561791744][26938175-fd9a5b1d-2b0099a4-baeef735-d13c4d99-dcc][SSO.java][processRequest][ForceAuthn: false]
    [10/15/2018][09:27:49][35039][139770561791744][26938175-fd9a5b1d-2b0099a4-baeef735-d13c4d99-dcc][SSO.java][processRequest][isSetAssertionConsumerServiceIndex: false]
    [10/15/2018][09:27:49][35039][139770561791744][26938175-fd9a5b1d-2b0099a4-baeef735-d13c4d99-dcc][SSO.java][processRequest][AssertionConsumerServiceIndex: 0]
    ...
    [10/15/2018][09:28:00][35039][139770564949760][17db3ba5-3d0662f5-bcdd6ab2-1fe0a141-769f8313-3bd][SSO.java][getACSURLFromSSORequestContext][Using the Default Assertion Consumer Service URL http://theProviderlink.com/Interfaces/AssertionConsumerService.aspx]
    [10/15/2018][09:28:00][35039][139770564949760][17db3ba5-3d0662f5-bcdd6ab2-1fe0a141-769f8313-3bd][SSO.java][processAssertionGeneration][Enforce Force Authn Timeouts is set to: false]
    [10/15/2018][09:28:00][35039][139770564949760][17db3ba5-3d0662f5-bcdd6ab2-1fe0a141-769f8313-3bd][SSO.java][processAssertionGeneration][resource is: /SMASSERTIONREF=QUERY&SPID=theProvider&AssertionConsumerServiceIndex=1&SAMLTRANSACTIONID=16f44a3b-f1c538f6-c3ea9f79-040601f1-51ad54a9-bf3&SSOUrl=https://myIdp.com/affwebservices/public/saml2sso&Oid=21-0009f160-bbbb-1bc0-bc5d-b46d0a6c0000]
    [10/15/2018][09:28:00][35039][139770564949760][17db3ba5-3d0662f5-bcdd6ab2-1fe0a141-769f8313-3bd][SSO.java][processAssertionGeneration][resolved variable list is: <RVARS><Var name="ConsumerURL" rtype="3"><![CDATA[http://theProviderlink.com/Interfaces/AssertionConsumerService.aspx]]></Var><Var name="FederationAPIVersion" rtype="2"><![CDATA[1]]></Var></RVARS>]

     

    Is there a prerequisite to setting the "Accept ACS URL in the Authnrequest" Flag (ON)?

    What could I be missing?



  • 4.  Re: Accept ACS URL in Auth Request

    Posted 06-08-2017 02:27 PM

    We use it pretty extensively without any problems with 12.52 SP1. Just make sure the ACS URL is trusted at the partnership as Sharana mentioned.

     

    So far never run into any problem with it.



  • 5.  Re: Accept ACS URL in Auth Request

    Posted 06-09-2017 11:23 AM

    CBertagnolli I got this to work with the AssertionConsumerServiceIndex='number' in the SAML Authentication request.

     

    However, what I notice is that when SiteMinder generates the response, it always populates the first value in the "Destination" field of the response. Is there any way to get SiteMinder to populate the ACS at the particular index in the "Destination" field?

     

    For example, if this is what I have in the partnership

     

    1-  ACS_URL1

    2-  ACS_URL2

     

    I get a SAML Request with ACSIndex=2. It generates the response and posts correctly to ACS_URL2.

    But when the response is generated, the destination has ACS_URL1.

     

    Is there any way to get SM to write the proper destination value?



  • 6.  Re: Accept ACS URL in Auth Request

    Posted 06-12-2017 11:11 AM

    Hmm I haven't run into that particular issue. Can't recall ever having to setup anything special for it.

     

    Just tested again to verify, and here is an authentication request using ACS URL #2 (index 2). 

     

    <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://my.index2.acs.url:443/acs"
    Destination="https://myidp.com/affwebservices/public/saml2sso"
    ID="BC5D8BFD7BF524D"
    IssueInstant="2017-06-12T15:01:55.669Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0"
    >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://myEntityID/</saml2:Issuer>
    <saml2p:NameIDPolicy AllowCreate="true"
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    SPNameQualifier="https://myEntityID/"
    />
    <saml2p:RequestedAuthnContext Comparison="exact">
    <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI</saml2:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>
    </saml2p:AuthnRequest>

     

     

    And here's the response which had the same destination as the request.

     

    <Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://my.index2.acs.url:443/acs"
    ID="_58e304b097am75ca613f86a7411f26fe3fe"
    InResponseTo="BC5D8BFD7BF524D"
    IssueInstant="2017-06-12T15:01:57Z"
    Version="2.0"
    >
    <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion"
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
    >https://myidp.com</ns1:Issuer>



  • 7.  Re: Accept ACS URL in Auth Request

    Posted 06-12-2017 12:49 PM

    What version are you on? I might be hitting a bug.

     

    Regards,

    Anand

     

    On Jun 12, 2017 11:12 AM, "CBertagnolli" <



  • 8.  Re: Accept ACS URL in Auth Request

    Posted 06-12-2017 12:57 PM

    Tried it on my 12.52 SP1 and 12.7 Policy Servers.



  • 9.  Re: Accept ACS URL in Auth Request

    Posted 06-26-2017 09:08 AM

    Anyone else stumbling here.

     

    This works as documented for SAML HTTP Post Profile endpoints.

     

    But when you use HTTP Artifact profile endpoints, it always populates the first index in the response.

     

    This is the behaviour in r12.52 SP1. It is supposedly fixed in 12.6 and 12.7.

     

    I will update the thread once I test it out after my upgrade.

     

    Regards,

    Anand.



  • 10.  Re: Accept ACS URL in Auth Request

    Posted 08-17-2017 01:09 AM

    Hey!

    I ran into the same problem even with HTTP-POST profiles. I need to be able to redirect the users to the consumer URL that's sent in the request. But for some reason the first URL in the partnership is the one that gets picked all the time. I even tried with a number as the index of the ACS URL, but no result. I keep seeing the below though:

    "getServiceProviderInfo][Obtained service provider information from cache for:*****"

     

    So, I went ahead and flushed the PS cache as well, but no result. Is it possible that I should try a FWS+PS restart?

     

    Any suggestions are helpful.

     

    Thanks,

    Lalitha



  • 11.  Re: Accept ACS URL in Auth Request

    Posted 08-17-2017 01:16 AM

    Hi Lalitha,

     

    You have to ensure that the incoming SAMLRequest from the SP has ACSIndex set.

     

    If you want the assertion to be submitted to ACSIndex 2, then the SAMLRequest should be sending that index.

     

    If you can, can you paste your SAMLRequest here?

     

    Regards,

    Anand.

     

    On Thu, Aug 17, 2017 at 1:10 AM, lalitha.lakshmi <



  • 12.  Re: Accept ACS URL in Auth Request

    Posted 08-17-2017 01:27 AM

    Sure, this is what the SAML request looks like:

     

    [08/15/2017][15:29:51][23421][1737755536][35a2e295-63364e60-3c165a93-44fb6588-a93b78e0-87d][SSO.java][getAuthnRequestData][AuthnRequest: <?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://abc.com/wfc/logonWithUID" Destination="https://xyz.com/affwebservices/public/saml2sso?SPID=https://abc.com/wfc/logonWithUID" ID="_c447e1aa28972cbec1daadbbdd0e80d2" IssueInstant="2017-08-15T15:29:39.815Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="abc.com" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">abc.com</saml2:Issuer></saml2p:AuthnRequest>]

     

    Like you mentioned, there is no ACSIndex that's being sent from the SP. If I am understanding it correctly, we as the IdP will not have control over this value, right? It should be formed by the SP in such a way as to include the ACSIndex?

     

    Regards,

    Lalitha



  • 13.  Re: Accept ACS URL in Auth Request

    Posted 08-17-2017 01:47 AM

    Instead of assertionconsumerserviceurl the service provider should send assertionconsumerserviceindex. This index should correspond to the index of the acs url in your partnership.

     

    On Aug 17, 2017 12:28 AM, "lalitha.lakshmi" <
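The ACS selection rules from Sharan's best answer (flag off: default ACS; flag on: exact match against the partnership list or HTTP 403) and the index rule in the last reply (AssertionConsumerServiceIndex must correspond to a configured ACS URL), as an added example that is not SiteMinder's code. The partnership list, the index-rejection behaviour and the minimal AuthnRequest builder are assumptions constructed for the example; the returned URL is also what a correct Response would carry as its Destination.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed partnership ACS list (assumption): index -> URL, as shown in the
# partnership UI; the lowest index is the default SiteMinder falls back to.
PARTNERSHIP_ACS = {
    1: "https://sp.example.test/acs",
    2: "https://sp.example.test/acs-alt",
}
DEFAULT_ACS = PARTNERSHIP_ACS[min(PARTNERSHIP_ACS)]


class AcsRejected(Exception):
    """Raised where SiteMinder would answer with HTTP 403."""


def resolve_acs(authn_request_xml, accept_acs_url_in_request):
    """Return the ACS URL to post the assertion to (also the Response Destination).

    Rules as described in the thread:
      * AssertionConsumerServiceIndex present: select by index; an index that
        is not configured is rejected (assumption, never trusted blindly).
      * flag OFF: ignore AssertionConsumerServiceURL, use the default ACS.
      * flag ON: the request URL must match a configured ACS URL exactly,
        otherwise reject (403). A request without the attribute uses the default.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise AcsRejected("not a SAML 2.0 AuthnRequest")
    idx = root.get("AssertionConsumerServiceIndex")
    if idx is not None:
        if not idx.isdigit() or int(idx) not in PARTNERSHIP_ACS:
            raise AcsRejected("AssertionConsumerServiceIndex %r not configured" % idx)
        return PARTNERSHIP_ACS[int(idx)]
    url = root.get("AssertionConsumerServiceURL")
    if not accept_acs_url_in_request or url is None:
        return DEFAULT_ACS
    # Exact allowlist match: the request may only choose among configured URLs.
    if url in PARTNERSHIP_ACS.values():
        return url
    raise AcsRejected("AssertionConsumerServiceURL %r not configured" % url)


def make_authn_request(**attrs):
    """Build a minimal constructed AuthnRequest with the given attributes."""
    extra = "".join(' %s="%s"' % item for item in attrs.items())
    return ('<samlp:AuthnRequest xmlns:samlp="%s" ID="_demo" Version="2.0" '
            'IssueInstant="2017-06-12T15:01:55Z"%s/>' % (SAMLP, extra))
```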