Symantec Access Management

 View Only
  • 1.  The AuthnRequest with AuthnContexts is not supported!

    Posted Mar 01, 2018 06:35 PM

    Hello, I am having trouble getting SAML integration work with a new cloud SP. SM seems to be having an issue with SAML request sent by these folks. Appreciate anyone throwing insights on it.

    SM goes through all authentication/auhtorization fine before creating a SAML response with ERROR as shown below.

    SAML Request:

    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_5d34a49f-5b71-4713-9afc-830a07618aac" Version="2.0" IssueInstant="2018-03-01T23:12:49Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL=""><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">sp cloud</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" /><samlp:RequestedAuthnContext Comparison="exact"><saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>

    SAML Response from SM:

    <Response ID="_492aebe2cbd32a85ed3c50bcde2249b8360d" InResponseTo="_10699901-7353-4328-b750-fcca4cdb1874" IssueInstant="2018-03-01T22:59:47Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
    <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">IdP</ns1:Issuer>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported"/>
    <StatusMessage>The AuthnRequest with AuthnContexts is not supported!</StatusMessage>

  • 2.  Re: The AuthnRequest with AuthnContexts is not supported!

    Posted Mar 01, 2018 07:16 PM

    Sam SamWalker


    Could we get the exact version of components being used in CA SSO as IdP.


    The SAML AuthnRequest has AuthnContext specified. But we are missing AuthnContext configuration. in CA SSO as IdP.


    You have two options.


    A. Enable AuthnContext in CA SSO as IdP.


    B. Ask SP to remove the AuthnContext tags in SAML AuthnRequest, if you don't wish to support it.





  • 3.  Re: The AuthnRequest with AuthnContexts is not supported!

    Posted Mar 01, 2018 07:28 PM

    Thanks for the quick response ,Hubert.


    ProductName=CA SiteMinder Policy Server




    Now, How do I enable AuthnContext? I see 'Ignore Requested Authn Context' as an option under SSO And SLO.


    Should I chose "Automatically Detect Authentication Class"? or Use Predefined Authentication Class.


    I am currently using Use Predefined Authentication Class .


    Thanks for your helpo again.

  • 4.  Re: The AuthnRequest with AuthnContexts is not supported!
    Best Answer

    Posted Mar 01, 2018 08:25 PM

    SP is requesting.....

    <samlp:RequestedAuthnContext Comparison="exact"><saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>


    Even if we tweak using Ignore Requested AuthnContext and try to generate a SAML Assertion, there is a high likelihood that the SP may reject.


    Review the table combination below for Predefined and Automatically detect. We are currently hitting the condition Predefined Class, IgnoreRequestedAuthnContext 'not selected' and SP requests AuthnContext.


    I think we'll have to create Authentication Context Templates first as per this link and use Automatically Detect Class.



    Ignore RequestedAuthnContext check box.




    SP Initiated SSO, AuthnContext Match result