Symantec Access Management

  • 1.  The AuthnRequest with AuthnContexts is not supported!

    Posted Mar 01, 2018 06:35 PM

    Hello, I am having trouble getting SAML integration to work with a new cloud SP. SM seems to be having an issue with the SAML request sent by these folks. I would appreciate anyone throwing insights on it.

    SM goes through all authentication/authorization fine before creating a SAML response with ERROR as shown below.

    SAML Request:

    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        ID="_5d34a49f-5b71-4713-9afc-830a07618aac"
        Version="2.0"
        IssueInstant="2018-03-01T23:12:49Z"
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        AssertionConsumerServiceURL="https://spcloud.com/control=samlResponse">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">sp cloud</saml:Issuer>
      <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />
      <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </samlp:RequestedAuthnContext>
    </samlp:AuthnRequest>


    SAML Response from SM:

    <Response ID="_492aebe2cbd32a85ed3c50bcde2249b8360d" InResponseTo="_10699901-7353-4328-b750-fcca4cdb1874" IssueInstant="2018-03-01T22:59:47Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
      <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">IdP</ns1:Issuer>
      <Status>
        <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
          <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported"/>
        </StatusCode>
        <StatusMessage>The AuthnRequest with AuthnContexts is not supported!</StatusMessage>
      </Status>
    </Response>



  • 2.  Re: The AuthnRequest with AuthnContexts is not supported!

    Posted Mar 01, 2018 07:16 PM

    Sam SamWalker

    Could we get the exact versions of the components being used in CA SSO as IdP?

    The SAML AuthnRequest has an AuthnContext specified, but we are missing the AuthnContext configuration in CA SSO as IdP.

    You have two options.

    A. Enable AuthnContext in CA SSO as IdP.

    B. Ask the SP to remove the AuthnContext tags in the SAML AuthnRequest, if you don't wish to support it.

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/partnership-federation/authentication-context-processing-saml-2-0

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/partnership-federation/authentication-context-processing-saml-2-0/enable-authentication-context-processing-at-the-local-idp-partnership

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/partnership-federation/authentication-context-processing-saml-2-0/enable-authentication-context-requests-at-the-sp



  • 3.  Re: The AuthnRequest with AuthnContexts is not supported!

    Posted Mar 01, 2018 07:28 PM

    Thanks for the quick response, Hubert.

    ProductName=CA SiteMinder Policy Server
    FullVersion=12.52.105.2113
    Location=/opt/ca/siteminder

    Now, how do I enable AuthnContext? I see 'Ignore Requested Authn Context' as an option under SSO and SLO.

    Should I choose "Automatically Detect Authentication Class" or "Use Predefined Authentication Class"?

    I am currently using "Use Predefined Authentication Class".

    Thanks for your help again.



  • 4.  Re: The AuthnRequest with AuthnContexts is not supported!
    Best Answer

    Posted Mar 01, 2018 08:25 PM

    The SP is requesting:

    <samlp:RequestedAuthnContext Comparison="exact">
      <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>

    Even if we tweak using Ignore Requested AuthnContext and try to generate a SAML Assertion, there is a high likelihood that the SP may reject it.

    Review the table combination below for Predefined and Automatically Detect. We are currently hitting the condition Predefined Class, IgnoreRequestedAuthnContext 'not selected' and SP requests AuthnContext.

    I think we'll have to create Authentication Context Templates first as per this link and use Automatically Detect Class.

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/partnership-federation/authentication-context-processing-saml-2-0/authentication-context-template-configuration

    [Screenshot: Ignore RequestedAuthnContext check box]

    [Table: SP Initiated SSO, AuthnContext Match result]
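The matching the thread is arguing about, written out as an added example (this is not code from the thread or from CA SSO, and it does not reproduce how the Policy Server evaluates templates). It parses the SP's <RequestedAuthnContext>, applies the four SAML 2.0 Comparison rules ("exact", "minimum", "better", "maximum") against the classes the IdP can actually assert, and either returns a chosen class or the nested Responder/RequestUnsupported status seen in the original post. The `ignore_requested` flag models the "Ignore Requested Authn Context" checkbox: the IdP then asserts its predefined class, and `sp_accepts()` shows why an SP that asked for an exact match will reject that assertion. The strength ordering in `STRENGTH`, the sample AuthnRequest and all identifiers are constructed for the example; the SAML Core spec defines no global ordering of context classes.

```python
"""Evaluate a SAML 2.0 <RequestedAuthnContext> the way an IdP must before issuing an assertion."""
import xml.etree.ElementTree as ET   # for untrusted XML in production, use defusedxml.ElementTree
import datetime
import uuid

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"

# Assumed strength ordering, weakest first. SAML Core defines no global ordering; an IdP
# configures its own (in CA SSO that is the authentication context template).
STRENGTH = [AC + "unspecified", AC + "Password", AC + "PasswordProtectedTransport",
            AC + "TLSClient", AC + "X509", AC + "Smartcard", AC + "SmartcardPKI"]

def rank(cls):
    return STRENGTH.index(cls)          # ValueError for a class the IdP has no opinion on

def parse_requested_authn_context(authn_request_xml):
    """Return (Comparison, [AuthnContextClassRef, ...]); the list is empty if nothing was requested."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return "exact", []
    comparison = rac.get("Comparison", "exact")          # "exact" is the spec default
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")]
    return comparison, refs

def select_authn_context(comparison, requested, idp_classes):
    """Pick an IdP class satisfying the SAML Core 3.3.2.2.1 comparison rules, or None."""
    if comparison == "exact":
        return next((r for r in requested if r in idp_classes), None)   # SP order = preference
    ranks = [rank(r) for r in requested]
    if comparison == "minimum":       # at least as strong as one of the requested
        return min((c for c in idp_classes if rank(c) >= min(ranks)), key=rank, default=None)
    if comparison == "better":        # stronger than any of the requested
        return min((c for c in idp_classes if rank(c) > max(ranks)), key=rank, default=None)
    if comparison == "maximum":       # as strong as possible without exceeding the requested
        return max((c for c in idp_classes if rank(c) <= max(ranks)), key=rank, default=None)
    raise ValueError(f"unknown Comparison {comparison!r}")

def idp_decide(authn_request_xml, idp_classes, ignore_requested=False):
    """IdP-side decision: (list of nested StatusCode values, chosen class or None).

    ignore_requested models the 'Ignore Requested Authn Context' checkbox: the IdP
    asserts its predefined class (idp_classes[0]) whatever the SP asked for."""
    comparison, requested = parse_requested_authn_context(authn_request_xml)
    if not requested or ignore_requested:
        return [STATUS + "Success"], idp_classes[0]
    chosen = select_authn_context(comparison, requested, idp_classes)
    if chosen is None:
        return [STATUS + "Responder", STATUS + "RequestUnsupported"], None
    return [STATUS + "Success"], chosen

def sp_accepts(comparison, requested, asserted_class):
    """SP-side check of the AuthnContextClassRef that came back in the assertion."""
    return select_authn_context(comparison, requested, [asserted_class]) == asserted_class

def error_response(in_response_to, status_codes, message):
    """Serialise a <samlp:Response> with nested StatusCodes like the one in the thread."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "InResponseTo": in_response_to, "Version": "2.0",
        "IssueInstant": datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = "IdP"
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    parent = status
    for code in status_codes:        # each further code nests inside the previous one
        parent = ET.SubElement(parent, f"{{{SAMLP}}}StatusCode", {"Value": code})
    ET.SubElement(status, f"{{{SAMLP}}}StatusMessage").text = message
    return ET.tostring(resp, encoding="unicode")

# Constructed AuthnRequest carrying the same RequestedAuthnContext as the one in the thread.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_req1"
  Version="2.0" IssueInstant="2018-03-01T23:12:49Z">
  <saml:Issuer>sp cloud</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{AC}PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    codes, cls = idp_decide(AUTHN_REQUEST, [AC + "Password"])   # IdP only configured for Password
    print(error_response("_req1", codes, "The AuthnRequest with AuthnContexts is not supported!"))
    codes, cls = idp_decide(AUTHN_REQUEST, [AC + "Password"], ignore_requested=True)
    print("ignore checkbox: IdP asserts", cls, "-> SP accepts?",
          sp_accepts(*parse_requested_authn_context(AUTHN_REQUEST), cls))
```

Run stand-alone it prints the Responder/RequestUnsupported response for an IdP that can only assert Password, then shows that ticking the ignore checkbox produces an assertion with `Password` which an SP comparing "exact" against `PasswordProtectedTransport` will not accept, which is the point made in the best answer: the fix is to give the IdP a template for the requested class, not to ignore the request.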