Layer 7 Access Management

Tech Tip : CA Single Sign-On : AssertionConsumerServiceURL vaue must match the one specified in partner meta data

  • 1.  Tech Tip : CA Single Sign-On : AssertionConsumerServiceURL vaue must match the one specified in partner meta data

    Posted 04-06-2018 10:14 AM

    Issue:

     


    I'm running Siteminder Federation IdP, and when it receives the following AuthnRequest :

    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://sp.yourdomain.com/samlconsumer"
    Destination="https://idp.mydomain.com/affwebservices/public/saml2sso"
    ID="_943b1145ec08d2975433e6c8ecc13079"
    IssueInstant="2018-03-28T07:32:21Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0" > <saml:Issuer
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.yourdomain.com/secondserver</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="1"
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
    </samlp:AuthnRequest>

    Then, my IdP Server returns the following error :

    "AssertionConsumerServiceURL vaue must match the one specified in partner meta data"

    In my Legacy Federation, I've defined the SP Assertion Consumer Service URL as : https://sp.yourdomain.com/samlconsumer

    How can I fix this problem?

     

    Cause:

     

    The problem you face is that you are referring to the AssertionConsumerServiceURL value from the Federation AuthnRequest. But this functionality doesn't exist for Legacy Federation model. You have to use the Partnership configuration to be able to use it :

    Asserting Party Not Accepting ACS URL in an Authentication Request (170971)
    Symptom:

    CA Single Sign-On Federation was not accepting and processing the
    Assertion Consumer Service URL in the incoming authentication
    request. The system did not verify whether the authentication request
    had an Assertion Consumer Service URL defined.

     

     

    Solution:

     

     

    For an IdP-to-SP partnership, the Administrative UI has a new check
    box labeled Accept ACS URL in the Authnrequest. This check box is in
    the SSO section of the SSO and SLO step of the partnership
    configuration. To confirm that the URL is present and valid in the
    authentication request, and it is in the metadata, select this option.

    STAR issue: 21361990

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52#DefectsFixedin12.52-AssertingPartyNotAcceptingACSURLinanAuthenticationRequest(170971)

    Resolution:


    Configure your Federation as a Partnership instead of a Legacy one, and set the IdP to use the AssertionConsumerServiceURL from the SAML AuthnRequest by checking "Accept ACS URL in the Authnrequest" configuration setting in your Partnership, putting the expected value of AssertionConsumerServiceURL in the list for ACS.

     

    KB : kb000076441