Symantec Access Management

  • 1.  SiteMinder SAML Auth Scheme - failing to authenticate a SAML IDP partner

    Posted Sep 07, 2016 02:19 PM

    *SiteMinder r12.52 SP1 CR05 - RHEL 6

    *Policy store = CA Directory

    *User Store = CA Directory

     

    Hi Folks,

     

    I have a case open with CA Support but hoping to get additional help from folks here at the Community for faster resolution.  We are working with a new SAML IDP partner and unfortunately this partner appeared to be inexperienced with SAML so we are working through various issues with them in their attempt to authenticate to us via SAML 2.0.

     

    The "smtracedefault.log" file had helped me figure out several issues thus far with this particular IDP, up until this current error below:

     

    [09/06/2016][15:47:20][4013063024][1b2fdeeb-7c198833-3fd51d73-52351897-9a5e5d62-f3b][Saml2Validator.java][checkAssertion][][][][][SubjectConfirmation NotOnOrAfter (before skew) = Tue Sep 06 15:57:19 MDT 2016]
    [09/06/2016][15:47:20][4013063024][1b2fdeeb-7c198833-3fd51d73-52351897-9a5e5d62-f3b][Saml2Validator.java][checkAssertion][][][][][SubjectConfirmation NotOnOrAfter (after skew) = Tue Sep 06 15:57:49 MDT 2016]
    [09/06/2016][15:47:20][4013063024][1b2fdeeb-7c198833-3fd51d73-52351897-9a5e5d62-f3b][Saml2Validator.java][checkAssertion][][][][][SubjectConfirmation rejected - SubjectConfirmation@NotBefore found - not allowed to be there]
    [09/06/2016][15:47:20][4013063024][1b2fdeeb-7c198833-3fd51d73-52351897-9a5e5d62-f3b][Saml2Validator.java][checkAssertion][][][][][Assertion rejected (_cea9e581-2307-4982-b4a2-8e2ecf841526) - No Valid SubjectConfirmation with bearer Method found]

     

    I am suspecting that our SiteMinder is complaining about the "subjectconfirmation" statement because it contained the value of "NotBefore":

     

    - - > <saml:SubjectConfirmationData Recipient="https://fedsvc-staging.regence.com/affwebservices/public/saml2assertionconsumer" NotOnOrAfter="2016-09-06T21:57:19.407Z" NotBefore="2016-09-06T21:37:19.407Z"/> 

     

    But CA Support thinks that this SAML response is missing or does not have a valid "Destination" value:

     

    CA Support response - - > " That last log line that shows No Valid SubjectConfirmation with bearer Method found means that the destination attribute is not present in the incoming SAML response assertion as per this wiki guide: <https://cawiki.ca.com/pages/viewpage.action?pageId=51413542>

     Additionally, a number of past cases I found show that the IDP needed to modify this attribute on their side in order for the assertion to pass successfully."

    Attachment(s): heq saml response.txt.zip (2 KB)


  • 2.  Re: SiteMinder SAML Auth Scheme - failing to authenticate a SAML IDP partner
    Best Answer

    Broadcom Employee
    Posted Sep 07, 2016 04:26 PM

    Hi Duc,

     

    I agree with your assessment. The problem is the "NotBefore" value.

     

    1. Please check the OASIS SAML document here: http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
    On page 19, you can see the following:
    ------------
    The bearer <SubjectConfirmation> element described above MUST contain a <SubjectConfirmationData> element that contains a Recipient attribute containing the service provider's assertion consumer service URL and a NotOnOrAfter attribute that limits the window during which the assertion can be delivered. It MAY contain an Address attribute limiting the client address from which the assertion can be delivered. It MUST NOT contain a NotBefore attribute. If the containing message is in response to an <AuthnRequest>, then the InResponseTo attribute MUST match the request's ID.
    ------------

    So the "NotBefore" element is not allowed in the SubjectConfirmationData.

     

    Based on the "heq saml response.txt" file you attached, the IDP's response contains this element:

     

    <saml:SubjectConfirmationData Recipient="https://fedsvc-staging.regence.com/affwebservices/public/saml2assertionconsumer" NotOnOrAfter="2016-09-06T21:57:19.407Z" NotBefore="2016-09-06T21:37:19.407Z"/>

     

    So please ask your IDP to modify the SubjectConfirmationData field to NOT include the NotBefore element and retry the transaction.

     

    2. I do not think the issue is with the Destination parameter because it is not missing in the Response. It is present on the first line:

    <samlp:Response Version="2.0" IssueInstant="2016-09-06T21:47:19.407Z" ID="_46c34312-3c3a-4677-8f9a-eeeb0e87eb8a" Destination="https://fedsvc-staging.regence.com/affwebservices/public/saml2assertionconsumer" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

     

    Thanks,

    Akshata
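The MUSTs Akshata quotes from the Profiles spec, written out as an added Python example (not SiteMinder's Saml2Validator and not part of this thread): a bearer SubjectConfirmation check run against the SubjectConfirmationData the IDP sent, as-is and with NotBefore removed. The Assertion/Subject wrapper around that element, the 30-second skew and the "now" timestamp (taken from the trace lines) are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ACS_URL = "https://fedsvc-staging.regence.com/affwebservices/public/saml2assertionconsumer"
# Constructed Assertion/Subject wrapper around the exact SubjectConfirmationData from
# the thread; the assertion ID is the one SiteMinder logged as rejected.
ASSERTION_FROM_THREAD = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_cea9e581-2307-4982-b4a2-8e2ecf841526" Version="2.0" IssueInstant="2016-09-06T21:47:19.407Z">
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="%s"
          NotOnOrAfter="2016-09-06T21:57:19.407Z" NotBefore="2016-09-06T21:37:19.407Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>""" % ACS_URL
# What the IDP was asked to send instead: the same data minus the forbidden NotBefore.
FIXED_ASSERTION = ASSERTION_FROM_THREAD.replace(' NotBefore="2016-09-06T21:37:19.407Z"', "")

def parse_xs_datetime(s):
    # SAML timestamps are xs:dateTime in UTC ("...Z"); the IDP here always sends milliseconds
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_bearer_confirmations(assertion_xml, acs_url, now, skew_seconds=30, in_response_to=None):
    """Apply the bearer SubjectConfirmation rules of SAML 2.0 Profiles 4.1.4.3.
    Returns (accepted, reasons); accepted is True as soon as one confirmation passes."""
    now_dt = parse_xs_datetime(now)
    skew = timedelta(seconds=skew_seconds)  # assumed SP clock-skew allowance
    reasons = []
    for sc in ET.fromstring(assertion_xml).iterfind(".//saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue  # only bearer confirmations count for Web Browser SSO
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None:
            reasons.append("SubjectConfirmationData missing"); continue
        if data.get("Recipient") != acs_url:
            reasons.append("Recipient does not match our ACS URL"); continue
        if "NotBefore" in data.attrib:  # the MUST NOT that SiteMinder logged in the thread
            reasons.append("SubjectConfirmation@NotBefore found - not allowed to be there"); continue
        if "NotOnOrAfter" not in data.attrib:
            reasons.append("NotOnOrAfter missing"); continue
        if now_dt >= parse_xs_datetime(data.get("NotOnOrAfter")) + skew:
            reasons.append("NotOnOrAfter (after skew) already passed"); continue
        if in_response_to and data.get("InResponseTo") != in_response_to:
            reasons.append("InResponseTo does not match the AuthnRequest ID"); continue
        return True, reasons
    reasons.append("No Valid SubjectConfirmation with bearer Method found")
    return False, reasons
```

Evaluated at the trace timestamp (15:47:20 MDT, i.e. 2016-09-06T21:47:20Z) the assertion as sent is rejected with the same two reasons the trace shows, and the version without NotBefore is accepted.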



  • 3.  Re: SiteMinder SAML Auth Scheme - failing to authenticate a SAML IDP partner

    Posted Sep 07, 2016 05:06 PM

    Hi Akshata,

     

    Thank you for such a quick response.  You are correct.  I contacted our SAML IDP asking them to remove the "NotBefore" statement and that got us past the error.  Again, thank you!