SAML2 requestdenied

Hello,

I am having trouble getting a new service provider set up.  NAM always responds with 

<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/></samlp:StatusCode></samlp:Status>

Here is the request sent by the SP:

<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="ONELOGIN_d3df52a28f3a7190553fe1ce066e8b078ac19ff4"
Version="2.0"
ProviderName="app SP"
IssueInstant="2023-08-17T15:50:46Z"
Destination="sso.domain.com/.../sso"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="dashboard.app.com/.../"
AttributeConsumingServiceIndex="1">
<saml:Issuer>dashboard.app.com/...</saml:Issuer>
<samlp:NameIDPolicy
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
AllowCreate="true" />
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

I have tested with these options:

SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST = urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
SAML2 REQUEST IGNORE AUTHNCONTEXT = true

IDP initiated auth works.

Any thoughts would be appreciated.

Thanks,

Jeremiah

    Hi!

    Troubleshooting those RequestDenied responses can sometimes be a real pain, but I see 3 things in the request that should be checked:

    1. AuthnContextClassRef: This could be an issue if AM is not able to find a contract that satisfies the requested AuthnContextClassRef. But I think setting SAML2 REQUEST IGNORE AUTHNCONTEXT should eliminate AuthnContextClassRef as a possible cause of the problem.
    2. There is an AssertionConsumerServiceURL in the request. If this is an unsigned request, auth would fail. You need to set the IGNORE_ACS_METADATA_CHECK option to make it work (https://www.microfocus.com/documentation/access-manager/5.0/admin/b1ax7qoc.html#bvdbfae).
    3. In the request they want the NameID in the format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. Do you allow an unspecified NameID in the service provider configuration?

    Kind regards,

    Sebastijan


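A small static pre-check of an AuthnRequest against the three points in the answer above, written as an added example for this thread (it is not NAM code and not from either poster). The policy values, the metadata ACS URL and the sample request are constructed, and the ACS rule is a simplified model of the metadata check, not NAM's exact logic.

```python
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Constructed stand-in for the IdP-side settings the thread mentions (not NAM's real config).
POLICY = {
    "authn_contexts": {PPT},             # cf. SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST
    "ignore_authn_context": False,       # cf. SAML2 REQUEST IGNORE AUTHNCONTEXT
    "nameid_formats": {UNSPECIFIED},     # NameID formats enabled for this SP
    "metadata_acs": {"https://dashboard.app.com/saml/acs"},  # ACS URLs from SP metadata
    "ignore_acs_metadata_check": False,  # cf. IGNORE_ACS_METADATA_CHECK
}
def check_authn_request(xml_text, policy=POLICY):
    """Return findings that would plausibly make the IdP answer RequestDenied."""
    root = ET.fromstring(xml_text)
    findings = []
    # 1. Requested AuthnContextClassRef must match an allowed class unless ignored.
    refs = [e.text.strip() for e in
            root.findall("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)]
    if refs and not policy["ignore_authn_context"] and not set(refs) & policy["authn_contexts"]:
        findings.append("authncontext: no allowed class among %s" % refs)
    # 2. An ACS URL in an unsigned request is only honoured if it matches metadata (simplified).
    acs = root.get("AssertionConsumerServiceURL")
    signed = root.find("ds:Signature", NS) is not None
    if acs and not signed and acs not in policy["metadata_acs"] \
            and not policy["ignore_acs_metadata_check"]:
        findings.append("acs: unsigned request names ACS URL not in metadata: %s" % acs)
    # 3. The requested NameID format must be enabled for this SP.
    nameid = root.find("samlp:NameIDPolicy", NS)
    fmt = nameid.get("Format") if nameid is not None else None
    if fmt and fmt not in policy["nameid_formats"]:
        findings.append("nameid: format %s not enabled for this SP" % fmt)
    return findings
# Constructed sample modelled on the posted request: placeholder URLs, no ds:Signature.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0"
  IssueInstant="2023-08-17T15:50:46Z" Destination="https://sso.example.com/sso"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  AssertionConsumerServiceURL="https://dashboard.app.com/other/acs">
  <saml:Issuer>https://dashboard.app.com/</saml:Issuer>
  <samlp:NameIDPolicy Format="%s" AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>""" % (UNSPECIFIED, PPT)
```

Running `check_authn_request(SAMPLE_REQUEST)` against the constructed policy reports only the unsigned-ACS finding, which is the case point 2 describes; flipping the policy flags shows which setting clears which finding.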
    Thanks for the suggestions.  I have tried #2, and #3 is already allowed, but I haven't been able to get it working.  I'll either have to open a support case or just fall back to Azure AD.