SAML Response Invalid Element StatusMessage ADFS

Hi All,

I've set up a Brokering Group and Brokering Rule, and when the user has a certain role, the SP deny is set.

https://www.netiq.com/documentation/access-manager-44/admin/data/b1ax7qoc.html says:
If the authorization policy is configured to deny execution, Identity Server sends the following message as part of an assertion response.

<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied" />
</samlp:StatusCode>
<StatusMessage>Authorization is failed</StatusMessage>
</samlp:Status>

Which is exactly what it does in our case.

<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
</samlp:StatusCode>
<StatusMessage>Authorization is failed</StatusMessage>
</samlp:Status>


Problem is that ADFS (the SP in this case) doesn't like the SAML response very much. It shows an "An error occurred" page to the user, and the exception below is in the Event Logs.

Exception details:
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
at System.Xml.XmlReader.ReadEndElement()
at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadStatus(XmlReader reader)
at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadResponse(XmlReader reader, NamespaceContext context)
at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.CreateFromNameValueCollection(Uri baseUrl, NameValueCollection collection)
at Microsoft.IdentityServer.Protocols.Saml.HttpPostSamlBindingSerializer.ReadMessage(Uri requestUrl, NameValueCollection form)
at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext
  • oimastek;2497941 wrote:

    <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
    <StatusMessage>Authorization is failed</StatusMessage>
    </samlp:Status>


    Answering my own question, I think it's because of the StatusMessage element, which should be samlp:StatusMessage, isn't it? Examples from posts online:

    <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
    <samlp:StatusMessage>Something is wrong...</samlp:StatusMessage>
    </samlp:Status>

    <samlp:Response ID="_f0961a83-d071-4be5-a18c-9ae7b22987a4" Version="2.0" IssueInstant="2013-03-18T08:49:24.405Z" InResponseTo="iddce91f96e56747b5ace6d2e2aa9d4f8c" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">sts.windows.net/.../Issuer>
    <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported" />
    </samlp:StatusCode>
    <samlp:StatusMessage>AADSTS75006: An error occurred while processing a SAML2 Authentication request. AADSTS90011: The SAML authentication request property 'NameIdentifierPolicy/SPNameQualifier' is not supported.
    Trace ID: 66febed4-e737-49ff-ac23-464ba090d57c
    Timestamp: 2013-03-18 08:49:24Z</samlp:StatusMessage>

    </samlp:Status>

    This must be a bug in NAM, going to raise a support request...
  • On 08-04-2019 11:36 PM, oimastek wrote:
    >
    > oimastek;2497941 Wrote:
    >>
    >> <samlp:Status>
    >> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
    >> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    >> </samlp:StatusCode>
    >> <StatusMessage>Authorization is failed</StatusMessage>
    >> </samlp:Status>
    >>
    >
    > Answering my own question, I think it's because of StatusMessage
    > element, which should be samlp:StatusMessage isn't it? Examples from
    > posts online;
    >
    >
    > <samlp:Status>
    > <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"
    > />
    > *<samlp:StatusMessage>Something is wrong...</samlp:StatusMessage>*
    > </samlp:Status>
    >
    > <samlp:Response ID="_f0961a83-d071-4be5-a18c-9ae7b22987a4" Version="2.0"
    > IssueInstant="2013-03-18T08:49:24.405Z"
    > InResponseTo="iddce91f96e56747b5ace6d2e2aa9d4f8c"
    > xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    > <Issuer
    > xmlns="urn:oasis:names:tc:SAML:2.0:assertion">sts.windows.net/.../Issuer>
    > <samlp:Status>
    > <samlp:StatusCode
    > Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
    > <samlp:StatusCode
    > Value="urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported" />
    > </samlp:StatusCode>
    > *<samlp:StatusMessage>AADSTS75006: An error occurred while
    > processing a SAML2 Authentication request. AADSTS90011: The SAML
    > authentication request property 'NameIdentifierPolicy/SPNameQualifier'
    > is not supported.
    > Trace ID: 66febed4-e737-49ff-ac23-464ba090d57c
    > Timestamp: 2013-03-18 08:49:24Z</samlp:StatusMessage>*
    > </samlp:Status>
    >
    > This must be a bug in NAM, going to raise a support request...
    >

    What does the inbound SAML AuthNRequest message look like from the SP? It could be they are requesting a Name Identifier Policy you simply haven't
    enabled for that SP.


    --
    Cheers,
    Edward
  • edmaa;2498008 wrote:
    On 08-04-2019 11:36 PM, oimastek wrote:

    What does the inbound SAML AuthNRequest message look like from the SP? It could be they are requesting a Name Identifier Policy you simply haven't
    enabled for that SP.


    --
    Cheers,
    Edward


    Hi Edward, thanks for taking the time to respond. Apologies if it was misleading; those lines with the name identifier policy were from other example posts from the internet, not from our case. The reason I posted them was as examples of how the StatusMessage element should look with its namespace, samlp:StatusMessage. The NAM response doesn't have the namespace added, and the support request we created confirmed that this is a bug and will be looked at. Thanks for your time.
  • On 11-04-2019 12:34 AM, oimastek wrote:
    >
    > edmaa;2498008 Wrote:
    >> On 08-04-2019 11:36 PM, oimastek wrote:
    >>
    >> What does the inbound SAML AuthNRequest message look like from the SP?
    >> It could be they are requesting a Name Identifier Policy you simply
    >> haven't
    >> enabled for that SP.
    >>
    >>
    >> --
    >> Cheers,
    >> Edward

    >
    > Hi Edward, thanks for taking the time to respond. Apologies if it was
    > misleading; those lines with the name identifier policy were from other
    > example posts from the internet, not from our case. The reason I posted
    > them was as examples of how the StatusMessage element should look with its
    > namespace, samlp:StatusMessage. The NAM response doesn't have the namespace
    > added, and the support request we created confirmed that this is a bug
    > and will be looked at. Thanks for your time.
    >
    >


    Oh... nice find. Interesting how StatusCode does have a namespace and StatusMessage doesn't. I guess it depends on how the SP parses the XML whether
    this will show up as an issue.

    --
    Cheers,
    Edward
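
As an added illustration (not code from this thread, from NetIQ, or from Microsoft), the script below uses Python's standard-library xml.etree parser, which is namespace-aware, on two constructed Status blocks: the one NAM emits on a brokering deny, as quoted earlier in the thread, and the same block with the message element written as samlp:StatusMessage. It shows the point made in the self-answer and in Edward's last comment: the unprefixed StatusMessage lives in no namespace, so it is not the schema's samlp:StatusMessage, and whether that is a hard failure or a silently dropped element depends on how strictly the SP reads samlp:Status. The sample XML, the function names and the strict/lenient modes are my assumptions; the strict mode is modelled on the reader behaviour implied by the ADFS stack trace above (a reader that only expects samlp children of Status), not on ADFS's actual code.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"samlp": SAMLP}

# Constructed sample (not captured from a live system): the Status block NAM emits
# on a brokering deny, as quoted in the thread. StatusMessage has no prefix and no
# default namespace is declared, so a namespace-aware parser sees a "no-namespace"
# element, not samlp:StatusMessage.
NAM_DENY_STATUS = """\
<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
  </samlp:StatusCode>
  <StatusMessage>Authorization is failed</StatusMessage>
</samlp:Status>
"""

# Constructed sample: the same status with StatusMessage in the protocol namespace,
# which is how the SAML 2.0 protocol schema defines it.
CONFORMING_DENY_STATUS = """\
<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
  </samlp:StatusCode>
  <samlp:StatusMessage>Authorization is failed</samlp:StatusMessage>
</samlp:Status>
"""


class StatusParseError(ValueError):
    """Raised when samlp:Status contains something the strict reader does not expect."""


def _q(local):
    """Clark-notation name ({namespace}local) for an element in the samlp namespace."""
    return "{%s}%s" % (SAMLP, local)


def _status_root(xml_text):
    """Accept either a bare samlp:Status or a samlp:Response that wraps one."""
    root = ET.fromstring(xml_text)
    if root.tag == _q("Status"):
        return root
    status = root.find("samlp:Status", NS)
    if status is None:
        raise StatusParseError("no samlp:Status element found")
    return status


def foreign_children(xml_text):
    """Return the tags of Status children that are NOT in the samlp namespace.

    For the NAM sample this is ['StatusMessage']; for a conforming status it is [].
    This is the check to run against an IdP's deny response before relying on it.
    """
    return [c.tag for c in _status_root(xml_text) if not c.tag.startswith("{%s}" % SAMLP)]


def parse_status(xml_text, strict=True):
    """Read the StatusCode chain and the StatusMessage from a samlp:Status.

    strict=True mimics a schema-driven reader (assumption: the kind of reader the ADFS
    stack trace suggests): any child of Status outside the samlp namespace is an error.
    strict=False skips unknown children, which is what a lenient SP would do.
    """
    status = _status_root(xml_text)
    codes = []
    message = None
    for child in status:
        if child.tag == _q("StatusCode"):
            # StatusCode may nest: a top-level Responder/Requester code, then a sub-code.
            node = child
            while node is not None:
                codes.append(node.get("Value"))
                node = node.find("samlp:StatusCode", NS)
        elif child.tag == _q("StatusMessage"):
            message = (child.text or "").strip()
        elif strict:
            raise StatusParseError(
                "unexpected child of samlp:Status: %r (not in the samlp namespace)" % child.tag
            )
    return {"codes": codes, "message": message}


if __name__ == "__main__":
    for label, doc in (("NAM", NAM_DENY_STATUS), ("conforming", CONFORMING_DENY_STATUS)):
        print(label, "foreign children:", foreign_children(doc))
        try:
            print(label, "strict:", parse_status(doc))
        except StatusParseError as exc:
            print(label, "strict: REJECTED ->", exc)
        print(label, "lenient:", parse_status(doc, strict=False))
```

Run stand-alone, the NAM sample is rejected in strict mode and comes back without any message in lenient mode, while the conforming sample yields the Responder/RequestDenied chain plus "Authorization is failed" in both modes. The practical lesson for an SP integration is that a deny response from the IdP should be checked with a namespace-aware parser (the foreign_children check above) before the brokering rule goes live, because a relying party that reads by schema will surface the namespace slip as a generic error page rather than as the intended "request denied" status.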