This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
ericveysey
Captain
Captain
‎2020-09-24 16:39
541 views

ACS URL in unsigned request could not be verified

I'm migrating from 4.4.2 to 4.5.3 and I've setup the same SAML SP in both environments using the same certificates. 

There is 2 SP's using the same Entity ID and SP configuration in NAM. 

AuthN1 works in both 4.4.2 / 4.5.3  Entity ID and ACS in the authN request match the metadata.

For example: 

<saml2p:AuthnRequest AssertionConsumerServiceURL="https://ACS.jsp"Destination="https://nam/nidp/saml2/sso" ID="_1da80ed97980b3c1ee153452346bbc"IssueInstant="2020-09-24T14:38:00.931Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" > <saml2:Issuerxmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://novell.com</saml2:Issuer></saml2p:AuthnRequest>

 

AuthN2 works in 4.4.2 only. EntityID matches the metadata but has a different ACS. 

<saml2p:AuthnRequest AssertionConsumerServiceURL="https://ACS1.jsp"Destination="https://nam/nidp/saml2/sso" ID="_1da80ed97980b3c1ee153452346bbc"IssueInstant="2020-09-24T14:38:00.931Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" > <saml2:Issuerxmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://novell.com</saml2:Issuer></saml2p:AuthnRequest>

4.5.3 generates that ACS URL in unsigned request could not be verified. 

My understanding that since it's unsigned NAM shouldn't be verifying the ACS..

0 Likes
Reply
Report Inappropriate Content
4 Replies
martintduffy
Lieutenant Commander
Lieutenant Commander
‎2020-09-24 19:57

Verify that the ACS in the SAML request is the same as the ACS in the NAM SP Metadata. I had the same error when I upgraded to 4.5.3 and found that they were not the same.
0 Likes
Reply
Report Inappropriate Content
ericveysey
Captain
Captain
‎2020-09-24 23:27

That's exactly my point, that I know the ACS is different on the second one. It does not match the ACS in the metadata.

 It used to work on 4.4.2 it does not in 4.5.3.  Just wondering if this is a bug or a security related enhancement,. The behaviour has changed. 

Reply
Report Inappropriate Content
ericveysey
Captain
Captain
‎2020-09-29 14:58

Confirmation from backline that this is a new security enhancement.

Starting at 4.5.3 unsigned authN, ACS must match metadata, signed authN ACS is not verified. Essentially the opposite for 4.5.2 and below.  

 

0 Likes
Reply
Report Inappropriate Content
srajamanjit
Micro Focus Expert
Micro Focus Expert
‎2020-09-30 16:37

That's correct.

As per SAML specification: https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

ACS.PNG

 

 

Let me know the concern.

0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.