Captain

ACS URL in unsigned request could not be verified

I'm migrating from 4.4.2 to 4.5.3 and I've set up the same SAML SP in both environments using the same certificates.

There are 2 SPs using the same Entity ID and SP configuration in NAM.

AuthN1 works in both 4.4.2 and 4.5.3; the Entity ID and ACS in the AuthN request match the metadata.

For example: 

<saml2p:AuthnRequest AssertionConsumerServiceURL="https://ACS.jsp"
    Destination="https://nam/nidp/saml2/sso"
    ID="_1da80ed97980b3c1ee153452346bbc"
    IssueInstant="2020-09-24T14:38:00.931Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://novell.com</saml2:Issuer>
</saml2p:AuthnRequest>

AuthN2 works in 4.4.2 only. The Entity ID matches the metadata but it has a different ACS.

<saml2p:AuthnRequest AssertionConsumerServiceURL="https://ACS1.jsp"
    Destination="https://nam/nidp/saml2/sso"
    ID="_1da80ed97980b3c1ee153452346bbc"
    IssueInstant="2020-09-24T14:38:00.931Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://novell.com</saml2:Issuer>
</saml2p:AuthnRequest>

4.5.3 generates the error "ACS URL in unsigned request could not be verified".

My understanding is that since it's unsigned, NAM shouldn't be verifying the ACS.

0 Likes
4 Replies
Lieutenant Commander

Verify that the ACS in the SAML request is the same as the ACS in the NAM SP Metadata. I had the same error when I upgraded to 4.5.3 and found that they were not the same.
0 Likes
Captain

That's exactly my point: I know the ACS is different on the second one. It does not match the ACS in the metadata.

It used to work on 4.4.2; it does not in 4.5.3. Just wondering if this is a bug or a security-related enhancement. The behaviour has changed.

Captain

Confirmation from backline that this is a new security enhancement.

Starting at 4.5.3, for an unsigned AuthN the ACS must match the metadata; for a signed AuthN the ACS is not verified. Essentially the opposite for 4.5.2 and below.

0 Likes
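The 4.5.3 rule described above, written out as a small checker. This is an added example for illustration, not NAM's code and not code from anyone in this thread. The SP metadata is constructed for the example and registers only https://ACS.jsp, mirroring the poster's setup; "signed" is detected only by the presence of a ds:Signature child, and actual XML signature validation against the SP's metadata certificate is assumed to happen elsewhere. The fallback to the metadata default when an unsigned request carries no ACS is also an assumption of this example, not something the thread states.

```python
"""Added example: the ACS rule the thread describes for NAM 4.5.3.

Unsigned AuthnRequest -> AssertionConsumerServiceURL must match an ACS
registered in the SP metadata. Signed AuthnRequest -> the ACS is covered by
the signature, so it is not checked against metadata here. Signature
validation itself is assumed to be done elsewhere (not implemented).
"""
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"


def _q(ns, local):
    """Clark notation ({namespace}local) used by ElementTree."""
    return "{%s}%s" % (ns, local)


# Constructed SP metadata for this example (not the poster's real metadata):
# only ACS.jsp is registered; ACS1.jsp is deliberately absent, as in the thread.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://novell.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ACS.jsp" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def registered_acs(metadata_xml):
    """Return (entityID, set of AssertionConsumerService Location values)."""
    root = ET.fromstring(metadata_xml)
    locations = {acs.attrib["Location"]
                 for acs in root.iter(_q(NS_MD, "AssertionConsumerService"))}
    return root.attrib["entityID"], locations


def check_acs(authn_request_xml, metadata_xml):
    """Apply the 4.5.3 rule; returns (accepted, reason)."""
    req = ET.fromstring(authn_request_xml)
    if req.tag != _q(NS_SAMLP, "AuthnRequest"):
        return False, "not an AuthnRequest"

    entity_id, acs_urls = registered_acs(metadata_xml)
    issuer_el = req.find(_q(NS_SAML, "Issuer"))
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if issuer != entity_id:
        return False, "Issuer %r does not match SP Entity ID %r" % (issuer, entity_id)

    acs = req.attrib.get("AssertionConsumerServiceURL")
    signed = req.find(_q(NS_DS, "Signature")) is not None

    if signed:
        # Assumed: the signature has already been validated against the SP's
        # metadata certificate, so the ACS it covers can be trusted as-is.
        return True, "signed request; ACS taken from the signed request"

    if acs is None:
        # Assumption of this example: no ACS in an unsigned request means
        # the IdP falls back to the metadata default.
        return True, "unsigned request without ACS; metadata default applies"

    # Exact, case-sensitive comparison: a different host, path, scheme or
    # trailing slash is a different URL and is rejected.
    if acs in acs_urls:
        return True, "unsigned request; ACS %s matches metadata" % acs
    return False, "ACS URL in unsigned request could not be verified: %s" % acs


def _authn_request(acs, signed=False):
    """Build an AuthnRequest shaped like the two in the thread (constructed).

    signed=True only inserts a placeholder ds:Signature element to exercise
    the signed branch; it is not a real signature.
    """
    signature = ('<ds:Signature xmlns:ds="%s">placeholder</ds:Signature>' % NS_DS
                 if signed else "")
    return (
        '<saml2p:AuthnRequest xmlns:saml2p="%s" AssertionConsumerServiceURL="%s" '
        'Destination="https://nam/nidp/saml2/sso" ID="_1da80ed97980b3c1ee153452346bbc" '
        'IssueInstant="2020-09-24T14:38:00.931Z" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">'
        '<saml2:Issuer xmlns:saml2="%s">http://novell.com</saml2:Issuer>%s'
        '</saml2p:AuthnRequest>' % (NS_SAMLP, acs, NS_SAML, signature)
    )


AUTHN1 = _authn_request("https://ACS.jsp")   # matches metadata -> accepted
AUTHN2 = _authn_request("https://ACS1.jsp")  # not in metadata -> rejected

if __name__ == "__main__":
    for name, xml in (("AuthN1", AUTHN1), ("AuthN2", AUTHN2)):
        print(name, check_acs(xml, SP_METADATA))
```

The point of the 4.5.3 behaviour is visible in the unsigned branch: in an unsigned request every attribute, including the ACS, is under the control of whoever built the request, so the only trustworthy list of endpoints the IdP may post an assertion to is the one in the SP metadata it already trusts. A signed request binds the ACS to the SP's key instead, which is why that branch does not consult the metadata list.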
Micro Focus Expert

That's correct.

As per the SAML specification: https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

[image: ACS.PNG]

Let me know the concern.

0 Likes