Cadet 1st Class

ACS URL in unsigned request

After applying support pack 4.5.3, SAML is not working anymore:
Unable to complete request at this time. (ACS URL in unsigned request could not be verified) 

Tried to set the options SAML2_ACS_URL_RESTRICT and SAML2_ACS_DOMAIN_WHITELIST
without any results.

request:

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://asmlitsmdev.service-now.com"
Destination="https://idp-acc.asml.com/nidp/saml2/sso"
ForceAuthn="false"
ID="SNCc7ea13829699ce82662023cc8f568f01"
IsPassive="false"
IssueInstant="2020-08-19T12:31:34.861Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ProviderName="https://asmlitsmdev.service-now.com"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://asmlitsmdev.service-now.com</saml2:Issuer>
<saml2p:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
/>
</saml2p:AuthnRequest>

-------------------------------------------------------------------

NAM config:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://asmlitsmdev.service-now.com">
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://asmlitsmdev.service-now.com/navpage.do"/>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</NameIDFormat>
<AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://asmlitsmdev.service-now.com/navpage.do" />
<AssertionConsumerService isDefault="false" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://asmlitsmdev.service-now.com/consumer.do" />
</SPSSODescriptor>
</EntityDescriptor>

 

0 Likes
Micro Focus Expert

As per the SAML specification:

The AssertionConsumerServiceURL in a SAML authentication request should match one of the values in the SAML metadata.

The SAML authentication request can only contain an AssertionConsumerServiceURL which is not included in the metadata if the authentication request is signed.

I would suggest contacting your Service Provider and asking them to sign the authentication request.

 

0 Likes
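The rule stated in the reply above, applied to the request and metadata posted in this thread. This is an added example, not part of the original posts and not the identity provider's own code; the function names `registered_acs` and `check_acs` are hypothetical, matching is by exact string comparison, and the signature check only looks for an embedded `ds:Signature` element without validating it.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Trimmed copies of the AuthnRequest and SP metadata posted in this thread.
AUTHN_REQUEST = """<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  AssertionConsumerServiceURL="https://asmlitsmdev.service-now.com"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  ID="SNCc7ea13829699ce82662023cc8f568f01" Version="2.0"/>"""

SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://asmlitsmdev.service-now.com">
  <SPSSODescriptor AuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService isDefault="true" index="0"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://asmlitsmdev.service-now.com/navpage.do"/>
    <AssertionConsumerService isDefault="false" index="1"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://asmlitsmdev.service-now.com/consumer.do"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def registered_acs(metadata_xml):
    """Return the set of (Binding, Location) pairs registered in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    return {(e.get("Binding"), e.get("Location"))
            for e in root.iterfind(".//md:AssertionConsumerService", NS)}


def check_acs(request_xml, metadata_xml):
    """Classify the request's ACS URL against the metadata (hypothetical helper)."""
    req = ET.fromstring(request_xml)
    acs = req.get("AssertionConsumerServiceURL")
    if acs is None:
        return "no-acs-url"  # the request names no ACS URL at all
    binding = req.get("ProtocolBinding")
    for b, loc in registered_acs(metadata_xml):
        if loc == acs and binding in (None, b):
            return "match"
    # Presence only: this does not validate the signature.
    signed = req.find("ds:Signature", NS) is not None
    return "unregistered-signed" if signed else "unregistered-unsigned"


if __name__ == "__main__":
    print(check_acs(AUTHN_REQUEST, SP_METADATA))
```

For the posted data the result is `unregistered-unsigned`: the request carries the bare host URL, while the metadata registers only the `/navpage.do` and `/consumer.do` locations.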
Cadet 1st Class

Thank you for your reply.
So it isn't possible anymore to "work around" this issue with the advanced option?

0 Likes