oimastek

SAML Response Invalid Element StatusMessage ADFS

Hi All,

I've set up a Brokering Group and a Brokering Rule, and when the user has a certain role, the SP deny is set.

https://www.netiq.com/documentation/access-manager-44/admin/data/b1ax7qoc.html says:

If the authorization policy is configured to deny execution, Identity Server sends the following message as part of an assertion response.

<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied" />
</samlp:StatusCode>
<StatusMessage>Authorization is failed</StatusMessage>
</samlp:Status>

Which is exactly what it does in our case.

<samlp:Status>
<samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
<samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
</samlp:StatusCode>
<StatusMessage>Authorization is failed</StatusMessage>
</samlp:Status>


The problem is that ADFS (the SP in this case) doesn't like the SAML response very much. It shows an "An error occurred" page to the user, and the exception below is in the Event Logs.

Exception details:
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
at System.Xml.XmlReader.ReadEndElement()
at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadStatus(XmlReader reader)
at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadResponse(XmlReader reader, NamespaceContext context)
at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.CreateFromNameValueCollection(Uri baseUrl, NameValueCollection collection)
at Microsoft.IdentityServer.Protocols.Saml.HttpPostSamlBindingSerializer.ReadMessage(Uri requestUrl, NameValueCollection form)
at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)


It may seem like an ADFS-related question at first, but there may be some configuration in NAM that you are aware of which can sort out this response.

Eventually, instead of having the "An error occurred" page, we would be happy with an "Access is denied" message.

Thanks for your time reading and your responses in advance.
4 Replies
oimastek

Re: SAML Response Invalid Element StatusMessage ADFS

oimastek;2497941 wrote:

<samlp:Status>
<samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
<samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
</samlp:StatusCode>
<StatusMessage>Authorization is failed</StatusMessage>
</samlp:Status>


Answering my own question, I think it's because of the StatusMessage element, which should be samlp:StatusMessage, shouldn't it? Examples from posts online:

<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
<samlp:StatusMessage>Something is wrong...</samlp:StatusMessage>
</samlp:Status>

<samlp:Response ID="_f0961a83-d071-4be5-a18c-9ae7b22987a4" Version="2.0" IssueInstant="2013-03-18T08:49:24.405Z" InResponseTo="iddce91f96e56747b5ace6d2e2aa9d4f8c" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/82869000-6ad1-48f0-8171-272ed18796e9/</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported" />
</samlp:StatusCode>
<samlp:StatusMessage>AADSTS75006: An error occurred while processing a SAML2 Authentication request. AADSTS90011: The SAML authentication request property 'NameIdentifierPolicy/SPNameQualifier' is not supported.
Trace ID: 66febed4-e737-49ff-ac23-464ba090d57c
Timestamp: 2013-03-18 08:49:24Z</samlp:StatusMessage>

</samlp:Status>

This must be a bug in NAM, going to raise a support request...
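To make the namespace point concrete, here is an added example (not code from the thread, NAM or ADFS) that parses the two Status blocks compared above with a namespace-aware reader: the NAM form with an unqualified StatusMessage is rejected, the samlp:StatusMessage form yields the Responder/RequestDenied codes an SP can map to an "Access is denied" page. Both inputs are constructed here from the XML quoted in the posts.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"

# Constructed sample: the NAM response quoted in the thread. StatusMessage has
# no prefix, so it sits in the null namespace rather than in samlp.
NAM_STATUS = f"""<samlp:Status xmlns:samlp="{SAMLP}">
  <samlp:StatusCode Value="{RESPONDER}">
    <samlp:StatusCode Value="{REQUEST_DENIED}"/>
  </samlp:StatusCode>
  <StatusMessage>Authorization is failed</StatusMessage>
</samlp:Status>"""

# Constructed sample: the same status with StatusMessage qualified as samlp:.
QUALIFIED_STATUS = (NAM_STATUS
                    .replace("<StatusMessage>", "<samlp:StatusMessage>")
                    .replace("</StatusMessage>", "</samlp:StatusMessage>"))


def parse_status(xml_text):
    """Read <samlp:Status> as a strict, schema-minded SP does.
    Any child outside the samlp namespace raises ValueError: a parser walking
    the schema order (StatusCode, StatusMessage, StatusDetail) has no slot
    for an unqualified <StatusMessage>."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Status":
        raise ValueError(f"expected samlp:Status, got {root.tag}")
    result = {"codes": [], "message": None}
    for child in root:
        if not child.tag.startswith(f"{{{SAMLP}}}"):
            raise ValueError(f"unexpected element {child.tag!r} in samlp:Status")
        local = child.tag[len(SAMLP) + 2:]  # strip the "{ns}" prefix
        if local == "StatusCode":
            result["codes"].append(child.get("Value"))  # top-level code first
            nested = child.iter(f"{{{SAMLP}}}StatusCode")
            result["codes"].extend(c.get("Value") for c in nested if c is not child)
        elif local == "StatusMessage":
            result["message"] = child.text
    return result


def classify(xml_text):
    """Return "denied" for Responder/RequestDenied, "malformed" when the status
    cannot be parsed (the generic error page in the thread), else "other"."""
    try:
        codes = parse_status(xml_text)["codes"]
    except (ValueError, ET.ParseError):
        return "malformed"
    return "denied" if codes[:2] == [RESPONDER, REQUEST_DENIED] else "other"
```

A lenient parser that ignores namespaces would accept both inputs, which is why the same response works with some SPs and fails with others.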
edmaa (Knowledge Partner)

Re: SAML Response Invalid Element StatusMessage ADFS

On 08-04-2019 11:36 PM, oimastek wrote:
>
> oimastek;2497941 wrote:
>> <samlp:Status>
>> <samlp:StatusCode
>> Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
>> <samlp:StatusCode
>> Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
>> </samlp:StatusCode>
>> <StatusMessage>Authorization is failed</StatusMessage>
>> </samlp:Status>
>
> Answering my own question, I think it's because of the StatusMessage
> element, which should be samlp:StatusMessage, shouldn't it? Examples from
> posts online:
>
> <samlp:Status>
> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
> *<samlp:StatusMessage>Something is wrong...</samlp:StatusMessage>*
> </samlp:Status>
>
> <samlp:Response ID="_f0961a83-d071-4be5-a18c-9ae7b22987a4" Version="2.0"
> IssueInstant="2013-03-18T08:49:24.405Z"
> InResponseTo="iddce91f96e56747b5ace6d2e2aa9d4f8c"
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
> <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/82869000-6ad1-48f0-8171-272ed18796e9/</Issuer>
> <samlp:Status>
> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported" />
> </samlp:StatusCode>
> *<samlp:StatusMessage>AADSTS75006: An error occurred while
> processing a SAML2 Authentication request. AADSTS90011: The SAML
> authentication request property 'NameIdentifierPolicy/SPNameQualifier'
> is not supported.
> Trace ID: 66febed4-e737-49ff-ac23-464ba090d57c
> Timestamp: 2013-03-18 08:49:24Z</samlp:StatusMessage>*
> </samlp:Status>
>
> This must be a bug in NAM, going to raise a support request...
>

What does the inbound SAML AuthnRequest message look like from the SP? It could be they are requesting a Name Identifier Policy you simply haven't enabled for that SP.


--
Cheers,
Edward
oimastek

Re: SAML Response Invalid Element StatusMessage ADFS

edmaa;2498008 wrote:
On 08-04-2019 11:36 PM, oimastek wrote:

What does the inbound SAML AuthnRequest message look like from the SP? It could be they are requesting a Name Identifier Policy you simply haven't enabled for that SP.


--
Cheers,
Edward


Hi Edward, thanks for taking the time to respond. Apologies if it was misleading: those lines with the name identifier policy were from other example posts on the internet, not from our case. The reason I posted them was as examples of how the StatusMessage element should look with its namespace, samlp:StatusMessage. The NAM response doesn't have the namespace added, and the support request we created confirmed that this is a bug and will be looked at. Thanks for your time.
edmaa (Knowledge Partner)

Re: SAML Response Invalid Element StatusMessage ADFS

On 11-04-2019 12:34 AM, oimastek wrote:
>
> edmaa;2498008 wrote:
>> On 08-04-2019 11:36 PM, oimastek wrote:
>>
>> What does the inbound SAML AuthnRequest message look like from the SP?
>> It could be they are requesting a Name Identifier Policy you simply
>> haven't enabled for that SP.
>>
>> --
>> Cheers,
>> Edward
>
> Hi Edward, thanks for taking the time to respond. Apologies if it was
> misleading: those lines with the name identifier policy were from other
> example posts on the internet, not from our case. The reason I posted
> them was as examples of how the StatusMessage element should look with its
> namespace, samlp:StatusMessage. The NAM response doesn't have the namespace
> added, and the support request we created confirmed that this is a bug
> and will be looked at. Thanks for your time.
>

Oh... nice find. Interesting how StatusCode does have a namespace and StatusMessage doesn't. I guess it depends on how the SP parses the XML whether this will show up as an issue.

--
Cheers,
Edward