Vice Admiral
940 views

SAML authentication failing with login hint in SAML request

Hi!

We have IDM federated with NAM using SAML. After the upgrade of IDM to 4.8.2.1 last night, users are experiencing errors whenever the Identity Application tries to extend a user's session (the session on IDM has expired).

When IDM is extending the session, the SAML request is sent with a Subject and SPProvidedID, like this:

<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable" Destination="https://nam.server.net/nidp/saml2/sso" ForceAuthn="false" ID="id-e6AkRnHMiYJddujfJQr5dn3WGo" IsPassive="false" IssueInstant="2020-12-15T13:46:24Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" >
	<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idm.server.net/osp/a/idm/auth/saml2/metadata</saml:Issuer>
	<samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
	<saml:Subject>
		<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" SPNameQualifier="https://idm.server.net/osp/a/idm/auth/saml2/metadata" SPProvidedID="uaadmin" >uaadmin</saml:NameID>
	</saml:Subject>
</samlp:AuthnRequest>

The response from NAM is simply RequestDenied:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://idm.server.net/osp/a/idm/auth/saml2/spassertion_consumer" ID="id3YGeLRMfiTCOB0ukkAdBppo3mYM" InResponseTo="id-e6AkRnHMiYJddujfJQr5dn3WGo" IssueInstant="2020-12-15T13:46:24Z" Version="2.0" >
	<saml:Issuer>https://nam.server.net/nidp/saml2/metadata</saml:Issuer>
	<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
		.............
	</ds:Signature>
	<samlp:Status>
		<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
			<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied" />
		</samlp:StatusCode>
	</samlp:Status>
</samlp:Response>

Looking at catalina, I can see the following error:

<amLogEntry> 2020-12-15T13:46:24Z WARNING NIDS Application: AM#300105014: AMDEVICEID#929A1803F1E309DD: AMAUTHID#9393cea69c1ad41a38c48faa8a450012b70454ed91cdb60db7af00df4cce81db:  Failed to locate the subject identified in authentication request from https://idm.server.net/osp/a/idm/auth/saml2/metadata </amLogEntry>

Please note:

  • There is only one uaadmin user in the whole userstore (the username in the SAML request hint)
  • This happens when the Identity application tries to reauthenticate, so the initial authentication on NAM with the uaadmin user was successful
  • When reauthentication happens, the NAM session is still live, so if I just go to the IDMApps URL, the user will be authenticated automatically (because in that case the SAML request does not hold a <saml:Subject> element)

Has anybody else seen something like this?

Kind regards,

Sebastijan

16 Replies
Commodore

I haven't done this integration but I'd be VERY surprised if the IDP could find "uaadmin", as all the parameters about what user store to use and how to search it are tied to the contract/method. Since it's trying to find a Subject, it may be expecting the subject identifier, which is a guid tied to an SPNameQualifier.

Micro Focus Expert

Please check/share the SAML request and response for the very first time. What is the NameID in the response? Is it transient or unspecified?

Vice Admiral

The original SAML request has a transient NameID:

<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable" Destination="https://nam.server.net/nidp/saml2/sso" ForceAuthn="false" ID="idHVlp4vKS3HpRpUvIBHBr7e8j1ic" IsPassive="false" IssueInstant="2020-12-15T17:16:26Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" >
	<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idm.server.net/osp/a/idm/auth/saml2/metadata</saml:Issuer>
	<samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
</samlp:AuthnRequest>

And the original response also has a transient NameID:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://idm.server.net/osp/a/idm/auth/saml2/spassertion_consumer" ID="id0z4-R_VOwzkWqqxJmkke1YD2X9A" InResponseTo="idHVlp4vKS3HpRpUvIBHBr7e8j1ic" IssueInstant="2020-12-15T17:16:26Z" Version="2.0" >
	<saml:Issuer>https://nam.server.net/nidp/saml2/metadata</saml:Issuer>
	<samlp:Status>
		<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
	</samlp:Status>
	<saml:Assertion ID="idaAFzbtfLERiEmUWsnQewb_6FRPI" IssueInstant="2020-12-15T17:16:26Z" Version="2.0" >
		<saml:Issuer>https://nam.server.net/nidp/saml2/metadata</saml:Issuer>
		<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
			...
		</ds:Signature>
		<saml:Subject>
			<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://nam.server.net/nidp/saml2/metadata" SPNameQualifier="https://idm.server.net/osp/a/idm/auth/saml2/metadata" >LL3DrNPfE4YrbBlKNmwfRDttEUI4aRhGAcWgTQ==</saml:NameID>
			<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
				<saml:SubjectConfirmationData InResponseTo="idHVlp4vKS3HpRpUvIBHBr7e8j1ic" NotOnOrAfter="2020-12-15T17:21:26Z" Recipient="https://idm.server.net/osp/a/idm/auth/saml2/spassertion_consumer" />
			</saml:SubjectConfirmation>
		</saml:Subject>
		<saml:Conditions NotBefore="2020-12-15T17:11:26Z" NotOnOrAfter="2020-12-15T17:21:26Z" >
			<saml:AudienceRestriction>
				<saml:Audience>https://idm.server.net/osp/a/idm/auth/saml2/metadata</saml:Audience>
			</saml:AudienceRestriction>
		</saml:Conditions>
		<saml:AuthnStatement AuthnInstant="2020-12-15T17:16:14Z" SessionIndex="idaAFzbtfLERiEmUWsnQewb_6FRPI" >
			<saml:AuthnContext>
				<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
				<saml:AuthnContextDeclRef>https://server.net/am/idp/unp</saml:AuthnContextDeclRef>
			</saml:AuthnContext>
		</saml:AuthnStatement>
		<saml:AttributeStatement>
			<saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="cn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" >
				<saml:AttributeValue xsi:type="xs:string">uasebastijan</saml:AttributeValue>
			</saml:Attribute>
		</saml:AttributeStatement>
	</saml:Assertion>
</samlp:Response>

Kind regards,

Sebastijan

Micro Focus Expert

You can see that the Transient Name ID value is a long string (LL3DrNPfE4YrbBlKNmwfRDttEUI4aRhGAcWgTQ==) in the assertion. However, the SP is sending the Name ID as uaadmin in the next Authentication Request. The IDP doesn't have any idea of the identifier uaadmin and it is failing.

You can try changing the SP option to use the NameID value as an attribute in place of the randomly generated string.

SAML2_NAMEID_ATTRIBUTE_NAME can be used for this.

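As an added illustration (not code from this thread or from Micro Focus), a small Python check that compares the NameID the IdP issued in the earlier assertion with the Subject the SP puts in its re-authentication request; the sample messages are abbreviated from the captures in this thread, and the element paths and the three result labels are my own.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

def issued_nameid(response_xml):
    """(Format, value) of the NameID the IdP put in the assertion's Subject."""
    root = ET.fromstring(response_xml)
    nid = root.find(f".//{{{SAML}}}Assertion/{{{SAML}}}Subject/{{{SAML}}}NameID")
    return nid.get("Format"), (nid.text or "").strip()

def requested_subject(authn_request_xml):
    """(Format, value) of the Subject NameID in an AuthnRequest, or None."""
    nid = ET.fromstring(authn_request_xml).find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    return None if nid is None else (nid.get("Format"), (nid.text or "").strip())

def check_reauth(response_xml, authn_request_xml):
    """Classify the SP's re-auth request against the NameID the IdP last issued."""
    subject = requested_subject(authn_request_xml)
    if subject is None:
        return "no-subject"          # IdP falls back to its own live session
    issued_fmt, issued_val = issued_nameid(response_xml)
    if subject[1] == issued_val:
        return "match"               # SP echoed the identifier the IdP issued
    if issued_fmt == TRANSIENT:
        return "transient-mismatch"  # IdP cannot resolve an SP-chosen name
    return "mismatch"

# Constructed samples, abbreviated from the thread's captures (signature,
# timestamps and conditions omitted; only the NameID elements matter here).
RESPONSE_TRANSIENT = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"><saml:Assertion>'
    f'<saml:Subject><saml:NameID Format="{TRANSIENT}">'
    'LL3DrNPfE4YrbBlKNmwfRDttEUI4aRhGAcWgTQ==</saml:NameID></saml:Subject>'
    '</saml:Assertion></samlp:Response>')
REQUEST_UAADMIN = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"><saml:Subject>'
    f'<saml:NameID Format="{UNSPECIFIED}" SPProvidedID="uaadmin">uaadmin'
    '</saml:NameID></saml:Subject></samlp:AuthnRequest>')
REQUEST_NO_SUBJECT = f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}"/>'
# After SAML2_NAMEID_ATTRIBUTE_NAME=cn the IdP issues the cn value instead.
RESPONSE_CN = RESPONSE_TRANSIENT.replace("LL3DrNPfE4YrbBlKNmwfRDttEUI4aRhGAcWgTQ==", "uasebastijan")
REQUEST_CN = REQUEST_UAADMIN.replace("uaadmin", "uasebastijan")
```

Running check_reauth on the before/after pairs reproduces the thread's two outcomes: "transient-mismatch" for the failing request and "match" once the NameID carries the cn value.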
Vice Admiral

Hi Manjit,

I have the same issue as @Sebastijan. I tried this option and am still getting the error when trying to extend the identity app session.

Could this be because the requested NameID is set to format:transient but the request subject is format:unspecified?

 <samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" SPNameQualifier="https://idm.server.net/osp/a/idm/auth/saml2/metadata" SPProvidedID="uaadmin" >uaadmin</saml:NameID>
</saml:Subject>

Thanks,
Jeremiah

Vice Admiral

I was thinking of configuring OSP to request an unspecified nameid (then everything is unspecified and can have the username in it), but I don't know if this is possible. Unfortunately I don't have time to do that before Tuesday.

Micro Focus Contributor

FYI:

I just tried the suggested workaround (using the SAML2 NAMEID ATTRIBUTE NAME option) after I had run into this issue, and this sorted out the issue for me.

For the value I used CN.

Vice Admiral

I can also confirm that setting SAML2 NAMEID ATTRIBUTE NAME to cn solves the problem.

This is a request for reauthentication:

<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable"
                    Destination="https://nam.server.net/nidp/saml2/sso"
                    ForceAuthn="false"
                    ID="id4pBwSE5hjLVB8Z9v--fuy9FDuSU"
                    IsPassive="false"
                    IssueInstant="2020-12-22T10:41:10Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0"
                    >
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idm.server.net/osp/a/idm/auth/saml2/metadata</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="false"
                        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                        />
    <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                     SPNameQualifier="https://idm.server.net/osp/a/idm/auth/saml2/metadata"
                     SPProvidedID="uasebastijan"
                     >uasebastijan</saml:NameID>
    </saml:Subject>
</samlp:AuthnRequest>

And response:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                Destination="https://idm.server.net/osp/a/idm/auth/saml2/spassertion_consumer"
                ID="ids_qTTbOpDnTdJ4nIL2N17oihNE0"
                InResponseTo="id4pBwSE5hjLVB8Z9v--fuy9FDuSU"
                IssueInstant="2020-12-22T10:41:14Z"
                Version="2.0"
                >
    <saml:Issuer>https://nam.server.net/nidp/saml2/metadata</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion ID="idoIevG-UsjFyC_FbclBD1PgavOUA"
                    IssueInstant="2020-12-22T10:41:14Z"
                    Version="2.0"
                    >
        <saml:Issuer>https://nam.server.net/nidp/saml2/metadata</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
			...
        </ds:Signature>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                         NameQualifier="https://nam.server.net/nidp/saml2/metadata"
                         SPNameQualifier="https://idm.server.net/osp/a/idm/auth/saml2/metadata"
                         >uasebastijan</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData InResponseTo="id4pBwSE5hjLVB8Z9v--fuy9FDuSU"
                                              NotOnOrAfter="2020-12-22T10:46:14Z"
                                              Recipient="https://idm.server.net/osp/a/idm/auth/saml2/spassertion_consumer"
                                              />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2020-12-22T10:36:14Z"
                         NotOnOrAfter="2020-12-22T10:46:14Z"
                         >
            <saml:AudienceRestriction>
                <saml:Audience>https://idm.server.net/osp/a/idm/auth/saml2/metadata</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2020-12-22T09:53:38Z"
                             SessionIndex="id3V0ghO_AhuZIq0v7faRa74SK9Hc"
                             >
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
                <saml:AuthnContextDeclRef>secure/name/password/uri</saml:AuthnContextDeclRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema"
                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                            Name="cn"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                            >
                <saml:AttributeValue xsi:type="xs:string">uasebastijan</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

Micro Focus Contributor

Hi Sebastijan,

I believe this was introduced with IDM 4.8.
I will work with the IDM team and request that this option is added when the SAML relationship is created on the NAM side, to avoid future issues.
Or, as an alternative, that this is made part of the documentation.

Vice Admiral

Regarding:

I will work with the IDM team and request when SAML relationship is created on the NAM side to add this option and avoid future issues.
Or as an alternative to make this part of the documentation.

I would really appreciate it if the documentation would also hold the "manual" steps to configure NAM, not just the option to "click OK and everything will be done by itself".

I understand that this is done to remove complexity, but sometimes the IDM admin is not also the NAM admin, and the NAM admin does not like some installation to "automatically and magically" configure NAM.

Please also give us instructions to do it manually.

Micro Focus Contributor

Hi Sebastijan,

I will include your comments when I make the request to the IDM team.
