lelle1 Absent Member.
Absent Member.

AAF as Saml IDP


new setup with Netiq Access Manager 4.4.4 as SP and AAF 6.2 fully patched as IDP
Have exchanged metadata, looks alright. Have validated the metadata online at onelogin online validator
But when trying to authenticate to AAF I get a error in web auth page "Unable to complete request at this time. "
And the webbauth log shows this (I have changed the domain name here)

"Error sending SAML 2.0 message.: internal.atlaslite.jcce.exception.CoreInvalidObjectException: 'AuthnResponse' failed validation.
RelayState: MA==
Type: SAMLResponse
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Log Data: Sending SAML 2.0 message.
Time: 2019-06-03T10:07:15.725+0000
Elapsed time: 1.316 milliseconds
Java: internal.osp.oidp.service.saml2.profile.SAML2Profile.sendMessage() [622] thread=http-nio-
Priority Level: FINER
Preamble: [OIDP]

Text: This request came from an untrusted service provider. Provider id "https://am4.domain.com/nidp/saml2/metadata" could not be resolved.
Correlation Id: 1615ab50-ef21-42de-a670-79cbd645ab41
Thread: http-nio-
Code: internal.osp.oidp.service.saml2.protocol.SAML2Type.validate() [474]
1) Error: AuthnRequest
Log Data: AuthnRequest failed to validate: Validation messages (1):
Time: 2019-06-03T10:07:15.724+0000
Java: internal.osp.oidp.service.saml2.protocol.SAML2Type.validate() [734] thread=http-nio-
Priority Level: INFO
Preamble: [OIDP]

Provider identifier: https://am4.domain.com/nidp/saml2/metadata
Log Data: Trusted entity not found."

Name resolution works fine. certificates in metadata is a signed wildcard certificate (both servers are under same domain name)
I have tested to import the intermidiate CA cert in AAF to sure, RootCA is already there
If I use curl in AAF server to test the url it goes fine
"aaf:~ # curl https://am4.domain.com/nidp/saml2/metadata
<?xml version="1.0" encoding="UTF-8" ?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="idPUBFKc1hADlc9Wf76Mxe3ApV5Ns" entityID="https://am4.domain.com/nidp/saml2/metadata">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><CanonicalizationMethod xmlns="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#idPUBFKc1hADlc9Wf76Mxe3ApV5Ns">
<ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">9kSy119PFdnjsdslRaa1yE142SmT67Q0mjtK/VEKd3o=</DigestValue>
</ds:SignedInfo><SignatureValue xmlns="http://www.w3.org/2000/09/xmldsig#">
Rest left out"

I have this setup
Access Manager 4.4.4
Advanced Auth 6.2
I have the same configuration in production and there its working, but it was setup first on a earlier version of AAF
In AAF it's not really much you can fiddle with when it comes to settings, but any suggestions are welcome

4 Replies
Micro Focus Contributor
Micro Focus Contributor

Re: AAF as Saml IDP

Hi Lelle,
AAF components runnning under different docker containers, can you please try to open container with "docker exec -ti aaf_webauth_1" and try to execute "wget https://am4.domain.com/nidp/saml2/metadata", will it be successfuly downloaded?
lelle Valued Contributor.
Valued Contributor.

Re: AAF as Saml IDP


Thanks for your reply, now I have tried "Docker exec" and it does download the metadata, so that is working as it should. Something must have changed between ver 6.1 and 6.2 when it comes to the Saml enginee.

When I compare a saml assertion between 6.1 and 6.2 I can't see a difference, but for some reason the request is in 6.2 get forward to Access manager portal instead of the originating protected resource

Any other suggestions I can try?


Micro Focus Contributor
Micro Focus Contributor

Re: AAF as Saml IDP

Hi Lennart,
I would like to request some sensitive data, such as metadata, service provider certificate, i think it will be better continue investigation within service request, do you have access customer portal?
lelle Valued Contributor.
Valued Contributor.

Re: AAF as Saml IDP






The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.