2 Replies Latest reply on Mar 11, 2015 8:20 AM by Jayesh Panchal

    ASSO and CA Site Minder SAML Federation Issue

    Jayesh Panchal

      Hi Folks,

      I am facing a challenge in integrating ASSO and CA Site Minder using SAML federation. I am using SP-initiated SAML federation, where Site Minder acts as the IdP.

      ASSO uses OpenSSO, and it sets some parameters in the SAML AuthnRequest which Site Minder does not support, like "IsPassive" (please find the text from the Site Minder documentation below).

      Note: SiteMinder Identity Providers do not support the IsPassive query parameter. A third-party Service Provider can include the IsPassive parameter in an AuthnRequest message.

      Due to this, Site Minder is not able to generate the SAML response and throws an HTTP 500 error.

      And I don't see any GUI in the OpenAM console to hide those optional parameters in the AuthnRequest.

      I know BMC provided a fix to block the optional RequestedAuthnContext tag in the AuthnRequest (SW00465191) by just adding the blockAuthContext=true parameter to an agent's Login URI in ASSO 8.1.00.03.12.

      I know that the optional AuthnRequest parameters are coming from FSAuthnRequest.java in openfedlib.jar, but can it be solved by any kind of configuration?

      Below is the sample AuthnRequest generated by ASSO (SP):

      <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        ID="s206efb4e8484fa872f2260ff2d28ac0f31aa1a55f"
        Version="2.0"
        IssueInstant="2014-09-01T10:39:48Z"
        Destination="https://xyz.com/affwebservices/public/saml2sso"
        ForceAuthn="false"
        IsPassive="false"
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        AssertionConsumerServiceURL="https://xyz:8443/atriumsso/Consumer/metaAlias/BmcRealm/sp"
        >
        <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">AtriumSSO-QA-Local-SP</saml:Issuer>
        <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
          Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          AllowCreate="false"
          />
      </samlp:AuthnRequest>


      Regards,

      Jayesh
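
The post above asks whether optional AuthnRequest parameters such as IsPassive (and the RequestedAuthnContext element covered by the earlier BMC fix) can be kept out of the request an SP sends. As an added example, not code from the original post and not from BMC, ForgeRock/OpenAM or CA, the Python script below parses an AuthnRequest, reports which parts of it appear on a list of things the target IdP is assumed not to accept, and builds a minimised copy without them. It relies only on xml.etree from the standard library; the sample request is constructed, modelled on the one in the post with a placeholder ID and hostnames, and the IDP_UNSUPPORTED set is an assumption for the example. SAML 2.0 Core defines the default of both IsPassive and ForceAuthn as false, so omitting IsPassive="false" does not change what the SP is asking for; the script therefore removes an attribute only when the value sent equals that default, and leaves a genuinely non-default value (for instance ForceAuthn="true") in place for a human to decide about.

```python
"""Check a SAML 2.0 AuthnRequest for optional attributes or child elements that
a given IdP does not support, and build a minimised copy without them.
Added example for the question above; not code from the original post, BMC or CA."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Keep the conventional prefixes when the request is serialised again.
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Optional AuthnRequest attributes together with their SAML 2.0 Core default.
# Sending the default value and omitting the attribute mean the same thing,
# so dropping such an attribute does not change the request's semantics.
DEFAULTED_ATTRS = {"IsPassive": "false", "ForceAuthn": "false"}

# What this particular IdP is assumed not to accept (assumption for the example;
# IsPassive matches the SiteMinder documentation note quoted in the post).
IDP_UNSUPPORTED = {"IsPassive", "RequestedAuthnContext"}

# Constructed sample, modelled on the request in the post; ID and hostnames are placeholders.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_placeholder-request-id"
  Version="2.0"
  IssueInstant="2014-09-01T10:39:48Z"
  Destination="https://idp.example/affwebservices/public/saml2sso"
  ForceAuthn="false"
  IsPassive="false"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  AssertionConsumerServiceURL="https://sp.example:8443/atriumsso/Consumer/metaAlias/BmcRealm/sp">
  <saml:Issuer>Example-SP</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="false"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def _local(tag):
    """Strip the {namespace} part from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def _parse(xml_text):
    """Parse the text and make sure the root really is a samlp:AuthnRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("document is not a samlp:AuthnRequest")
    return root


def find_unsupported(xml_text, unsupported=IDP_UNSUPPORTED):
    """Names of attributes and direct child elements of the AuthnRequest that
    appear in `unsupported`, attributes first, in document order."""
    root = _parse(xml_text)
    found = [name for name in root.attrib if name in unsupported]
    found += [_local(child.tag) for child in root if _local(child.tag) in unsupported]
    return found


def minimise(xml_text, unsupported=IDP_UNSUPPORTED):
    """Copy of the AuthnRequest without the unsupported optional parts.
    An attribute is dropped only when its value equals the spec default, so a
    request that really asks for ForceAuthn="true" is left alone and the caller
    sees it reported by find_unsupported() instead of silently losing it."""
    root = _parse(xml_text)
    for name in list(root.attrib):
        if name in unsupported and DEFAULTED_ATTRS.get(name) == root.attrib[name]:
            del root.attrib[name]
    for child in list(root):
        if _local(child.tag) in unsupported:
            root.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("unsupported parts present:", find_unsupported(SAMPLE_REQUEST))
    print(minimise(SAMPLE_REQUEST))
```

Running the script on the constructed sample reports IsPassive and RequestedAuthnContext and prints a request that keeps ID, Version, IssueInstant, Destination, ProtocolBinding, AssertionConsumerServiceURL, Issuer and NameIDPolicy. The same check is a quick way to confirm, from a captured request, exactly which optional parts an SP product emits before its configuration is changed, and whether any of them carries a non-default value that a configuration switch must not simply discard.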