|Applies To||RSA FIM 4.1 Federated Identity Manager|
|Issue||FIM - Assertion throws error over optional NameQualifier|
The SP throws the following error upon receiving an assertion without a NameQualifier:
2013-07-18 22:14:25,545, (SSOHelper.java:631), TWFIM220V, , , , Unable to process the Response message , com.rsa.fim.profile.sso.SSOProfileException: Subject Namespace is not received as part of the assertion. Subject namespace is configured to be required in the association.
There are parameters in the product that control whether NameQualifier is required. By default they are set to require this element, which appears in the Subject portion of an assertion as shown below.
If the optional NameQualifier is not required, FIM can be configured to change the default to "Allow No NameQualifier".
Name Qualifier behavior
For SAML11, the Name Qualifier setting is available in two places: at the Association level and at the plugin level.
For SAML20 it is available only at the plugin level, so it works straightforwardly and there is no question of precedence. For SAML11, however, the two settings can cause confusion.
At Association level (only for SAML11):
At Plugin level: the following plugin-level settings apply. The persistent and transient plugins do not have these settings.
Explanation for SAML11 Behavior:
The SAML11 flow is as follows:
* At the IDP, the plugin sets the NameQualifier during the flow, but when the Assertion is created (at a later stage) only the Association-level settings take effect. For example, if Send Subject Namespace is not set at the IDP, the NameQualifier will not go into the Assertion even though the plugin has a Name Qualifier defined.
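The following is an added example written for this article; it is not RSA FIM code. It models both halves of the behavior described above: the IDP side, where for SAML11 the association-level "Send Subject Namespace" setting decides whether the plugin's NameQualifier is written into the Subject, and the SP side, where the association-level requirement for the Subject namespace produces the error shown at the top of the article when the NameQualifier is absent. The setting names come from the article; the function names, parameter names, and sample identifiers (alice, idp.example.com) are assumptions made for this example.

```python
"""
Added example (not RSA FIM code): a minimal model of NameQualifier handling
in a SAML Subject, written for this article.

IDP side: build the Subject an IDP would place in the assertion. For SAML11
the plugin may supply a NameQualifier, but it is only emitted when the
association-level "Send Subject Namespace" setting is on. For SAML20 only
the plugin-level value exists.

SP side: check the received Subject against the association-level
"require Subject Namespace" setting and raise the kind of error the log
line above shows when the namespace is required but missing.

Function names, parameter names and sample values are assumptions.
"""
import xml.etree.ElementTree as ET

# SAML 1.1 keeps the 1.0 assertion namespace; SAML 2.0 has its own.
SAML11_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML20_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


class SSOProfileError(Exception):
    """Stand-in for com.rsa.fim.profile.sso.SSOProfileException."""


def build_subject(saml_version, name_id, plugin_name_qualifier=None,
                  association_send_subject_namespace=True):
    """Return the Subject XML (as a string) an IDP would put in the assertion.

    SAML11: the plugin value is used only if the association-level
    "Send Subject Namespace" setting is on (the precedence the article describes).
    SAML20: there is no association-level setting; the plugin value is used.
    """
    if saml_version == "1.1":
        ns, elem = SAML11_NS, "NameIdentifier"
        emit_qualifier = association_send_subject_namespace
    elif saml_version == "2.0":
        ns, elem = SAML20_NS, "NameID"
        emit_qualifier = True
    else:
        raise ValueError("unsupported SAML version: %r" % saml_version)

    subject = ET.Element("{%s}Subject" % ns)
    name = ET.SubElement(subject, "{%s}%s" % (ns, elem))
    name.text = name_id
    if emit_qualifier and plugin_name_qualifier:
        name.set("NameQualifier", plugin_name_qualifier)
    return ET.tostring(subject, encoding="unicode")


def check_subject_namespace(subject_xml, require_subject_namespace=True):
    """SP-side check. Returns the NameQualifier, or None if absent and allowed.

    Raises SSOProfileError when the association requires the Subject
    namespace (the product default) and the assertion carries none, which
    is the "Allow No NameQualifier" decision the article describes.
    """
    root = ET.fromstring(subject_xml)
    name = root.find("{%s}NameIdentifier" % SAML11_NS)
    if name is None:
        name = root.find("{%s}NameID" % SAML20_NS)
    if name is None:
        raise SSOProfileError("Subject has no NameIdentifier/NameID")
    qualifier = name.get("NameQualifier")
    if not qualifier and require_subject_namespace:
        raise SSOProfileError(
            "Subject Namespace is not received as part of the assertion. "
            "Subject namespace is configured to be required in the association.")
    return qualifier or None


def demo():
    """Reproduce the article's scenario: the SAML11 plugin defines a Name
    Qualifier, but Send Subject Namespace is off at the IDP, so the SP
    (still requiring it) rejects the assertion."""
    subject = build_subject("1.1", "alice",
                            plugin_name_qualifier="idp.example.com",  # assumed value
                            association_send_subject_namespace=False)
    try:
        check_subject_namespace(subject)  # default: namespace required
        return "accepted"
    except SSOProfileError as exc:
        return str(exc)


if __name__ == "__main__":
    print(demo())
```

Running the block prints the same error text the SP logged above. When deciding whether to relax the SP to "Allow No NameQualifier", keep in mind that the NameQualifier is what scopes the NameIdentifier to the issuing namespace; without it, the SP is relying solely on the bare identifier and the assertion's issuer to tell users from different IDPs apart.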
|Legacy Article ID||a62136|