000014627 - FIM - Assertion throws error over optional NameQualifier

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000014627
Applies To: RSA FIM 4.1 Federated Identity Manager
Issue: FIM - Assertion throws error over optional NameQualifier

The SP throws the following error upon receiving an assertion without a NameQualifier:

2013-07-18 22:14:25,545, (SSOHelper.java:631), TWFIM220V, , , , Unable to process the Response message , com.rsa.fim.profile.sso.SSOProfileException: Subject Namespace is not received as part of the assertion. Subject namespace is configured to be required in the association.
at com.rsa.fim.profile.sso.SSOHelper.nullCheck(SSOHelper.java:394)

Cause

There are parameters in the product that control whether the NameQualifier is required. By default they are set to require this element, which is shown below in the Subject section of an assertion.

<Subject>
  <NameIdentifier NameQualifier="nara">rlopez</NameIdentifier>
  <SubjectConfirmation>
    <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</ConfirmationMethod>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data>
        <ds:X509Certificate>MIID...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </SubjectConfirmation>
</Subject>

Resolution

If the optional NameQualifier is not required, FIM can be configured to change the default to "Allow No NameQualifier".

Name Qualifier behavior
========================

For SAML11, the Name Qualifier setting is available at two places: Association level and plugin level.

For SAML20 it is available only at plugin level, so it works straightforwardly and there is no question of precedence. For SAML11, however, the two levels interact and the precedence needs explanation.

At Association level (only for SAML11):
-IDP SSO Setting: Send Subject Namespace - Sets the Name Qualifier to be placed in the Subject element of the outgoing Assertion.
-SP SSO Setting: Require Subject Namespace - Sets the Name Qualifier that must be received in the Subject element of the incoming Assertion.

At Plugin level: the following settings apply. Persistent and transient plugins do not have these settings.
-Name Qualifier: Sets the Name Qualifier to be placed in the Subject NameID.
-Allowed Name Qualifier: List of Name Qualifiers that may be received in the Subject element of the incoming NameID.
-Allow No Name Qualifier: Decides whether an assertion with no Name Qualifier is allowed. If set, unmatched qualifiers are allowed as well.

Explanation of SAML11 behavior:
These settings were defined at plugin level for generic processing of SAML11 and SAML20, and the logic is common to both. The Association level setting allows overriding (that is, narrowing down the list) for each associated partner: plugins define a broader list of Allowed Name Qualifiers, while the Association uses just one of them. Association settings take precedence over plugin settings.

The SAML11 flow is as follows:

* At the IDP, the plugin sets the NameQualifier during the flow, but when the Assertion is created (at a later stage) only the Association level settings take effect. For example, if Send Subject Namespace is not set at the IDP, the Name Qualifier will not go into the Assertion even though the plugin has one defined.
* At the SP, even if "Allow No Name Qualifier" is set at plugin level, processing stops at Association level if "Require Subject Namespace" is set. After the Name Qualifier passes the Association level check, the plugin verifies it against the "Allowed Name Qualifier" list. This plugin-level check can be bypassed by setting "Allow No Name Qualifier" at plugin level.
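As an added illustration (not FIM's own code), the following Python models the SP-side SAML11 precedence described above: the Association level "Require Subject Namespace" check runs first, and only then does the plugin "Allowed Name Qualifier" list apply, which "Allow No Name Qualifier" skips. It reads the NameQualifier from a constructed copy of the Subject fragment shown in the Cause section; treating "Require Subject Namespace" as a simple required flag is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the SAML 1.1 Subject from the Cause section,
# reduced to the parts relevant to the NameQualifier check.
SUBJECT_WITH_NQ = """<Subject>
  <NameIdentifier NameQualifier="nara">rlopez</NameIdentifier>
  <SubjectConfirmation>
    <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</ConfirmationMethod>
  </SubjectConfirmation>
</Subject>"""
# The same Subject with the optional NameQualifier attribute omitted.
SUBJECT_NO_NQ = SUBJECT_WITH_NQ.replace(' NameQualifier="nara"', "")

def name_qualifier(subject_xml):
    """Return the NameQualifier attribute of <NameIdentifier>, or None if absent."""
    root = ET.fromstring(subject_xml)
    nid = root.find("NameIdentifier")
    if nid is None:
        raise ValueError("Subject carries no NameIdentifier element")
    return nid.get("NameQualifier")

def sp_check(subject_xml, require_subject_namespace, allowed_name_qualifiers,
             allow_no_name_qualifier):
    """Model (an assumption, not FIM's code) of the SAML11 SP-side precedence.

    Returns (accepted, reason). The Association level check runs first and
    wins; the plugin level list check runs only if the assertion gets past it.
    """
    nq = name_qualifier(subject_xml)
    # Association level: "Require Subject Namespace" stops processing outright.
    if require_subject_namespace and nq is None:
        return False, "association: Subject Namespace not received but required"
    # Plugin level: "Allow No Name Qualifier" skips the list check entirely,
    # so a missing or unmatched qualifier is accepted.
    if allow_no_name_qualifier:
        return True, "plugin: Allow No Name Qualifier set, list check skipped"
    if nq is None:
        return False, "plugin: NameQualifier missing and Allow No Name Qualifier not set"
    if nq not in allowed_name_qualifiers:
        return False, "plugin: NameQualifier %r not in Allowed Name Qualifier list" % nq
    return True, "plugin: NameQualifier %r matched Allowed Name Qualifier list" % nq

if __name__ == "__main__":
    # The article's failure case: no NameQualifier, Association requires it,
    # and plugin "Allow No Name Qualifier" makes no difference.
    print(sp_check(SUBJECT_NO_NQ, True, ["nara"], True))
    # The Resolution: drop the Association requirement and allow none at plugin level.
    print(sp_check(SUBJECT_NO_NQ, False, ["nara"], True))
```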

Legacy Article ID: a62136
