*SiteMinder r12.52 SP1 CR05 - RHEL 6
*Policy store = CA Directory
*User Store = CA Directory
Hi Folks,
I have a case open with CA Support but hoping to get additional help from folks here at the Community for faster resolution. We are working with a new SAML IDP partner and unfortunately this partner appeared to be inexperienced with SAML so we are working through various issues with them in their attempt to authenticate to us via SAML 2.0.
The "smtracedefault.log" file had helped me figured out several issues thus far with this particular IDP up until this current error below:
[09/06/2016][15:47:20][4013063024][1b2fdeeb-7c198833-3fd51d73-52351897-9a5e5d62-f3b][Saml2Validator.java][checkAssertion][][][][][SubjectConfirmation NotOnOrAfter (before skew) = Tue Sep 06 15:57:19 MDT 2016] [09/06/2016][15:47:20][4013063024][1b2fdeeb-7c198833-3fd51d73-52351897-9a5e5d62-f3b][Saml2Validator.java][checkAssertion][][][][][SubjectConfirmation NotOnOrAfter (after skew) = Tue Sep 06 15:57:49 MDT 2016] [09/06/2016][15:47:20][4013063024][1b2fdeeb-7c198833-3fd51d73-52351897-9a5e5d62-f3b][Saml2Validator.java][checkAssertion][][][][][SubjectConfirmation rejected - SubjectConfirmation@NotBefore found - not allowed to be there] [09/06/2016][15:47:20][4013063024][1b2fdeeb-7c198833-3fd51d73-52351897-9a5e5d62-f3b][Saml2Validator.java][checkAssertion][][][][][Assertion rejected (_cea9e581-2307-4982-b4a2-8e2ecf841526) - No Valid SubjectConfirmation with bearer Method found]
I am suspecting that our SiteMinder is complaining about the "subjectconfirmation" statement because it contained the value of "NotBefore":
- - > <saml:SubjectConfirmationData Recipient="https://fedsvc-staging.regence.com/affwebservices/public/saml2assertionconsumer" NotOnOrAfter="2016-09-06T21:57:19.407Z" NotBefore="2016-09-06T21:37:19.407Z"/>
But CA Support thinks that this SAML response is missing or does not have a valid "Destination" value:
CA Support response - - > " That last log line that shows No Valid SubjectConfirmation with bearer Method found means that the destination attribute is not present in the incoming SAML response assertion as per this wiki guide: <https://cawiki.ca.com/pages/viewpage.action?pageId=51413542>
Additionally, a number of past cases I found show that the IDP needed to modify this attribute on their side in order for the assertion to pass successfully."