Layer7 API Management

  • 1.  Processing a SAML AuthnRequest problem

    Posted Apr 20, 2017 12:14 PM

    Hi

     

    I am looking at a use-case that requires us to act as an IDP. The Process SAML Authentication Request assertion seemed just the right thing to use. It is being used in a Redirect binding but it throws a 'policy falsified' due to a missing AssertionConsumerServiceURL. Given that this is an optional attribute in SAML it is an over-zealous check and in any case it doesn't seem to be applied to any of the other elements or attributes when processing the AuthnRequest. Two thoughts occur to me:

    - maybe there is some option or context variable that relaxes this check, or

    - this assertion was only envisaged in strict use-cases so shouldn't be used like this

    In either case the documentation isn't assisting me. Has anyone suffered the same issue?

     

    One option to work around is to process the AuthnRequest separately by extracting the SAMLRequest parameter, URL-decoding, base-64-decoding then deflating, but it seems that the encode/decode assertion doesn't do inflate/deflate (I guess it is expecting GZIP preambles). While searching around here I saw mention of a tactical gzip assertion. Does that do INFLATE and DEFLATE and if so where do I get it from?

     

    Cheers

    - Steve



  • 2.  Re: Processing a SAML AuthnRequest problem
    Best Answer

    Posted Apr 21, 2017 06:30 AM

    Hello Steve

     

    Thank you for your enquiry. I have reviewed the open engineering tickets and can see a few customers have reported that AssertionConsumerServiceURL is mandatory, despite the SAML specs stating this is optional. At the moment there is no option to relax this check. For your reference the engineering ticket number is DE220639, however this has not yet been targeted for a release. I have raised an idea (Process SAML Authentication Request assertion fails without optional AssertionConsumerServiceURL attribute) to cover this existing case to allow all customers to comment and vote for the feature.

     

    The tactical GZIP assertion does inflate/deflate. If you wish to obtain this, please raise a support case and I or one of my colleagues can provide it for you.

     

    Regards

    Christopher Clark

    CA Support
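
The manual decoding discussed in both posts (URL-decode, base64-decode, then inflate the SAMLRequest), as an added Python example that is not part of the thread and not Layer7 code. The Redirect binding uses raw DEFLATE with no gzip or zlib header, which is why a gzip-only decoder rejects it. The SP registry, the `example.test` URLs, the size cap and the function names are assumptions made for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
MAX_XML_BYTES = 64 * 1024  # assumed cap on inflated size (guards against deflate bombs)
# Hypothetical SP registry (constructed): Issuer -> registered ACS URLs, default first.
REGISTERED_ACS = {"https://sp.example.test/metadata": ["https://sp.example.test/acs"]}
# Constructed AuthnRequest that omits the optional AssertionConsumerServiceURL.
SAMPLE_XML = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
    b'Version="2.0" IssueInstant="2017-04-20T12:14:00Z">'
    b'<saml:Issuer>https://sp.example.test/metadata</saml:Issuer></samlp:AuthnRequest>')

def encode_redirect(xml_bytes):
    """SP side of the Redirect binding: raw DEFLATE, base64, URL-encode."""
    deflater = zlib.compressobj(wbits=-15)
    raw = deflater.compress(xml_bytes) + deflater.flush()
    return "SAMLRequest=" + quote(base64.b64encode(raw), safe="")

def decode_redirect(query_string):
    """IdP side: URL-decode, base64-decode, inflate, parse."""
    params = parse_qs(query_string, strict_parsing=True)  # URL-decodes the values
    compressed = base64.b64decode(params["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(wbits=-15)  # -15 = raw DEFLATE, no gzip/zlib header
    xml_bytes = inflater.decompress(compressed, MAX_XML_BYTES)
    if not inflater.eof:
        raise ValueError("SAMLRequest is truncated or inflates past the size cap")
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DTD not allowed in a SAML message")
    root = ET.fromstring(xml_bytes)
    if root.tag != SAMLP + "AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root

def resolve_acs_url(root):
    """Pick the response destination; the attribute is optional, so fall back to the registry."""
    allowed = REGISTERED_ACS.get(root.findtext(SAML + "Issuer", default="").strip())
    if not allowed:
        raise ValueError("unknown Issuer")
    requested = root.get("AssertionConsumerServiceURL")
    if requested is None:
        return allowed[0]  # attribute omitted: use the registered default
    if requested not in allowed:
        raise ValueError("ACS URL is not registered for this Issuer")
    return requested

if __name__ == "__main__":
    print(resolve_acs_url(decode_redirect(encode_redirect(SAMPLE_XML))))
```

When the attribute is present, it is checked against the registered endpoints rather than trusted, since an unsigned Redirect-binding request is otherwise caller-controlled.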