Hi all,

I'm in the process of upgrading from 3.1 to 3.2.2 (actually, building
out a parallel environment and manually migrating things). Everything
has been great so far, until I started working on my SAML2 configs. We
make pretty heavy use of the SAML2 stuff in 3.1. For example, we have
remote third-party IdPs, and use NAM as sort of an IdP proxy to
authenticate those remote IdPs, and then send assertions to other remote
third-party SPs based on that authentication. This works great on 3.1.
I can even accept transient authentication from a remote IdP, and then
turn around and generate an assertion to send to another remote SP for
that authentication using the inter-site transfer service:

So I basically duplicated this setup on 3.2, with identical settings
from 3.1 for one remote IdP and SP, and it's not working. After
authenticating the remote IdP, NAM is telling me I do not have an
authenticated session, so I can't send an assertion to the SP. However,
I clearly have an authenticated session from the third-party IdP. NAM's
user portal even says so ("Your session has been authenticated
and...blah blah")! The only way I can seem to get NAM to send an
assertion to a third-party SP is if I authenticate using a local
contract, either first, or using the new step-up feature. I even
configured the NAM consumer for third-party IdP to auto-provision
accounts in a local eDir tree, and NAM still throws the same error when
trying to send assertions out.

Could this be a bug in 3.2, since it worked just fine in 3.1? It's a
pretty serious showstopper for me upgrading to 3.2 at this time, though
I desperately need to.

Any other ideas/workarounds I can try?

This seems to be a relevant error I'm seeing in the debug log, with some
preceding info:
<amLogEntry seq="27246" d="2013-10-10T13:59:31Z" lg="Application"
lv="VERBOSE" th="2937" ><msg>Session has consumed authentications:
<amLogEntry seq="27247" d="2013-10-10T13:59:31Z" lg="Application"
lv="VERBOSE" th="2937" ><msg>Session consumed authentications is 1 and
is considered authenticated: true</msg></amLogEntry>
<amLogEntry seq="27248" d="2013-10-10T13:59:31Z" lg="Application"
lv="DEBUG" th="2937" ><msg>Method: SAML2SSOProfile.sendResponse Thread:
Could not create NIDPAuthnContext from SPAuthCard&apos;s satisfiable
contract list.
Will try to send an unsolicited context.</msg></amLogEntry>
<amLogEntry seq="27249" d="2013-10-10T13:59:31Z" lg="Application"
lv="DEBUG" th="2937" ><msg>Method: CacheMap.A
Thread: http-bio-
Retrieval of object com.novell.nidp.servlets.NIDPServletSession@24133e50
from cache session succeeded using key E5AF3ED7C5C5752B9A613D798268C82B.
Cache size is 7</msg></amLogEntry>
<amLogEntry seq="27250" d="2013-10-10T13:59:31Z" lg="Application"
lv="DEBUG" th="2937" ><msg>Method: CacheMap.A
Thread: http-bio-
Retrieval of object com.novell.nidp.NIDPSubject@5204a4c from cache
subject succeeded using key 9. Cache size is 1</msg></amLogEntry>
<amLogEntry seq="27251" d="2013-10-10T13:59:31Z" lg="Application"
lv="INFO" th="2937" ids="AM#500105039: AMDEVICEID#3117C7A668906606:
E5AF3ED7C5C5752B9A613D798268C82B: " ><msg>Error on session id
E5AF3ED7C5C5752B9A613D798268C82B, error An authenticated session is
required -3117C7A668906606, The request to provide authentication to a
service provider has failed. An authenticated session is r


adamdn01's Profile: https://forums.netiq.com/member.php?userid=2226
View this thread: https://forums.netiq.com/showthread.php?t=48921
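The sequence in the quoted log (session reported as "considered authenticated: true", then "Could not create NIDPAuthnContext from SPAuthCard's satisfiable contract list", then "An authenticated session is required" on the same thread) is a recognisable pattern when triaging an IdP-proxy setup like the one described. The following is an added example, not code from the poster or from NetIQ: it parses amLogEntry records of the shape shown above and flags threads where that pattern occurs, so a log from the new 3.2 environment can be scanned for it quickly. It assumes the entries use the attribute names seen in the post (seq, d, lv, th) and that any line wrapping inside an entry has already been joined; the sample log, session ID and device ID below are constructed placeholders, not values from a live system.

```python
import html
import re
from dataclasses import dataclass

# Constructed sample modelled on the entries quoted in the post; the session
# and device identifiers are placeholders, not real values.
SAMPLE_LOG = """\
<amLogEntry seq="27247" d="2013-10-10T13:59:31Z" lg="Application" lv="VERBOSE" th="2937" ><msg>Session consumed authentications is 1 and is considered authenticated: true</msg></amLogEntry>
<amLogEntry seq="27248" d="2013-10-10T13:59:31Z" lg="Application" lv="DEBUG" th="2937" ><msg>Method: SAML2SSOProfile.sendResponse Thread: Could not create NIDPAuthnContext from SPAuthCard&apos;s satisfiable contract list.
Will try to send an unsolicited context.</msg></amLogEntry>
<amLogEntry seq="27251" d="2013-10-10T13:59:31Z" lg="Application" lv="INFO" th="2937" ids="AM#500105039: AMDEVICEID#DEVICE-PLACEHOLDER: SESS-PLACEHOLDER-1: " ><msg>Error on session id SESS-PLACEHOLDER-1, error An authenticated session is required -DEVICE-PLACEHOLDER, The request to provide authentication to a service provider has failed.</msg></amLogEntry>
"""

# One amLogEntry element: attribute string, then the <msg> body (may span lines).
ENTRY_RE = re.compile(
    r'<amLogEntry\s+(?P<attrs>[^>]*?)\s*>\s*<msg>(?P<msg>.*?)</msg>\s*</amLogEntry>',
    re.DOTALL,
)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
SESSION_RE = re.compile(r'Error on session id (\S+?),')


@dataclass
class Entry:
    seq: int
    time: str
    level: str
    thread: str
    msg: str


def parse_entries(text):
    """Extract amLogEntry records, unescape the message and order by seq."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        attrs = dict(ATTR_RE.findall(m.group("attrs")))
        entries.append(Entry(
            seq=int(attrs.get("seq", "0")),
            time=attrs.get("d", ""),
            level=attrs.get("lv", ""),
            thread=attrs.get("th", ""),
            # Collapse internal line breaks so substring checks are reliable.
            msg=" ".join(html.unescape(m.group("msg")).split()),
        ))
    entries.sort(key=lambda e: e.seq)
    return entries


def find_contract_mapping_failures(text):
    """Flag, per thread, an 'authenticated session is required' error and
    record whether the same thread had just reported the session as
    authenticated and whether the SP contract mapping failed before it."""
    findings = []
    state = {}  # thread id -> what has been seen on that thread so far
    for e in parse_entries(text):
        st = state.setdefault(e.thread, {"authenticated": False, "mapping_failed": False})
        if "considered authenticated: true" in e.msg:
            st["authenticated"] = True
        elif "Could not create NIDPAuthnContext" in e.msg:
            st["mapping_failed"] = True
        elif "An authenticated session is required" in e.msg:
            sm = SESSION_RE.search(e.msg)
            findings.append({
                "thread": e.thread,
                "seq": e.seq,
                "time": e.time,
                "session_id": sm.group(1) if sm else None,
                "session_was_authenticated": st["authenticated"],
                "contract_mapping_failed": st["mapping_failed"],
            })
            # Reset so a later request on the same thread is judged on its own.
            state[e.thread] = {"authenticated": False, "mapping_failed": False}
    return findings


if __name__ == "__main__":
    for f in find_contract_mapping_failures(SAMPLE_LOG):
        print(f)
```

A finding with both session_was_authenticated and contract_mapping_failed set to True is the situation the post describes: the session is valid as far as the consumed remote authentication goes, but none of the contracts the SP's auth card accepts could be built from it, which is why the outbound assertion is refused. Feeding the full debug log through this rather than reading it by hand makes it easy to see whether the failure is tied to a particular SP or contract configuration.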