First off, I am running NetIQ Access Manager 4.0.0.110 on Windows 2008
R2.

I have a new SAML 2 Service Provider to set up and configure,
Syncplicity. I have successfully set up the SP and SSO works with the
browser and desktop clients, but not with the mobile client.

According to what I can determine, the mobile client is attempting to
use TLSClient Authentication. Below is the SAML AuthRequest sent by the
mobile client to my IDP server.

<samlp:AuthnRequest ID="_11a14b75-c295-48c7-99db-2dacf4bd5293"
    Version="2.0"
    IssueInstant="2014-07-01T13:33:24.085Z"
    Destination="https://idpq.xxx.com/nidp/saml2/sso"
    ForceAuthn="false"
    IsPassive="false"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://xxx.syncplicity.com/Auth/AssertionConsumerService.aspx"
    ProviderName="https://xxx.syncplicity.com/sp"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://xxx.syncplicity.com/sp</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="maximum">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

After which the mobile client returns to the login page, with the
message "Could not verify your identity, please try again".

According to Syncplicity, they have not configured their system with
NetIQ before; they support ADFS SAML, which supports TLSClient as a SAML
Authentication Context Class.
I am not sure if NetIQ does.

Any suggestions on where to go from here would be greatly appreciated.

Thanks,

Paul.


--
pdumbleton
------------------------------------------------------------------------
pdumbleton's Profile: https://forums.netiq.com/member.php?userid=6463
View this thread: https://forums.netiq.com/showthread.php?t=51226
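Added worked example (not part of the original post, and not NetIQ or Syncplicity code): the script below parses an AuthnRequest shaped like the one in the post and applies the RequestedAuthnContext Comparison rules from SAML 2.0 Core section 3.3.2.2.1 (exact, minimum, better, maximum) against the set of authentication context classes an IdP can offer. SAML leaves the relative strength of context classes to the responder, so the STRENGTH_ORDER list, the example hostnames and the IdP's available classes are all assumptions made for illustration. It shows why a Comparison="maximum" request for TLSClient can be satisfied by a weaker context under one ranking and by nothing at all under another, which is the first thing to check when an SP's mobile client is rejected while its browser flow works.

```python
"""Parse a SAML 2.0 AuthnRequest and evaluate its RequestedAuthnContext.

Added example, not code from the forum post or from NetIQ/Syncplicity.
The strength ordering below is an assumption; SAML leaves it to the IdP.
"""
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Assumed ranking of context classes, weakest first (illustrative only).
STRENGTH_ORDER = [
    AC + "unspecified",
    AC + "Password",
    AC + "PasswordProtectedTransport",
    AC + "TLSClient",
    AC + "X509",
    AC + "SmartcardPKI",
]

# Constructed request mirroring the structure of the one in the post,
# with placeholder hostnames and identifiers.
SAMPLE_REQUEST = f"""
<samlp:AuthnRequest ID="_example-request-id" Version="2.0"
    IssueInstant="2014-07-01T13:33:24.085Z"
    Destination="https://idp.example.com/nidp/saml2/sso"
    ForceAuthn="false" IsPassive="false"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://sp.example.com/Auth/AssertionConsumerService.aspx"
    ProviderName="https://sp.example.com/sp"
    xmlns:samlp="{SAMLP}">
  <saml:Issuer xmlns:saml="{SAML}">https://sp.example.com/sp</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="maximum">
    <saml:AuthnContextClassRef xmlns:saml="{SAML}">{AC}TLSClient</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
"""


def parse_authn_request(xml_text):
    """Extract the fields an IdP needs to decide how to authenticate."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    issuer = (root.findtext(f"{{{SAML}}}Issuer") or "").strip()
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    comparison, classes = "exact", []  # spec default when Comparison is absent
    if rac is not None:
        comparison = rac.get("Comparison", "exact")
        classes = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")
                   if e.text]
    return {
        "id": root.get("ID"),
        "issuer": issuer,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "comparison": comparison,
        "classes": classes,
    }


def strength(cls):
    """Rank of a class in the assumed ordering; -1 if the IdP does not know it."""
    return STRENGTH_ORDER.index(cls) if cls in STRENGTH_ORDER else -1


def select_context(requested, comparison, available):
    """Pick the context the IdP should use, or None if the request cannot be met.

    Rules follow SAML 2.0 Core 3.3.2.2.1:
      exact   - result must be one of the requested classes
      minimum - result at least as strong as one requested class (>= weakest)
      better  - result stronger than every requested class (> strongest)
      maximum - as strong as possible without exceeding at least one requested
                class (<= strongest requested)
    Among the candidates this example chooses the strongest available one.
    """
    req = [strength(c) for c in requested if strength(c) >= 0]
    avail = [c for c in available if strength(c) >= 0]
    if not req or not avail:
        return None
    if comparison == "exact":
        cands = [c for c in avail if c in requested]
    elif comparison == "minimum":
        cands = [c for c in avail if strength(c) >= min(req)]
    elif comparison == "better":
        cands = [c for c in avail if strength(c) > max(req)]
    elif comparison == "maximum":
        cands = [c for c in avail if strength(c) <= max(req)]
    else:
        raise ValueError(f"unknown Comparison value: {comparison}")
    return max(cands, key=strength) if cands else None


def evaluate(xml_text, available):
    """End-to-end: parse the request and decide which context satisfies it."""
    req = parse_authn_request(xml_text)
    return select_context(req["classes"], req["comparison"], available)


if __name__ == "__main__":
    print(parse_authn_request(SAMPLE_REQUEST))
    print("password-only IdP ->", evaluate(SAMPLE_REQUEST, [AC + "Password"]))
    print("X509-only IdP     ->", evaluate(SAMPLE_REQUEST, [AC + "X509"]))
```

Under the assumed ordering, an IdP offering only Password satisfies a Comparison="maximum" request for TLSClient (Password does not exceed TLSClient), while an IdP offering only X509 cannot; swapping Comparison to "exact" rejects both. Logging the parsed comparison and class refs alongside the IdP's configured contract ranking is the quickest way to see which of these cases a rejected mobile login falls into.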