Hello All,

I have configured a SAML 2.0 connection between ADFS and NetIQ AM,
ADFS being the SP and NetIQ the IdP.

I have a few SAML applications added on the ADFS side which require a
specific authentication context.
I run into an error when accessing such applications with NetIQ as IdP.

The error is
INVALID STATUS CODE IN RESPONSE.
SAML RESPONSE STATUS:
URN:OASIS:NAMES:TC:SAML:2.0:STATUS:NOAUTHNCONTEXT

I also added the SAML authentication requests and response from the following:

1.APPLICATION TO ADFS

> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>   ID="s20c080509fe6cbc4b981c7915f284ab8ee28759da"
>   Version="2.0"
>   IssueInstant="2015-11-04T15:18:43Z"
>   Destination="https://cs-auto11-01-ax01.cloud.com:9643/adfs/ls/"
>   ForceAuthn="false"
>   IsPassive="false"
>   ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>   AssertionConsumerServiceURL="http://cs-auto11-01-ax01.cloud.com/ConsumeSAMLToken">
>   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://cs-auto11-01-ax01.cloud.com/account/login</saml:Issuer>
>   <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>     Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
>     SPNameQualifier="http://cs-auto11-01-ax01.cloud.com/account/login"
>     AllowCreate="true" />
>   <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>     Comparison="exact">
>     <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
>   </samlp:RequestedAuthnContext>
> </samlp:AuthnRequest>


2.ADFS TO NETIQ

> <samlp:AuthnRequest ID="id-3f558fcc-82fa-4539-b81d-0bfe235f73b9"
>   Version="2.0"
>   IssueInstant="2015-11-04T15:18:43.000Z"
>   Destination="https://susedev01.nam.com/nidp/saml2/sso"
>   Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
>   xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
>   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://cs-auto11-01-ax01.cloud.com/adfs/services/trust</Issuer>
>   <samlp:NameIDPolicy
>     Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
>     AllowCreate="true" />
>   <samlp:RequestedAuthnContext>
>     <samlp:AuthnContextClassRef xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</samlp:AuthnContextClassRef>
>   </samlp:RequestedAuthnContext>
> </samlp:AuthnRequest>


3. SAML RESPONSE FROM NETIQ TO ADFS

> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>   xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>   Destination="https://cs-auto11-01-ax01.cloud.com:9643/adfs/ls/"
>   ID="idXIvEye9hCkBnmLo21jPb0MTRvJQ"
>   InResponseTo="id-3f558fcc-82fa-4539-b81d-0bfe235f73b9"
>   IssueInstant="2015-11-04T15:18:42Z"
>   Version="2.0">
>   <saml:Issuer>https://susedev01.nam.com/nidp/saml2/metadata</saml:Issuer>
>   <samlp:Status>
>     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
>   </samlp:Status>
>   <saml:Assertion ID="id8p9OkN5zi3vQKpCAWEqrmBnRT1U"
>     IssueInstant="2015-11-04T15:18:42Z"
>     Version="2.0">
>     <saml:Issuer>https://susedev01.nam.com/nidp/saml2/metadata</saml:Issuer>
>     <saml:Subject>
>       <saml:NameID
>         Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
>         NameQualifier="https://susedev01.nam.com/nidp/saml2/metadata"
>         SPNameQualifier="http://cs-auto11-01-ax01.cloud.com/adfs/services/trust">o/0GfdOmhrRNSTxtFUE0bhtLP2wZTj9hJmJ29A==</saml:NameID>
>       <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>         <saml:SubjectConfirmationData
>           InResponseTo="id-3f558fcc-82fa-4539-b81d-0bfe235f73b9"
>           NotOnOrAfter="2015-11-04T16:18:42Z"
>           Recipient="https://cs-auto11-01-ax01.cloud.com:9643/adfs/ls/" />
>       </saml:SubjectConfirmation>
>     </saml:Subject>
>     <saml:Conditions NotBefore="2015-11-04T15:13:42Z"
>       NotOnOrAfter="2015-11-04T15:23:42Z">
>       <saml:AudienceRestriction>
>         <saml:Audience>http://cs-auto11-01-ax01.cloud.com/adfs/services/trust</saml:Audience>
>       </saml:AudienceRestriction>
>     </saml:Conditions>
>     <saml:AuthnStatement AuthnInstant="2015-11-04T15:16:22Z"
>       SessionIndex="idzCUIFYdsKKaWV3w0mk9EXaBlowM">
>       <saml:AuthnContext>
>         <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
>         <saml:AuthnContextDeclRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextDeclRef>
>       </saml:AuthnContext>
>     </saml:AuthnStatement>
>     <saml:AttributeStatement>
>       <saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
>         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
>         <saml:AttributeValue xsi:type="xs:string">test1@mydomain.com</saml:AttributeValue>
>       </saml:Attribute>
>     </saml:AttributeStatement>
>   </saml:Assertion>
> </samlp:Response>



Forgot to mention, I created an Authentication Contract in NAM and set
it as default, with the URI
urn:oasis:names:tc:SAML:2.0:ac:classes:Password and the name
"password form method".

Please help me fix the issue.

Kbasa


--
kbasa6
------------------------------------------------------------------------
kbasa6's Profile: https://forums.netiq.com/member.php?userid=10667
View this thread: https://forums.netiq.com/showthread.php?t=54595
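The check an SP performs on the messages above, as an added example that is not part of the forum post and not ADFS or NetIQ code: it parses the RequestedAuthnContext from the AuthnRequest and the AuthnContext from the IdP's Response, applies the Comparison rule (SAML Core defaults it to "exact" when the attribute is absent, as in the ADFS request), and reports whether the assertion would be accepted. The embedded messages are constructed, trimmed copies of the ones quoted in the post; the STRENGTH ranking used for minimum/better/maximum comparisons is an assumption, since SAML leaves that ordering to the deployment.

```python
"""Evaluate whether a SAML assertion's AuthnContext satisfies an AuthnRequest.

Added example, not code from the post or from ADFS/NetIQ. Uses only the
standard library so it runs offline.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Assumed relative strength of authentication context classes. This is an
# example ranking for the minimum/better/maximum comparisons; real
# deployments define their own.
STRENGTH = {
    AC + "Password": 1,
    AC + "PasswordProtectedTransport": 2,
    AC + "TLSClient": 3,
    AC + "X509": 3,
    AC + "Smartcard": 4,
}

# Constructed sample: trimmed copy of the ADFS -> NetIQ request from the post.
# Note the child element rebinding the samlp prefix to the assertion namespace;
# a namespace-aware parser resolves it correctly.
ADFS_REQUEST = """<samlp:AuthnRequest ID="id-3f558fcc-82fa-4539-b81d-0bfe235f73b9"
    Version="2.0" IssueInstant="2015-11-04T15:18:43.000Z"
    Destination="https://susedev01.nam.com/nidp/saml2/sso"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://cs-auto11-01-ax01.cloud.com/adfs/services/trust</Issuer>
  <samlp:RequestedAuthnContext>
    <samlp:AuthnContextClassRef xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</samlp:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Constructed sample: trimmed copy of the NetIQ -> ADFS response from the post.
NETIQ_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="idXIvEye9hCkBnmLo21jPb0MTRvJQ" Version="2.0"
    InResponseTo="id-3f558fcc-82fa-4539-b81d-0bfe235f73b9"
    IssueInstant="2015-11-04T15:18:42Z">
  <saml:Issuer>https://susedev01.nam.com/nidp/saml2/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="id8p9OkN5zi3vQKpCAWEqrmBnRT1U" Version="2.0"
      IssueInstant="2015-11-04T15:18:42Z">
    <saml:Issuer>https://susedev01.nam.com/nidp/saml2/metadata</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2015-11-04T15:16:22Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def requested_context(request_xml):
    """Return (comparison, [class refs]) from the AuthnRequest."""
    root = ET.fromstring(request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return "exact", []  # no requirement stated: any context is acceptable
    comparison = rac.get("Comparison", "exact")  # SAML Core default
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS)]
    return comparison, refs


def asserted_context(response_xml):
    """Return (top-level status code, asserted class ref or None)."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    ref = root.find("saml:Assertion/saml:AuthnStatement/saml:AuthnContext/"
                    "saml:AuthnContextClassRef", NS)
    return status, (ref.text.strip() if ref is not None else None)


def context_satisfies(comparison, requested, asserted):
    """Apply the SAML Comparison rule; unknown classes cannot be ranked and fail."""
    if not requested:
        return True
    if asserted is None:
        return False
    if comparison == "exact":
        return asserted in requested
    if asserted not in STRENGTH or any(r not in STRENGTH for r in requested):
        return False
    got = STRENGTH[asserted]
    ranks = [STRENGTH[r] for r in requested]
    if comparison == "minimum":   # at least as strong as one requested class
        return got >= min(ranks)
    if comparison == "better":    # stronger than every requested class
        return got > max(ranks)
    if comparison == "maximum":   # as strong as possible, not above the strongest
        return got <= max(ranks)
    return False


def evaluate(request_xml, response_xml):
    """Decide, as the SP would, whether the response is acceptable and why."""
    comparison, requested = requested_context(request_xml)
    status, asserted = asserted_context(response_xml)
    result = {"comparison": comparison, "requested": requested,
              "asserted": asserted, "accepted": False, "reason": ""}
    if not status.endswith(":Success"):
        result["reason"] = "IdP returned status " + status
    elif not context_satisfies(comparison, requested, asserted):
        result["reason"] = ("NoAuthnContext: asserted %s does not satisfy "
                            "Comparison=%s of %s" % (asserted, comparison, requested))
    else:
        result["accepted"] = True
        result["reason"] = "ok"
    return result


if __name__ == "__main__":
    for k, v in evaluate(ADFS_REQUEST, NETIQ_RESPONSE).items():
        print("%-10s %s" % (k, v))
```

Run against the post's own messages, the function reports that the IdP asserted the Password class while the SP required PasswordProtectedTransport with an exact comparison, which is precisely the condition under which an SP answers with the NoAuthnContext status quoted in the post. Changing the NetIQ contract's URI, or the requested class on the ADFS side, so that the two agree is what makes the check pass.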