SAML Assertion based user authentication failed

Document ID : KB000115922
Last Modified Date : 26/09/2018
Issue:
CA Siteminder is the SP in a federation setup; the IdP is not CA Siteminder.
When the SAML assertion is received by CA Siteminder, the user gets the error "SAML Assertion based user authentication failed" while the assertion is being consumed.

FWStrace.log
[09/10/2018][07:55:51][14195][757815040][8ff98cba-04a46a86-5e0a2b50-65f83888-9547284f-7][FWSBase.java][authenticateUser][result code from AgentAPI login call: 2] 
[09/10/2018][07:55:51][14195][757815040][8ff98cba-04a46a86-5e0a2b50-65f83888-9547284f-7][FWSBase.java][authenticateUser][Login failure [CHECKPOINT = SSO_LOGINFAILURE_RSP]] 
[09/10/2018][07:55:51][14195][757815040][8ff98cba-04a46a86-5e0a2b50-65f83888-9547284f-7][FWSBase.java][processFailedAuthentication][SAML Assertion based user authentication failed.] 


 
Environment:
OS: ALL
Policy Server: 12.7, 12.6, 12.52
Cause:

After further investigation, the failure is due to the inclusion of a NotBefore attribute inside <saml2:SubjectConfirmationData>.
Failed assertion content sample: 
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData NotBefore="2018-09-03T01:14:16.121Z" NotOnOrAfter="2018-09-16T22:34:16.121Z" Recipient="https://www.sp.com/public/saml2assertionconsumer"/></saml2:SubjectConfirmation> 

By design, Siteminder does not accept a NotBefore attribute on the <SubjectConfirmationData> element of a bearer confirmation and fails the assertion when one is present.

See the OASIS SAML 2.0 Profiles document (Web Browser SSO Profile): http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
On page 19 it states the following:
------------
The bearer <SubjectConfirmation> element described above MUST contain a <SubjectConfirmationData> element that contains a Recipient attribute containing the service provider's assertion consumer service URL and a NotOnOrAfter attribute that limits the window during which the assertion can be delivered. It MAY contain an Address attribute limiting the client address from which the assertion can be delivered. It MUST NOT contain a NotBefore attribute. If the containing message is in response to an <AuthnRequest>, then the InResponseTo attribute MUST match the request's ID.
------------

So a NotBefore attribute is not allowed on <SubjectConfirmationData> for a bearer confirmation. Siteminder enforces this rule, and the rejection surfaces as the login failure recorded in FWStrace.log above.

Resolution:
The IdP partner, which issues the assertion, needs to change the SAML response it generates so that it adheres to the standard: remove the NotBefore attribute from the <saml2:SubjectConfirmationData> element while keeping NotOnOrAfter (and Recipient). If the IdP wants to express an earliest-validity bound, that belongs on the assertion-level <saml2:Conditions> element, where the SAML 2.0 core schema permits NotBefore.
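To make the check concrete, the following added Python example (not Siteminder's code, and not from this document) validates a bearer <SubjectConfirmationData> against the profile rules quoted in the Cause section and runs it over the failed sample from this article and over the corrected form described in the Resolution. The surrounding <saml2:Assertion> wrapper, the issuer name, and the clock value are constructed for the example; the ACS URL and timestamps are the ones from the failed sample above.

```python
"""Validate a SAML 2.0 bearer <SubjectConfirmation> against the Web Browser SSO
profile rules: Recipient and NotOnOrAfter are required, NotBefore is forbidden,
Address is optional, and InResponseTo must match the AuthnRequest ID when the
response was solicited. Added example; not Siteminder's own implementation."""

import datetime as dt
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NS = {"saml2": SAML2}

# Values taken from the failed sample in the article; the clock matches the
# FWStrace.log timestamp so the NotOnOrAfter window is still open.
ACS_URL = "https://www.sp.com/public/saml2assertionconsumer"
NOW = dt.datetime(2018, 9, 10, 7, 55, 51, tzinfo=dt.timezone.utc)


def parse_saml_time(value):
    """Parse an xs:dateTime in UTC ('Z' suffix), with or without fractional seconds."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamps must be UTC with a 'Z' suffix")
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return dt.datetime.strptime(body, fmt).replace(tzinfo=dt.timezone.utc)


def check_bearer_subject_confirmation(assertion_xml, expected_recipient, now,
                                      expected_in_response_to=None):
    """Return a list of profile violations; an empty list means the bearer
    confirmation is acceptable. Only the bearer-confirmation rules are checked
    here; signature and Conditions validation are out of scope."""
    root = ET.fromstring(assertion_xml)
    problems = []
    bearers = [sc for sc in root.findall(".//saml2:SubjectConfirmation", NS)
               if sc.get("Method") == BEARER]
    if not bearers:
        return ["no bearer <SubjectConfirmation> present"]
    for sc in bearers:
        data = sc.find("saml2:SubjectConfirmationData", NS)
        if data is None:
            problems.append("bearer SubjectConfirmation lacks <SubjectConfirmationData>")
            continue
        # MUST NOT contain NotBefore: the attribute that made Siteminder reject the login.
        if data.get("NotBefore") is not None:
            problems.append("SubjectConfirmationData MUST NOT carry NotBefore")
        recipient = data.get("Recipient")
        if recipient is None:
            problems.append("Recipient attribute is required")
        elif recipient != expected_recipient:
            problems.append(f"Recipient {recipient!r} is not this SP's ACS URL")
        not_on_or_after = data.get("NotOnOrAfter")
        if not_on_or_after is None:
            problems.append("NotOnOrAfter attribute is required")
        elif now >= parse_saml_time(not_on_or_after):
            problems.append("assertion delivery window has expired")
        if (expected_in_response_to is not None
                and data.get("InResponseTo") != expected_in_response_to):
            problems.append("InResponseTo does not match the AuthnRequest ID")
    return problems


def wrap_in_assertion(subject_confirmation):
    """Constructed minimal <saml2:Assertion> around a SubjectConfirmation fragment."""
    return (f'<saml2:Assertion xmlns:saml2="{SAML2}" ID="_example" Version="2.0" '
            'IssueInstant="2018-09-10T07:55:00Z">'
            '<saml2:Issuer>https://idp.example.com</saml2:Issuer>'
            '<saml2:Subject><saml2:NameID>user@example.com</saml2:NameID>'
            f'{subject_confirmation}</saml2:Subject></saml2:Assertion>')


# The fragment that failed, exactly as shown in the article.
FAILED_SAMPLE = wrap_in_assertion(
    '<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<saml2:SubjectConfirmationData NotBefore="2018-09-03T01:14:16.121Z" '
    'NotOnOrAfter="2018-09-16T22:34:16.121Z" '
    'Recipient="https://www.sp.com/public/saml2assertionconsumer"/>'
    '</saml2:SubjectConfirmation>')

# The same fragment with NotBefore removed, as the Resolution requires.
CORRECTED_SAMPLE = wrap_in_assertion(
    '<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<saml2:SubjectConfirmationData '
    'NotOnOrAfter="2018-09-16T22:34:16.121Z" '
    'Recipient="https://www.sp.com/public/saml2assertionconsumer"/>'
    '</saml2:SubjectConfirmation>')


def check_failed_sample():
    return check_bearer_subject_confirmation(FAILED_SAMPLE, ACS_URL, NOW)


def check_corrected_sample():
    return check_bearer_subject_confirmation(CORRECTED_SAMPLE, ACS_URL, NOW)


if __name__ == "__main__":
    print("failed sample:   ", check_failed_sample() or "OK")
    print("corrected sample:", check_corrected_sample() or "OK")
```

Running the script reports the NotBefore violation for the failed sample and no violations for the corrected one. The check is deliberately strict about NotBefore rather than ignoring it, which is the behaviour this article attributes to Siteminder; an SP that silently tolerated the attribute would accept the assertion but would no longer be conformant to the profile text quoted above.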
Additional Information:
https://communities.ca.com/thread/241760639-siteminder-saml-auth-scheme-failing-to-authenticate-a-saml-idp-partner