IBM Security Verify

Expand all | Collapse all

AssertionConsumerService not valid for auth0 SP config

  • 1.  AssertionConsumerService not valid for auth0 SP config

    Posted Fri August 27, 2021 06:09 AM
    Hello,
    I am setting up an auth0 saml service provider that connects to an external IBM Security Access Manager 9 SAML identity provider.
    The redirect to the SAML IdP login page works fine but once we log in we get a 'FBTSML218E The specifications for the SAML2.AssertionConsumerService endpoint are not valid.' error message

    We have the following on the IBM Security Access Manager 9 IdP: (I have redacted the url and replaced it with <host> but its format is lower case letters with - symbols between words)

    • entityID="urn:auth0:<host>:auth-ppe"
    • AssertionConsumerService Binding = https://<host>.eu.auth0.com/login/callback?connection=auth-ppe
      • index="0"
      • isDefault="true

    The error response seems to indicate that there is some ACS binding format similar to the question asked here:
    https://community.ibm.com/community/user/security/communities/community-home/digestviewer/viewthread?GroupId=2863&MessageKey=0af84463-af7d-4b08-add9-82007bdb9896&CommunityKey=e7c36119-46d7-42f2-97a9-b44f0cc89c6d&tab=digestviewer

    Any ideas?
    Does IBM Security Access Manager actually try that url in order to return the error or is it some format validation?

    Many thanks


    ------------------------------
    Andrew Potgieter
    ------------------------------


  • 2.  RE: AssertionConsumerService not valid for auth0 SP config

    Posted Fri August 27, 2021 09:59 AM
    Hi Andrew,

    My guess would be that the Assertion Consumer Service URL sent in the SAML Request doesn't match the ACS that was provided in the metadata used to configure the partner.

    If you edit the partner definition you should be able to see the ACS that was registered from the metadata.  Make sure this is exactly the same (case etc included) as what is being sent in the SAML Request.  You should be able to trace the SAML request using browser tools.  The SAML Tracer addon for Firefox is particularly good for this.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: AssertionConsumerService not valid for auth0 SP config

    Posted Mon September 13, 2021 06:04 AM
    Hello Jon,

    Thanks so much for the reply, it helped find the problem.
    So as it turns out the Assertion Consumer Service URL sent in the SAML request did not match because it was not actually sent in the request by Auth0. Fortunately you are able to hard code the url into the request template. https://gist.github.com/saltukalakus/210685aab42bae0151c687d704af5eae

    Another problem we ran into (which returned the same FBTSML218E error) was that the protocol binding had to be set to `HTTP-POST` on both the Auth0 side and on the IBM partner definition side.

    Sadly I now have another problem but it seems unrelated so I have created a new post for this here

    Many thanks,
    Andrew

    ------------------------------
    Andrew Potgieter
    ------------------------------