IBM Security Verify

Hello,
I am setting up an auth0 saml service provider that connects to an external IBM Security Access Manager 9 SAML identity provider.
The redirect to the SAML IdP login page works fine but once we log in we get a 'FBTSML218E The specifications for the SAML2.AssertionConsumerService endpoint are not valid.' error message

We have the following on the IBM Security Access Manager 9 IdP: (I have redacted the url and replaced it with <host> but its format is lower case letters with - symbols between words)

• entityID="urn:auth0:<host>:auth-ppe"
• AssertionConsumerService Binding = https://<host>.eu.auth0.com/login/callback?connection=auth-ppe
  • index="0"
  • isDefault="true

The error response seems to indicate that there is some ACS binding format similar to the question asked here:
https://community.ibm.com/community/user/security/communities/community-home/digestviewer/viewthread?GroupId=2863&MessageKey=0af84463-af7d-4b08-add9-82007bdb9896&CommunityKey=e7c36119-46d7-42f2-97a9-b44f0cc89c6d&tab=digestviewer

Any ideas?
Does IBM Security Access Manager actually try that url in order to return the error or is it some format validation?

Many thanks

------------------------------
Andrew Potgieter
------------------------------

Hi Andrew,

My guess would be that the Assertion Consumer Service URL sent in the SAML Request doesn't match the ACS that was provided in the metadata used to configure the partner.

If you edit the partner definition you should be able to see the ACS that was registered from the metadata.  Make sure this is exactly the same (case etc included) as what is being sent in the SAML Request.  You should be able to trace the SAML request using browser tools.  The SAML Tracer addon for Firefox is particularly good for this.

Jon.

------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------

Original Message:
Sent: Fri August 27, 2021 06:05 AM
From: Andrew Potgieter
Subject: AssertionConsumerService not valid for auth0 SP config

Hello,
I am setting up an auth0 saml service provider that connects to an external IBM Security Access Manager 9 SAML identity provider.
The redirect to the SAML IdP login page works fine but once we log in we get a 'FBTSML218E The specifications for the SAML2.AssertionConsumerService endpoint are not valid.' error message

We have the following on the IBM Security Access Manager 9 IdP: (I have redacted the url and replaced it with <host> but its format is lower case letters with - symbols between words)

• entityID="urn:auth0:<host>:auth-ppe"
• AssertionConsumerService Binding = https://<host>.eu.auth0.com/login/callback?connection=auth-ppe
  • index="0"
  • isDefault="true

The error response seems to indicate that there is some ACS binding format similar to the question asked here:
https://community.ibm.com/community/user/security/communities/community-home/digestviewer/viewthread?GroupId=2863&MessageKey=0af84463-af7d-4b08-add9-82007bdb9896&CommunityKey=e7c36119-46d7-42f2-97a9-b44f0cc89c6d&tab=digestviewer

Any ideas?
Does IBM Security Access Manager actually try that url in order to return the error or is it some format validation?

Many thanks

------------------------------
Andrew Potgieter
------------------------------

Hello Jon,

Thanks so much for the reply, it helped find the problem.
So as it turns out the Assertion Consumer Service URL sent in the SAML request did not match because it was not actually sent in the request by Auth0. Fortunately you are able to hard code the url into the request template. https://gist.github.com/saltukalakus/210685aab42bae0151c687d704af5eae

Another problem we ran into (which returned the same FBTSML218E error) was that the protocol binding had to be set to `HTTP-POST` on both the Auth0 side and on the IBM partner definition side.

Sadly I now have another problem but it seems unrelated so I have created a new post for this here

Many thanks,
Andrew

------------------------------
Andrew Potgieter
------------------------------

Original Message:
Sent: Fri August 27, 2021 09:59 AM
From: Jon Harry
Subject: AssertionConsumerService not valid for auth0 SP config

Hi Andrew,

My guess would be that the Assertion Consumer Service URL sent in the SAML Request doesn't match the ACS that was provided in the metadata used to configure the partner.

If you edit the partner definition you should be able to see the ACS that was registered from the metadata.  Make sure this is exactly the same (case etc included) as what is being sent in the SAML Request.  You should be able to trace the SAML request using browser tools.  The SAML Tracer addon for Firefox is particularly good for this.

Jon.

------------------------------
Jon Harry
Consulting IT Security Specialist
IBM

Original Message:
Sent: Fri August 27, 2021 06:05 AM
From: Andrew Potgieter
Subject: AssertionConsumerService not valid for auth0 SP config

Hello,
I am setting up an auth0 saml service provider that connects to an external IBM Security Access Manager 9 SAML identity provider.
The redirect to the SAML IdP login page works fine but once we log in we get a 'FBTSML218E The specifications for the SAML2.AssertionConsumerService endpoint are not valid.' error message

We have the following on the IBM Security Access Manager 9 IdP: (I have redacted the url and replaced it with <host> but its format is lower case letters with - symbols between words)

• entityID="urn:auth0:<host>:auth-ppe"
• AssertionConsumerService Binding = https://<host>.eu.auth0.com/login/callback?connection=auth-ppe
  • index="0"
  • isDefault="true

The error response seems to indicate that there is some ACS binding format similar to the question asked here:
https://community.ibm.com/community/user/security/communities/community-home/digestviewer/viewthread?GroupId=2863&MessageKey=0af84463-af7d-4b08-add9-82007bdb9896&CommunityKey=e7c36119-46d7-42f2-97a9-b44f0cc89c6d&tab=digestviewer

Any ideas?
Does IBM Security Access Manager actually try that url in order to return the error or is it some format validation?

Many thanks

------------------------------
Andrew Potgieter
------------------------------