When SAML SSO authentication comparison is set to 'better' on hosted SP, SP initiated SSO fails with message 'Invalid status code in response'.
Using https://backstage.forgerock.com/docs/am/5/saml2-guide/#chap-saml2-implementation-console as reference, performed the following in OpenAM 13.5.0, 13.5.1 and AM 5.1:
- Performed initial configuration for two OpenAM instances, idp.amtest1.com and sp.amtest1.com. Both use host cookies (idp.amtest1.com and sp.amtest1.com).
- Configured a hosted IdP in idp.amtest1.com using 'test' signing key, 'test_idp' circle of trust, mail -> mail attribute mapping.
- Configured a hosted SP in sp.amtest1.com using COT test_sp.
- Created a remote SP in idp.amtest1.com, attr mapping mail -> mail.
- Created a remote IdP in sp.amtest1.com.
- In sp.amtest1.com, created a saml2 auth'n module, and an auth'n chain which included the saml2 module as Required.
- For the realm / in sp.amtest1.com, set User Profile as dynamic.
- Created two test subjects, including a mail address attribute value for each.
- In sp.amtest1.com, modified hosted SP to change ACS service endpoints from .../Consumer/... to .../AuthConsumer/... Did the same for remote SP in idp.amtest1.com.
- In sp.amtest1.com, enabled auto-federation, using mail as attribute.
- In sp.amtest1.com, set Default Auth'n context to unspecified, Authn comparison as 'better' and enabled the following Context References: unspecified, level 0; PasswordProtected, 5; Kerberos, level 10; and MobileTwoFactorUnregistered, 20.
- In idp.amtest1.com, mirrored the above SP settings for Authentication Context, enabling each of the above as Modules, with the same levels as above. Default auth'n context set to unspecified.
- In a separate browser, performed SP initiated SSO. Navigated to https://sp.amtest1.com:7443/access?service=saml2Chain. In 13.5.0, this results in being able to log in at the IdP and being taken to a created profile page for the authenticated user in the SP. In 13.5.1 and 5.1 (14.1), navigation to the above URL results in the error message in the browser 'Invalid status code in response'.
- Using a SAML tracer plugin in the browser, for the error case above, in 13.5 the first SAML request/response includes:
- <saml2p:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/><saml2p:RequestedAuthnContext Comparison="better"><saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef></saml2p:RequestedAuthnContext></saml2p:AuthnRequest>
- In 13.5.1 and above, the above response includes the status NoAuthnContextSpecified.
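As an added illustration (not part of this report and not OpenAM's own selection code), the Python script below applies the SAML 2.0 Core (section 3.3.2.2.1) meaning of the four RequestedAuthnContext Comparison values ('exact', 'minimum', 'maximum', 'better') to the context/level table configured above, and evaluates the captured AuthnRequest against it. Assumptions: the IdP level table mirrors the levels listed in the report, with 'PasswordProtected' taken to be the spec's PasswordProtectedTransport class; the AuthnRequest envelope (ID, IssueInstant, Destination, Issuer) around the captured RequestedAuthnContext is constructed; the failure status is the spec's urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext URI rather than the string the tracer shows. Under these rules a 'better' request for unspecified (level 0) is satisfiable by any of the three higher-level contexts, so the script returns Success with PasswordProtectedTransport; it returns NoAuthnContext only when nothing stronger than every requested class exists (for example 'better' on MobileTwoFactorUnregistered), which is the edge case an IdP must handle.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"

# Assumed IdP configuration: the four context classes and levels enabled in the
# report; 'PasswordProtected' is taken to be the PasswordProtectedTransport class.
IDP_CONTEXT_LEVELS = {
    AC + "unspecified": 0,
    AC + "PasswordProtectedTransport": 5,
    AC + "Kerberos": 10,
    AC + "MobileTwoFactorUnregistered": 20,
}

# Constructed AuthnRequest: the envelope (ID, IssueInstant, Destination, Issuer)
# is made up; the RequestedAuthnContext is the one captured in the SAML tracer.
SAMPLE_AUTHN_REQUEST = (
    '<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-1" Version="2.0" IssueInstant="2017-06-01T00:00:00Z" '
    'Destination="https://idp.amtest1.com/openam/SSORedirect/metaAlias/idp">'
    '<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.amtest1.com:7443/openam</saml2:Issuer>'
    '<saml2p:NameIDPolicy AllowCreate="false" '
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>'
    '<saml2p:RequestedAuthnContext Comparison="better">'
    '<saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
    'urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>'
    '</saml2p:RequestedAuthnContext></saml2p:AuthnRequest>'
)


def parse_requested_authn_context(xml_text):
    """Return (comparison, [class refs]) from an AuthnRequest.

    Comparison defaults to 'exact' per the schema; (None, []) means the request
    carried no RequestedAuthnContext at all, so the IdP may use any context.
    """
    root = ET.fromstring(xml_text)
    rac = root.find("saml2p:RequestedAuthnContext", NS)
    if rac is None:
        return None, []
    comparison = rac.get("Comparison", "exact")
    refs = [e.text.strip() for e in rac.findall("saml2:AuthnContextClassRef", NS) if e.text]
    return comparison, refs


def acceptable_contexts(comparison, requested, levels):
    """Configured contexts that satisfy the request, weakest first.

    Follows SAML 2.0 Core 3.3.2.2.1: 'exact' matches only the listed classes;
    'minimum' accepts anything at least as strong as one listed class;
    'maximum' accepts anything no stronger than the strongest listed class;
    'better' accepts only contexts strictly stronger than every listed class.
    Strength is the IdP's own level ordering; unknown class refs are ignored.
    """
    if comparison is None:
        return sorted(levels, key=levels.get)
    known = [r for r in requested if r in levels]
    if not known:
        return []
    req_levels = [levels[r] for r in known]
    if comparison == "exact":
        ok = [c for c in levels if c in known]
    elif comparison == "minimum":
        ok = [c for c, lvl in levels.items() if lvl >= min(req_levels)]
    elif comparison == "maximum":
        ok = [c for c, lvl in levels.items() if lvl <= max(req_levels)]
    elif comparison == "better":
        ok = [c for c, lvl in levels.items() if lvl > max(req_levels)]
    else:
        raise ValueError("unknown Comparison value: %r" % comparison)
    return sorted(ok, key=levels.get)


def select_context(comparison, requested, levels):
    """Pick the context an IdP should authenticate with, or report NoAuthnContext."""
    ok = acceptable_contexts(comparison, requested, levels)
    if not ok:
        return STATUS_NO_AUTHN_CONTEXT, None
    # 'maximum' wants the strongest permissible context; the others are served
    # by the weakest acceptable one (least friction for the user).
    chosen = ok[-1] if comparison == "maximum" else ok[0]
    return STATUS_SUCCESS, chosen


def evaluate_request(xml_text, levels=IDP_CONTEXT_LEVELS):
    """Parse an AuthnRequest and return (status URI, chosen class ref or None)."""
    comparison, refs = parse_requested_authn_context(xml_text)
    return select_context(comparison, refs, levels)


if __name__ == "__main__":
    print("captured request ->", evaluate_request(SAMPLE_AUTHN_REQUEST))
    for cmp in ("exact", "minimum", "maximum", "better"):
        print(cmp, "unspecified ->", select_context(cmp, [AC + "unspecified"], IDP_CONTEXT_LEVELS))
    print("better MobileTwoFactorUnregistered ->",
          select_context("better", [AC + "MobileTwoFactorUnregistered"], IDP_CONTEXT_LEVELS))
```

Running the script prints the outcome for the captured request and for each Comparison value against the lowest-level class; the useful check when reproducing this report is whether the IdP's actual response for the 'better'/unspecified request agrees with the Success result the spec semantics give, or instead returns the no-context status the tracer showed.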
Customer has modified the configuration to use exact match. This enables successful SSO for the above scenario in 5.1.
Issue looks to be in