IBM Support

Failed to invoke a SAML IdP federation with multiple partners that have duplicate ACS

Troubleshooting


Problem

Created a SAML Identity Provider with multiple Service Provider partners.
When two or more partner definitions have the same Assertion Consumer Service URL entry, IdP-initiated SSO or SP-initiated SSO fails.

Symptom

Cause

An Identity Provider definition can have multiple Service Provider partners.
Each partner has an individual partner ID; however, some partners can have the same Assertion Consumer Service URL.
When multiple partner definitions have the same Assertion Consumer Service URL entry, the Identity Provider sends an assertion with incorrect attributes to the Service Provider's Assertion Consumer Service URL.

Diagnosing The Problem

In the LMI, open each partner definition under the Identity Provider federation definition.
Switch to the Single Sign-on settings tab and note the binding URL.
Compare the binding URL of each partner to find partners that share the same binding method and URL pair.
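The comparison in the diagnosis step can be made mechanical when the Service Provider partner metadata files are at hand. The following Python example is added here and is not IBM's code or part of this document: it parses a few constructed sample SP metadata documents (the partner IDs, entity IDs and URLs are made up for illustration) and reports every Binding/Location pair of an AssertionConsumerService that is claimed by more than one partner. Matching ignores trailing slashes on the Location, which is an assumption about how the URLs should be compared rather than anything stated on this page.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# SAML 2.0 metadata namespace; AssertionConsumerService elements live here.
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ACS_TAG = f"{{{MD_NS}}}AssertionConsumerService"

BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"


def _sp_metadata(entity_id, acs_list):
    """Build a minimal SP metadata document from (binding, location) pairs.
    Constructed for this example only; real partner metadata carries much more."""
    acs_xml = "".join(
        f'<md:AssertionConsumerService Binding="{b}" Location="{loc}" index="{i}"/>'
        for i, (b, loc) in enumerate(acs_list)
    )
    return (
        f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="{entity_id}">'
        f'<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{acs_xml}</md:SPSSODescriptor></md:EntityDescriptor>"
    )


# Constructed sample partners (hypothetical IDs and URLs).
# sp-a and sp-b share the same HTTP-POST ACS URL (sp-b only differs by a trailing slash).
# sp-c uses that URL too, but over a different binding, so the (binding, URL) pair differs.
SAMPLE_PARTNERS = {
    "sp-a": _sp_metadata("https://sp-a.example.test/saml",
                         [(BINDING_POST, "https://sp.example.test/acs")]),
    "sp-b": _sp_metadata("https://sp-b.example.test/saml",
                         [(BINDING_POST, "https://sp.example.test/acs/")]),
    "sp-c": _sp_metadata("https://sp-c.example.test/saml",
                         [(BINDING_POST, "https://sp-c.example.test/acs"),
                          (BINDING_ARTIFACT, "https://sp.example.test/acs")]),
}


def normalize_location(location):
    """Assumed matching rule: strip surrounding whitespace and a trailing slash."""
    return location.strip().rstrip("/")


def extract_acs_endpoints(metadata_xml):
    """Return the list of (binding, normalized location) pairs declared by one SP."""
    root = ET.fromstring(metadata_xml)
    return [
        (acs.get("Binding"), normalize_location(acs.get("Location", "")))
        for acs in root.iter(ACS_TAG)
    ]


def find_duplicate_acs(partners):
    """Map each (binding, location) pair used by more than one partner to the
    sorted list of partner IDs that declare it. An empty dict means no conflict."""
    owners = defaultdict(set)
    for partner_id, metadata_xml in partners.items():
        for endpoint in extract_acs_endpoints(metadata_xml):
            owners[endpoint].add(partner_id)
    return {ep: sorted(ids) for ep, ids in owners.items() if len(ids) > 1}


if __name__ == "__main__":
    conflicts = find_duplicate_acs(SAMPLE_PARTNERS)
    if not conflicts:
        print("No partners share a binding/ACS URL pair.")
    for (binding, location), ids in conflicts.items():
        print(f"{binding} {location} is shared by partners: {', '.join(ids)}")
```

Partners listed together in the output are the ones that need to be split into separate Identity Provider federation definitions, as described in the resolution below; a URL that is shared only across different bindings is not reported, because the page's criterion is the binding method and URL pair.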

Resolving The Problem

Create a separate (duplicated) Identity Provider federation for each Service Provider partner that has a duplicate Assertion Consumer Service URL. For example, the myidp and myidp2 Identity Providers:
  • www.myidp.ibm.com/isam/sps/myidp/saml20/
  • www.myidp.ibm.com/isam/sps/myidp2/saml20/
Import the partner metadata for each Service Provider into its own Identity Provider.
Make sure to import the correct Identity Provider metadata into each Service Provider.

Document Location

Worldwide


Document Information

Modified date:
30 April 2023

UID

ibm16987449