Environment
Novell Access Management 3 Linux Novell Identity Server
Novell Access Management 3 Linux Access Gateway
Novell Access Management 3 Access Administration
Novell Access Management 3 Netware Access Gateway
Situation
Trying to access IBM and HP service providers (SPs) from Novell
Access Manager using the Intersite Transfer Link. We created the
SPs in the Novell Access Manager configuration by
- importing the IBM metadata from a file (copy and paste) and creating an SP object
- importing the HP metadata from a file (copy and paste) and creating an SP object
Doing this, one can see that both vendors' EntityIDs are not reachable using HTTP, unlike the Novell Access Manager metadata. Subsequent access to these SPs via the Intersite Transfer Link fails because we are unable to get NAM to identify the target SPs. We do this by copying the "entityID" from IBM's and HP's metadata as the PID value in the Intersite Transfer Link, e.g.
[SAML 2.0 IDP Base URL]/saml2/idpsend?PID=[The SAML 2.0 SP Provider ID]&TARGET=[final destination URL]
I get the following error for both IBM and HP:
unable to send authentication to service provider
cause/code : invalid or no provider is specified - 15DD
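The Intersite Transfer Link above depends on the PID query parameter matching the partner's entityID exactly, and on both the PID and TARGET values being percent-encoded so the colons and slashes inside them survive as query values. The following is an added example, not code from the TID or from Novell: it pulls the entityID out of an SP's SAML 2.0 metadata and composes the idpsend URL. The metadata XML, the sp.example.com identifiers and the IDP base URL are constructed placeholders.

```python
"""Compose a NAM Intersite Transfer (idpsend) URL from an SP's SAML 2.0 metadata.

Added example; the metadata, entityID and IDP base URL below are constructed
placeholders standing in for the IBM/HP values from the TID.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample SP metadata (hypothetical entityID and ACS endpoint).
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/saml2/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml2/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_entity_id(metadata_xml: str) -> str:
    """Return the entityID attribute of the metadata's root EntityDescriptor.

    The PID in the Intersite Transfer Link has to match this value character
    for character; a trailing space or a different case is enough to make the
    IDP report 'invalid or no provider is specified'.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{SAML_MD_NS}}}EntityDescriptor":
        raise ValueError(f"not a SAML 2.0 EntityDescriptor: {root.tag}")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    return entity_id.strip()


def build_idpsend_url(idp_base_url: str, provider_id: str, target: str) -> str:
    """Compose [IDP Base URL]/saml2/idpsend?PID=...&TARGET=... .

    Both query values are percent-encoded, so a URL- or URN-shaped entityID
    and a TARGET that itself carries a query string are passed intact.
    """
    base = idp_base_url.rstrip("/")
    query = urlencode({"PID": provider_id, "TARGET": target})
    return f"{base}/saml2/idpsend?{query}"


def pid_from_url(idpsend_url: str) -> str:
    """Decode the PID back out of an idpsend URL to confirm the encoding is lossless."""
    return parse_qs(urlsplit(idpsend_url).query)["PID"][0]


if __name__ == "__main__":
    pid = extract_entity_id(SAMPLE_SP_METADATA)
    # Placeholder IDP base URL; substitute the real [SAML 2.0 IDP Base URL].
    print(build_idpsend_url("https://idp.example.com/nidp", pid,
                            "https://sp.example.com/app/start?x=1"))
```

Running the script prints the link with PID=https%3A%2F%2Fsp.example.com%2Fsaml2%2Fmetadata; paste that form, not the raw entityID, into the portal or bookmark that carries the Intersite Transfer Link.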
Resolution
Disable strict security checking when loading the partner's test
metadata. The property can be set manually on the server where the
application can pick it up. For example, on the Access Manager Linux
Identity Server, add the following to the
{tomcat_home}/conf/tomcat4.conf file.
JAVA_OPTS="${JAVA_OPTS} -Dcom.novell.nidp.serverOCSPCRL=false"
You will have to restart Tomcat after making the change.