Environment
Novell Access Management 3 Access Administration
Novell Access Management 3 Linux Novell Identity Server
Access Manager Support Pack 1 applied
Situation
A SAML 1.1 setup exists between two Access Manager Identity Servers
(one acting as a SAML Service Provider and one as an Identity
Provider). An Access Gateway is installed and acts as a Liberty
service provider in a Liberty relationship with one of the SAML
service providers. When a user accesses a protected resource on the
Access Gateway and gets redirected to the Liberty Identity Server
for authentication, there is no link on this Identity Server
offering the option to log in at the SAML 1.1 Identity
Server.
Performing the same request with SAML 2 as the protocol between the two Access Manager Identity Servers provides users with a link to log in to the SAML 2 Identity Server.
Resolution
Working as designed. SAML 2 as a protocol allows users to do an SP
initiated Single Sign On (SSO), and therefore the link to redirect
the user from the SAML SP to the SAML IDP is provided.
With SAML 1.1, the only option is an IDP initiated SSO. In this setup, you can never hit the protected resource on the AG, get redirected to the Liberty Identity Server and then hit another option to take you to the SAML 1.1 Identity Server. You have to go to the SAML 1.1 IDP server and hit the IDP initiated SSO link (see "Specifying the Intersite Transfer Service URL" at https://www.novell.com/documentation/novellaccessmanager/adminguide/index.html?page=/documentation/novellaccessmanager/adminguide/data/b5m572b.html for more details).
Authenticating to the SAML 1.1 IDP server using this intersite transfer link will allow you to SSO to the Access Gateway protected resources.
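The following Python example is added here to illustrate the protocol difference behind this behaviour; it is not part of the TID and not Novell code. It builds the two kinds of entry point side by side: the SAML 1.1 IDP-initiated Intersite Transfer Service link (the only way in for SAML 1.1), and the SAML 2.0 SP-initiated AuthnRequest sent with the HTTP-Redirect binding (the request behind the login link that appears in the SAML 2 case). The hostnames are placeholders, and the /nidp/saml/idpsend path with its PID and TARGET parameters, as well as the /nidp/saml2/sso and /nidp/saml2/spassertion_consumer paths, are assumptions; confirm the exact Intersite Transfer Service URL form in the admin guide section linked above. The TARGET allowlist check is a defensive addition so the link can only send users to the protected resource it is meant for.

```python
import base64
import html
import urllib.parse
import uuid
import zlib
from datetime import datetime, timezone

# Constructed sample values: hostnames are placeholders, not taken from the TID.
SAML11_IDP_INTERSITE_URL = "https://saml11-idp.example.com:8443/nidp/saml/idpsend"  # assumed path
SAML11_SP_PROVIDER_ID = "https://liberty-idp.example.com:8443/nidp/saml/metadata"    # assumed path
AG_PROTECTED_RESOURCE = "https://ag.example.com/protected/index.html"
ALLOWED_TARGET_HOSTS = frozenset({"ag.example.com"})

SAML2_IDP_SSO_URL = "https://saml2-idp.example.com:8443/nidp/saml2/sso"                        # assumed path
SAML2_SP_ENTITY_ID = "https://liberty-idp.example.com:8443/nidp/saml2/metadata"               # assumed path
SAML2_SP_ACS_URL = "https://liberty-idp.example.com:8443/nidp/saml2/spassertion_consumer"      # assumed path


def query_params(url):
    """Return the query string of url as a dict of single values."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).items()}


def target_allowed(target, allowed_hosts):
    """True only if TARGET is an https URL on a host we are willing to send users to."""
    parts = urllib.parse.urlsplit(target)
    return parts.scheme == "https" and parts.hostname in allowed_hosts


def build_saml11_idp_initiated_link(intersite_url, sp_provider_id, target, allowed_hosts):
    """SAML 1.1: the flow can only begin at the IdP's Intersite Transfer Service.
    The IdP authenticates the user, hands the assertion to the SP named by PID,
    and the SP finally forwards the browser to TARGET. Nothing here is started
    by the SP, which is why the Liberty IdP login page has no link to offer."""
    if not target_allowed(target, allowed_hosts):
        raise ValueError("TARGET must point at an allowed protected resource")
    return intersite_url + "?" + urllib.parse.urlencode({"PID": sp_provider_id, "TARGET": target})


def build_saml2_sp_initiated_redirect(idp_sso_url, sp_entity_id, acs_url, relay_state, request_id=None):
    """SAML 2.0: the SP builds an AuthnRequest itself and sends the browser to the
    IdP with the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode).
    RelayState carries the resource the user originally asked for."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    authn_request = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{html.escape(acs_url, quote=True)}">'
        f'<saml:Issuer>{html.escape(sp_entity_id)}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = deflater.compress(authn_request.encode()) + deflater.flush()
    encoded = base64.b64encode(deflated).decode()
    query = urllib.parse.urlencode({"SAMLRequest": encoded, "RelayState": relay_state})
    return idp_sso_url + "?" + query


def decode_saml2_redirect_request(url):
    """What the IdP does on arrival: inverse of the redirect binding.
    Returns (AuthnRequest XML, RelayState)."""
    params = query_params(url)
    raw = base64.b64decode(params["SAMLRequest"])
    return zlib.decompress(raw, -15).decode(), params.get("RelayState")


if __name__ == "__main__":
    print(build_saml11_idp_initiated_link(SAML11_IDP_INTERSITE_URL, SAML11_SP_PROVIDER_ID,
                                          AG_PROTECTED_RESOURCE, ALLOWED_TARGET_HOSTS))
    redirect = build_saml2_sp_initiated_redirect(SAML2_IDP_SSO_URL, SAML2_SP_ENTITY_ID,
                                                 SAML2_SP_ACS_URL, AG_PROTECTED_RESOURCE)
    print(redirect)
    print(decode_saml2_redirect_request(redirect)[0])
```

Running the script prints the SAML 1.1 intersite link a user would have to start from, the SAML 2.0 redirect an SP can issue on its own, and the decoded AuthnRequest as the IdP sees it. The contrast is the whole point of the TID: only the second flow has an SP-side action to hang a login link on.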