Access Manager 300101016 error - No matching audience

  • Document ID:3260366
  • Creation Date:29-May-2007
  • Modified Date:26-Apr-2012
    • Micro Focus Products:
      Access Manager (NAM)

Environment


Novell Access Management 3 Linux Novell Identity Server
Novell Access Management 3 Linux Access Gateway
Novell Access Management 3 Access Administration
Novell Access Management 3 Netware Access Gateway
Novell ACcess Manager 3 Support Pack 1 Beta 1 applied
Identity Server accelerated by Access Gateway

Situation

Novell Access Manager installed and configured with Linux Access Gateway (Sp1 beta 1 applied). The Linux Access Gateway (LAG) configured to accelerate the Identity (IDP) Server. When accessing a protected resource requiring authentication, the users would be prompted for the credentials and would get the 300101016 error after submitting them. The same users were able to authenticate and access the same protected resource when the IDP is configured in parallel with the LAG, and not as a resource available through the LAG. Note that SSL is used for all access.

Debug catalina.out logs on the IDP server show that the user authentication to the eDirectory store is successful, and it appears that it is able to successfully create and store a session. After the client browser is redirected back to the original resource on the LAG, the session cannot be successfully retrieved from the IDP.

Resolution

Make sure that HTML rewriting is configured for the IDP protected resource. To do so:

  1. Click Access Manager>Access Gateways>Edit>[Name of Reverse Proxy]>[Name of Proxy Service]>HTML Rewriting

  2. Make sure the Enable HTML Rewriting option is selected.

  3. In the HTML Rewriter Profile List, click New, then specify a name for the profile and select Word for the Search Boundary.

  4. Enter the following URLs in the And Requested URL Is Not section. The following URLs use login.novell.com/nidp as the DNS name of the reverse proxy for the Identity Server.

    login.novell.com/nidp/idff/soap
    
login.novell.com/nidp/idff/soap/
    
login.novell.com/nidp/idff/soap/*
    
login.novell.com:443/nidp/idff/soap
    
login.novell.com:443/nidp/idff/soap/
    
login.novell.com:443/nidp/idff/soap/*

  5. Click OK.

  6. Use the up arrow icon to move your profile to the top of the list.

Additional Information

When a SAML assertion is generated, there are certain conditions that need to be validated based on the tag. For example, the following assertions shows that the assertion is not valed before or after the the following timestamps, and only valid for https://login.novell.com:80 audience. In certain cases, the :80 or :443 (with https) is appended yet the ProviderID in the metadata does not include the port numbers. In order to work around the issue, we should add rewriter entries for the TCP ports too.




https://login.novell.com:80/nesp/idff/metadata