Access Manager error 100101043 - IDP is unable to load ESP metadata

  • 3539104
  • 15-Feb-2007
  • 26-Apr-2012

Environment

Novell Access Management 3 Linux Access Gateway
Novell Access Management 3 Netware Access Gateway
Novell Access Management 3 Access Administration
Novell Access Management 3 Linux Novell Identity Server

Situation

IDP server configured with a valid DNS name as the base URL and HTTP as the protocol.
Access Gateway configured to point to that IDP configuration.
Reverse proxy defined for the back end Web server.

When accessing a PUBLIC resource (contract set to NONE), the back end Web server data can be accessed via the Access Gateway. As soon as a protected resource is accessed (contract set to Username/Password - Form in this example), users get the error above, status 100101043, with the message:

Unable to complete authentication request.
Identity Provider failed to load Embedded Provider metadata

Resolution

Make sure that the base URL on the Access Gateway is resolvable by the IDP server AND reboot the IDP server. With the Liberty and Application component logging at the IDP server set to 'config' mode, the following information will be available in the /var/opt/novell/tomcat4/logs/catalina.out file:

Type: received
RelayState: None
RequestID=idsoZe1LsH8aNoOgO6Eo4DqEFlePY&MajorVersion=1&MinorVersion=2&IssueInstant=2007-02-06T16%3A53%3A22Z&ProviderID=http%3A%2F%2Finteg.ncashell.com%3A80%2Fnesp%2Fidff%2Fmetadata&RelayState=http%3A%2F%2Finteg.ncashell.com%3A8080%2Fnesp%2Fapp%2F&consent=urn%3Aliberty%3Aconsent%3Aunavailable&ForceAuthn=false&IsPassive=false&NameIDPolicy=onetime&ProtocolProfile=http%3A%2F%2Fprojectliberty.org%2Fprofiles%2Fbrws-art&AuthnContextStatementRef=name%2Fpassword%2Furi
************************* End Liberty message ****************************
Feb 6, 2007 11:53:44 AM com.novell.nidp.logging.NIDPLog D
FINEST: NIDP TRACE LOG
Method: com.novell.nidp.liberty.idff.profile.LibertySSOProfile.processAuthnRequest()
(Thread: http-8080-Processor4): Process Liberty AuthnRequest

Feb 6, 2007 11:54:26 AM com.novell.nidp.logging.NIDPLog doLog
SEVERE: Unable to load metadata for Embedded Service Provider: http://integ.ncashell.com:80/nesp/idff/metadata, error: connect timed out
Feb 6, 2007 11:54:26 AM com.novell.nidp.logging.NIDPLog doLog
INFO: Error on session AMAUTHID#51F56B28D917D937DD8D0E4B8ACA3B5F, error AM#100101043-954A9AFA66FD7F29, Unable to complete authentication request. Identity Provider failed to load Embedded Provider metadata


Adding an entry to the hosts file on the IDP server for integ.ncashell.com solved the problem. Note that we did an 'update config' after making this change but the error persisted. Only when we manually restarted the IDP server did the problem go away.
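The following triage script is an added example and is not part of this TID or of Novell's product code. It reads catalina.out-style text from the IDP server, pulls out the Embedded Service Provider metadata URL that the IDP failed to load, and checks whether the IDP's hosts file maps that hostname, which is the check the resolution above asks for. The log sample and both hosts-file contents are constructed (the address 10.0.0.7 is a placeholder, not a real mapping); a live resolver check is included for use on the actual IDP server.

```python
"""Triage helper for Access Manager error 100101043 (added example, not Novell code)."""
import re
import socket
from urllib.parse import urlsplit

# Constructed sample of the IDP catalina.out excerpt shown in this TID (not a real capture).
SAMPLE_CATALINA_OUT = """\
Feb 6, 2007 11:54:26 AM com.novell.nidp.logging.NIDPLog doLog
SEVERE: Unable to load metadata for Embedded Service Provider: http://integ.ncashell.com:80/nesp/idff/metadata, error: connect timed out
Feb 6, 2007 11:54:26 AM com.novell.nidp.logging.NIDPLog doLog
INFO: Error on session AMAUTHID#51F56B28D917D937DD8D0E4B8ACA3B5F, error AM#100101043-954A9AFA66FD7F29, Unable to complete authentication request. Identity Provider failed to load Embedded Provider metadata
"""

# Constructed /etc/hosts content for the IDP server; the Access Gateway host is missing on purpose.
SAMPLE_HOSTS_MISSING = """\
127.0.0.1   localhost
10.0.0.5    idp.example.internal idp
"""

# Matches the SEVERE line the IDP writes when the ESP metadata fetch fails.
METADATA_FAILURE = re.compile(
    r"SEVERE: Unable to load metadata for Embedded Service Provider: "
    r"(?P<url>\S+?), error: (?P<reason>.*)$"
)


def find_metadata_failures(log_text):
    """Return (esp_metadata_url, reason) pairs found in catalina.out text."""
    failures = []
    for line in log_text.splitlines():
        m = METADATA_FAILURE.search(line)
        if m:
            failures.append((m.group("url"), m.group("reason").strip()))
    return failures


def parse_hosts(hosts_text):
    """Map every hostname and alias in a hosts file to its address, ignoring comments."""
    mapping = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            mapping[name.lower()] = fields[0]
    return mapping


def resolves_live(host):
    """True if the local resolver (hosts file plus DNS) can resolve host; run this on the IDP."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def triage(log_text, hosts_text):
    """For each failed ESP metadata load, report the host, port and whether the hosts file covers it."""
    hosts = parse_hosts(hosts_text)
    report = []
    for url, reason in find_metadata_failures(log_text):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        port = parts.port or (443 if parts.scheme == "https" else 80)
        report.append({
            "url": url,
            "scheme": parts.scheme,
            "host": host,
            "port": port,
            "reason": reason,
            # The TID's fix: the Access Gateway base URL must resolve from the IDP server.
            "resolvable_via_hosts": host in hosts,
            # On HTTPS the TID also requires the trust-store imports under Additional Information.
            "needs_trust_store_check": parts.scheme == "https",
        })
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_CATALINA_OUT, SAMPLE_HOSTS_MISSING):
        print(entry)
        if not entry["resolvable_via_hosts"]:
            print("  hosts file has no entry for", entry["host"],
                  "- live resolver says:", resolves_live(entry["host"]))
```

Run it with the real catalina.out and /etc/hosts from the IDP server in place of the constructed samples. An entry with "resolvable_via_hosts" False and a "connect timed out" reason matches the failure described in this TID; after adding the hosts entry, remember that the TID reports a manual IDP restart was needed, not only an 'update config'.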

Additional Information

If the base URL at the IDP server side is HTTPS, then the trusted root for the IDP server must be imported into the Access Gateway ESP trust store, and the Access Gateway server certificates must also be imported into the IDP trust store. Failure to do this will cause the metadata validation process to fail and produce the same 100101043 errors during authentication.