Environment
Novell Access Management 3 Linux Access Gateway
Novell Access Management 3 Netware Access Gateway
Novell Access Management 3 Access Administration
Novell Access Management 3 Linux Novell Identity Server
Situation
IDP server configured with a valid DNS name as the base URL and HTTP as the protocol.
Access Gateway configured to point to the IDP configuration established.
Reverse proxy defined for back end Web server.
When accessing a PUBLIC resource (contract set to NONE), the back end Web server data can be accessed via the Access Gateway. As soon as a protected resource is accessed (contract set to Username/Password - Form in this example), users get the following error with status 100101043:
Unable to complete authentication request.
Identity Provider failed to load Embedded Provider metadata
Resolution
Make sure that the base URL on the Access Gateway is resolvable by the IDP server AND reboot the IDP server. With the Liberty and Application component logging at the IDP server set to 'config' level, the following information will be available in the /var/opt/novell/tomcat4/logs/catalina.out file:
Type: received
RelayState: None
RequestID=idsoZe1LsH8aNoOgO6Eo4DqEFlePY&MajorVersion=1&MinorVersion=2&IssueInstant=2007-02-06T16%3A53%3A22Z&ProviderID=http%3A%2F%2Finteg.ncashell.com%3A80%2Fnesp%2Fidff%2Fmetadata&RelayState=http%3A%2F%2Finteg.ncashell.com%3A8080%2Fnesp%2Fapp%2F&consent=urn%3Aliberty%3Aconsent%3Aunavailable&ForceAuthn=false&IsPassive=false&NameIDPolicy=onetime&ProtocolProfile=http%3A%2F%2Fprojectliberty.org%2Fprofiles%2Fbrws-art&AuthnContextStatementRef=name%2Fpassword%2Furi
************************* End Liberty message ****************************
Feb 6, 2007 11:53:44 AM com.novell.nidp.logging.NIDPLog D
FINEST: NIDP TRACE LOG
Method: com.novell.nidp.liberty.idff.profile.LibertySSOProfile.processAuthnRequest()
(Thread: http-8080-Processor4): Process Liberty AuthnRequest
Feb 6, 2007 11:54:26 AM com.novell.nidp.logging.NIDPLog doLog
SEVERE: Unable to load metadata for Embedded Service Provider: http://integ.ncashell.com:80/nesp/idff/metadata, error: connect timed out
Feb 6, 2007 11:54:26 AM com.novell.nidp.logging.NIDPLog doLog
INFO: Error on session AMAUTHID#51F56B28D917D937DD8D0E4B8ACA3B5F, error AM#100101043-954A9AFA66FD7F29, Unable to complete authentication request. Identity Provider failed to load Embedded Provider metadata
Adding an entry to the hosts file on the IDP server for integ.ncashell.com solved the problem. Note that we did an 'update config' after making this change but the error persisted. Only when we manually restarted the IDP server did the problem go away.
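The following triage helper is an added example, not part of this TID or of Novell's code. It parses the catalina.out excerpt above (embedded as a constructed sample), pulls the Embedded Service Provider metadata URL the IDP failed to fetch, checks that it matches the ProviderID the Access Gateway sent in the AuthnRequest, and, when run on the IDP server, reports whether that host resolves and accepts a TCP connection; the function names are assumptions.

```python
import re
import socket
from urllib.parse import parse_qs, urlsplit
# Constructed sample: the relevant catalina.out lines quoted in this TID.
SAMPLE_LOG = """\
RequestID=idsoZe1LsH8aNoOgO6Eo4DqEFlePY&MajorVersion=1&MinorVersion=2&IssueInstant=2007-02-06T16%3A53%3A22Z&ProviderID=http%3A%2F%2Finteg.ncashell.com%3A80%2Fnesp%2Fidff%2Fmetadata&RelayState=http%3A%2F%2Finteg.ncashell.com%3A8080%2Fnesp%2Fapp%2F&consent=urn%3Aliberty%3Aconsent%3Aunavailable&ForceAuthn=false&IsPassive=false&NameIDPolicy=onetime&ProtocolProfile=http%3A%2F%2Fprojectliberty.org%2Fprofiles%2Fbrws-art&AuthnContextStatementRef=name%2Fpassword%2Furi
Feb 6, 2007 11:54:26 AM com.novell.nidp.logging.NIDPLog doLog
SEVERE: Unable to load metadata for Embedded Service Provider: http://integ.ncashell.com:80/nesp/idff/metadata, error: connect timed out
Feb 6, 2007 11:54:26 AM com.novell.nidp.logging.NIDPLog doLog
INFO: Error on session AMAUTHID#51F56B28D917D937DD8D0E4B8ACA3B5F, error AM#100101043-954A9AFA66FD7F29, Unable to complete authentication request. Identity Provider failed to load Embedded Provider metadata
"""
SEVERE_RE = re.compile(r"SEVERE: Unable to load metadata for Embedded Service Provider: (\S+), error: (.+)")
AMCODE_RE = re.compile(r"error AM#(\d+)-")

def parse_authn_request(line):
    """Decode the URL-encoded Liberty AuthnRequest parameters into a dict."""
    return {k: v[0] for k, v in parse_qs(line.strip()).items()}

def triage(log_text):
    """Correlate the AuthnRequest ProviderID, the SEVERE metadata failure and the AM# code."""
    r = {"provider_id": None, "metadata_url": None, "cause": None, "error_code": None}
    for line in log_text.splitlines():
        if line.startswith("RequestID="):
            # ProviderID is the ESP (Access Gateway) metadata endpoint the IDP will fetch.
            r["provider_id"] = parse_authn_request(line).get("ProviderID")
        elif (m := SEVERE_RE.search(line)):
            r["metadata_url"], r["cause"] = m.group(1), m.group(2).strip()
        elif (m := AMCODE_RE.search(line)):
            r["error_code"] = m.group(1)
    parts = urlsplit(r["metadata_url"] or "")
    r["host"], r["port"] = parts.hostname, parts.port
    # Same URL in both places: the IDP fetched exactly what the ESP advertised, so the
    # failure is connectivity from the IDP (DNS or routing), not a base URL mismatch.
    r["provider_matches"] = r["provider_id"] is not None and r["provider_id"] == r["metadata_url"]
    return r

def check_reachability(host, port, timeout=5.0):
    """Run on the IDP server: does the Access Gateway base URL host resolve and accept TCP?"""
    try:
        addr = socket.gethostbyname(host)
    except socket.gaierror:
        return "unresolvable: add a DNS record or /etc/hosts entry, then restart the IDP"
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return f"reachable at {addr}:{port}"
    except OSError as exc:
        return f"resolves to {addr} but connect failed: {exc}"

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"AM#{r['error_code']}: IDP could not fetch {r['metadata_url']} ({r['cause']})")
    print("From the IDP server:", check_reachability(r["host"], r["port"]))
```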
Additional Information
If the base URL at the IDP server side was HTTPS, then the trusted root for the IDP server must be imported into the Access Gateway eSP trust store, and the Access Gateway server certificates must also be imported into the IDP trust store. Failure to do this will cause the metadata validation process to fail and subsequent 100101043 errors during authentication.