Novell Access Management 3 Linux Access Gateway
Novell Access Management 3 Linux Novell Identity Server
Access Manager setup with the Identity Server (IDP) running behind a Linux Access Gateway, i.e. accelerated by the Linux Access Gateway proxy service. The documentation was followed, but when any user attempted to log in to the IDP server, the browser would report the following 100101044 error: Embedded Provider failed to load Identity Provider metadata
The IDP server was serviced by a path-based multi-homed accelerator, with no stripping of the path enabled. When the problem occurred, the following entries would appear in the catalina.out file of the IDP server at /var/opt/novell/tomcat4/logs. What we can see from the log files is that the Linux Access Gateway ESP generates the 100101044 error. The LAN traces also show that there is no communication between the ESP and the IDP server. Note that the error text quoted in the log ("The reference to entity "StatusCode" must end with the ';' delimiter") is an XML parser message: whatever the ESP received when it requested the metadata URL contained an unescaped "&StatusCode" and so was not the IDP's metadata document.
<amLogEntry> 2007-06-14T01:58:58Z NIDS Trace: Method: CacheMap.A()
Retrieval of object com.novell.nidp.servlets.NIDPServletSession@50620f from
cache session succeeded using key 337A810C1087B8AFA9AB37C031B81782. Cache size
2007-06-14T01:58:58Z INFO NIDS Application: AM#500105024:
AMDEVICEID#0332: AMAUTHID#337A810C1087B8AFA9AB37C031B81782: ESP is requesting
metadata from IDP http://idp1.web.com/nidp/idff/metadata
<amLogEntry> 2007-06-14T01:58:58Z SEVERE NIDS IDFF: AM#100106001:
AMDEVICEID#0332: Unable to load metadata for Embedded Service Provider:
http://idp1.web.com/nidp/idff/metadata, error: The reference to entity
"StatusCode" must end with the ';' delimiter.
<amLogEntry> 2007-06-14T01:58:58Z INFO NIDS Application: AM#500105039:
AMDEVICEID#0332: AMAUTHID#337A810C1087B8AFA9AB37C031B81782: Error on session
id 337A810C1087B8AFA9AB37C031B81782, error 100101044-esp-033298BB8611818E,
Unable to authenticate. AM#100101044: AMDEVICEID#0332: : Embedded Provider
failed to load Identity Provider metadata
<amLogEntry> 2007-06-14T01:58:58Z INFO NIDS Application: AM#500105010:
AMDEVICEID#0332: AMAUTHID#337A810C1087B8AFA9AB37C031B81782: Contract IDP
Select requires additional interaction.
We switched the reverse proxy on the Linux Access Gateway from being path-based to domain-based and all started working. Path-based should have worked too, and the assumption is that there may have been an issue with the rewriter on that server, even though the docs were followed.
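A quick way to confirm this kind of failure before changing the accelerator is to request the metadata URL the way the ESP does (from the gateway host, with the public host name) and check that the body is well-formed XML whose root is an EntityDescriptor rather than an error page. The script below is an added example written for this article, not Novell code; the metadata namespaces and the two sample responses are assumptions/constructed, and the parser message differs from the Java one in the log but fails on the same unescaped "&StatusCode".

```python
"""Check that a metadata URL returns provider metadata, not a proxy error page."""
import sys
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Assumed root elements for ID-FF 1.2 and SAML 2.0 metadata: (namespace, local name).
METADATA_ROOTS = {
    ("urn:liberty:metadata:2003-08", "EntityDescriptor"),
    ("urn:oasis:names:tc:SAML:2.0:metadata", "EntityDescriptor"),
}


def check_metadata(body: bytes) -> Tuple[bool, str]:
    """Return (ok, diagnosis) for the bytes returned by a metadata URL."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        # Same class of failure as the ESP log entry: the body is not well-formed
        # XML, e.g. an HTML page whose link contains a raw '&StatusCode='.
        snippet = body[:60].decode("latin-1", "replace")
        return False, f"not well-formed XML ({exc}); body starts with: {snippet!r}"
    ns, _, local = root.tag.rpartition("}")  # ElementTree tags look like "{ns}local"
    ns = ns.lstrip("{")
    if (ns, local) not in METADATA_ROOTS:
        return False, f"well-formed XML but root is {root.tag}, not EntityDescriptor"
    return True, f"metadata OK, root {root.tag}"


def fetch_and_check(url: str, host_header: Optional[str] = None) -> Tuple[bool, str]:
    """Fetch the URL as the ESP would; an explicit Host header lets you target the
    accelerator address directly while presenting the published host name."""
    req = urllib.request.Request(url)
    if host_header:
        req.add_header("Host", host_header)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return check_metadata(resp.read())


# Constructed sample responses (not captured from a real system).
GOOD = (b'<?xml version="1.0"?><md:EntityDescriptor '
        b'xmlns:md="urn:liberty:metadata:2003-08" '
        b'providerID="http://idp1.web.com/nidp/idff/metadata"/>')
BAD = b'<html><body><a href="/nidp/app?Status=Error&StatusCode=500">retry</a></body></html>'

if __name__ == "__main__":
    # Usage: python check_metadata.py http://idp1.web.com/nidp/idff/metadata
    ok, why = fetch_and_check(sys.argv[1]) if len(sys.argv) > 1 else check_metadata(BAD)
    print("OK" if ok else "FAIL", why)
```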