Access manager 100101044 error: "The reference to entity "StatusCode" must end with the ';' delimiter."

  • Document ID:3601247
  • Creation Date:06-Jul-2007
  • Modified Date:26-Apr-2012
    • Micro Focus Products:
      Access Manager (NAM)

Environment


Novell Access Management 3 Linux Access Gateway
Novell Access Management 3 Linux Novell Identity Server

Situation

Access Manager setup with the Identity Server (IDP) running behind a Linux Access Gateway

ie. accelerated by the Linux Access Gateway proxy service. The documentation was followed

at https://www.novell.com/documentation/novellaccessmanager/basicconfig/index.html?page=/documentation/novellaccessmanager/basicconfig/data/b8985pl.html

but when any user attempted to login to the IDP server, the browser would report the following

100101044 error: Embedded Provider failed to load Identity Provider metadata
The IDP server was serviced by a path based multihomed accelerator, with no stripping of the

path enabled. When the problem occured, the following entries would appear in the catalina.out

file of the IDP server at /var/opt/novell/tomcat4/logs. What we can see from the log

files is that the Linux Access Gateway eSP generates the 10101044 error. The LAN traces

also show that there is no comms between the eSP and IDP server.

<
amLogEntry> 2007-06-14T01:58:58Z NIDS Trace: Method: CacheMap.A()

Thread: http-8080-Processor1

Retrieval of object com.novell.nidp.servlets.NIDPServletSession@50620f from

cache session succeeded using key 337A810C1087B8AFA9AB37C031B81782.  Cache size

is 2

<
 /amLogEntry>
 2007-06-14T01:58:58Z INFO NIDS Application: AM#500105024:

AMDEVICEID#0332: AMAUTHID#337A810C1087B8AFA9AB37C031B81782:  ESP is requesting

metadata from IDP http://idp1.web.com/nidp/idff/metadata

<
amLogEntry> 2007-06-14T01:58:58Z SEVERE NIDS IDFF: AM#100106001:

AMDEVICEID#0332:  Unable to load metadata for Embedded Service Provider:
http://idp1.web.com/nidp/idff/metadata, error: The reference to entity
"StatusCode" must end with the ';' delimiter. 

<
amLogEntry> 2007-06-14T01:58:58Z INFO NIDS Application: AM#500105039:

AMDEVICEID#0332: AMAUTHID#337A810C1087B8AFA9AB37C031B81782:  Error on session

id 337A810C1087B8AFA9AB37C031B81782, error 100101044-esp-033298BB8611818E,

Unable to authenticate.  AM#100101044: AMDEVICEID#0332: : Embedded Provider

failed to load Identity Provider metadata 

<
amLogEntry> 2007-06-14T01:58:58Z INFO NIDS Application: AM#500105010:

AMDEVICEID#0332: AMAUTHID#337A810C1087B8AFA9AB37C031B81782:  Contract IDP

Select requires additional interaction.

Resolution

We switched the reverse proxy on the Linux Access Gateway from being path based to domain based and all started working. Path based should have worked too and the assumption is that there may have been an issue with the rewriter on that server, even though the docs were followed.