Identity Injection fails to inject correct credentials into Authorization header when browsers send Authorization headers to proxy

  • 7002512
  • 30-Jan-2009
  • 26-Apr-2012

Environment

Novell Access Manager 3 Linux Access Gateway
Novell Access Manager 3 Support Pack 4 applied

Situation

Customer has a Linux Access Gateway (LAG) protected resource with a Basic Auth enabled contract.
The authentication process to the Identity (IDP) server works great: the browser requests to the
IDP server include the HTTP Authorization header as expected.

The LAG protected resource also has an Identity Injection policy enabled that injects the user's
email address and password into the HTTP Authorization header, for single sign-on to the applications
running on the Web server.

When accessing these applications through the LAG, users were being asked to authenticate again via
the Basic Auth pop-up. It turns out that the Authorization header sent to the back-end Web server
by the LAG always contains the HTTP Auth header details from the incoming browser request, not those
retrieved by the Identity Injection policy.

This is working as designed. When the LAG receives an HTTP Authorization header from the browser or user agent,
it forwards that header to the back-end Web server. This happens regardless of whether the LAG
protected resource for that application has an Identity Injection policy enabled to inject credentials
into the Authorization header.

Resolution

Install the Access Manager 3.0 SP4 IR2 patch and create the touch file /var/novell/.overwrite_AuthHeader_With_IIData.

When this touch file exists, the LAG no longer forwards the browser's Authorization header to the back-end Web server directly; instead it sends an Authorization header populated by Identity Injection. In other words, even when the browser supplied an Authorization header, the LAG sends the credentials retrieved by executing the II policy.
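As an added illustration (not part of this TID or of the Access Gateway's own code), the following Python models the header-selection rule described above, both in the default mode and with the touch file present, and decodes the Basic credential a back-end application receives so an administrator can confirm which identity actually arrived. The sample credentials and all function names are constructed for the example; the behaviour when no browser header is present, or when the override is on but the II policy yields nothing, is an assumption noted in the comments.

```python
import base64
import os

OVERRIDE_FLAG = "/var/novell/.overwrite_AuthHeader_With_IIData"  # path from the TID


def basic_auth_header(username: str, password: str) -> str:
    """Build a Basic credential (user:password, base64) for an Authorization header."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header):
    """Return (user, password) from a Basic Authorization header, or None if not Basic."""
    if header is None:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, pwd = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, pwd


def select_auth_header(browser_headers, ii_credentials, override_enabled):
    """Model of which Authorization header the LAG sends to the back-end Web server.

    browser_headers: headers received from the user agent (case-insensitive lookup).
    ii_credentials: (email, password) produced by the Identity Injection policy, or None.
    override_enabled: True when the touch file from the TID exists.
    """
    browser_auth = next((v for k, v in browser_headers.items()
                         if k.lower() == "authorization"), None)
    ii_auth = basic_auth_header(*ii_credentials) if ii_credentials else None
    if browser_auth is not None and not override_enabled:
        return browser_auth  # default: the browser's header is forwarded unchanged
    # Override on, or no browser header: send the II credentials.
    # Assumption: with nothing from II, whatever the browser sent is passed through.
    return ii_auth if ii_auth is not None else browser_auth


def override_flag_present(path: str = OVERRIDE_FLAG) -> bool:
    """Check on the gateway itself whether the touch file has been created."""
    return os.path.exists(path)


# Constructed sample: the browser already holds the contract's Basic credentials.
BROWSER = {"Authorization": basic_auth_header("jdoe", "contract-secret")}
II_CREDS = ("jdoe@example.com", "app-secret")
```

Running `decode_basic(select_auth_header(BROWSER, II_CREDS, override_flag_present()))` on the gateway shows which identity the back end will see before and after the touch file is created.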