Cannot access Identity Server login page when hitting protected resource after upgrading from Access Manager 3.1 to 3.1 Support Pack 1

  • 7004079
  • 03-Aug-2009
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Linux Novell Identity Server

Situation

Access Manager 3.1 setup where authentication to the Access Gateway protected resources is working fine. Multiple proxy services exist where the ESP (Embedded Service Provider) enabled proxy and a non-ESP enabled proxy are in the same DNS domain. The ESP secure cookie flag is also enabled, so that the ESP cookie has the Secure attribute when it is set.

When the user hits a protected resource on either the ESP enabled or the non-ESP enabled proxy service, the user is redirected to the Identity Server (IDP) login page to authenticate.

After upgrading to Access Manager 3.1 Support Pack 1, and confirming that the Secure Cookies option was enabled (Access Gateway -> Authentication Settings -> Secure Cookies), users accessing the non-ESP enabled protected resources would get a blank page; no IDP login page would be presented to the user. This occurs if the following conditions hold true:

1. the top level domain consists of two characters, e.g. .de, .fr, .ie
2. multiple proxy services exist: one assigned to be the ESP and a non-ESP proxy service, or a domain based proxy service existed on the ESP
3. the ESP and non-ESP proxy services are part of the same DNS domain


No error is visible in the browser; the only visible error is in the Tomcat logs in debug mode, where the following string is output:

<amLogEntry> 2009-07-28T11:22:49Z WARNING NIDS Application: Exception:
NIDPMAIN.112 </amLogEntry>
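The following added diagnostic helper (example code, not part of this TID or of the Novell product) checks whether a pair of proxy service host names meets conditions 1 and 3 above, classifies the final response of a protected-resource request as the blank page symptom or a login page, and lists cookies set without the Secure attribute. The host names, cookie name and response chain are constructed; the login-page heuristic (a form with a password field) is an assumption.

```python
# Added diagnostic example (not Novell code) for the symptom described in this TID.
from http.cookies import SimpleCookie


def parent_domain(host):
    """Parent DNS domain of a host, e.g. www.example.de -> example.de.
    Assumption: a plain label split, not a public-suffix lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def has_two_char_tld(host):
    """Condition 1: the top level domain is two characters (.de, .fr, .ie)."""
    return len(host.rstrip(".").rsplit(".", 1)[-1]) == 2


def matches_tid_conditions(esp_host, non_esp_host):
    """Conditions 1 and 3: two-character TLD, and the ESP and non-ESP
    proxy services share the same DNS domain."""
    return (has_two_char_tld(esp_host)
            and parent_domain(esp_host) == parent_domain(non_esp_host))


def classify_outcome(chain):
    """chain: [(status, headers, body), ...] in redirect order; last is final.
    Returns 'blank_page' (the symptom), 'idp_login' (expected) or 'other'.
    Assumption: a login page is recognised by a form with a password field."""
    status, _headers, body = chain[-1]
    if status == 200 and not body.strip():
        return "blank_page"
    low = body.lower()
    if status == 200 and "<form" in low and 'type="password"' in low:
        return "idp_login"
    return "other"


def cookies_missing_secure(chain):
    """Names of cookies set anywhere in the chain without the Secure attribute."""
    missing = []
    for _status, headers, _body in chain:
        for value in headers.get("set-cookie", []):
            jar = SimpleCookie()
            jar.load(value)
            missing.extend(n for n, m in jar.items() if not m["secure"])
    return missing


# Constructed sample chain: the non-ESP proxy redirects to the ESP host, which
# answers with an empty 200 instead of sending the user on to the IDP login page.
SAMPLE_CHAIN = [
    (302, {"location": "https://esp.example.de/",
           "set-cookie": ["sessioncookie=abc; Path=/; Domain=.example.de"]}, ""),
    (200, {"set-cookie": []}, ""),
]
```

Feed `classify_outcome` the status/headers/body tuples captured from a browser or HTTP client while following redirects; `blank_page` together with `matches_tid_conditions` returning True is the situation this TID describes.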

Resolution

Fixed in Access Manager 3.1 Support Pack 1 Interim Release 1. A security enhancement added to the 3.1 SP1 code base to prevent phishing attacks caused this issue.