Submitting credentials after the Identity Server session timeout causes a redirect to the Identity Server portal page

  • 7004695
  • 20-Oct-2009
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Custom login pages created on the Identity Server

Situation

An administrator customises the Access Manager 3.1 login pages based on the Access Manager 3.0 model. This involves creating a separate JSP page and using the two properties of the login method, JSP and UseJSP, to render the custom login page. More details on this process are available at http://www.novell.com/documentation/novellaccessmanager31/installation/?page=/documentation/novellaccessmanager31/installation/data/bgfx9yh.html#bjyje5t (7.2.4 Modifying 3.0 Login Pages for 3.1 SP1).

With this custom login page setup, users accessing protected resources on the Linux Access Gateway (LAG) are sometimes presented with the Identity Server (IDP) portal page instead of the LAG protected resource after submitting their credentials. This happens if the user, after being redirected to the IDP login page, waits longer than the IDP session timeout before submitting the credentials.

In this scenario the IDP, upon receiving the credentials, realises that the original session is invalid and creates a new session to validate the credentials. With this new session, we lose the original user's context, which includes the target (redirect) URL to be used after validating the credentials.

Resolution

When customising the login JSP page, the following code needs to be added somewhere within the form content of the JSP so that the hidden target/redirect field is added to the form. With this code in place, the new session will still reference the URL to redirect the user to, even if the original session has timed out.

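<%-- Re-emit the original target (redirect) URL as a hidden form field so that
     it is posted back together with the credentials. --%>
<%
  String target = (String) request.getAttribute("target");
  if (target != null)
  {
%>
    <input type="hidden" name="target" value="<%=target%>">
<%
  }
%>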