Environment
Novell Access Manager 3.1 Linux Access Gateway
Situation
Access Manager 3.1 Support Pack 1 installed. Clustered setup of two Identity Server (IDP) and two Linux Access Gateway (LAG) servers. Everything was working fine, i.e. all users could hit protected resources and authenticate to the IDP servers.
A few configuration changes were made and applied to all LAGs in the cluster. The main change was to enable the 'Enable Caching of Objects with CGI in The Path' option under the caching options. This parameter is disabled by default.
Users then started reporting a random 300101010 error. This error indicates that an assertion was received whose InResponseTo ID did not match the ID of any outstanding authentication request. It only happened when the Embedded Service Provider (ESP) proxied a request to another LAG in the cluster. Looking at the log files when the problem occurred, we could see that the LAG set 2 JSESSIONID cookies with different values for the same path:
HTTP/1.x 302 Moved Temporarily
Server: Apache-Coyote/1.1, Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4EC09B5AA6794A7A239B430B5A40220E; Path=/nesp
Set-Cookie: JSESSIONID=269D6DC871AADD170128FD5851CC8911; Path=/nesp
When the browser sends these cookies back, the LAG sees two JSESSIONIDs instead of the single one it originally set, and invalidates the original session. The incoming assertion is then rejected because its InResponseTo ID no longer matches the RequestID of any authentication request belonging to a valid session.
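The following script is an added example, not part of the original TID or of Access Manager. It parses a captured ESP response like the one quoted above (the capture is embedded as constructed test data) and flags the symptom described here: the same cookie name set more than once for the same Path, plus what the browser would send back on its next request. The doubled Server header is treated as a secondary hint that two responses were merged; that heuristic is an assumption, not something the TID states.

```python
"""Detect duplicate session cookies in a captured LAG/ESP response.

Added example (not from the original TID). The response is the capture
quoted in the Situation section, reproduced here as constructed input.
"""
from collections import defaultdict
from http.cookies import SimpleCookie

# Constructed from the capture in the Situation section.
CAPTURED_RESPONSE = """HTTP/1.x 302 Moved Temporarily
Server: Apache-Coyote/1.1, Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4EC09B5AA6794A7A239B430B5A40220E; Path=/nesp
Set-Cookie: JSESSIONID=269D6DC871AADD170128FD5851CC8911; Path=/nesp
"""

# A healthy response for comparison (constructed, single session cookie).
CLEAN_RESPONSE = """HTTP/1.x 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4EC09B5AA6794A7A239B430B5A40220E; Path=/nesp
"""


def parse_response(raw):
    """Split a raw HTTP response into (status_code, [(header, value), ...])."""
    lines = raw.strip().splitlines()
    status_code = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_code, headers


def set_cookies(headers):
    """Return [(cookie_name, value, path)] for every Set-Cookie header, in order."""
    out = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for key, morsel in jar.items():
            out.append((key, morsel.value, morsel["path"] or "/"))
    return out


def duplicate_cookies(cookies):
    """Group cookies by (name, path) and return the groups set more than once."""
    groups = defaultdict(list)
    for name, value, path in cookies:
        groups[(name, path)].append(value)
    return {k: v for k, v in groups.items() if len(v) > 1}


def client_cookie_header(cookies):
    """What a browser sends back for these cookies: both values, since the
    cookies differ only in value, not in name or Path."""
    return "; ".join(f"{name}={value}" for name, value, _ in cookies)


def merged_server_values(headers):
    """Heuristic (assumption): a comma-joined Server header suggests two
    responses (one cached, one live) were merged into one."""
    for name, value in headers:
        if name == "server":
            return len([v for v in value.split(",") if v.strip()])
    return 0


def diagnose(raw):
    """Summarise the cache-merge symptom for one captured response."""
    status_code, headers = parse_response(raw)
    cookies = set_cookies(headers)
    return {
        "status": status_code,
        "duplicates": duplicate_cookies(cookies),
        "client_cookie_header": client_cookie_header(cookies),
        "server_values": merged_server_values(headers),
    }


if __name__ == "__main__":
    for label, raw in (("captured", CAPTURED_RESPONSE), ("clean", CLEAN_RESPONSE)):
        result = diagnose(raw)
        print(label, "duplicates:", result["duplicates"] or "none")
        print(label, "browser would send:", result["client_cookie_header"])
```

Run it against a response saved from a browser's network log or a LAG trace; any non-empty `duplicates` entry for JSESSIONID on `/nesp` is the condition that triggers the 300101010 error described above.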
Resolution
Add a Pin List entry for the /nesp/* URL path so that the ESP's responses are not served from the LAG cache.
With caching of objects with CGI in the path enabled, the LAG was caching the ESP's 302 redirects (which carry a Set-Cookie for /nesp) from previous sessions and serving them again, so the browser received two JSESSIONID cookies: the cached one and the one from the live request.