Environment
Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Windows Novell Identity Server
Situation
When defining the Intersite transfer URL within the Admin Console, the administrator can define an id and target for the SAML service provider (SP) being accessed.
Users can then be sent to this SAML SP via the intersite transfer service (/nidp/saml2/idpsend) on the SAML Identity Server (IDP), so that they are prompted for authentication on the IDP server first and are then redirected to the SP, by hitting the following URL:
http(s)://<$idp_host_name>/nidp/saml2/idpsend?id=<$saml_sp_identifier>
If the IDP server has a default contract defined, that contract is what will be executed at the IDP server. If no default contract is defined, a list of the available authentication cards will be displayed for selection on the IDP server. Neither of these options may suit the administrator.
Resolution
Send users to the IDP login service (/nidp/app), which supports passing in a specific contract, and use the intersite transfer URL as the target. For the example above, the following URL would work:
http(s)://<$idp_host_name>/nidp/app?id=<$contract_to_be_executed>&target=http(s)://<$idp_host_name>/nidp/saml2/idpsend?id=<$saml_sp_identifier>
The request is handled by the login service on the IDP server, which accepts a contract id in its id parameter. When the user has been successfully authenticated with that contract, the user is redirected to the target URL. In the case above, the target URL is the intersite transfer URL, which in turn redirects the user to the SAML SP. Because the target value is itself a URL that carries a query string, it should be URL-encoded (? as %3F, = as %3D, / as %2F) so that its parameters cannot be confused with those of the login service URL.
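The following Python is an added example, not code from Novell or from this TID. It builds the login-service URL described above with the target properly percent-encoded, recovers the target the way a query-string parser would see it, and checks that the target stays on the IDP host. The host name idp.example.com, the contract id secure/name/password/form and the SP identifier hrportal are assumed values for illustration; substitute the ones defined in your Admin Console.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed example values (not from the TID); replace with your own.
IDP_HOST = "idp.example.com"
CONTRACT_ID = "secure/name/password/form"   # assumed contract URI
SP_IDENTIFIER = "hrportal"                   # assumed SAML SP identifier


def intersite_transfer_url(idp_host: str, sp_identifier: str, scheme: str = "https") -> str:
    """URL of the IDP intersite transfer service for one SAML SP
    (the /nidp/saml2/idpsend?id=<sp> form from the Situation section)."""
    return f"{scheme}://{idp_host}/nidp/saml2/idpsend?" + urlencode({"id": sp_identifier})


def contract_login_url(idp_host: str, contract_id: str, sp_identifier: str,
                       scheme: str = "https") -> str:
    """Login-service URL that forces a contract and then chains to the
    intersite transfer URL. urlencode percent-encodes the nested target,
    so its '?', '=' and '/' cannot collide with the outer query string."""
    target = intersite_transfer_url(idp_host, sp_identifier, scheme)
    return f"{scheme}://{idp_host}/nidp/app?" + urlencode({"id": contract_id, "target": target})


def target_of(url: str) -> str:
    """Decode the target parameter as a query-string parser on the IDP would."""
    query = parse_qs(urlsplit(url).query)
    return query["target"][0]


def target_stays_on_idp(url: str) -> bool:
    """Defensive check for anyone generating these links from configuration:
    the decoded target must point back at the same IDP host and at the
    intersite transfer service, not at an arbitrary site. This is a check in
    the example, not a statement about what the product itself validates."""
    outer = urlsplit(url)
    inner = urlsplit(target_of(url))
    return inner.netloc == outer.netloc and inner.path == "/nidp/saml2/idpsend"


if __name__ == "__main__":
    link = contract_login_url(IDP_HOST, CONTRACT_ID, SP_IDENTIFIER)
    print(link)
    print("decoded target:", target_of(link))
    print("target on IDP host:", target_stays_on_idp(link))
```

The encoded form differs visibly from the human-readable template in the Resolution: the whole target becomes one opaque parameter value, which is what you want to paste into a portal link or a bookmark.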
Additional Information
One limitation of this URL is that, if the user is already logged in to the IDP server when the login service URL is hit, the user will be shown the IDP user portal page and NOT redirected to the SP. This limitation will be addressed in a future version of the product.