Cannot single sign on to back end Web application when passwordfetch class is enabled

  • 7007376
  • 15-Dec-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server

Situation

Access Manager is set up to protect back end Web applications. Authentication to the Identity (IDP) server works fine, and the Linux Access Gateway (LAG) successfully proxies requests to multiple web servers.

New users are added to the system who already sign into a local Kerberos AD domain. A corresponding Kerberos contract is created on the IDP server and is used to single sign on (SSO) these already logged in Kerberos users to the Access Manager environment.

Since the back end applications protected by the LAG require LDAP attributes and passwords, the password fetch class is configured. The form fill and identity injection policies both need to inject user passwords, which are retrieved by the password fetch class. However, when accessing these back end applications through the LAG, users cannot successfully SSO. The user password is never sent from the LAG to the back end web server (via the HTTP Authorization basic header or an HTML form). Users get login errors and/or are manually prompted for their credentials.

Resolution

Make sure that the password fetch method has the 'identifies user' flag enabled.

When the user executes the password fetch class, an LDAP search request is made into the defined user store to retrieve either the Universal or Simple password (using LDAP extensions). When the password is returned, the data is only cached and made available to the LAG ESP if the 'identifies user' flag is enabled. Without it, the LAG ESP will never receive the user's password, and SSO to back end Web servers will fail whenever a policy is configured to send that password.