Environment
Novell Access Manager 3.2
Situation
After installing Novell Access Manager 3.2 and migrating the services, users began to receive the following error at the browser after authenticating to the Identity Provider:
404-esp-[deviceid]
Note: This error may also occur after creating new accelerators.
A header trace of the authentication process produces something similar to the following as the ESP receives the assertion from the Identity Server:
GET /nesp/idff/spassertion_consumer?SAMLart=AAN6L%2ByJ3i2TCtLUQzeucNIogEctqgDOi3qCv4MOX2akI1OXTcTeJtot&RelayState=MA%3D%3D HTTP/1.1
Host: secure.domain.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-nz,en-gb;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: https://secure.domain.com/nidp/idff/sso?sid=0
Cookie: JSESSIONID=4EF58E78762D3E7273E151073EED1590; x-vzr=11123; SSESSbd7c22ec0693efd20fae928b18fbeb3b=b-Dvay3VNq8gZpxmZMQNocwfl9l-ldyTNHCeansa5Vg; Drupal.toolbar.collapsed=0; Drupal.tableDrag.showWeight=0; ZNPCQ003-39353200=bdedded3; has_js=1; ZNPCQ003-37373100=a297f7f6

HTTP/1.1 200 OK
Date: Tue, 29 May 2012 02:16:31 GMT
Pragma: No-cache
Cache-Control: no-cache, no-store, no-cache
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 402
Set-Cookie: IPCZQX0330910c69=03000300000000000000000000000000e789ef4e; path=/; domain=.com
P3p: CP="NOI"
X-Mag: E711964F5E9C5F37;e789ef4e;8;usrLkup->0;usrBase->0;_AUTO_;publicURL->0;_nesp_;RwDis;FP2->17;FP4->93;C003;
Via: 1.1 secure.domain.com (Access Gateway-ag-E711964F5E9C5F37-8)
Keep-Alive: timeout=300, max=94
Connection: Keep-Alive
Note the Set-Cookie header in the response above: the session cookie is being set with domain=.com. By default, the cookie domain of any accelerator will be one level removed from the domain associated with the accelerator.
Scenario 1:
An accelerator with the domain www.mydomain.com would have a default cookie domain of .mydomain.com
Scenario 2:
An accelerator with the domain mydomain.com would have a default cookie domain of .com
In the above two scenarios, only Scenario 2 would cause the 404 error, as the cookie domain has defaulted to a Top Level Domain (TLD).
Resolution
Verify cookie domains across all accelerators and adjust accordingly so that no cookie domain utilises Top Level Domains.
For example, in Scenario 2 above, set the cookie domain to mydomain.com instead of the default .com. This is done by selecting the 'Proxy Service' and selecting the appropriate option from the 'Cookie Domain' drop-down list.
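The following script is an added example, not Novell/NetIQ code or a tool from this article. It models the "one level removed" default described in the two scenarios, flags any effective cookie domain that has collapsed to a bare TLD, and pulls the domain attribute out of a Set-Cookie header so the check can be run against a header trace like the one above. The accelerator names in the sample inventory are constructed values; the Set-Cookie value is the one from the trace.

```python
from typing import Dict, List, Optional, Tuple


def default_cookie_domain(accelerator_host: str) -> str:
    """Model the Access Gateway default: drop the left-most label and
    prefix a dot, so www.mydomain.com -> .mydomain.com and mydomain.com -> .com."""
    labels = accelerator_host.lower().strip(".").split(".")
    if len(labels) < 2:
        raise ValueError("accelerator host must have at least two labels: %r" % accelerator_host)
    return "." + ".".join(labels[1:])


def is_tld_cookie_domain(cookie_domain: str) -> bool:
    """True when the cookie domain is a single label such as .com.
    Assumption: a single-label suffix is treated as a TLD; multi-label public
    suffixes (e.g. .co.uk) would need the Public Suffix List, which this
    example deliberately does not pull in."""
    return "." not in cookie_domain.strip(".")


def cookie_domain_from_set_cookie(header_value: str) -> Optional[str]:
    """Return the Domain attribute of a Set-Cookie header value, or None
    if the cookie is host-only (no Domain attribute)."""
    for attribute in header_value.split(";")[1:]:
        name, _, value = attribute.strip().partition("=")
        if name.lower() == "domain":
            return value.strip()
    return None


def audit_accelerators(accelerators: Dict[str, Optional[str]]) -> List[Tuple[str, str]]:
    """accelerators maps accelerator host -> configured cookie domain,
    or None when the default is left in place. Returns (host, effective
    cookie domain) for every accelerator whose cookie domain is a bare TLD."""
    findings = []
    for host, configured in accelerators.items():
        effective = configured if configured else default_cookie_domain(host)
        if is_tld_cookie_domain(effective):
            findings.append((host, effective))
    return findings


# Constructed sample inventory: two accelerators on defaults, one explicitly
# (mis)configured to .com, and one corrected as the Resolution describes.
SAMPLE_ACCELERATORS = {
    "www.mydomain.com": None,        # default -> .mydomain.com, fine
    "mydomain.com": None,            # default -> .com, triggers 404-esp
    "secure.domain.com": ".com",     # explicit TLD cookie domain
    "portal.mydomain.com": "mydomain.com",
}

# Set-Cookie value taken from the header trace above.
TRACE_SET_COOKIE = (
    "IPCZQX0330910c69=03000300000000000000000000000000e789ef4e; path=/; domain=.com"
)

if __name__ == "__main__":
    for host, domain in audit_accelerators(SAMPLE_ACCELERATORS):
        print("accelerator %s has TLD cookie domain %s" % (host, domain))
    trace_domain = cookie_domain_from_set_cookie(TRACE_SET_COOKIE)
    if trace_domain and is_tld_cookie_domain(trace_domain):
        print("header trace shows TLD cookie domain %s" % trace_domain)
```

Running it lists mydomain.com and secure.domain.com as the accelerators needing attention and confirms that the Set-Cookie line in the trace carries the problematic domain=.com. Because the inventory is a plain dictionary, the same functions can be fed a list exported from the Administration Console, or the trace parser can be run over captured responses before and after the Cookie Domain change to confirm the fix took effect.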
Cause
Additional Information
Novell Access Manager 3.2 has significant architectural changes and increased security validation. If cookie domains are incorrectly configured, this can interrupt the ESP’s SOAP back channel from receiving necessary assertions from the Identity Provider.
This behaviour may differ from that seen in earlier releases of Novell Access Manager.
Credit to Ben Walter from Directory Concepts for this information.