ESP produces 404 error after upgrade to Access Manager 3.2

  • 7008339
  • 29-May-2012
  • 29-May-2012

Environment

Novell Access Manager 3.2

Situation

Access Manager 3.1 was configured and working well, i.e. users could access protected resources behind the Linux Access Gateway (LAG) after authenticating with the Identity Server.

After installing Novell Access Manager 3.2 and migrating the services, users began to receive the following error at the browser after authenticating to the Identity Provider:

404-esp-[deviceid]

Note: This error may also occur after creating new accelerators.

A header trace of the authentication process produces something similar to the following as the ESP receives the assertion from the Identity Server:

GET /nesp/idff/spassertion_consumer?SAMLart=AAN6L%2ByJ3i2TCtLUQzeucNIogEctqgDOi3qCv4MOX2akI1OXTcTeJtot&RelayState=MA%3D%3D HTTP/1.1
Host: secure.domain.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-nz,en-gb;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: https://secure.domain.com/nidp/idff/sso?sid=0
Cookie: JSESSIONID=4EF58E78762D3E7273E151073EED1590; x-vzr=11123; SSESSbd7c22ec0693efd20fae928b18fbeb3b=b-Dvay3VNq8gZpxmZMQNocwfl9l-ldyTNHCeansa5Vg; Drupal.toolbar.collapsed=0; Drupal.tableDrag.showWeight=0; ZNPCQ003-39353200=bdedded3; has_js=1; ZNPCQ003-37373100=a297f7f6

HTTP/1.1 200 OK
Date: Tue, 29 May 2012 02:16:31 GMT
Pragma: No-cache
Cache-Control: no-cache, no-store, no-cache
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 402
Set-Cookie: IPCZQX0330910c69=03000300000000000000000000000000e789ef4e; path=/; domain=.com
P3p: CP="NOI"
X-Mag:E711964F5E9C5F37;e789ef4e;8;usrLkup->0;usrBase->0;_AUTO_;publicURL->0;_nesp_;RwDis;FP2->17;FP4->93;C003;
Via: 1.1 secure.domain.com (Access Gateway-ag-E711964F5E9C5F37-8)
Keep-Alive: timeout=300, max=94
Connection: Keep-Alive

By default, the cookie domain of any accelerator will be one level removed from the domain associated with the accelerator.

Scenario 1:

An accelerator with the domain www.mydomain.com would have a default cookie domain of .mydomain.com

Scenario 2:

An accelerator with the domain mydomain.com would have a default cookie domain of .com

Of the two scenarios above, only Scenario 2 causes the 404 error, because its cookie domain has defaulted to a Top Level Domain (TLD).

Resolution

Verify the cookie domain of every accelerator and adjust it where necessary so that no cookie domain is a Top Level Domain.

For example, in Scenario 2 above, set the cookie domain to mydomain.com instead of the default .com. This is done by opening the 'Proxy Service' and choosing the appropriate option from the 'Cookie Domain' drop-down list.
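A small audit script, added here as an example and not part of the product or this article, that applies the "one label removed" rule above to a list of accelerator hostnames and also scans Set-Cookie lines from a header trace for a cookie domain that is a public suffix. The public-suffix set it uses is a constructed sample (an assumption), not the full Public Suffix List.

```python
"""Audit Access Gateway cookie domains for the TLD default described above.
Rule from the article: the default cookie domain is the accelerator hostname
with its left-most label removed. PUBLIC_SUFFIXES is a constructed sample
(assumption); a production audit should use the full Public Suffix List."""
import re

PUBLIC_SUFFIXES = {"com", "net", "org", "nz", "co.nz", "uk", "co.uk"}
_DOMAIN_ATTR = re.compile(r";\s*domain=([^;\s]+)", re.IGNORECASE)


def default_cookie_domain(hostname: str) -> str:
    """Default cookie domain: one label removed, with a leading dot."""
    labels = hostname.strip(".").lower().split(".")
    return "." + ".".join(labels[1:])


def is_public_suffix(cookie_domain: str) -> bool:
    """True when the cookie domain is a TLD or other public suffix."""
    return cookie_domain.lstrip(".").lower() in PUBLIC_SUFFIXES


def audit_accelerators(hostnames):
    """Map each hostname whose default cookie domain would be a public
    suffix to that unsafe default, so the admin knows what to override."""
    findings = {}
    for host in hostnames:
        domain = default_cookie_domain(host)
        if is_public_suffix(domain):
            findings[host] = domain
    return findings


def tld_cookies_in_trace(trace: str):
    """Return [(cookie name, domain)] for each Set-Cookie line in a header
    trace whose Domain attribute is a public suffix."""
    hits = []
    for line in trace.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        name = line.split(":", 1)[1].strip().split("=", 1)[0]
        match = _DOMAIN_ATTR.search(line)
        if match and is_public_suffix(match.group(1)):
            hits.append((name, match.group(1)))
    return hits


if __name__ == "__main__":
    # Constructed inputs: the article's two scenarios and a trace-style Set-Cookie line.
    print(audit_accelerators(["www.mydomain.com", "mydomain.com"]))
    print(tld_cookies_in_trace("Set-Cookie: IPCZQX0330910c69=03; path=/; domain=.com"))
```

Any hostname reported by audit_accelerators needs its 'Cookie Domain' set explicitly, as described in the Resolution.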

Cause


Additional Information

Novell Access Manager 3.2 has significant architectural changes and increased security validation. If cookie domains are incorrectly configured, this can prevent the ESP's SOAP back channel from receiving the necessary assertions from the Identity Provider.

This behaviour may differ from that seen in earlier releases of Novell Access Manager.


Credit to Ben Walter from Directory Concepts for this information.