Novell Access Manager 3.2
After installing Novell Access Manager 3.2 and migrating the services, users began to receive a 404 error at the browser after authenticating to the Identity Provider.
Note: This error may also occur after creating new accelerators.
A header trace of the authentication process produces something similar to the following as the ESP receives the assertion from the Identity Server (request headers first, then the Access Gateway's response; note the domain attribute on the Set-Cookie header):
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=4EF58E78762D3E7273E151073EED1590; x-vzr=11123; SSESSbd7c22ec0693efd20fae928b18fbeb3b=b-Dvay3VNq8gZpxmZMQNocwfl9l-ldyTNHCeansa5Vg; Drupal.toolbar.collapsed=0; Drupal.tableDrag.showWeight=0; ZNPCQ003-39353200=bdedded3; has_js=1; ZNPCQ003-37373100=a297f7f6
Date: Tue, 29 May 2012 02:16:31 GMT
Cache-Control: no-cache, no-store, no-cache
Set-Cookie: IPCZQX0330910c69=03000300000000000000000000000000e789ef4e; path=/; domain=.com
Via: 1.1 secure.domain.com (Access Gateway-ag-E711964F5E9C5F37-8)
Keep-Alive: timeout=300, max=94
By default, the cookie domain of any accelerator is one level removed from the DNS name associated with the accelerator: the leftmost label is dropped and a leading dot is added.
Scenario 1: an accelerator with the domain www.mydomain.com would have a default cookie domain of .mydomain.com
Scenario 2: an accelerator with the domain mydomain.com would have a default cookie domain of .com
Of these two scenarios, only Scenario 2 causes the 404 error, because the cookie domain has defaulted to a Top Level Domain (TLD). Browsers refuse to store a cookie whose domain attribute is a TLD or other public suffix, so the Access Gateway cookie in the trace above (domain=.com) is discarded and is never returned on the next request.
Verify the cookie domain of every accelerator and adjust it so that no cookie domain is a Top Level Domain. For example, in Scenario 2 above, set the cookie domain to mydomain.com instead of the default .com. To do this, select the Proxy Service and choose the appropriate entry from the 'Cookie Domain' drop-down list.
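The default-derivation rule and the fix described above, as an added example that is not from the original article or from Novell: a small Python audit that computes the default cookie domain for an accelerator name, flags defaults that land on a TLD or other public suffix, and scans a response header trace for Set-Cookie lines carrying such a domain. The PUBLIC_SUFFIXES set is an assumed, illustrative subset of the Public Suffix List, and the second Set-Cookie line in the sample is constructed to show the corrected form.

```python
"""Audit Access Gateway cookie domains for top-level-domain defaults.

Added example, not code from the original article or from Novell: it derives
the default cookie domain the way the text describes (drop the leftmost DNS
label, add a leading dot) and flags any cookie domain that is a bare TLD or
other public suffix, which browsers refuse to store.  PUBLIC_SUFFIXES is a
deliberately small stand-in (an assumption) for the Mozilla Public Suffix
List; a real audit should load the full list.
"""
from __future__ import annotations

import re

# Illustrative subset only; the real Public Suffix List has thousands of entries.
PUBLIC_SUFFIXES = {
    "com", "net", "org", "edu", "gov", "info", "biz",
    "uk", "co.uk", "org.uk", "au", "com.au", "de", "nl", "nz", "co.nz",
}

_SET_COOKIE = re.compile(r"^Set-Cookie:\s*(.+)$", re.IGNORECASE)


def default_cookie_domain(accelerator_host: str) -> str:
    """The default described in the article: one level removed from the
    accelerator's published DNS name, with a leading dot."""
    labels = accelerator_host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"not a dotted host name: {accelerator_host!r}")
    return "." + ".".join(labels[1:])


def is_public_suffix(cookie_domain: str) -> bool:
    """True when the Domain attribute is a TLD or other public suffix, a value a
    conforming browser rejects (RFC 6265 section 5.3) and the gateway must not use."""
    return cookie_domain.lower().strip().lstrip(".") in PUBLIC_SUFFIXES


def recommended_cookie_domain(accelerator_host: str) -> str:
    """Keep the default when it is acceptable; otherwise fall back to the
    accelerator's own name, which is what the article prescribes for
    mydomain.com (cookie domain mydomain.com instead of .com)."""
    candidate = default_cookie_domain(accelerator_host)
    if not is_public_suffix(candidate):
        return candidate
    return accelerator_host.lower().rstrip(".")


def audit_set_cookie_headers(header_lines: list[str]) -> list[tuple[str, str]]:
    """Scan response header lines and return (cookie name, domain) for every
    Set-Cookie whose Domain attribute is a public suffix."""
    findings: list[tuple[str, str]] = []
    for line in header_lines:
        match = _SET_COOKIE.match(line.strip())
        if not match:
            continue
        parts = [p.strip() for p in match.group(1).split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        for attribute in parts[1:]:
            key, _, value = attribute.partition("=")
            if key.strip().lower() == "domain" and is_public_suffix(value):
                findings.append((cookie_name, value.strip()))
    return findings


# Response headers from the article's trace, plus one constructed line that
# shows what the corrected cookie domain would look like.
SAMPLE_RESPONSE_HEADERS = [
    "Date: Tue, 29 May 2012 02:16:31 GMT",
    "Cache-Control: no-cache, no-store, no-cache",
    "Set-Cookie: IPCZQX0330910c69=03000300000000000000000000000000e789ef4e; path=/; domain=.com",
    "Set-Cookie: IPCZQX0330910c69=03000300000000000000000000000000e789ef4e; path=/; domain=mydomain.com",  # constructed
    "Via: 1.1 secure.domain.com (Access Gateway-ag-E711964F5E9C5F37-8)",
]

if __name__ == "__main__":
    for host in ("www.mydomain.com", "mydomain.com", "shop.co.uk"):
        default = default_cookie_domain(host)
        verdict = "REJECTED by browsers" if is_public_suffix(default) else "ok"
        print(f"{host:20} default {default:16} {verdict:22} use {recommended_cookie_domain(host)}")
    for name, domain in audit_set_cookie_headers(SAMPLE_RESPONSE_HEADERS):
        print(f"Set-Cookie {name} has public-suffix domain {domain!r}: fix the Cookie Domain")
```

Run it directly to see the per-accelerator verdicts; for a real audit, load the full Public Suffix List into PUBLIC_SUFFIXES and pass the Set-Cookie lines from your own header trace to audit_set_cookie_headers.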
Novell Access Manager 3.2 introduces significant architectural changes and stricter security validation. An incorrectly configured cookie domain can prevent the ESP's SOAP back channel from receiving the assertions it needs from the Identity Provider.
This behaviour may differ from that seen in earlier releases of Novell Access Manager.
Credit to Ben Walter from Directory Concepts for this information.