After login, Chrome and Firefox browsers are redirected to retrieve favicon.ico on the proxy URL

  • 7009697
  • 07-Nov-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Linux Access Gateway
Running Access Manager 3.1 SP3 IR2 (3.1.3-292)

Situation

After hitting a protected resource on the Linux Access Gateway (LAG), users are redirected to log in at the Identity (IDP) server. During this phase, users running Chrome and Firefox browser sessions are not correctly redirected onward to their intended target URLs on the LAG appliance but are instead sent to "favicon.ico" at the root of the LAG proxy they are hitting.

On the IDP login page, if you view the page source you can clearly see that the hidden "target" field correctly holds the LAG URL that the user was originally trying to access before being redirected to the IDP to authenticate.

This problem doesn't happen on any version of Internet Explorer.

Resolution

Create a public resource for /favicon.ico at the root of the proxy accelerated web server. Alternatively, one can remove the feature from the Firefox or Chrome browsers via the browser configuration options (see http://en.wikipedia.org/wiki/Favicon).

The issue only occurred when

a) the Identity Provider tab on the IDP configuration had the option 'require signed authentication requests' enabled, and
b) the URL that users were trying to access on the LAG was long.

In this scenario, the signed Authentication request is greater than 1024 characters. When this happens, the LAG/ESP switches from the default redirect binding to the POST binding, in which the Authentication request is auto-submitted to the IDP server from the browser. With the POST binding, the Chrome and Firefox browsers will always attempt to retrieve a favicon.ico object at the root of the proxy service being accessed.

Access Manager 3.2 will have the option to increase the 1024-character threshold at which the redirect binding is replaced by the POST binding. This can be used in cases where the above two workarounds are impossible at customer sites.

Additional Information

For 3.2, one will need to modify the web.xml (/opt/novell/nesp/lib/webapp/WEB-INF/web.xml) parameter at the LAG/ESP to increase the configurable IDFF redirect binding URL maximum length by adding the following:

 <context-param>
     <param-name>IDFFMaxURLLength</param-name>
     <param-value>2048</param-value>
 </context-param>

In the above example, the POST binding will only be used to send the Liberty Authentication Request if the request length is greater than 2048 bytes.
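The binding switch described above (a signed request plus a long target URL pushing the redirect URL over the 1024-character threshold, and IDFFMaxURLLength raising that threshold) can be modelled to see why both conditions were needed. This is an added example, not Access Manager code: the parameter names follow the SAML 2.0 HTTP-Redirect encoding (deflate, base64, URL-encode) as a stand-in for the Liberty ID-FF encoding, the IDP URL, the authentication request and the LAG targets are constructed, and the signature is a fixed-size placeholder.

```python
import base64
import zlib
from urllib.parse import urlencode

DEFAULT_MAX_URL_LENGTH = 1024                      # default threshold named in the TID
IDP_SSO_URL = "https://idp.example.com/nidp/sso"   # constructed IDP endpoint

# Constructed, minimal authentication request; a real one is larger.
AUTHN_REQUEST_XML = (
    '<AuthnRequest ID="REQ-1" IssueInstant="2011-11-07T00:00:00Z">'
    "<ProviderID>https://lag.example.com/nesp</ProviderID>"
    "</AuthnRequest>"
)
# Constructed stand-in for a 1024-bit RSA signature (128 bytes, base64).
PLACEHOLDER_SIGNATURE = base64.b64encode(b"\x00" * 128).decode()


def build_redirect_url(target, signed):
    """Encode the request as the redirect binding would carry it in a URL."""
    raw_deflate = zlib.compress(AUTHN_REQUEST_XML.encode())[2:-4]  # strip zlib header/trailer
    params = {
        "SAMLRequest": base64.b64encode(raw_deflate).decode(),
        "RelayState": target,          # the hidden 'target' field the TID refers to
    }
    if signed:                         # 'require signed authentication requests' enabled
        params["SigAlg"] = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
        params["Signature"] = PLACEHOLDER_SIGNATURE
    return f"{IDP_SSO_URL}?{urlencode(params)}"


def choose_binding(target, signed, max_url_length=DEFAULT_MAX_URL_LENGTH):
    """'redirect' while the URL fits the limit, 'post' once it exceeds it."""
    url = build_redirect_url(target, signed)
    return "redirect" if len(url) <= max_url_length else "post"


# Constructed LAG targets: a short one and a long one with many query parameters.
SHORT_TARGET = "https://lag.example.com/portal/"
LONG_TARGET = SHORT_TARGET + "reports?" + "&".join(
    f"filter{i}=value{i}" for i in range(10, 41)
)

if __name__ == "__main__":
    for label, tgt in (("short", SHORT_TARGET), ("long", LONG_TARGET)):
        for signed in (False, True):
            for limit in (1024, 2048):
                print(f"{label:5} signed={signed!s:5} limit={limit}: "
                      f"{choose_binding(tgt, signed, limit)}")
```

Only the signed request with the long target exceeds 1024 characters and falls back to the POST binding; with the limit raised to 2048 the same request stays on the redirect binding.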