After login, Chrome and Firefox browsers are redirected to retrieve favicon.ico on the proxy URL

  • 7009697
  • 07-Nov-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Linux Access Gateway
Running Access Manager 3.1 SP3 IR2 (3.1.3-292)

Situation

After hitting a protected resource on the Linux Access Gateway (LAG), users are being redirected to login at the Identity (IDP) server. During this phase, users running Chrome and Firefox browser sessions are not correctly redirected onward to their intended target URLs on the LAG appliance but are instead they are sent to "favicon.ico" at the root of the LAG proxy they are hitting.

On the IDP login page, if you view source you can clearly see that the hidden "target" field is correctly indicating the LAG URL that the user was originally trying to access before they were redirected to the IDP to authenticate.

This problem doesn't happen on any version of Internet Explorer.

Resolution

Create a public resource for /favicon.ico at the root of the proxy accelerated web server. Alternatively, one can remove the feature from the Firefox or Chrome browsers via the browser configuration options (see http://en.wikipedia.org/wiki/Favicon).

The issue only occured when

a) The Identity Provider tab on the IDP configuration had the option 'require signed authentication requests' enabled and
b) the URL that users were trying to access on the LAG was large

In this scenario, the Authentication request with signatures would be greater than 1024 characters. When this happens, we switch from the default redirect binding to the POST binding, where the AUthentication requests is auto submitted to the IDP server from the browser. When this happens, the Chrome and Firefox browsers will always attempt to retrieve a favicon.ico object at the root of the proxy service we are trying to fix.

Access Manager 3.2 will have the option to increase the 1024 threshold to switch from the redirect to the POST binding. This could be used in the cases where the above two workarounds are impossible at customer sites.

Additional Information

For 3.2, one will need to modify the web.xml (/opt/novell/nesp/lib/webapp/WEB-INF/web.xml) param at the LAG/ESP to increase the configurable IDFF redirect bind url max limit by adding the following:
 
 <context-param>
                <param-name>IDFFMaxURLLength</param-name>
                <param-value>2048</param-value>
        </context-param>

In the above example, the POST binding will only be used to send the Liberty AUthentication Request if the request length is greater than 2048 bytes.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.