Environment
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Situation
Access Manager 3.1 Support Pack 2 is set up and working: users can access web-based protected resources behind an Access Gateway after authenticating to the local Identity Server. A SAML 2.0 setup also exists in which the Novell Access Manager Identity Server acts as a SAML 2.0 Service Provider (SP) and consumes assertions generated by a third-party SAML 2.0 Identity Provider (IDP).
After upgrading to Access Manager 3.1 Support Pack 3, all Access Gateway protected resources continued to function as normal. Users who authenticated to the third-party SAML 2.0 IDP and were then redirected to the SAML 2.0 SP would, however, get an error in the browser, and the following exception is written to the catalina.out file on the SP:
<amLogEntry> 2011-11-28T10:29:07Z WARNING NIDS SAML2: Exception message: "java.lang.NullPointerException"
SAML2AuthenticationHandler.java, Line: 296, Method: getValidContext
SAML2AuthenticationHandler.java, Line: 204, Method: getAuthentication
IDPAuthenticationHandler.java, Line: 492, Method: setAuthentication
IDPAuthenticationHandler.java, Line: 439, Method: doProtocolAuthentication
IDPAuthenticationHandler.java, Line: 224, Method: handleAuthentication
SAML2SSOProfile.java, Line: 519, Method: processResponse
SAML2SSOProfile.java, Line: 492, Method: processResponse
SAML2Profile.java, Line: 290, Method: handleInBoundMessage
SAML2SSOProfile.java, Line: 474, Method: processResponse
SAML2Handler.java, Line: 544, Method: handleSSO
SAML2Handler.java, Line: 239, Method: handleRequest
SAML2MeDescriptor.java, Line: 600, Method: handleRequest
NIDPServlet.java, Line: 144, Method: myDoGet
NIDPBaseServlet.java, Line: 89, Method: doGet
NIDPBaseServlet.java, Line: 43, Method: doPost
HttpServlet.java, Line: 647, Method: service
HttpServlet.java, Line: 729, Method: service
ApplicationFilterChain.java, Line: 269, Method: internalDoFilter
ApplicationFilterChain.java, Line: 188, Method: doFilter
StandardWrapperValve.java, Line: 213, Method: invoke
StandardContextValve.java, Line: 172, Method: invoke
StandardHostValve.java, Line: 127, Method: invoke
ErrorReportValve.java, Line: 117, Method: invoke
StandardEngineValve.java, Line: 108, Method: invoke
CoyoteAdapter.java, Line: 174, Method: service
Http11Processor.java, Line: 879, Method: process
Http11BaseProtocol.java, Line: 665, Method: processConnection
PoolTcpEndpoint.java, Line: 528, Method: processSocket
LeaderFollowerWorkerThread.java, Line: 81, Method: runIt
ThreadPool.java, Line: 689, Method: run
Thread.java, Line: 662, Method: run
</amLogEntry>
Warning: Invalid resource key! Null or empty string!
<amLogEntry> 2011-11-28T10:29:07Z WARNING NIDS Application: Event Id: 3014668, Note 1: ED4E74D6D5701E98F790B179D256CD22, Numeric 1: 0 </amLogEntry>
Federated users can also
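When the SP's catalina.out is large, the quickest way to confirm this failure is to pull the amLogEntry records apart and look for the SAML2 NullPointerException whose top frame is SAML2AuthenticationHandler.getValidContext. The following parser is an added example, not part of this document or of the Novell product; the record layout it parses (an <amLogEntry> wrapper, a header line of timestamp, level, product, component and message, then one frame per line) and the sample input are taken from the excerpt above, shortened to a few frames. The bare "Warning: Invalid resource key!" line sits outside any amLogEntry and is deliberately ignored.

```python
import re
from dataclasses import dataclass, field

# Record layout as seen in catalina.out on the Identity Server (from the
# excerpt above): <amLogEntry> wraps a header line followed by stack frames.
ENTRY_RE = re.compile(r"<amLogEntry>\s*(.*?)\s*</amLogEntry>", re.S)
# header: <timestamp> <level> <product> <component>: <message>
HEADER_RE = re.compile(r"^(\S+)\s+(\w+)\s+(\w+)\s+(\w+):\s*(.*)$")
# frame:  <File>.java, Line: <n>, Method: <name>
FRAME_RE = re.compile(r"^\s*(\S+\.java), Line: (\d+), Method: (\w+)\s*$")

# Top of the stack reported on the SP when the SP3 'Satisfies contract'
# mapping is missing (copied from the log excerpt on this page).
MISSING_CONTRACT_TOP_FRAME = ("SAML2AuthenticationHandler.java", "getValidContext")

# Constructed sample: the two records from the excerpt, with the stack cut short.
SAMPLE_CATALINA_OUT = """\
<amLogEntry> 2011-11-28T10:29:07Z WARNING NIDS SAML2: Exception message: "java.lang.NullPointerException"
SAML2AuthenticationHandler.java, Line: 296, Method: getValidContext
SAML2AuthenticationHandler.java, Line: 204, Method: getAuthentication
IDPAuthenticationHandler.java, Line: 492, Method: setAuthentication
SAML2SSOProfile.java, Line: 519, Method: processResponse
NIDPServlet.java, Line: 144, Method: myDoGet
</amLogEntry>
Warning: Invalid resource key! Null or empty string!
<amLogEntry> 2011-11-28T10:29:07Z WARNING NIDS Application: Event Id: 3014668, Note 1: ED4E74D6D5701E98F790B179D256CD22, Numeric 1: 0 </amLogEntry>
"""


@dataclass
class AmLogEntry:
    timestamp: str
    level: str
    product: str      # "NIDS"
    component: str    # "SAML2", "Application", ...
    message: str
    frames: list = field(default_factory=list)  # [(file, line, method), ...]


def parse_am_log(text):
    """Split catalina.out text into AmLogEntry records; unknown records are skipped."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        lines = m.group(1).splitlines()
        h = HEADER_RE.match(lines[0].strip())
        if not h:
            continue  # not a header we understand; do not guess at its fields
        entry = AmLogEntry(*h.groups())
        for line in lines[1:]:
            f = FRAME_RE.match(line)
            if f:
                entry.frames.append((f.group(1), int(f.group(2)), f.group(3)))
        entries.append(entry)
    return entries


def is_missing_contract_mapping(entry):
    """True for a SAML2 NullPointerException whose top frame is getValidContext."""
    if entry.component != "SAML2" or "NullPointerException" not in entry.message:
        return False
    if not entry.frames:
        return False
    top_file, _, top_method = entry.frames[0]
    return (top_file, top_method) == MISSING_CONTRACT_TOP_FRAME


def triage(text):
    """Return the entries that match the missing-contract-mapping signature."""
    return [e for e in parse_am_log(text) if is_missing_contract_mapping(e)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_CATALINA_OUT):
        print(hit.timestamp, hit.component, hit.message)
        print("  check the 'Satisfies contract' setting on the SAML 2.0 IDP's Authentication Card")
```

Matching on the top frame rather than on the bare exception text matters: a NullPointerException elsewhere in the SAML2 handler would have a different top frame and a different cause, so this check only flags the condition described on this page.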
Resolution
Make sure that the mapping between authentication types and contracts is set on the Authentication Card of the third-party SAML 2.0 identity provider as configured on the Novell Identity Server (the SP). In the Access Manager administration console (iManager), open the Identity Server configuration -> SAML 2.0 -> the identity provider entry -> Authentication Card, and select a contract in the 'Satisfies contract' setting. Selecting the contract from the drop-down list creates a mapping between the external provider's class reference and a local authentication contract. Configurations created before the upgrade have no contract selected here, which is why the failure appears only after moving to SP3: without the mapping the SP has no local contract to satisfy for the incoming assertion, and getValidContext has nothing to return.
This is a new feature added with Access Manager 3.1 SP3 and documented in the 'Identity Server enhancements' section at https://www.novell.com/documentation/novellaccessmanager313/installation/?page=/documentation/novellaccessmanager313/installation/data/bjm97kd.html
"Mapping Between Types and Contracts: The Identity Server is contract-based and this setting permits an association to be made between a contract and the external provider assertion"