Environment
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Linux Access Gateway
Authentication methods defined at the Identity Server have the real and temporary user overwrite options enabled (default is disabled)
Can duplicate in an environment with a single Identity server and Access Gateway
Situation
The Novell Access Manager Identity (IDP) Server is set up to send a list of user attributes with every assertion to the Access Gateway, following the document at https://www.novell.com/communities/node/9321/how-configure-access-gateway-embedded-service-provider-reduce-access-gateway-load-and-impr.

The IDP server has two contracts with two different authentication levels:
Contract 1 references Method 1, which has 'real user overwrite' enabled
Contract 2 references Method 2, which has 'real user overwrite' enabled

The user logs in to protected resource 1 with contract 1. Identity Injection shows that all required attributes are sent to the back-end web server. The user then hits protected resource 2, which has contract 2 associated with it. The user is redirected to the IDP login page and authenticates successfully. However, the Identity Injection (II) policy enabled for this protected resource does NOT include the attributes that were supposedly sent at authentication time, so single sign-on to the back-end applications fails. The only workaround is to remove the attributes to be sent at authentication time so that the ESP queries them from the IDP server itself, but this may introduce some performance issues.

From the log files, one can see the following exception being thrown:

<amLogEntry> 2011-11-14T16:04:52Z SEVERE NIDS WSP: AM#200102016: AMDEVICEID#73E1209002AC0C68: Unable to locate a cached NIDPPrincipal object given the local id: 866956067978d511a12c001083fde2f2 </amLogEntry>
<amLogEntry> 2011-11-14T16:04:52Z DEBUG NIDS WSP: Method: IDSISAuthorityLdap.getPolicyMarkup Thread: http-161.215.36.25-8443-Processor4 Exception message: ":UnexpectedError; An unexpected error occurred! System error code: NIDPLOGGING.200102016 "
y, Line: 3363, Method: getLibertyIdentity
y, Line: 305, Method: getPolicyMarkup
y, Line: 3168, Method: A
y, Line: 3317, Method: processQuery
y, Line: 2277, Method: lookupAtLocalService
y, Line: 1275, Method: A
y, Line: 955, Method: getDataWithoutInteraction
y, Line: 111, Method: A
y, Line: 1089, Method: authenticate
y, Line: 1127, Method: exec
y, Line: 1439, Method: execute
y, Line: 131, Method: executeContract
y, Line: 1074, Method: spLogin
y, Line: 800, Method: doAuthentication
y, Line: 1659, Method: handleAuthnRequest
y, Line: 623, Method: processAuthnRequest
y, Line: 2958, Method: processSSOEndpoint
y, Line: 670, Method: E
y, Line: 3101, Method: handleRequest
y, Line: 1277, Method: handleRequest
y, Line: 2459, Method: myDoGet
y, Line: 2679, Method: doGet
y, Line: 2043, Method: doPost
HttpServlet.java, Line: 647, Method: service
HttpServlet.java, Line: 729, Method: service
ApplicationFilterChain.java, Line: 269, Method: internalDoFilter
ApplicationFilterChain.java, Line: 188, Method: doFilter
StandardWrapperValve.java, Line: 213, Method: invoke
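To check whether an Identity Server is hitting this condition, the catalina log can be scanned for the AM#200102016 entry quoted above. The following is an added example (not part of the original TID and not Novell code) that parses the amLogEntry format and reports each cached-principal miss; the first sample line is constructed, the other two are taken from the entries above.

```python
import re

# Sample log in the Access Manager <amLogEntry> format. The first record is a
# constructed, unrelated entry; the other two mirror the entries quoted in the TID.
SAMPLE_LOG = """\
<amLogEntry> 2011-11-14T16:04:50Z DEBUG NIDS Application: Constructed unrelated debug entry </amLogEntry>
<amLogEntry> 2011-11-14T16:04:52Z SEVERE NIDS WSP: AM#200102016: AMDEVICEID#73E1209002AC0C68: Unable to locate a cached NIDPPrincipal object given the local id: 866956067978d511a12c001083fde2f2 </amLogEntry>
<amLogEntry> 2011-11-14T16:04:52Z DEBUG NIDS WSP: Method: IDSISAuthorityLdap.getPolicyMarkup Thread: http-161.215.36.25-8443-Processor4 Exception message: ":UnexpectedError; An unexpected error occurred! System error code: NIDPLOGGING.200102016 " </amLogEntry>
"""

# One record: timestamp, level, component, optional AM# error code and
# optional AMDEVICEID#, followed by the free-text message.
ENTRY_RE = re.compile(
    r"<amLogEntry>\s*(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<component>NIDS \w+):\s*"
    r"(?:AM#(?P<code>\d+):\s*)?(?:AMDEVICEID#(?P<device>\w+):\s*)?"
    r"(?P<msg>.*?)\s*</amLogEntry>",
    re.DOTALL,
)

# Error code from the TID: the ESP asked the IDP for the user's attributes but the
# IDP no longer holds a cached NIDPPrincipal for that (overwritten) session.
CACHE_MISS_CODE = "200102016"
LOCAL_ID_RE = re.compile(r"local id:\s*([0-9a-fA-F]+)")


def parse_entries(text):
    """Return one dict (ts, level, component, code, device, msg) per record."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]


def find_principal_cache_misses(entries):
    """Select AM#200102016 records and report (timestamp, device id, local id)."""
    hits = []
    for e in entries:
        if e["code"] != CACHE_MISS_CODE:
            continue
        m = LOCAL_ID_RE.search(e["msg"])
        hits.append((e["ts"], e["device"], m.group(1) if m else None))
    return hits


if __name__ == "__main__":
    for ts, device, local_id in find_principal_cache_misses(parse_entries(SAMPLE_LOG)):
        print(f"{ts} device={device}: cached NIDPPrincipal missing for local id {local_id}")
```

Feed it the real log instead of SAMPLE_LOG; a steady stream of these hits at the moment users step up from contract 1 to contract 2 is the signature of this issue rather than of a general IDP fault.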
Resolution
Reported to engineering. The workaround for the time being is to disable the sending of the LDAP attributes at authentication time to the LAG ESP, or to disable the overwrite temporary user option.
The issue is resolved in Access Manager 3.2.