Session timeout errors and looping caused because contract timeout info not propagated from Admin Console to Access Gateway after upgrade to NAM 3.2

  • 7011596
  • 09-Jan-2013
  • 09-Jan-2013

Environment

NetIQ Access Manager 3.2
Upgrade from Access Manager 3.1.4
Timeout per protected resource (TOPR) NOT enabled prior to upgrade
Identity Server session timeout set to 20 minutes

Situation

After upgrading from Access Manager 3.1 to 3.2, all users appeared to be able to access protected resources on the Access Gateway (AG) without problems, i.e. the users were redirected to authenticate to the Identity Server (IDP) and, when successful, were redirected back to the original URL they had accessed. However, some users did complain that after going away from their desks or remaining idle for a period of time, subsequent requests for the protected resources would cause the browser to loop between the AG and IDP servers. Firefox actually reports an error regarding looping.

Looking at the HTTP headers on the workstation, one can see that when the user accesses the protected resource after being idle for more than a few minutes, the browser redirects the user to the IDP server to check whether the session is still valid there. In all cases, the session on the IDP server would still be active, and an assertion would be generated by the IDP server and sent back to the AG. The AG would consume the assertion and send the request back to the protected resource, which then identified the user session as inactive, causing yet another redirect to the IDP server. Hence the loop.

Resolution

One of the pre-requirements in the 3.1 to 3.2 migration documentation is that Timeout per protected resource (TOPR) must be enabled. In this particular case, TOPR was never enabled on 3.1. Upgrading to 3.2 meant that TOPR was now enabled on the Access Gateways by default, but the settings in the Admin Console configuration store did not include any TOPR parameters.

To fix this issue, either enable TOPR prior to the migration or download the script and do the following:

1. Extract the tar file "AM_32_configuration_upgrade.tar" on the primary Admin Console box to any location.
2. Stop the Admin Console using /etc/init.d/novell-ac stop
3. Run the script ConfigUpgrade.sh, and enter the appropriate admin username, password and cluster name.

For the cluster name entered above, the script changes the working configuration for each device with the timeout parameters and marks each device to be updated with an 'UpdateAll' option in the UI. The script specifically adds:

1. The TOPR attribute EnableTimeoutForProtectedResource="true", if it does not already exist.
2. AuthContractTimeout="20" and AuthContractRefreshRate="14", if they do not already exist.

Cause

The /opt/novell/nam/mag/webapps/agm/WEB-INF/config/current/config.xml file on a 3.2 AG has no timeout info:

<AuthenticationProcedure
    AuthProcedureID="authprocedure_Secure_Name_Password___Form"
    Name="Secure Name/Password - Form" SelectedOption="idp"
    UserInterfaceID="authprocedure_Secure_Name_Password___Form"
    LastModified="4294967295" LastModifiedBy="String">
  <NIDPAuthentication ContractName="secure%2Fname%2Fpassword%2Furi"/>
</AuthenticationProcedure>

which results in the AG adding a default of 2 mins in /etc/opt/novell/apache2/conf/NovellAgSettings.conf:

<NAGAuthenticationProcedure authprocedure_Secure_Name_Password___Form>
     NAGAuthContractName secure/name/password/uri
     NAGAuthTimeout 2
     NAGAuthRefreshRate 3
</NAGAuthenticationProcedure>

An idle session timeout of 2 mins causes the session to be timed out on the AG whilst the 20 minute session timeout is still active on the IDP server.
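The following script is an added diagnostic example, not part of this TID or of the vendor's ConfigUpgrade.sh. It checks for the two symptoms described above on an AG: AuthenticationProcedure entries in config.xml that carry neither AuthContractTimeout nor AuthContractRefreshRate, and NAGAuthenticationProcedure blocks in NovellAgSettings.conf whose NAGAuthTimeout is shorter than the 20 minute IDP session timeout from the Environment section. The sample file contents are constructed from the fragments shown in this article; the wrapping root element name, the second "fixed" procedure, and the placement of the timeout attributes on the AuthenticationProcedure element (the article names the attributes but not the element they sit on, so the check also looks at child elements) are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Identity Server session timeout from the Environment section (minutes)
IDP_SESSION_TIMEOUT_MIN = 20

# Constructed sample config.xml: the first procedure is the broken one from the
# article (no timeout attributes); the second is an assumed post-fix procedure.
# The <Config> root element is an assumption for the sample only.
SAMPLE_CONFIG_XML = """<Config>
  <AuthenticationProcedure
      AuthProcedureID="authprocedure_Secure_Name_Password___Form"
      Name="Secure Name/Password - Form" SelectedOption="idp"
      UserInterfaceID="authprocedure_Secure_Name_Password___Form"
      LastModified="4294967295" LastModifiedBy="String">
    <NIDPAuthentication ContractName="secure%2Fname%2Fpassword%2Furi"/>
  </AuthenticationProcedure>
  <AuthenticationProcedure
      AuthProcedureID="authprocedure_Fixed_Example"
      Name="Fixed example" SelectedOption="idp"
      AuthContractTimeout="20" AuthContractRefreshRate="14">
    <NIDPAuthentication ContractName="fixed%2Fexample"/>
  </AuthenticationProcedure>
</Config>
"""

# Constructed sample NovellAgSettings.conf: the 2 minute default from the article
# beside an assumed corrected block.
SAMPLE_AG_SETTINGS = """\
<NAGAuthenticationProcedure authprocedure_Secure_Name_Password___Form>
     NAGAuthContractName secure/name/password/uri
     NAGAuthTimeout 2
     NAGAuthRefreshRate 3
</NAGAuthenticationProcedure>
<NAGAuthenticationProcedure authprocedure_Fixed_Example>
     NAGAuthContractName fixed/example
     NAGAuthTimeout 20
     NAGAuthRefreshRate 14
</NAGAuthenticationProcedure>
"""

TIMEOUT_ATTRS = ("AuthContractTimeout", "AuthContractRefreshRate")


def procedures_missing_timeouts(config_xml):
    """Return {AuthProcedureID: [missing attribute names]} for each
    AuthenticationProcedure that lacks a timeout attribute. Attributes are
    collected from the procedure element and all of its descendants, because
    the element carrying them is not stated in the article (assumption)."""
    root = ET.fromstring(config_xml)
    missing = {}
    for proc in root.iter("AuthenticationProcedure"):
        present = set()
        for el in proc.iter():  # proc.iter() includes proc itself
            present.update(el.attrib)
        absent = [a for a in TIMEOUT_ATTRS if a not in present]
        if absent:
            missing[proc.get("AuthProcedureID", "?")] = absent
    return missing


# Apache-style container blocks as written in NovellAgSettings.conf
BLOCK_RE = re.compile(
    r"<NAGAuthenticationProcedure\s+(\S+)>(.*?)</NAGAuthenticationProcedure>",
    re.S,
)


def ag_timeouts(settings_text):
    """Parse NovellAgSettings.conf into {procedure_id: NAGAuthTimeout minutes}."""
    timeouts = {}
    for proc_id, body in BLOCK_RE.findall(settings_text):
        m = re.search(r"^\s*NAGAuthTimeout\s+(\d+)", body, re.M)
        if m:
            timeouts[proc_id] = int(m.group(1))
    return timeouts


def loop_prone_procedures(settings_text, idp_timeout_min=IDP_SESSION_TIMEOUT_MIN):
    """Procedures whose AG idle timeout is shorter than the IDP session timeout.
    For these the AG expires the session while the IDP still considers it valid,
    which is exactly the AG/IDP redirect loop the article describes."""
    return sorted(
        pid for pid, t in ag_timeouts(settings_text).items() if t < idp_timeout_min
    )


if __name__ == "__main__":
    # Replace the samples with open(path).read() on a real AG to run the check.
    print("missing timeout attributes:", procedures_missing_timeouts(SAMPLE_CONFIG_XML))
    print("loop-prone procedures:", loop_prone_procedures(SAMPLE_AG_SETTINGS))
```

Run on the real files by reading /opt/novell/nam/mag/webapps/agm/WEB-INF/config/current/config.xml and /etc/opt/novell/apache2/conf/NovellAgSettings.conf in place of the samples; any procedure reported by both checks is one the ConfigUpgrade.sh steps above are meant to fix.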