Cannot access Web application when authenticating to 3rd party SAML IDP server - only see IDP portal page

  • Document ID: 7011702
  • Creation Date: 25-Jan-2013
  • Modified Date: 18-Feb-2013

Environment

NetIQ Access Manager 3.2 Support Pack 1 applied
CA SiteMinder SAML2 Identity Provider (IDP) server
NAM acting as SAML2 Service Provider (SP)
Web applications accelerated by the Access Gateway Appliance

Situation

The NAM Identity Server defines an external contract which redirects users to authenticate to a third-party SiteMinder IDP server from CA. This external contract is applied to an Access Gateway (AG) protected resource. When users hit the AG protected resource, they are initially redirected to the NAM IDP server, which in turn automatically redirects them to the SiteMinder IDP server to provide login credentials. After the login succeeds on the SiteMinder IDP server, an assertion is sent back to the NAM IDP server, which in turn sends an assertion to the AG. The AG should consume the assertion and redirect the user to the application they originally tried to access.

In the setup above, everything worked fine apart from the last stage. Instead of being sent on to the application, users were simply redirected to the NAM IDP portal page (at /nidp/app) with a message indicating that they were logged in for 60 minutes (or whatever session timeout is defined for the contract).

Resolution

Two options exist:

- Make sure the third-party IDP server sends the userPassword attribute with a value whenever it generates an assertion.
- Apply 3.2.1 IR1, which adds a check that handles a null userPassword attribute.

Cause

When the AG consumes the assertion, it looks at each attribute and its corresponding value. In the setup above, DEBUG logging was enabled on the NAM IDP server and the following exception was seen:

<amLogEntry> 2012-12-14T15:09:30Z DEBUG NIDS IDFF: 
Method: LibertySSOProfile.processResponse
Thread: ajp-bio-/127.0.0.1-9009-exec-24
null
Exception message: "java.lang.NullPointerException"
     y, Line: 1202, Method: getTemporaryPrincipal
     y, Line: 1403, Method: authenticateByIdentity
     y, Line: 507, Method: J
     y, Line: 2769, Method: handleAuthentication
     y, Line: 2068, Method: processResponse
     y, Line: 1570, Method: processResponse
     y, Line: 2420, Method: handledInBoundResponse
     y, Line: 3158, Method: processResponse
     y, Line: 3430, Method: E
     y, Line: 376, Method: handleRequest
     y, Line: 471, Method: handleRequest
     y, Line: 789, Method: myDoGet

The NullPointerException was caused by one of the attributes in the assertion having no value. Looking at the assertion, the userPassword attribute is an empty element with no AttributeValue child, which causes the ESP to throw the null pointer exception:

<saml:Attribute AttributeName="userPassword" AttributeNamespace="urn:oasis:names:tc:SAML:1.0:assertion"/>

Comparing this attribute to the others in the same assertion, every other attribute carried a value, shown as ** (masked for security reasons).
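The quickest way to confirm this cause from a captured assertion is to list every attribute that has no AttributeValue child (or only an empty one) before looking at the IDP configuration. The script below is an added example written for this TID, not NetIQ code. The attribute statement it parses is constructed to mirror the one quoted above: a self-closing userPassword attribute next to attributes whose values were masked as **; the other attribute names (cn, mail, givenName) are assumptions for illustration. The first_value() helper also shows the consumer-side behaviour the 3.2.1 IR1 check provides: returning "no value" for a blank attribute instead of dereferencing it.

```python
"""Find SAML attributes that carry no value in a captured assertion.

Added example for this TID; it is not NetIQ code. The attribute statement
below is constructed to mirror the one quoted in the Cause section: a
userPassword attribute with no <saml:AttributeValue> child next to
attributes whose values were masked as "**". Attribute names other than
userPassword are assumptions for illustration.
"""
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1_NS}

# Constructed sample, not a real captured assertion.
SAMPLE_ATTRIBUTE_STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{SAML1_NS}">
  <saml:Attribute AttributeName="cn" AttributeNamespace="{SAML1_NS}">
    <saml:AttributeValue>**</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute AttributeName="mail" AttributeNamespace="{SAML1_NS}">
    <saml:AttributeValue>**</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute AttributeName="userPassword" AttributeNamespace="{SAML1_NS}"/>
  <saml:Attribute AttributeName="givenName" AttributeNamespace="{SAML1_NS}">
    <saml:AttributeValue></saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def attribute_values(xml_text):
    """Map each AttributeName to the list of its AttributeValue strings.

    An attribute with no AttributeValue child maps to an empty list; an
    AttributeValue element with no text is recorded as "" so the two cases
    can be told apart when reading the assertion.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for attr in root.iter(f"{{{SAML1_NS}}}Attribute"):
        name = attr.get("AttributeName")
        values = [(v.text or "") for v in attr.findall("saml:AttributeValue", NS)]
        result.setdefault(name, []).extend(values)
    return result


def attributes_without_value(xml_text):
    """Names of attributes that have no value, or only blank values."""
    return sorted(
        name for name, values in attribute_values(xml_text).items()
        if not any(v.strip() for v in values)
    )


def first_value(xml_text, name):
    """Consumer-side lookup that tolerates a missing value instead of failing.

    Returns None when the attribute is absent or blank. A consumer that
    instead dereferences the value unconditionally is where a
    NullPointerException like the one in the log comes from.
    """
    for v in attribute_values(xml_text).get(name, []):
        if v.strip():
            return v
    return None


if __name__ == "__main__":
    missing = attributes_without_value(SAMPLE_ATTRIBUTE_STATEMENT)
    print("attributes with no value:", ", ".join(missing) or "(none)")
    print("userPassword ->", first_value(SAMPLE_ATTRIBUTE_STATEMENT, "userPassword"))
```

To use it against a real capture, paste the AttributeStatement from the decoded assertion into SAMPLE_ATTRIBUTE_STATEMENT (or read it from a file); any name reported by attributes_without_value() is a candidate for the behaviour described in this TID and should be populated on the IDP side or tolerated on the consumer side.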