Cannot access Web application when authenticating to 3rd party SAML IDP server - only see IDP portal page

  • 7011702
  • 25-Jan-2013
  • 18-Feb-2013


NetIQ Access Manager 3.2 SUpport Pack 1 applied
CA Siteminder SAML2 Identity (IPD) server
NAM acting as SAML2 Service Provider (SP)
Web applications accelerated by Access GAteway Appliance


NAM Identity Server defines an external contract - which redirects users to authenticate to a 3rd party Siteminder IDP server from CA. This external contract is applied to an Access Gateway (AG) protected resource. When users hit the AG protected resource, they are initially redirected to the NAM IDP server which in turn automatically redirects them to the Siteminder IDP server to provide login credentials. After the login is successful on the Siteminder IDP server, an assertion is sent back to the NAM IDP server, which in turn sends it back to the AG. The AG should consume the assertion and redirect the user to the original application they were trying to access.

In the setup above, everything worked fine apart from the last stage. Instead of having the users access the application, users would simply be redirected to the NAM IDP portal page (at /nidp/app) with a message indicating that they are logged in for 60 mins (or whatever session timeout is define for the contract).


Two options exist:

- Make sure the 3rd party IDP server sends and populates the userPassword attribute when generating an assertion.
- Apply 3.2.1 IR1 where a check to handle the null attribute for userPassword has been added


When the AG consumes the assertion, it looks at each attribute and corresponding value.  In the above setup, we have DEBUG logging enabled on the NAM IDP server and saw the following exception:

<amLogEntry> 2012-12-14T15:09:30Z DEBUG NIDS IDFF: 
Method: LibertySSOProfile.processResponse
Thread: ajp-bio-/
Exception message: "java.lang.NullPointerException"
     y, Line: 1202, Method: getTemporaryPrincipal
     y, Line: 1403, Method: authenticateByIdentity
     y, Line: 507, Method: J
     y, Line: 2769, Method: handleAuthentication
     y, Line: 2068, Method: processResponse
     y, Line: 1570, Method: processResponse
     y, Line: 2420, Method: handledInBoundResponse
     y, Line: 3158, Method: processResponse
     y, Line: 3430, Method: E
     y, Line: 376, Method: handleRequest
     y, Line: 471, Method: handleRequest
     y, Line: 789, Method: myDoGet

The NullPointerException was caused by one of the attributes in the assertion not having a value ie.
Looking at the assertion, we can see that the userpassword attribute is blank, causing the ESP to throw the null pointer exception <saml:Attribute AttributeName="userPassword" AttributeNamespace="urn:oasis:names:tc:SAML:1.0:assertion"/>
COmparing this attribute to other attributes, the other attributes all showed a value of ** (masked for security reasons).