Access Gateway not sending Identity Injection headers on a Public Resource

  • 7012559
  • 06-Jun-2013
  • 06-Jun-2013

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Support Pack 1 applied
Identity Injection Policy enabled on public and protected resources

Situation

Access Gateway (AG) custom header injection of directory attributes does not work consistently
in 3.2 SP1 for public resources. Identity injection does work consistently on resources that are
protected by an authentication method. When the AG cluster contains only a single device, it
appears to work every time, so the issue seems to arise when requests must be proxied from one
AG to another. This affects applications that are public but rely on identity injection for
authenticated users. One example is the www.novell.com theme, which displays your name if you
are authenticated.

This worked fine with the Linux Access Gateway (LAG) appliance in 3.1.

Resolution

Fixed in 3.2 SP2.

Cause

If you start a session with one AG in the cluster and the load balancer then sends you to a
different AG, the second AG does not pick up the session from the first AG on a public resource.
What the customer sees is that identity injection headers are not sent, so the user appears not
to be logged in. Hitting a protected resource causes the second AG to start using the session
properly.