Intermittent failure to retrieve LDAP User Name from cached Credential Profile when authenticating with Kerberos

  • 7013263
  • 12-Sep-2013
  • 14-Jan-2014

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Identity Server
NetIQ Access Manager acting as SAML2 Identity Provider (IDP), federated with a 3rd party Service Provider (SP) that requires the LDAP User Name to be used as the SAML Subject NameIdentifier in the generated SAML assertion (SAML2 POST Binding).
Users initiate the process by accessing a configured Intersite Transfer Service URL
NetIQ Access Gateway is not used or accessed at all in this specific scenario.

Client platforms: tested from IE8, IE9 (Win 2003, 2008 R2, 7)
Identity Server : Win 2008 R2
Admin console: Win 2008 R2
Access Gateway: Appliance/Linux

Situation

Users hit the NAM Identity Server intersite transfer URL, where the default Kerberos contract is executed automatically. This Kerberos contract was set up with Name/Password - Basic as the fallback method.

In the 'Authentication Response' settings for the SAML SP, the NameIdentifier was set up to include Credential Profile -> LDAP UserName.

In almost all cases, users were able to SSO to the SP after authenticating to the IDP server. On random occasions, however, some users would see the following message after successfully authenticating against the Identity Server:

Error "The request to provide authentication to a service provider has failed. SAML Subject NameIdentifier missing required NameIdentifier value"

This message indicates that the Credential Profile -> LDAP UserName secret was empty at the time the assertion was built. When the problem occurred, the catalina log file on the IDP server confirmed this: the Web Service Consumer (WSC) lookup of the LDAPCredentials/UserName entry returned DataNotAvailable, as in the following entry:

<amLogEntry> 2013-03-28T15:37:31Z DEBUG NIDS WSC: 
Method: WSC.A
Thread: http-bio-/193.212.95.73-443-exec-9
Completed Request. Response:     WSCResponse:
      Status: All Failure
        WSCQResponseEntry:
          WSCQSSToken:
           Model Entry: Entry
           Unique Id:
NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~2Fcp~3AEntry~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserName~22~5D
           Select String:
/cp:Secrets/cp:Secret[cp:Name="LDAPCredentials"]/cp:Entry[cp:Name="UserName"]
           Overridden Display Name ResourceId:: SS.WKSELdapCredsUserName

          Status: DataNotAvailable
    WSCQResponse: </amLogEntry>
Interestingly enough, when the same Credential Profile -> LDAP UserName was sent in the attribute statement, it always appeared correctly, even in the same requests where the NameIdentifier did not include it.

The problem only appeared when authenticating with Kerberos.
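To confirm whether this is the failure mode you are seeing, it helps to pull the relevant WSC entries out of catalina.out rather than reading the DEBUG stream by hand. The following Python script is an added example and is not part of this TID or of the NetIQ product: it splits the log into <amLogEntry> blocks, extracts the WSC method, thread, overall status and each Select String with its per-entry status, and flags the entries where the LDAPCredentials/UserName lookup came back DataNotAvailable. The sample log embedded in the script is constructed for the example (the first entry is modelled on the one quoted above with the thread IP changed, and the second, successful entry and its "Success" status wording are made up for contrast). The decode_unique_id helper assumes that the "~XX" sequences in the Unique Id are hex escapes in the style of URL percent-encoding with "~" in place of "%"; that assumption is supported by the fact that the decoded value ends in exactly the Select String shown in the log, but it is an inference, not documented behaviour.

```python
import re
from dataclasses import dataclass

# Constructed sample input, modelled on the catalina log entry quoted in this TID.
# The thread IP, the second entry and its "Success" status text are made up for the example.
SAMPLE_LOG = """\
<amLogEntry> 2013-03-28T15:37:31Z DEBUG NIDS WSC:
Method: WSC.A
Thread: http-bio-/192.0.2.10-443-exec-9
Completed Request. Response:     WSCResponse:
      Status: All Failure
        WSCQResponseEntry:
          WSCQSSToken:
           Model Entry: Entry
           Unique Id:
NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~2Fcp~3AEntry~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserName~22~5D
           Select String:
/cp:Secrets/cp:Secret[cp:Name="LDAPCredentials"]/cp:Entry[cp:Name="UserName"]
           Overridden Display Name ResourceId:: SS.WKSELdapCredsUserName

          Status: DataNotAvailable
    WSCQResponse: </amLogEntry>
<amLogEntry> 2013-03-28T15:38:02Z DEBUG NIDS WSC:
Method: WSC.A
Thread: http-bio-/192.0.2.10-443-exec-3
Completed Request. Response:     WSCResponse:
      Status: Success
        WSCQResponseEntry:
          WSCQSSToken:
           Model Entry: Entry
           Unique Id:
NEPXurn~3Anovell~3Acredentialprofile~3A2005-03~2Fcp~3ASecrets~2Fcp~3ASecret~2Fcp~3AEntry~40~40~40~40WSCQSSToken~40~40~40~40~2Fcp~3ASecrets~2Fcp~3ASecret~5Bcp~3AName~3D~22LDAPCredentials~22~5D~2Fcp~3AEntry~5Bcp~3AName~3D~22UserName~22~5D
           Select String:
/cp:Secrets/cp:Secret[cp:Name="LDAPCredentials"]/cp:Entry[cp:Name="UserName"]
           Overridden Display Name ResourceId:: SS.WKSELdapCredsUserName

          Status: Success
    WSCQResponse: </amLogEntry>
"""

# The Credential Profile select string for the LDAP user name, exactly as it appears in the log.
LDAP_USERNAME_SELECT = '/cp:Secrets/cp:Secret[cp:Name="LDAPCredentials"]/cp:Entry[cp:Name="UserName"]'


@dataclass
class WscEntry:
    timestamp: str
    method: str
    thread: str
    overall_status: str
    unique_id: str
    lookups: list  # list of (select_string, status) tuples


def decode_unique_id(uid: str) -> str:
    """Decode the '~XX' escapes in a WSC Unique Id.

    Assumption (not documented by the product): '~' plays the role of '%' in URL
    percent-encoding, so '~3A' is ':' and '~2F' is '/'.
    """
    return re.sub(r"~([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), uid)


def parse_wsc_entries(log_text: str) -> list:
    """Split catalina output into <amLogEntry> blocks and parse the NIDS WSC ones."""
    entries = []
    for block in re.findall(r"<amLogEntry>(.*?)</amLogEntry>", log_text, re.S):
        if "NIDS WSC:" not in block:
            continue  # not a Web Service Consumer entry
        timestamp = re.match(r"\s*(\S+)", block).group(1)
        method = re.search(r"Method:\s*(\S+)", block)
        thread = re.search(r"Thread:\s*(\S+)", block)
        overall = re.search(r"WSCResponse:\s*Status:\s*([^\n]+)", block)
        uid = re.search(r"Unique Id:\s*(\S+)", block)
        # Each queried secret shows up as a Select String followed (after the display
        # name line) by its own Status line; non-greedy match keeps the pairs aligned.
        lookups = [
            (sel, status.strip())
            for sel, status in re.findall(r"Select String:\s*(\S+).*?Status:\s*([^\n]+)", block, re.S)
        ]
        entries.append(WscEntry(
            timestamp=timestamp,
            method=method.group(1) if method else "",
            thread=thread.group(1) if thread else "",
            overall_status=overall.group(1).strip() if overall else "",
            unique_id=uid.group(1) if uid else "",
            lookups=lookups,
        ))
    return entries


def find_missing_ldap_username(log_text: str) -> list:
    """Return the WSC entries where the LDAP UserName secret was DataNotAvailable.

    This is the condition behind the 'SAML Subject NameIdentifier missing required
    NameIdentifier value' error when the NameIdentifier is mapped to that secret.
    """
    return [
        e for e in parse_wsc_entries(log_text)
        if any(sel == LDAP_USERNAME_SELECT and status == "DataNotAvailable" for sel, status in e.lookups)
    ]


if __name__ == "__main__":
    for hit in find_missing_ldap_username(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.thread} {hit.method}: LDAP UserName DataNotAvailable "
              f"(overall status '{hit.overall_status}')")
        print("  decoded Unique Id:", decode_unique_id(hit.unique_id))
```

Run it against a real catalina.out with NIDS logging at DEBUG; the timestamp and thread name of each hit let you pair the failed WSC lookup with the Kerberos contract execution for the same request earlier in the log, which is how you distinguish this intermittent Credential Profile problem from a mapping error in the 'Authentication Response' settings, where the NameIdentifier would fail on every request rather than at random.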

Resolution

This issue is fixed in NetIQ Access Manager 3.2.2 IR1.