Users getting default login page when accessing SAML2 Intersite Transfer Service URL with a custom contract

  • 7013292
  • 13-Sep-2013
  • 18-Sep-2013

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Identity Server acting as SAML 2 Identity Provider
SAML2 Intersite Transfer Service URL set up with a corresponding ID

Situation

NAM 3.2 is configured with multiple SAML2 Service Providers (SPs), each with its own custom authentication contract.
IDP-initiated login is used: each SP has a target defined and an Intersite Transfer Service ID configured in the UI.
The admin wants a specific authentication contract executed for each SAML2 SP, but users accessing the Intersite Transfer Service URL with that SP's ID always get the default contract executed instead. The TID at https://support.microfocus.com/kb/doc.php?id=7005810 was followed so that the contract could be selected by its id in the URL.

The example URL below passes in a specific contract (whose id is nameid) and uses the Intersite Transfer Service URL as the target (whose Intersite Transfer Service ID is also called nameid):

https://idp.yourdomain.com/nidp/app?id=nameid&target=https://idp.yourdomain.com/nidp/saml2/idpsend?id=nameid

Note: the name "nameid" appears twice in the URL above, once as the contract id and once as the Intersite Transfer Service ID.

Resolution

Change the custom contract name or the Intersite Transfer Service ID so that the two have different names or different case (the comparison is case sensitive).

Example 1:
Change the Intersite Transfer Service ID to all uppercase (or to a different name).
In the Admin Console go to Identity Servers | Edit | SAML2 tab | click on the SP service | Intersite Transfer Service | ID: set it to NAMEID and update the changes.
Note: in this case, changing the Intersite Transfer Service ID from nameid to NAMEID takes two steps:
first change 'nameid' to any other name and update, then change it to the uppercase NAMEID and update again.
The login URL is then changed to match the setting made in the Admin Console; note the uppercase NAMEID in the URL:
https://idp.yourdomain.com/nidp/app?id=nameid&target=https://idp.yourdomain.com/nidp/saml2/idpsend?id=NAMEID
Example 2:
Alternatively, change the contract to a different name altogether.
In the Admin Console go to Identity Servers | Edit | Local tab | Contracts | click the contract | set Display name: to a different name. In this example it is set to 'namediff'; update the changes.
The login URL is then changed to match; note 'namediff' in the URL:
https://idp.yourdomain.com/nidp/app?id=namediff&target=https://idp.yourdomain.com/nidp/saml2/idpsend?id=nameid
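
The following script is an added example and is not part of this TID or of NetIQ Access Manager. It builds IDP-initiated login URLs of the shape used in the two examples above and audits a list of such URLs for the problem the TID describes: the contract id on /nidp/app?id=... and the Intersite Transfer Service ID on the /nidp/saml2/idpsend?id=... target being the same string. The comparison is case-sensitive, as the TID states, so 'nameid' and 'NAMEID' are treated as different names. The function names, the host idp.yourdomain.com and the sample ids are assumptions for illustration.

```python
# Added example (not from the NetIQ TID): builds the IDP-initiated login URLs
# described above and flags the case-sensitive collision between the contract
# id on /nidp/app?id=... and the Intersite Transfer Service ID on the
# /nidp/saml2/idpsend?id=... target. Function names, the host
# idp.yourdomain.com and the sample ids are assumptions for illustration.
from urllib.parse import parse_qs, urlencode, urlparse


def build_login_url(idp_host: str, contract_id: str, transfer_id: str) -> str:
    """Return the IDP-initiated login URL for contract_id with the Intersite
    Transfer Service URL for transfer_id as the target. The target is
    percent-encoded so its own '?id=' survives as part of a single parameter
    value instead of being read as a second top-level query string."""
    target = f"https://{idp_host}/nidp/saml2/idpsend?" + urlencode({"id": transfer_id})
    return f"https://{idp_host}/nidp/app?" + urlencode({"id": contract_id, "target": target})


def extract_ids(login_url: str):
    """Return (contract_id, transfer_id) from a login URL, or None for a part
    that is missing. Works for both the percent-encoded form produced by
    build_login_url and the unencoded form shown in the TID: parse_qs unquotes
    values and splits each pair on the first '=' only, so the nested '?id='
    stays attached to the target value."""
    outer = parse_qs(urlparse(login_url).query)
    contract_id = outer.get("id", [None])[0]
    target = outer.get("target", [None])[0]
    transfer_id = None
    if target is not None:
        transfer_id = parse_qs(urlparse(target).query).get("id", [None])[0]
    return contract_id, transfer_id


def ids_collide(login_url: str) -> bool:
    """True when the contract id and the Intersite Transfer Service ID are the
    same string. The comparison is case-sensitive, matching the TID: 'nameid'
    and 'NAMEID' count as different names, so only an exact match is flagged."""
    contract_id, transfer_id = extract_ids(login_url)
    return contract_id is not None and contract_id == transfer_id


def audit(login_urls):
    """Map each URL to its (contract_id, transfer_id, collides) triple so a
    list of configured IDP-initiated URLs can be checked in one pass."""
    return {u: (*extract_ids(u), ids_collide(u)) for u in login_urls}


if __name__ == "__main__":
    # Constructed samples: the problem URL from the TID and its two fixes.
    problem = "https://idp.yourdomain.com/nidp/app?id=nameid&target=https://idp.yourdomain.com/nidp/saml2/idpsend?id=nameid"
    fixed_case = build_login_url("idp.yourdomain.com", "nameid", "NAMEID")
    fixed_name = build_login_url("idp.yourdomain.com", "namediff", "nameid")
    for url, (cid, tid, bad) in audit([problem, fixed_case, fixed_name]).items():
        print(("COLLISION" if bad else "ok       "), cid, tid, url)
```

Running the script reports COLLISION for the original URL and ok for the NAMEID and namediff variants. Feeding audit() the list of IDP-initiated login URLs handed out to SPs is a quick way to find any that still carry the same name in both positions before users hit the default contract.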

Additional Information