Users getting default login page when accessing SAML2 Intersite Transfer Service URL with a custom contract

  • 7013292
  • 13-Sep-2013
  • 18-Sep-2013


NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Identity Server acting as SAML 2 Identity Provider
SAML2 Intersite transfer URL setup with corresponding id


NAM 3.2 configured with multiple SAML2 Service Providers (SPs), each with its own custom contract.
Using IDP initiated login where each SP has a target defined, and an intersite transfer id configured in the UI.
The admin wants a specific authentication contract executed for each specific SAML2 Service Provider (SP), but users accessing the intersite transfer URL with the SAML2 SP's id always get the default contract executed instead. The TID at was followed so that the contract id could be executed.

The example URL below is used for passing in a specific contract (whose id is nameid) and to use the Intersite Transfer URL as the target (whose intersite transfer id is also called nameid) e.g.

Note: the name "nameid" shows up twice in the URL below:


Change the custom contract name or Intersite Transfer Service ID to have different names or case (case sensitive).
Example 1:
Change the Intersite Transfer Service ID to all uppercase (or to a different name):
Change the Intersite Transfer Service ID in the Admin Console under Identity Servers | Edit | SAML2 tab | click on the SP service | Intersite Transfer Service | ID: set to NAMEID and update changes.
Note: In this case, changing the Intersite Transfer Service ID from nameid to NAMEID would take two steps: first change 'nameid' to any other name and update, then change it to uppercase NAMEID.
The following URL for login is used to match the change that was made in the Admin Console: see uppercase NAMEID in the URL.
Example 2:
Or change to a 'different' name value altogether.
In the Admin Console under Identity Servers | Edit | Local tab | Contracts | click the contract | set Display name: to a different name. In this example it is set to 'namediff'; update changes.
The following URL for login is used to match these changes:  see 'namediff' in the URL.

Additional Information