Formfill fails to SSO users after upgrading from NAM 3.1 to NAM 3.2

  • 7014205
  • 02-Dec-2013
  • 02-Dec-2013

Environment


NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Support Pack 2 applied
Formfill Enabled for SSO to back end Web server

Situation

Access Manager 3.1 was set up and working fine, i.e. users could access all Access Gateway (AG) protected resources and SSO to back end Web servers after having authenticated to the Identity (IDP) Server. After upgrading to NAM 3.2, users could not SSO to one back end Web server that included a lot of JavaScript code. Users were simply presented with the application login form, and the username and password fields were not even populated.

With the following two advanced options set (NAGGlobalOptions DebugFormFill=on and LogLevel info), the error_log file showed the entries below, indicating that the formfill library could not locate the <form> tag even though it was clearly there.


Nov 28 03:53:32 semnovamgwp01 httpd[15699]: [info] AMEVENTID#11148: connected from 10.0.0.0:44682 to 10.0.0.0:8081
Nov 28 03:53:32 semnovamgwp01 httpd[15699]: [info] AMEVENTID#11148: sending request to webserver
Nov 28 03:53:32 semnovamgwp01 httpd[15699]: [info] AMEVENTID#11148: received response from server
Nov 28 03:53:32 semnovamgwp01 httpd[15699]: [info] AMEVENTID#11148: received status 200 from server
Nov 28 03:53:32 semnovamgwp01 httpd[15699]: [info] AM#504600404 AMDEVICEID#ag-15AB9889DD8EAA80: AMAUTHID#CF1611A035ED2D5E0F1F261FAC6DA745: AMEVENTID#11148: subreq www.eleven.com:/nesp/app/soap
Nov 28 03:53:32 semnovamgwp01 httpd[15699]: [info] AMEVENTID#11148: Cache miss
Nov 28 03:53:32 semnovamgwp01 httpd[15699]: [warn] AMEVENTID#11148: FF:fillInteractive: mastercdnForm_SicsNew3310
Nov 28 03:53:32 semnovamgwp01 httpd[15699]: [warn] AMEVENTID#11148: FF:fillInteractive FormFill Policy :mastercdnForm_SicsNew3310 Inject JavaScript Policy: mastercdnForm_SicsNew3310 
Nov 28 03:53:32 semnovamgwp01 httpd[15699]: [warn] AMEVENTID#11148: FF:Not Found: <form>
Nov 28 03:53:32 semnovamgwp01 httpd[15699]: [warn] AM#304600001 AMDEVICEID#ag-15AB9889DD8EAA80: AMAUTHID#CF1611A035ED2D5E0F1F261FAC6DA745: AMEVENTID#11148: status:200 GET https://www.eleven.com/sicsweb/login.do <01000b000a000809b4e2893011f004a8e9b8e702> X-Mag: <15AB9889DD8EAA80;e9b8e702;11148;usrLkup->0;usrBase->0;LocUsr;getPRBefFind->0;PRAfterFind->0;sicsweb;Contract-valid->0;Sicsweb;default;SH;FF1End->0;FP2->0;WS=5a76025d;default;setupFF-interested;mastercdnForm_SicsNew3310;FF4GUD->16;InterActive;FP4->16;C005;> [10.0.8.9:8361->10.0.1.3:443]service:Sicsweb (4225:5) -
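
To find every protected resource affected in the same way, the correlation shown in the excerpt above can be scripted. The following is an added example, not part of the original document or of NetIQ's code: it groups error_log lines by AMEVENTID and reports the formfill policy and request URL for each event that logged FF:Not Found: <form>. The sample lines are constructed in the format of the excerpt; the host name, policy name and URL in them are placeholders.

```python
import re
from collections import defaultdict

# Patterns follow the line formats shown in the error_log excerpt above.
EVENT = re.compile(r"AMEVENTID#(\d+):\s*(.*)")
POLICY = re.compile(r"FF:fillInteractive FormFill Policy\s*:\s*(\S+)")
REQUEST = re.compile(r"status:(\d{3}) (GET|POST) (\S+)")
MARKER = "FF:Not Found: <form>"

def formfill_failures(lines):
    """Return one record per AMEVENTID where formfill could not find <form>.

    Assumption: event ids are unique within the lines passed in
    (analyse one log file or one time window at a time).
    """
    events = defaultdict(dict)
    for line in lines:
        match = EVENT.search(line)
        if not match:
            continue  # not an Access Gateway event line
        event, rest = events[match.group(1)], match.group(2)
        if MARKER in rest:
            event["failed"] = True
        policy = POLICY.search(rest)
        if policy:
            event["policy"] = policy.group(1)
        request = REQUEST.search(rest)
        if request:
            event["status"], event["method"], event["url"] = request.groups()
    return [
        {"event": eid, "policy": ev.get("policy"),
         "url": ev.get("url"), "status": ev.get("status")}
        for eid, ev in events.items() if ev.get("failed")
    ]

# Constructed sample input (placeholder host, policy and URL).
SAMPLE_LOG = """\
Nov 28 03:53:32 gw01 httpd[15699]: [info] AMEVENTID#11148: received status 200 from server
Nov 28 03:53:32 gw01 httpd[15699]: [warn] AMEVENTID#11148: FF:fillInteractive FormFill Policy :loginForm_Example Inject JavaScript Policy: loginForm_Example
Nov 28 03:53:32 gw01 httpd[15699]: [warn] AMEVENTID#11148: FF:Not Found: <form>
Nov 28 03:53:32 gw01 httpd[15699]: [warn] AM#304600001 AMDEVICEID#ag-0000: AMAUTHID#0000: AMEVENTID#11148: status:200 GET https://www.example.com/app/login.do <0100> X-Mag: <...>
Nov 28 03:53:33 gw01 httpd[15699]: [info] AMEVENTID#11149: received status 200 from server
Nov 28 03:53:33 gw01 httpd[15699]: [info] AMEVENTID#11149: Cache miss
""".splitlines()

if __name__ == "__main__":
    for failure in formfill_failures(SAMPLE_LOG):
        print(failure)
```

A status of 200 together with the Not Found marker means the unfilled login form was passed through to the user, which matches the symptom described above.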

Resolution

Terminate the <script> tag correctly on the back end HTML form.

In the above example, the culprit entry on the page was the following:
 
      <script type="text/javascript">
        !window.jQuery && document.write('<script src="js/jquery-1.6.1.min.js"><\/script>');
      </script>

The formfill library expects the closing </script> tag but gets <\/script> instead.

If the back end page cannot be edited, use the rewriter search and replace functionality to replace <\/script> with </script>.

Rewriter setup:
 
a) If Requested URL Is : Add the URL for this login page
 
b) Modify the search and replace rewriter configuration with:
 
Search for     : !window.jQuery && document.write('<script src="js/jquery-1.6.1.min.js"><\/script>');
Replace with  : !window.jQuery && document.write('<script src="js/jquery-1.6.1.min.js"></script>');
 
or simply search for <\/script> and replace with </script>.