SAML IdP or SP initiated authentication is being redirected to a customized page when blocking Access to the User Portal Page

  • 7014618
  • 25-Feb-2014
  • 25-Feb-2014

Environment

NetIQ Access Manager 3.2 Support Pack 2 applied
NetIQ Access Manager 3.2 Identity Server
SAML2 setup with IDP or SP initiated login requests

Situation

A working Access Manager setup rolled out a federated application for the first time. After doing so, users experienced problems where any SAML IdP- or SP-initiated authentication was redirected to a customized page from the other application, no matter which authentication contract was executed.

Comparing a working lab setup with this non-working setup, we noted that the non-working setup had a configuration setting enabled in the main.jsp file of the IdP to block access to the user portal page, as described in the Identity Server Guide at https://www.netiq.com/documentation/netiqaccessmanager32/identityserverhelp/data/bctzflu.html#bprxxa9.

As soon as the following string is added to main.jsp, no federated access works:

<% if (hand.isAuthenticatedSession()) { String redirectURL = "https://www.novell.com/"; response.sendRedirect(redirectURL); } %>
 
Removing this configuration allowed users to authenticate and be redirected to the service provider. However, it also allowed users access to the IDP portal page.

Resolution

Apply the following changes:

1) Back up main.jsp;
2) Edit main.jsp;
3) Change the current main.jsp entry from:
 
    if (hand.isAuthenticatedSession())
    {
        String redirectURL = "https://www.novell.com";
        response.sendRedirect(redirectURL);
    }
 
4) Change it to:
 
    if (hand.isAuthenticatedSession())
    {
        String redirectURL = "https://www.novell.com";
        // Resolve the JSP page the Identity Server is about to render for this request
        String requestedURL = hand.addCardParm(hand.getJSP(hand.isJSPMsg() ? hand.getJSPMessage().getJSP() : NIDPConstants.JSP_CONTENT));
        // Only block the portal page itself; the federation consent page (fedconsent.jsp)
        // is part of the SAML flow and must still be rendered, otherwise federated login fails
        if (requestedURL.indexOf("/nidp/jsp/fedconsent.jsp") != 0)
        {
            response.sendRedirect(redirectURL);
        }
    }