Environment
NetIQ Access Manager 3.2 Support Pack 2 applied
NetIQ Access Manager 3.2 Identity Server
SAML2 setup with IDP or SP initiated login requests
Situation
A working Access Manager setup rolled out a federated application for the first time. After doing so, any SAML IdP- or SP-initiated authentication was redirected to a customized page from the other application, no matter which authentication contract was executed.
Comparing a working lab setup with this non-working setup, we noted that the non-working setup had a configuration setting enabled in the main.jsp file of the IdP to block access to the user portal page, as described in the Identity Server Guide at https://www.netiq.com/documentation/netiqaccessmanager32/identityserverhelp/data/bctzflu.html#bprxxa9.
As soon as the following string is added to main.jsp, no federated access works:
<% if (hand.isAuthenticatedSession()) { String redirectURL = "https://www.novell.com/"; response.sendRedirect(redirectURL); } %>
Removing this configuration allowed users to authenticate and be redirected to the service provider. However, it also allowed users access to the IdP portal page, which the setting was meant to block.
Resolution
Apply the following changes:
1) Back up main.jsp;
2) Edit main.jsp;
3) Change the current main.jsp entry from:
    if (hand.isAuthenticatedSession())
    {
        String redirectURL = "https://www.novell.com";
        response.sendRedirect(redirectURL);
    }
4) Change it to the following, so that an authenticated session is only redirected away from the portal page when the requested JSP is not the federation consent page (fedconsent.jsp), which federated logins need to reach:
    if (hand.isAuthenticatedSession())
    {
        String redirectURL = "https://www.novell.com";
        String requestedURL = hand.addCardParm(hand.getJSP(hand.isJSPMsg() ? hand.getJSPMessage().getJSP() : NIDPConstants.JSP_CONTENT));
        if (requestedURL.indexOf("/nidp/jsp/fedconsent.jsp") != 0) {
            response.sendRedirect(redirectURL);
        }
    }