AG configuration Pending because of invalid contract URI defined on IDP

  • 7016423
  • 15-Apr-2015
  • 15-Apr-2015

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 4.0
NetIQ Access Manager 4.1

Situation

Installed a NAM 4.0 appliance and confirmed that access to the test application worked fine afterwards. The administrator then added a contract for an external SAML Identity Server (IDP), as well as the SAML2 trust relationship, and found that both the IDP (expected) and the AG (unexpected) needed to be updated.

After applying the IDP update, the device went green; after applying the AG update, the device went into a pending state and never came out of it.

Looking at the pending config.xml and current config.xml, I found the following difference:

>         <AuthenticationProcedure AuthProcedureID="authProcedure_ePass" Name="ePass" SelectedOption="idp" UserInterfaceID="authProcedure_ePass" AuthContractTimeout="60" AuthContractRefreshRate="42" AuthContractLevel="0" SatisfiableByOtherContracts="FALSE">
>           <NIDPAuthentication ContractName="ePass+Secure+Name%2FPassword+-+Form" />

The update was failing because of this contract change.

Resolution

Removed and recreated the contract on the IDP server, making sure there were no blank spaces in the URI definition. Even though the apply worked on the IDP server, the AG check fails when the URI includes a space. Opened a defect to add a check for white spaces on the IDP contract URI screen.