NIDP server returns error: HTTP Status 500 - Illegal character in path at index 14: /UserAttribute[@ldap:targetAttribute="cn"]

  • 7016821
  • 04-Sep-2015
  • 04-Sep-2015

Environment

NetIQ Access Manager 4.1
NetIQ Access Manager 4.1 Identity Server
SAML or WS-federation with Microsoft Applications


Situation

The NAM Identity Server is acting as a WS-Federation identity provider, generating claims for a WS-Federation service provider (Office 365, for example). Under the WS-Federation settings, a list of attributes has been defined to be sent with the claim. When the incoming WS-Federation authentication request reaches the NAM Identity Server, the user submits their credentials and they are validated successfully. Instead of being redirected to the SP with a valid claim, the user is presented with the following exception in the browser:

HTTP Status 500 - Illegal character in path at index 14: /UserAttribute[@ldap:targetAttribute="initials"]


type Exception report

message Illegal character in path at index 14: /UserAttribute[@ldap:targetAttribute="initials"]

description The server encountered an internal error that prevented it from fulfilling this request.

exception 
java.lang.IllegalArgumentException: Illegal character in path at index 14: /UserAttribute[@ldap:targetAttribute="initials"]
	java.net.URI.create(URI.java:859)
	com.novell.nidp.sts.handler.STSIdentityHandler.invoke(y:2128)
	org.eclipse.higgins.sts.server.token.compound.CompoundHandler.invoke(CompoundHandler.java:117)
	org.eclipse.higgins.sts.server.trust.SecurityTokenService.invoke(SecurityTokenService.java:158)
	com.novell.nidp.sts.NIDPSTS.requestSecurityToken(y:1443)
	com.novell.nidp.wsfed.profile.WSFedSSOProfile.processRST(y:298)
	com.novell.nidp.wsfed.profile.WSFedSSOProfile.processRequest(y:1)


Resolution

Go to the "Shared settings" configuration on the Identity Server and select the attribute set. Make sure every attribute in the set has the "Remote Attribute" field defined; this field maps the local attribute to the name sent in the claim.

If the value is missing, delete the mapping and add it again with a string value for Remote Attribute, for example Local Attribute "Ldap Attribute:cn [LDAP Attribute Profile]" <--> Remote Attribute "CN". The illegal character at index 14 in the error is the "[" of the local attribute's internal name (/UserAttribute[...]), which is what the STS handler ends up passing to java.net.URI.create when no Remote Attribute is defined, and which is not a legal URI path character.
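As an added illustration (not part of the original TID), the following Python audits a list of attribute-set mappings for entries that would trip this error. It approximates java.net.URI's path character rules with a regular expression and assumes, as the trace suggests, that an unset Remote Attribute makes the STS fall back to the local attribute's internal name; the mapping class and sample set are constructed, not a real NAM export.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Characters java.net.URI accepts in a path (RFC 2396 unreserved + path
# reserved characters + %XX escapes). '[', ']' and '"' are not in this set,
# which is why URI.create() rejects /UserAttribute[@ldap:...] at index 14.
_PATH_CHAR = re.compile(r"[A-Za-z0-9\-_.!~*'();/?:@&=+$,]|%[0-9A-Fa-f]{2}")


def first_illegal_index(path: str) -> int:
    """Index of the first character URI.create() would reject in a path, or -1."""
    i = 0
    while i < len(path):
        m = _PATH_CHAR.match(path, i)
        if m is None:
            return i
        i = m.end()
    return -1


@dataclass(frozen=True)
class AttributeMapping:
    local_name: str                   # internal name of the local attribute
    remote_attribute: Optional[str]   # "Remote Attribute" field, None when unset


def effective_claim_name(m: AttributeMapping) -> str:
    """Name the STS turns into a claim URI (assumption: local name is the fallback)."""
    return m.remote_attribute if m.remote_attribute else m.local_name


def audit_attribute_set(mappings: list) -> list:
    """Return (local_name, problem) pairs for mappings that would fail URI.create()."""
    findings = []
    for m in mappings:
        name = effective_claim_name(m)
        idx = first_illegal_index(name)
        if not m.remote_attribute:
            findings.append((m.local_name, f"Remote Attribute not set; fallback name has illegal character at index {idx}"))
        elif idx >= 0:
            findings.append((m.local_name, f"illegal character {name[idx]!r} at index {idx}"))
    return findings


# Constructed sample attribute set (not a real NAM export).
SAMPLE_ATTRIBUTE_SET = [
    AttributeMapping('/UserAttribute[@ldap:targetAttribute="cn"]', "CN"),
    AttributeMapping('/UserAttribute[@ldap:targetAttribute="initials"]', None),
    AttributeMapping('/UserAttribute[@ldap:targetAttribute="givenName"]', "Given Name"),
]

if __name__ == "__main__":
    for local, problem in audit_attribute_set(SAMPLE_ATTRIBUTE_SET):
        print(f"{local}: {problem}")
```

The second finding shows that a defined Remote Attribute can still fail if it contains characters such as spaces that are illegal in a URI.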