Intersite transfer URL (idpsend) not redirected to defined TARGET URL when assertion is sent

  • 7018106
  • 28-Sep-2016
  • 18-Oct-2016

Environment

NetIQ Access Manager 4.1
NetIQ Access Manager 4.2

Situation

Access Manager 4.1 is set up and working fine: users can access SAML SPs and Access Gateway protected resources after authenticating to the Identity Server. The Identity Server is customised with a corporate-branded login page, referenced through the JSP and MainJSP properties of the authentication method.
 
After rolling out a new SAML SP, which could only be accessed using the intersite transfer URL, users would never get redirected to the TARGET URL after authenticating, but would instead see the IDP portal page only. Looking at the logs in more detail, we could confirm that the assertion was sent correctly to the SP, but the target parameter was stripped.
 
Thinking the issue may be related to the custom login pages, we also tried with the default NAM login pages but experienced the same issue. Interestingly, when we removed the MainJSP property, the users were redirected to the TARGET URL correctly.
 
We could reproduce the issue internally using the following steps:

1. Set up a SAML 2.0 SP, e.g. simple saml
2. Configure your IDP as the trusted identity provider on simple saml
3. In the authentication method used, define the properties "MainJSP" = "true" and "JSP" = "login"
4. Access the intersite transfer URL, e.g. https://<IDP DNS>/nidp/saml2/idpsend?PID=<SAML2 entity ID>&TARGET=<IDP/AG DNS>
   e.g. in my case https://nam41sb.simpsons.gov/nidp/saml2/idpsend?PID=urn:mace:simpsons.gov:kerpen:federation:ie&TARGET=http://nam41sb.simpsons.gov
5. I am not redirected to the TARGET URL after the assertion is sent to the SP

Resolution

Upgrade to NAM 4.3. The cause is an encoding issue with the idpsend URL.
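Since the resolution attributes the behaviour to encoding of the idpsend URL, the following added example (not NetIQ code, and not a description of the fix inside NAM) builds the intersite transfer URL from the reproduction step above with PID and TARGET percent-encoded, then parses it back the way a receiver would, so an administrator can confirm that the TARGET they send survives intact, including a TARGET that carries its own query string. The hostname and entity ID are the page's example values; the unencoded variant is included only to show how a TARGET with an embedded `&` gets truncated.

```python
"""Build and check NetIQ Access Manager intersite transfer (idpsend) URLs.

Added example, not NetIQ code. Host and entity ID are the page's sample
values; the /nidp/saml2/idpsend path and PID/TARGET names come from the page.
"""
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

IDP_BASE = "https://nam41sb.simpsons.gov"           # IDP host from the page
PID = "urn:mace:simpsons.gov:kerpen:federation:ie"  # SP entity ID from the page


def build_idpsend_url(idp_base: str, pid: str, target: str) -> str:
    """Return https://<idp>/nidp/saml2/idpsend?PID=...&TARGET=... with both
    parameters percent-encoded, so a TARGET that itself contains '?', '&'
    or '=' is carried as one parameter instead of being split apart."""
    parts = urlsplit(idp_base)
    query = urlencode({"PID": pid, "TARGET": target})
    return urlunsplit((parts.scheme, parts.netloc, "/nidp/saml2/idpsend", query, ""))


def naive_idpsend_url(idp_base: str, pid: str, target: str) -> str:
    """Unencoded form, as typed in the reproduction step; kept for contrast."""
    return f"{idp_base}/nidp/saml2/idpsend?PID={pid}&TARGET={target}"


def extract_target(url: str) -> Optional[str]:
    """Parse an idpsend URL as a receiver would and return the TARGET value,
    or None when it is absent, repeated, or not an absolute http(s) URL.
    This is a local sanity check, not NAM's own TARGET validation."""
    params = parse_qs(urlsplit(url).query)
    values = params.get("TARGET", [])
    if len(values) != 1:
        return None
    target = values[0]
    tparts = urlsplit(target)
    if tparts.scheme not in ("http", "https") or not tparts.netloc:
        return None
    return target


if __name__ == "__main__":
    # A TARGET with its own query string: encoded it round-trips, unencoded
    # the '&view=1' part is parsed as a separate parameter and lost.
    wanted = "https://nam41sb.simpsons.gov/app?dept=ops&view=1"
    print(extract_target(build_idpsend_url(IDP_BASE, PID, wanted)))
    print(extract_target(naive_idpsend_url(IDP_BASE, PID, wanted)))
```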