WAF blocking initial redirects to ESP from AG PR because of URL string used

  • 7018110
  • 28-Sep-2016
  • 18-Oct-2016

Environment

NetIQ Access Manager 4.2
NetIQ Access Manager 4.1

Situation

Multiple customers have Web Application Firewalls (WAFs) protecting their Web components, including Access Manager components. In the case of the IDP or AG, the WAF fronting the AG/IDP intercepts and checks all requests/responses.
One such customer found that their WAF is blocking AG ESP requests because it doesn't recognize the parameters.
When users hit a protected resource <ProtRetURL> and are not authenticated to the AG, they are redirected to the ESP with a URL that looks like this:

<ESP-URL>/nesp/app/plogin?c=<contract>&"<ProtRetURL>"

ProtRetURL in this case is a parameter, and the WAF doesn't like this. The problem for the customer is that they would have to enter all of their Protected Resource URLs as parameters in the WAF, and since this is a parameter, the WAF won't accept wildcards. This also means that every possible deep link would have to be entered, so that is not a workable solution.
This is not what you would call best practice: there should be a real, named parameter like RelayState or something similar that a WAF could be configured to key off.


Some WAFs may be able to handle this with regex but this one cannot.

// AG response towards ESP

<amLogEntry> 2016-05-13T10:05:09Z VERBOSE NIDS IDFF: Processing ProxyLoginProfile login agAppNa=formfill-pbmh-proxy-srvc&c=/uri/anyauthentication&%22https://nam42sba.lab.novell.com/formfill/phpinfo.php%22 </amLogEntry>

// ESP processes request and generates AuthnRequest to /nidp/idff/sso

RequestID=idQbHZwNcu43axHMAzG2kbY2p-uNM&MajorVersion=1&MinorVersion=2&IssueInstant=2016-05-13T10%3A05%3A09Z&ProviderID=https%3A%2F%2Fnam42sba.lab.novell.com%3A443%2Fnesp%2Fidff%2Fmetadata&RelayState=NQ%3D%3D&consent=urn%3Aliberty%3Aconsent%3Aunavailable&agAppNa=formfill-pbmh-proxy-srvc&ForceAuthn=false&IsPassive=false&NameIDPolicy=onetime&ProtocolProfile=http%3A%2F%2Fprojectliberty.org%2Fprofiles%2Fbrws-art&target=https%3A%2F%2Fnam42sba.lab.novell.com%2Fformfill%2Fphpinfo.php&AuthnContextStatementRef=%2Furi%2Fanyauthentication


Resolution

Upgrade to NAM 4.3. The redirect to the ESP now carries "target=" in front of the <ProtRetURL>, making it a proper "name=value" pair, so the WAF can be configured to scan for this allowable URL.
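As an added example (not from this TID or from NetIQ), the following Python emulates a WAF allow rule over both redirect forms described above. The hostnames are constructed, and the allow-list of protected-resource prefixes is a hypothetical WAF rule; it shows why the 4.2 form gives a WAF nothing to key off, while the 4.3 "target=" form can be matched by prefix (the wildcard the customer wanted).

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample redirects modelled on the two forms in the TID.
# NAM 4.2: the protected-resource URL is an unnamed, quoted query token.
NAM42_REDIRECT = ('https://esp.example.com/nesp/app/plogin?c=/uri/anyauthentication'
                  '&%22https://app.example.com/formfill/phpinfo.php%22')
# NAM 4.3: the same URL is carried as a named, percent-encoded "target=" pair.
NAM43_REDIRECT = ('https://esp.example.com/nesp/app/plogin?c=/uri/anyauthentication'
                  '&target=https%3A%2F%2Fapp.example.com%2Fformfill%2Fphpinfo.php')

# Hypothetical WAF rule: any deep link under these prefixes is an allowed target.
ALLOWED_TARGET_PREFIXES = ('https://app.example.com/formfill/',)


def query_params(url):
    """All name=value pairs in the query; a bare token becomes (token, '')."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def unnamed_params(url):
    """Query tokens with no '=' at all, i.e. the 4.2-style ProtRetURL token.

    Note that a 4.2 deep link carrying its own '?a=b' would be split by any
    '&'/'=' tokenizer, which is exactly why a WAF cannot match it reliably.
    """
    tokens = urlsplit(url).query.split('&')
    return [unquote(tok) for tok in tokens if '=' not in tok]


def target_allowed(url):
    """Emulate a WAF rule keyed on the named 'target' parameter (prefix match)."""
    target = dict(query_params(url)).get('target')
    if target is None:
        return False  # nothing named to key off, as in the 4.2 redirect
    return target.startswith(ALLOWED_TARGET_PREFIXES)


def waf_decision(url):
    """Block unnamed tokens outright; otherwise allow only listed targets."""
    if unnamed_params(url):
        return 'block: unnamed query token'
    return 'allow' if target_allowed(url) else 'block: target not in allow list'


if __name__ == '__main__':
    for label, url in (('NAM 4.2', NAM42_REDIRECT), ('NAM 4.3', NAM43_REDIRECT)):
        print(label, '->', waf_decision(url))
```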