IDM OSP federation partially broken after Access Manager update to 4.3

  • 7018218
  • 01-Nov-2016
  • 06-Sep-2017

Environment

NetIQ Access Manager 4.3
NetIQ Access Manager 4.2
NetIQ Identity Manager 4.5

Situation

Access Manager 4.2 setup and integrated successfully with IDM 4.5 using SAML 2. Users accessing the IDM landing page would get redirected to the NAM Identity Server login page, and once the credentials were validated users would be single signed on to the IDM landing page.

After upgrading the NAM setup to 4.3, users would get redirected to the NAM IDP login page but instead of single signing on to the IDM landing page, a browser error would appear. The Fiddler trace on the client clearly showed the response coming back from the NAM IDP server with the assertion to submit to IDM, yet the browser never seemed to submit it.

Resolution

Disable the same origin filter in /opt/novell/nam/idp/conf/web.xml AND /opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml by commenting out references to both the HttpHeaderSecurityFilter and SameOriginFramingFilter filters.

a) For the HttpHeaderSecurityFilter, comment out the following in /opt/novell/nam/idp/conf/web.xml:

<!--
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31536000</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
-->


b) For the SameOriginFramingFilter, set the "activate" parameter in /opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml from true to false as shown below:

    <filter>
        <filter-name>SameOriginFilter</filter-name>
        <description>The NIDP server anti-clickjacking filter. This filter adds 'X-FRAME-OPTIONS: SAMEORIGIN'
            header to http responses, and prevents cross domain framing of web pages as best as possible
            depending on browser compatibility.</description>
        <filter-class>com.novell.nidp.servlets.filters.jsp.SameOriginFramingFilter</filter-class>
        <init-param>
            <param-name>activate</param-name>
            <param-value>False</param-value>
        </init-param>
    </filter>
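The following Python is an added audit example and is not part of the TID; it reports whether either filter is still active in a given web.xml, so the state of both files can be checked before and after the change. Note that the Tomcat HttpHeaderSecurityFilter is also the source of the Strict-Transport-Security and X-Content-Type-Options headers seen in the response trace, so commenting it out removes those protections as well. The sample web.xml documents below are constructed from the fragments shown above; the web-app root element and its namespace are assumptions.

```python
import xml.etree.ElementTree as ET

HEADER_FILTER = "org.apache.catalina.filters.HttpHeaderSecurityFilter"
FRAMING_FILTER = "com.novell.nidp.servlets.filters.jsp.SameOriginFramingFilter"

def _local(tag):
    """web.xml usually declares a default namespace; compare local names only."""
    return tag.rsplit("}", 1)[-1]

def audit_web_xml(xml_text):
    """Return which of the two header filters is active. A commented-out <filter>
    is invisible to the parser, so it is reported as inactive."""
    report = {"httpHeaderSecurity": False, "antiClickJackingOption": None, "sameOriginFraming": False}
    for flt in ET.fromstring(xml_text).iter():
        if _local(flt.tag) != "filter":
            continue
        cls, params = "", {}
        for child in flt:
            if _local(child.tag) == "filter-class":
                cls = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in child}
                params[kv.get("param-name")] = kv.get("param-value")
        if cls == HEADER_FILTER:
            report["httpHeaderSecurity"] = True
            report["antiClickJackingOption"] = params.get("antiClickJackingOption")
        elif cls == FRAMING_FILTER:
            # The NIDP filter only adds X-FRAME-OPTIONS when "activate" is true.
            report["sameOriginFraming"] = params.get("activate", "true").lower() == "true"
    return report

# Constructed sample modelled on the 4.3 default shown above: both filters active.
DEFAULT_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter><filter-name>SameOriginFilter</filter-name>
    <filter-class>com.novell.nidp.servlets.filters.jsp.SameOriginFramingFilter</filter-class>
    <init-param><param-name>activate</param-name><param-value>True</param-value></init-param>
  </filter>
  <filter><filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
    <init-param><param-name>antiClickJackingOption</param-name><param-value>SAMEORIGIN</param-value></init-param>
  </filter>
</web-app>"""

# Constructed sample after the Resolution: Tomcat filter commented out, NIDP filter set to False.
FIXED_WEB_XML = (DEFAULT_WEB_XML
                 .replace("<param-value>True<", "<param-value>False<")
                 .replace("  <filter><filter-name>httpHeaderSecurity", "  <!--<filter><filter-name>httpHeaderSecurity")
                 .replace("</filter>\n</web-app>", "</filter>-->\n</web-app>"))
```

Run `audit_web_xml(open(path).read())` against each of the two files named above to confirm the change took effect.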


With the security enhancements in NAM 4.3, the IDP adds custom response headers (X-FRAME-OPTIONS, for example) that prohibit posting data across domains/hosts. The issue above stems from the fact that the IDP and SP are on two different hosts, and the security changes block the POSTing of the assertion. After you log in and access the landing page, IDM generates a SAML AuthnRequest to the NAM IDP server. The IDP immediately responds with a 200 OK carrying the following form, which contains the assertion, back to the browser:

<form method="POST" enctype="application/x-www-form-urlencoded" action="https://identity.fdel.net/osp/a/idm/auth/saml2/spassertion_consumer">
<input type="hidden" name="SAMLResponse" value="xxxxxx"/>
<input type="hidden" name="RelayState" value="MDpjaWQ9c2FtbDItY29udHJhY3Q="/>
</form>

The browser then shows an error page without submitting the form. Looking closely at the response headers, the IDP sets:

HTTP/1.1 200 OK
Cache-Control no-cache
Cache-Control no-store
Cache-Control no-cache
Connection Keep-Alive
Content-Length 7701
Content-Type text/html;charset=ISO-8859-1
Date Thu, 27 Oct 2016 11:18:13 GMT
Keep-Alive timeout=300, max=100
Pragma No-cache
Strict-Transport-Security max-age=31536000;includeSubDomains
Strict-Transport-Security max-age=31536000
Via 1.1 access.fdel.com (Access Gateway-ag-833FDDCBC5CB414F-2804)
X-Content-Type-Options nosniff
X-FRAME-OPTIONS SAMEORIGIN
X-XSS-Protection 1; mode=block

No change is needed on the Access Gateway (AG).

Additional Information

Here is a snippet from both files with the security header changes disabled:

// /opt/novell/nam/idp/conf/web.xml

<!--
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31536000</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
-->

 

// /opt/novell/nids/lib/webapp/WEB-INF/web.xml

<!--
    <filter>
        <filter-name>SameOriginFilter</filter-name>
        <description>The NIDP server anti-clickjacking filter. This filter adds 'X-FRAME-OPTIONS: SAMEORIGIN'
            header to http responses, and prevents cross domain framing of web pages as best as possible
            depending on browser compatibility.</description>
        <filter-class>com.novell.nidp.servlets.filters.jsp.SameOriginFramingFilter</filter-class>
        <init-param>
            <param-name>activate</param-name>
            <param-value>True</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>SameOriginFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31536000</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
-->