Unable to access the IDM Home and Provisioning dashboard when integrated with NAM 4.3

  • 7018468
  • 10-Jan-2017
  • 16-Jan-2017

Environment

NetIQ Access Manager 4.3
NetIQ Identity Manager 4.5
NetIQ Identity Manager Roles Based Provisioning Module

Situation

Access Manager 4.3 is integrated with Identity Manager using the SAML2 protocol. When a user accesses the Identity Manager Home and Provisioning dashboard, the user should be redirected to the Access Manager Identity Server (IDP) login page. Instead of that login page, Internet Explorer returns

"This content cannot be displayed in a frame".

Accessing the Identity Manager Home and Provisioning dashboard from Chrome or Firefox simply returns a blank page with no error message.

The User Application (IDMProv) service itself can be accessed normally, i.e. users are redirected to the IDP login page, log in without issues and are then SSO'd into the IDMProv service.

Resolution

Back up the /var/opt/novell/tomcat/webapps/nidp/WEB-INF/web.xml file on the Access Manager IDP server, then make the following changes to it:

Comment out the following section:

    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>

Then add the antiClickJackingOption init-param back with the value ALLOW-FROM, together with a second init-param, antiClickJackingUri, naming the origin that is allowed to frame the IDP pages. This must be the URL of the server hosting the Identity Manager applications (the site that embeds the IDP login page), not the IDP itself. Note that this only widens the allowance to that one origin; framing from any other site is still refused. ALLOW-FROM is an X-Frame-Options directive honoured by Internet Explorer and (older) Firefox; Chrome and Safari never implemented it and ignore the header entirely when they see it.

    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>ALLOW-FROM</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingUri</param-name>
        <param-value>URI that should be allowed/</param-value>
    </init-param>

For example:

    <!--init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param-->
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>ALLOW-FROM</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingUri</param-name>
        <param-value>https://idm.domain.com:443/</param-value>
    </init-param>

Restart the IDP for the change to take effect by executing: "rcnovell-idp restart".
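The edit above is easy to get wrong by hand (a stray "--" inside the XML comment, or the new init-params landing outside the <filter> element, will stop Tomcat from starting). The following script is an added example, not NetIQ code: it applies the same change to a web.xml text and then parses the result back to confirm the init-params Tomcat will actually see. The web.xml fragment is constructed here to resemble the relevant part of the IDP file; the filter-name, the Servlet namespace and the sample's layout are assumptions, while the filter class is Tomcat's own HttpHeaderSecurityFilter.

```python
"""Rewrite the HttpHeaderSecurityFilter init-params in a Tomcat web.xml so
X-Frame-Options becomes ALLOW-FROM <uri> instead of SAMEORIGIN, then read the
effective parameters back. Hypothetical helper written for this article."""
import re
import xml.etree.ElementTree as ET

TOMCAT_FILTER = "org.apache.catalina.filters.HttpHeaderSecurityFilter"

# Constructed fragment resembling the NAM IDP web.xml (assumption: the real
# file is much larger; namespace and filter-name are illustrative).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>
</web-app>
"""

# Matches the whole antiClickJackingOption init-param, capturing its indentation.
OPTION_BLOCK = re.compile(
    r"([ \t]*)<init-param>\s*<param-name>antiClickJackingOption</param-name>"
    r"\s*<param-value>[^<]*</param-value>\s*</init-param>"
)


def patch_anticlickjacking(xml_text: str, allow_uri: str) -> str:
    """Return web.xml text with antiClickJackingOption=ALLOW-FROM and
    antiClickJackingUri=allow_uri. The original block is kept as an XML
    comment, mirroring the manual procedure. Idempotent: a file that already
    carries antiClickJackingUri is returned unchanged."""
    if "antiClickJackingUri" in xml_text:
        return xml_text
    m = OPTION_BLOCK.search(xml_text)
    if m is None:
        raise ValueError("antiClickJackingOption init-param not found")
    indent, original = m.group(1), m.group(0)
    # Turn <init-param> ... </init-param> into <!--init-param> ... </init-param-->.
    # The block contains no '--', so the comment stays well-formed.
    commented = original.replace("<init-param>", "<!--init-param>", 1)
    commented = commented[: commented.rfind("</init-param>")] + "</init-param-->"
    new_block = (
        f"{commented}\n"
        f"{indent}<init-param>\n"
        f"{indent}    <param-name>antiClickJackingOption</param-name>\n"
        f"{indent}    <param-value>ALLOW-FROM</param-value>\n"
        f"{indent}</init-param>\n"
        f"{indent}<init-param>\n"
        f"{indent}    <param-name>antiClickJackingUri</param-name>\n"
        f"{indent}    <param-value>{allow_uri}</param-value>\n"
        f"{indent}</init-param>"
    )
    return xml_text[: m.start()] + new_block + xml_text[m.end():]


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def filter_init_params(xml_text: str, filter_class: str = TOMCAT_FILTER) -> dict:
    """Parse web.xml and return {param-name: param-value} for the <filter>
    whose <filter-class> is filter_class. Commented-out init-params are
    invisible to the parser, just as they are to Tomcat."""
    params = {}
    for flt in ET.fromstring(xml_text).iter():
        if _local(flt.tag) != "filter":
            continue
        cls = [c.text for c in flt if _local(c.tag) == "filter-class"]
        if not cls or (cls[0] or "").strip() != filter_class:
            continue
        for ip in flt:
            if _local(ip.tag) != "init-param":
                continue
            fields = {_local(c.tag): (c.text or "").strip() for c in ip}
            params[fields["param-name"]] = fields["param-value"]
    return params


if __name__ == "__main__":
    patched = patch_anticlickjacking(SAMPLE_WEB_XML, "https://idm.domain.com:443/")
    print(patched)
    print(filter_init_params(patched))
```

On a real server the script would read the backed-up web.xml, write the patched text to a new file and only then move it into place; parsing the result with filter_init_params before restarting is the cheap check that the edit is well-formed and that both parameters sit inside the filter definition.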

Cause

The Identity Manager Home and Provisioning dashboard embeds the IDP login page in a frame. NAM 4.3 enables Tomcat's HTTP Header Security Filter (org.apache.catalina.filters.HttpHeaderSecurityFilter) on the IDP server by default, and with antiClickJackingOption set to SAMEORIGIN every IDP response carries the header X-Frame-Options: SAMEORIGIN. Because the dashboard (https://idm.domain.com) and the IDP are different origins, the browser refuses to render the login page inside the frame: Internet Explorer shows "This content cannot be displayed in a frame", Chrome and Firefox simply leave the frame empty. Accessing IDMProv directly is unaffected because no framing is involved. This did not occur with NAM 4.2 and earlier because the Tomcat security filter was not enabled on the NAM IDP server (https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html#HTTP_Header_Security_Filter).
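To make the origin comparison concrete, the following added example (not NetIQ or Tomcat code) models two things: the X-Frame-Options value Tomcat's filter emits for each antiClickJackingOption, and the decision a browser makes when it finds that header on a framed page. The honours_allow_from flag stands in for the browser difference noted above (Internet Explorer and older Firefox enforce ALLOW-FROM; Chrome and Safari ignore the header in that form). The IDP and dashboard URLs are illustrative.

```python
"""Model X-Frame-Options as emitted by Tomcat's HttpHeaderSecurityFilter and
as evaluated by a browser. Hypothetical helper written for this article."""
from typing import Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url: str) -> Tuple[str, str, Optional[int]]:
    """(scheme, host, port) with default ports filled in, so that
    https://idm.domain.com:443/ and https://idm.domain.com/ compare equal."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))


def tomcat_xfo_header(option: str, uri: Optional[str] = None) -> str:
    """X-Frame-Options value the Tomcat filter sends for a given
    antiClickJackingOption / antiClickJackingUri pair."""
    option = option.upper()
    if option in ("DENY", "SAMEORIGIN"):
        return option
    if option == "ALLOW-FROM":
        if not uri:
            raise ValueError("ALLOW-FROM requires antiClickJackingUri")
        return f"ALLOW-FROM {uri}"
    raise ValueError(f"unknown antiClickJackingOption {option!r}")


def frame_allowed(xfo: Optional[str], framed_url: str, top_url: str,
                  honours_allow_from: bool = True) -> bool:
    """Will a browser render framed_url inside a page whose top-level
    document is top_url, given the framed response's X-Frame-Options value?
    honours_allow_from=False models Chrome/Safari, which treat ALLOW-FROM as
    an unknown value and ignore the header altogether."""
    if xfo is None:
        return True
    directive, _, arg = xfo.strip().partition(" ")
    directive = directive.upper()
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return origin(framed_url) == origin(top_url)
    if directive == "ALLOW-FROM":
        if not honours_allow_from:
            return True
        return origin(arg.strip()) == origin(top_url)
    return True  # unrecognised value: browsers ignore the header


if __name__ == "__main__":
    # Illustrative URLs (assumptions): the IDP login page and the dashboard framing it.
    idp_login = "https://idp.domain.com/nidp/app/login"
    dashboard = "https://idm.domain.com:443/idmdash/"
    for opt, uri in (("SAMEORIGIN", None), ("ALLOW-FROM", "https://idm.domain.com/")):
        header = tomcat_xfo_header(opt, uri)
        print(f"{header!r:45} framed from dashboard -> {frame_allowed(header, idp_login, dashboard)}")
```

To see what the IDP actually sends, fetch any IDP page with curl -sI and look at the X-Frame-Options line; the ALLOW-FROM URI must match the dashboard's scheme, host and port exactly, which is why a dashboard served on a non-default port needs that port in antiClickJackingUri.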

Additional Information

https://idm.domain.com:443 is the URL of the application server hosting the Identity Applications (the Home and Provisioning dashboard and IDMProv); substitute the URL of your own server.