SAML Post Authentication is ignored and access is granted to portal without credentials validation

  • 7021261
  • 30-Aug-2017
  • 06-Sep-2017

Environment

Access Manager 4.3
Access Manager 4.2

Situation

Access Manager is set up as a SAML 2.0 Service Provider, consuming assertions from a third-party Identity Server.

After such a remote authentication, once NAM has finished parsing the assertion, an administrator can define a post-authentication method to execute. However, when the administrator defines this method, the NAM Identity Server does not appear to execute the post-authentication method; instead it redirects the user to the NIDP portal pages without returning the user to the original URL being accessed.
 
The attached catalina log, at the line where the post-authentication method is executed, shows the following entries:
<amLogEntry> 2016-06-24T10:58:31Z INFO NIDS Application: AM#500105009: AMDEVICEID#09F0A73E7CE1B6CE: AMAUTHID#353820D3F3785359920C79ED4704BAD8:  Executing contract postAuthContract. </amLogEntry>
<amLogEntry> 2016-06-24T10:58:31Z VERBOSE NIDS Application: Session has consumed authentications: true </amLogEntry>
<amLogEntry> 2016-06-24T10:58:31Z VERBOSE NIDS Application: Session consumed authentications is 1 and is considered authenticated: true </amLogEntry>
 
A bit later this is found:
<amLogEntry> 2016-06-24T10:58:31Z INFO NIDS Application: AM#500105010: AMDEVICEID#09F0A73E7CE1B6CE: AMAUTHID#353820D3F3785359920C79ED4704BAD8:  Contract postAuthContract requires additional interaction. </amLogEntry>
At this stage a Windows pop-up prompts for credentials. When the [Cancel] button is pressed, the portal page (Request URL: https://idp43neil.netiq.com/nidp/portal) is displayed without any further credential validation.

The administrator tried many different post-authentication methods, all with the same problem.
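The log pattern above (a post-authentication contract that "requires additional interaction" on a session the Identity Server already "considered authenticated" from a consumed SAML assertion) is the signature of this behaviour in a 4.3 catalina log. The following is an added example, not part of the KB article or of NetIQ's own code: it parses the <amLogEntry> lines quoted above and flags each session where that sequence occurs, so an administrator can check an existing log for affected sessions. It assumes that VERBOSE lines (which carry no AMAUTHID) belong to the most recently seen AMAUTHID, which holds for a single-user trace like the attached one but not for a busy, interleaved log. The second session in the sample is constructed for the example; the contract name attrFetchContract is hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Regex for the <amLogEntry> format seen in the NIDP catalina log. The
# AM#/AMDEVICEID#/AMAUTHID# prefix is present on the INFO lines and absent
# on the VERBOSE session lines, so it is optional.
AM_LOG_RE = re.compile(
    r"<amLogEntry>\s*(?P<ts>\S+)\s+(?P<level>\w+)\s+(?P<component>[^:]+):\s+"
    r"(?:(?P<code>AM#\d+):\s+AMDEVICEID#(?P<device>[0-9A-Fa-f]+):\s+"
    r"AMAUTHID#(?P<authid>[0-9A-Fa-f]+):\s+)?"
    r"(?P<msg>.*?)\s*</amLogEntry>"
)
EXEC_RE = re.compile(r"Executing contract (?P<contract>\S+)\.")
INTERACT_RE = re.compile(r"Contract (?P<contract>\S+) requires additional interaction\.")
AUTHENTICATED_MARK = "considered authenticated: true"


@dataclass
class LogEntry:
    ts: str
    level: str
    component: str
    code: Optional[str]
    device: Optional[str]
    authid: Optional[str]
    msg: str


def parse_entry(line: str) -> Optional[LogEntry]:
    """Parse one <amLogEntry> line; return None for lines in another format."""
    m = AM_LOG_RE.search(line)
    if not m:
        return None
    return LogEntry(m["ts"], m["level"], m["component"], m["code"],
                    m["device"], m["authid"], m["msg"])


@dataclass
class SessionState:
    contract: Optional[str] = None
    considered_authenticated: bool = False
    interaction_required: bool = False


def find_post_auth_interaction(lines) -> List[dict]:
    """Return one finding per session where a post-authentication contract asked
    for additional interaction after the session was already considered
    authenticated from a consumed (SAML) authentication."""
    sessions: Dict[str, SessionState] = {}
    current: Optional[str] = None  # last AMAUTHID seen; VERBOSE lines carry none
    findings: List[dict] = []
    for line in lines:
        e = parse_entry(line)
        if e is None:
            continue
        if e.authid:
            current = e.authid
        if current is None:
            continue
        st = sessions.setdefault(current, SessionState())
        m = EXEC_RE.search(e.msg)
        if m:
            st.contract = m["contract"]
            continue
        if AUTHENTICATED_MARK in e.msg:
            st.considered_authenticated = True
            continue
        m = INTERACT_RE.search(e.msg)
        if m and st.considered_authenticated and not st.interaction_required:
            st.interaction_required = True
            findings.append({"ts": e.ts, "authid": current, "device": e.device,
                             "contract": m["contract"]})
    return findings


# Sample input: the four lines quoted in the KB article, followed by a
# constructed second session whose post-auth contract needs no interaction.
SAMPLE_LOG = [
    "<amLogEntry> 2016-06-24T10:58:31Z INFO NIDS Application: AM#500105009: AMDEVICEID#09F0A73E7CE1B6CE: AMAUTHID#353820D3F3785359920C79ED4704BAD8:  Executing contract postAuthContract. </amLogEntry>",
    "<amLogEntry> 2016-06-24T10:58:31Z VERBOSE NIDS Application: Session has consumed authentications: true </amLogEntry>",
    "<amLogEntry> 2016-06-24T10:58:31Z VERBOSE NIDS Application: Session consumed authentications is 1 and is considered authenticated: true </amLogEntry>",
    "<amLogEntry> 2016-06-24T10:58:31Z INFO NIDS Application: AM#500105010: AMDEVICEID#09F0A73E7CE1B6CE: AMAUTHID#353820D3F3785359920C79ED4704BAD8:  Contract postAuthContract requires additional interaction. </amLogEntry>",
    # constructed session (hypothetical AMAUTHID and contract name)
    "<amLogEntry> 2016-06-24T11:02:07Z INFO NIDS Application: AM#500105009: AMDEVICEID#09F0A73E7CE1B6CE: AMAUTHID#0000000000000000000000000000BEEF:  Executing contract attrFetchContract. </amLogEntry>",
    "<amLogEntry> 2016-06-24T11:02:07Z VERBOSE NIDS Application: Session has consumed authentications: true </amLogEntry>",
    "<amLogEntry> 2016-06-24T11:02:07Z VERBOSE NIDS Application: Session consumed authentications is 1 and is considered authenticated: true </amLogEntry>",
]

if __name__ == "__main__":
    for f in find_post_auth_interaction(SAMPLE_LOG):
        print(f"{f['ts']} session {f['authid']}: contract {f['contract']} "
              f"required interaction after SAML authentication")
```

Run it against a real catalina log by replacing SAMPLE_LOG with the file's lines; only sessions that hit the interaction prompt are reported, so attribute-only post-authentication methods (the supported use in 4.3) produce no finding.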

Resolution

Fixed in NAM 4.4.
 
With NAM 4.3 and earlier, the documentation states that post-authentication methods should only be used to retrieve additional attributes for the user, rather than to execute a step-up authentication, e.g. the passwordFetch method to retrieve the user's password.