"unable to load groups" error on SAP Fiori homepage when accelerated with Access Gateway due to URL encoding issue

  • 7022304
  • 09-Nov-2017
  • 09-Nov-2017

Environment

Access Manager 4.3
Access Manager 4.4

Situation

Access Manager 4.3.2 is set up and working well: users can authenticate at the Identity Provider (IDP) and access protected resources behind the Access Gateway (AG), or SAML 2.0 Service Providers in a trust relationship with the IDP.

An integration project with SAP Fiori was started in which we used the SAML protocol, with the objective of authenticating users at the IDP and sending an assertion to the SAP service provider for single sign-on. The SAP SAML SP was also protected by the Access Manager AG.

The authentication process works correctly and users can authenticate to the IDP server, but instead of being single signed on, users receive the following error on the SAP Home Page:

"unable to load groups".

Looking through the SAP info page, it appears that there is a problem when a reverse proxy in front of SAP decodes the URL before forwarding it. To confirm whether the AG was the cause, we installed a separate Apache proxy and got it all working there. The key was the addition of the "nocanon" parameter to the ProxyPass directive.

The NAM 4.3 Release notes Documentation (https://www.netiq.com/documentation/access-manager-43/accessmanager43-release-notes/data/accessmanager43-release-notes.html) mentions the following:

Web Server Request URL Does Not Retain Encoded Characters

Issue: When the Web server requests for a URL, the URL does not retain the encoded characters before sending it to the back end Web server. [Bug 934320]

Fix: To fix this issue, a new advanced option NoCanonicalization=on is introduced. This option is added at the proxy service level and adds the nocanon keyword to the ProxyPass directives. You also need to enable the NAGGlobalOptions noURLNormalize=on and AllowEncodedSlashes=on advanced options at the proxy service level.

Adding these options as documented causes Apache to fail to load on NAM 4.3.2.
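The decoding problem described above can be hard to picture from the error message alone. The following is an added illustration, not code from this article, from NetIQ or from SAP: it models, in simplified form, what a canonicalizing reverse proxy does to a request path (percent-decode, then collapse "." and ".." segments) and compares it with passing the raw path through, as nocanon / NoCanonicalization does. The back end, the route layout and the group names are constructed for the example; the real Fiori URLs differ, but the mechanism is the same: an encoded slash (%2F) inside a single path segment becomes a real slash after canonicalization, so the back end sees more segments than it expects and cannot resolve the resource.

```python
from urllib.parse import unquote

# Constructed sample data: a group whose identifier legitimately contains a slash.
GROUPS = {"sales/north": "Sales North", "it": "IT"}


def canonicalize(path: str) -> str:
    """Simplified model of a canonicalizing reverse proxy (NOT Apache's code):
    percent-decode the path, then collapse '.' and '..' segments."""
    decoded = unquote(path)            # %2F -> '/', %2E -> '.', ...
    segments = decoded.split("/")      # leading '' keeps the root slash
    out = [segments[0]]
    for seg in segments[1:]:
        if seg == "..":
            if len(out) > 1:           # never climb above the root
                out.pop()
        elif seg != ".":
            out.append(seg)
    return "/".join(out)


def forward_path(path: str, no_canon: bool = False) -> str:
    """What the proxy hands to the back end: the raw path with nocanon,
    otherwise the canonicalized one."""
    return path if no_canon else canonicalize(path)


def backend_lookup(forwarded_path: str):
    """Constructed back end route /api/groups/<id>. It expects the id as ONE
    percent-encoded segment and decodes it itself. Returns None when the
    path does not match (the analogue of 'unable to load groups')."""
    parts = forwarded_path.split("/")
    if len(parts) != 4 or parts[:3] != ["", "api", "groups"]:
        return None
    return GROUPS.get(unquote(parts[3]))


if __name__ == "__main__":
    request = "/api/groups/sales%2Fnorth"
    print("canonicalized ->", forward_path(request),
          "=>", backend_lookup(forward_path(request)))
    print("nocanon       ->", forward_path(request, no_canon=True),
          "=>", backend_lookup(forward_path(request, no_canon=True)))
```

With canonicalization on, "/api/groups/sales%2Fnorth" reaches the back end as "/api/groups/sales/north" (five segments instead of four) and the lookup fails; with the raw path passed through, the back end decodes the id itself and finds the group. The trade-off to keep in mind when turning canonicalization off is that the gateway no longer collapses dot segments or decodes encoded slashes on the back end's behalf, so the back end must perform its own decoding and path validation; Apache's mod_proxy documentation carries the same warning for nocanon.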

Resolution

Enable the following three advanced options on the Access Gateway:

1. Global Advanced Option

NAGGlobalOptions noURLNormalize=on

2. Proxy service level Advanced Option

AllowEncodedSlashes On

3. Proxy service level Advanced Option

NoCanonicalization on

After making these changes, everything worked. The release notes included an '=' between the option name and its value for the two proxy service level options, which is not correct, and the Access Gateway Advanced Options documentation did not cover these options at all. The documentation is being updated to correct both.