Environment
Access Manager 4.3
Access Manager 4.4
Situation
An integration project with SAP Fiori was started where we used the SAML protocol with the objective of authenticating users at the IDP and generating an assertion to the SAP service provider to single sign on. The SAP SAML SP was also protected by the Access Manager AG.
The authentication process works correctly: users can authenticate to the IDP server, but they receive the following error on the SAP home page instead of being single signed-on:
"unable to load groups".
Looking through the SAP info page, it would appear that there is a problem using a reverse proxy in front of SAP in terms of how the URL is decoded. To confirm whether the AG was the issue or not, we installed a separate Apache proxy, where we got it all working. The key was the addition of the "nocanon" parameter.
The NAM 4.3 Release notes Documentation (https://www.netiq.com/documentation/access-manager-43/accessmanager43-release-notes/data/accessmanager43-release-notes.html) mentions the following:
Web Server Request URL Does Not Retain Encoded Characters
Issue: When the Web server requests for a URL, the URL does not retain the encoded characters before sending it to the back end Web server. [Bug 934320]
Fix: To fix this issue, a new advance option NoCanonicalization=on is introduced. This option is added to the proxy service level which adds the nocanon keyword to the ProxyPass directives. You also need to enable NAGGlobalOptions noURLNormalize=on and AllowEncodedSlashes=on advance options at the proxy service level.
These options cause Apache to fail to load on NAM 4.3.2.
Resolution
1. Global Advance Option
NAGGlobalOptions noURLNormalize=on
2. Proxy service level Advance option
AllowEncodedSlashes On
3. Proxy service level Advance option
NoCanonicalization on
After making these changes, all worked fine. The docs included an '=' between the option name and its value, which is not correct. The Access Gateway Advanced Options docs did not cover the options above. The documentation is being updated to correct both.
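To make the effect of these options concrete, the following is an added example (not code from this article, from NetIQ or from Apache) that models what a reverse proxy hands to the back-end server for one request path under the three configurations discussed above: default canonicalization, AllowEncodedSlashes Off, and nocanon with AllowEncodedSlashes On. The sample path is constructed for the illustration and is not taken from a real SAP Fiori system; the function names and the simplified decode/re-encode model of mod_proxy canonicalization are assumptions of the example. It also includes the check a practitioner would want once nocanon is in place: because the proxy no longer normalizes the path, the example decodes it and looks for ".." segments before forwarding, since that limited protection now has to live somewhere else.

```python
from typing import Optional
from urllib.parse import quote, unquote

# Constructed sample request path (not a real SAP URL): an encoded slash
# (%2F) and an encoded question mark (%3F) are part of the path itself,
# which is the situation the release note describes as "encoded
# characters not retained".
SAMPLE_PATH = "/sap/bc/ui5_ui5/ui2/ushell/shells/abap/Fiori%2Flaunchpad%3Fsap-client%3D100"


def canonicalize(path: str) -> str:
    """Simplified model of default mod_proxy ProxyPass behaviour (an
    assumption of this example): the path is percent-decoded and then
    re-encoded, so %2F becomes a literal '/' and %3F a literal '?'.
    The backend therefore receives a different resource path than the
    client requested."""
    return quote(unquote(path), safe="/?=&")


def forward_path(path: str, nocanon: bool, allow_encoded_slashes: bool) -> Optional[str]:
    """Return the path the backend would receive, or None when the request
    is rejected. Models the documented behaviour:
      - AllowEncodedSlashes Off: a request containing %2F is refused (404).
      - nocanon: the path is passed through unchanged ("raw").
      - otherwise: the path is canonicalized before forwarding."""
    if not allow_encoded_slashes and "%2f" in path.lower():
        return None
    if nocanon:
        return path
    return canonicalize(path)


def has_traversal(path: str) -> bool:
    """Defensive check for a backend (or a WAF in front of it) once nocanon
    is enabled: decode the raw path and flag any '..' segment, including
    the encoded forms %2E%2E that canonicalization would otherwise have
    resolved before the proxy forwarded the request."""
    segments = unquote(path).split("/")
    return any(seg == ".." for seg in segments)


def describe() -> dict:
    """Collect the three configurations side by side for the reader."""
    return {
        # Equivalent httpd.conf: ProxyPass / http://backend/   (default)
        "default": forward_path(SAMPLE_PATH, nocanon=False, allow_encoded_slashes=True),
        # Equivalent httpd.conf: AllowEncodedSlashes Off (Apache default)
        "encoded_slashes_off": forward_path(SAMPLE_PATH, nocanon=False, allow_encoded_slashes=False),
        # Equivalent httpd.conf: AllowEncodedSlashes On
        #                        ProxyPass / http://backend/ nocanon
        "nocanon": forward_path(SAMPLE_PATH, nocanon=True, allow_encoded_slashes=True),
    }


if __name__ == "__main__":
    for mode, result in describe().items():
        print(f"{mode:20s} -> {result}")
    print("traversal in sample:", has_traversal(SAMPLE_PATH))
    print("traversal in /a/%2E%2E/b:", has_traversal("/a/%2E%2E/b"))
```

Running the block shows that only the nocanon configuration forwards the path exactly as the client sent it, which is what the SAP Fiori side needs to resolve the request after the SAML assertion is consumed; the default configuration turns the encoded '?' into a real query separator and the encoded '/' into a path separator, and AllowEncodedSlashes Off refuses the request outright. The `has_traversal` check reflects the trade-off Apache's own documentation makes for nocanon: the proxy stops normalizing the path, so the back end must be relied on to reject traversal sequences itself.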