Environment
Access Manager 4.4
Access Manager 4.3
Access Manager 4.2
Access Manager Identity Server
IE 11 Compatibility mode enabled
Situation
Access Manager 4.4 Identity Server running on SLES12 SP2, although the issue happens on all supported IDP platforms, and also with previous NAM versions.
Using Advanced Authentication 5.6 REST API integration and not the OAuth approach
The Access Manager contract is configured for two-factor authentication with the secure name password (SNPF) and Email one-time password (EmailOTP) methods. The mechanism works well for all users with the exception of those running IE11, i.e. Chrome or Firefox users never see issues.
On IE11, if the NAM IDP Base URL is in the Intranet zone (or compatibility mode is enabled!), then following the execution of the SNPF method, where the user is asked for credentials, the EmailOTP page loads but does not render properly, so the user cannot enter an OTP. We can clearly see from the AAF logs, as well as from the emails to the user, that the OTP was successfully sent.
As soon as you disable compatibility mode or remove the NAM IDP Base URL from the Intranet zone, it all works fine. Part of the problem is that for Kerberos authentication, we need to have the IDP Base URL in the local intranet domain.
All other AAF methods seem to work fine. The response appears to be the same, but rendering is the issue.
Resolution
Add the following entry to the nidp_latest.jsp page:
response.setHeader("X-UA-Compatible", "IE=edge");
Place it in nidp_latest.jsp right after the first "<% ", e.g. after
<%
final String NIDP_JSP_CONTENT_DIV_ID = "theNidpContent";
This would take care of the intranet domain/compatibility view issues.
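To confirm that the edited JSP really emits the header, the following added example (not part of the original article or of Access Manager) parses a raw HTTP response and reports which IE document mode it requests. The sample responses are constructed, and the function names ie_modes and pins_edge are hypothetical.

```python
import re
from email.parser import BytesParser

# Constructed sample responses (not captured from a real Identity Server).
BEFORE_FIX = (b"HTTP/1.1 200 OK\r\n"
              b"Content-Type: text/html;charset=UTF-8\r\n\r\n"
              b"<html><body><div id=\"theNidpContent\"></div></body></html>")
AFTER_FIX = (b"HTTP/1.1 200 OK\r\n"
             b"Content-Type: text/html;charset=UTF-8\r\n"
             b"x-ua-compatible: IE=edge\r\n\r\n"
             b"<html><body><div id=\"theNidpContent\"></div></body></html>")
LEGACY_PIN = (b"HTTP/1.1 200 OK\r\n"
              b"X-UA-Compatible: IE=EmulateIE7\r\n\r\n<html></html>")


def ie_modes(raw_response: bytes) -> list:
    """Return the IE modes named in X-UA-Compatible, lowercased.

    An empty list means the header is absent, so IE11 falls back to its
    zone and Compatibility View settings (the situation in this article).
    """
    head, _, _body = raw_response.partition(b"\r\n\r\n")
    _status, _, header_block = head.partition(b"\r\n")
    headers = BytesParser().parsebytes(header_block + b"\r\n\r\n",
                                       headersonly=True)
    value = headers.get("X-UA-Compatible")  # header lookup is case-insensitive
    if value is None:
        return []
    modes = []
    # Values such as "IE=edge,chrome=1" carry several tokens; keep IE ones.
    for token in re.split(r"[;,]", value):
        name, _, mode = token.strip().partition("=")
        if name.strip().lower() == "ie" and mode.strip():
            modes.append(mode.strip().lower())
    return modes


def pins_edge(raw_response: bytes) -> bool:
    """True only when the response asks for exactly IE=edge."""
    return ie_modes(raw_response) == ["edge"]


if __name__ == "__main__":
    for label, raw in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX),
                       ("legacy pin", LEGACY_PIN)):
        print(label, ie_modes(raw), "edge pinned:", pins_edge(raw))
```

Run it against the raw response of the Identity Server login page, saved from a proxy or packet capture, after the JSP change has been deployed.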