Advanced Authentication Email OTP JSP page does not render using IE11 after IDP domain added to local Intranet or compatibility mode enabled

  • 7022722
  • 12-Mar-2018
  • 12-Mar-2018

Environment


Access Manager 4.4
Access Manager 4.3
Access Manager 4.2
Access Manager Identity Server
IE 11 Compatibility mode enabled

Situation

Access Manager 4.4 Identity Server running on SLES12 SP2, although the issue happens on all supported IDP platforms and also with previous NAM versions.
Using the Advanced Authentication 5.6 REST API integration and not the OAuth approach.

Access Manager contract configured for the two-factor secure name password (SNPF) and Email one-time password (EmailOTP) methods. The mechanism works well for all users except those running IE11, i.e. Chrome and Firefox users never see issues.

On IE11, if the NAM IDP Base URL is in the Intranet zone (or compatibility mode is enabled!), then following the execution of the SNPF method, where the user is asked for credentials, the EmailOTP page loads but does not render properly, so the user cannot enter an OTP. We can clearly see from the AAF logs as well as the emails to the user that the OTP was successfully sent.

As soon as you disable compatibility mode or remove the NAM IDP Base URL from the Intranet zone, all works fine. Part of the problem is that for Kerberos authentication, we need to have the IDP Base URL in the local intranet domain.
All other AAF methods seem to work fine.

The response appears to be the same, but rendering is the issue.

Resolution

Add the following line to the nidp_latest.jsp page:

response.setHeader("X-UA-Compatible", "IE=edge");

Place it right after the first "<% ", e.g. after

<%
    final String NIDP_JSP_CONTENT_DIV_ID = "theNidpContent";

This would take care of the intranet domain/compatibility view issues.
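
One way to script the edit above so it can be repeated on each Identity Server node (an added example, not part of the original article or the product). The function name, the sample JSP and the `.bak` backup are assumptions made for illustration; the script places the line after the first scriptlet opening and skips `<%@` directives, `<%=` expressions, `<%!` declarations and `<%--` comments.

```python
import re
import sys

# Line from the Resolution section above.
HEADER_LINE = 'response.setHeader("X-UA-Compatible", "IE=edge");'

# "<%" opens a scriptlet only when not followed by @ (directive),
# = (expression), ! (declaration) or -- (JSP comment).
SCRIPTLET_OPEN = re.compile(r"<%(?![@=!]|--)")
JSP_COMMENT = re.compile(r"<%--.*?--%>", re.S)
ALREADY_SET = re.compile(r'setHeader\(\s*"X-UA-Compatible"')

# Constructed sample; only the scriptlet's first line comes from the article.
SAMPLE_JSP = '''<%@ page contentType="text/html; charset=UTF-8" %>
<%-- constructed sample, not the real nidp_latest.jsp --%>
<%
    final String NIDP_JSP_CONTENT_DIV_ID = "theNidpContent";
%>
<div id="<%=NIDP_JSP_CONTENT_DIV_ID%>"></div>
'''


def add_ie_edge_header(jsp_source):
    """Return (patched_source, changed); a second run changes nothing."""
    if ALREADY_SET.search(jsp_source):
        return jsp_source, False
    comments = [m.span() for m in JSP_COMMENT.finditer(jsp_source)]
    for m in SCRIPTLET_OPEN.finditer(jsp_source):
        if any(start <= m.start() < end for start, end in comments):
            continue  # a "<%" quoted inside a JSP comment
        pos = m.end()
        return jsp_source[:pos] + "\n    " + HEADER_LINE + jsp_source[pos:], True
    raise ValueError("no scriptlet opening '<%' found")


if __name__ == "__main__":
    # Usage: python add_header.py /path/to/nidp_latest.jsp  (path is site-specific)
    path = sys.argv[1]
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    patched, changed = add_ie_edge_header(original)
    if changed:
        with open(path + ".bak", "w", encoding="utf-8") as fh:
            fh.write(original)  # keep a copy of the untouched page
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(patched)
    print("patched" if changed else "header already present")
```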