SAML2 SSO to IDMDASH fails with NAM IDP running Multi-factor Authentication by AAF

  • 7024618
  • 12-May-2020
  • 12-May-2020


  • Access Manager 4.5
  • Access Manager 4.5.1


  • IDMDASH has been configured for SSO using SAML2 with Access Manager Manager.

  • Access Manager IDP server has been configured for Multi-factor Authentication (MFA) using the Advanced Authentication Service (AAF) with OAuth.

  • SSO to IDMDASH works fine by using one of the Form Based Access Manager default authentication contracts

  • As soon as an AAF authentication is getting used IDMDASH returns the following message
Your login process did not complete successfully.

This page is supposed to show up in an iFrame which then calls to the parent
frame to close itself and let you get back to work. However, the security
provider has redirected the parent frame instead of the iFrame which subverts
this mechanism.

You are now logged in, but you will have to manually go back to the application you were using.

see attached capture.
Please let me know what log files or other information to provide to help you investigate this issue 


  • This issue will be fixed with Access Manager 4.5.2

  • With NAM 4.5.0 and 4.5.1 you can modify the "/opt/novell/nids/lib/webapp/jsp/advancedAuth.jsp" after ceating a backup copy with

    <%@ page import="com.novell.nidp.resource.*" %>
    <%@ page import="com.novell.nidp.resource.jsp.*" %>
    <%@ page import="com.novell.nidp.ui.*" %>
       ContentHandler handler = new ContentHandler(request,response);
       String target = (String) request.getAttribute("target");
       String grantURL="";

       if(request.getAttribute("authorizeUrl") != null)
          grantURL = (String) request.getAttribute("authorizeUrl");

        <style type="text/css" media="screen">
          td label       { font-size: 0.85em ; padding-right: 0.2em; }
          label          { font-size: 0.77em; padding-right: 0.2em; }
          input          { font-family: sans-serif; }
           .instructions { color: #4d6d8b; font-size: 0.8em; margin: 0 10px 10px 0 }

      <body >
        <form name="authCodeForm" method="post" action="<%= grantURL%>"></form>


The integration between the Access Manager IDP server and AAF runs a request by using the OAuth flow forcing the browser client to move to the parent frame (loosing its current frame)
    <form name="authCodeForm" method="post" action="<%= grantURL%>"></form>
        top.window.location="<%= grantURL %>"