Environment
- Access Manager 4.5
- Access Manager 4.5.1
Situation
- IDMDASH has been configured for SSO using SAML2 with Access
Manager Manager.
- Access Manager IDP server has been configured for Multi-factor
Authentication (MFA) using the Advanced Authentication Service
(AAF) with OAuth.
- SSO to IDMDASH works fine by using one of the Form Based Access
Manager default authentication contracts
- As soon as an AAF authentication is getting used IDMDASH returns the following message
Your login process did not complete successfully.
This page is supposed to show up in an iFrame which then calls to the parent
frame to close itself and let you get back to work. However, the security
provider has redirected the parent frame instead of the iFrame which subverts
this mechanism.
You are now logged in, but you will have to manually go back to the application you were using.
see attached capture.
Please let me know what log files or other information to provide to help you investigate this issue
Resolution
- This issue will be fixed with Access Manager 4.5.2
- With NAM 4.5.0 and 4.5.1 you can modify the "/opt/novell/nids/lib/webapp/jsp/advancedAuth.jsp"
after ceating a backup copy with
<%@ page import="com.novell.nidp.resource.*" %>
<%@ page import="com.novell.nidp.resource.jsp.*" %>
<%@ page import="com.novell.nidp.ui.*" %>
<%
ContentHandler handler = new ContentHandler(request,response);
String target = (String) request.getAttribute("target");
String grantURL="";
if(request.getAttribute("authorizeUrl") != null)
{
grantURL = (String) request.getAttribute("authorizeUrl");
}
%>
<html>
<head>
<style type="text/css" media="screen">
td label { font-size: 0.85em ; padding-right: 0.2em; }
label { font-size: 0.77em; padding-right: 0.2em; }
input { font-family: sans-serif; }
.instructions { color: #4d6d8b; font-size: 0.8em; margin: 0 10px 10px 0 }
</style>
</head>
<body >
<form name="authCodeForm" method="post" action="<%= grantURL%>"></form>
<script>document.forms['authCodeForm'].submit();</script>
</body>
</html>
Cause
The integration between the Access Manager IDP server and AAF
runs a request by using the OAuth flow forcing the browser client
to move to the parent frame (loosing its current frame)
<body>
<form name="authCodeForm" method="post" action="<%= grantURL%>"></form>
<script>
top.window.location="<%= grantURL %>"
</script>
</body>