SAML AuthnRequest from 3rd party application seems to hang at the NAM IDP server with Chrome or Edge only

  • 7024907
  • 04-Nov-2020
  • 04-Nov-2020

Environment

  • Access Manager 4.5.2
  • Access Manager 4.5.3

Situation

  • Access Manager has been configured as a SAML IDP server
  • SAML Authentication Requests initiated to the NAM IDP server seem to hang or loop (rendering a blank page) with Google Chrome and Microsoft Edge
  • Running the same request with Firefox does not cause any problems

Resolution

  • Configure the IDP server to make use of SameSite cookies by modifying the file "/opt/novell/nids/lib/webapp/WEB-INF/web.xml"
  • The section to enable the SameSite cookie already exists in supported versions of Access Manager and just has to be uncommented

Cause

  • Chrome and Edge require SameSite cookies, which are not set by default at the IDP server

Additional Information

  1. For all issues where the browser client renders a blank page or seems to hang at the IDP server, use:

    1. The browser's internal developer tools. In most cases these kinds of symptoms are caused by a browser security policy, for example CORS / CSP. Check for any errors reported.

    2. A browser header trace utility like Telerik Fiddler to follow the exact flow of the browser. Take traces for a working and a non-working scenario in order to compare them step by step, and check which browser session cookie is used and how it gets used.

  2. The IDP server uses the JSESSIONID cookie to authorize a user session. This cookie is set on the very first request to the IDP server during the user authentication phase and is used in all subsequent requests, for example on the response to a SAML2 Authentication request.
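
The following is an added example, not part of the original article or of Access Manager: a small Python check that can be run over response headers copied from a header trace to see whether a Chromium-based browser will return the JSESSIONID cookie on a cross-site POST such as a SAML request from a 3rd party application. The header blocks, cookie values and the cookie path are constructed sample data.

```python
def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, lower-cased attribute dict)."""
    first, *rest = [p.strip() for p in value.split(";")]
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return first.split("=", 1)[0], attrs


def cross_site_post_verdict(attrs):
    """Will a Chromium-based browser return this cookie on a cross-site POST?"""
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        # SameSite=None is only honoured together with the Secure attribute.
        return "sent" if "secure" in attrs else "rejected: SameSite=None needs Secure"
    if samesite == "strict":
        return "withheld: SameSite=Strict"
    if samesite == "lax":
        return "withheld: SameSite=Lax"
    # Missing or unrecognised value: handled as Lax by default. Chrome may still
    # send such a cookie on a top-level POST while it is under two minutes old,
    # which can make the symptom look intermittent.
    return "withheld: no SameSite attribute, treated as Lax"


def audit_trace(raw_headers):
    """Map each cookie set in a captured response header block to its verdict."""
    verdicts = {}
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            verdicts[cookie] = cross_site_post_verdict(attrs)
    return verdicts


# Constructed sample headers: non-working trace, then trace after the change.
NON_WORKING = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=CONSTRUCTED0001; Path=/nidp; Secure; HttpOnly"""
WORKING = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=CONSTRUCTED0002; Path=/nidp; Secure; HttpOnly; SameSite=None"""

if __name__ == "__main__":
    for label, trace in (("non-working", NON_WORKING), ("working", WORKING)):
        print(label, audit_trace(trace))
```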