SSO fails to application after upgrading to NAM 3.2 Support Pack 2

  • 7012584
  • 10-Jun-2013
  • 11-Jun-2013

Environment

NetIQ Access Manager 3.2 Support Pack 2 applied
NetIQ Access Manager 3.2 Access Gateway

Situation

An Access Manager 3.2 Support Pack 1 system was running fine: all users could single sign-on (SSO) to back-end applications protected by the Access Gateway (AG) after having successfully authenticated to the Identity (IDP) server. The AG protected resources had Identity Injection policies enabled that injected the user's credentials to the back-end Web server.

After upgrading to 3.2 Support Pack 2, users accessing one of the applications (an SAP Portal Server) protected by the AG would get prompted to authenticate to the SAP server, despite having already authenticated to the IDP server. The Identity Injection policy appeared to be failing.

Resolution

Make sure that all the protected resources required for identity injection are set up correctly.

3.2 SP2 fixed an earlier bug in protected resource evaluation, and that fix is what caused the change in behaviour. Consider the following setup with two protected resources:

- Protected Resource PR1 is enabled on path /path/portal/* with both Identity Injection and Authentication.
- Protected Resource PR2 is enabled on /* as a public resource.

When hitting the following paths on the proxy defined with these protected resources, using NAM versions prior to 3.2.2 (and the LAG on 3.1.x):

- https://www.domain.com/path/portal
- https://www.domain.com/path/portal/neil

both requests will incorrectly match PR1 above. Technically, the second request above matches PR2, and therefore none of the user's credentials are injected into the Identity Injection header.

If PR2 requires the Identity Injection headers to be sent, a separate PR3 must be created for path /path/portal/neil with Identity Injection enabled. This only applies to 3.2.2 builds and greater.

Cause

Versions of the AG prior to 3.2.2 were incorrectly evaluating the protected resource. Here is a sample excerpt from the error_log on the AG server showing the PR evaluation for two requests: one for the bare path /sap/portal and one for an object under /sap/portal/*.

// Test accessing object under /sap/portal Protected resource - with no authentication or policy evaluation

Jun 10 14:49:39 magapp-1 httpd[21568]: [info] AM#504600000 AMDEVICEID#ag-6FD41AB01AB591F0: AMAUTHID#: AMEVENTID#65: Requ: GET https://www.domain.com/sap/portal  service:service_acc1 (164.99.137.175:40480->164.99.184.185:443)
Jun 10 14:49:39 magapp-1 httpd[21568]: [info] AM#504600100 AMDEVICEID#ag-6FD41AB01AB591F0: AMAUTHID#: AMEVENTID#65: Public URL
Jun 10 14:49:39 magapp-1 httpd[21568]: [info] AM#504600000 AMDEVICEID#ag-6FD41AB01AB591F0: AMAUTHID#: AMEVENTID#65: matched PR:index-public-url

// Test accessing object under /sap/portal/* Protected resource - with successful policy evaluation

Jun 10 14:49:51 magapp-1 httpd[21568]: [info] AM#504600000 AMDEVICEID#ag-6FD41AB01AB591F0: AMAUTHID#: AMEVENTID#70: Requ: GET https://www.domain.com/sap/portal/test.html  service:service_acc1 (164.99.137.175:40480->164.99.184.185:443)
Jun 10 14:49:51 magapp-1 httpd[21568]: [info] AM#504600000 AMDEVICEID#ag-6FD41AB01AB591F0: AMAUTHID#98266210A90175AA7790B3C00F2EE01A: AMEVENTID#70: validateCookie:local user.
Jun 10 14:49:51 magapp-1 httpd[21568]: [info] AM#504600100 AMDEVICEID#ag-6FD41AB01AB591F0: AMAUTHID#98266210A90175AA7790B3C00F2EE01A: AMEVENTID#70: Restricted URL
Jun 10 14:49:51 magapp-1 httpd[21568]: [info] AMEVENTID#70: IIPolicy is configured for the url /sap/portal/test.html

Jun 10 14:49:51 magapp-1 httpd[21568]: [info] AM#504600404 AMDEVICEID#ag-6FD41AB01AB591F0: AMAUTHID#98266210A90175AA7790B3C00F2EE01A: AMEVENTID#70: subreq www.domain.com:/nesp/app/soap
Jun 10 14:49:51 magapp-1 httpd[21568]: [info] AMEVENTID#70: Cache miss
Jun 10 14:49:51 magapp-1 httpd[19095]: [info] Connection to child 903 established (server neil.domain.com:443)
Jun 10 14:49:51 magapp-1 httpd[19095]: [info] Seeding PRNG with 288 bytes of entropy
Jun 10 14:49:51 magapp-1 httpd[19095]: [info] (70014)End of file found: SSL input filter read failed.
Jun 10 14:49:51 magapp-1 httpd[19095]: [info] Connection closed to child 903 with standard shutdown (server www.domain.com:443)

Jun 10 14:49:52 magapp-1 httpd[21568]: [info] AM#504602100 AMDEVICEID#ag-6FD41AB01AB591F0: AMAUTHID#98266210A90175AA7790B3C00F2EE01A: AMEVENTID#70: K5630PP0-P0OO-5950-777N-M5L7O5P0365L
Jun 10 14:49:52 magapp-1 httpd[21568]: [info] AM#504600000 AMDEVICEID#ag-6FD41AB01AB591F0: AMAUTHID#98266210A90175AA7790B3C00F2EE01A: AMEVENTID#70: matched PR:pr1_sap_ii
Jun 10 14:49:52 magapp-1 httpd[21568]: [info] AM#504600000 AMDEVICEID#ag-6FD41AB01AB591F0: AMAUTHID#98266210A90175AA7790B3C00F2EE01A: AMEVENTID#70: Contract-valid contract(name/password/uri -> name/password/uri) updateActivity to agscd
Jun 10 14:49:52 magapp-1 httpd[21568]: [info] AMEVENTID#70: Cache miss
Jun 10 14:49:52 magapp-1 httpd[21568]: [info] AM#504600005 AMDEVICEID#ag-6FD41AB01AB591F0: AMAUTHID#98266210A90175AA7790B3C00F2EE01A: AMEVENTID#70: sending II eval req
Jun 10 14:49:52 magapp-1 httpd[21568]: [info] AM#504601203 AMDEVICEID#ag-6FD41AB01AB591F0: AMAUTHID#98266210A90175AA7790B3C00F2EE01A: AMEVENTID#70: Sending value 98266210A90175AA7790B3C00F2EE01A for enum LibertyID
Jun 10 14:49:52 magapp-1 httpd[21568]: [info] AM#504601203 AMDEVICEID#ag-6FD41AB01AB591F0: AMAUTHID#98266210A90175AA7790B3C00F2EE01A: AMEVENTID#70: II policy id:K5630PP0-P0OO-5950-777N-M5L7O5P0365L
Jun 10 14:49:52 magapp-1 httpd[21568]: [info] AM#504600404 AMDEVICEID#ag-6FD41AB01AB591F0: AMAUTHID#98266210A90175AA7790B3C00F2EE01A: AMEVENTID#70: subreq www.domain.com:/nesp/app/soap
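The practical check behind both the Resolution and the Cause sections is to read the AG error_log and confirm, per request, which protected resource matched and whether an Identity Injection policy was actually applied. The script below is an added example and is not NetIQ's code or part of this TID; it parses the AMEVENTID-tagged lines in the format shown in the excerpt above (a subset of those lines is embedded as the sample input), groups them by event ID, and flags requests under a path that the back-end application expects injected headers for but where the AG matched a PR with no II policy. The list of required path prefixes (here /sap/portal) is an assumption supplied by the administrator; the message strings matched ("Requ:", "Public URL", "Restricted URL", "matched PR:", "IIPolicy is configured for the url", "sending II eval req") are taken from the excerpt.

```python
import re
from urllib.parse import urlsplit

# Sample input: error_log lines copied from the excerpt in this article
# (constructed subset: only the lines relevant to PR evaluation are kept).
SAMPLE_LOG = """\
Jun 10 14:49:39 magapp-1 httpd[21568]: [info] AM#504600000 AMDEVICEID#ag-6FD41AB01AB591F0: AMAUTHID#: AMEVENTID#65: Requ: GET https://www.domain.com/sap/portal  service:service_acc1 (164.99.137.175:40480->164.99.184.185:443)
Jun 10 14:49:39 magapp-1 httpd[21568]: [info] AM#504600100 AMDEVICEID#ag-6FD41AB01AB591F0: AMAUTHID#: AMEVENTID#65: Public URL
Jun 10 14:49:39 magapp-1 httpd[21568]: [info] AM#504600000 AMDEVICEID#ag-6FD41AB01AB591F0: AMAUTHID#: AMEVENTID#65: matched PR:index-public-url
Jun 10 14:49:51 magapp-1 httpd[21568]: [info] AM#504600000 AMDEVICEID#ag-6FD41AB01AB591F0: AMAUTHID#: AMEVENTID#70: Requ: GET https://www.domain.com/sap/portal/test.html  service:service_acc1 (164.99.137.175:40480->164.99.184.185:443)
Jun 10 14:49:51 magapp-1 httpd[21568]: [info] AM#504600100 AMDEVICEID#ag-6FD41AB01AB591F0: AMAUTHID#98266210A90175AA7790B3C00F2EE01A: AMEVENTID#70: Restricted URL
Jun 10 14:49:51 magapp-1 httpd[21568]: [info] AMEVENTID#70: IIPolicy is configured for the url /sap/portal/test.html
Jun 10 14:49:51 magapp-1 httpd[19095]: [info] Seeding PRNG with 288 bytes of entropy
Jun 10 14:49:52 magapp-1 httpd[21568]: [info] AM#504600000 AMDEVICEID#ag-6FD41AB01AB591F0: AMAUTHID#98266210A90175AA7790B3C00F2EE01A: AMEVENTID#70: matched PR:pr1_sap_ii
Jun 10 14:49:52 magapp-1 httpd[21568]: [info] AM#504600005 AMDEVICEID#ag-6FD41AB01AB591F0: AMAUTHID#98266210A90175AA7790B3C00F2EE01A: AMEVENTID#70: sending II eval req
"""

EVENT_RE = re.compile(r"AMEVENTID#(\d+):\s*(.*)$")
REQ_RE = re.compile(r"^Requ:\s+(\S+)\s+(\S+)")
PR_RE = re.compile(r"^matched PR:(\S+)")
II_CFG_RE = re.compile(r"^IIPolicy is configured for the url (\S+)")


def parse_pr_evaluations(log_text):
    """Group error_log lines by AMEVENTID and record, per request, the URL
    path, whether the AG treated it as Public or Restricted, which protected
    resource matched, and whether an Identity Injection policy was applied.
    Lines without an AMEVENTID (e.g. the SSL child messages) are ignored."""
    events = {}
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        event_id, msg = m.group(1), m.group(2).strip()
        ev = events.setdefault(event_id, {
            "method": None, "path": None, "access": None,
            "pr": None, "ii_configured": False, "ii_eval_sent": False,
        })
        r = REQ_RE.match(msg)
        p = PR_RE.match(msg)
        if r:
            ev["method"] = r.group(1)
            ev["path"] = urlsplit(r.group(2)).path
        elif msg.startswith("Public URL"):
            ev["access"] = "Public"
        elif msg.startswith("Restricted URL"):
            ev["access"] = "Restricted"
        elif p:
            ev["pr"] = p.group(1)
        elif II_CFG_RE.match(msg):
            ev["ii_configured"] = True
        elif msg.startswith("sending II eval req"):
            ev["ii_eval_sent"] = True
    return events


def find_missing_injection(events, required_prefixes):
    """Return (event_id, path, matched_pr) for each request whose path is
    under a prefix the back end expects II headers for (administrator-supplied
    assumption) but where no IIPolicy was configured for the matched PR.
    A hit means a dedicated PR for that path is still missing (the PR3 case)."""
    hits = []
    for event_id, ev in sorted(events.items(), key=lambda kv: int(kv[0])):
        path = ev["path"]
        if path is None:
            continue
        under_prefix = any(
            path == pfx or path.startswith(pfx.rstrip("/") + "/")
            for pfx in required_prefixes
        )
        if under_prefix and not ev["ii_configured"]:
            hits.append((event_id, path, ev["pr"]))
    return hits


if __name__ == "__main__":
    evs = parse_pr_evaluations(SAMPLE_LOG)
    for eid, ev in sorted(evs.items(), key=lambda kv: int(kv[0])):
        print(eid, ev["method"], ev["path"], ev["access"], ev["pr"],
              "II" if ev["ii_configured"] else "no-II")
    for eid, path, pr in find_missing_injection(evs, ["/sap/portal"]):
        print("no identity injection for", path,
              "(event", eid, "matched", pr + ")")
```

Run it against a copy of the AG error_log (with the AG logging level set so the "matched PR:" and "IIPolicy" lines appear) and any request reported as missing injection points at a path that matched the public resource rather than the II-enabled one, which is exactly the path for which the Resolution says a separate protected resource must be created.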