Login to external secret store fails after upgrade to Access Manager 4.0

This document (7014406) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 4.0

Situation

LDAP error 49 seen in Access Manager logs.
ndstrace shows NMAS error -1642.
Browser shows "Status: 500 Internal Server Error".

After the upgrade to Access Manager 4.0, a login to the external secret store returns NMAS error -1642, which surfaces at the browser as a 500 Internal Server Error when a user attempts to access a defined protected resource.

With Access Manager 4.0 the Issuer in the SAML assertion sent to SecretStore has changed.
Up to 3.2.x, when logging in to SecretStore, the Issuer in the assertion was set to the object DN of the IDP cluster in the config store.
With 4.0, the standard base URL is used as the Issuer instead, as the two log excerpts below show.

NAM 3.2.2:
Created SAMLAssertion for SASL Login:
<saml:Assertion AssertionID="idURNvoN2ctMTPTABa8cGKnS598EA"
IssueInstant="2013-12-16T08:18:25Z"
Issuer="cn=SCCmy7586,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell"
MajorVersion="1" MinorVersion="1"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">

NAM 4.0:
Created SAMLAssertion for SASL Login:
<saml:Assertion AssertionID="idt8NQfZnhKh3K1gd9G-jKuwImidE"
IssueInstant="2013-12-16T09:11:06Z"
Issuer="https://idpq.erik.com/nidp/idff/metadata" MajorVersion="1"
MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">

Resolution

You need to change the Provider ID in the Affiliate object of the NMAS SAML method in the user store from the object DN
"cn=SCCmy7586,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell" to the base URL, "https://nam1.example.com/nidp/idff/metadata" in this example, so that it matches the Issuer the 4.0 IDP now puts in the assertion.

In the defined external user store, browse for the affiliate object, which you can find in the following structure:

Below the Security container there is an object called Authorized Login Methods.
Open this container, and within it open the SAML Assertion container.
In that container there should be an object whose name starts with SCC.
Open this object; it has multiple attributes.

One of them is named authsamlProviderID; change its value to match the standard base URL.
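As an added example (not part of the original article), a small Python check that pulls the Issuer out of the NAM 4.0 "Created SAMLAssertion for SASL Login" log entry, compares it with the authsamlProviderID value from an ldapsearch export of the SCC affiliate object, and emits the ldapmodify LDIF that corrects the mismatch. The log and LDIF inputs are constructed here, and the affiliate DN follows the container structure described above but is an assumption.

```python
import re

# Constructed sample: the NAM 4.0 log excerpt from the article (Issuer is now the base URL).
LOG_NAM40 = """Created SAMLAssertion for SASL Login:
<saml:Assertion AssertionID="idt8NQfZnhKh3K1gd9G-jKuwImidE"
IssueInstant="2013-12-16T09:11:06Z"
Issuer="https://idpq.erik.com/nidp/idff/metadata" MajorVersion="1"
MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
"""

# Constructed sample: ldapsearch (LDIF) export of the SCC affiliate object, still holding the
# pre-4.0 IDP cluster DN. The DN (Security > Authorized Login Methods > SAML Assertion) is assumed.
LDIF_AFFILIATE = """dn: cn=SCCmy7586,cn=SAML Assertion,cn=Authorized Login Methods,cn=Security
authsamlProviderID: cn=SCCmy7586,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell
"""

ISSUER_RE = re.compile(r'Issuer="([^"]+)"')

def assertion_issuer(log_text):
    """Return the Issuer of the 'Created SAMLAssertion for SASL Login' entry, or None."""
    match = ISSUER_RE.search(log_text)
    return match.group(1) if match else None

def ldif_entry(ldif_text):
    """Minimal parser for one ldapsearch LDIF entry: returns (dn, {attribute: [values]})."""
    dn, attrs = None, {}
    for line in ldif_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition(": ")
        if key == "dn":
            dn = value
        else:
            attrs.setdefault(key, []).append(value)
    return dn, attrs

def check_provider_id(log_text, ldif_text):
    """Compare the assertion Issuer with authsamlProviderID: (True, None) when they match,
    else (False, ldif) where ldif is ldapmodify input replacing the stale DN with the Issuer
    NAM 4.0 now sends. This mismatch is what makes NMAS fail the SASL login with -1642."""
    issuer = assertion_issuer(log_text)
    dn, attrs = ldif_entry(ldif_text)
    if issuer is None or dn is None:
        raise ValueError("assertion Issuer or affiliate DN not found in the input")
    current = attrs.get("authsamlProviderID", [None])[0]
    if current == issuer:
        return True, None
    fix = (f"dn: {dn}\nchangetype: modify\nreplace: authsamlProviderID\n"
           f"authsamlProviderID: {issuer}\n-\n")
    return False, fix
```

Feed the emitted LDIF to ldapmodify against the user store (with an account that may write to the affiliate object), then repeat the SecretStore login and confirm the -1642 is gone from ndstrace.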

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7014406
  • Creation Date: 14-JAN-14
  • Modified Date: 14-JAN-14
    • NetIQ Access Manager (NAM)