Login to external secret store fails after upgrade to Access Manager 4.0

  • 7014406
  • 14-Jan-2014
  • 22-Nov-2016

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 4.0

Situation

LDAP error 49 seen in Access Manager logs.
NDStrace shows an NMAS error -1642
Error: "Status: 500 Internal Server Error"

After the upgrade to Access Manager 4.0, every attempt to use the external secret store fails with NMAS error -1642. A user who accesses a protected resource that relies on the secret store then sees "500 Internal Server Error" in the browser.

With Access Manager 4.0 the Issuer in the SAML assertion sent to SecretStore has changed.
Up to 3.2.x, the Issuer in the assertion used for the SecretStore (SASL) login was the object DN of the IDP cluster in the configuration store.
With 4.0 the standard base URL is used as the Issuer instead. The Affiliate object in the user store still holds the old DN as its Provider ID, so the assertion no longer matches what NMAS expects and is rejected. The two log excerpts below show the difference.


NAM 3.2.2:
Created SAMLAssertion for SASL Login:
<saml:Assertion AssertionID="idURNvoN2ctMTPTABa8cGKnS598EA"
IssueInstant="2013-12-16T08:18:25Z"
Issuer="cn=SCCmy7586,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell"
MajorVersion="1" MinorVersion="1"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">

NAM 4.0:
Created SAMLAssertion for SASL Login:
<saml:Assertion AssertionID="idt8NRfZnhKh3K1gd9G-jKuwImidE"
IssueInstant="2013-12-16T09:11:06Z"
Issuer="https://idpq.erik.com/nidp/idff/metadata" MajorVersion="1"
MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">

Resolution

Change the Provider ID in the Affiliate of the NMAS method in the user store from the object DN
"cn=SCCmy7586,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell" to the base URL, i.e. the IDP base URL followed by /nidp/idff/metadata, for example "https://nam1.example.com/nidp/idff/metadata". Use the exact string that your own 4.0 IDP logs as Issuer in the "Created SAMLAssertion for SASL Login" entry (scheme, host name and path must all match).
 
In the defined external user store, browse to the Affiliate object as follows:

1. Below the Security container, open the container called Authorized Login Methods.
2. In that container, open the SAML Assertion container.
3. In the SAML Assertion container there is an object whose name starts with SCC; this is the Affiliate object.
4. Open that object. Among its attributes is authsamlProviderID; change its value to the standard base URL described above.

After the change, the Issuer logged by the IDP and the authsamlProviderID value in the user store must be identical. If they already match and the -1642 error persists, the cause is something other than the Issuer change described in this document.
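As an added example (not part of this TID and not NetIQ code), the following Python script automates the check above: it pulls the Issuer out of the "Created SAMLAssertion for SASL Login" log entry, compares it with the authsamlProviderID value currently stored on the Affiliate object, and, if they differ, produces the LDIF that ldapmodify needs to replace the attribute. The two log excerpts are the ones quoted in this TID, embedded as constructed sample input. The Affiliate DN is an assumption built from the navigation path above (Security > Authorized Login Methods > SAML Assertion > SCC...), and the script assumes NMAS requires an exact string match, which is all this TID states.

```python
"""Added example for this TID: compare the assertion Issuer logged by Access
Manager 4.0 with authsamlProviderID on the Affiliate object and emit the
fixing LDIF. Not NetIQ code; see the assumptions marked below."""
import re

# Constructed sample data: the two assertion excerpts quoted in this TID.
LOG_NAM32 = '''Created SAMLAssertion for SASL Login:
<saml:Assertion AssertionID="idURNvoN2ctMTPTABa8cGKnS598EA"
IssueInstant="2013-12-16T08:18:25Z"
Issuer="cn=SCCmy7586,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell"
MajorVersion="1" MinorVersion="1"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">'''

LOG_NAM40 = '''Created SAMLAssertion for SASL Login:
<saml:Assertion AssertionID="idt8NRfZnhKh3K1gd9G-jKuwImidE"
IssueInstant="2013-12-16T09:11:06Z"
Issuer="https://idpq.erik.com/nidp/idff/metadata" MajorVersion="1"
MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">'''

# ASSUMPTION: DN of the Affiliate object, derived from the navigation path in
# this TID (Security > Authorized Login Methods > SAML Assertion > SCC...).
# Substitute the DN of your own SCC object.
AFFILIATE_DN = "cn=SCCmy7586,cn=SAML Assertion,cn=Authorized Login Methods,cn=Security"

# Matches each SASL-login assertion entry up to its Issuer attribute.
_ISSUER_RE = re.compile(
    r'Created SAMLAssertion for SASL Login:.*?Issuer="([^"]+)"', re.S)


def sasl_login_issuers(log_text):
    """Issuer of every 'Created SAMLAssertion for SASL Login' entry, in log order."""
    return _ISSUER_RE.findall(log_text)


def issuer_kind(issuer):
    """'dn' for the pre-4.0 object-DN form, 'url' for the 4.0 base-URL form."""
    lowered = issuer.lower()
    if lowered.startswith("cn="):
        return "dn"
    if lowered.startswith(("https://", "http://")):
        return "url"
    return "unknown"


def provider_id_ldif(affiliate_dn, provider_id):
    """LDIF that replaces authsamlProviderID on the Affiliate object (input for ldapmodify)."""
    return "\n".join([
        f"dn: {affiliate_dn}",
        "changetype: modify",
        "replace: authsamlProviderID",
        f"authsamlProviderID: {provider_id}",
        "",
    ])


def plan_fix(log_text, affiliate_dn, current_provider_id):
    """Compare the most recent logged Issuer with the stored attribute value.

    Returns None when they already match (the -1642 then has another cause),
    otherwise the LDIF that makes authsamlProviderID equal to the Issuer.
    ASSUMPTION: NMAS needs an exact string match; the TID only says the two
    values must match.
    """
    issuers = sasl_login_issuers(log_text)
    if not issuers:
        raise ValueError("no 'Created SAMLAssertion for SASL Login' entry in log")
    issuer = issuers[-1]
    if issuer == current_provider_id:
        return None
    return provider_id_ldif(affiliate_dn, issuer)


if __name__ == "__main__":
    # After the upgrade the Affiliate still holds the 3.2.x Issuer (the object DN).
    stale_value = sasl_login_issuers(LOG_NAM32)[0]
    print(issuer_kind(stale_value), "->", issuer_kind(sasl_login_issuers(LOG_NAM40)[0]))
    print(plan_fix(LOG_NAM40, AFFILIATE_DN, stale_value))
```

Write the printed LDIF to a file and apply it against the external user store with an administrative account, for example `ldapmodify -x -H ldaps://<userstore> -D <admin DN> -W -f fix.ldif` (the host and bind DN are placeholders). Read the current attribute value first with ldapsearch or a directory browser so that `plan_fix` compares against what is actually stored rather than against the DN quoted in this TID.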