Environment
Novell Access Management 3 Linux Novell Identity Server
Novell Access Management 3 Linux Access Gateway
Novell Access Management 3 Access Administration
Novell Access Management 3 Netware Access Gateway
Novell Access Manager 3 Support Pack 1 Beta 1 applied
Identity Server accelerated by Access Gateway
Situation
Novell Access Manager installed and configured with the Linux Access
Gateway (SP1 Beta 1 applied). The Linux Access Gateway (LAG) is
configured to accelerate the Identity Server (IDP). When accessing
a protected resource that requires authentication, users are
prompted for their credentials and receive the 300101016 error
after submitting them. The same users are able to authenticate and
access the same protected resource when the IDP is configured in
parallel with the LAG rather than as a resource accelerated through the
LAG. Note that SSL is used for all access.
Debug catalina.out logs on the IDP server show that the user authentication to the eDirectory store is successful, and it appears that it is able to successfully create and store a session. After the client browser is redirected back to the original resource on the LAG, the session cannot be successfully retrieved from the IDP.
Resolution
Make sure that HTML rewriting is configured for the IDP protected
resource. To do so:
Click > > > > > . Make sure the option is selected.
In the , click , then specify a name for the profile and select for the .
Enter the following URLs in the section. The following URLs use login.novell.com/nidp as the DNS name of the reverse proxy for the Identity Server:
login.novell.com/nidp/idff/soap
login.novell.com/nidp/idff/soap/
login.novell.com/nidp/idff/soap/*
login.novell.com:443/nidp/idff/soap
login.novell.com:443/nidp/idff/soap/
login.novell.com:443/nidp/idff/soap/*
Click .
Use the up arrow icon to move your profile to the top of the list.
Additional Information
When a SAML assertion is generated, there are certain conditions
that need to be validated, based on the tag. For example, the
following assertion shows that the assertion is not valid before or
after the following timestamps, and is only valid for the
https://login.novell.com:80 audience. In certain cases the :80 or :443
(with https) is appended to the audience, yet the ProviderID in the
metadata does not include the port number, so the string comparison
fails. To work around the issue, add rewriter entries for the TCP
ports as well (as in the Resolution above).
https://login.novell.com:80/nesp/idff/metadata
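The following is an added example, not Novell code, illustrating the audience mismatch described above. It parses the Conditions element of a constructed Liberty ID-FF (SAML 1.x) assertion, checks the NotBefore/NotOnOrAfter window, and compares the Audience against the service provider's ProviderID. With a strict string comparison the ":80" spelling is rejected; accepting the port variants (the effect of the extra rewriter entries) lets the same assertion pass. The assertion XML, timestamps, and URLs are constructed for this example.

```python
"""Check the Conditions of a Liberty ID-FF / SAML 1.x assertion.

Added example, not Novell's code. SAMPLE_ASSERTION is constructed; the
AssertionID, timestamps and URLs are illustrative only.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, urlunsplit
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample: the audience carries an explicit :80, as the TID
# describes, while the SP's ProviderID in the metadata has no port.
SAMPLE_ASSERTION = """<saml:Assertion
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    AssertionID="constructed-example-id"
    IssueInstant="2007-03-12T10:00:00Z"
    Issuer="https://login.novell.com/nidp/idff/metadata">
  <saml:Conditions NotBefore="2007-03-12T10:00:00Z"
                   NotOnOrAfter="2007-03-12T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://login.novell.com:80/nesp/idff/metadata</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>"""


def parse_utc(ts):
    """Parse an xsd:dateTime in the 'Z' (UTC) form used by the assertion."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audience_variants(provider_id):
    """All spellings of a ProviderID with and without an explicit :80 / :443.

    This mirrors what the extra rewriter entries for the TCP ports achieve:
    the port-qualified and port-less forms are all treated as the same SP.
    """
    parts = urlsplit(provider_id)
    host = parts.hostname  # drops any port already present
    return {
        urlunsplit((parts.scheme, host + suffix, parts.path, parts.query, parts.fragment))
        for suffix in ("", ":80", ":443")
    }


def check_conditions(assertion_xml, provider_id, now,
                     accept_port_variants=False, skew=timedelta(0)):
    """Return (ok, reason) for the assertion's Conditions element.

    NotBefore is inclusive and NotOnOrAfter is exclusive, per SAML 1.x;
    `skew` allows for clock drift between IDP and SP.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return (False, "no Conditions element")

    not_before = parse_utc(cond.get("NotBefore"))
    not_on_or_after = parse_utc(cond.get("NotOnOrAfter"))
    if now + skew < not_before:
        return (False, "assertion not yet valid")
    if now - skew >= not_on_or_after:
        return (False, "assertion expired")

    audiences = [
        a.text.strip()
        for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", SAML_NS)
    ]
    accepted = audience_variants(provider_id) if accept_port_variants else {provider_id}
    if audiences and not accepted.intersection(audiences):
        return (False, "audience mismatch: %r not in %r" % (audiences, sorted(accepted)))
    return (True, "ok")


if __name__ == "__main__":
    pid = "https://login.novell.com/nesp/idff/metadata"
    now = parse_utc("2007-03-12T10:02:00Z")
    print("strict:  ", check_conditions(SAMPLE_ASSERTION, pid, now))
    print("variants:", check_conditions(SAMPLE_ASSERTION, pid, now, accept_port_variants=True))
```

Run it and the strict check reports the audience mismatch that surfaces as the 300101016 error, while the variant-aware check accepts the same assertion; the time-window checks are independent of the audience issue and fail on their own outside NotBefore/NotOnOrAfter.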