'element attribute missing' error after upgrading to SP1 IR2 or later

  • 7005475
  • 11-Mar-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Linux Access Gateway

Situation

After upgrading Access Manager to SP1 IR2 or later, the error message 'element attribute missing' is displayed when trying to log in to a protected resource.

Changes made in SP1 IR2 allow the IDP to send attributes that have no value to the ESP. This was done to increase performance and decrease the amount of back traffic between devices.

Prior to SP1 IR2, the ESP (LAG) did not know how to handle blank attributes when they were sent as part of the assertion.
 
There are two conditions that have to be met in order for this error to occur:
  1. Attributes have been configured to be sent during authentication and one of the attributes sent has no value.
  2. The Identity Server has been upgraded to SP1 IR2 or later and the ESP (LAG) remains on a version prior to SP1 IR2.
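
To identify which attribute satisfies condition 1, an assertion you already have as XML can be checked for attributes that carry no value. This is an added example, not Novell code; it assumes SAML-style Attribute/AttributeValue elements, and the sample assertion, its attribute names and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample assertion (not captured from a real system).
# "mail" has an empty AttributeValue, "title" has no AttributeValue at all.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="cn" AttributeNamespace="urn:example:constructed">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="mail" AttributeNamespace="urn:example:constructed">
      <saml:AttributeValue></saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="title" AttributeNamespace="urn:example:constructed"/>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def local_name(tag):
    """Strip the '{namespace}' prefix that ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def find_blank_attributes(assertion_xml):
    """Return the names of attributes sent without any non-empty value."""
    # Intended for XML from your own systems; use a hardened parser
    # (e.g. defusedxml) if the input is not trusted.
    root = ET.fromstring(assertion_xml)
    blank = []
    for elem in root.iter():
        if local_name(elem.tag) != "Attribute":
            continue
        # SAML 1.x names the attribute with AttributeName, SAML 2.0 with Name.
        name = elem.get("AttributeName") or elem.get("Name") or "<unnamed>"
        values = [c for c in elem if local_name(c.tag) == "AttributeValue"]
        # A value counts if it has text (whitespace-only is treated as blank
        # here, an assumption) or nested child elements.
        if not any((v.text or "").strip() or len(v) for v in values):
            blank.append(name)
    return blank


if __name__ == "__main__":
    for attr in find_blank_attributes(SAMPLE_ASSERTION):
        print(f"attribute sent with no value: {attr}")
```

Any attribute it reports is a candidate for the blank attribute that a pre-SP1 IR2 ESP cannot handle.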

Resolution

There are two ways to resolve this error:
  1. Ensure that all devices are running NAM SP1 IR2 or later.
  2. Do not send configured attributes at login. 

Instructions on removing attributes that are being sent at login:

    1. Edit the IDP Cluster
    2. Select the 'Liberty' tab
    3. Select the LAG under 'Service Providers'
    4. Select 'Attributes' from the menu
    5. Select '<Not Specified>' in the Attribute Set drop-down
    6. Select OK and update the IDP Cluster

Additional Information

none