Environment
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Linux Access Gateway
Situation
After upgrading Access Manager to SP1 IR2 or later, the error message 'element attribute missing' is displayed when trying to log in to a protected resource.
Changes were made in SP1 IR2 that allow the IDP to send attributes that have no value to the ESP. This was done to increase performance and decrease the amount of back traffic between devices.
Prior to SP1 IR2, the ESP (LAG) did not know how to handle blank attributes when they were sent as part of the assertion.
There are two conditions that have to be met in order for this error to occur:
- Attributes have been configured to be sent during authentication, and one of the attributes sent has no value.
- The Identity Server has been upgraded to SP1 IR2 or later, and the ESP (LAG) remains at any code prior to SP1 IR2.
Resolution
There are two ways to resolve this error:
- Ensure that all devices are running NAM SP1 IR2 or later.
- Do not send configured attributes at login.
Instructions on removing attributes that are being sent at login:
- Edit the IDP Cluster
- Select the 'Liberty' tab
- Select the LAG under 'Service Providers'
- Select 'Attributes' from the menu
- Select '<Not Specified>' in the Attribute Set drop-down
- Select OK and update the IDP Cluster
Additional Information
none