The Identity Server is the central authentication and identity access point for all services performed by Access Manager, whereas the Access Gateway performs the authorization and access checks for resources protected by Access Manager.
If you want to perform authentication and authorization together without making any changes to the underlying application (the protected resource), and to show different error messages for authentication and authorization failures, you need to extend the NetIQ authentication class and write your own authentication class.
In this document I give an example and a step-by-step process for creating a custom authentication class that performs authentication and authorization together. The class also returns authentication or authorization errors to the login form, and the login form displays the corresponding error message.
Please follow the developer guide to get familiar with all of the customization opportunities in NAM.
Create a Java project and copy the following code. You will need nidp.jar, higgins-sts-api_1.0.0.jar and servlet-api.jar to compile and build the project.
MyAuthenticationClass code: MyAuthenticationClass
This custom authentication class has the following logic:
You can modify the code and build your own authorization logic to suit your requirements.
If you would like to understand the authentication class and its implementation, see the NetIQ Developer Guide: https://www.netiq.com/documentation/access-manager-42/nacm_enu/data/b96adnj.html
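The authorization step the class performs after a successful password check is a group-membership lookup, visible in the log as the authorizationWithQuery filter. As an added example that is not the page's Java MyAuthenticationClass code, the following Python module builds that filter with RFC 4515 escaping (the username comes straight from the login form, so it must not be able to alter the filter's structure) and evaluates the same membership rule offline against a constructed in-memory directory. The group DN, the user names and the directory entries are all constructed for the example.

```python
# Added example (Python, not the page's Java MyAuthenticationClass): the
# authorization step the class performs after a successful password bind,
# i.e. "is this user a member of the admin-configured group?".
# The page's class runs an LDAP search with the filter shown in its log;
# this module builds that filter with RFC 4515 escaping and evaluates the
# same membership rule offline against a constructed in-memory directory.

# RFC 4515 section 3: characters that must be hex-escaped inside an
# assertion value so that form input cannot change the filter's structure.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_authz_filter(username: str, group_dn: str) -> str:
    """Return the filter the page logs as 'authorizationWithQuery'.

    The username comes straight from the login form, so it is escaped.  The
    group DN is an admin-defined class property (the page's 'groupName'); it
    is escaped too, since a DN may legitimately contain parentheses or
    backslash-escaped commas.
    """
    return (
        "(&(objectClass=user)"
        f"(sAMAccountName={escape_filter_value(username)})"
        f"(memberOf={escape_filter_value(group_dn)}))"
    )


def authorize(username: str, group_dn: str, directory: list) -> tuple:
    """Evaluate the same rule as the filter, without an LDAP server.

    Mirrors what the directory would do with build_authz_filter(): the
    sAMAccountName must match exactly (case-insensitively, no wildcards),
    and the configured group DN must appear in memberOf.
    Returns (authorized, filter_string) so the caller can log the filter
    exactly as the page's class does.
    """
    ldap_filter = build_authz_filter(username, group_dn)
    wanted_group = group_dn.lower()
    for entry in directory:
        if entry.get("objectClass") != "user":
            continue
        if entry.get("sAMAccountName", "").lower() != username.lower():
            continue
        if any(g.lower() == wanted_group for g in entry.get("memberOf", [])):
            return True, ldap_filter
    return False, ldap_filter


# Constructed sample data (not from the page): jondoe is deliberately left
# out of ServiceDesk so the result matches the "Authorization Error : true"
# seen in the page's log.
GROUP_DN = "CN=ServiceDesk,OU=All Groups,DC=Novell,DC=com"
DIRECTORY = [
    {"objectClass": "user", "sAMAccountName": "jondoe",
     "memberOf": ["CN=Staff,OU=All Groups,DC=Novell,DC=com"]},
    {"objectClass": "user", "sAMAccountName": "janedoe",
     "memberOf": [GROUP_DN, "CN=Staff,OU=All Groups,DC=Novell,DC=com"]},
]

if __name__ == "__main__":
    for user in ("jondoe", "janedoe"):
        ok, flt = authorize(user, GROUP_DN, DIRECTORY)
        print(f"authorizationWithQuery : {flt}")
        print(f"Authorization Error : {str(not ok).lower()}")
```

The escaping is the part worth carrying over into the Java class: a username containing `*`, `(` or `)` is turned into a literal value that matches no account, instead of being interpreted as filter syntax.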
Right-click the Java project and export it as a JAR file. Copy the JAR file to the IDP server (path: /opt/novell/nids/lib/webapp/WEB-INF/lib).
You must restart the IDP service to use this Authentication Class.
Command to restart IDP: /etc/init.d/novell-idp restart
Display Name: MyAuthenticationClass
Java Class: Other
Java class path: com.nam.authn.MyAuthenticationClass
Here is the mylogin.jsp file: mylogin.jsp
If you look at the doAuthenticate() method in the MyAuthentication.java file, you will find the following code snippet at line 114. If there is an authorization error, the authentication class adds an attribute to the request:
if(noAuthz) m_PageToShow.addAttribute("AuthZError", noAuthz);
You need to look for that attribute in the login page and show the authorization message to the user.
Here is the code block (mylogin.jsp, line 160) that looks for the authorization error attribute and shows the authorization error message to the user:
// Set by MyAuthenticationClass.doAuthenticate() when the user authenticated but failed the authorization check
Boolean isAuthZError = (Boolean) request.getAttribute("AuthZError");
String strAuthZErrorMessage = "You are not authorized to access this application.";
If you log in as a user who is not authorized (not a member of the group), you will get the following unauthorized error message.
You will also find the following entries in the IDP log file; run the following command to watch them:
tail -f /var/opt/novell/nam/logs/idp/tomcat/catalina.out |grep -i "MyAuthenticationClass ---->"
Log entries from IDP server:
MyAuthenticationClass ----> Property Values in groupName : CN=ServiceDesk,OU=All Groups,DC=Novell,DC=com
MyAuthenticationClass ----> Inside doAuthenticate Method
MyAuthenticationClass ----> Admin Defined LDAP Query : null
MyAuthenticationClass ----> Inside doAuthenticate Method
MyAuthenticationClass ----> Admin Defined LDAP Query : null
MyAuthenticationClass ----> Inside doAuthenticate Method
MyAuthenticationClass ----> Admin Defined LDAP Query : null
MyAuthenticationClass ----> authenticateWithPassword: AUTHENTICATED with LDAP
MyAuthenticationClass ----> authorizationWithQuery : (&(objectClass=user)(sAMAccountName=jondoe)(memberOf=CN=ServiceDesk,OU=All Groups,DC=Novell,DC=com))
MyAuthenticationClass ----> Authorization Error : true
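The grep above shows the entries as they arrive; once the class is in production you will usually want to count denials rather than read them one by one. As an added example that is not part of the original post, the following Python script pairs each authorizationWithQuery line with the Authorization Error line that follows it and counts denials per user and group. The sample log is constructed from the entries shown above plus one made-up authorized login to show that it is not counted.

```python
# Added example (not part of the page): a small detector for the IDP log
# entries shown above.  It walks catalina.out-style lines, pairs each
# "authorizationWithQuery" line with the "Authorization Error" line that
# follows it, and counts authorization failures per user and group, which
# is the signal worth alerting on (one user denied by many applications,
# or many users denied against one group).
import re
from collections import Counter

TAG = "MyAuthenticationClass ---->"
QUERY_RE = re.compile(r"authorizationWithQuery\s*:\s*(?P<filter>\(.*\))")
USER_RE = re.compile(r"\(sAMAccountName=([^)]*)\)")
GROUP_RE = re.compile(r"\(memberOf=([^)]*)\)")
ERROR_RE = re.compile(r"Authorization Error\s*:\s*(true|false)")


def authz_failures(lines):
    """Return a Counter of (user, group_dn) -> number of authorization denials.

    Only lines carrying the class's log tag are considered, so unrelated
    Tomcat output in the same file is ignored.  Lines may carry a timestamp
    or thread prefix; the patterns are searched, not anchored.
    """
    failures = Counter()
    pending = None  # (user, group) from the most recent query line
    for line in lines:
        if TAG not in line:
            continue
        q = QUERY_RE.search(line)
        if q:
            user = USER_RE.search(q.group("filter"))
            group = GROUP_RE.search(q.group("filter"))
            pending = (user.group(1) if user else "?",
                       group.group(1) if group else "?")
            continue
        e = ERROR_RE.search(line)
        if e and pending is not None:
            if e.group(1) == "true":
                failures[pending] += 1
            pending = None
    return failures


# Constructed sample: the page's log entries, one per line, plus a second
# (made-up) login that is authorized, to show it is not counted.
SAMPLE_LOG = """\
MyAuthenticationClass ----> Property Values in groupName : CN=ServiceDesk,OU=All Groups,DC=Novell,DC=com
MyAuthenticationClass ----> Inside doAuthenticate Method
MyAuthenticationClass ----> Admin Defined LDAP Query : null
MyAuthenticationClass ----> authenticateWithPassword: AUTHENTICATED with LDAP
MyAuthenticationClass ----> authorizationWithQuery : (&(objectClass=user)(sAMAccountName=jondoe)(memberOf=CN=ServiceDesk,OU=All Groups,DC=Novell,DC=com))
MyAuthenticationClass ----> Authorization Error : true
INFO: unrelated Tomcat line that must be ignored
MyAuthenticationClass ----> authorizationWithQuery : (&(objectClass=user)(sAMAccountName=janedoe)(memberOf=CN=ServiceDesk,OU=All Groups,DC=Novell,DC=com))
MyAuthenticationClass ----> Authorization Error : false
""".splitlines()

if __name__ == "__main__":
    for (user, group), n in authz_failures(SAMPLE_LOG).items():
        print(f"{user} denied {n}x for {group}")
```

Feed it the real file with `authz_failures(open("/var/opt/novell/nam/logs/idp/tomcat/catalina.out"))`; because the class logs the full filter, the user and group can be recovered without any extra logging.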
Please contact me if you have any questions.
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.