300101016 error displayed at the browser when IDP server accelerated by the Access Manager 3.2 AG appliance

  • 7008345
  • 29-May-2012
  • 29-May-2012

Environment

NetIQ Access Manager 3.2

Situation

Access Manager 3.2 installed. Due to restrictions on devices in the DMZ, the Identity Server (IDP) was placed on the internal corporate network and accelerated by the Access Gateway Appliance (AGA) sitting in the DMZ. As users hit the protected resources defined on the AGA, they were redirected to enter their credentials on the IDP server. As soon as the credentials were submitted, the users would get the following error:

IDP response failed to authenticate: NIDPLOGGING.300101016

Placing the IDP server in parallel with the AGA rather than behind it allowed everything to work fine, but this was not an option.

Resolution

Make sure that the setup described in Chapter 7.0 of https://www.netiq.com/documentation/novellaccessmanager32/basicconfig/?page=/documentation/novellaccessmanager32/basicconfig/data/bookinfo.html is followed, and disable the rewriter for the IDP service on the AGA.

Cause

After the user authenticates successfully, an artifact is sent by the AGA to the IDP server, which is resolved into an assertion. The IDP server's assertion includes a number of conditions that must be adhered to, including the time window during which the assertion is valid and the audience the assertion is targeting. With the 300101016 error, the assertion contains a non-matching audience restriction condition, which causes the failure. Comparing the audience conditions in the working and non-working cases, we saw the following difference:

// Working scenario shows the following entry in the ESP catalina log file (with rewriter disabled)
<saml:Conditions NotBefore="2012-05-28T08:23:35Z" NotOnOrAfter="2012-05-28T08:33:35Z">
  <saml:AudienceRestrictionCondition>
    <saml:Audience>https://office.directory.co.nz:443/nesp/idff/metadata</saml:Audience>
  </saml:AudienceRestrictionCondition>
</saml:Conditions>

// When rewriter is enabled, we get the following in the catalina log file causing the 300101016 error
<saml:Conditions NotBefore="2012-05-28T08:31:28Z" NotOnOrAfter="2012-05-28T08:41:28Z">
  <saml:AudienceRestrictionCondition>
    <saml:Audience>https://office.directory.co.nz/nesp/idff/metadata</saml:Audience>
  </saml:AudienceRestrictionCondition>
:
:
<amLogEntry> 2012-05-28T08:36:28Z INFO NIDS SAML1: Assertion contains non-matching audience restriction condition </amLogEntry>
<amLogEntry> 2012-05-28T08:36:28Z VERBOSE NIDS Application: IDP response failed to authenticate: NIDPLOGGING.300101016 </amLogEntry>

<amLogEntry> 2012-05-28T08:36:28Z DEBUG NIDS IDFF:
Method: LibertySSOProfile.processResponse
Thread: ajp-bio-/127.0.0.1-9009-exec-10
NIDPLOGGING.300101016
Exception message: "NIDPLOGGING.300101016"
    y, Line: 3090, Method: validate
    y, Line: 1537, Method: verifyResponse
    y, Line: 2576, Method: handleAuthentication
    y, Line: 297, Method: processResponse
    y, Line: 28, Method: processResponse

In both cases, the assertion generated by the IDP server always includes the :443 port in the audience, but when the AGA processes the assertion with the rewriter enabled and passes it to the ESP, it strips the :443. Disabling the rewriter (not needed here, since the published DNS name and TCP port are identical on the IDP and the AGA) leaves the :443 in place and the problem goes away.
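As an added illustration (not part of this TID and not NetIQ's code), the following Python script performs the two checks the ESP applies to a SAML 1.x Conditions block: the NotBefore/NotOnOrAfter window and the audience restriction. The two Conditions fragments are constructed from the log excerpts above with the SAML 1.0 assertion namespace declaration added so they parse stand-alone; the expected audience is assumed to be the ESP's own provider ID as it appears in the working log. A separate helper shows that the two audience spellings refer to the same endpoint once the default port is normalized, which is exactly the normalization the audience comparison does not perform.

```python
"""Validate a SAML 1.x <saml:Conditions> element: time window + audience.
Added example; the XML fragments are constructed from the TID's log excerpts."""
from datetime import datetime, timezone
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1}

# Constructed from the working log entry (rewriter disabled): audience keeps :443.
WORKING = f"""<saml:Conditions xmlns:saml="{SAML1}"
    NotBefore="2012-05-28T08:23:35Z" NotOnOrAfter="2012-05-28T08:33:35Z">
  <saml:AudienceRestrictionCondition>
    <saml:Audience>https://office.directory.co.nz:443/nesp/idff/metadata</saml:Audience>
  </saml:AudienceRestrictionCondition>
</saml:Conditions>"""

# Constructed from the failing log entry (rewriter enabled): :443 stripped.
REWRITTEN = f"""<saml:Conditions xmlns:saml="{SAML1}"
    NotBefore="2012-05-28T08:31:28Z" NotOnOrAfter="2012-05-28T08:41:28Z">
  <saml:AudienceRestrictionCondition>
    <saml:Audience>https://office.directory.co.nz/nesp/idff/metadata</saml:Audience>
  </saml:AudienceRestrictionCondition>
</saml:Conditions>"""

# Assumed: the ESP's provider ID (its metadata URL) is the audience it expects.
ESP_PROVIDER_ID = "https://office.directory.co.nz:443/nesp/idff/metadata"


def parse_utc(ts):
    """Parse the xsd:dateTime form used in the assertions ('...Z' = UTC)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_conditions(xml_text, expected_audience, now):
    """Return (ok, reason). The audience comparison is an exact string match,
    so 'host:443/path' and 'host/path' are different audiences here."""
    cond = ET.fromstring(xml_text)
    not_before = parse_utc(cond.get("NotBefore"))
    not_on_or_after = parse_utc(cond.get("NotOnOrAfter"))
    if now < not_before:
        return False, "assertion not yet valid"
    if now >= not_on_or_after:
        return False, "assertion expired"
    audiences = [
        a.text.strip()
        for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)
    ]
    if audiences and expected_audience not in audiences:
        return False, f"non-matching audience restriction condition: {audiences}"
    return True, "ok"


def normalized_endpoint(url):
    """Drop an explicit default port (https:443, http:80). This is how a URL
    rewriter treats the two spellings as equivalent; the SAML audience check
    does not, which is the root of the 300101016 error."""
    p = urlsplit(url)
    default = (p.scheme == "https" and p.port == 443) or (p.scheme == "http" and p.port == 80)
    host = p.hostname if (p.port is None or default) else f"{p.hostname}:{p.port}"
    return f"{p.scheme}://{host}{p.path}"


if __name__ == "__main__":
    # 08:36:28Z is the timestamp of the failing log entry: inside the window,
    # so the rejection is due to the audience, not the clock.
    print(validate_conditions(WORKING, ESP_PROVIDER_ID, parse_utc("2012-05-28T08:28:00Z")))
    print(validate_conditions(REWRITTEN, ESP_PROVIDER_ID, parse_utc("2012-05-28T08:36:28Z")))
    print(normalized_endpoint(ESP_PROVIDER_ID) == normalized_endpoint(
        "https://office.directory.co.nz/nesp/idff/metadata"))
```

Running the script shows the working fragment accepted, the rewritten fragment rejected with a non-matching audience reason at the very timestamp of the failing log entry, and the two audience URLs equal only after port normalization. That is why the fix is to stop the AGA rewriter from touching the IDP response rather than to adjust clocks or metadata.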

Note: This issue could not be reproduced on multiple platforms, so this workaround may not be needed with the default setup.