Access Manager IDP Server returns a blank page while executing an AAF Authentication contract

  • 7024633
  • 16-May-2020
  • 16-May-2020

Environment

  • Access Manager 4.5.0
  • Access Manager 4.5.1
  • Access Manager 4.5.2

Situation

  • The Access Manager IDP cluster has been configured with AAF Authentication using the OAuth approach.
  • Users executing the configured AAF Authentication Contract end up with a blank page after a successful authentication at the AAF server.
  • This issue seems to come up for users who have been logged in before (closing the browser tab, running a logout, session expired).
  • This problem only shows up with an IDP cluster running more than one node, where users get switched to another node by the L4 switch used for load balancing.
  • The problem does not come up if all browser cookies have been deleted before accessing NAM, or if the browser client has been restarted.

Resolution

  • This issue has been reported to engineering and will be fixed in Access Manager 4.5.3.
    The fix shipped with SP3 will include:
    • a modified logout that cleans up the "UrnNovellNidpClusterMemberId" cookie
    • the IDP-to-IDP proxy feature for handling requests in the OAuth flow between the IDP and AAF

  • As a workaround, at least for users who run a proper logout, you can use the steps documented in KB 702451.
    This will make sure the "UrnNovellNidpClusterMemberId" cookie gets deleted when a proper logout is run at the IDP.

Cause

  • Access Manager IDP servers use a Cluster Member ID session cookie, "UrnNovellNidpClusterMemberId", to track which IDP cluster node initially owns a given user session. In case a valid / authenticated user session gets switched to another cluster node, this cookie is used to retrieve the existing user session details from the authoritative cluster node by running a Proxy Request.

  • With the current logout process at the IDP / AG, "UrnNovellNidpClusterMemberId" does not get cleaned up due to missing / incorrect domain and path parameters on the cookie.

  • In case a user just closes a browser tab or navigates to another web site without running a clean logout, the Cluster Member ID cookie does not get deleted.

  • If a given user presents a stale Cluster Member ID cookie on a new authentication request that references another cluster node, AAF Authentication contracts will fail. With the OAuth flow the IDP server receives the Authorization code on a callback URI from the AAF server, and that request would need to be proxied to the authoritative IDP server referenced by the Cluster Member ID cookie. Instead of handling this request the IDP just returns an
    HTTP 302 (redirect) with no Location header, on which the browser gets stuck and renders a blank page:

    HTTP/1.1 302
    Set-Cookie: JSESSIONID=95DD1B0BD98CD63600E23303CC63B57B; Path=/nidp; Secure; HttpOnly; SameSite=None
    Content-Length: 0
    Date: Thu, 19 Mar 2020 14:48:36 GMT
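The two conditions described above (a redirect with no Location header, and a logout that fails to clear the cluster member cookie because its path does not match the one the cookie was set with) can be checked offline against captured HTTP responses. The following is an added example, not part of this KB article and not Access Manager code. It assumes the cluster member cookie is set on the path "/nidp" (the same path the JSESSIONID above uses; the article does not state the cookie's path), and all responses other than the 302 quoted above are constructed sample data.

```python
"""Offline checks for stale-cookie / blank-page symptoms in captured HTTP responses.

Added example, not part of the KB article or the product. Cookie name is from
the article; the expected path "/nidp" is an assumption; sample responses
other than STUCK_RESPONSE are constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

CLUSTER_COOKIE = "UrnNovellNidpClusterMemberId"   # name from the article
ASSUMED_COOKIE_PATH = "/nidp"                      # assumption, see lead-in


def parse_response(raw: str) -> Tuple[int, Dict[str, List[str]]]:
    """Split a raw HTTP/1.1 response head into (status code, headers).
    Header names are lower-cased; repeated headers such as Set-Cookie
    are kept as a list in the order they appeared."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])      # works for "HTTP/1.1 302" and "HTTP/1.1 302 Found"
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def parse_set_cookie(value: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Return (cookie name, cookie value, attributes). Attribute names are
    lower-cased; flag attributes such as Secure map to None."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        key, has_eq, attr_val = part.partition("=")
        attrs[key.strip().lower()] = attr_val.strip() if has_eq else None
    return name.strip(), val.strip(), attrs


def is_stuck_redirect(raw: str) -> bool:
    """The symptom from the article: a 3xx response without a Location header,
    which the browser cannot follow and renders as a blank page."""
    status, headers = parse_response(raw)
    return 300 <= status < 400 and "location" not in headers


def _is_expiring(attrs: Dict[str, Optional[str]]) -> bool:
    """True when Max-Age=0 or Expires lies in the past, i.e. the browser
    will delete the cookie rather than store it."""
    if attrs.get("max-age") == "0":
        return True
    expires = attrs.get("expires")
    if not expires:
        return False
    try:
        when = parsedate_to_datetime(expires)
    except (TypeError, ValueError):
        return False
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when < datetime.now(timezone.utc)


def clears_cookie(raw: str, name: str, expected_path: str) -> bool:
    """Check that a (logout) response deletes cookie `name` on the same path
    it was originally set with. A browser identifies a cookie by name, domain
    and path, so an expiring Set-Cookie on a different path creates a second
    cookie and leaves the stale one in place."""
    _, headers = parse_response(raw)
    for raw_cookie in headers.get("set-cookie", []):
        cname, _, attrs = parse_set_cookie(raw_cookie)
        if cname != name:
            continue
        if attrs.get("path", "/") == expected_path and _is_expiring(attrs):
            return True
    return False


# Response quoted in the article (JSESSIONID value as printed there).
STUCK_RESPONSE = (
    "HTTP/1.1 302\r\n"
    "Set-Cookie: JSESSIONID=95DD1B0BD98CD63600E23303CC63B57B; Path=/nidp; Secure; HttpOnly; SameSite=None\r\n"
    "Content-Length: 0\r\n"
    "Date: Thu, 19 Mar 2020 14:48:36 GMT\r\n\r\n"
)
# Constructed: a redirect the browser can follow (hostname is a placeholder).
HEALTHY_REDIRECT = (
    "HTTP/1.1 302\r\n"
    "Location: https://idp.example.com/nidp/app\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed: logout that expires the cluster cookie on the matching path.
GOOD_LOGOUT = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: UrnNovellNidpClusterMemberId=; Path=/nidp; Max-Age=0; "
    "Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly\r\n\r\n"
)
# Constructed: logout that expires the cookie on the wrong path (stale cookie survives).
BAD_LOGOUT = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: UrnNovellNidpClusterMemberId=; Path=/; Max-Age=0; Secure; HttpOnly\r\n\r\n"
)

if __name__ == "__main__":
    print("stuck redirect:", is_stuck_redirect(STUCK_RESPONSE))
    print("good logout clears cookie:", clears_cookie(GOOD_LOGOUT, CLUSTER_COOKIE, ASSUMED_COOKIE_PATH))
    print("bad logout clears cookie:", clears_cookie(BAD_LOGOUT, CLUSTER_COOKIE, ASSUMED_COOKIE_PATH))
```

Run against a captured logout response, `clears_cookie` reports whether the cluster member cookie would actually be removed by the browser; `is_stuck_redirect` flags the empty-Location 302 on the OAuth callback so the symptom can be spotted in a HAR or proxy capture rather than only as a blank tab.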