PROBLEM:

When using Access Manager 4.0 as an SP in a SAML2 federation, adding a
post-authentication method will cause the relay state to be lost. The
effect is that the user does not get redirected to the originally
requested resource after authenticating with a valid SAML assertion.
The Access Manager has not developed a fix yet, but a filter can be
added to the IDP as a workaround.

SOLUTION:


- Download and extract
http://cdn2.novell.com/cached/files/redirectionfix.zip
- Copy the JAR file to /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib on
your IDPs
- Back up the current nidp.jsp in
/opt/novell/nam/idp/webapps/nidp/jsp/ and replace it with the JSP from
the extracted ZIP file
- Replace the filter section in
/opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml with the code below:



Code:
--------------------
<filter>
    <filter-name>nidpJspFilter</filter-name>
    <display-name>NIDP Jsp Filter</display-name>
    <description>The NIDP server JSP filter. Enforces authentication and handles clustering.</description>
    <filter-class>com.novell.nidp.servlets.filters.jsp.NIDPJspFilter</filter-class>
    <init-param>
        <param-name>publicAccess</param-name>
        <param-value>main.jsp;err.jsp;err2.jsp;login.jsp;nmaslogin.jsp;logoutSuccess.jsp;banner.jsp;nav.jsp;menus.jsp;footer.jsp;content.jsp;cards.jsp;title.jsp;error.jsp;curcard.jsp;createacct.jsp;x509err.jsp</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>SAML2ConsumerFilter</filter-name>
    <filter-class>com.netiq.custom.SPAssertionConsumerFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>nidpJspFilter</filter-name>
    <url-pattern>/jsp/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>SAML2ConsumerFilter</filter-name>
    <url-pattern>/saml2/spassertion_consumer</url-pattern>
</filter-mapping>
--------------------


Once that is done, restart the IDP process, and you should now redirect
successfully after the post-authentication method executes.


--
MatthewEhle
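A consistency check to run on web.xml before restarting the IDP, added here as an example; it is not part of the original post or of Access Manager. `check_web_xml`, `REQUIRED` and `SAMPLE` are hypothetical names, the sample input is constructed (with the publicAccess list abbreviated), and treating whitespace inside a class name or the JSP list as a copy error is an assumption.

```python
import xml.etree.ElementTree as ET

# Filters the post's section defines, with the URL pattern each must be mapped to.
REQUIRED = {"nidpJspFilter": "/jsp/*", "SAML2ConsumerFilter": "/saml2/spassertion_consumer"}

def _kids(elem, name):
    # Match on the local name so a namespaced <web-app> root works too.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _text(elem, name):
    found = _kids(elem, name)
    return (found[0].text or "").strip() if found else ""

def check_web_xml(xml_text):
    """Return a list of problems; an empty list means the section is consistent."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems, defined = [], set()
    for flt in _kids(root, "filter"):
        name = _text(flt, "filter-name")
        defined.add(name)
        values = [_text(flt, "filter-class")]
        values += [_text(p, "param-value") for p in _kids(flt, "init-param")]
        # Assumption: whitespace inside these values means the text was wrapped when copied.
        if any(len(v.split()) > 1 for v in values):
            problems.append(f"{name}: whitespace inside class or param value")
    mapped = {(_text(m, "filter-name"), _text(m, "url-pattern"))
              for m in _kids(root, "filter-mapping")}
    for name, pattern in REQUIRED.items():
        if name not in defined or (name, pattern) not in mapped:
            problems.append(f"{name}: filter or mapping to {pattern} missing")
    problems += [f"{n}: mapping refers to undefined filter"
                 for n, _ in sorted(mapped) if n not in defined]
    return problems

# Constructed sample: the post's filter section, abbreviated, in a minimal <web-app>.
SAMPLE = """<web-app>
<filter><filter-name>nidpJspFilter</filter-name>
<filter-class>com.novell.nidp.servlets.filters.jsp.NIDPJspFilter</filter-class>
<init-param><param-name>publicAccess</param-name>
<param-value>main.jsp;err.jsp;login.jsp</param-value></init-param></filter>
<filter><filter-name>SAML2ConsumerFilter</filter-name>
<filter-class>com.netiq.custom.SPAssertionConsumerFilter</filter-class></filter>
<filter-mapping><filter-name>nidpJspFilter</filter-name>
<url-pattern>/jsp/*</url-pattern></filter-mapping>
<filter-mapping><filter-name>SAML2ConsumerFilter</filter-name>
<url-pattern>/saml2/spassertion_consumer</url-pattern></filter-mapping></web-app>"""
```

To check a live file, pass the contents of /opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml to `check_web_xml` and review any returned problems before restarting.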