Hi

We have successfully implemented OSP in IDM 4.5 with a front-end SAML
provider (not NAM). Please see the steps below for the details of the flow.

1) User logs in to the simpleSAMLphp module along with a cookie
containing userid as the value (via HTTP proxy)
2) simpleSAMLphp retrieves the User ID from cookie after verifying the
signature, generates and POSTs the SAML Response to OSP (IDM)
3) OSP validates and verifies the SAML Response, retrieves User ID and
authenticates the user
4) OSP sends a SAML Authentication request to simpleSAMLphp with the OAuth
endpoint as the TARGET URL
5) simpleSAMLphp resends SAML Response using existing session of the
user to OSP
6) OSP then instructs the OAuth endpoint to generate the OAuth SSO token and
the user is then redirected to the IDM User App Default Page

All the above flow happens over IP address: 192.168.x.x

It all works well as long as the user is internal to the network
(accessing through the IP address), but fails completely when accessed from
outside the network using the external FQDN. Initial clues were that
OSP might have been configured only to use the IP address.

So, we changed via the configupdate tool and the SSPR configuration editor for
OSP to use the extranet FQDN (a.external.com). It still fails; see the flow
below that happens when accessed using the external FQDN:

1) User logs in via the Web application firewall (WAF) using the extranet FQDN
(a.external.com) and requests access to the IDM User App Default Page.
The WAF calls the simpleSAMLphp module along with a cookie containing the userid
as the value (via HTTP proxy)

2) simpleSAMLphp retrieves the User ID from the cookie after verifying the
signature, generates and POSTs the SAML Response to the SAML Assertion
Consumer URL over the external
URL (https://a.external.com/osp/a/idm/aut...rtion_consumer)
Under the covers, this step happens in the two sub-steps below:
a. The SAML Response is sent over the external address (a.external.com) to
the assertion consumer service of OSP, since external users cannot
access any internal hostnames.
b. The Web application firewall (via its proxy configuration) that is
serving the external network changes the address (due to a forward rule) to the
internal IP address, 192.168.x.x. So in the end the SAML Response is sent to OSP as
(http://192.168.x.x/osp/a/idm/auth/sa...rtion_consumer). At this
point, OSP, listening only on a.external.com, throws the error highlighted
below. This is due to the IP-to-external-FQDN changes explained above in the OSP
and SSPR configuration.

Due to step 2b, the flow stops with the error: HTTP Status 403 -
Unrecognized interface. Invalid Host Header Name or Request URL Domain
Name.

Any thoughts on where it might be going wrong? Also, are there any configuration
hints that we are missing in OSP (ism-configuration/global.properties)
or the configupdate tool?

Please write your suggestions, or tell us if you have had a problem like this.

Best Regards,
Srinath

P.S. Reposting this thread again, since the previous one failed to load
images. I have explained the flow in detail in this post.


--
srinathu
------------------------------------------------------------------------
srinathu's Profile: https://forums.netiq.com/member.php?userid=10138
View this thread: https://forums.netiq.com/showthread.php?t=54345
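The host-header mismatch described in step 2b, replayed as an added model (not OSP's, simpleSAMLphp's or the poster's code): a backend that accepts a request only when the Host header it receives names one of its configured interfaces, behind a proxy hop that either rewrites that header to the backend address or preserves it. The internal IP and the assertion consumer path are constructed placeholders, since the post elides both.

```python
"""Constructed model of the Host-header check behind the 403 in the post.

Not OSP's or simpleSAMLphp's code: a backend accepts a request only when the
Host header it receives names one of its configured interfaces, and a proxy
hop either rewrites that header to the backend address or preserves it.
"""
from __future__ import annotations
from dataclasses import dataclass

EXTERNAL_FQDN = "a.external.com"
INTERNAL_IP = "192.168.0.10"            # constructed stand-in for 192.168.x.x
ACS_PATH = "/osp/ACS_PATH_PLACEHOLDER"  # the real path is elided in the post


@dataclass(frozen=True)
class Request:
    scheme: str
    host_header: str   # Host header as the receiving hop sees it
    path: str

    def url(self) -> str:
        return f"{self.scheme}://{self.host_header}{self.path}"


def through_proxy(req: Request, backend: str, rewrite_host: bool) -> Request:
    """Forward to `backend`; with rewrite_host the Host header becomes the
    backend address (the step-2b behaviour), otherwise it is preserved."""
    return Request("http", backend if rewrite_host else req.host_header, req.path)


def host_check(req: Request, configured_hosts: frozenset[str]) -> tuple[int, str]:
    """Return (status, message). The URL the backend reconstructs is derived
    from the Host header, so one comparison covers both parts of the error."""
    if req.host_header.split(":")[0] in configured_hosts:
        return 200, "OK"
    return 403, "Unrecognized interface. Invalid Host Header Name or Request URL Domain Name."


def run_scenarios() -> dict[str, int]:
    """Replay the situations in the post and return the status per scenario."""
    ext_req = Request("https", EXTERNAL_FQDN, ACS_PATH)
    on_ip, on_fqdn = frozenset({INTERNAL_IP}), frozenset({EXTERNAL_FQDN})
    results = {
        # original setup: internal client, OSP configured on the IP address
        "internal_ip": host_check(Request("http", INTERNAL_IP, ACS_PATH), on_ip),
        # step 2b: OSP configured on the FQDN, WAF rewrites Host to the IP
        "external_rewritten_host": host_check(through_proxy(ext_req, INTERNAL_IP, True), on_fqdn),
        # same request if the proxy hop kept the client-facing hostname
        "external_preserved_host": host_check(through_proxy(ext_req, INTERNAL_IP, False), on_fqdn),
    }
    return {name: status for name, (status, _msg) in results.items()}


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name}: {status}")
```

In this model only the scenario where the proxy hop presents the configured FQDN in the Host header passes, which is the part of the chain worth confirming against the WAF's forward rule when diagnosing the 403.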