I'm currently replacing a NAM 4.0 environment with the latest and
greatest 4.3 SP1 release (new install on RHEL 6.8 with NAM services on
it). The current NAM 4.0 IDP setup is using ctarget in the login form to
do a check on the PWM CommandServlet for expired passwords, setup of
Challenge Responses etc.

With the NAM 4.3 SP1 setup the addition of ctarget inside the IDP login
form seems to be ignored. Is there any documentation on this change of
behaviour? The IDP login form gets a ctarget posted, but after device
finger printing it is not applied.

As a workaround I tried to convert the ctarget functionality to the new
way of doing redirects upon Login: I've configured the "Login Redirect
URL" on each contract via the Administration Console with the following
value:

https://example.com/account/private/CommandServlet?processAction=checkAll&forwardURL=<RETURN_URL>

This however, does not work. No redirect is being performed. Moreover, I
get the following Exception on the IDP:


Code:
--------------------
<amLogEntry> 2017-03-09T06:25:13Z DEBUG NIDS Application:
Method: NIDPSessionAssurance.initiateDeviceFingerprint
Thread: http-nio-132.229.42.190-8443-exec-8
User authenticated to the IDP for the first time, so initiating device fingerprinting for session assurance! </amLogEntry>

<amLogEntry> 2017-03-09T06:25:13Z DEBUG NIDS Application:
Method: ContractExecutionState.handledLoginRedirect
Thread: http-nio-132.229.42.190-8443-exec-8
Query parameter value w.r.t expiry servlet URL, is: processAction=checkAll </amLogEntry>

<amLogEntry> 2017-03-09T06:25:13Z DEBUG NIDS Application:
Method: ContractExecutionState.handledLoginRedirect
Thread: http-nio-132.229.42.190-8443-exec-8
Query parameter value w.r.t expiry servlet URL, is: forwardURL=https://login.example.com/nidp/idff/sso?sid=0&id=ulcn </amLogEntry>

<amLogEntry> 2017-03-09T06:25:13Z DEBUG NIDS Application:
Method: PageToShow.addAttribute
Thread: http-nio-132.229.42.190-8443-exec-8
Attribute added to page [expiredpwd] is [redirect]=[authenticate]. </amLogEntry>

<amLogEntry> 2017-03-09T06:25:13Z DEBUG NIDS Application:
Method: PageToShow.addAttribute
Thread: http-nio-132.229.42.190-8443-exec-8
Attribute added to page [expiredpwd] is [url]=[https://example.com/account/private/CommandServlet]. </amLogEntry>

<amLogEntry> 2017-03-09T06:25:13Z DEBUG NIDS Application:
Method: PageToShow.addAttribute
Thread: http-nio-132.229.42.190-8443-exec-8
Attribute added to page [expiredpwd] is [authUrl]=[https://login.example.com/nidp/idff/sso?sid=0]. </amLogEntry>

<amLogEntry> 2017-03-09T06:25:13Z DEBUG NIDS Application:
Method: NIDPServletContext.goJSP
Thread: http-nio-132.229.42.190-8443-exec-8
Forwarding to JSP: /jsp/expiredpwd.jsp </amLogEntry>

<amLogEntry> 2017-03-09T06:25:13Z DEBUG NIDS Application:
Method: NIDPServletContext.goJSP
Thread: http-nio-132.229.42.190-8443-exec-8
Unable to forward to JSP: expiredpwd
Exception message: "Cannot forward after response has been committed"
ApplicationDispatcher.java, Line: 328, Method: doForward
ApplicationDispatcher.java, Line: 318, Method: forward
y, Line: 1968, Method: goJSP
y, Line: 3372, Method: showPage
y, Line: 2323, Method: handledLoginRedirect
y, Line: 1716, Method: spLogin
y, Line: 1131, Method: doAuthentication
y, Line: 2882, Method: handleAuthnRequest
y, Line: 880, Method: processAuthnRequest
y, Line: 1255, Method: processSSOEndpoint
y, Line: 3556, Method: E
y, Line: 2293, Method: handleRequest
y, Line: 11, Method: handleRequest
y, Line: 2505, Method: myDoGet
y, Line: 21, Method: doGet
y, Line: 1012, Method: doPost
HttpServlet.java, Line: 648, Method: service
HttpServlet.java, Line: 729, Method: service
ApplicationFilterChain.java, Line: 292, Method: internalDoFilter
ApplicationFilterChain.java, Line: 207, Method: doFilter
WsFilter.java, Line: 52, Method: doFilter
ApplicationFilterChain.java, Line: 240, Method: internalDoFilter
ApplicationFilterChain.java, Line: 207, Method: doFilter
ContentSecurityPolicyFilter.java, Line: 157, Method: doFilter
ApplicationFilterChain.java, Line: 240, Method: internalDoFilter
ApplicationFilterChain.java, Line: 207, Method: doFilter
KrbFallbackFilter.java, Line: 98, Method: doFilter
ApplicationFilterChain.java, Line: 240, Method: internalDoFilter
ApplicationFilterChain.java, Line: 207, Method: doFilter
FilterChainInvocation.java, Line: 66, Method: doFilter
FilterDefinition.java, Line: 168, Method: doFilter
FilterChainInvocation.java, Line: 58, Method: doFilter
ManagedFilterPipeline.java, Line: 118, Method: dispatch
GuiceFilter.java, Line: 113, Method: doFilter
ApplicationFilterChain.java, Line: 240, Method: internalDoFilter
ApplicationFilterChain.java, Line: 207, Method: doFilter
y, Line: 1070, Method: doFilter
ApplicationFilterChain.java, Line: 240, Method: internalDoFilter
ApplicationFilterChain.java, Line: 207, Method: doFilter
HttpHeaderSecurityFilter.java, Line: 120, Method: doFilter
ApplicationFilterChain.java, Line: 240, Method: internalDoFilter
ApplicationFilterChain.java, Line: 207, Method: doFilter
y, Line: 2652, Method: doFilter
ApplicationFilterChain.java, Line: 240, Method: internalDoFilter
ApplicationFilterChain.java, Line: 207, Method: doFilter
StandardWrapperValve.java, Line: 212, Method: invoke
StandardContextValve.java, Line: 106, Method: invoke
AuthenticatorBase.java, Line: 502, Method: invoke
StandardHostValve.java, Line: 141, Method: invoke
ErrorReportValve.java, Line: 79, Method: invoke
StandardEngineValve.java, Line: 88, Method: invoke
CoyoteAdapter.java, Line: 509, Method: service
AbstractHttp11Processor.java, Line: 1104, Method: process
AbstractProtocol.java, Line: 684, Method: process
NioEndpoint.java, Line: 1520, Method: doRun
NioEndpoint.java, Line: 1476, Method: run
ThreadPoolExecutor.java, Line: 1142, Method: runWorker
ThreadPoolExecutor.java, Line: 617, Method: run
TaskThread.java, Line: 61, Method: run
Thread.java, Line: 745, Method: run
</amLogEntry>
--------------------


This raises multiple questions and shows me a couple of issues:


- a forward to JSP "expiredpwd" is being done, while the response to
the client is already committed (bug?)
- the <RETURN_URL> is incorrect: this should be the protected
resource I initially requested (bug?)
- It looks like the IDP treats the "Login Redirect URL" as "Password
expiration servlet URL". "Password expiration servlet URL" is not
configured in my setup. (bug?)
- Why is ctarget ignored in the IDP login form of NAM 4.3 SP1? (bug
or feature?)


I've seen TID https://www.novell.com/support/kb/doc.php?id=7018493, but
I'm already on 4.3 SP1.

Any thoughts or ideas are welcome :-)


--
sveldhuisen
------------------------------------------------------------------------
sveldhuisen's Profile: https://forums.netiq.com/member.php?userid=1813
View this thread: https://forums.netiq.com/showthread.php?t=57519
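As an added example (not from the original post or from NetIQ), a small Python parser for the `<amLogEntry>` records quoted above: it pulls out the query parameters the IDP split off the configured Login Redirect URL and checks, per request thread, whether the forward to expiredpwd.jsp failed after the response was committed. The sample log text and the 192.0.2.10 thread name are constructed for the example.

```python
import re
from dataclasses import dataclass
ENTRY_RE = re.compile(r"<amLogEntry>(.*?)</amLogEntry>", re.S)
PARAM_RE = re.compile(r"w\.r\.t expiry servlet URL, is: ([^=\s]+)=(\S*)")
COMMIT_MSG = "Cannot forward after response has been committed"

@dataclass
class AmLogEntry:
    method: str   # "Method:" line, e.g. ContractExecutionState.handledLoginRedirect
    thread: str   # "Thread:" line, one value per request
    message: str  # everything else in the entry, newline-joined

def parse_am_log(text):
    """Split NIDS <amLogEntry> records into (method, thread, message) triples."""
    entries = []
    for body in ENTRY_RE.findall(text):
        lines = [ln.strip() for ln in body.strip().splitlines() if ln.strip()]
        fields, rest = {"Method": "", "Thread": ""}, []
        for line in lines[1:]:  # lines[0] is the "<timestamp> DEBUG NIDS Application:" header
            key, sep, value = line.partition(": ")
            if sep and key in fields:
                fields[key] = value
            else:  # stack-trace lines like "Foo.java, Line: 1, Method: bar" land here
                rest.append(line)
        entries.append(AmLogEntry(fields["Method"], fields["Thread"], "\n".join(rest)))
    return entries

def redirect_params(entries):
    """Query parameters the IDP split out of the configured Login Redirect URL."""
    hits = (PARAM_RE.search(e.message) for e in entries if e.method.endswith("handledLoginRedirect"))
    return {m.group(1): m.group(2) for m in hits if m}

def forward_after_commit(entries, thread):
    """Method chain for one request thread, and whether the failed JSP forward appears in it."""
    same = [e for e in entries if e.thread == thread]
    return [e.method for e in same], any(COMMIT_MSG in e.message for e in same)

# Constructed sample in the format of the entries quoted in the post (not the original log).
SAMPLE = """\
<amLogEntry> 2017-03-09T06:25:13Z DEBUG NIDS Application:
Method: ContractExecutionState.handledLoginRedirect
Thread: http-nio-192.0.2.10-8443-exec-8
Query parameter value w.r.t expiry servlet URL, is: forwardURL=https://login.example.com/nidp/idff/sso?sid=0 </amLogEntry>
<amLogEntry> 2017-03-09T06:25:13Z DEBUG NIDS Application:
Method: NIDPServletContext.goJSP
Thread: http-nio-192.0.2.10-8443-exec-8
Unable to forward to JSP: expiredpwd
Exception message: "Cannot forward after response has been committed"
ApplicationDispatcher.java, Line: 328, Method: doForward </amLogEntry>
"""
```

Running it over a real catalina.out shows, for each thread, whether forwardURL was filled with the IDP's own SSO endpoint rather than the originally requested resource, and whether the goJSP failure followed.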