I'm having a strange problem with one of my implementations. We use a combination of the following software:
- IDM 4.6 (with eDirectory 9.0.3)
- Corresponding Identity Applications. All installed on one server.
- NAAF 5.6-146

We plan to use NAAF as a forgotten password tool for several reasons. Therefore I configured SSPR to use the OAuth forgotten password feature.
SSPR is configured with the correct endpoints, passing the username to NAAF and returning an authenticated session which allows the user to set a new password.

The strange thing is: The redirect to NAAF is buggy. The following flow is working correctly:
1. When I visit the old IDMProv URL (http://host/IDMProv), the OSP login is displayed
2. I click the 'can't sign in' link
3. OSP redirects me to the SSPR dashboard in which I can choose 'Forgotten password'
4. After clicking that option, SSPR asks me for my username
5. After entering the username, SSPR redirects me to NAAF
6. NAAF asks me for my secret pin code (temporary way of working to test the flow)
7. PIN code is accepted by NAAF and NAAF redirects me back to SSPR
8. SSPR accepts the OAuth token and presents the option to set the password

The same flow also works when you use http://host/sspr in step one.

However, when you use http://host/idmdash, the flow breaks:
1. Visit the /idmdash URL
2. Can't sign in
3. Redirect to SSPR
4. Select forgotten password
5. Enter the username
6. ....... the portal tries to redirect to NAAF (check using SAML tracer), but nothing happens. The page displays a spinning 'beach ball' indicating that /idmdash is trying to decide what to display for this user (build the idmdash page). This is a deadlock situation. No error occurs, no redirect occurs.

This happens with the /idmdash and /rra URLs. /IDMProv is working fine. /sspr is working fine as well.
Using SAML tracer we can see that the portal uses the exact same GET request in all cases: https://[NAAF host]/osp/a/TOP/auth/oauth2/grant?client_id=[values]

The behavior is observed in IE, Chrome and FF.

Does anyone have a solution for this? I suspect it to be an Identity Applications bug and not really a NAAF bug, so I posted it here.