
Thread: Integration with NetIQ Access Manager 4.4


  1. #1
    Join Date
    Jun 2008
    Posts
    63

    Integration with NetIQ Access Manager 4.4

    Hello all,

    I have got the integration between NAM 4.4 and Advanced Authentication working fine based on the OAuth2 method.

    Now I have two choices:

    1. Leaving the first authentication in NAM (ldap name/pwd) and the second (smartphone) in NAAF
    2. Setting NAM to use NAAF as primary and secondary authenticator (ldap name/pwd and smartphone e.g.).

    The first choice works, except that after the initial login NAAF asks me again for only the username. This seems to be a bug.

    The second choice works fine. But with the disadvantage that NAM is not able to SSO to a second proxy service with the same login. Somehow NAM has to get the credentials back from NAAF to be able to deliver the SSO for the second. Does anyone know how to do this?

    Jan

  2. #2
    Join Date
    May 2016
    Posts
    1,712

    Re: Integration with NetIQ Access Manager 4.4

    janvdmeij,

    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.

    These forums are peer-to-peer, best effort and volunteer run, and if your issue
    is urgent or not getting a response, you might try one of the following options:

    - Visit https://www.microfocus.com/support-and-services and search the knowledgebase and/or check
    all the other self support options and support programs available.
    - Open a service request: https://www.microfocus.com/support
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.microfocus.com)
    - You might consider hiring a local partner to assist you.
    https://www.partnernetprogram.com/pa...nder/find.html

    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.microfocus.com/faq.php

    Sometimes this automatic posting will alert someone that can respond.

    If this is a reply to a duplicate posting or otherwise posted in error, please
    ignore and accept our apologies and rest assured we will issue a stern reprimand
    to our posting bot.

    Good luck!

    Your Micro Focus Forums Team
    http://forums.microfocus.com



  3. #3

    Re: Integration with NetIQ Access Manager 4.4

    On 07-05-2018 10:16 PM, janvdmeij wrote:
    >
    > Hello all,
    >
    > I have got the integration between NAM 4.4 and Advanced Authentication
    > working fine based on the OAuth2 method.
    >
    > Now I have two choices:
    >
    > 1. Leaving the first authentication in NAM (ldap name/pwd) and the
    > second (smartphone) in NAAF
    > 2. Setting NAM to use NAAF as primary and secondary authenticator (ldap
    > name/pwd and smartphone e.g.).
    >
    > The first choice works, except that after the initial login NAAF asks me
    > again for only the username. This seems to be a bug.


    That's weird, NAM should send the username in the JSON string. Check your IDP logs.




    --
    Cheers,
    Edward

  4. #4
    Join Date
    Jun 2008
    Posts
    63

    Re: Integration with NetIQ Access Manager 4.4

    Quote Originally Posted by edmaa View Post
    On 07-05-2018 10:16 PM, janvdmeij wrote:
    >
    > Hello all,
    >
    > I have got the integration between NAM 4.4 and Advanced Authentication
    > working fine based on the OAuth2 method.
    >
    > Now I have two choices:
    >
    > 1. Leaving the first authentication in NAM (ldap name/pwd) and the
    > second (smartphone) in NAAF
    > 2. Setting NAM to use NAAF as primary and secondary authenticator (ldap
    > name/pwd and smartphone e.g.).
    >
    > The first choice works, except that after the initial login NAAF asks me
    > again for only the username. This seems to be a bug.


    That's weird, NAM should send the username in the JSON string. Check your IDP logs.




    --
    Cheers,
    Edward

    Hi Edward,

    Still struggling with it. I can see this in the /var/opt/novell/nam/logs/idp/nidplogs:


    <amLogEntry seq="647" d="2018-06-14T19:15:25Z" lg="Application" lv="SEVERE" th="37" ><msg>Got exception while getting the signed data: java.io.IOException: Server returned HTTP response code: 400 for URL: https://aa.xxxxxx.xx/osp/a/TOP/auth/oauth2/sign?data={&quot;username&quot;:&quot;jme&quot;,&quot;LoginParameters&quot;:{&quot;internal.osp.oidp.aa.chain-name&quot;:&quot;NAMChain&quot;}}</msg></amLogEntry>
    <amLogEntry seq="668" d="2018-06-14T19:48:58Z" lg="Application" lv="SEVERE" th="29" ><msg>Got exception while getting the signed data: java.io.IOException: Server returned HTTP response code: 400 for URL: https://aa.xxxxxx.xx/osp/a/TOP/auth/oauth2/sign?data={&quot;username&quot;:&quot;jme&quot;,&quot;LoginParameters&quot;:{&quot;internal.osp.oidp.aa.chain-name&quot;:&quot;NAMChain&quot;}}</msg></amLogEntry>

    Here I see that the name is sent, but refused.

    But the URL aa.xxxxxx.xx/osp/a/TOP is valid and accessible.

    Jan

  5. #5
    PaulK NNTP User

    Re: Integration with NetIQ Access Manager 4.4

    Jan
    For what it is worth, I am seeing exactly the same: The JSON containing
    the username is posted, but no authentication happens:

    <amLogEntry> 2018-06-08T17:40:03Z SEVERE NIDS Application: Got exception
    while getting the signed data: java.io.IOException: Server returned
    HTTP response code: 400 for URL:
    https://auth.mysite.com/osp/a/TOP/auth/oauth2/sign?data={"username":"testuser"}
    </amLogEntry>

    The 400 reply indicates bad request. I'm guessing the post it is making
    is not trusted as the previous message suggests it has failed to get the
    oauth data.

    Just going to recreate the trust between NAM and AAS

    PaulK

    On 14/06/18 21:16, janvdmeij wrote:
    >
    > edmaa;2480906 Wrote:
    >> On 07-05-2018 10:16 PM, janvdmeij wrote:
    >>>
    >>> Hello all,
    >>>
    >>> I have got the integration between NAM 4.4 and Advanced Authentication
    >>> working fine based on the OAuth2 method.
    >>>
    >>> Now I have two choices:
    >>>
    >>> 1. Leaving the first authentication in NAM (ldap name/pwd) and the
    >>> second (smartphone) in NAAF
    >>> 2. Setting NAM to use NAAF as primary and secondary authenticator (ldap
    >>> name/pwd and smartphone e.g.).
    >>>
    >>> The first choice works, except that after the initial login NAAF asks me
    >>> again for only the username. This seems to be a bug.

    >>
    >> That's weird, NAM should send the username in the JSON string. Check your
    >> IDP logs.
    >>
    >>
    >>
    >> --
    >> Cheers,
    >> Edward

    >
    >
    > Hi Edward,
    >
    > Still struggling with it. I can see this in the
    > /var/opt/novell/nam/logs/idp/nidplogs:
    >
    >
    > <amLogEntry seq="647" d="2018-06-14T19:15:25Z" lg="Application"
    > lv="SEVERE" th="37" ><msg>Got exception while getting the signed data:
    > java.io.IOException: Server returned HTTP response code: 400 for URL:
    > https://aa.xxxxxx.xx/osp/a/TOP/auth/oauth2/sign?data={&quot;username&quot;:&quot;jme&quot;,&quot;LoginParameters&quot;:{&quot;internal.osp.oidp.aa.chain-name&quot;:&quot;NAMChain&quot;}}</msg></amLogEntry>
    > <amLogEntry seq="668" d="2018-06-14T19:48:58Z" lg="Application"
    > lv="SEVERE" th="29" ><msg>Got exception while getting the signed data:
    > java.io.IOException: Server returned HTTP response code: 400 for URL:
    > https://aa.xxxxxx.xx/osp/a/TOP/auth/oauth2/sign?data={&quot;username&quot;:&quot;jme&quot;,&quot;LoginParameters&quot;:{&quot;internal.osp.oidp.aa.chain-name&quot;:&quot;NAMChain&quot;}}</msg></amLogEntry>
    >
    > Here I see that the name is sent, but refused.
    >
    > But the URL aa.xxxxxx.xx/osp/a/TOP is valid and accessible.
    >
    > Jan
    >
    >
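    As an added example (not code from this thread, from NetIQ or from either poster), a triage helper for the nidplogs entries quoted in the two posts above: it parses both amLogEntry shapes, decodes the JSON carried in the sign call's data parameter, and separates "no username in the request" (what Edward asked to check) from "username sent but rejected with 400" (Jan's and PaulK's case). Hostnames and usernames in the sample lines are constructed placeholders.

```python
"""Triage NAM IDP nidplogs entries for failed Advanced Authentication
/auth/oauth2/sign calls (added example; hosts and users are placeholders)."""
import html
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines mirroring the two amLogEntry shapes in the thread.
SAMPLE_LOG = """\
<amLogEntry seq="647" d="2018-06-14T19:15:25Z" lg="Application" lv="SEVERE" th="37" ><msg>Got exception while getting the signed data: java.io.IOException: Server returned HTTP response code: 400 for URL: https://aa.example.test/osp/a/TOP/auth/oauth2/sign?data={&quot;username&quot;:&quot;jme&quot;,&quot;LoginParameters&quot;:{&quot;internal.osp.oidp.aa.chain-name&quot;:&quot;NAMChain&quot;}}</msg></amLogEntry>
<amLogEntry seq="648" d="2018-06-14T19:15:26Z" lg="Application" lv="INFO" th="37" ><msg>Session created for user jme</msg></amLogEntry>
<amLogEntry> 2018-06-08T17:40:03Z SEVERE NIDS Application: Got exception while getting the signed data: java.io.IOException: Server returned HTTP response code: 400 for URL: https://auth.example.test/osp/a/TOP/auth/oauth2/sign?data={"username":"testuser"} </amLogEntry>
"""

ENTRY_RE = re.compile(r"<amLogEntry[^>]*>(.*?)</amLogEntry>", re.S)
SIGN_RE = re.compile(r"getting the signed data:.*?HTTP response code: (\d{3}) for URL: (\S+)")


def parse_sign_failures(text):
    """Return one dict per failed sign call: status, AA host, path, username, chain."""
    results = []
    for m in ENTRY_RE.finditer(text):
        # Undo XML escaping (&quot; -> ") and drop the <msg> wrapper used by one shape.
        body = re.sub(r"</?msg>", "", html.unescape(m.group(1)))
        hit = SIGN_RE.search(body)
        if not hit:
            continue
        status, url = int(hit.group(1)), hit.group(2)
        parts = urlsplit(url)
        raw = parse_qs(parts.query).get("data", ["{}"])[0]
        try:
            payload = json.loads(raw)  # the JSON NAM put in the data parameter
        except json.JSONDecodeError:
            payload = {}
        results.append({
            "status": status,
            "host": parts.hostname,
            "path": parts.path,
            "username": payload.get("username"),
            "chain": payload.get("LoginParameters", {}).get("internal.osp.oidp.aa.chain-name"),
        })
    return results


def classify(entry):
    """Label an entry so the two failure modes discussed in the thread are distinct."""
    if entry["username"] is None:
        return "no-username-in-request"
    if entry["status"] == 400:
        return "username-sent-but-rejected"
    return "http-%d" % entry["status"]


if __name__ == "__main__":
    for e in parse_sign_failures(SAMPLE_LOG):
        print(e["host"], e["username"], e["chain"], classify(e))
```

    Run it over a real nidplogs file by replacing SAMPLE_LOG with the file contents; a "username-sent-but-rejected" result means the username check Edward suggested passes and the 400 must be explained elsewhere.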



  6. #6

    Re: Integration with NetIQ Access Manager 4.4

    On 15-06-2018 9:48 PM, PaulK wrote:

    > Just going to recreate the trust between NAM and AAS


    That was going to be my suggestion as well.


    --
    Cheers,
    Edward

  7. #7
    Join Date
    Jun 2008
    Posts
    63

    Re: Integration with NetIQ Access Manager 4.4

    Yes, I think you are right. And I was thinking in the same direction. But the trust is established by filling in the details in the plugin. But see my thread later in this forum.

    What is the servername I have to use here? The internal AAF servername? Or the Access Manager Proxy name? Because AAF itself is also behind Access Manager. And I can see that the trust is established in AAF (endpoint created). But the endpoint that is created is the internal servername of the Access Manager. And that is different from the login url of the Access Manager which is login.domain.com.

    I am afraid that the trust is established based on the internal servername of the Access Manager. While the URL that is sent is different and there is no way to correct that.

    Jan

  8. #8
    Join Date
    Jun 2008
    Posts
    63

    Re: Integration with NetIQ Access Manager 4.4

    Quote Originally Posted by janvdmeij View Post
    Hello all,

    I have got the integration between NAM 4.4 and Advanced Authentication working fine based on the OAuth2 method.

    Now I have two choices:

    1. Leaving the first authentication in NAM (ldap name/pwd) and the second (smartphone) in NAAF
    2. Setting NAM to use NAAF as primary and secondary authenticator (ldap name/pwd and smartphone e.g.).

    The first choice works, except that after the initial login NAAF asks me again for only the username. This seems to be a bug.

    The second choice works fine. But with the disadvantage that NAM is not able to SSO to a second proxy service with the same login. Somehow NAM has to get the credentials back from NAAF to be able to deliver the SSO for the second. Does anyone know how to do this?

    Jan
    The first bug (asking me for a username for AAF after authenticating to AM) is fixed! After a long SR there is a bug fix. The bugfix is an update to the OAuth plugin in Access Manager. I tested it with AM 4.4SP1 and AAF 6.0 and it works. But the fix will also be in the SP2 update of Access Manager that will be released today.

    Jan

  9. #9
    PaulK NNTP User

    Re: Integration with NetIQ Access Manager 4.4

    On 29/06/18 15:04, janvdmeij wrote:
    >
    > janvdmeij;2480475 Wrote:
    >> Hello all,
    >>
    >> I have got the integration between NAM 4.4 and Advanced Authentication
    >> working fine based on the OAuth2 method.
    >>
    >> Now I have two choices:
    >>
    >> 1. Leaving the first authentication in NAM (ldap name/pwd) and the
    >> second (smartphone) in NAAF
    >> 2. Setting NAM to use NAAF as primary and secondary authenticator (ldap
    >> name/pwd and smartphone e.g.).
    >>
    >> The first choice works, except that after the initial login NAAF asks me
    >> again for only the username. This seems to be a bug.
    >>
    >> The second choice works fine. But with the disadvantage that NAM is not
    >> able to SSO to a second proxy service with the same login. Somehow NAM
    >> has to get the credentials back from NAAF to be able to deliver the SSO
    >> for the second. Does anyone know how to do this?
    >>
    >> Jan

    >
    > The first bug (asking me for a username for AAF after authenticating to
    > AM) is fixed! After a long SR there is a bug fix. The bugfix is an
    > update to the OAuth plugin in Access Manager. I tested it with AM 4.4SP1
    > and AAF 6.0 and it works. But the fix will also be in the SP2 update of
    > Access Manager that will be released today.
    >
    > Jan
    >
    >

    Did some testing of the combination of AAF 6.0 and NAM 4.4.2 after it
    came out last week, and most of the bugs do seem to have been cleaned out.

    You mention that using the AAF General class as the primary
    authenticator does not let you then authenticate to a second proxy
    service. Is this because you are using the credential password in an
    injection or formfill policy? With the OAuth I think only a token with
    the username is passed back to NAM; the password is not (and should not)
    be returned. I can get round this limitation if the user source is eDir
    by the standard means of adding the Password Fetch as a method in the
    Contract like we do for Kerberos.

    Another issue I have seen, and which is still there, is that if you log
    out of the NAM IDP portal after authenticating with an AAF contract that
    is the primary authenticator, only the NAM session component is negated;
    if you attempt to use the same contract without closing the window,
    then AAF continues its existing authenticated session and just returns
    silently. So there is no SLO, unlike say a SAML session with O365,
    where NAM IDP will try to logout of the external resource as well.

    regards
    PaulK

  10. #10
    Join Date
    Jun 2008
    Posts
    63

    Re: Integration with NetIQ Access Manager 4.4

    Quote Originally Posted by PaulK View Post
    On 29/06/18 15:04, janvdmeij wrote:
    >
    > janvdmeij;2480475 Wrote:
    >> Hello all,
    >>
    >> I have got the integration between NAM 4.4 and Advanced Authentication
    >> working fine based on the OAuth2 method.
    >>
    >> Now I have two choices:
    >>
    >> 1. Leaving the first authentication in NAM (ldap name/pwd) and the
    >> second (smartphone) in NAAF
    >> 2. Setting NAM to use NAAF as primary and secondary authenticator (ldap
    >> name/pwd and smartphone e.g.).
    >>
    >> The first choice works, except that after the initial login NAAF asks me
    >> again for only the username. This seems to be a bug.
    >>
    >> The second choice works fine. But with the disadvantage that NAM is not
    >> able to SSO to a second proxy service with the same login. Somehow NAM
    >> has to get the credentials back from NAAF to be able to deliver the SSO
    >> for the second. Does anyone know how to do this?
    >>
    >> Jan

    >
    > The first bug (asking me for a username for AAF after authenticating to
    > AM) is fixed! After a long SR there is a bug fix. The bugfix is an
    > update to the OAuth plugin in Access Manager. I tested it with AM 4.4SP1
    > and AAF 6.0 and it works. But the fix will also be in the SP2 update of
    > Access Manager that will be released today.
    >
    > Jan
    >
    >

    Did some testing of the combination of AAF 6.0 and NAM 4.4.2 after it
    came out last week, and most of the bugs do seem to have been cleaned out.

    You mention that using the AAF General class as the primary
    authenticator does not let you then authenticate to a second proxy
    service. Is this because you are using the credential password in an
    injection or formfill policy? With the OAuth I think only a token with
    the username is passed back to NAM; the password is not (and should not)
    be returned. I can get round this limitation if the user source is eDir
    by the standard means of adding the Password Fetch as a method in the
    Contract like we do for Kerberos.

    Another issue I have seen, and which is still there, is that if you log
    out of the NAM IDP portal after authenticating with an AAF contract that
    is the primary authenticator, only the NAM session component is negated;
    if you attempt to use the same contract without closing the window,
    then AAF continues its existing authenticated session and just returns
    silently. So there is no SLO, unlike say a SAML session with O365,
    where NAM IDP will try to logout of the external resource as well.

    regards
    PaulK
    Yes, that is what I mean. I used the passwordfetch method also. But even then it did not work. I did not check it after the update.

    The other issue I can confirm also.

    And what I see is that when NAM is the primary authenticator, when the NAM session times out a re-authentication fails on the secondary NAAF authenticator when the browser is not closed before.

    Jan
