
Access manager and Advanced Authentication integration problems

I’m having a few issues getting NAM working with AA for MFA (using this guide: Advanced Authentication - NetIQ Access Manager 5.0 Administration Guide (microfocus.com)). I have set up the connection between the two using OAuth, but I keep getting the following error after entering the username and password: “Error: The service may be disabled or an invalid request was made to an active service. Please contact your system administrator. (An invalid OAuth2 request was received.)”

The AA webauthn log states the following, which is where I think the problem lies.

Preamble: [OIDP]

Priority Level: SEVERE

Java: internal.osp.oidp.service.oauth2.handler.RequestHandler.respondWithPageError() [1075] thread=http-nio-0.0.0.0-10088-exec-13

Time: 2023-03-07T10:14:40.853+0000

Log Data: Code: internal.osp.oidp.service.oauth2.handler.HandlerException.<init>() [183]

Text: Client-supplied redirect URI is not registered: https://<NAM server FQDN>/nidp/oauth/nam/callback

It looks like NAM is feeding a duff URI to the AA server, but I can’t figure out (a) where this is set, or (b) what it should be.

  • Suggested Answer


    Check this guide https://www.microfocus.com/documentation/access-manager/5.0/nam_aa_integration_guide/nam_aa_integration_guide.html#nam_aa_integration_guide.

    Step 6 in "Configure the Advanced Authentication Server" talks about registering redirect URIs on the AA side.

    Kind regards,

    Sebastijan


  • Reply

    Hi Sebastijan, thanks for your reply.

    This section is configured as per the guide you have linked (I have followed it to the letter), and it still has the issue. Is there a way in NAM to see if the /nidp/oauth/nam/callback section is correct?

    Cheers

    Matt

  • Verified Answer


    > Is there a way in NAM to see if the /nidp/oauth/nam/callback section is correct?

    No, not in AM, but the error message that you see on AA tells you that this is the correct path.

    Let's start from the beginning, with your error message.

    The error message you see in AA means that the redirect URI that AM is sending (https://<NAM server FQDN>/nidp/oauth/nam/callback) is not registered on the AA side.

    In step 6 of the guide I mentioned before, you should register the AM redirect URI on the AA side.

    So if you have done step 6 and AA is still complaining, there must be an error in your configuration.

    Please keep in mind that the OAuth protocol is very picky regarding redirect URIs, so make sure that you register exactly the same URL that you see in the error message. Make sure there are no leading/trailing spaces, and also check for any dots at the end that could sneak in while copy/pasting URLs.

    Also pay attention to the different approaches. Since you are using the OAuth-based approach, you should create a new event in AA (described at the beginning of step 6), not edit/change the existing NAM event, which is used for the plugin-based approach.

    Kind regards,

    Sebastijan

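    As an added illustration (not code from this thread, from NetIQ Access Manager or from Advanced Authentication), the small Python check below applies the same exact-string match an OAuth 2.0 authorization server uses for redirect_uri and, when it fails, reports the near-miss differences the answer above warns about. The host names and URIs are constructed samples; the host-case mismatch mirrors the one found later in this thread.

```python
from urllib.parse import urlsplit

# Constructed sample values (not a real deployment): the AA event was registered
# with a lower-case host, while the client sends the host in upper case.
REGISTERED_URIS = ["https://nam.example.com/nidp/oauth/nam/callback"]
SUPPLIED_URI = "https://NAM.EXAMPLE.COM/nidp/oauth/nam/callback"


def is_registered(supplied, registered):
    """Exact string comparison, the rule RFC 6749 section 3.1.2.2 requires
    and the reason 'almost identical' URIs are rejected."""
    return supplied in registered


def _differences(supplied, candidate):
    """List the subtle ways two URIs differ that humans overlook but exact
    matching does not. Returns None when the URIs are not a near miss at all."""
    diffs = []
    if supplied != supplied.strip() or candidate != candidate.strip():
        diffs.append("leading/trailing whitespace")
    s, c = urlsplit(supplied.strip()), urlsplit(candidate.strip())
    if s.netloc != c.netloc:
        if s.netloc.lower() == c.netloc.lower():
            diffs.append(f"host case {s.netloc!r} vs {c.netloc!r}")
        elif s.netloc.rstrip(".").lower() == c.netloc.rstrip(".").lower():
            diffs.append("trailing dot on host name")
        else:
            return None  # a different host altogether, not a near miss
    if s.path != c.path:
        if s.path.rstrip("/.") == c.path.rstrip("/."):
            diffs.append(f"trailing slash or dot on path {s.path!r} vs {c.path!r}")
        else:
            return None
    if s.query != c.query:
        diffs.append("query string differs")
    if s.fragment != c.fragment:
        diffs.append("fragment differs")
    if not diffs:  # urlsplit lower-cases the scheme, so only its case can remain
        diffs.append("scheme case differs")
    return diffs


def explain_mismatch(supplied, registered):
    """Return [] on an exact match, otherwise human-readable hints for the
    closest registered URI, or a single hint if none resembles it."""
    if is_registered(supplied, registered):
        return []
    for cand in registered:
        diffs = _differences(supplied, cand)
        if diffs:
            return [f"near miss against {cand!r}: {d}" for d in diffs]
    return ["no registered URI resembles the supplied one; register it verbatim"]
```

    Feed it the URI quoted in the AA log as `supplied` and the URIs configured on the AA event as `registered`; the hints tell you which character-level difference to correct.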

  • Reply

    Cheers Sebastijan. 'Please keep in mind that OAuth protocol is very picky regarding redirect URIs' pointed me to double-check the URI, and I noticed that the FQDN in the error log had an upper-case server name while the event in AA was lower case. I changed this to match the one in the error log, and it now asks me for the MFA passcode. Success!

    I'm now one step further and get an "HTTP Status 500, Internal server error" page instead of the expected NAM page, so I need to move on to the next stage of troubleshooting!

    Thanks for your help with the above.

    Matt