  • Planning for mandatory multifactor authentication for Azure

    Microsoft has announced that starting in October of this year, MFA will be required to sign in to Azure portal, Microsoft Entra admin center, and Intune admin center. We have several customers who are using NAM as an IdP via WS-Fed federation, and I…
  • SAML: 500 Internal Error when user logs in with expired password

    Hello Everyone, I am facing an issue when a user logs in with an expired password and has authenticated using a Risk Based Policy. The configurations are as follows: - I have defined a Risk Based Policy that authenticates users via Form based method…
  • SEVERE: AM#100702018: Error regenerating JCC cert

    Hi, Authentication stopped working. Errors seen in browsers are: " Unable to authenticate. (100101044NIDPMAIN.405-esp-347AC5083E98F281) " ids jcc-0.log.0 says: SEVERE: AM#100702018: Error sending periodic health com.novell.jcc.client.HealthDispatcher…
  • Malformed XML when importing metadata into Access Manager v5.0.4

    Dear Community, I am trying to configure SAML2 SSO between Access Manager and GitLab, which should be supported since GitLab is able to act as a SAML2 SP and AM can act as a SAML2 IdP. I clicked to edit on IDP and wanted to create a new trusted provider…
  • DMZ node setup for NetIQ Access Manager Appliance

    I have already deployed an Access Manager Appliance in DC (internal network). I want to set up one Appliance node in DMZ. All of my applications are integrated in the internal appliance (DC). We need to configure the appliance which is in DMZ to act like reverse…
  • SAML authentication microservice

    We have a requirement to implement NAM SAML authentication in a number of our webapps and rather than doing it in each I was exploring if we could implement the SAML authentication as a microservice to provide this functionality to any of our webapps…
  • offload IDP certificate authentication to external reverse proxy (SSL offloading) usage of sid parameter values

    Dear All, We are trying to offload the certificate authentication to our F5 Big IP proxy server and insert a specific header with certificate information in it. This is working fine; more information on how we do that is explained here. However the solution…
  • Protection against Denial of Service (DOS) attack in NAM

    What are the available protections in NAM against a DOS attack on end user authentication requests, where the attacker uses randomly generated username/password combinations in authentication requests to NAM?
  • NAM 5 Risk failing

    Anyone get Post Risk Auth working in NAM 5? Only thing I see in risk-core log is this (appears remote ip is not being forwarded correctly despite NAT being configured and NIDP logs showing remote ip correctly): 2021 Oct 02 11:00:06 AEST DEBUG RiskService_core…
  • Form Fill Authentication Issues

    We are experiencing issues with Form-Fill Authentication. The actual use-case we are trying to achieve is that the Login Form has a method POST and has three fields, Username/password and an extra hidden field passwordAd which is used to connect with their…
  • Oauth Password mode not register session

    Hi, I use one app that uses password mode. I want to use the app as a portal, but after the app login, clicking another app requires re-entering user/password on the IdP. So I want to use the password mode app by passing username/password, and clicking other apps doesn't need input of username…
  • How to use "Access Gateway injects the Access token on behalf of web applications"

    Dear community, I would like to use Access gateways to implement the scenario described here: https://www.netiq.com/documentation/access-manager-45-appliance/admin/data/b1dj6b2f.html#t40y6o6qwlhe The user sends request to access a web application protected…
  • How to restrict access by Device ID (Fingerprint?)

    Hi, We want to limit access to previously registered devices. It seems that the solution would be to use the risk policies with Fingerprint, but all the information that it seems that we can capture from the device is descriptive (version, language, operating…
  • Risk-based policies for Win10 workstations with Intune

    Hi, Having NAM Federated with AzureAD (NAM acting as the IDP), does anyone know if it's possible to deny access to O365 to any workstation that is not registered with Intune? I think it's possible to achieve this with Azure AD Conditional Access, but…
  • Sharepoint 2013 with NTLM authentication

    Hi, Has anyone managed to SSO Sharepoint with NTLM authentication without having to federate? Something like basic authentication and Identity Injection. Regards José luis
  • OAuth userinfo endpoint attribute format and NAM 4.5 SP3

    Yesterday evening we patched NAM 4.5 from SP2 to SP3. This morning hell broke loose because users of all applications that are using NAM as OpenID Connect IDP were not able to properly use applications. What went wrong. Before patching, userinfo…
  • Clear IDP Login Form upon Invalid Credentials

    Hi, I am noticing a behavior in IDP Login. Apparently if we input wrong credentials and return error "Login failed. Invalid credentials....". The username field value remains there whereas the password field had the focus. How to overcome this to clear…
  • x509 certificate based authentication fallback not happening

    I have setup for x509 certificate based authentication everything works fine if UPN matches exactly. In case UPN doesn't match / found it gives error on NAM page saying " User Certificate Authentication Failed : No matching Principal found! ". I'm trying…
  • Customize AM Login to lookup User first then Prompt Password

    Hi, Has anyone customized the current NAM 4.5 NIDP Login page to display Username first -> click Next to lookup User -> Prompt Password if user exists in User Store, else display a message like "Your User ID does not exist, please contact...". The flow is just…
  • NullPointerException building acr field for OIDC ID token

    I have the following setup. NAM acts as OpenID Connect identity provider for different clients. Clients are calling NAM with Authorization code flow, requesting scope openid and profile. If user authenticates on NAM using standard username/password or any…
  • Authorization policy and OAuth claims

    Hi! We have a customer using AM to protect REST APIs using OAuth authentication. They would like to enforce which users have access to which REST URLs. Currently they are using a lot of authorization policies with static conditions (URL Path equal Data…
  • Post SSL certificate upgrade - metadata still gives the old certificate

    We are using the external CA signed certificate for signing and encryption. It's going to expire in some days. So I have created a new CSR and got it signed and added those in trusted roots and assigned it for the IDP and AG devices. I have replaced the…
  • x509 Two factor authentication with redirection error

    I am trying two factor authentication which would use X509 (certificate based authentication) as first contract followed by another contract for form based authentication(Secure username password form). At first the user is getting authenticated using…
  • REST API to take number of Active sessions

    I am using the REST API for the health report. I need to take the active sessions. But using the API I am able to get them only for a particular user, like below. https://************************:8443/amsvc/v1/idpclusters/SCCi3emcx/sessions?userid=palanisas…
  • Identity Provider response was received that failed to authenticate this session.

    Can anyone help with this error? I tried configuring the user app OSP for NAM SSO under SAML 2.0. Error: An Identity Provider response was received that failed to authenticate this session.