Mobile access endpoint called on AGLogout

I was watching a Fiddler trace when calling /AGLogout against a protected resource on the AG.

I see first a GET for

/nesp/jsp/logoutSuccess.jsp?sid=5&login_hint&uiDestination=contentDiv

That results in a 200, as expected.

Next I see a GET request for 

/nidp/mobileaccess/endpoint/configuration?refresh=true&output=json

Which normally results in a 302 redirect on most of the systems I checked.

However, I'm seeing on one system that this is resulting in a 404 not found and sometimes the end user gets left on that broken page. I'm trying to figure out why this happens in this one configuration.

All the systems I looked at are 4.5.3.1 running on SLES 12 SP5.  All the systems I have compared to work properly and result in a 302 redirect.  Some have mobile access enabled and some do not.

So my questions are...

1. How does this even work at all calling /nidp/mobileaccess from the AG (IdP is NOT proxied)?

2. How do I fix my broken system?

Matt

 

 

  • This request doesn't make sense for the AG server and it is a bug.

    The reason you are getting redirection or 404 is due to the request matching a PR which has an Authentication Procedure set (for redirection) and not set (404).


  •  wrote:

    This request doesn't make sense for the AG server and it is a bug.

    The reason you are getting redirection or 404 is due to the request matching a PR which has an Authentication Procedure set (for redirection) and not set (404).


    I don't have any /nidp protected resources configured, so how would I be getting a 302 redirect?

    I can understand the 404, because the proxy is passing that on to the default protected resource which has no idea what the heck it is.  

    How can I block/stop this from happening?  Do I need to modify logoutSuccess (TID?)?

    Matt

  • Verified Answer

    If you don't have /nidp configured, it means the AG must be matching it against "/*". This is a completely useless call made to the AG server.

    Try this to stop the browser from making this request:

    • Go to the AG server using SSH
    • Go to the folder /opt/novell/nam/mag/webapps/nesp/jsp
    • Open the JSP file nidp_latest.jsp
    • Comment out the part where the showMobileAccessSmartBanner() function is called.

    <!--

    <script>
    window.onload = function() {
    showMobileAccessSmartBanner();
    };
    </script>


    -->
    </body>

    • Repeat the same change for all the AG servers.

    After the above changes, the browser will not make the mobileaccess endpoint configuration request to the AG server.
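
One way to confirm the edit on each AG server, as an added example that is not part of the original thread or any vendor tooling: it counts calls to showMobileAccessSmartBanner() that remain outside HTML or JSP comments in nidp_latest.jsp. The function names, the JSP variable and the sample fragments are constructed for this example; only the file path and the banner function name come from the answer above.

```shell
#!/bin/sh
# Added example, not vendor code. Run locally on each Access Gateway.
# Default path is the one named in the answer; override with JSP=... if needed.
JSP="${JSP:-/opt/novell/nam/mag/webapps/nesp/jsp/nidp_latest.jsp}"

# Print how many calls to showMobileAccessSmartBanner() remain outside
# HTML (<!-- -->) and JSP (<%-- --%>) comments in the given file.
count_live_calls() {
    awk '
    function strip(s, op, cl,    out, i, j) {
        out = ""
        while ((i = index(s, op)) > 0) {
            out = out substr(s, 1, i - 1)
            s = substr(s, i + length(op))
            j = index(s, cl)
            if (j == 0) return out      # unterminated comment hides the rest
            s = substr(s, j + length(cl))
        }
        return out s
    }
    { text = text $0 "\n" }
    END {
        text = strip(text, "<%--", "--%>")
        text = strip(text, "<!--", "-->")
        # A definition ("function name(") is not a call; drop it before counting.
        gsub(/function[ \t]+showMobileAccessSmartBanner/, "", text)
        n = gsub(/showMobileAccessSmartBanner[ \t]*\(/, "&", text); print n
    }' "$1"
}

# Exit status 0 when no live call is left (the edit is in place), 1 otherwise.
banner_disabled() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    [ "$(count_live_calls "$1")" -eq 0 ]
}

# Constructed sample fragments (not the real vendor file) for a dry run.
write_samples() {
    printf '%s\n' '<script>' 'window.onload = function() {' \
        'showMobileAccessSmartBanner();' '};' '</script>' '</body>' > "$1/before.jsp"
    printf '%s\n' '<!--' '<script>' 'window.onload = function() {' \
        'showMobileAccessSmartBanner();' '};' '</script>' '-->' '</body>' > "$1/after.jsp"
}

# Check the real file only when it exists on this host.
if [ -r "$JSP" ]; then
    if banner_disabled "$JSP"; then echo "OK: $JSP"; else echo "LIVE CALL: $JSP"; fi
fi
```

A product update can replace the JSP and bring the call back, so the same check is worth re-running after patching.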

     

  •  

    Thanks Manjit.  That seems to have done the trick!

     

    Matt