Advanced Authentication integrated with Access Manager (OAuth-based approach)

Hi.

I have an issue with the Advanced Authentication and Access Manager integration using the OAuth-based approach.
Advanced Authentication (AA) and Access Manager (AM) are integrated using the OAuth-based approach. The Advanced Authentication Generic Class is configured on AM, and the AA method is set up with the Advanced Authentication Generic Class. Users can authenticate to AA with the mail attribute, and AA returns the user information to AM.

Log from AM: "User details returned by AA Server, uname:mail@some-domain repo: ORG </amLogEntry>"
So far so good.

The problem occurs when AA sends the user information (the mail attribute) to AM: AM begins an LDAP search with a sAMAccountName query, and the authentication fails because the search returns 0 results.
<amLogEntry> 2021-05-10T10:54:37Z VERBOSE NIDS Application: Performing LDAP search (&(sAMAccountName=mail@some-domain)(objectClass=User)) in context com.novell.nam.common.ldap.jndi.JNDIUserStoreSearchContext@333bd310 </amLogEntry>

I have set the query on the AA method to search by mail, (&(objectClass=Person)(mail=%Ecom_User_ID%)), but it looks like the Advanced Authentication Generic Class method ignores custom modified queries.

This is the catalina.out log from AM:

<amLogEntry> 2021-05-10T10:54:37Z INFO NIDS Application: AM#500105016: AMDEVICEID#B39F42596174331E: AMAUTHID#74ea79d16881258161e67b1c672346e4571495c4a08004eb11274533d6e11327: Processing login resulting from Service Provider authentication request. </amLogEntry>

<amLogEntry> 2021-05-10T10:54:37Z VERBOSE NIDS Application: Session has consumed authentications: false </amLogEntry>

<amLogEntry> 2021-05-10T10:54:37Z INFO NIDS Application: AM#500105009: AMDEVICEID#B39F42596174331E: AMAUTHID#74ea79d16881258161e67b1c672346e4571495c4a08004eb11274533d6e11327: Executing contract M_AA. </amLogEntry>

<amLogEntry> 2021-05-10T10:54:37Z VERBOSE NIDS Application: Session has consumed authentications: false </amLogEntry>

<amLogEntry> 2021-05-10T10:54:37Z VERBOSE NIDS Application: Session has consumed authentications: false </amLogEntry>

<amLogEntry> 2021-05-10T10:54:37Z VERBOSE NIDS Application: Session has consumed authentications: false </amLogEntry>

<amLogEntry> 2021-05-10T10:54:37Z VERBOSE NIDS Application: Executing authentication method M_AA_OAuth </amLogEntry>

<amLogEntry> 2021-05-10T10:54:37Z DEBUG NIDS Application:
Method: AdvancedAuthenticationClass.doAuthenticate
Thread: https-jsse-nio-xxx.yyy.zzz.www-8443-exec-10
User details returned by AA Server, uname:mail@some-domain repo: ORG </amLogEntry>

<amLogEntry> 2021-05-10T10:54:37Z VERBOSE NIDS Application: Performing LDAP search (&(sAMAccountName=mail@some-domain)(objectClass=User)) in context com.novell.nam.common.ldap.jndi.JNDIUserStoreSearchContext@333bd310 </amLogEntry>

<amLogEntry> 2021-05-10T10:54:37Z DEBUG NIDS Application:
Method: LDAPUserAuthority.searchUser
Thread: https-jsse-nio-xxx.yyy.zzz.www-8443-exec-10
1011790: Searching: (&(sAMAccountName=mail@some-domain)(objectClass=User)) in context com.novell.nam.common.ldap.jndi.JNDIUserStoreSearchContext@333bd310preferredReplica ID: null </amLogEntry>

<amLogEntry> 2021-05-10T10:54:37Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: https-jsse-nio-xxx.yyy.zzz.www-8443-exec-10
Base context: dc=org,dc=org, Filter: (&(sAMAccountName=mail@some-domain)(objectClass=User)), Scope: 2, Request Controls: null, UserId: koihn135iac4p2 </amLogEntry>

<amLogEntry> 2021-05-10T10:54:37Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: https-jsse-nio-xxx.yyy.zzz.www-8443-exec-10
getNextConnection() attempting to get preferred replica from the IPreferredReplica interface </amLogEntry>

<amLogEntry> 2021-05-10T10:54:37Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: https-jsse-nio-xxx.yyy.zzz.www-8443-exec-10
Closing LDAP connection due to connection timeout! Interval: 82988, Timeout: 10000, Connection: Id: 6d2994c9-9bc8-486b-ab93-db8f59f388ec, host: ldaps://xxx.yyy.zzz.www </amLogEntry>

<amLogEntry> 2021-05-10T10:54:37Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: https-jsse-nio-xxx.yyy.zzz.www-8443-exec-10
Connection: 28ff0450-8c70-4da1-a157-d9ed88894fe4, Environment Parameters for InitialDirContext() method call:
Key: java.naming.factory.initial, Value: com.sun.jndi.ldap.LdapCtxFactory
Key: java.naming.referral, Value: follow
Key: java.naming.security.principal, Value: cn=AdminORG,dc=org,dc=org
Key: com.sun.jndi.ldap.connect.timeout, Value: 10000
Key: java.naming.ldap.attributes.binary, Value: mS-DS-ConsistencyGuid
Key: com.sun.jndi.ldap.read.timeout, Value: 15000
Key: java.naming.provider.url, Value: ldaps://xxx.yyy.zzz.www:636
Key: java.naming.security.protocol, Value: ssl
Key: java.naming.ldap.factory.socket, Value: com.novell.nidp.common.util.net.client.NIDP_SSLSocketFactory
Key: java.naming.security.authentication, Value: simple
Key: java.naming.security.credentials, Value: *****
</amLogEntry>

<amLogEntry> 2021-05-10T10:54:37Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: https-jsse-nio-xxx.yyy.zzz.www-8443-exec-10
Augmented property of DirContext Environment: Property Name: java.naming.ldap.attributes.binary, Value: mS-DS-ConsistencyGuid objectGUID nDSPKITrustedRootCertificate </amLogEntry>

<amLogEntry> 2021-05-10T10:54:37Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: https-jsse-nio-xxx.yyy.zzz.www-8443-exec-10
Try connection: ldaps://xxx.yyy.zzz.www </amLogEntry>

<amLogEntry> 2021-05-10T10:54:37Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: https-jsse-nio-xxx.yyy.zzz.www-8443-exec-10
Found 0 results! </amLogEntry>

<amLogEntry> 2021-05-10T10:54:37Z VERBOSE NIDS Application: LDAP search objects found: 0 </amLogEntry>

<amLogEntry> 2021-05-10T10:54:37Z DEBUG NIDS Application:
Method: AdvancedAuthenticationClass.doAuthenticate
Thread: https-jsse-nio-xxx.yyy.zzz.www-8443-exec-10
User not found. AAUser Name: mail@some-domain NAMUser name: </amLogEntry>

<amLogEntry> 2021-05-10T10:54:37Z VERBOSE NIDS Application: Authentication method M_AA_OAuth failed while executing the class com.mf.nam.oauth.client.nidp.AdvancedAuthenticationClass@512f3cdb </amLogEntry>

<amLogEntry> 2021-05-10T10:54:37Z DEBUG NIDS Application:
Method: ContractExecutionState.exec
Thread: https-jsse-nio-xxx.yyy.zzz.www-8443-exec-10
Just returned from call to doContract():
Status: NOT_AUTHENTICATED
Contract: M_AA
Contract Authentication Card: com.novell.nidp.authentication.card.LocalAuthenticationCard@21298dfe
Contract Authentication Card Id: auth-aa
Auth Class: com.mf.nam.oauth.client.nidp.AdvancedAuthenticationClass
Auth Class Page to Show: advancedAuth
Request Param: option: null
</amLogEntry>

<amLogEntry> 2021-05-10T10:54:37Z INFO NIDS Application: AM#500105011: AMDEVICEID#B39F42596174331E: AMAUTHID#74ea79d16881258161e67b1c672346e4571495c4a08004eb11274533d6e11327: Contract M_AA failed. </amLogEntry>

Any idea what I missed?

Thanks in advance for your feedback.

Gregor

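Added example, not part of Gregor's post and not code from Access Manager or Advanced Authentication. It reproduces the mismatch visible in the log in miniature: the identifier AA hands over (mail@some-domain) is substituted into a user-lookup filter template, and the same identifier is evaluated against a small constructed in-memory directory with both the sAMAccountName filter from the log and the mail filter from the custom query. The placeholder %Ecom_User_ID%, the two filter strings and the entry attributes are taken from the post; the directory entries, the matcher and the escaping helper are assumptions for illustration. The escaping step (RFC 4515) is the caveat a practitioner would want here: whatever identifier a remote server returns is ultimately dropped into an LDAP filter, so it must be escaped, otherwise a value such as a lone asterisk turns an equality test into a presence test.

```python
"""
Added example (not code from the original post, Access Manager or Advanced
Authentication): render an LDAP user-lookup filter from a template, escape the
substituted identifier per RFC 4515, and evaluate it against a constructed
in-memory directory to show why a sAMAccountName filter finds 0 entries when
the identifier handed over is a mail address.
"""
from typing import Dict, List

# Placeholder and filters mirror the post; the directory entries are constructed.
PLACEHOLDER = "%Ecom_User_ID%"
DEFAULT_FILTER = "(&(sAMAccountName=%Ecom_User_ID%)(objectClass=User))"
MAIL_FILTER = "(&(objectClass=Person)(mail=%Ecom_User_ID%))"

SAMPLE_DIRECTORY: List[Dict[str, List[str]]] = [
    {"dn": ["cn=gregor,ou=people,dc=org,dc=org"],
     "objectClass": ["top", "Person", "User"],
     "sAMAccountName": ["gregor"],
     "mail": ["mail@some-domain"]},
    {"dn": ["cn=svc-nam,ou=service,dc=org,dc=org"],
     "objectClass": ["top", "Person", "User"],
     "sAMAccountName": ["svc-nam"],
     "mail": ["svc-nam@some-domain"]},
]

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_ldap_value(value: str) -> str:
    """Escape an untrusted value before substituting it into a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, user_id: str) -> str:
    """Replace the placeholder in the template with the escaped identifier."""
    return template.replace(PLACEHOLDER, escape_ldap_value(user_id))


def _split_top_level(s: str) -> List[str]:
    """Split "(a)(b)(c)" into ["(a)", "(b)", "(c)"], respecting nesting."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def _unescape(value: str) -> str:
    """Turn \\XX hex escapes back into the literal characters they stand for."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def matches(filter_str: str, entry: Dict[str, List[str]]) -> bool:
    """Evaluate a filter (&, |, !, equality, presence) against one entry.

    Attribute names and the values used here compare case-insensitively, as
    sAMAccountName and mail do in a real directory.
    """
    body = filter_str[1:-1]
    if body[0] in "&|":
        results = [matches(sub, entry) for sub in _split_top_level(body[1:])]
        return all(results) if body[0] == "&" else any(results)
    if body[0] == "!":
        return not matches(body[1:], entry)
    attr, _, value = body.partition("=")
    attrs = {k.lower(): v for k, v in entry.items()}
    values = [v.lower() for v in attrs.get(attr.strip().lower(), [])]
    if value == "*":                     # unescaped '*' alone is a presence test
        return bool(values)
    return _unescape(value).lower() in values


def search(filter_str: str, directory: List[Dict[str, List[str]]]) -> List[str]:
    """Return the DNs of all entries the filter matches."""
    return [e["dn"][0] for e in directory if matches(filter_str, e)]


def lookup(template: str, user_id: str) -> List[str]:
    """Render the template with the identifier and search the sample directory."""
    return search(render_filter(template, user_id), SAMPLE_DIRECTORY)


if __name__ == "__main__":
    uname = "mail@some-domain"           # identifier AA returned in the post
    for tmpl in (DEFAULT_FILTER, MAIL_FILTER):
        rendered = render_filter(tmpl, uname)
        print(f"{rendered} -> {len(search(rendered, SAMPLE_DIRECTORY))} result(s)")
    # Without escaping, an attacker-chosen identifier becomes a presence filter.
    print("naive '*':", search(MAIL_FILTER.replace(PLACEHOLDER, "*"), SAMPLE_DIRECTORY))
    print("escaped '*':", lookup(MAIL_FILTER, "*"))
```

Running it prints the sAMAccountName filter with 0 results and the mail filter with 1 result for the same identifier, which is exactly the "Found 0 results!" path in the log when the effective filter is the sAMAccountName one. The last two lines show why the substitution must escape the value: a naive replacement of the placeholder with `*` matches every entry that has a mail attribute, while the escaped form matches nothing.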