Access request - Approval failed

Hi,

Running IGA 3.5.1 on SLES 12.4 with MSSQL.
OSP 6.2 is installed on identity apps server (4.7.3)

We have issues with approving access requests.

I have a permission that I have connected to a request- and an approval policy. The approval policy contains one approval step (approval by specific user).

Case:
I log in as an end-user and request the permission.
The approval request is sent to the approver, and there are no errors in the interface when approving the request. However, when submitting the approval this gets logged in Catalina:

[WARNING] 2020-05-25 14:49:17 com.netiq.iac.server.j2ee.AuthFilter doFilter - [IG-SERVER] User Service: null (null) is authenticated and logged in, but does not have access to the Identity Governance application.

If I log back in as the requester and check "My requests", the request status is now "Approval Failed". No errors if I expand the request, "Approval Step 1" is listed as completed. The request is not sent to fulfillment.

Would appreciate suggestions on how to resolve this.

 

  • Verified Answer

    Greetings,

    This has been covered in the following thread:

    "User Service: iac is authenticated and logged in, but does not have access to the Identity Governance application."

    https://community.microfocus.com/t5/IGA-User-Discussions/User-Service-iac-is-authenticated-and-logged-in-but-does-not/m-p/2254791#M264

     

    Here is the solution I had posted in the above thread:

    "
    ID Gov 3.5.x and newer require that OSP provide it a JWT token. When OSP is installed from the ID Gov media, the necessary property and value will be added in the ism-configuration.properties file:

    com.netiq.idm.osp.oauth.access-token-format.format = jwt


    However, the early versions of IDM 4.7.x when installing OSP did not add the necessary entries. There was a patch around January 2019 and documentation for IDM 4.7.1 https://download.microfocus.com/Download?buildid=weejwXqB_gg~ from the IDM outlining this accordingly. Then for ID 4.7.2 it was fully added to the docs:
    https://www.netiq.com/documentation/identity-manager-47/releasenotes_idm472/data/releasenotes_idm472.html
    https://www.netiq.com/documentation/identity-manager-47/identity_apps_admin_472/data/configure-idm-for-ig.html

    That one had to add the following two (2) properties in ism-configuration.properties file on the ID Apps/OSP server:
    com.netiq.idm.osp.oauth.access-token-format.format = jwt
    com.netiq.idm.osp.oauth.attr.roles.maxValues = 1

     

    In your case, on the ID Apps/OSP server the two (2) entries are in the ism-configuration.properties file, but they are not complete:

    com.netiq.idm.osp.oauth.access-token-format.format =
    com.netiq.idm.osp.oauth.attr.roles.maxValues = 1


    When the property (com.netiq.idm.osp.oauth.access-token-format.format) is either not present or empty, OSP will default to opaque tokens instead of JWT. Outlining the use of JWT token on the IDM does no harm because IDM 4.7.x is not utilizing them so all will default back to opaque for them.


    At this point, you just need to update the property on the ID Apps/OSP server, clear out the localhost folder, and restart. After that, a new request within Access Request of ID Gov should work.
    "

    --
    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    Micro Focus
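
A check for the two properties named in the answer above, added here as an example; it is not part of the original thread or of any Micro Focus tooling. The function names and the sample file contents are constructed for illustration, and the expected values are the ones quoted in the answer.

```python
import re

FORMAT_KEY = "com.netiq.idm.osp.oauth.access-token-format.format"
ROLES_KEY = "com.netiq.idm.osp.oauth.attr.roles.maxValues"
EXPECTED = {FORMAT_KEY: "jwt", ROLES_KEY: "1"}  # values given in the answer

# key, optional '=' or ':' separator, value (may be empty)
_ENTRY = re.compile(r"^\s*([^\s=:]+)\s*[=:]?\s*(.*?)\s*$")

def parse_properties(text):
    """Minimal .properties reader: skips '#'/'!' comments, last definition
    wins. Backslash line continuations are not handled."""
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        match = _ENTRY.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props

def audit_osp_properties(text):
    """Return {property: 'ok' | 'missing' | 'empty' | 'unexpected'}."""
    props = parse_properties(text)
    result = {}
    for key, wanted in EXPECTED.items():
        if key not in props:
            result[key] = "missing"
        elif props[key] == "":
            result[key] = "empty"  # for the format key: OSP falls back to opaque
        elif props[key] != wanted:
            result[key] = "unexpected"
        else:
            result[key] = "ok"
    return result

# Constructed sample: the incomplete entries quoted in the answer.
BROKEN = FORMAT_KEY + " =\n" + ROLES_KEY + " = 1\n"
# Constructed sample: the corrected entries.
FIXED = FORMAT_KEY + " = jwt\n" + ROLES_KEY + " = 1\n"

if __name__ == "__main__":
    for name, sample in (("broken", BROKEN), ("fixed", FIXED)):
        for key, status in audit_osp_properties(sample).items():
            print(f"{name}: {key}: {status}")
```

To audit a real server, pass the contents of its ism-configuration.properties file to `audit_osp_properties`; any status other than `ok` for the format property matches the condition the answer describes.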
