UA 45 and Access Manager Logout

I have configured Access Manager to form fill and login to UA (which uses
OSP and all that).

Now, when I log out of userapp, the browser goes into a loop (doing
something which is too fast to see, over and over).

I would like the logout page to be nice, and log the user out.

setup is like this

UserPC -> idm.domain.com > ua.domain.com

I would like the users in UA to logout to https://idm.domain.com/AGLogout

How is that accomplished?

  • On 5/12/17 7:03 AM, Nicolai Jensen wrote:
    > I have configured Access Manager to form fill and login to UA (which uses
    > OSP and all that).
    >
    > Now, when I log out of userapp, the browser goes into a loop (doing
    > something which is too fast to see, over and over).
    >
    > I would like the logout page to be nice, and log the user out.
    >
    > setup is like this
    >
    > UserPC -> idm.domain.com > ua.domain.com
    >
    > I would like the users in UA to logout to https://idm.domain.com/AGLogout
    >
    > How is that accomplished?
    >

    Greetings,
    I do believe there is a note in the docs that outlines Form Fill
    and Identity Injection can no longer be utilized when integrating Access
    Manager with IDM 4.5.x or 4.6

    --
    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    Micro Focus
  • On Sat, 13 May 2017 11:16:22 0000, Steven Williams wrote:

    > On 5/12/17 7:03 AM, Nicolai Jensen wrote:
    >> I have configured Access Manager to form fill and login to UA (which
    >> uses OSP and all that).
    >>
    >> Now, when I log out of userapp, the browser goes into a loop (doing
    >> something which is too fast to see, over and over).
    >>
    >> I would like the logout page to be nice, and log the user out.
    >>
    >> setup is like this
    >>
    >> UserPC -> idm.domain.com > ua.domain.com
    >>
    >> I would like the users in UA to logout to
    >> https://idm.domain.com/AGLogout
    >>
    >> How is that accomplished?
    >>

    > Greetings,
    > I do believe there is a note in the docs that outlines Form Fill
    > and Identity Injection can no longer be utilized when integrating Access
    > Manager with IDM 4.5.x or 4.6


    Oh.....
    Actually I did try to get it to do SAML first.
    The SAML endpoint/metadata seems to have a defect though (although I'm not
    sure, I cannot get it to work).

    In the metadata it mentions that the endpoint is
    https://idm.domain.com:8443/osp/a/idm/auth/saml2/metadata

    While the actual endpoint is
    https://430wf1.fmktst.dk:8443/osp/a/idm/auth/saml2/spmetadata

    Even editing the metadata before pasting it into Access Manager does not
    seem to work. AM logs seem to point me to the fact that
    https://idm.domain.com:8443/osp/a/idm/auth/saml2/metadata is unreachable
    (which it indeed is).

    When I gave up on that, I turned to my old pal Google, and found a cool
    solution, which outlined how to do formfill.

    https://www.netiq.com/communities/cool-solutions/integrating-identity-manager-4-5-4-user-application-access-manager-4-3-access-gateway/

  • On Sat, 13 May 2017 14:59:54 0000, Nicolai Jensen wrote:


    > In the metadata it mentions that the endpoint is
    > https://idm.domain.com:8443/osp/a/idm/auth/saml2/metadata
    >
    > While the actual endpoint is
    > https://430wf1.fmktst.dk:8443/osp/a/idm/auth/saml2/spmetadata


    I should say metadata URL, not endpoint.
    I cannot get it to work, that's the point :-)
  • Nicolai Jensen <xnjex@pwc.dk> wrote:
    > On Sat, 13 May 2017 14:59:54 0000, Nicolai Jensen wrote:
    >
    >
    >> In the metadata it mentions that the endpoint is
    >> https://idm.domain.com:8443/osp/a/idm/auth/saml2/metadata
    >>
    >> While the actual endpoint is
    >> https://430wf1.fmktst.dk:8443/osp/a/idm/auth/saml2/spmetadata

    >
    > I should say metadata URL, not endpoint.
    > I cannot get it to work, that's the point :-)
    >


    There was a trick that it doesn't respond/show up until the config of OSP
    is switched to SAML and you restart OSP

  • On Sat, 13 May 2017 17:06:58 0000, Alex McHugh wrote:

    > Nicolai Jensen <xnjex@pwc.dk> wrote:
    >> On Sat, 13 May 2017 14:59:54 0000, Nicolai Jensen wrote:
    >>
    >>
    >>> In the metadata it mentions that the endpoint is
    >>> https://idm.domain.com:8443/osp/a/idm/auth/saml2/metadata
    >>>
    >>> While the actual endpoint is
    >>> https://430wf1.fmktst.dk:8443/osp/a/idm/auth/saml2/spmetadata

    >>
    >> I should say metadata URL, not endpoint.
    >> I cannot get it to work, that's the point :-)
    >>
    >>

    > There was a trick that it doesn't respond/show up until the config of
    > OSP is switched to SAML and you restart OSP


    I have reconfigured and restarted.

    The issue seems to be that the metadata points to the wrong metadata URL.
    The URL seems to be postfixed with "sp", and that is not reflected in the
    actual metadata from the server.

    I have also tried to point Access Manager to
    https://430wf1.fmktst.dk:8443/osp/a/idm/auth/saml2/spmetadata and the URL
    in the metadata returns
    https://idm.domain.com:8443/osp/a/idm/auth/saml2/metadata
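
The mismatch described in the posts above can be checked mechanically. This is an added example, not part of the thread and not Micro Focus code: it compares the URLs advertised inside a SAML metadata document with the URL the document was actually fetched from. It assumes the advertised URL sits in `entityID`; the sample document is constructed and its two service paths are placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample: only the entityID URL is taken from the thread; the two
# service paths are placeholders, not real OSP endpoints.
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idm.domain.com:8443/osp/a/idm/auth/saml2/metadata">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idm.domain.com:8443/PLACEHOLDER/slo"/>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idm.domain.com:8443/PLACEHOLDER/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def origin(url):
    """Return (scheme, host, port) so two URLs can be compared by origin."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port)

def check_metadata(xml_text, fetched_from):
    """List advertised URLs that do not match where the metadata was served."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    entity_id = root.get("entityID", "")
    if entity_id.startswith(("http://", "https://")):
        if origin(entity_id) != origin(fetched_from):
            findings.append(("entityID", entity_id, "host differs from fetch URL"))
        elif urlsplit(entity_id).path != urlsplit(fetched_from).path:
            findings.append(("entityID", entity_id, "path differs from fetch URL"))
    # Every endpoint the partner will redirect or post to must be reachable too.
    for el in root.iter():
        for attr in ("Location", "ResponseLocation"):
            url = el.get(attr)
            if url and origin(url) != origin(fetched_from):
                name = el.tag.replace(MD_NS, "") + "/@" + attr
                findings.append((name, url, "host differs from fetch URL"))
    return findings

if __name__ == "__main__":
    served_at = "https://430wf1.fmktst.dk:8443/osp/a/idm/auth/saml2/spmetadata"
    for finding in check_metadata(SAMPLE_METADATA, served_at):
        print(finding)
```
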
  • Nicolai Jensen;2457174 wrote:
    I have configured Access Manager to form fill and login to UA (which uses
    OSP and all that).

    Now, when I log out of userapp, the browser goes into a loop (doing
    something which is too fast to see, over and over).

    I would like the logout page to be nice, and log the user out.

    setup is like this

    UserPC -> idm.domain.com > ua.domain.com

    I would like the users in UA to logout to https://idm.domain.com/AGLogout

    How is that accomplished?


    Dear Nicolai,

    We could create two formfill policies

    1) Login Form attached to osp and

    2) Logout attached to IDMProv and other contexts

    Do Form -> Login Failure
    CGI Matching Criteria as 'logout'
    Page Matching Criteria as none
    Redirect to URL: https://<NAM_AGserver>/AGLogout

    3) Or the same formfill policies (Login and Logout) attached to both of them (osp and IDMProv/other contexts)

    Kindly note: I'm looking for an official documentation link about the same and will share it if I find one.

    Please try and let us know if that works for you on this Form Fill policy.

    Thanks and Best Regards,
    SivaPrakasamS
    Micro Focus
  • On Mon, 15 May 2017 13:34:02 0000, SPSivasubramanian wrote:

    > Nicolai Jensen;2457174 Wrote:
    > Please try and let us know if that works for you on this Form Fill
    > policy.
    >
    > Thanks and Best Regards,
    > SivaPrakasamS
    > Micro Focus


    Wow, great. Thanks.
    I will try that as soon as possible (might be a few days).

  • On Mon, 15 May 2017 19:32:11 0000, Nicolai Jensen wrote:

    > On Mon, 15 May 2017 13:34:02 0000, SPSivasubramanian wrote:
    >
    >> Nicolai Jensen;2457174 Wrote:
    >> Please try and let us know if that works for you on this Form Fill
    >> policy.
    >>
    >> Thanks and Best Regards,
    >> SivaPrakasamS Micro Focus

    >
    > Wow, great. Thanks.
    > I will try that as soon as possible (might be a few days).


    Oh well, I couldn't wait anyway.
    My feedback is that it does indeed seem to work like a charm (haven't
    checked all the corners yet though)

    You sir, are a genius.