IGA 4.2 - Login Failed

After starting a fresh install of IGA and authentication server on the same server, I'm not able to login.

The OSP-IDM.date.log says:

Log Data: Validation of authentication service configuration resulted in one or more errors:

Validation messages (10):
1) Error:
AuthenticationService[OSP Configuration (id=auth)]/Authentication/Protocols/OAuth2Protocol/Client[id=workflow]
Duplicate client identifier.
2) Warning:
AuthenticationService[OSP Configuration (id=auth)]/Authentication/Protocols/OAuth2Protocol/OAuth2Clients/Client[id=wfconsole,uri=/wfconsole/oauth.html]/Url
Redirect URI missing scheme.
3) Warning:
AuthenticationService[OSP Configuration (id=auth)]/Authentication/Protocols/OAuth2Protocol/Client[id=workflow]
Client[id=workflow] is disabled due to configuration errors.

.... And some more warnings referring to RFC 6819

and then at the time when trying to login:

Preamble: [OIDP idm]
Txn: a3Nm4cm2EgrdawBQVpqprw
Priority Level: WARNING
Java: internal.osp.oidp.service.source.ldap.LDAPSource.search() [734] thread=https-openssl-nio-443-exec-7
Elapsed time: 35.28 milliseconds
Time: 2024-02-12T16:41:42.328+0100
Log Data: Admin search:
Admin search:

Can't figure out where the installation/configuration went wrong ...

  • 0  

    Hello,
    The errors/warns you outlined will not stop one from being able to Authenticate. There is a major difference between Authentication and Authorization.

    Authentication for most customers is handled by OSP (some use Access Manager as the OAuth provider). OSP will look-up the user in eDirectory or Active Directory, if found update information on that user in the Identity Vault, create an OAuth token, and redirect back to Identity Governance, Identity Reporting, or External Workflow.

    Authorization then happens at Identity Governance, Identity Reporting, or External Workflow. Meaning these modules/components then parse the OAuth Token and utilize that information to confirm if the Authenticated user is allowed to perform actions in their module/component. Based upon their look-up the user is then granted certain access rights or presented with a message outlining they are not authorized. If the user is unknown to the module/component, they can receive a message similar to:

    Steven Williams is authenticated, but does not have any rights to this system. Please logout.

    Questions:
    1) When one tries to access Identity Governance, Identity Reporting, or External Workflow, are you redirected to the OSP Login page?

    2) If yes #1, after providing an ID and Password do you receive message about invalid ID/Password OR are you redirected back to one (1) of the above applications and then receive a different message in the UI OR the page does not render?

    3) Is OSP deployed on the same tomcat as Identity Governance?

    4) Is OSP pointing to eDirectory or Active Directory for the Identity Vault?


    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity

  • 0 in reply to   

    Thanx for answering.

    1) Yes - I'm redirected to OSP login page. And as it is a clean install,

    2) "Logon failed - try again" (translated from Swedish). I'm trying to log on using the bootstrap account (from Active Directory - not from file)

    3) Yes

    4) Active Directory

  • 0   in reply to 

    Hello,

    Most of the time when a customer outlines they are unable to Login when using Active Directory as the Identity Vault, it is because they did not extend the schema as outlined in the Installation Guide: https://www.microfocus.com/documentation/identity-governance/4.2/install-guide/b1iq4nvf.html#t4b64uo9k3m6 

    In your set-up, I have a feeling that OSP is set to WARN for the logging level in the setenv.sh. If you change this to ALL, restart, and test again there will be more information. If I am correct about the above, in the osp log will be an error about not being able to write on the user in AD.  If that is the case, you need to extend the schema in your AD server.

    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity

  • 0 in reply to   

    Hi!

    We do have the schema extension so that is not the problem.

    The problem seems to be with my newly created bootstrap account in AD.

    I tried logging on with my own account - and it worked! But it wasn't authorized to do anything which is correct.
    I then configured my own account as bootstrap account - and it works, but that's not an option.
    If I try to log on with my account (and some other) supplying wrong password I get a message in osp-idm-date.log:

    Priority Level: WARNING
    Java: internal.atlaslite.jcce.ldap.jndi.JNDIConnectionPool.getUserConnection() [966] thread=https-openssl-nio-443-exec-7
    Time: 2024-02-13T11:57:45.586+0100
    Log Data: Leaving: Exception on CreatedNewUserConn:JNDIExceptionIncorrectPassword, Interval:59

    If I try to log on with the new bootstrap account I get 

    Preamble: [OIDP idm]
    Txn: RV0Z0speEQVpqprw
    Priority Level: WARNING
    Java: internal.osp.oidp.service.source.ldap.LDAPSource.search() [734] thread=https-openssl-nio-443-exec-6
    Time: 2024-02-13T11:58:23.093+0100
    Elapsed time: 24.623 milliseconds
    Log Data: Admin search:
    Admin search:

    It seems that the bootstrap account isn't found. Is there a maximal length of DN? (differs between my own account and bootstrap which is substantially longer).

    Or is it the LDAP-search in Active Directory which only returns the first 500/1000 accounts? Seen such behaviour in other systems.

  • 0   in reply to 

    Hello,

    During the OSP installation:
    1) You were asked to define an "Admin" account that would be used to connect and search. Does this user have rights to see your "bootstrap" user?

    2.a) You were asked to supply/define two (2) LDAP containers (they were labeled a user container and an Admin container). Is the "bootstrap" user within one (1) of those containers or a subcontainer or are they out of scope?

    For Example if both are set to: OU=active,OU=workforce,DC=company,DC=com
    and the BootStrap user is: CN=BootAdmin,OU=admin,OU=workforce,DC=company,DC=com

    Then they will not be found by the ldap search.

    2.b) Did you allow Subtree/container searching?

    2.c) Did you make any changes post install via configupdate?

    3) Are you logging in with just the sAMAccountName or providing the full DN of the "bootstrap" user?

    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity
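
The container-scope question in the reply above (2.a and 2.b) is mechanical enough to check offline. The following is an added example, not code from the thread or from OpenText: a small DN-scope checker that, given a configured container and the user's DN, tells you whether an LDAP search with subtree or one-level scope would reach that entry. The container and user DNs are constructed to mirror the example in the reply (`OU=active,OU=workforce,DC=company,DC=com` versus `CN=BootAdmin,OU=admin,OU=workforce,DC=company,DC=com`); the function names and the two-container layout are this example's own assumptions about how the user and admin container settings are applied.

```python
# Added example: check whether a DN falls inside an LDAP search base.
# Not OSP/IGA code; it models the generic LDAP scope rules the reply relies on.

def split_dn(dn):
    """Split an LDAP DN into its RDN components, honouring backslash escapes.

    "CN=Smith\\, John,OU=users,DC=example,DC=com"
        -> ["CN=Smith\\, John", "OU=users", "DC=example", "DC=com"]
    """
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:                      # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":                  # unescaped comma ends the RDN
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def normalize_rdn(rdn):
    """Attribute types are case-insensitive; AD compares most values case-insensitively too."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()


def in_search_scope(entry_dn, base_dn, subtree=True):
    """Return True if an LDAP search rooted at base_dn would reach entry_dn.

    subtree=True  -> SUBTREE scope: the base entry and every descendant
    subtree=False -> ONELEVEL scope: only the immediate children of the base
    """
    entry = [normalize_rdn(r) for r in split_dn(entry_dn)]
    base = [normalize_rdn(r) for r in split_dn(base_dn)]
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False                     # entry is not under the base at all
    depth = len(entry) - len(base)       # 0 = the base itself, 1 = direct child, ...
    return True if subtree else depth == 1


def diagnose_login_lookup(user_dn, user_container, admin_container, subtree=True):
    """Report which configured container(s) an admin search would find the user in.

    An empty list means the login lookup cannot find the user, which is the
    symptom described in the thread (an "Admin search:" entry with no result).
    Hypothetical helper; OSP's real lookup logic is not modelled here.
    """
    containers = (("user container", user_container),
                  ("admin container", admin_container))
    return [name for name, base in containers
            if in_search_scope(user_dn, base, subtree)]


# Constructed sample DNs mirroring the reply's example.
CONTAINER = "OU=active,OU=workforce,DC=company,DC=com"          # both fields set to this
BOOT_ADMIN = "CN=BootAdmin,OU=admin,OU=workforce,DC=company,DC=com"
REGULAR_USER = "CN=Jane Doe,OU=active,OU=workforce,DC=company,DC=com"
NESTED_USER = "CN=Sam Roe,OU=team1,OU=active,OU=workforce,DC=company,DC=com"

if __name__ == "__main__":
    for dn in (BOOT_ADMIN, REGULAR_USER, NESTED_USER):
        hits = diagnose_login_lookup(dn, CONTAINER, CONTAINER)
        print(dn, "->", ", ".join(hits) if hits else "NOT FOUND by admin search")
    # Turning off subtree searching hides the nested user as well:
    print(NESTED_USER, "(one-level) ->",
          diagnose_login_lookup(NESTED_USER, CONTAINER, CONTAINER, subtree=False))
```

Running it shows the bootstrap account is not found with both fields set to the `OU=active` container, while a user directly in that OU is; with subtree searching off even a user one OU deeper disappears, which is the case to check before narrowing the search via configupdate.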

  • 0 in reply to   

    Thanx,

    I just realized that the bootstrap account was not within the scope of user or admin container.
    So there is the problem, and its solved.

    Is there a way to add multiple LDAP containers for Admins or Users?
    The way our AD-structure is built we'd have to add the LDAP root container to cover all users ...

    The admin accounts would be in a subcontainer to the user accounts. Will that be a problem?
    Is this configuration just to limit the LDAP-search, or do the user and admin LDAP containers allow for different usage of accounts depending on whether your account is in the admin or user container?

  • 0   in reply to 

    Hello,

    1) It is only possible to put one (1) container in each of the container settings fields/filters. You can limit subcontainer searching by launching configupdate and change the settings.

    2) Please refer back to my original post in this thread where I defined the difference between Authentication and Authorization. Just because one might be able to Authenticate does not mean they will actually be able to utilize Identity Governance, Identity Reporting, or External Workflow. Within Identity Governance, you will create Identity Collector(s); that is how the users will be known. If a user is not collected, they will not be able to access (except for the Bootstrap user as outlined in the documentation). If a user is collected, they will be able to access once they have been Authenticated, but what they can see will be limited to what Authorizations you set.


    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity