IDM Form redirect to wrong port in OSP

We are running the following versions of IDM Modules:
IDM Apps 4.8.7
FormBuilder 4.8.7

When we try to load a form from Idmdash (trying to load "Helpdesk Ticket Creation Form"), we're redirected to a URL with the wrong port.
This is the URL it redirects to: hostname:8444/.../auth
The correct port is 8443, but it is using 8444.

In the /opt/netiq/idm/apps/osp/conf/global.properties we have the following config:
com.netiq.idm.osp.url.host = https://hostname:8443

Cannot find the config where port 8444 is coming from.


Any ideas?

  • 0  

    Forms use the Forms renderer, which is hosted under nginx, usually on port 8600.  Did they change that default in 4.8.7?  You should have a reference in ism-config to where the forms renderer is.  (Search for 8600, or even in your case 8444, to see if you can find it beyond searching for forms).

  • 0  

    The new IDM forms are run by a separate component that runs on Nginx rather than tomcat.

    So it is expected that they will run on a different port (unless you are fronting all of IDM Apps with a reverse proxy)

    Normally this is port 8600

    It could be that when initially configuring the product the 8444 was a typo.

  • 0  

    There are 3 places that need to be checked when there is problem with forms renderer:

    - in ism-configuration.properties check com.netiq.forms.redirect.url and com.netiq.idm.forms.url.host

    - in apps/sites/config.ini check OSPRedirectUrl

    - in apps/sites/ServiceRegistry.json check serviceRegisteries entry

    As Geoffrey mentioned, your misconfiguration is in ism-configuration.properties (most likely com.netiq.forms.redirect.url, but also check com.netiq.idm.forms.url.host).

    Kind regards,

    Sebastijan

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

  • 0 in reply to   

    Thanks for your answer.
    When I look into these settings, they seem right to me.

    ism-configuration.properties:
    com.netiq.idm.forms.url.host = https://hostname:8600
    com.netiq.forms.redirect.url = hostname:8600/.../oauth.html

    apps/sites/config.ini
    OSPRedirectUrl=hostname:8600/.../oauth.html

    apps/sites/ServiceRegistry.json
    {"serviceRegisteries":[{"serviceID":"IDM","restUrl":"https://hostname:8443/IDMProv"}]}

  • 0   in reply to 

    This looks OK.

    So either ism-configuration.properties had a setting with 8444 at some point, but after the change to 8600 the IDM Apps tomcat was not restarted, or something else is doing a strange redirect.

    >When we try to load a form from Idmdash (trying to load "Helpdesk Ticket Creation Form"), we're redirected to a url with the wrong port

    >This is the URL it will redirect to: hostname:8444/.../auth

    Can you provide full URL you are redirected to? (without hostname, of course)

    Kind regards,

    Sebastijan


  • 0 in reply to   

    I tried to restart tomcat as well but unfortunately with no luck.

    When I press the Helpdesk Ticket icon it first goes to:
    https://hostname:8600/forms/#/form/details?id=cn%3DHelp-desk%20Request%20Form%2Ccn%3DWorkflowForms%2Ccn%3Dappconfig%2Ccn%3DUser%20Application%20Driver%2Ccn%3Ddriverset1%2Co%3Dsystem&recipient=&pid=cn%3Dhelpdeskticket%2Ccn%3Drequestdefs%2Ccn%3Dappconfig%2Ccn%3Duser%20application%20driver%2Ccn%3Ddriverset1%2Co%3Dsystem&sid=IDM&uri=%2Frest%2Faccess%2Fforms&formContainer=RequestForms&locale=en
    Next request is:
    https://hostname:8444/osp/a/idm/auth/oauth2/auth?redirect_uri=https://hostname:8600/forms/oauth.html&client_id=forms&response_type=code
    And it returns a 404.

  • 0   in reply to 

    Can you check OSPIssuerUrl parameter in apps/sites/config.ini?

    Also what is the output of

    https://hostname:8443/osp/a/idm/auth/oauth2/.well-known/openid-configuration

    Kind regards,

    Sebastijan


  • 0 in reply to   

    OSPIssuerUrl=https://hostname:8443/osp/a/idm/auth/oauth2

    {
    "issuer":"https://hostname:8443/osp/a/idm/auth/oauth2",
    "authorization_endpoint":"https://hostname:8443/osp/a/idm/auth/oauth2/auth",
    "token_endpoint":"https://hostname:8443/osp/a/idm/auth/oauth2/token",
    "userinfo_endpoint":"https://hostname:8443/osp/a/idm/auth/oauth2/userinfo",
    "jwks_uri":"https://hostname:8443/osp/a/idm/auth/oauth2/jwks",
    "revocation_endpoint":"https://hostname:8443/osp/a/idm/auth/oauth2/revoke",
    "introspection_endpoint":"https://hostname:8443/osp/a/idm/auth/oauth2/introspect",
    "end_session_endpoint":"https://hostname:8443/osp/a/idm/auth/oauth2/logout",
    "scopes_supported":[
    "openid",
    "phone",
    "email",
    "profile",
    "ism"
    ],
    "response_types_supported":[
    "code",
    "code id_token",
    "code token",
    "code id_token token",
    "token",
    "id_token",
    "id_token token"
    ],
    "response_modes_supported":[
    "fragment",
    "query",
    "form_post"
    ],
    "grant_types_supported":[
    "authorization_code",
    "implicit",
    "password",
    "client_credentials",
    "refresh_token"
    ],
    "acr_values_supported":[
    "idm:login:user:np",
    "idm:login:user:ro-np"
    ],
    "subject_types_supported":[
    "public"
    ],
    "id_token_signing_alg_values_supported":[
    "RS256",
    "RS384",
    "RS512",
    "HS256",
    "HS384",
    "HS512"
    ],
    "id_token_encryption_alg_values_supported":[
    "dir",
    "RSA1_5",
    "RSA-OAEP",
    "RSA-OAEP-256",
    "ECDH-ES",
    "ECDH-ES+A128KW",
    "ECDH-ES+A192KW",
    "ECDH-ES+A256KW",
    "A128KW",
    "A192KW",
    "A256KW",
    "A128GCMKW",
    "A192GCMKW",
    "A256GCMKW"
    ],
    "id_token_encryption_enc_values_supported":[
    "A128CBC-HS256",
    "A192CBC-HS384",
    "A256CBC-HS512",
    "A128GCM",
    "A192GCM",
    "A256GCM"
    ],
    "userinfo_signing_alg_values_supported":[
    "RS256",
    "RS384",
    "RS512",
    "HS256",
    "HS384",
    "HS512"
    ],
    "userinfo_encryption_alg_values_supported":[
    "dir",
    "RSA1_5",
    "RSA-OAEP",
    "RSA-OAEP-256",
    "ECDH-ES",
    "ECDH-ES+A128KW",
    "ECDH-ES+A192KW",
    "ECDH-ES+A256KW",
    "A128KW",
    "A192KW",
    "A256KW",
    "A128GCMKW",
    "A192GCMKW",
    "A256GCMKW"
    ],
    "userinfo_encryption_enc_values_supported":[
    "A128CBC-HS256",
    "A192CBC-HS384",
    "A256CBC-HS512",
    "A128GCM",
    "A192GCM",
    "A256GCM"
    ],
    "request_object_signing_alg_values_supported":[
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512"
    ],
    "request_object_encryption_alg_values_supported":[
    "dir",
    "RSA1_5",
    "RSA-OAEP",
    "RSA-OAEP-256",
    "ECDH-ES",
    "ECDH-ES+A128KW",
    "ECDH-ES+A192KW",
    "ECDH-ES+A256KW",
    "A128KW",
    "A192KW",
    "A256KW",
    "A128GCMKW",
    "A192GCMKW",
    "A256GCMKW"
    ],
    "request_object_encryption_enc_values_supported":[
    "A128CBC-HS256",
    "A192CBC-HS384",
    "A256CBC-HS512",
    "A128GCM",
    "A192GCM",
    "A256GCM"
    ],
    "token_endpoint_auth_methods_supported":[
    "client_secret_basic",
    "client_secret_post",
    "client_secret_jwt",
    "private_key_jwt"
    ],
    "token_endpoint_auth_signing_alg_values_supported":[
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512"
    ],
    "display_values_supported":[
    "page"
    ],
    "claim_types_supported":[
    "normal"
    ],
    "claims_supported":[
    "phone_number",
    "email",
    "name",
    "family_name",
    "given_name",
    "middle_name",
    "preferred_username",
    "acr",
    "last_name",
    "first_name",
    "initials",
    "roles",
    "language",
    "cacheable",
    "expiration",
    "auth_src_id",
    "client",
    "txn",
    "auth_time",
    "iss",
    "sub",
    "aud",
    "exp",
    "iat"
    ],
    "claims_parameter_supported":true,
    "request_parameter_supported":true,
    "request_uri_parameter_supported":true,
    "authorization_response_iss_parameter_supported":true,
    "code_challenge_methods_supported":[
    "S256"
    ]
    }
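
As an added example (not from this thread or from the IDM product), a script that cross-checks the three settings Sebastijan listed, the OSPIssuerUrl, the discovery document and the authorization request the browser was actually sent to, reporting every origin or URL that disagrees with the rest. The file contents and the trimmed discovery JSON are constructed from the values posted above (scheme and /forms/oauth.html path taken from the full request URL).

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed from the values posted in this thread (scheme/path restored).
ISM_CONFIG = """
com.netiq.idm.osp.url.host = https://hostname:8443
com.netiq.idm.forms.url.host = https://hostname:8600
com.netiq.forms.redirect.url = https://hostname:8600/forms/oauth.html
"""
CONFIG_INI = """
OSPRedirectUrl=https://hostname:8600/forms/oauth.html
OSPIssuerUrl=https://hostname:8443/osp/a/idm/auth/oauth2
"""
# Only the two discovery keys the check needs, copied from the posted document.
DISCOVERY = json.loads('{"issuer":"https://hostname:8443/osp/a/idm/auth/oauth2",'
                       '"authorization_endpoint":"https://hostname:8443/osp/a/idm/auth/oauth2/auth"}')
# The authorization request the browser was actually sent to (port 8444, answered 404).
OBSERVED = ("https://hostname:8444/osp/a/idm/auth/oauth2/auth"
            "?redirect_uri=https://hostname:8600/forms/oauth.html"
            "&client_id=forms&response_type=code")


def parse_kv(text):
    """key = value lines; ism-configuration.properties and config.ini share this shape."""
    pairs = (ln.split("=", 1) for ln in text.splitlines()
             if "=" in ln and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}


def origin(url):
    """scheme://host:port, the part a wrong-port redirect changes."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}"


def find_mismatches(ism_text=ISM_CONFIG, ini_text=CONFIG_INI, discovery=DISCOVERY, observed=OBSERVED):
    """Return (check, expected, actual) for every setting that disagrees with the others."""
    ism, ini = parse_kv(ism_text), parse_kv(ini_text)
    sent_redirect = parse_qs(urlsplit(observed).query).get("redirect_uri", [""])[0]
    checks = [
        ("OSPIssuerUrl origin vs osp.url.host", origin(ism["com.netiq.idm.osp.url.host"]), origin(ini["OSPIssuerUrl"])),
        ("discovery issuer vs OSPIssuerUrl", ini["OSPIssuerUrl"], discovery["issuer"]),
        ("authorization endpoint vs discovery", origin(discovery["authorization_endpoint"]), origin(observed)),
        ("redirect_uri sent vs OSPRedirectUrl", ini["OSPRedirectUrl"], sent_redirect),
        ("OSPRedirectUrl vs forms.redirect.url", ism["com.netiq.forms.redirect.url"], ini["OSPRedirectUrl"]),
    ]
    return [c for c in checks if c[1] != c[2]]


if __name__ == "__main__":
    for name, expected, actual in find_mismatches():
        print(f"MISMATCH {name}: expected {expected}, got {actual}")
```

With the values from this thread the only report is the authorization request origin (8444 against the discovery document's 8443), which is exactly the point where the configured files stop explaining the redirect.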

  • 0   in reply to 

    This is getting strange.

    So what happens:

    - you click on Helpdesk icon

    - you are properly redirected to forms renderer (https://hostname:8600/forms/#/form/)

    - forms renderer figures out it needs authentication/OAuth token and redirects you to OSP (calling authorization endpoint)

    - you are redirected to authorization endpoint but it has port 8444 in it.

    Now there are two possibilities:

    - form renderer sends you to wrong URL (but based on information you've posted, config looks OK)

    - maybe nginx sitting in front of form renderer does some strange rewrite.

    Can you please post /opt/netiq/common/nginx/nginx.conf?

    Kind regards,

    Sebastijan


  • 0 in reply to   

    Yes, totally agree.

    user novlua;
    load_module modules/ngx_http_headers_more_filter_module.so;
    worker_processes 1;

    #error_log logs/error.log;
    #error_log logs/error.log notice;
    #error_log logs/error.log info;

    #pid logs/nginx.pid;


    events {
        worker_connections 1024;
    }


    http {
        include mime.types;
        more_clear_headers Server;
        default_type application/octet-stream;

        #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
        #                '$status $body_bytes_sent "$http_referer" '
        #                '"$http_user_agent" "$http_x_forwarded_for"';

        access_log logs/access.log main;

        sendfile on;

        server_tokens off;

        #tcp_nopush on;

        #keepalive_timeout 0;
        keepalive_timeout 90;

        #gzip on;

        server {
            listen 8600 ssl;
            server_name hostname;
            ssl on;
            ssl_protocols TLSv1.2;
            ssl_password_file /opt/netiq/common/nginx/cert/pass.txt;
            ssl_certificate /opt/netiq/common/nginx/cert/nginx.crt;
            ssl_certificate_key /opt/netiq/common/nginx/cert/nginx.key;

            #charset koi8-r;

            access_log logs/host.access.log main;

            location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header Host $host;
                proxy_pass http://127.0.0.1:3000;
            }
            location /forms {
                root /opt/netiq/idm/apps/sites/;
                index index.html;
            }

            #error_page 404 /404.html;

            # redirect server error pages to the static page /50x.html
            #

            error_page 500 503 504 502 /502.html;
            error_page 404 /404.html;
            location /502.html {
                root /opt/netiq/idm/apps/sites/forms/;
                index 502.html;
            }
            location /404.html {
                root /opt/netiq/idm/apps/sites/forms/;
                index 404.html;
            }


            add_header X-XSS-Protection "1; mode=block";
            add_header X-Content-Type-Options "nosniff";
            add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";


            # proxy the PHP scripts to Apache listening on 127.0.0.1:80
            #
            #location ~ \.php$ {
            #    proxy_pass http://127.0.0.1;
            #}

            # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
            #
            #location ~ \.php$ {
            #    root html;
            #    fastcgi_pass 127.0.0.1:9000;
            #    fastcgi_index index.php;
            #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
            #    include fastcgi_params;
            #}

            # deny access to .htaccess files, if Apache's document root
            # concurs with nginx's one
            #
            #location ~ /\.ht {
            #    deny all;
            #}
        }


        # another virtual host using mix of IP-, name-, and port-based configuration
        #
        #server {
        #    listen 8600 ssl00;
        #    listen somename:8080;
        #    server_name somename alias another.alias;

        #    location / {
        #        root html;
        #        index index.html index.htm;
        #    }
        #}


        # HTTPS server
        #
        #server {
        #    listen 443 ssl;
        #    server_name hostname;
        ssl on;
        ssl_protocols TLSv1.2;
        ssl_password_file /opt/netiq/common/nginx/cert/pass.txt;
        ssl_certificate /opt/netiq/common/nginx/cert/nginx.crt;
        ssl_certificate_key /opt/netiq/common/nginx/cert/nginx.key;

        #    ssl_certificate cert.pem;
        #    ssl_certificate_key cert.key;

        #    ssl_session_cache shared:SSL:1m;
        #    ssl_session_timeout 5m;

        #    ssl_ciphers HIGH:!aNULL:!MD5;
        #    ssl_prefer_server_ciphers on;

        #    location / {
        #        root html;
        #        index index.html index.htm;
        #    }
        #}

    }