Related Tips & Info

Howto: Preventing Access Manager Users From Accessing the Identity Server Portal Page

MigrationDeletedUser
1 Likes

Identity Server Portal page details:

When a user authenticates in an Access Manager environment, they are redirected to the Identity (IDP) server login page to submit their credentials. This is normally a stepping stone to accessing some back end applications, via either the Linux Access Gateway or SAML/Liberty service providers. If however, a user is already authenticated and accesses the Identity server, the user will be presented with the IDP server portal page. This page (shown below) provides a wealth of information about the logged in user, including all:

  • federations this user may have with 3rd party service providers
  • identity attributes such as Liberty Personal or employee profile attributes, or Access Manager credential or custom profile attributes
  • policy attributes users/administrators have selected with other service providers.


    Click to view.

Why prevent Access to the Identity Server Portal page:

Administrators may want to prevent users from seeing this IDP server portal page for:

  • security reasons: As mentioned above, users accessing this page have access to sensitive information that administrators may want to hide from users. Some of this information (mentioned above) includes attributes for the user, federations existing with other 3rd party SAML or Liberty providers.

    Administrators may already block access to some of the IDP pages through configuration settings eg. '2.7.3 Blocking Access to the WSDL Services Page' at http://www.novell.com/documentation/novellaccessmanager31/identityserver/?page=/documentation/novellaccessmanager31/identityserver/data/bookinfo.html

  • to avoid calls into the helpdesk: Most users will never need to have access to the information presented in this page, and as a result maybe confused should they ever fall onto this page. By preventing access to the page, any potential calls into the helpdesk will be avoided.

Solution:

The nidp.jap page (/opt/novell/nids/lib/webapp/jsp directory) includes a basic check on whether the user is authenticated. It is also called with every access to the IDP login page. By manipulating this page to check the users status, an administrator can determine whether the user is already authenticated and if so, redirect the user to another page.

Editing this nidp.jar file, locate the existing default entry of

'if (handler.isAuthenticatedSession() && handler.getUserName() != null)'

and add the following lines just above this:

<%
if (handler.isAuthenticatedSession())
{
    String redirectURL = "http://www.novell.com/";
    response.sendRedirect(redirectURL);
}
%>

When a user accesses this page and is not authenticated, the login process will continue as is by default ie. user is presented with the login page where they submit their credentials. If the user is already logged in however, the isAuthenticatedSession() returns true and instead of being redirected to the default IDP portal page, the new code is executed to redirect to a predefined URL. The following ieHTTPHeaders output confirms this

GET /nidp/app HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-US,en-IE;q=0.5
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: idp126.lab.novell.com:8443
Connection: Keep-Alive
Cookie: JSESSIONID=11AB34250B3E79DEC11186168C23B34D; novell_language=en-us; CoreID6=23495995982212440449949; __utma=64695856.419410920.1252432782.1270822885.1271090179.10; __utmz=64695856.1270722077.8.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); WT_FPC=id=83.147.135.44-1904004976.30060919:lv=1266928072031:ss=1266927852968; WT_DC=tsp=1; IPCZQX03a36c6c0a=000002009302249462bb469a9f0f5b43243b858a

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Location: http://www.novell.com/
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Thu, 29 Apr 2010 09:17:19 GMT

Labels:

How To-Best Practice
Comment List
Parents
  • The real place to make the change is in MENUS.JSP

    The other miss leading thing is there are the 'if (handler.isAuthenticatedSession() && handler.getUserName() != null)' is already in a set of 'if (handler.isAuthenticatedSession() && handler.getUserName() != null)' line.

    Second to make this work, you need to tell them to delete main_jsp.class and main_jsp.java from the work directory to force it to recreate the page into memory.

    I was then able to get this to work.
Comment
  • The real place to make the change is in MENUS.JSP

    The other miss leading thing is there are the 'if (handler.isAuthenticatedSession() && handler.getUserName() != null)' is already in a set of 'if (handler.isAuthenticatedSession() && handler.getUserName() != null)' line.

    Second to make this work, you need to tell them to delete main_jsp.class and main_jsp.java from the work directory to force it to recreate the page into memory.

    I was then able to get this to work.
Children
No Data
Related
Recommended

Resources

Support
Documentation
Learning Services
Partner Programs
Privacy
Compliance
Help
Company
Privacy Policy
Terms of Use
Accessibility
Anti-Slavery Statement
Support
Contact Us
Careers
Code of Business Conduct and Ethics
The opinions expressed above are the personal opinions of the authors, not of OpenText. By using this site, you accept the Terms of Use. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.), Hewlett Packard Enterprise Company, or Micro Focus. As of January 31, 2023, the Material is now offered by OpenText, a separately owned and operated company. Any reference to the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks is historical in nature and the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks are the property of their respective owners.