fartyalvikram
New Member.
2355 views

IDM User Application SSO using Microsoft AD FS

I want to do SSO on the IDM User Application using Microsoft Active Directory Federation Services.
For this I followed the below URL
https://www.netiq.com/documentation/netiqaccessmanager4/identityserverhelp/data/bycvqfh.html

Now when I hit the below URL, it redirects me to the AD FS login page
https://nam.demo.local/nidp/saml2/spsend?id=local-ad&sid=0
But when I enter my login credentials in the AD FS login page and hit Login, it redirects me to the below URL with the error "Error: HTTP 500 Internal Server Error" in the browser
https://nam.demo.local/nidp/saml2/spassertion_consumer

I also attached the NAM IDP logs.
I am using NAM Appliance 4.4, IDM 4.6 and Windows Server 2012 R2 Standard.
0 Likes
16 Replies
Knowledge Partner

Re: IDM User Application SSO using Microsoft AD FS

On 28-12-2017 1:14 AM, fartyalvikram wrote:
>
> I want to do SSO on IDM User Application using Microsoft Active
> Directory Federation Services.
> For this I followed the below URL
> https://www.netiq.com/documentation/netiqaccessmanager4/identityserverhelp/data/bycvqfh.html
>
> Now when I hit the below URL, they will redirect me to the AD FS Login
> Page
> https://nam.demo.local/nidp/saml2/spsend?id=local-ad&sid=0
> But when I entered login credentials inside AD FS Login Page and hit
> Login, they redirecting me to the below URL with error "Error: HTTP 500
> Internal Server Error" on browser
> https://nam.demo.local/nidp/saml2/spassertion_consumer
>
> I also attached NAM IDP Logs.
> I am using NAM Appliance 4.4, IDM 4.6 and Windows Server 2012 R2
> Standard.
>
>
> +----------------------------------------------------------------------+
> |Filename: idp_catalina.txt |
> |Download: https://forums.novell.com/attachment.php?attachmentid=6055 |
> +----------------------------------------------------------------------+
>


Looking at your logs I can see:

<amLogEntry> 2017-12-27T12:10:55Z SEVERE NIDS Application: java.lang.ClassCastException
java.lang.NullPointerException cannot be cast to com.novell.nidp.NIDPException
com.novell.nidp.saml2.profile.SAML2SSOProfile: y: A: 2,095
com.novell.nidp.saml2.profile.SAML2SSOProfile: y: processResponse: 2,138
com.novell.nidp.saml2.profile.SAML2SSOProfile: y: processResponse: 739
com.novell.nidp.saml2.profile.SAML2Profile: y: handleInBoundMessage: 2,803
com.novell.nidp.saml2.profile.SAML2SSOProfile: y: processResponse: 1,697
com.novell.nidp.saml2.SAML2Handler: y: A: 1,027
com.novell.nidp.saml2.SAML2Handler: y: handleRequest: 2,785

Not sure what exactly is causing that, but going by the SAML response doc I see:

<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
</samlp:Status>

There's no actual assertion present. I would check the AD FS logs to see what is causing that.


--
Cheers,
Edward
0 Likes
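The triage Edward does by hand above (read the Status code, notice there is no Assertion) can be scripted. This is an added example, not code from the thread, NAM or AD FS; the three sample responses are constructed to have the shape of the messages in this thread, and the hostnames are the ones the poster uses.

```python
"""Triage a SAML 2.0 samlp:Response: read the (possibly nested) StatusCode chain
and check whether an Assertion is actually present. Added example; not NAM,
AD FS or forum code. All sample messages below are constructed."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def triage_response(xml_text: str) -> dict:
    """Return issuer, InResponseTo, the status-code chain and assertion presence."""
    # Mirror the IDP's XML_PARSE_ALLOW_DTD=false setting seen in the log: a
    # DOCTYPE never belongs in a SAML message, so refuse it before parsing.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTD in SAML response refused")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError(f"not a samlp:Response: {root.tag}")
    # StatusCode elements nest: the top level is Success/Requester/Responder,
    # an optional inner one carries the reason, e.g. InvalidNameIDPolicy.
    codes = []
    node = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find(f"{{{SAMLP}}}StatusCode")
    encrypted = root.find(f"{{{SAML}}}EncryptedAssertion") is not None
    plain = root.find(f"{{{SAML}}}Assertion") is not None
    return {
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "in_response_to": root.get("InResponseTo"),
        "destination": root.get("Destination"),
        "status": codes,
        "success": bool(codes) and codes[0] == SUCCESS,
        "has_assertion": plain or encrypted,
        "encrypted": encrypted,
    }


def explain(result: dict) -> str:
    """One-line verdict saying which side's logs to open next."""
    status = result["status"]
    if not status:
        return "malformed: no Status element"
    top = status[0].rsplit(":", 1)[-1]
    detail = status[1].rsplit(":", 1)[-1] if len(status) > 1 else "no detail"
    if result["success"] and result["has_assertion"]:
        return "success: assertion present, continue with signature and condition checks"
    if top == "Responder":
        return f"IdP-side failure ({detail}): check the IdP (AD FS) event log"
    if top == "Requester":
        return f"IdP rejected the AuthnRequest ({detail}): check the SP request and metadata"
    return f"no usable assertion (status {top}/{detail})"


# Constructed sample shaped like the thread's first response: Responder, no assertion.
RESPONDER_NO_ASSERTION = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0"
    IssueInstant="2017-12-27T12:10:55Z" InResponseTo="_req1"
    Destination="https://nam.demo.local/nidp/saml2/spassertion_consumer">
  <Issuer xmlns="{SAML}">http://server.demo.local/adfs/services/trust</Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></samlp:Status>
</samlp:Response>"""

# Constructed sample shaped like the second response: Requester/InvalidNameIDPolicy.
REQUESTER_INVALID_NAMEID = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_r2" Version="2.0"
    IssueInstant="2017-12-28T12:57:30Z" InResponseTo="_req2"
    Destination="https://nam.demo.local/nidp/saml2/spassertion_consumer">
  <Issuer xmlns="{SAML}">http://server.demo.local/adfs/services/trust</Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
  </samlp:StatusCode></samlp:Status>
</samlp:Response>"""

# Constructed sample of a working exchange: Success plus an EncryptedAssertion
# (the CipherValue is a placeholder, not real XML-Enc output).
SUCCESS_ENCRYPTED = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r3"
    Version="2.0" IssueInstant="2017-12-28T13:00:00Z" InResponseTo="_req3"
    Destination="https://nam.demo.local/nidp/saml2/spassertion_consumer">
  <saml:Issuer>http://server.demo.local/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>"""

if __name__ == "__main__":
    for name, doc in [("responder", RESPONDER_NO_ASSERTION),
                      ("requester", REQUESTER_INVALID_NAMEID),
                      ("success", SUCCESS_ENCRYPTED)]:
        r = triage_response(doc)
        print(f"{name}: {r['status']} -> {explain(r)}")
```

Feed it the samlp:Response text copied from a "SAML2 POST message" trace entry in the NAM IDP log to get the same verdict without reading the XML by eye.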
fartyalvikram
New Member.

Re: IDM User Application SSO using Microsoft AD FS

AD FS logs are given below
Encountered error during federation passive request. 

Additional Data

Protocol Name:
Saml

Relying Party:
https://nam.demo.local/nidp/saml2/metadata

Exception details:
Microsoft.IdentityServer.Service.SecurityTokenService.RevocationValidationException: MSIS3014: The encryption certificate of the relying party trust 'https://nam.demo.local/nidp/saml2/metadata' identified by thumbprint '385EE37A7C24D089417734A8A8C4738308C278E7' is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted.
at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.EndIssue(IAsyncResult result)
at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)
at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
0 Likes
Knowledge Partner

Re: IDM User Application SSO using Microsoft AD FS

On 28-12-2017 9:54 PM, fartyalvikram wrote:
>
> AD FS logs are given below
>
> Code:
> --------------------
> Encountered error during federation passive request.
>
> Additional Data
>
> Protocol Name:
> Saml
>
> Relying Party:
> https://nam.demo.local/nidp/saml2/metadata
>
> Exception details:
> Microsoft.IdentityServer.Service.SecurityTokenService.RevocationValidationException: MSIS3014: The encryption certificate of the relying party trust 'https://nam.demo.local/nidp/saml2/metadata' identified by thumbprint '385EE37A7C24D089417734A8A8C4738308C278E7' is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted.



Well...that's a pretty obvious issue. My suggestion is that you fix that first.


--
Cheers,
Edward
0 Likes
fartyalvikram
New Member.

Re: IDM User Application SSO using Microsoft AD FS

Thanks for your reply.
I just want to know whether I am on the right track and whether IDM User Application SSO using Microsoft AD FS is possible.
Now I am getting the below error in the AD FS logs
The SAML authentication request had a NameID Policy that could not be satisfied. 
Requestor: https://nam.demo.local/nidp/saml2/metadata
Name identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
SPNameQualifier: https://nam.demo.local/nidp/saml2/metadata
Exception details:
MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: False Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: https://nam.demo.local/nidp/saml2/metadata. Actual NameID properties: Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient, NameQualifier: SPNameQualifier: , SPProvidedId: .

This request failed.

User Action
Use the AD FS Management snap-in to configure the configuration that emits the required name identifier.


Encountered error during federation passive request.

Additional Data

Protocol Name:
Saml

Relying Party:
https://nam.demo.local/nidp/saml2/metadata

Exception details:
Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: False Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: https://nam.demo.local/nidp/saml2/metadata. Actual NameID properties: Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient, NameQualifier: SPNameQualifier: , SPProvidedId: .
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)


IDP Logs are given below
<amLogEntry> 2017-12-28T12:58:04Z DEBUG NIDS Application: 
Method: NIDPProxyableServlet.myDoGetWithProxy
Thread: ajp-bio-127.0.0.1-9019-exec-19
****** HttpServletRequest Information:
Method: POST
Scheme: https
Context Path: /nidp
Servlet Path: /saml2
Query String: null
Path Info: /spassertion_consumer
Server Name: nam.demo.local
Server Port: 443
Content Length: 3831
Content Type: application/x-www-form-urlencoded
Auth Type: null
Request URL: https://nam.demo.local/nidp/saml2/spassertion_consumer
Host IP Address: 192.168.1.197
Remote Client IP Address: 192.168.1.84
Cookie: (0 of 1): JSESSIONID, z9ZHBbCSJ1nuxj+aqhWK/IP4zeIpJKC+1TU415dYxBg=
Header: Name: host, Value: nam.demo.local
Header: Name: user-agent, Value: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Header: Name: accept, Value: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Header: Name: accept-language, Value: en-US,en;q=0.5
Header: Name: accept-encoding, Value: gzip, br
Header: Name: referer, Value: https://server.demo.local:444/adfs/ls/
Header: Name: content-type, Value: application/x-www-form-urlencoded
Header: Name: content-length, Value: 3831
Header: Name: DNT, Value: 1
Header: Name: connection, Value: keep-alive
Header: Name: Upgrade-Insecure-Requests, Value: 1
Header: Name: Via, Value: 1.1 nam.demo.local (Access Gateway-ag-AF05FE6544A72488-296)
Session Id: z9ZHBbCSJ1nuxj+aqhWK/IP4zeIpJKC+1TU415dYxBg=
Session Last Accessed Time: 1514465869143
</amLogEntry>

<amLogEntry> 2017-12-28T12:58:04Z DEBUG NIDS Application:
Method: CacheMap.A
Thread: ajp-bio-127.0.0.1-9019-exec-19

Retrieval of object com.novell.nidp.servlets.NIDPServletSession@6a6b0788 from cache session succeeded using key z9ZHBbCSJ1nuxj+aqhWK/IP4zeIpJKC+1TU415dYxBg=. Cache size is 4
</amLogEntry>

<amLogEntry> 2017-12-28T12:58:04Z DEBUG NIDS Application:
Method: CacheMap.A
Thread: ajp-bio-127.0.0.1-9019-exec-19

Retrieval of object com.novell.nidp.servlets.NIDPServletSession@6a6b0788 from cache session succeeded using key z9ZHBbCSJ1nuxj+aqhWK/IP4zeIpJKC+1TU415dYxBg=. Cache size is 4
</amLogEntry>

<amLogEntry> 2017-12-28T12:58:04Z VERBOSE NIDS Application: Session has consumed authentications: false </amLogEntry>

<amLogEntry> 2017-12-28T12:58:04Z DEBUG NIDS Application: AM#600105011: AMDEVICEID#6CF8D8AFC3EC4E16: AMAUTHID#8niLkLSz/o3g/Ipxji7bLm0/qz5ypHi7FwFF8A01qv4=: SP saml2 handler to process request received for /nidp/saml2 </amLogEntry>

<amLogEntry> 2017-12-28T12:58:04Z DEBUG NIDS Application:
Method: CacheMap.A
Thread: ajp-bio-127.0.0.1-9019-exec-19

Retrieval of object com.novell.nidp.servlets.NIDPServletSession@6a6b0788 from cache session succeeded using key z9ZHBbCSJ1nuxj+aqhWK/IP4zeIpJKC+1TU415dYxBg=. Cache size is 4
</amLogEntry>

<amLogEntry> 2017-12-28T12:58:04Z VERBOSE NIDS Application: Session has consumed authentications: false </amLogEntry>

<amLogEntry> 2017-12-28T12:58:04Z DEBUG NIDS SAML2:
Method: SAML2SSOProfile.processResponse
Thread: ajp-bio-127.0.0.1-9019-exec-19
Received assertion consumer response </amLogEntry>

<amLogEntry> 2017-12-28T12:58:04Z DEBUG NIDS Application:
Method: NIDPContext.getRelayStateDecode
Thread: ajp-bio-127.0.0.1-9019-exec-19
Property read from local file --------> Property:decodeRelayStateParam Value: false </amLogEntry>

<amLogEntry> 2017-12-28T12:58:04Z VERBOSE NIDS Application: Input param url: MA== :: web.xml param value to decode: false </amLogEntry>

<amLogEntry> 2017-12-28T12:58:04Z DEBUG NIDS Application:
Method: NIDPContext.getRelayStateDecode
Thread: ajp-bio-127.0.0.1-9019-exec-19
Property read from local file --------> Property:decodeRelayStateParam Value: false </amLogEntry>

<amLogEntry> 2017-12-28T12:58:04Z DEBUG NIDS Application:
Method: NIDPLocalConfigUtil.isPostInFlate
Thread: ajp-bio-127.0.0.1-9019-exec-19
Property read from local file --------> Property:IS_SAML2_POST_INFLATE Value: false </amLogEntry>

<amLogEntry> 2017-12-28T12:58:04Z DEBUG NIDS SAML2:
Method: SAML2Profile.handleInBoundMessage
Thread: ajp-bio-127.0.0.1-9019-exec-19
InBound POST message was NOT inflated. </amLogEntry>

<amLogEntry> 2017-12-28T12:58:04Z DEBUG NIDS SAML2:
Method: SAML2Profile.traceMessage
Thread: ajp-bio-127.0.0.1-9019-exec-19


************************* SAML2 POST message ********************************

Type: received
RelayState: MA==
<samlp:Response ID="_6a201a18-57e3-4b8a-b1c8-a037f351bd99" Version="2.0" IssueInstant="2017-12-28T12:57:30.630Z" Destination="https://nam.demo.local/nidp/saml2/spassertion_consumer" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="idL0vY6llGAvVKJlei7rpRmSr6ghA" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://server.demo.local/adfs/services/trust</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_6a201a18-57e3-4b8a-b1c8-a037f351bd99"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>uoIrNPjTZRwcXmLDbuiCKd1meAjM4AjmeHGWGEvAS0s=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>dgTb1De63AH3efjzWuGlhftOfC/dD2C0IYMufPWErCvh4BjDqO0QifJDmYPC+yj7VqUHgsJztfnugpROv9vqMGmyDmomyslsOzhZ8cZfxj/QQNsLhperQ4+qdP+5mYotfQiPkk0h6kJX2Ll9EHvbTqWiWs4UR7+wEgpf2wd5uW0/t6PPw391oSZuOMAyLl30ns12gr2ZQJJBzfQpUWxxA9zUfW6+tWz/bRHKDoxGZTof7i3/lOjNNmve2y5MgobGZIU+4g0gf2RWQ8EAuzLpRyupbJDL+jp6XyGqrz7plUJxXc6qePIPJhpGxFIwolv9F4qG6+Kr8IwSYKSMSNiutQ==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>[certificate omitted]</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" /></samlp:StatusCode></samlp:Status></samlp:Response>
************************* End SAML2 message ****************************

</amLogEntry>

<amLogEntry> 2017-12-28T12:58:04Z DEBUG NIDS Application:
Method: NIDPLocalConfigUtil.isOptionConfigured
Thread: ajp-bio-127.0.0.1-9019-exec-19
Property read from local file --------> Property:XML_PARSE_ALLOW_DTD Value: false </amLogEntry>

<amLogEntry> 2017-12-28T12:58:04Z DEBUG NIDS Application:
Method: XMLSignable.logEncryptInfo
Thread: ajp-bio-127.0.0.1-9019-exec-19
Encrypted element [[urn:oasis:names:tc:SAML:2.0:assertion-saml-EncryptedAssertion]s (0)] was decrypted using encryption cert [CN=nam.demo.local] having serial no [195201359136186715809004302038146380038484452339] </amLogEntry>

<amLogEntry> 2017-12-28T12:58:04Z DEBUG NIDS SAML2:
Method: SAML2Profile.A
Thread: ajp-bio-127.0.0.1-9019-exec-19
Processing artifact for pre-brokering, provider= http://server.demo.local/adfs/services/trust and relayState = MA== </amLogEntry>

<amLogEntry> 2017-12-28T12:58:04Z DEBUG NIDS SAML2:
Method: SAML2Profile.A
Thread: ajp-bio-127.0.0.1-9019-exec-19
Relaystate does not have Intersite Transfer request.. no brokering policy enforcement is needed </amLogEntry>

<amLogEntry> 2017-12-28T12:58:04Z DEBUG NIDS Application:
Method: IDPAuthenticationHandler.handleAuthentication
Thread: ajp-bio-127.0.0.1-9019-exec-19
Was authnResponse verified: No </amLogEntry>

<amLogEntry> 2017-12-28T12:58:04Z VERBOSE NIDS Application: IDP response failed to authenticate: urn:oasis:names:tc:SAML:2.0:status:Requester->urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy </amLogEntry>

<amLogEntry> 2017-12-28T12:58:04Z INFO NIDS Application: AM#500105039: AMDEVICEID#6CF8D8AFC3EC4E16: AMAUTHID#8niLkLSz/o3g/Ipxji7bLm0/qz5ypHi7FwFF8A01qv4=: Error on session id z9ZHBbCSJ1nuxj+aqhWK/IP4zeIpJKC+1TU415dYxBg=, error 300101008-6CF8D8AFC3EC4E16, An Identity Provider response was received that failed to authenticate this session.:No assertion returned in response:null </amLogEntry>

0 Likes
Knowledge Partner

Re: IDM User Application SSO using Microsoft AD FS

On 29-12-2017 12:24 AM, fartyalvikram wrote:
>
> Thanks for your reply.
> Now I am getting the below Error on AD FS Logs
>
> Code:
> --------------------
> The SAML authentication request had a NameID Policy that could not be satisfied.
> Requestor: https://nam.demo.local/nidp/saml2/metadata
> Name identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
> SPNameQualifier: https://nam.demo.local/nidp/saml2/metadata
> Exception details:
> MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: False Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: https://nam.demo.local/nidp/saml2/metadata. Actual NameID properties: Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient, NameQualifier: SPNameQualifier: , SPProvidedId: .
>
> This request failed.
>
> User Action
> Use the AD FS Management snap-in to configure the configuration that emits the required name identifier.
>
>
> Encountered error during federation passive request.
>
> Additional Data
>
> Protocol Name:
> Saml
>
> Relying Party:
> https://nam.demo.local/nidp/saml2/metadata
>
> Exception details:
> Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: False Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: https://nam.demo.local/nidp/saml2/metadata. Actual NameID properties: Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient, NameQualifier: SPNameQualifier: , SPProvidedId: .
> at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
> at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
> at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
> at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
> at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
> at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
> at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
> --------------------
>


To fix that you want to create a custom claim rule for the SP in ADFS with the following code:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(
      Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
      Issuer = c.Issuer,
      OriginalIssuer = c.OriginalIssuer,
      Value = c.Value,
      ValueType = c.ValueType,
      Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
      Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https://appliance.site.com/nidp/saml2/metadata"
    );

Obviously replace the appropriate content with whatever applies to your environment. For the above rule to fire, the email address needs to be populated in
AD (which is a mandatory attribute in AD from memory).




--
Cheers,
Edward
0 Likes
fartyalvikram
New Member.

Re: IDM User Application SSO using Microsoft AD FS

I created a custom rule as you suggested inside AD FS
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https://nam.demo.local/nidp/saml2/metadata");

But I am getting the same error; the AD FS logs are given below
Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: False Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: https://nam.demo.local/nidp/saml2/metadata. Actual NameID properties: null.
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)

Unable to issue a token.

Exception: MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: False Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: https://nam.demo.local/nidp/saml2/metadata. Actual NameID properties: null.
StackTrace: at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

IDP logs are given below:
<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS Application: 
Method: NIDPProxyableServlet.myDoGetWithProxy
Thread: ajp-bio-127.0.0.1-9019-exec-10
****** HttpServletRequest Information:
Method: GET
Scheme: https
Context Path: /nidp
Servlet Path: /saml2
Query String: id=local-ad&sid=0&target=https%3A//userapp.demo.local/
Path Info: /spsend
Server Name: nam.demo.local
Server Port: 443
Content Length: -1
Content Type: null
Auth Type: null
Request URL: https://nam.demo.local/nidp/saml2/spsend
Host IP Address: 192.168.1.197
Remote Client IP Address: 192.168.1.84
Cookie: (0 of 1): JSESSIONID, miQ/m8LovpxvHRmFqisOzRT65r+kVSEeke+Q5bDenrY=
Header: Name: host, Value: nam.demo.local
Header: Name: user-agent, Value: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Header: Name: accept, Value: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Header: Name: accept-language, Value: en-US,en;q=0.5
Header: Name: accept-encoding, Value: gzip, br
Header: Name: referer, Value: https://nam.demo.local/nidp/idff/sso?RequestID=idf6JddRG6_Z0UmdPhH3fV99COn10&MajorVersion=1&MinorVersion=2&IssueInstant=2017-12-29T09%3A51%3A08Z&ProviderID=https%3A%2F%2Fnam.demo.local%3A443%2Fnesp%2Fidff%2Fmetadata&RelayState=MA%3D%3D&consent=urn%3Aliberty%3Aconsent%3Aunavailable&agAppNa=userapp&ForceAuthn=false&IsPassive=false&NameIDPolicy=onetime&ProtocolProfile=http%3A%2F%2Fprojectliberty.org%2Fprofiles%2Fbrws-art&target=https%3A%2F%2Fuserapp.demo.local%2F&AuthnContextStatementRef=%2Furi%2Fanyauthentication
Header: Name: DNT, Value: 1
Header: Name: connection, Value: keep-alive
Header: Name: Upgrade-Insecure-Requests, Value: 1
Header: Name: Via, Value: 1.1 nam.demo.local (Access Gateway-ag-AF05FE6544A72488-697)
Session Id: miQ/m8LovpxvHRmFqisOzRT65r+kVSEeke+Q5bDenrY=
Session Last Accessed Time: 1514541069638
</amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS Application:
Method: CacheMap.A
Thread: ajp-bio-127.0.0.1-9019-exec-10

Retrieval of object com.novell.nidp.servlets.NIDPServletSession@398ce7cb from cache session succeeded using key miQ/m8LovpxvHRmFqisOzRT65r+kVSEeke+Q5bDenrY=. Cache size is 1
</amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS Application:
Method: CacheMap.A
Thread: ajp-bio-127.0.0.1-9019-exec-10

Retrieval of object com.novell.nidp.servlets.NIDPServletSession@398ce7cb from cache session succeeded using key miQ/m8LovpxvHRmFqisOzRT65r+kVSEeke+Q5bDenrY=. Cache size is 1
</amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z VERBOSE NIDS Application: Session has consumed authentications: false </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS Application: AM#600105011: AMDEVICEID#6CF8D8AFC3EC4E16: AMAUTHID#+4lF3efCisE6M0qbbI2pflJHEUYMSSjmC3DqxYlelZw=: SP saml2 handler to process request received for /nidp/saml2 </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS Application:
Method: CacheMap.A
Thread: ajp-bio-127.0.0.1-9019-exec-10

Retrieval of object com.novell.nidp.servlets.NIDPServletSession@398ce7cb from cache session succeeded using key miQ/m8LovpxvHRmFqisOzRT65r+kVSEeke+Q5bDenrY=. Cache size is 1
</amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z VERBOSE NIDS Application: Session has consumed authentications: false </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS SAML2:
Method: SAML2SSOProfile.A
Thread: ajp-bio-127.0.0.1-9019-exec-10
SAML_ASSERTION_INCLUDE_MILLISECS -null </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS SAML2:
Method: SAML2Utils.getOptionValue
Thread: ajp-bio-127.0.0.1-9019-exec-10
SAML2_CHANGE_ISSUER is not configured as service provider's ui option </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS SAML2:
Method: SAML2Utils.isOptionConfigured
Thread: ajp-bio-127.0.0.1-9019-exec-10
SAML2_AVOID_NAMEIDPOLICY is not configured as service provider's ui option </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS Application:
Method: NIDPLocalConfigUtil.getSaml2TPValueBoolean
Thread: ajp-bio-127.0.0.1-9019-exec-10
[nidpconfig.properties] Options - http://server.demo.local/adfs/services/trust->SAML2_AVOID_NAMEIDPOLICY value returned: false </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS SAML2:
Method: SAML2IDPAuthenticationCard.getRequestContext
Thread: ajp-bio-127.0.0.1-9019-exec-10
The authn context type is either not defined or does not have any authn contracts or authn classes. </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS SAML2:
Method: SAML2Utils.isOptionConfigured
Thread: ajp-bio-127.0.0.1-9019-exec-10
SAML2_AVOID_PROXYCOUNT is not configured as service provider's ui option </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS Application:
Method: NIDPLocalConfigUtil.getSaml2TPValueBoolean
Thread: ajp-bio-127.0.0.1-9019-exec-10
[nidpconfig.properties] Options - http://server.demo.local/adfs/services/trust->SAML2_AVOID_PROXYCOUNT value returned: false </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS SAML2:
Method: SAML2Utils.isOptionConfigured
Thread: ajp-bio-127.0.0.1-9019-exec-10
SAML2_AVOID_PROXYCOUNT is not configured as service provider's ui option </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS Application:
Method: NIDPLocalConfigUtil.getSaml2TPValueBoolean
Thread: ajp-bio-127.0.0.1-9019-exec-10
[nidpconfig.properties] Options - http://server.demo.local/adfs/services/trust->SAML2_AVOID_PROXYCOUNT value returned: false </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS SAML2:
Method: SAML2Utils.isOptionConfigured
Thread: ajp-bio-127.0.0.1-9019-exec-10
SAML2_REQUEST_IGNORE_AUTHNCONTEXT is not configured as service provider's ui option </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS Application:
Method: NIDPLocalConfigUtil.getSaml2TPValueBoolean
Thread: ajp-bio-127.0.0.1-9019-exec-10
[nidpconfig.properties] Options - http://server.demo.local/adfs/services/trust->SAML2_REQUEST_IGNORE_AUTHNCONTEXT value returned: false </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS SAML2:
Method: SAML2Utils.isOptionConfigured
Thread: ajp-bio-127.0.0.1-9019-exec-10
SAML2_REQUEST_IGNORE_AUTHNCONTEXT is not configured as service provider's ui option </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS Application:
Method: NIDPLocalConfigUtil.getSaml2TPValueBoolean
Thread: ajp-bio-127.0.0.1-9019-exec-10
[nidpconfig.properties] Options - http://server.demo.local/adfs/services/trust->SAML2_REQUEST_IGNORE_AUTHNCONTEXT value returned: false </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z VERBOSE NIDS SAML2: Processing SAML2 SSO request
//////////////////////////////////////////////////////////////
/ SAML2 AuthnRequest
/ Card Name: federation-ad
/ Profile: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
/ Name ID Request:
<samlp:NameIDPolicy(urn:oasis:names:tc:SAML:2.0:protocol)>:
/ Is Passive: false
/ Is Intro : false
/ Is refresh: false
/ Force Authentication: false
/ Affilation ID: null
/ Contract URI: null
/ Target: https://userapp.demo.local/
//////////////////////////////////////////////////////////////
</amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS SAML2:
Method: SAML2Utils.isOptionConfigured
Thread: ajp-bio-127.0.0.1-9019-exec-10
SAML2_AVOID_ISPASSIVE is not configured as service provider's ui option </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS Application:
Method: NIDPLocalConfigUtil.getSaml2TPValueBoolean
Thread: ajp-bio-127.0.0.1-9019-exec-10
[nidpconfig.properties] Options - http://server.demo.local/adfs/services/trust->SAML2_AVOID_ISPASSIVE value returned: false </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS SAML2:
Method: SAML2Utils.isOptionConfigured
Thread: ajp-bio-127.0.0.1-9019-exec-10
SAML2_AVOID_PROTOCOLBINDING is not configured as service provider's ui option </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS Application:
Method: NIDPLocalConfigUtil.getSaml2TPValueBoolean
Thread: ajp-bio-127.0.0.1-9019-exec-10
[nidpconfig.properties] Options - http://server.demo.local/adfs/services/trust->SAML2_AVOID_PROTOCOLBINDING value returned: false </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS Application:
Method: NIDPLocalConfigUtil.isOptionConfigured
Thread: ajp-bio-127.0.0.1-9019-exec-10
Property read from local file --------> Property:SAML2_ISSUER_NAMEQUALIFIER Value: false </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS Application:
Method: NIDPLocalConfigUtil.isOptionConfigured
Thread: ajp-bio-127.0.0.1-9019-exec-10
Property read from local file --------> Property:SAML2_ISSUER_FORMAT Value: false </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS SAML2:
Method: SAML2Utils.isOptionConfigured
Thread: ajp-bio-127.0.0.1-9019-exec-10
SAML2_NAMEIDPOLICY_ALLOWCREATE is not configured as service provider's ui option </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS Application:
Method: NIDPLocalConfigUtil.getSaml2TPValueBoolean
Thread: ajp-bio-127.0.0.1-9019-exec-10
[nidpconfig.properties] Options - http://server.demo.local/adfs/services/trust->SAML2_NAMEIDPOLICY_ALLOWCREATE value returned: false </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS SAML2:
Method: SAML2Utils.isOptionConfigured
Thread: ajp-bio-127.0.0.1-9019-exec-10
SAML2_REQUEST_IGNORE_AUTHNCONTEXT is not configured as service provider's ui option </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS Application:
Method: NIDPLocalConfigUtil.getSaml2TPValueBoolean
Thread: ajp-bio-127.0.0.1-9019-exec-10
[nidpconfig.properties] Options - http://server.demo.local/adfs/services/trust->SAML2_REQUEST_IGNORE_AUTHNCONTEXT value returned: false </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS Application:
Method: NIDPLocalConfigUtil.getSaml2TPValueBoolean
Thread: ajp-bio-127.0.0.1-9019-exec-10
[nidpconfig.properties] Options - ->SAML2_RESPONSE_AVOID_REMOVE_EXTRANEOUS_NAMESPACES value returned: false </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS Application:
Method: NIDPLocalConfigUtil.isPostDeFlate
Thread: ajp-bio-127.0.0.1-9019-exec-10
Property read from local file --------> Property:SAML2_POST_DEFLATE_TRUSTEDPROVIDERS Value: false Trusted Provider:http://server.demo.local/adfs/services/trust </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS SAML2:
Method: SAML2Profile.sendMessage
Thread: ajp-bio-127.0.0.1-9019-exec-10
Outbound POST message was NOT deflated for the TARGET with Provider ID: 'http://server.demo.local/adfs/services/trust' </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS Application:
Method: NIDPServletContext.goJSP
Thread: ajp-bio-127.0.0.1-9019-exec-10
Forwarding to JSP: /jsp/saml2post.jsp </amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS SAML2:
Method: SAML2Profile.traceMessage
Thread: ajp-bio-127.0.0.1-9019-exec-10


************************* SAML2 POST message ********************************

Type: sent
Sent to: https://server.demo.local:444/adfs/ls/ RelayState: MA==
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable" ForceAuthn="false" ID="idTueR_tnsEkUvdewKApAq9wAeG3w" IsPassive="false" IssueInstant="2017-12-29T09:51:40Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer>https://nam.demo.local/nidp/saml2/metadata</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="https://nam.demo.local/nidp/saml2/metadata"/></samlp:AuthnRequest>
************************* End SAML2 message ****************************

</amLogEntry>

<amLogEntry> 2017-12-29T09:51:40Z DEBUG NIDS Application:
Method: CacheMap.A
Thread: ajp-bio-127.0.0.1-9019-exec-10

Retrieval of object com.novell.nidp.servlets.NIDPServletSession@398ce7cb from cache session succeeded using key miQ/m8LovpxvHRmFqisOzRT65r+kVSEeke+Q5bDenrY=. Cache size is 1
</amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: NIDPProxyableServlet.myDoGetWithProxy
Thread: ajp-bio-127.0.0.1-9019-exec-10
****** HttpServletRequest Information:
Method: POST
Scheme: https
Context Path: /nidp
Servlet Path: /saml2
Query String: null
Path Info: /spassertion_consumer
Server Name: nam.demo.local
Server Port: 443
Content Length: 3831
Content Type: application/x-www-form-urlencoded
Auth Type: null
Request URL: https://nam.demo.local/nidp/saml2/spassertion_consumer
Host IP Address: 192.168.1.197
Remote Client IP Address: 192.168.1.84
Cookie: (0 of 1): JSESSIONID, miQ/m8LovpxvHRmFqisOzRT65r+kVSEeke+Q5bDenrY=
Header: Name: host, Value: nam.demo.local
Header: Name: user-agent, Value: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Header: Name: accept, Value: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Header: Name: accept-language, Value: en-US,en;q=0.5
Header: Name: accept-encoding, Value: gzip, br
Header: Name: referer, Value: https://server.demo.local:444/adfs/ls/
Header: Name: content-type, Value: application/x-www-form-urlencoded
Header: Name: content-length, Value: 3831
Header: Name: DNT, Value: 1
Header: Name: connection, Value: keep-alive
Header: Name: Upgrade-Insecure-Requests, Value: 1
Header: Name: Via, Value: 1.1 nam.demo.local (Access Gateway-ag-AF05FE6544A72488-699)
Session Id: miQ/m8LovpxvHRmFqisOzRT65r+kVSEeke+Q5bDenrY=
Session Last Accessed Time: 1514541100235
</amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: CacheMap.A
Thread: ajp-bio-127.0.0.1-9019-exec-10

Retrieval of object com.novell.nidp.servlets.NIDPServletSession@398ce7cb from cache session succeeded using key miQ/m8LovpxvHRmFqisOzRT65r+kVSEeke+Q5bDenrY=. Cache size is 1
</amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: CacheMap.A
Thread: ajp-bio-127.0.0.1-9019-exec-10

Retrieval of object com.novell.nidp.servlets.NIDPServletSession@398ce7cb from cache session succeeded using key miQ/m8LovpxvHRmFqisOzRT65r+kVSEeke+Q5bDenrY=. Cache size is 1
</amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z VERBOSE NIDS Application: Session has consumed authentications: false </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application: AM#600105011: AMDEVICEID#6CF8D8AFC3EC4E16: AMAUTHID#+4lF3efCisE6M0qbbI2pflJHEUYMSSjmC3DqxYlelZw=: SP saml2 handler to process request received for /nidp/saml2 </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: CacheMap.A
Thread: ajp-bio-127.0.0.1-9019-exec-10

Retrieval of object com.novell.nidp.servlets.NIDPServletSession@398ce7cb from cache session succeeded using key miQ/m8LovpxvHRmFqisOzRT65r+kVSEeke+Q5bDenrY=. Cache size is 1
</amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z VERBOSE NIDS Application: Session has consumed authentications: false </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS SAML2:
Method: SAML2SSOProfile.processResponse
Thread: ajp-bio-127.0.0.1-9019-exec-10
Received assertion consumer response </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: NIDPContext.getRelayStateDecode
Thread: ajp-bio-127.0.0.1-9019-exec-10
Property read from local file --------> Property:decodeRelayStateParam Value: false </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z VERBOSE NIDS Application: Input param url: MA== :: web.xml param value to decode: false </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: NIDPContext.getRelayStateDecode
Thread: ajp-bio-127.0.0.1-9019-exec-10
Property read from local file --------> Property:decodeRelayStateParam Value: false </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: NIDPLocalConfigUtil.isPostInFlate
Thread: ajp-bio-127.0.0.1-9019-exec-10
Property read from local file --------> Property:IS_SAML2_POST_INFLATE Value: false </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS SAML2:
Method: SAML2Profile.handleInBoundMessage
Thread: ajp-bio-127.0.0.1-9019-exec-10
InBound POST message was NOT inflated. </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS SAML2:
Method: SAML2Profile.traceMessage
Thread: ajp-bio-127.0.0.1-9019-exec-10


************************* SAML2 POST message ********************************

Type: received
RelayState: MA==
<samlp:Response ID="_82f95d9e-8026-415e-a8aa-f74eb07d8a0e" Version="2.0" IssueInstant="2017-12-29T09:51:11.053Z" Destination="https://nam.demo.local/nidp/saml2/spassertion_consumer" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="idTueR_tnsEkUvdewKApAq9wAeG3w" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://server.demo.local/adfs/services/trust</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_82f95d9e-8026-415e-a8aa-f74eb07d8a0e"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>/0XUqQTMlB1Yh5sfydXA2lSiyZgsjolLhZFOHX3kZus=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ldIDlwOGbFkvm2/hSkjUb0eJRiGuuGQJTJlM7mXUj/7zUp9R1+Kt/eLqPo60/9i7m0QOp3mYEx9negRvM2gY7HahOAdRQ9JJdCeP6Np6YMF711mCcbb73sHojtSO+afnWZupRJd1GSfXJLN5gdbI27QvFvH2THe15Dr8SxT5fwk2RaxBtPYl9Nb95xKfwJas1x0xx1zjNB5oab1q3boLVrp6h0qF8cYe/j+DvjPn09FG1zf2Q8H6C1HXh5kmsXCvep9w53NAlsJ78h4OsJIjWAw1CbfZ61n0SbbY64+hUK2fU/cC5K0SV8Sb+bZMZzPYs3+OnuYsGjJkisSPckGx/g==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>[X509 certificate omitted]</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" /></samlp:StatusCode></samlp:Status></samlp:Response>
************************* End SAML2 message ****************************

</amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: NIDPLocalConfigUtil.isOptionConfigured
Thread: ajp-bio-127.0.0.1-9019-exec-10
Property read from local file --------> Property:XML_PARSE_ALLOW_DTD Value: false </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: XMLSignable.logEncryptInfo
Thread: ajp-bio-127.0.0.1-9019-exec-10
Encrypted element [[urn:oasis:names:tc:SAML:2.0:assertion-saml-EncryptedAssertion]s (0)] was decrypted using encryption cert [CN=nam.demo.local] having serial no [195201359136186715809004302038146380038484452339] </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS SAML2:
Method: SAML2Profile.A
Thread: ajp-bio-127.0.0.1-9019-exec-10
Processing artifact for pre-brokering, provider= http://server.demo.local/adfs/services/trust and relayState = MA== </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS SAML2:
Method: SAML2Profile.A
Thread: ajp-bio-127.0.0.1-9019-exec-10
Relaystate does not have Intersite Transfer request.. no brokering policy enforcement is needed </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: IDPAuthenticationHandler.handleAuthentication
Thread: ajp-bio-127.0.0.1-9019-exec-10
Was authnResponse verified: No </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z VERBOSE NIDS Application: IDP response failed to authenticate: urn:oasis:names:tc:SAML:2.0:status:Requester->urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z INFO NIDS Application: AM#500105039: AMDEVICEID#6CF8D8AFC3EC4E16: AMAUTHID#+4lF3efCisE6M0qbbI2pflJHEUYMSSjmC3DqxYlelZw=: Error on session id miQ/m8LovpxvHRmFqisOzRT65r+kVSEeke+Q5bDenrY=, error 300101008-6CF8D8AFC3EC4E16, An Identity Provider response was received that failed to authenticate this session.:No assertion returned in response:null </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS IDFF:
Method: LibertySSOProfile.processAuthnRequest
Thread: ajp-bio-127.0.0.1-9019-exec-10
Process Liberty AuthnRequest </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z INFO NIDS Application: AM#500105016: AMDEVICEID#6CF8D8AFC3EC4E16: AMAUTHID#+4lF3efCisE6M0qbbI2pflJHEUYMSSjmC3DqxYlelZw=: Processing login resulting from Service Provider authentication request. </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z VERBOSE NIDS Application: Session has consumed authentications: false </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z INFO NIDS Application: AM#500105009: AMDEVICEID#6CF8D8AFC3EC4E16: AMAUTHID#+4lF3efCisE6M0qbbI2pflJHEUYMSSjmC3DqxYlelZw=: Executing contract Name/Password - Form. </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z VERBOSE NIDS Application: Session has consumed authentications: false </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z VERBOSE NIDS Application: Session has consumed authentications: false </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z VERBOSE NIDS Application: Session has consumed authentications: false </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z VERBOSE NIDS Application: Executing authentication method Name/Password - Form </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: PageToShow.addAttribute
Thread: ajp-bio-127.0.0.1-9019-exec-10
Attribute added to page [login] is [url]=[https://nam.demo.local/nidp/idff/sso?sid=0]. </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: PageToShow.addAttribute
Thread: ajp-bio-127.0.0.1-9019-exec-10
Attribute added to page [login] is [target]=[https://userapp.demo.local/]. </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z VERBOSE NIDS Application: Authentication method Name/Password - Form requires additional interaction. </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: PageToShow.addAttribute
Thread: ajp-bio-127.0.0.1-9019-exec-10
Attribute added to page [login] is [url]=[https://nam.demo.local/nidp/idff/sso?sid=0&sid=0]. </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: ContractExecutionState.exec
Thread: ajp-bio-127.0.0.1-9019-exec-10
Just returned from call to doContract():
Status: SHOW_PAGE
Contract: Name/Password - Form
Contract Authentication Card: com.novell.nidp.authentication.card.LocalAuthenticationCard@5d62e186
Contract Authentication Card Id: 7
Auth Class: com.novell.nidp.authentication.local.PasswordClass
Auth Class Page to Show: login
Request Param: option: null
</amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: PageToShow.addAttribute
Thread: ajp-bio-127.0.0.1-9019-exec-10
Attribute added to page [main] is [id]=[7]. </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: NIDPServletContext.goJSP
Thread: ajp-bio-127.0.0.1-9019-exec-10
Forwarding to JSP: /jsp/main.jsp </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: CacheMap.A
Thread: ajp-bio-127.0.0.1-9019-exec-10

Retrieval of object com.novell.nidp.servlets.NIDPServletSession@398ce7cb from cache session succeeded using key miQ/m8LovpxvHRmFqisOzRT65r+kVSEeke+Q5bDenrY=. Cache size is 1
</amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: CacheMap.A
Thread: ajp-bio-127.0.0.1-9019-exec-10

Retrieval of object com.novell.nidp.servlets.NIDPServletSession@398ce7cb from cache session succeeded using key miQ/m8LovpxvHRmFqisOzRT65r+kVSEeke+Q5bDenrY=. Cache size is 1
</amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: NIDPResourceManager.A
Thread: ajp-bio-127.0.0.1-9019-exec-10
Locale: en_US mapped to directory en </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: NIDPResourceManager.A
Thread: ajp-bio-127.0.0.1-9019-exec-10
Locale: en_US mapped to directory en </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: CacheMap.A
Thread: ajp-bio-127.0.0.1-9019-exec-10

Retrieval of object com.novell.nidp.servlets.NIDPServletSession@398ce7cb from cache session succeeded using key miQ/m8LovpxvHRmFqisOzRT65r+kVSEeke+Q5bDenrY=. Cache size is 1
</amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: CacheMap.A
Thread: ajp-bio-127.0.0.1-9019-exec-10

Retrieval of object com.novell.nidp.servlets.NIDPServletSession@398ce7cb from cache session succeeded using key miQ/m8LovpxvHRmFqisOzRT65r+kVSEeke+Q5bDenrY=. Cache size is 1
</amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: LDAPAuthority.getObjectByDn
Thread: ajp-bio-127.0.0.1-9019-exec-10
dn = cn=mobileAccess,cn=SCCpqaf3f,ou=idpClusters,o=amSystem </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: LDAPAuthority.getObjectByDn
Thread: ajp-bio-127.0.0.1-9019-exec-10
dn1 = cn=mobileAccess,cn=SCCpqaf3f,ou=idpClusters,o=amSystem </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: ajp-bio-127.0.0.1-9019-exec-10
Target object dn: cn=mobileAccess,cn=SCCpqaf3f,ou=idpClusters,o=amSystem
Acting as: ou=nidsUser,ou=UsersContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell
Attrs: null or zero! </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: ajp-bio-127.0.0.1-9019-exec-10
getNextConnection() attempting to get preferred replica from the IPreferredReplica interface </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: ajp-bio-127.0.0.1-9019-exec-10
Closing LDAP connection due to connection timeout! Interval: 34053, Timeout: 10000, Connection: Id: 2e202f4d-7f39-407f-a9bd-5c2e3185783f, host: ldaps://192.168.1.197 </amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: ajp-bio-127.0.0.1-9019-exec-10
Connection: e57dc2ea-92af-4587-9dc2-450ba088cb3a, Environment Parameters for InitialDirContext() method call:
Key: java.naming.factory.initial, Value: com.sun.jndi.ldap.LdapCtxFactory
Key: java.naming.provider.url, Value: ldaps://192.168.1.197:636
Key: com.sun.jndi.ldap.connect.timeout, Value: 0
Key: java.naming.security.principal, Value: ou=nidsUser,ou=UsersContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell
Key: java.naming.security.authentication, Value: simple
Key: java.naming.security.credentials, Value: *****
Key: java.naming.security.protocol, Value: ssl
Key: java.naming.ldap.factory.socket, Value: com.novell.nidp.common.util.net.client.NIDP_SSLSocketFactory
</amLogEntry>

<amLogEntry> 2017-12-29T09:51:43Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: ajp-bio-127.0.0.1-9019-exec-10
Added property to DirContext Environment: Property Name: java.naming.ldap.attributes.binary, Value: GUID nDSPKITrustedRootCertificate </amLogEntry>
0 Likes
Knowledge Partner

Re: IDM User Application SSO using Microsoft AD FS

On 29-12-2017 9:14 PM, fartyalvikram wrote:
>
> I created a custom rule as you suggested inside AD FS


Do you still need help with this?


--
Cheers,
Edward
0 Likes
fartyalvikram
New Member.

Re: IDM User Application SSO using Microsoft AD FS

Yes please.
0 Likes
Knowledge Partner

Re: IDM User Application SSO using Microsoft AD FS

On 10-01-2018 5:26 PM, fartyalvikram wrote:
>
> Yes Please
>
>


In the notes I created when I built this lab a while ago, I created the following 2 rules in ADFS:

1)
Rule template: Send LDAP Attribute as claims

LDAP Attribute: E-mail addresses
Outgoing claim type: Email Address

2)
Rule template: Send claims using a custom rule

rule:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(
    Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    Issuer = c.Issuer,
    OriginalIssuer = c.OriginalIssuer,
    Value = c.Value,
    ValueType = c.ValueType,
    Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https://appliance.site.com/nidp/saml2/metadata"
);



See if that works.

--
Cheers,
Edward
0 Likes
fartyalvikram
New Member.

Re: IDM User Application SSO using Microsoft AD FS

I am getting the same error, and the rules screens are given below.



When you did that in your lab, were you using Windows Server 2012 R2 at that time?
0 Likes
Knowledge Partner

Re: IDM User Application SSO using Microsoft AD FS

On 11-01-2018 12:24 AM, fartyalvikram wrote:
>
> I am getting the same error and the rules screen are given below
>
> 6079
>
> When you done that in your lab, at that time you using Windows Server
> 2012 R2?


I built it with ADFS on Win2016. I'll run up a lab on 2012R2.


--
Cheers,
Edward
0 Likes
fartyalvikram
New Member.

Re: IDM User Application SSO using Microsoft AD FS

Can you please share some documents with screenshots when you run that scenario in your lab with Windows Server 2012 R2, so I can configure the same as you have done?
0 Likes
Knowledge Partner

Re: IDM User Application SSO using Microsoft AD FS

On 12-01-2018 1:04 AM, fartyalvikram wrote:
>
> Can you please share some documents with screen shots, when you run that
> scenario on your lab with Windows Server 2012 R2.
> So I can configure the same as you have done.


So I just built it on ADFS 2012 R2, and it works fine with those 2 rules. Make sure the email address is populated on the user (it's not by default), make sure the format matches the one from the request (I set mine to transient), and make sure the spnamequalifier matches.




--
Cheers,
Edward
0 Likes
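As an added example that is not part of this thread and not NetIQ or Microsoft code: the check ADFS applies before it answers MSIS7070 / InvalidNameIDPolicy, run over trimmed copies of the AuthnRequest and the failing Response from the posted IDP log, and then over what the custom claim rule above issues. It shows why the spnamequalifier in the lab rule has to be changed to this environment's SP entity ID; the email value is constructed.

```python
"""Added example (not from the thread, NetIQ or Microsoft): reproduce the
NameIDPolicy check that ADFS reports as MSIS7070 and that NAM logs as
urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy, using trimmed copies
of the AuthnRequest and Response from the posted IDP log."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"

# Constructed sample: the AuthnRequest NAM sent to ADFS (non-essential attributes dropped).
AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="idTueR_tnsEkUvdewKApAq9wAeG3w" Version="2.0" IssueInstant="2017-12-29T09:51:40Z">'
    '<saml:Issuer>https://nam.demo.local/nidp/saml2/metadata</saml:Issuer>'
    f'<samlp:NameIDPolicy Format="{TRANSIENT}" '
    'SPNameQualifier="https://nam.demo.local/nidp/saml2/metadata"/>'
    '</samlp:AuthnRequest>'
)

# Constructed sample: the failing Response ADFS returned (signature and certificate omitted).
FAILED_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_82f95d9e-8026-415e-a8aa-f74eb07d8a0e" '
    'Version="2.0" InResponseTo="idTueR_tnsEkUvdewKApAq9wAeG3w">'
    f'<Issuer xmlns="{SAML}">http://server.demo.local/adfs/services/trust</Issuer>'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">'
    f'<samlp:StatusCode Value="{INVALID_NAMEID_POLICY}"/></samlp:StatusCode></samlp:Status>'
    '</samlp:Response>'
)


def parse_name_id_policy(authn_request_xml):
    """Return the NameIDPolicy the SP asked for, or {} when it sent none."""
    policy = ET.fromstring(authn_request_xml).find(f"{{{SAMLP}}}NameIDPolicy")
    if policy is None:
        return {}
    return {
        "Format": policy.get("Format"),
        "SPNameQualifier": policy.get("SPNameQualifier"),
        # AllowCreate defaults to false, which is exactly what ADFS logged.
        "AllowCreate": policy.get("AllowCreate", "false").lower() == "true",
    }


def status_codes(response_xml):
    """Return the StatusCode chain outermost first; the nested code is the real reason."""
    node = ET.fromstring(response_xml).find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    chain = []
    while node is not None:
        chain.append(node.get("Value"))
        node = node.find(f"{{{SAMLP}}}StatusCode")
    return chain


def name_id_satisfies(policy, name_id):
    """SAML 2.0 core 3.4.1.1 rules applied to the NameID the IdP would issue.
    name_id is None when the token carries no nameidentifier claim at all,
    the 'Actual NameID properties: null' case in the ADFS event."""
    if not policy:
        return True, "no policy requested"
    if name_id is None:
        return False, "token carries no NameID"
    fmt = policy.get("Format")
    if fmt and fmt != UNSPECIFIED and name_id.get("Format") != fmt:
        return False, f"format mismatch: requested {fmt}, issued {name_id.get('Format')}"
    spnq = policy.get("SPNameQualifier")
    if spnq and name_id.get("SPNameQualifier") != spnq:
        return False, f"SPNameQualifier mismatch: requested {spnq}, issued {name_id.get('SPNameQualifier')}"
    return True, "ok"


def name_id_from_claim_rule(email, sp_name_qualifier):
    """Model what the custom claim rule in the thread issues: a nameidentifier claim
    carrying the email plus format and spnamequalifier properties. (A transient
    identifier is meant to be opaque; the email value is the posted rule's choice.)"""
    return {"Value": email, "Format": TRANSIENT, "SPNameQualifier": sp_name_qualifier}


def diagnose(authn_request_xml, response_xml):
    """One-line verdict from the two messages NAM traced."""
    codes = status_codes(response_xml)
    if INVALID_NAMEID_POLICY not in codes:
        return "status " + " -> ".join(codes)
    policy = parse_name_id_policy(authn_request_xml)
    return (f"IdP rejected NameIDPolicy: issue a NameID with Format={policy['Format']} "
            f"and SPNameQualifier={policy['SPNameQualifier']}")


if __name__ == "__main__":
    print(diagnose(AUTHN_REQUEST, FAILED_RESPONSE))
    policy = parse_name_id_policy(AUTHN_REQUEST)
    lab_rule = name_id_from_claim_rule("user@demo.local", "https://appliance.site.com/nidp/saml2/metadata")
    print(name_id_satisfies(policy, lab_rule))      # qualifier copied from the lab: mismatch
    fixed = name_id_from_claim_rule("user@demo.local", policy["SPNameQualifier"])
    print(name_id_satisfies(policy, fixed))         # qualifier set to this SP: ok
```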
Knowledge Partner

Re: IDM User Application SSO using Microsoft AD FS

From memory, you might need a NameID policy. If you're happy to wait for a week until I have access to my notes, I can dig them up, or you can ask in the ADFS forums, as this is an ADFS issue really.
0 Likes