fsakiyama

Is it possible to configure SAML2 between 2 access managers?

Hi guys,

Currently, we have 2 access managers here, one in 4.0 and one in 4.4

I'm trying to configure saml2 between these two, from 4.4 to 4.0, so even if you're logged in only in 4.4, when you access 4.0, you will not be prompted to enter your credentials again.

So far, I managed to include a Generic NetIQ Access Manager SAML application on NAM 4.4 through:
- Dashboard -> Applications -> '+' -> Generic NetIQ Access Manager.

Then configured it pointing to my NAM 4.0.

Unfortunately, it's still asking for my credentials.

Any ideas?
fsakiyama

Re: Is it possible to configure SAML2 between 2 access manag

Update:

I managed to configure the federation, but not the single sign-on.
I'm following this article: https://www.netiq.com/documentation/access-manager-44/admin/data/b1fd1nsr.html

So I configured a NAM 4.0 service provider inside NAM 4.4, and configured a NAM 4.4 identity provider inside NAM 4.0.

I can choose to login into NAM 4.0 using 4.4 credentials.

I'm trying now to login into NAM 4.4 and automatically be logged in NAM 4.0 whenever I access a protected resource.
As far as I'm reading the article, it's related to configuring a contract. Not sure though.

Any help is appreciated.

Thanks in advance.
Knowledge Partner

Re: Is it possible to configure SAML2 between 2 access managers?

On 09-11-2018 1:54 AM, fsakiyama wrote:
>
> Update:
>
> I managed to configure the federation, but not the single sign-on.
> I'm following this article:
> https://www.netiq.com/documentation/access-manager-44/admin/data/b1fd1nsr.html
>
> So I configured a NAM 4.0 service provider inside NAM 4.4, and
> configured a NAM 4.4 identity provider inside NAM 4.0.
>
> I can choose to login into NAM 4.0 using 4.4 credentials.
>
> I'm trying now to login into NAM 4.4 and automatically be logged in NAM
> 4.0 whenever I access a protected resource.
> As far as I'm reading the article, it's related to configuring a
> contract. Not sure though.


So when you access the protected resource on the service provider side, how exactly do you do this? Do you log in to the 4.4 IDP and then simply browse to the 4.0 protected resource?

--
Cheers,
Edward
fsakiyama

Re: Is it possible to configure SAML2 between 2 access manag

edmaa;2490508 wrote:
On 09-11-2018 1:54 AM, fsakiyama wrote:
>
> Update:
>
> I managed to configure the federation, but not the single sign-on.
> I'm following this article:
> https://www.netiq.com/documentation/access-manager-44/admin/data/b1fd1nsr.html
>
> So I configured a NAM 4.0 service provider inside NAM 4.4, and
> configured a NAM 4.4 identity provider inside NAM 4.0.
>
> I can choose to login into NAM 4.0 using 4.4 credentials.
>
> I'm trying now to login into NAM 4.4 and automatically be logged in NAM
> 4.0 whenever I access a protected resource.
> As far as I'm reading the article, it's related to configuring a
> contract. Not sure though.


So when you access the protected resource on the service provider side, how exactly do you do this? Do you log in to the 4.4 IDP and then simply browse to the 4.0 protected resource?

--
Cheers,
Edward


Hi Edward, thanks for answering!

The flow is:

Access the protected resource (which is configured at 4.0); it redirects to the 4.0 login page. Inside this page, there's now an option "Remote Login" which redirects me to the 4.4 login page. After logging in to 4.4, it redirects me back to the protected resource at 4.0.

It's working fine, but what I really need is:

Login into 4.4 and access a 4.0 protected resource without asking for login. As if there's no difference in where I'm logged in.

I imagine the flow like this:

Login into 4.4 -> Access 4.0 protected resource -> Asks its identity provider (4.0) to check if the user is logged in -> Confirms it's logged in (because of the login into 4.4) -> returns to the 4.0 protected resource.

As far as I'm reading, it's through contracts, though I'm struggling to do that 😞

Any ideas?

Thanks in advance.
Knowledge Partner

Re: Is it possible to configure SAML2 between 2 access managers?

On 12-11-2018 9:04 PM, fsakiyama wrote:
>
> edmaa;2490508 Wrote:
>> On 09-11-2018 1:54 AM, fsakiyama wrote:
>>>
>>> Update:
>>>
>>> I managed to configure the federation, but not the single sign-on.
>>> I'm following this article:
>>> https://www.netiq.com/documentation/access-manager-44/admin/data/b1fd1nsr.html
>>>
>>> So I configured a NAM 4.0 service provider inside NAM 4.4, and
>>> configured a NAM 4.4 identity provider inside NAM 4.0.
>>>
>>> I can choose to login into NAM 4.0 using 4.4 credentials.
>>>
>>> I'm trying now to login into NAM 4.4 and automatically be logged in NAM
>>> 4.0 whenever I access a protected resource.
>>> As far as I'm reading the article, it's related to configuring a
>>> contract. Not sure though.
>>
>> So when you access the protected resource on the service provider side,
>> how exactly do you do this? Do you log in to the 4.4 IDP and then simply
>> browse to the 4.0 protected resource?
>>
>> --
>> Cheers,
>> Edward
>
> Hi Edward, thanks for answering!
>
> The flow is:
>
> Access the protected resource (which is configured at 4.0); it redirects
> to the 4.0 login page. Inside this page, there's now an option "Remote
> Login" which redirects me to the 4.4 login page. After logging in to
> 4.4, it redirects me back to the protected resource at 4.0.
>
> It's working fine, but what I really need is:
>
> Login into 4.4 and access a 4.0 protected resource without asking for
> login. As if there's no difference in where I'm logged in.
>
> I imagine the flow like this:
>
> Login into 4.4 -> Access 4.0 protected resource -> Asks its identity
> provider (4.0) to check if the user is logged in -> Confirms it's logged
> in (because of the login into 4.4) -> returns to the 4.0 protected
> resource.
>
> As far as I'm reading, it's through contracts, though I'm struggling to
> do that 😞
>
> Any ideas?

Ok, you can do that but there's a bit more configuration involved. You need to configure what's called an external contract. In your 4.0 config create a new contract which doesn't need a method but tick the box 'satisfiable by an external provider'. Then on the external IDP you configured, make it satisfy that new contract. Protect the resource with that particular contract.

I suspect after this there will be some more config to do, but give the above a go.

--
Cheers,
Edward
fsakiyama

Re: Is it possible to configure SAML2 between 2 access manag

Hi Edward,

I created a contract, but now I'm getting this error when accessing a protected resource:

An Identity Provider response was received that failed to authenticate this session. 300101008

Any idea what it could be?

Edit:
I'll look into this:
300101008

No assertion returned in response.

No authentication context specified message in the assertion.

Type: WARN:NIDP:USERMSG:008

Cause: Assertions will not be returned in a response whenever authentication at the identity provider fails. The cause for this can include invalid configurations and canceling the authentication process at the identity provider.

This response is also returned when a user has reached the maximum number of sessions and then attempts to access a protected resource that requires authentication.

Action: Make sure that both the identity and service providers are configured correctly to trust each other. Provide proper credentials during the authentication process at the identity provider.

Cause: Protected resources are configured to access using external contracts, which are being executed at the external identity provider. These contracts are not configured to be satisfied by any of the external identity provider.

Action 1: Verify the external identity provider satisfiable contract list at the service provider and ensure that these external contracts are configured under the satisfiable list.

Action 2: Verify the external contract definition at the identity provider and make sure that this contract definition with the matching allowable class or URI is available.

NOTE: URI specifies a value that uniquely identifies the contract from all other contracts.
Knowledge Partner

Re: Is it possible to configure SAML2 between 2 access managers?

On 15-11-2018 5:54 AM, fsakiyama wrote:
>
> Hi Edward,
>
> I created a contract, but now I'm getting this error when accessing a
> protected resource:
>
> An Identity Provider response was received that failed to authenticate
> this session. 300101008
>
> Any idea what it could be?
>
> Edit:
> I'll look into this:
> 300101008
>
> No assertion returned in response.
>
> No authentication context specified message in the assertion.
>
> Type: WARN:NIDP:USERMSG:008
>
> Cause: Assertions will not be returned in a response whenever
> authentication at the identity provider fails. The cause for this can
> include invalid configurations and canceling the authentication process
> at the identity provider.
>
> This response is also returned when a user has reached the maximum
> number of sessions and then attempts to access a protected resource that
> requires authentication.
>
> Action: Make sure that both the identity and service providers are
> configured correctly to trust each other. Provide proper credentials
> during the authentication process at the identity provider.
>
> Cause: Protected resources are configured to access using external
> contracts, which are being executed at the external identity provider.
> These contracts are not configured to be satisfied by any of the
> external identity provider.
>
> Action 1: Verify the external identity provider satisfiable contract list
> at the service provider and ensure that these external contracts are
> configured under the satisfiable list.
>
> Action 2: Verify the external contract definition at the identity
> provider and make sure that this contract definition with the matching
> allowable class or URI is available.
>
> NOTE: URI specifies a value that uniquely identifies the contract from
> all other contracts.

Use F12 in IE (or whatever browser you use; Chrome has similar capabilities) and check if an assertion is actually being sent from the IDP to the SP. It sounds like some config is still missing.

--
Cheers,
Edward
fsakiyama

Re: Is it possible to configure SAML2 between 2 access manag

Usually I use the Firefox SAML Tracer plugin to check the SAML AuthnRequest and SAML Response.

In this case, I'm getting only the AuthnRequest:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable"
ForceAuthn="false"
ID="idsTwrLCd1htuX6YrEdJ8B21mEfvE"
IsPassive="false"
IssueInstant="2018-11-19T10:38:43Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Version="2.0"
>
<saml:Issuer>https://idpmobdev.embraer.com.br/nidp/saml2/metadata</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
/>
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextDeclRef>fabio/teste</saml:AuthnContextDeclRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>



Couldn't find the problem, still debugging.

Also, here's the NAM 4.0 configs (the one that will be the service provider), where I create an identity provider config pointing to NAM 4.4.
Imported metadata (NAM 4.4): https://idpmobqas.embraer.com.br/nidp/saml2/metadata
https://pasteboard.co/HNSn8XT.png
https://pasteboard.co/HNSnhOCN.png
https://pasteboard.co/HNSnowR.png
https://pasteboard.co/HNSnvPN.png
https://pasteboard.co/HNSnAWr.png
https://pasteboard.co/HNSnHKZh.png
https://pasteboard.co/HNSnOFg.png
https://pasteboard.co/HNSnU2B.png

And the NAM 4.4 configs (the one that will be the identity provider): I just created a normal service provider config pointing to NAM 4.0, setting the 'cn' as the attribute of the auth response. Binding method is POST.
Imported metadata (NAM 4.0): https://idpmobdev.embraer.com.br/nidp/saml2/metadata

I'll get the debug log as well.
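The two causes listed in the 300101008 text earlier in this thread (the SP's external-IdP satisfiable list, Action 1, and a matching contract definition at the IdP, Action 2) can be checked against the AuthnRequest captured above. This is an added example, not code from the thread or from NetIQ; the issuer hostname, request ID and contract names are constructed placeholders, and the two sets stand in for what the admin console shows on each side.

```python
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"

# Constructed sample in the shape of the AuthnRequest posted above;
# the request ID and the issuer hostname are placeholders.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ForceAuthn="false" ID="id-placeholder" IsPassive="false"
  IssueInstant="2018-11-19T10:38:43Z"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
  Version="2.0">
  <saml:Issuer>https://sp-nam40.example.test/nidp/saml2/metadata</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextDeclRef>fabio/teste</saml:AuthnContextDeclRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def requested_contexts(authn_request_xml):
    """Return (Comparison, [(ref kind, value), ...]) from the request."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find(SAMLP + "RequestedAuthnContext")
    if rac is None:
        return None, []
    refs = [(c.tag.rsplit("}", 1)[-1], (c.text or "").strip()) for c in rac]
    return rac.get("Comparison", "exact"), refs


def diagnose(authn_request_xml, sp_satisfiable, idp_contracts):
    """Apply the two checks from the 300101008 error text (exact match only).

    sp_satisfiable: contracts the SP lets the external IdP satisfy (Action 1).
    idp_contracts:  contract URIs/classes defined at the IdP (Action 2).
    Returns a list of findings; an empty list means both checks pass.
    """
    comparison, refs = requested_contexts(authn_request_xml)
    if not refs:
        return []  # no contract requested: the IdP uses its default
    findings = []
    values = {v for _, v in refs}
    missing_sp = values - set(sp_satisfiable)
    if missing_sp:
        findings.append("SP: not in the external-IdP satisfiable list: "
                        + ", ".join(sorted(missing_sp)))
    if comparison == "exact" and values.isdisjoint(set(idp_contracts)):
        findings.append("IdP: no contract with matching URI/class for "
                        + ", ".join(sorted(values))
                        + " (expect no assertion, error 300101008)")
    return findings
```

Feed it the AuthnRequest from SAML Tracer plus the contract lists from both admin consoles; an IdP finding is the case where the IdP responds without an assertion, which is the symptom reported above.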
Knowledge Partner

Re: Is it possible to configure SAML2 between 2 access managers?

On 19-11-2018 10:04 PM, fsakiyama wrote:
>
> Usually I use the Firefox SAML Tracer plugin to check the SAML AuthnRequest
> and SAML Response.
>
> In this case, I'm getting only the AuthnRequest:
>
>
> Code:
> --------------------
> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable"
> ForceAuthn="false"
> ID="idsTwrLCd1htuX6YrEdJ8B21mEfvE"
> IsPassive="false"
> IssueInstant="2018-11-19T10:38:43Z"
> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
> Version="2.0"
> >
> <saml:Issuer>https://idpmobdev.embraer.com.br/nidp/saml2/metadata</saml:Issuer>
> <samlp:NameIDPolicy AllowCreate="true"
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
> />
> <samlp:RequestedAuthnContext Comparison="exact">
> <saml:AuthnContextDeclRef>fabio/teste</saml:AuthnContextDeclRef>
> </samlp:RequestedAuthnContext>
> </samlp:AuthnRequest>
> --------------------
>
>
>
> Couldn't find the problem, still debugging.
>
> Also, here's the NAM 4.0 configs (the one that will be the service
> provider), where I create an identity provider config pointing to NAM
> 4.4.
> Imported metadata (NAM 4.4):
> https://idpmobqas.embraer.com.br/nidp/saml2/metadata
> https://pasteboard.co/HNSn8XT.png
> https://pasteboard.co/HNSnhOCN.png
> https://pasteboard.co/HNSnowR.png
> https://pasteboard.co/HNSnvPN.png
> https://pasteboard.co/HNSnAWr.png
> https://pasteboard.co/HNSnHKZh.png
> https://pasteboard.co/HNSnOFg.png
> https://pasteboard.co/HNSnU2B.png
>
> And the NAM 4.4 configs (the one that will be the identity provider): I
> just created a normal service provider config pointing to NAM 4.0,
> setting the 'cn' as the attribute of the auth response. Binding method
> is POST.
> Imported metadata (NAM 4.0):
> https://idpmobdev.embraer.com.br/nidp/saml2/metadata
>
> I'll get the debug log as well.

Yeah, we'll need the catalina.out from the 4.4 server. Ensure you have Application and SAML2 set to debug level.

--
Cheers,
Edward
fsakiyama

Re: Is it possible to configure SAML2 between 2 access manag

Here's the NIDP.xml: https://pastebin.com/q9PUEKfk

Here's the catalina.out: https://pastebin.com/5YvxTZ0b

I couldn't find the root cause, although this NPE seems suspicious:

Failed to read AA server details: java.lang.NullPointerException

Either a bug or, most likely, missing something but couldn't find out what.
Knowledge Partner

Re: Is it possible to configure SAML2 between 2 access managers?

On 20-11-2018 1:04 AM, fsakiyama wrote:
>
> Here's the NIDP.xml: https://pastebin.com/q9PUEKfk
>
> Here's the catalina.out: https://pastebin.com/5YvxTZ0b
>
> I couldn't find the root cause, although this NPE seems suspicious:
>
> Failed to read AA server details: java.lang.NullPointerException
>
> Either a bug or, most likely, missing something but couldn't find out
> what.

AA???? Do you have advanced authentication in the mix here? I haven't looked at the logs yet.

--
Cheers,
Edward
fsakiyama

Re: Is it possible to configure SAML2 between 2 access manag

edmaa;2491197 wrote:
On 20-11-2018 1:04 AM, fsakiyama wrote:
>
> Here's the NIDP.xml: https://pastebin.com/q9PUEKfk
>
> Here's the catalina.out: https://pastebin.com/5YvxTZ0b
>
> I couldn't find the root cause, although this NPE seems suspicious:
>
> Failed to read AA server details: java.lang.NullPointerException
>
> Either a bug or, most likely, missing something but couldn't find out
> what.

AA???? Do you have advanced authentication in the mix here? I haven't looked at the logs yet.

--
Cheers,
Edward


Hmm, I didn't notice that. I didn't even know what AA was until now (actually I just read about it). If I understood the AA concept, I'm not using it here.
We use only OAuth2 and SAML2, and for some legacy apps we use form fill/injection.
Is there any config in the admin console where I can check this?

Thanks in advance.
Knowledge Partner

Re: Is it possible to configure SAML2 between 2 access managers?

On 20-11-2018 9:34 PM, fsakiyama wrote:

> Hmm didn't notice that. I didn't even know what AA was until now
> (actually I just read about it). If I understood AA concept, I'm not
> using it here.
> We use only OAuth2 and SAML2, and for some legacy apps we use
> formfill/injection.
> Any config in admin console that I can check this info?


Going by your logs there's no AA involved. The downside is that you have multiple IDPs in your cluster and there's a bit of proxying going on between the two. I can see the SAML SSO request coming in, but it's proxied from .8 to .9, which seems to be successful as later in the logs (line 181) I can see the remote SP attempting to request the SAML assertion with the artefact (line 256), but again, that request is proxied to .9 as that one handled authentication. Again, this proxied request seems to be successful, but we can't see what SAML token is generated as the logs don't show it.

--
Cheers,
Edward