NAM as SAML SP and step up authentication

Hi!

 

I have configured NAM as SAML service provider and configured attribute matching.

Everything works: users are able to log in, and NAM matches attributes from the SAML response to local users.

Now I would like to add a step up authentication method, as described here: https://www.netiq.com/documentation/access-manager-45/admin/data/b1fd1nte.html#userident

I've moved the required method to the left:

[screenshot: Annotation 2020-01-24 143549.png]

(BTW, the documentation says "Use the arrow keys to move methods from the available methods list to the step up methods list", but there is no label on top of the lists, so I moved the method to the left...)

But now, when a user successfully authenticates with SAML, this method is not executed; instead the method specified in the default authentication contract is (Local -> Defaults -> Authentication Contract).

I have tried moving other authentication methods to the left, but the default authentication contract is always executed.

 

Has anybody any idea what I am doing wrong?

 

Additional info:

  • NAM 4.5 HF1
  • The LocationQuery method does not "identify user", but I have also tried using methods which do "identify user" -> same result
  • Although the LocationQuery method uses a custom class, it works perfectly in existing contracts as a second method after the user is authenticated (e.g. after the Secure Name/Password - Form method)

 

Kind regards,

Sebastijan

7 Replies

Micro Focus Expert

This works well in my testing.

<amLogEntry> 2020-01-29T20:29:57Z INFO NIDS Application: AM#500105048: AMDEVICEID#104C4B8127E21E15: AMAUTHID#658fbe71c41825d7586ed58e3e14e3435279f72c4f0b6df0e413b5c136cd857c: Trusted Provider Authentication needs local step-up. Step-up methods: Profile Select. </amLogEntry>

<amLogEntry> 2020-01-29T20:29:57Z INFO NIDS Application: AM#500105049: AMDEVICEID#104C4B8127E21E15: AMAUTHID#658fbe71c41825d7586ed58e3e14e3435279f72c4f0b6df0e413b5c136cd857c: New Authentication Chain created :
Identity Id - http://WINDOWSWITHNAM.NAMKERBEROSADADFS.COM/adfs/services/trust
Issuer Id - http://WINDOWSWITHNAM.NAMKERBEROSADADFS.COM/adfs/services/trust
Target - https://msingh8.lab.novell.com/phpinfo.php
Step up methods - Profile Select
. </amLogEntry>

 

Please raise a Support ticket for your issue.

Micro Focus Frequent Contributor

Hi Sebastijan,

This works well in my test environment. This configuration is for local step-up. By default it will ask for re-authentication once the first contract has executed on the local SP.

e.g. default contract @ SP - NPF

Step-up contract @ SP - SNPF

Here is what the log looks like:

<amLogEntry> 2020-01-30T07:08:54Z INFO NIDS Application: AM#500105013: AMDEVICEID#C8BCD2A771CBCA0E: AMAUTHID#6563b7b573cdb9690cecda53025518902aa0fa939f0e81ab30655b4269bdb9bc: Authenticated user cn=vneeraj,o=novell in User Store edir-local with roles "NAM_OAUTH2_ADMIN","authenticated". </amLogEntry>

<amLogEntry> 2020-01-30T07:08:54Z INFO NIDS Application: AM#500105048: AMDEVICEID#C8BCD2A771CBCA0E: AMAUTHID#6563b7b573cdb9690cecda53025518902aa0fa939f0e81ab30655b4269bdb9bc: Trusted Provider Authentication needs local step-up. Step-up methods: Secure Name/Password - Form. </amLogEntry>

<amLogEntry> 2020-01-30T07:08:54Z INFO NIDS Application: AM#500105049: AMDEVICEID#C8BCD2A771CBCA0E: AMAUTHID#6563b7b573cdb9690cecda53025518902aa0fa939f0e81ab30655b4269bdb9bc: New Authentication Chain created :
Identity Id - https://www.idp.com:8443/nidp/saml2/metadata
Issuer Id - https://www.idp.com:8443/nidp/saml2/metadata
Target - https://sles12-acidp.labs.blr.novell.com:8443/nidp/app?sid=0
Step up methods - Secure Name/Password - Form
. </amLogEntry>

...

<amLogEntry> 2020-01-30T07:08:54Z INFO NIDS Application: AM#500105050: AMDEVICEID#C8BCD2A771CBCA0E: AMAUTHID#6563b7b573cdb9690cecda53025518902aa0fa939f0e81ab30655b4269bdb9bc: Advancing authentication chain. Current handler : Step-up Handler. </amLogEntry>

.....

<amLogEntry> 2020-01-30T07:08:54Z VERBOSE NIDS Application: Executing authentication method Secure Name/Password - Form </amLogEntry>

This is on 4.5 SP1.

Please confirm if you are not seeing this behavior.

Knowledge Partner

Hi!

I've upgraded NAM to 4.5 SP1 and set the step-up method to NPF (Secure NPF is set as the default contract), but I'm still not seeing what you've sent.

My log has this (logging for Application and SAML set to Info):

Jan 30, 2020 5:06:45 PM org.apache.xml.security.signature.Reference verify
INFO: Verification successful for URI "#idmCiDF7-nXA8wKYnTG9OZECb0yjE"
<amLogEntry> 2020-01-30T16:06:45Z INFO NIDS IDFF: AM#500106004: AMDEVICEID#B555D30C1E7A8D11: AMAUTHID#803e9573e589a59df8f71f14a4ddd2a4842828c71ef9195ad3374863a402ed02: Created new identity for 8abd6e908bde994fb9758abd6e908bde with identity id of <external saml idp> </amLogEntry>

<amLogEntry> 2020-01-30T16:06:45Z INFO NIDS Application: AM#500199050: AMDEVICEID#B555D30C1E7A8D11: AMAUTHID#e920f0d53b6e49a87cb6cbc7303a575e450ffdf48b67f25d599f6ae6a0633bdf: IDP RolesPep.evaluate(), policy trace:
~~RL~1~~~~Rule Count: 0~~Success(67)
</amLogEntry>

<amLogEntry> 2020-01-30T16:06:45Z INFO NIDS Application: AM#500105013: AMDEVICEID#B555D30C1E7A8D11: AMAUTHID#e920f0d53b6e49a87cb6cbc7303a575e450ffdf48b67f25d599f6ae6a0633bdf: Authenticated user cn=A101,ou=Test,ou=Users,o=IDV in User Store IDV with roles "authenticated". </amLogEntry>

<amLogEntry> 2020-01-30T16:06:45Z INFO NIDS IDFF: AM#500106004: AMDEVICEID#B555D30C1E7A8D11: AMAUTHID#803e9573e589a59df8f71f14a4ddd2a4842828c71ef9195ad3374863a402ed02: Created new identity for 8abd6e908bde994fb9758abd6e908bde with identity id of <external saml idp> </amLogEntry>

<amLogEntry> 2020-01-30T16:06:45Z INFO NIDS SAML2: AM#500105017: AMDEVICEID#B555D30C1E7A8D11: AMAUTHID#e920f0d53b6e49a87cb6cbc7303a575e450ffdf48b67f25d599f6ae6a0633bdf: nLogin succeeded, redirecting to /nidp/app?sid=0. </amLogEntry>

<amLogEntry> 2020-01-30T16:06:45Z INFO NIDS Application: AM#500105015: AMDEVICEID#B555D30C1E7A8D11: AMAUTHID#e920f0d53b6e49a87cb6cbc7303a575e450ffdf48b67f25d599f6ae6a0633bdf: Processing login request with TARGET = , saved TARGET = . </amLogEntry>

<amLogEntry> 2020-01-30T16:06:45Z INFO NIDS Application: AM#500105009: AMDEVICEID#B555D30C1E7A8D11: AMAUTHID#e920f0d53b6e49a87cb6cbc7303a575e450ffdf48b67f25d599f6ae6a0633bdf: Executing contract Secure Name/Password - Form. </amLogEntry>

<amLogEntry> 2020-01-30T16:06:45Z INFO NIDS Application: AM#500105015: AMDEVICEID#B555D30C1E7A8D11: AMAUTHID#e920f0d53b6e49a87cb6cbc7303a575e450ffdf48b67f25d599f6ae6a0633bdf: Processing login request with TARGET = , saved TARGET = . </amLogEntry>

<amLogEntry> 2020-01-30T16:06:45Z INFO NIDS Application: AM#500105009: AMDEVICEID#B555D30C1E7A8D11: AMAUTHID#e920f0d53b6e49a87cb6cbc7303a575e450ffdf48b67f25d599f6ae6a0633bdf: Executing contract Secure Name/Password - Form. </amLogEntry>

<amLogEntry> 2020-01-30T16:07:20Z INFO NIDS Application: AM#500105015: AMDEVICEID#B555D30C1E7A8D11: AMAUTHID#e920f0d53b6e49a87cb6cbc7303a575e450ffdf48b67f25d599f6ae6a0633bdf: Processing login request with TARGET = , saved TARGET = . </amLogEntry>

<amLogEntry> 2020-01-30T16:07:20Z INFO NIDS Application: AM#500105009: AMDEVICEID#B555D30C1E7A8D11: AMAUTHID#e920f0d53b6e49a87cb6cbc7303a575e450ffdf48b67f25d599f6ae6a0633bdf: Executing contract Secure Name/Password - Form. </amLogEntry>

<amLogEntry> 2020-01-30T16:07:20Z INFO NIDS Application: AM#500105014: AMDEVICEID#B555D30C1E7A8D11: AMAUTHID#e920f0d53b6e49a87cb6cbc7303a575e450ffdf48b67f25d599f6ae6a0633bdf: Attempting to authenticate user cn=A101,ou=Test,ou=Users,o=IDV with provided credentials. </amLogEntry>

<amLogEntry> 2020-01-30T16:07:20Z INFO NIDS Application: AM#500199050: AMDEVICEID#B555D30C1E7A8D11: AMAUTHID#6fa56c4a0259f7ce50e5efc93f7566301fd165931aea551cba99ac3b57ee2602: IDP RolesPep.evaluate(), policy trace:
~~RL~1~~~~Rule Count: 0~~Success(67)
</amLogEntry>

<amLogEntry> 2020-01-30T16:07:20Z INFO NIDS Application: AM#500105013: AMDEVICEID#B555D30C1E7A8D11: AMAUTHID#6fa56c4a0259f7ce50e5efc93f7566301fd165931aea551cba99ac3b57ee2602: Authenticated user cn=A101,ou=Test,ou=Users,o=IDV in User Store IDV with roles "authenticated". </amLogEntry>

<amLogEntry> 2020-01-30T16:07:20Z INFO NIDS Application: AM#500105017: AMDEVICEID#B555D30C1E7A8D11: AMAUTHID#6fa56c4a0259f7ce50e5efc93f7566301fd165931aea551cba99ac3b57ee2602: nLogin succeeded, redirecting to https://<idp hostname>/nidp/app. </amLogEntry>

 

Please note that the external IDP is sending a transient NameID. I've tried setting the NameID format (SAML IDP -> Authentication Card -> Authentication Request -> Name Identifier Format) to both Transient and Unspecified, but that does not change the outcome.

I'm also confused because my logs talk about executing a contract, but when you add step-up authentication you add a method, not a contract...

 

Kind regards,
Sebastijan

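The two log excerpts in this thread (the Micro Focus replies showing the step-up chain being built, and Sebastijan's showing the default contract being executed instead) differ in one event code each. The following is an added Python example, not part of the thread and not NAM's code: it splits raw `<amLogEntry>` records, groups them by AMAUTHID and reports per session whether a step-up chain was requested (AM#500105048) or a contract was executed instead (AM#500105009). The event codes and message texts are taken from the logs quoted above; that they are stable across NAM 4.5 builds is an assumption. The sample lines are constructed and shortened (AMAUTHID values truncated) from those excerpts.

```python
import re
from collections import defaultdict

# Constructed sample: abbreviated from the two log excerpts quoted in this thread
# (AMAUTHID values shortened). Session 6563b7b5 shows the step-up chain being built;
# session e920f0d5 shows the default contract being executed instead.
SAMPLE_LOG = """\
<amLogEntry> 2020-01-30T07:08:54Z INFO NIDS Application: AM#500105013: AMDEVICEID#C8BCD2A771CBCA0E: AMAUTHID#6563b7b5: Authenticated user cn=vneeraj,o=novell in User Store edir-local with roles "authenticated". </amLogEntry>
<amLogEntry> 2020-01-30T07:08:54Z INFO NIDS Application: AM#500105048: AMDEVICEID#C8BCD2A771CBCA0E: AMAUTHID#6563b7b5: Trusted Provider Authentication needs local step-up. Step-up methods: Secure Name/Password - Form. </amLogEntry>
<amLogEntry> 2020-01-30T07:08:54Z INFO NIDS Application: AM#500105049: AMDEVICEID#C8BCD2A771CBCA0E: AMAUTHID#6563b7b5: New Authentication Chain created :
Identity Id - https://www.idp.com:8443/nidp/saml2/metadata
Step up methods - Secure Name/Password - Form
. </amLogEntry>
<amLogEntry> 2020-01-30T16:06:45Z INFO NIDS Application: AM#500105013: AMDEVICEID#B555D30C1E7A8D11: AMAUTHID#e920f0d5: Authenticated user cn=A101,ou=Test,ou=Users,o=IDV in User Store IDV with roles "authenticated". </amLogEntry>
<amLogEntry> 2020-01-30T16:06:45Z INFO NIDS Application: AM#500105009: AMDEVICEID#B555D30C1E7A8D11: AMAUTHID#e920f0d5: Executing contract Secure Name/Password - Form. </amLogEntry>
"""

# Event codes as they appear in the logs quoted in the thread (assumed stable).
AUTHENTICATED = "500105013"    # "Authenticated user ... in User Store ..."
STEP_UP_NEEDED = "500105048"   # "Trusted Provider Authentication needs local step-up."
EXEC_CONTRACT = "500105009"    # "Executing contract <name>."  (the default-contract path)

ENTRY_RE = re.compile(r"<amLogEntry>(.*?)</amLogEntry>", re.DOTALL)
CODE_RE = re.compile(r"AM#(\d+):")
AUTHID_RE = re.compile(r"AMAUTHID#([0-9a-fA-F]+):")
USER_RE = re.compile(r"Authenticated user (\S+) in User Store")
STEPUP_RE = re.compile(r"Step-up methods: (.+?)\.\s*$")
CONTRACT_RE = re.compile(r"Executing contract (.+?)\.\s*$")


def parse_entries(text):
    """Split raw log text into (code, authid, message) records. Entries without a
    session id (e.g. the VERBOSE 'Executing authentication method' line) are skipped."""
    out = []
    for m in ENTRY_RE.finditer(text):
        body = m.group(1).strip()
        code, authid = CODE_RE.search(body), AUTHID_RE.search(body)
        if not code or not authid:
            continue
        out.append({"code": code.group(1), "authid": authid.group(1),
                    "msg": body[authid.end():].strip()})
    return out


def classify_sessions(text):
    """Per AMAUTHID: did NAM request a step-up chain, or fall back to a contract?"""
    sessions = defaultdict(lambda: {"outcome": "unknown", "user": None,
                                    "step_up_methods": None, "contract": None})
    for e in parse_entries(text):
        s = sessions[e["authid"]]
        if e["code"] == AUTHENTICATED:
            um = USER_RE.search(e["msg"])
            s["user"] = um.group(1) if um else None
        elif e["code"] == STEP_UP_NEEDED:
            sm = STEPUP_RE.search(e["msg"])
            s["step_up_methods"] = sm.group(1) if sm else e["msg"]
            s["outcome"] = "step-up"
        elif e["code"] == EXEC_CONTRACT and s["outcome"] != "step-up":
            cm = CONTRACT_RE.search(e["msg"])
            s["contract"] = cm.group(1) if cm else e["msg"]
            s["outcome"] = "default-contract"
    return dict(sessions)


if __name__ == "__main__":
    for authid, s in classify_sessions(SAMPLE_LOG).items():
        print(f"{authid}: {s['outcome']:16} user={s['user']} "
              f"step_up={s['step_up_methods']} contract={s['contract']}")
```

Run it against a full catalina.out / nidp log with Application logging at Info: a session whose outcome is "default-contract" with no AM#500105048 entry at all is the symptom described in this thread, and the AMAUTHID lets you pull the surrounding SAML2 and IDFF entries for that same login.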
Micro Focus Expert

Please raise a support ticket for faster analysis and solution.

Knowledge Partner

I've managed to make it work in my lab environment, but only if I made a federation with a persistent name identifier. I assume that both of your tests had the name identifier set to persistent (probably because it is the default value).

[screenshot: nameid.jpg]

But if you switch it to transient, step-up authentication stops working (the step-up method is not triggered; instead the default contract is fired).

Please bear with me and read my findings till the end.

Important information regarding base setup:

  • We have an external IDP and NAM acting as SP
  • We are using attribute matching to match the SAML assertion coming from the external IDP to a local user (matching CN)

Facts discovered during testing:

  • If the NameID is set to transient, the step-up authentication method is not triggered, but the user is prompted for username/password -> the default contract is executed
  • If the NameID is set to persistent, the step-up authentication method is triggered, but not the first time the user is authenticated. The first time, NAM behaves as with a transient NameID (the default contract is fired instead of the step-up method)

If I understand this correctly, when the link between the NAM user and the SAML assertion is already established (persistent name identifier), the step-up method is fired.

But when the link is not yet established and matching needs to kick in (when using a transient NameID, or the first time a user authenticates using a persistent NameID), the step-up method is not working; instead the default contract is executed.

Can you confirm my findings?

 

Kind regards,

Sebastijan

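The distinction the findings above turn on (a stored federation link means no matching on later logins; a transient NameID means matching on every login; a persistent NameID still needs matching the first time) as an added Python model. This is not NAM's code and not part of the thread: the assertion, the issuer entity id, the user store contents and the `SamlSp` class are all constructed for illustration, signatures and Conditions are ignored, and the model makes no step-up decision of its own. It only shows which logins have to go through attribute matching, which is where the findings above say the step-up method fails to trigger. The "Do nothing" on no match is modelled as fail closed, as configured in the later reply.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
ISSUER = "https://idp.example.com/nidp/saml2/metadata"   # assumed external IDP entity id


def make_assertion(name_id, fmt, cn):
    """Constructed, unsigned, minimal SAML 2.0 assertion (illustration only; a real
    one carries a Signature, Conditions and an AuthnStatement, all checked before
    any account linking happens)."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0" IssueInstant="2020-01-30T16:06:45Z">
  <saml:Issuer>{ISSUER}</saml:Issuer>
  <saml:Subject><saml:NameID Format="{fmt}">{name_id}</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="cn"><saml:AttributeValue>{cn}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class SamlSp:
    """Toy model of the SP side: a federation-link store that is only ever
    populated for persistent NameIDs, plus attribute matching on cn."""

    def __init__(self, local_users):
        self.local_users = local_users   # {cn: dn}; stand-in for the local user store
        self.links = {}                  # (issuer, name_id) -> dn

    def resolve(self, assertion_xml):
        root = ET.fromstring(assertion_xml)
        issuer = root.findtext("saml:Issuer", namespaces=NS)
        nid = root.find("saml:Subject/saml:NameID", NS)
        fmt, name_id = nid.get("Format"), nid.text

        # 1. An already-established federation link: no matching needed this login.
        dn = self.links.get((issuer, name_id))
        if dn is not None:
            return {"path": "linked", "dn": dn, "needs_matching": False}

        # 2. No link: attribute matching on cn has to run for this login.
        cn = root.findtext(
            "saml:AttributeStatement/saml:Attribute[@Name='cn']/saml:AttributeValue",
            namespaces=NS)
        hits = [d for c, d in self.local_users.items() if cn and c.lower() == cn.lower()]
        if len(hits) != 1:
            # "Do nothing" on no match; an ambiguous match is treated the same way
            # (fail closed) so one assertion can never land on two local accounts.
            return {"path": "no-match", "dn": None, "needs_matching": True}
        dn = hits[0]
        if fmt == PERSISTENT:
            self.links[(issuer, name_id)] = dn   # remembered for the next session
        # transient: the IDP mints a fresh opaque value next time, nothing to remember
        return {"path": "matched", "dn": dn, "needs_matching": True}


def simulate():
    """Four logins for the same person; returns the path each one took."""
    sp = SamlSp({"A101": "cn=A101,ou=Test,ou=Users,o=IDV"})
    return [
        sp.resolve(make_assertion("_t9f3", TRANSIENT, "A101"))["path"],        # matched
        sp.resolve(make_assertion("_t7c1", TRANSIENT, "A101"))["path"],        # matched again
        sp.resolve(make_assertion("p-8abd6e90", PERSISTENT, "A101"))["path"],  # matched, link stored
        sp.resolve(make_assertion("p-8abd6e90", PERSISTENT, "A101"))["path"],  # linked
    ]


if __name__ == "__main__":
    print(simulate())
```

The two transient logins and the first persistent login all come back as "matched" (matching ran); only the second persistent login is "linked". If the step-up method is observed to fire only on the "linked" path, every transient-NameID deployment is permanently on the other path, which is the behaviour reported above.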
Vice Admiral

Are you sure your matching is working when you're set to transient? The default is to have the user log in to link the accounts if matching fails.

Second, transient implicitly means you do not have a local user account. How do you do local authentication with no account?

Knowledge Partner


@jwcombs wrote:

Are you sure your matching is working when your set to transient? The default is to have the user log in to link the accounts if matching fails.


Yes, matching works, because if I just remove the step-up method, the user is properly matched to the local userstore account and authenticated.

Also, I have changed the default for "if match is not found". It is set to "Do nothing", so when a match is not found an error is thrown (which is exactly what we want). But for that particular user a match is found, which can be confirmed by authenticating without the step-up method (the user is authenticated).


@jwcombs wrote:

Second, transient implicitly means you do not have a local user account. How do you do local authentication with no account?


If the NameID is set to transient, it means that it is not persistent across sessions. So with every authentication, NAM must perform matching to connect attributes in the SAML assertion to attributes of the account in the local userstore.

But maybe I don't understand your comment. Can you please rephrase?

 

Kind regards,

Sebastijan
