oimastek

Roles assigned on NAM IDP not found on AG Policy Evaluation

Hi Everyone,

We have an Identity Server: Roles policy which activates a role named UserHasMoreToDo when a Condition Extension returns true. I've confirmed this works by looking at the catalina.out file, which shows the output below.

------------------------------------- start of log dump ----------------------
<amLogEntry> 2019-02-27T15:53:56Z INFO NIDS Application: AM#500105014: AMDEVICEID#9D992527BBE6DBF6: AMAUTHID#5b943a8617d7a2f77aa8a04fee1911f9abd0cf25760bd76779eea92884dd61b5: Attempting to authenticate user cn=show.Neelam,ou=xx,ou=xxx,o=xxx,c=xx with provided credentials. </amLogEntry>
<amLogEntry> 2019-02-27T15:53:56Z INFO NIDS Application: show.neelam authenticated Successfully </amLogEntry>
<amLogEntry> 2019-02-27T15:53:56Z INFO NIDS Application: status=0 </amLogEntry>
<amLogEntry> 2019-02-27T15:53:56Z VERBOSE NIDS Application: Authentication method CustomAuthentication Form succeeded </amLogEntry>
<amLogEntry> 2019-02-27T15:53:56Z VERBOSE NIDS Application: Session has consumed authentications: false </amLogEntry>
<amLogEntry> 2019-02-27T15:53:56Z VERBOSE NIDS Application: Session has consumed authentications: false </amLogEntry>
<amLogEntry> 2019-02-27T15:53:56Z INFO NIDS Application: UserLoggedInSPPolicyConditionExtn : ID=1, xxxUserID=49 </amLogEntry>
<amLogEntry> 2019-02-27T15:53:56Z INFO NIDS Application: AM#500199050: AMDEVICEID#9D992527BBE6DBF6: AMAUTHID#ce17e364ba72980d028d83849f32380be24be40cc28cbdc044d3d15281e9a50a: IDP RolesPep.evaluate(), policy trace:
~~RL~1~~~~Rule Count: 1~~Success(67)
~~RU~RuleID_1551267319311~Set_MoreToDo_as_a_Role~DNF~~1:1~~Success(67)
~~EC0~1~~MoreToDoRoleConditionExtension~false~~~Pending(5)
~~ECC~1~~MoreToDoRoleConditionExtension~false~~~True(69)
~~CS~1~~ANDs~~1~~True(69)
~~PA~ActionID_1551267634317~~addRoleEntry~UserHasMoreToDo~~~Success(0)
~~PC~ActionID_1551267634317~~Document=(ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc),Policy=(Set_MoreToDo_as_a_Role),Rule=(1::RuleID_1551267319311),Action=(AddRole::ActionID_1551267634317)~~~~Success(0)
</amLogEntry>
<amLogEntry> 2019-02-27T15:53:56Z INFO NIDS Application: AM#500105013: AMDEVICEID#9D992527BBE6DBF6: AMAUTHID#ce17e364ba72980d028d83849f32380be24be40cc28cbdc044d3d15281e9a50a: Authenticated user cn=show.Neelam,ou=xx,ou=xxx,o=xxx,c=xxx in User Store xxxxx Edirectory with roles "UserHasMoreToDo","authenticated". </amLogEntry>
------------------------------------- end of log dump ----------------------

The user ends up having 2 roles, "UserHasMoreToDo" and "authenticated". The problem is in Access Gateway. The Access Gateway: Authorization policy we have doesn't seem to pick up the assigned roles at all. The log below says CurrentRoles(6660):no-param:

------------------------------------- start of log dump ----------------------
<amLogEntry> 2019-02-27T15:53:55Z INFO NIDS Application: AM#501102050: AMDEVICEID#esp-3FF30FB19E85757F: PolicyID#ONM09243-07O9-O977-6N30-5550O2655K00: NXPESID#435: AGAuthorization Policy Trace: ~~RL~1~~~~Rule Count: 2~~Success(0)
~~RU~RuleID_1551276150044~Redirect_to_STS_if_MoreToDo~DNF~~1:1~~Success(0)
~~CS~1~~ANDs~~1~~True(69)
~~CO~1~CurrentRoles(6660):no-param:~com.novell.nxpe.condition.NxpeOperator@string-equals~SelectedRole(6661):hidden-param:hidden-value:~~NOT~True(69)
~~PA~1~~Permit Access~~~~Success(0)
~~PC~1~~Document=(ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc),Policy=(Redirect_to_STS_if_MoreToDo),Rule=(1::RuleID_1551276150044),Action=(Permit::1)~~~~Success(0)
</amLogEntry>

<amLogEntry> 2019-02-27T15:53:55Z INFO NIDS Application: AM#501101021: AMDEVICEID#esp-3FF30FB19E85757F: PolicyID#ONM09243-07O9-O977-6N30-5550O2655K00: NXPESID#435: Response sent: Status - success </amLogEntry>
------------------------------------- end of log dump ----------------------

I've tried adding "All Roles" to the attribute set assigned to the Service Provider for AG under Liberty - Trusted Providers. Not sure if any further configuration needs doing.

Thanks for taking the time to read my post. Any comments appreciated.

Regards
OI
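The two policy traces in the post have a regular shape: each line starts with `~~`, then a record kind (RL, RU, CS, CO, PA, PC, ...), then `~`-separated operands, then a trailing status such as Success(0) or True(69). The diagnostic below, added here as an example and not part of the original post or of NetIQ Access Manager, parses that shape, pulls the roles the IDP added (addRoleEntry actions), and flags CO lines whose CurrentRoles operand carries the no-param marker, which is what the AG trace shows when the authorization policy was evaluated with no roles at all. The sample traces are trimmed copies of the ones quoted above, the field positions are inferred from those lines, and the "Authenticated user ... with roles" line is a shortened copy of the IDP log line; all of these are constructed inputs.

```python
import re
from dataclasses import dataclass

# Constructed samples: the two policy-trace excerpts from the post, trimmed to
# the lines the diagnosis needs. The field layout (kind, then '~'-separated
# operands, then a trailing status) is inferred from those lines.
IDP_TRACE = """\
~~RL~1~~~~Rule Count: 1~~Success(67)
~~RU~RuleID_1551267319311~Set_MoreToDo_as_a_Role~DNF~~1:1~~Success(67)
~~ECC~1~~MoreToDoRoleConditionExtension~false~~~True(69)
~~CS~1~~ANDs~~1~~True(69)
~~PA~ActionID_1551267634317~~addRoleEntry~UserHasMoreToDo~~~Success(0)
"""

AG_TRACE = """\
~~RL~1~~~~Rule Count: 2~~Success(0)
~~RU~RuleID_1551276150044~Redirect_to_STS_if_MoreToDo~DNF~~1:1~~Success(0)
~~CS~1~~ANDs~~1~~True(69)
~~CO~1~CurrentRoles(6660):no-param:~com.novell.nxpe.condition.NxpeOperator@string-equals~SelectedRole(6661):hidden-param:hidden-value:~~NOT~True(69)
~~PA~1~~Permit Access~~~~Success(0)
"""

# Shortened copy of the IDP "Authenticated user" log line (constructed).
AUTH_LINE = ('Authenticated user cn=show.Neelam,ou=xx,o=xxx in User Store xxxxx '
             'Edirectory with roles "UserHasMoreToDo","authenticated".')


@dataclass
class TraceLine:
    kind: str      # RL, RU, ECC, CS, CO, PA, PC ...
    fields: list   # operands between kind and status; empty strings are kept
    status: str    # trailing status such as Success(0) or True(69)


def parse_trace(text):
    """Split each '~~'-prefixed trace line into kind, operand fields and status."""
    lines = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw.startswith("~~"):
            continue
        parts = raw[2:].split("~")
        lines.append(TraceLine(kind=parts[0], fields=parts[1:-1], status=parts[-1]))
    return lines


def roles_added(trace):
    """Role names assigned by successful addRoleEntry actions in an IDP trace."""
    return [ln.fields[3] for ln in trace
            if ln.kind == "PA" and len(ln.fields) > 3
            and ln.fields[2] == "addRoleEntry"
            and ln.status.startswith("Success")]


def roles_in_auth_line(line):
    """Role names from the 'Authenticated user ... with roles "a","b".' log line."""
    m = re.search(r'with roles (.*?)\.\s*$', line)
    return re.findall(r'"([^"]+)"', m.group(1)) if m else []


def empty_role_conditions(trace):
    """CO lines whose left operand is CurrentRoles with the no-param marker,
    i.e. the gateway evaluated the role condition while holding no roles."""
    return [ln for ln in trace
            if ln.kind == "CO" and len(ln.fields) > 1
            and ln.fields[1].startswith("CurrentRoles(")
            and ln.fields[1].endswith(":no-param:")]


def diagnose(idp_trace_text, ag_trace_text, auth_line=""):
    """Compare the roles the IDP assigned with what the AG authorization policy saw."""
    idp_roles = roles_added(parse_trace(idp_trace_text))
    if auth_line:
        idp_roles = sorted(set(idp_roles) | set(roles_in_auth_line(auth_line)))
    empty = empty_role_conditions(parse_trace(ag_trace_text))
    return {
        "idp_roles": idp_roles,
        "ag_saw_roles": not empty,
        "empty_role_conditions": len(empty),
        # roles present at the IDP but invisible to the AG: the mismatch in the post
        "missing_at_ag": idp_roles if empty else [],
    }


if __name__ == "__main__":
    print(diagnose(IDP_TRACE, AG_TRACE, AUTH_LINE))
```

Run against the traces above it reports that the IDP assigned UserHasMoreToDo and authenticated while the AG condition was evaluated against an empty role set, which is the same conclusion Edward reaches later in the thread (the user is still anonymous to the gateway when the authz policy executes). The no-param marker is a more reliable thing to grep for in a large catalina.out than the rule outcome, because a NOT string-equals condition over an empty role set evaluates to True and the Permit action then looks healthy.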
oimastek

Re: Roles assigned on NAM IDP not found on AG Policy Evaluation

I think the AG Policy runs first, before the user is authenticated. Then the protected resource behind AG requests authentication and NAM authenticates the user and sets the role. Then for any subsequent calls to the PR, the AG doesn't look at the newly assigned roles for some reason. Is there any way for AG to notice the new roles and run the AG Policy with them every time a request goes through AG?
edmaa (Knowledge Partner)

Re: Roles assigned on NAM IDP not found on AG Policy Evaluation

On 28-02-2019 3:46 AM, oimastek wrote:
>
> I think the AG Policy runs first, before the user is authenticated. Then
> the protected resource behind AG requests authentication and NAM
> authenticates user and sets role. Then for any subsequent calls to the
> PR, the AG doesn't look at the new assigned roles for some reason. Is
> there any way for AG notice the new roles and run the AG Policy with
> them every time a request goes through AG?
>
>

That doesn't sound right. When auth is enabled, the first thing that happens is that you get redirected to the IDP for auth, and only after that do the authz policies kick in.

--
Cheers,
Edward
oimastek

Re: Roles assigned on NAM IDP not found on AG Policy Evaluation

edmaa;2496128 wrote:
On 28-02-2019 3:46 AM, oimastek wrote:
>
> I think the AG Policy runs first, before the user is authenticated. Then
> the protected resource behind AG requests authentication and NAM
> authenticates user and sets role. Then for any subsequent calls to the
> PR, the AG doesn't look at the new assigned roles for some reason. Is
> there any way for AG notice the new roles and run the AG Policy with
> them every time a request goes through AG?
>
>

That doesn't sound right. When auth is enabled the first thing that happens is that you get redirected to the IDP for auth, then after authz policies
kick in.

--
Cheers,
Edward


Hi Edward, thanks for responding. In our case auth isn't enabled on the PR.

I tried it with auth enabled; the login works fine in that case but an issue occurs with the logout. The PR is for an ADFS acting as Service Provider in this case. Assuming auth is on, when ADFS sends a SAML Logout Request to NAM, the SAML Logout Response from NAM to ADFS (which goes via the browser) is also intercepted by AG and, since the user is not authenticated any more, a login form is shown to authenticate. The SAML Logout Response gets to ADFS after the user logs on to NAM. We end up with NAM logged in and ADFS logged out. Unfortunately having auth enabled hasn't worked with ADFS logout, unless there is a way to skip authentication for some requests, e.g. to skip the logout SAML response. Please let me know what you think.

Thanks again for your time looking at my post.

Cheers,
Ogeday
edmaa (Knowledge Partner)

Re: Roles assigned on NAM IDP not found on AG Policy Evaluation

On 01-03-2019 2:44 AM, oimastek wrote:
>
> edmaa;2496128 Wrote:
>> On 28-02-2019 3:46 AM, oimastek wrote:
>>>
>>> I think the AG Policy runs first, before the user is authenticated.

>> Then
>>> the protected resource behind AG requests authentication and NAM
>>> authenticates user and sets role. Then for any subsequent calls to the
>>> PR, the AG doesn't look at the new assigned roles for some reason. Is
>>> there any way for AG notice the new roles and run the AG Policy with
>>> them every time a request goes through AG?
>>>
>>>

>> That doesn't sound right. When auth is enabled the first thing that
>> happens is that you get redirected to the IDP for auth, then after authz
>> policies
>> kick in.
>>
>> --
>> Cheers,
>> Edward

>
> Hi Edward, thanks for responding. In our case auth isn't enabled on the
> PR.
>
> I tried it with enabling auth, the login works fine in that case but an
> issue occurs with the Logout. The PR is for an ADFS acting as Service
> Provider in this case. Assuming Auth is on, when ADFS sends a SAML
> Logout Request to NAM, the response from NAM to ADFS (which goes via
> Browser) the SAML Logout Response is also intercepted by AG and since
> not authenticated any more, a login form is shown to authenticate. The
> SAML Logout Response gets to ADFS after user logs on to NAM. We end up
> NAM logged in and ADFS logged out. Unfortunately having auth enabled
> hasn't worked with ADFS logout, unless there is a way to skip
> authentication for some requests, e.g. to skip the logout SAML response.
> Please let me know what you think.
>
> Thanks again for your time looking at my post.


Uhm... I'm utterly confused what you have built here. You protected ADFS with NAM and then you have some SP trying to use that ADFS instance for a SAML auth?


--
Cheers,
Edward
oimastek

Re: Roles assigned on NAM IDP not found on AG Policy Evaluation

edmaa;2496204 wrote:
On 01-03-2019 2:44 AM, oimastek wrote:
>
> edmaa;2496128 Wrote:
>> On 28-02-2019 3:46 AM, oimastek wrote:
>>>
>>> I think the AG Policy runs first, before the user is authenticated.

>> Then
>>> the protected resource behind AG requests authentication and NAM
>>> authenticates user and sets role. Then for any subsequent calls to the
>>> PR, the AG doesn't look at the new assigned roles for some reason. Is
>>> there any way for AG notice the new roles and run the AG Policy with
>>> them every time a request goes through AG?
>>>
>>>

>> That doesn't sound right. When auth is enabled the first thing that
>> happens is that you get redirected to the IDP for auth, then after authz
>> policies
>> kick in.
>>
>> --
>> Cheers,
>> Edward

>
> Hi Edward, thanks for responding. In our case auth isn't enabled on the
> PR.
>
> I tried it with enabling auth, the login works fine in that case but an
> issue occurs with the Logout. The PR is for an ADFS acting as Service
> Provider in this case. Assuming Auth is on, when ADFS sends a SAML
> Logout Request to NAM, the response from NAM to ADFS (which goes via
> Browser) the SAML Logout Response is also intercepted by AG and since
> not authenticated any more, a login form is shown to authenticate. The
> SAML Logout Response gets to ADFS after user logs on to NAM. We end up
> NAM logged in and ADFS logged out. Unfortunately having auth enabled
> hasn't worked with ADFS logout, unless there is a way to skip
> authentication for some requests, e.g. to skip the logout SAML response.
> Please let me know what you think.
>
> Thanks again for your time looking at my post.


uhm....i'm utterly confused what you have built here. You protected ADFS with NAM and then you have some SP trying to use that ADFS instance for a
SAML auth?



Yes indeed, what we have is a peculiar case, where a third party SP is using ADFS as IDP and ADFS is an SP to NAM IDP. The login and logout work fine in this case. But we also have a requirement to redirect the user to a different server depending on a user role. So in order to redirect, I've created a Protected Resource for ADFS and put it behind AG. So currently ADFS is both an SP to NAM and also a Protected Resource to AG. An authorization policy checks the role and does deny->redirect to a URL on a different server depending on user role. Maybe this is not the best way, but please let me know if there is another way to redirect. Thanks for taking the time and sorry for the confusion.
edmaa (Knowledge Partner)

Re: Roles assigned on NAM IDP not found on AG Policy Evaluation

On 02-03-2019 12:16 AM, oimastek wrote:
>


> Yes indeed what we have is a peculiar case, where a third party SP is
> using ADFS as IDP and ADFS is a SP to NAM IDP. The login and logout
> works fine in this case. But we have also a requirement to redirect the
> user to a different server depending on a user role. So in order to
> redirect, I've created a Protected Resource for ADFS and put it behind
> AG.


But this protected resource doesn't have authentication enabled (correct?), so the access gateway wouldn't have a clue about what role the user has, as the user is still anonymous when the authz policy gets executed... I'm not sure how you're going to fix this. Would you know what type of SAML profile you are using by any chance? Browser/POST only or also artefacts?


--
Cheers,
Edward
oimastek

Re: Roles assigned on NAM IDP not found on AG Policy Evaluation

edmaa;2496245 wrote:
On 02-03-2019 12:16 AM, oimastek wrote:
>


> Yes indeed what we have is a peculiar case, where a third party SP is
> using ADFS as IDP and ADFS is a SP to NAM IDP. The login and logout
> works fine in this case. But we have also a requirement to redirect the
> user to a different server depending on a user role. So in order to
> redirect, I've created a Protected Resource for ADFS and put it behind
> AG.


But this protected resource doesn't have authentication enabled (correct?), so the access gateway wouldn't have a clue about what role the user has as
the user is still anonymous when the authz policy gets executed.....I'm not sure how you gonna fix this. Would you know what type of SAML profile you
are using by any chance? Browser/Post only or also artefacts?


You're right, auth isn't enabled on this PR currently. The idea was that after the user is authenticated (it's a SAML POST, not artifact) the SAML response also goes through Access Gateway and, since the user has been authenticated by then, I would expect that SAML response to be redirected, but the AG policy doesn't run again for some reason, or it does run but uses a cache (in which the user was anonymous the first time). If there was a way to clear the cache, or to redirect by any other means, it would be great. Thanks for your responses, appreciate your time.
edmaa (Knowledge Partner)

Re: Roles assigned on NAM IDP not found on AG Policy Evaluation

On 04-03-2019 9:04 PM, oimastek wrote:
>
> You're right the auth not enabled on this PR currently. The idea was
> that after the user is authenticated (it's a SAML POST, not artifact)
> the SAML response also goes through Access Gateway and since the user
> has been authenticated then,


NAM doesn't work that way, due to the fact that the AG and IDP are kinda autonomous in their function and rely on WS-Federation to transfer sessions from the IDP to the ESP (which is the part of the Access Gateway that handles authentication).

> I would expect that SAML response would be
> redirected, but AG policy doesn't run again for some reason, or it does
> run but uses a cache (which it was anonymous the first time). If there
> was a way to clear the cache, or redirect any other means it would be
> great. Thanks for your responses, appreciate your time.


So if you only rely on browser/POST with SAML you could theoretically enable authentication on the PR for ADFS, I reckon. When the user hits it for the first time, they'll get challenged for creds, but from there they are fine and your role stuff works. Have you tried that? If so, what was the issue there?

--
Cheers,
Edward
oimastek

Re: Roles assigned on NAM IDP not found on AG Policy Evaluation

edmaa;2496328 wrote:
On 04-03-2019 9:04 PM, oimastek wrote:
>
> You're right the auth not enabled on this PR currently. The idea was
> that after the user is authenticated (it's a SAML POST, not artifact)
> the SAML response also goes through Access Gateway and since the user
> has been authenticated then,


NAM doesn't work that due to the fact the AG and IDP are kinda autonomous in their function and rely on WS-Federation to transfer sessions from the
IDP to the ESP (which is the part of the Access Gateway that handles authentication).

> I would expect that SAML response would be
> redirected, but AG policy doesn't run again for some reason, or it does
> run but uses a cache (which it was anonymous the first time). If there
> was a way to clear the cache, or redirect any other means it would be
> great. Thanks for your responses, appreciate your time.


So if you only rely on browser/POST with SAML you could theoretically enable authentication on the PR for ADFS I reckon. When the user hits it for the
first time, they'll get challenged for creds but from there they are fine and your role stuff works. Have you tried that? If so, what was the issue there?



Thanks Edward for your response. Yes, you're right: if auth is enabled on the PR for ADFS, when the user hits it the first time they get challenged for creds and then they're fine, the role is picked up. I've tried that; the issue is with logging out. Unfortunately, the logout URL of ADFS is the same as the login one (i.e. /adfs/ls/), and when someone using the web application clicks on the logout link (that points to /adfs/ls/?wa=wsignout1.0), they go via a public PR (that I defined with the URL /adfs/ls/?wa=wsignout1.0 so it goes through). Then ADFS sends a SAML Logout request to NAM, NAM logs out and sends the SAML Logout response to the browser in a 302 redirect that should go to ADFS, but that response is intercepted by Access Gateway because it's a POST request to the same /adfs/ls endpoint as login; since NAM has been logged out, there is no auth and AG prompts for login again (for the SAML Logout response), the user enters creds, and then the ADFS logout screen appears. This is obviously not acceptable for the user. If there was a way to have different ADFS endpoints for logout, such as /adfs/lso or /adfs/logout, then we could add that to a public PR and it would go through without prompting for creds, wouldn't it? I've had a look into creating an additional endpoint for logout on ADFS; it doesn't seem possible. I've also tried redirecting /adfs/ls/?wa=wsignout1.0 to the AGLogout URL on AG; that ended up logging out NAM and AG and shows the logout confirmation from AG, but ADFS isn't then made aware of this logout, and in the web application the session is still there and they appear logged in. Any comments much appreciated, let me know your thoughts. Thanks for your time.
edmaa (Knowledge Partner)

Re: Roles assigned on NAM IDP not found on AG Policy Evaluation

On 09-03-2019 2:06 AM, oimastek wrote:
>


> Thanks Edward for your response. Yes you're right if the auth enabled on
> the PR for ADFS, when the user hits it first time, they get challenge
> for creds and they're fine, role is picked up. I've tried that, the
> issue is with logging out. Unfortunately, the logout url of ADFS is the
> same as login (i.e. /adfs/ls/ ) and when someone using the web
> application clicks on the logout link (that points to
> /adfs/ls/?wa=wsignout1.0), they go via public PR (that I defined with
> url being /adfs/ls/?wa=wsignout1.0 so it goes through). Then the ADFS
> sends a SAML Logout request to NAM, NAM Logs out and sends the SAML
> Logout response to browser in a 302 redirect request that should go to
> ADFS but that response is intercepted by Access Gateway, because it's
> POST request to the same /adfs/ls endpoint as login, since NAM has been
> logged out, there is no auth and AG prompts for login again (for the
> SAML Logout response), user enters creds, and then ADFS logout screen
> appears. This is obviously not acceptable for the user. If there was a
> way to have ADFS different endpoints for logout, such as /adfs/lso or
> /adfs/logout then we could add that to a public PR and it would go
> through without prompting for cred wouldn't it? I've had a look into
> creating an additional endpoint for logout on ADFS, it doesn't seem
> possible. I've also tried redirecting /adfs/ls/?wa=wsignout1.0 to
> AGLogout url on AG, that ended logging out NAM and AG, and shows the
> logout confirmation from AG, but ADFS isn't then made aware of this
> logout, and the web application the session is still there and they
> appear logged in. Any comments much appreciated, let me know your
> thoughts. Thanks for your time.


Ah ok, so you imported the default metadata. In my opinion, the Single Logout (SLO) feature in SAML 2 is crap and it can cause a lot of issues (as per above). Is SLO a must have? If not, you can very easily disable it. Export the NAM metadata, remove the metadata signature and under the IDP section remove all the references to single logout. Import what's left into ADFS and then the above problem shouldn't occur. Now obviously the challenge then is how to logout the user from NAM once they have logged out from ADFS....


--
Cheers,
Edward
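Edward's metadata edit is mechanical enough to script so that it is repeatable and the result can be checked before it is imported into ADFS. The script below is an added example, not NetIQ's or Micro Focus's code and not something from this thread: it removes the enveloped ds:Signature (an edited document can no longer verify against it, which is why Edward says to drop it) and every SingleLogoutService under IDPSSODescriptor, while leaving SingleSignOnService untouched, and it reports counts so you can confirm exactly what was removed. The sample metadata is a constructed stand-in for a NAM IDP export; its entityID, endpoint URLs and signature value are placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)   # keep the md:/ds: prefixes on output

# Constructed stand-in for exported NAM IDP metadata; entityID, endpoint URLs
# and the signature value are placeholders, not values from the thread.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://nam.example.test/nidp/saml2/metadata">
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
  </ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://nam.example.test/nidp/saml2/slo"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://nam.example.test/nidp/saml2/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://nam.example.test/nidp/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def strip_single_logout(metadata_xml):
    """Return (modified_xml, counts).

    Removes the enveloped ds:Signature, because the edited document would no
    longer verify against it, and every SingleLogoutService inside each
    IDPSSODescriptor. SingleSignOnService and everything else is left as is.
    """
    root = ET.fromstring(metadata_xml)
    counts = {"signature": 0, "slo": 0}
    for sig in root.findall("ds:Signature", NS):
        root.remove(sig)
        counts["signature"] += 1
    for idp in root.iter(f"{{{MD}}}IDPSSODescriptor"):
        for slo in idp.findall("md:SingleLogoutService", NS):
            idp.remove(slo)
            counts["slo"] += 1
    return ET.tostring(root, encoding="unicode"), counts


def endpoint_summary(metadata_xml):
    """Counts of the element types this edit touches, for a before/after check."""
    root = ET.fromstring(metadata_xml)
    return {
        "signature": sum(1 for _ in root.iter(f"{{{DS}}}Signature")),
        "slo": sum(1 for _ in root.iter(f"{{{MD}}}SingleLogoutService")),
        "sso": sum(1 for _ in root.iter(f"{{{MD}}}SingleSignOnService")),
    }


if __name__ == "__main__":
    print("before:", endpoint_summary(SAMPLE_METADATA))
    stripped, removed = strip_single_logout(SAMPLE_METADATA)
    print("removed:", removed)
    print("after:", endpoint_summary(stripped))
    print(stripped)
```

Run it on the real export by reading the file into `strip_single_logout` and writing the returned string out; the before/after summary should show the signature and SLO counts going to zero and the SSO count unchanged. Because ADFS then has no SLO endpoint for NAM, an ADFS sign-out no longer produces the LogoutRequest/LogoutResponse round trip that the gateway was intercepting, but, as Edward notes, it also means the NAM session is not terminated by that sign-out and needs to be ended by some other route (the AGLogout URL mentioned earlier in the thread, or session timeout).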