janvdmeij Absent Member.
2529 views

Integration with NetIQ Access Manager 4.4

Hello all,

I have got the integration between NAM 4.4 and Advanced Authentication working fine based on the OAuth2 method.

Now I have two choices:

1. Leaving the first authentication in NAM (ldap name/pwd) and the second (smartphone) in NAAF
2. Setting NAM to use NAAF as primary and secondary authenticator (ldap name/pwd and smartphone e.g.).

The first choice works, except that after the initial login NAAF asks me again for only the username. This seems to be a bug.

The second choice works fine. But with the disadvantage that NAM is not able to SSO to a second proxy service with the same login. Somehow NAM has to get the credentials back from NAAF to be able to deliver the SSO for the second. Does anyone know how to do this?

Jan
0 Likes
9 Replies
AutomaticReply Absent Member.

Re: Integration with NetIQ Access Manager 4.4

janvdmeij,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort, volunteer run and that if your issue
is urgent or not getting a response, you might try one of the following options:

- Visit https://www.microfocus.com/support-and-services and search the knowledgebase and/or check
all the other self support options and support programs available.
- Open a service request: https://www.microfocus.com/support
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.microfocus.com)
- You might consider hiring a local partner to assist you.
https://www.partnernetprogram.com/partnerfinder/find.html

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.microfocus.com/faq.php

Sometimes this automatic posting will alert someone that can respond.

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot.

Good luck!

Your Micro Focus Forums Team
http://forums.microfocus.com



0 Likes
Knowledge Partner

Re: Integration with NetIQ Access Manager 4.4

On 07-05-2018 10:16 PM, janvdmeij wrote:
>
> Hello all,
>
> I have got the integration between NAM 4.4 and Advanced Authentication
> working fine based on the OAuth2 method.
>
> Now I have two choices:
>
> 1. Leaving the first authentication in NAM (ldap name/pwd) and the
> second (smartphone) in NAAF
> 2. Setting NAM to use NAAF as primary and secondary authenticator (ldap
> name/pwd and smartphone e.g.).
>
> The first choice works, except that after the initial login NAAF asks me
> again for only the username. This seems to be a bug.


That's weird, NAM should send the username in the JSON string. Check your IDP logs.




--
Cheers,
Edward
0 Likes
janvdmeij Absent Member.

Re: Integration with NetIQ Access Manager 4.4

edmaa;2480906 wrote:
On 07-05-2018 10:16 PM, janvdmeij wrote:
>
> Hello all,
>
> I have got the integration between NAM 4.4 and Advanced Authentication
> working fine based on the OAuth2 method.
>
> Now I have two choices:
>
> 1. Leaving the first authentication in NAM (ldap name/pwd) and the
> second (smartphone) in NAAF
> 2. Setting NAM to use NAAF as primary and secondary authenticator (ldap
> name/pwd and smartphone e.g.).
>
> The first choice works, except that after the initial login NAAF asks me
> again for only the username. This seems to be a bug.


That's weird, NAM should send the username in the JSON string. Check your IDP logs.




--
Cheers,
Edward



Hi Edward,

Still struggling with it. I can see this in the /var/opt/novell/nam/logs/idp/nidplogs:


<amLogEntry seq="647" d="2018-06-14T19:15:25Z" lg="Application" lv="SEVERE" th="37" ><msg>Got exception while getting the signed data: java.io.IOException: Server returned HTTP response code: 400 for URL: https://aa.xxxxxx.xx/osp/a/TOP/auth/oauth2/sign?data={"username":"jme","LoginParameters":{"internal.osp.oidp.aa.chain-name":"NAMChain"}}</msg></amLogEntry>
<amLogEntry seq="668" d="2018-06-14T19:48:58Z" lg="Application" lv="SEVERE" th="29" ><msg>Got exception while getting the signed data: java.io.IOException: Server returned HTTP response code: 400 for URL: https://aa.xxxxxx.xx/osp/a/TOP/auth/oauth2/sign?data={"username":"jme","LoginParameters":{"internal.osp.oidp.aa.chain-name":"NAMChain"}}</msg></amLogEntry>

Here I see that the name is sent, but refused.

But the URL aa.xxxxxx.xx/osp/a/TOP is valid and accessible.

Jan
0 Likes
Anonymous_User Absent Member.

Re: Integration with NetIQ Access Manager 4.4

Jan
For what it is worth, I am seeing exactly the same: The JSON containing
the username is posted, but no authentication happens:

<amLogEntry> 2018-06-08T17:40:03Z SEVERE NIDS Application: Got exception
while getting the signed data: java.io.IOException: Server returned
HTTP response code: 400 for URL:
https://auth.mysite.com/osp/a/TOP/auth/oauth2/sign?data={"username":"testuser"}
</amLogEntry>

The 400 reply indicates bad request. I'm guessing the post it is making
is not trusted as the previous message suggests it has failed to get the
oauth data.

Just going to recreate the trust between NAM and AAS

PaulK

On 14/06/18 21:16, janvdmeij wrote:
>
> edmaa;2480906 Wrote:
>> On 07-05-2018 10:16 PM, janvdmeij wrote:
>>>
>>> Hello all,
>>>
>>> I have got the integration between NAM 4.4 and Advanced Authentication
>>> working fine based on the OAuth2 method.
>>>
>>> Now I have two choices:
>>>
>>> 1. Leaving the first authentication in NAM (ldap name/pwd) and the
>>> second (smartphone) in NAAF
>>> 2. Setting NAM to use NAAF as primary and secondary authenticator (ldap
>>> name/pwd and smartphone e.g.).
>>>
>>> The first choice works, except that after the initial login NAAF asks me
>>> again for only the username. This seems to be a bug.
>>
>> That's weird, NAM should send the username in the JSON string. Check your
>> IDP logs.
>>
>> --
>> Cheers,
>> Edward
>
> Hi Edward,
>
> Still struggling with it. I can see this in the
> /var/opt/novell/nam/logs/idp/nidplogs:
>
> <amLogEntry seq="647" d="2018-06-14T19:15:25Z" lg="Application"
> lv="SEVERE" th="37" ><msg>Got exception while getting the signed data:
> java.io.IOException: Server returned HTTP response code: 400 for URL:
> https://aa.xxxxxx.xx/osp/a/TOP/auth/oauth2/sign?data={"username":"jme","LoginParameters":{"internal.osp.oidp.aa.chain-name":"NAMChain"}}</msg></amLogEntry>
> <amLogEntry seq="668" d="2018-06-14T19:48:58Z" lg="Application"
> lv="SEVERE" th="29" ><msg>Got exception while getting the signed data:
> java.io.IOException: Server returned HTTP response code: 400 for URL:
> https://aa.xxxxxx.xx/osp/a/TOP/auth/oauth2/sign?data={"username":"jme","LoginParameters":{"internal.osp.oidp.aa.chain-name":"NAMChain"}}</msg></amLogEntry>
>
> Here I see that the name is sent, but refused.
>
> But the URL aa.xxxxxx.xx/osp/a/TOP is valid and accessible.
>
> Jan

0 Likes
Knowledge Partner

Re: Integration with NetIQ Access Manager 4.4

On 15-06-2018 9:48 PM, PaulK wrote:

> Just going to recreate the trust between NAM and AAS


That was going to be my suggestion as well.


--
Cheers,
Edward
0 Likes
janvdmeij Absent Member.

Re: Integration with NetIQ Access Manager 4.4

Yes, I think you are right. And I was thinking in the same direction. But the trust is established by filling in the details in the plugin. But see my thread later in this forum.

What is the servername I have to use here? The internal AAF servername? Or the Access Manager Proxy name? Because AAF itself is also behind Access Manager. And I can see that the trust is established in AAF (endpoint created). But the endpoint that is created is the internal servername of the Access Manager. And that is different from the login url of the Access Manager which is login.domain.com.

I am afraid that the trust is established based on the internal servername of the Access Manager. While the URL that is sent is different and there is no way to correct that.

Jan
0 Likes
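A quick way to triage the nidplogs entries quoted above, as an added example that is not from the thread and not code from NAM or Advanced Authentication: the script below pulls every "Got exception while getting the signed data" record out of the IDP log, extracts the HTTP status, the host and path NAM called, and the JSON `data` payload from the sign URL, and then reports whether a username was actually sent, which AA chain was requested, and whether the host NAM called matches the host you expect the AA endpoint to be registered under. The sample input is constructed from Jan's two entries (AA hostname masked as in the thread) and PaulK's differently wrapped entry, plus a made-up INFO line that must be ignored. `expected_aa_host` is an assumed value, and the host-comparison note is a heuristic built on Jan's internal-name-versus-proxy-name question, not a documented product check.

```python
"""Triage 'getting the signed data' failures in NAM IDP nidplogs.

Added example for this thread, not code from NAM or Advanced Authentication.
It parses <amLogEntry> records, extracts HTTP status, host, path and the JSON
`data` payload from the AA sign URL, and reports whether the username was
sent and whether the host NAM called is the one you expect.
"""
import json
import re
from urllib.parse import urlsplit, unquote

# Constructed sample input: Jan's two SEVERE entries (AA host masked as in the
# thread), PaulK's differently formatted entry, and one made-up INFO entry
# that must be ignored.
SAMPLE_LOG = (
    '<amLogEntry seq="646" d="2018-06-14T19:15:24Z" lg="Application" lv="INFO" '
    'th="37" ><msg>Executing authentication class NAMChain</msg></amLogEntry>\n'
    '<amLogEntry seq="647" d="2018-06-14T19:15:25Z" lg="Application" lv="SEVERE" '
    'th="37" ><msg>Got exception while getting the signed data: '
    'java.io.IOException: Server returned HTTP response code: 400 for URL: '
    'https://aa.xxxxxx.xx/osp/a/TOP/auth/oauth2/sign?data={"username":"jme",'
    '"LoginParameters":{"internal.osp.oidp.aa.chain-name":"NAMChain"}}'
    '</msg></amLogEntry>\n'
    '<amLogEntry seq="668" d="2018-06-14T19:48:58Z" lg="Application" lv="SEVERE" '
    'th="29" ><msg>Got exception while getting the signed data: '
    'java.io.IOException: Server returned HTTP response code: 400 for URL: '
    'https://aa.xxxxxx.xx/osp/a/TOP/auth/oauth2/sign?data={"username":"jme",'
    '"LoginParameters":{"internal.osp.oidp.aa.chain-name":"NAMChain"}}'
    '</msg></amLogEntry>\n'
    '<amLogEntry> 2018-06-08T17:40:03Z SEVERE NIDS Application: Got exception\n'
    'while getting the signed data: java.io.IOException: Server returned\n'
    'HTTP response code: 400 for URL:\n'
    'https://auth.mysite.com/osp/a/TOP/auth/oauth2/sign?data={"username":"testuser"}\n'
    '</amLogEntry>\n'
)

ENTRY_RE = re.compile(r'<amLogEntry\b.*?</amLogEntry>', re.S)
SEQ_RE = re.compile(r'seq="(\d+)"')
DATE_RE = re.compile(r'(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)')
# URL ends at whitespace or at the closing </msg> tag.
SIGN_ERR_RE = re.compile(
    r'getting the signed data: .*?HTTP response code: (?P<code>\d{3}) '
    r'for URL: (?P<url>[^\s<]+)')
CHAIN_KEY = 'internal.osp.oidp.aa.chain-name'


def parse_sign_failures(log_text):
    """Return one dict per failed call to the AA /auth/oauth2/sign endpoint."""
    failures = []
    for entry in ENTRY_RE.findall(log_text):
        flat = re.sub(r'\s+', ' ', entry)   # PaulK's entry is wrapped over lines
        err = SIGN_ERR_RE.search(flat)
        if not err:
            continue
        url = urlsplit(err.group('url'))
        _, _, raw = url.query.partition('=')  # query is data=<json>
        try:
            payload = json.loads(unquote(raw))
        except ValueError:
            payload = None
        seq = SEQ_RE.search(flat)
        date = DATE_RE.search(flat)
        params = (payload or {}).get('LoginParameters') or {}
        failures.append({
            'seq': int(seq.group(1)) if seq else None,
            'date': date.group(1) if date else None,
            'http_code': int(err.group('code')),
            'host': url.hostname,
            'path': url.path,
            'payload': payload,
            'chain': params.get(CHAIN_KEY),
        })
    return failures


def classify(failure, expected_aa_host):
    """Short findings for one failure; expected_aa_host is an assumed value."""
    notes = []
    payload = failure['payload'] or {}
    if failure['http_code'] == 400:
        notes.append('AA answered 400 Bad Request: the request arrived but was rejected')
    if payload.get('username'):
        notes.append('username %r was in the data payload, so NAM did send the name'
                     % payload['username'])
    else:
        notes.append('no username in the data payload')
    if failure['chain']:
        notes.append('requested AA chain: ' + failure['chain'])
    # Assumed heuristic from Jan's question: if the host NAM calls is not the
    # one the AA endpoint/trust was registered for, suspect a hostname mismatch.
    if (failure['host'] or '').lower() != expected_aa_host.lower():
        notes.append('sign URL host %s differs from expected AA host %s'
                     % (failure['host'], expected_aa_host))
    return notes


if __name__ == '__main__':
    for f in parse_sign_failures(SAMPLE_LOG):
        print(f['seq'], f['date'], f['http_code'], (f['host'] or '') + f['path'])
        for n in classify(f, 'aa.xxxxxx.xx'):
            print('   -', n)
```

Run it against a real nidplogs file by replacing `SAMPLE_LOG` with the file contents; the "differs from expected AA host" note is only meaningful if you set `expected_aa_host` to the name the AA endpoint was actually created with.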
janvdmeij Absent Member.

Re: Integration with NetIQ Access Manager 4.4

janvdmeij;2480475 wrote:
Hello all,

I have got the integration between NAM 4.4 and Advanced Authentication working fine based on the OAuth2 method.

Now I have two choices:

1. Leaving the first authentication in NAM (ldap name/pwd) and the second (smartphone) in NAAF
2. Setting NAM to use NAAF as primary and secondary authenticator (ldap name/pwd and smartphone e.g.).

The first choice works, except that after the initial login NAAF asks me again for only the username. This seems to be a bug.

The second choice works fine. But with the disadvantage that NAM is not able to SSO to a second proxy service with the same login. Somehow NAM has to get the credentials back from NAAF to be able to deliver the SSO for the second. Does anyone know how to do this?

Jan


The first bug (asking me for a username for AAF after authenticating to AM) is fixed! After a long SR there is a bug fix. The bugfix is an update to the OAuth plugin in Access Manager. I tested it with AM 4.4SP1 and AAF 6.0 and it works. But the fix will also be in the SP2 update of Access Manager that will be released today.

Jan
0 Likes
Anonymous_User Absent Member.

Re: Integration with NetIQ Access Manager 4.4

On 29/06/18 15:04, janvdmeij wrote:
>
> janvdmeij;2480475 Wrote:
>> Hello all,
>>
>> I have got the integration between NAM 4.4 and Advanced Authentication
>> working fine based on the OAuth2 method.
>>
>> Now I have two choices:
>>
>> 1. Leaving the first authentication in NAM (ldap name/pwd) and the
>> second (smartphone) in NAAF
>> 2. Setting NAM to use NAAF as primary and secondary authenticator (ldap
>> name/pwd and smartphone e.g.).
>>
>> The first choice works, except that after the initial login NAAF asks me
>> again for only the username. This seems to be a bug.
>>
>> The second choice works fine. But with the disadvantage that NAM is not
>> able to SSO to a second proxy service with the same login. Somehow NAM
>> has to get the credentials back from NAAF to be able to deliver the SSO
>> for the second. Does anyone know how to do this?
>>
>> Jan

>
> The first bug (asking me for a username for AAF after authenticating to
> AM) is fixed! After a long SR there is a bug fix. The bugfix is an
> update to the OAuth plugin in Access Manager. I tested it with AM 4.4SP1
> and AAF 6.0 and it works. But the fix will also be in the SP2 update of
> Access Manager that will be released today.
>
> Jan
>
>

Did some testing of the combination of AAF 6.0 and NAM 4.4.2 after it
came out last week, and most of the bugs do seem to have been cleaned out.

You mention that using the AAF General class as the primary
authenticator does not let you then authenticate to a second proxy
service. Is this because you are using the credential password in an
injection or formfill policy? With the OAuth I think only a token with
the username is passed back to NAM; the password is not (and should not)
be returned. I can get round this limitation if the user source is eDir
by the standard means of adding the Password Fetch as a method in the
Contract like we do for Kerberos.

Another issue I have seen, and which is still there, is that if you log
out of the NAM IDP portal after authenticating with an AAF contract that
is the primary authenticator, only the NAM session component is negated;
if you attempt to use the same contract without closing the window,
then AAF continues its existing authenticated session and just returns
silently. So there is no SLO, unlike say a SAML session with O365,
where NAM IDP will try to logout of the external resource as well.

regards
PaulK
0 Likes
janvdmeij Absent Member.

Re: Integration with NetIQ Access Manager 4.4

PaulK;2483346 wrote:
On 29/06/18 15:04, janvdmeij wrote:
>
> janvdmeij;2480475 Wrote:
>> Hello all,
>>
>> I have got the integration between NAM 4.4 and Advanced Authentication
>> working fine based on the OAuth2 method.
>>
>> Now I have two choices:
>>
>> 1. Leaving the first authentication in NAM (ldap name/pwd) and the
>> second (smartphone) in NAAF
>> 2. Setting NAM to use NAAF as primary and secondary authenticator (ldap
>> name/pwd and smartphone e.g.).
>>
>> The first choice works, except that after the initial login NAAF asks me
>> again for only the username. This seems to be a bug.
>>
>> The second choice works fine. But with the disadvantage that NAM is not
>> able to SSO to a second proxy service with the same login. Somehow NAM
>> has to get the credentials back from NAAF to be able to deliver the SSO
>> for the second. Does anyone know how to do this?
>>
>> Jan

>
> The first bug (asking me for a username for AAF after authenticating to
> AM) is fixed! After a long SR there is a bug fix. The bugfix is an
> update to the OAuth plugin in Access Manager. I tested it with AM 4.4SP1
> and AAF 6.0 and it works. But the fix will also be in the SP2 update of
> Access Manager that will be released today.
>
> Jan
>
>

Did some testing of the combination of AAF 6.0 and NAM 4.4.2 after it
came out last week, and most of the bugs do seem to have been cleaned out.

You mention that using the AAF General class as the primary
authenticator does not let you then authenticate to a second proxy
service. Is this because you are using the credential password in an
injection or formfill policy? With the OAuth I think only a token with
the username is passed back to NAM; the password is not (and should not)
be returned. I can get round this limitation if the user source is eDir
by the standard means of adding the Password Fetch as a method in the
Contract like we do for Kerberos.

Another issue I have seen, and which is still there, is that if you log
out of the NAM IDP portal after authenticating with an AAF contract that
is the primary authenticator, only the NAM session component is negated;
if you attempt to use the same contract without closing the window,
then AAF continues its existing authenticated session and just returns
silently. So there is no SLO, unlike say a SAML session with O365,
where NAM IDP will try to logout of the external resource as well.

regards
PaulK


Yes, that is what I mean. I used the Password Fetch method also. But even then it did not work. I did not check it after the update.

The other issue I can confirm also.

And what I see is that when NAM is the primary authenticator, when the NAM session times out a re-authentication fails on the secondary NAAF authenticator when the browser is not closed before.

Jan
0 Likes