Valued Contributor.

Access request - Approval failed

Hi,

Running IGA 3.5.1 on SLES 12.4 with MSSQL.
OSP 6.2 is installed on identity apps server (4.7.3)

We have issues with approving access requests.

I have a permission that I have connected to a request- and an approval policy. The approval policy contains one approval step (approval by specific user).

Case:
I log in as an end-user and request the permission.
The approval request is sent to the approver, and there are no errors in the interface when approving the request. However, when submitting the approval this gets logged in Catalina:

[WARNING] 2020-05-25 14:49:17 com.netiq.iac.server.j2ee.AuthFilter doFilter - [IG-SERVER] User Service: null (null) is authenticated and logged in, but does not have access to the Identity Governance application.

If I log back in as the requester and check "My requests", the request status is now "Approval Failed". No errors if I expand the request, "Approval Step 1" is listed as completed. The request is not sent to fulfillment.

Would appreciate suggestions on how to resolve this.

 


Accepted Solutions
Micro Focus Expert

Re: Access request - Approval failed

Greetings,

This has been covered in the following thread:

"User Service: iac is authenticated and logged in, but does not have access to the Identity Governance application."

https://community.microfocus.com/t5/IGA-User-Discussions/User-Service-iac-is-authenticated-and-logged-in-but-does-not/m-p/2254791#M264

 

Here is the solution I had posted in the above thread:

"
ID Gov 3.5.x and newer require that OSP provide it a JWT token. When OSP is installed from the ID Gov media, the necessary property and value will be added in the ism-configuration.properties file:

com.netiq.idm.osp.oauth.access-token-format.format = jwt


However, the early versions of IDM 4.7.x when installing OSP did not add the necessary entries. There was a patch around January 2019 and documentation for IDM 4.7.1 https://download.microfocus.com/Download?buildid=weejwXqB_gg~ from the IDM outlining this accordingly. Then for ID 4.7.2 it was fully added to the docs:
https://www.netiq.com/documentation/identity-manager-47/releasenotes_idm472/data/releasenotes_idm472.html
https://www.netiq.com/documentation/identity-manager-47/identity_apps_admin_472/data/configure-idm-for-ig.html

That one had to add the following two (2) properties in ism-configuration.properties file on the ID Apps/OSP server:
com.netiq.idm.osp.oauth.access-token-format.format = jwt
com.netiq.idm.osp.oauth.attr.roles.maxValues = 1

 

In your case, on the ID Apps/OSP server the two (2) entries are in the ism-configuration.properties file, but they are not complete:

com.netiq.idm.osp.oauth.access-token-format.format =
com.netiq.idm.osp.oauth.attr.roles.maxValues = 1


When the property (com.netiq.idm.osp.oauth.access-token-format.format) is either not present or empty, OSP will default to opaque tokens instead of JWT. Outlining the use of JWT token on the IDM does no harm because IDM 4.7.x is not utilizing them so all will default back to opaque for them.


At this point, you just need to update the property on the ID Apps/OSP server, clear out the localhost folder, and restart. After that, a new request within Access Request of ID Gov should work.
"

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
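
The check described in the answer above, as an added example that is not part of the original post or of any Micro Focus tooling: it audits an ism-configuration.properties file for the two properties named in the post and structurally tests whether an access token is a JWT rather than an opaque token. Assumptions: the function names are hypothetical, the parser handles single-line entries only, and the sample file content and tokens are constructed.

```python
import base64, json, re, sys

TOKEN_FORMAT = "com.netiq.idm.osp.oauth.access-token-format.format"
ROLES_MAX = "com.netiq.idm.osp.oauth.attr.roles.maxValues"

def parse_properties(text):
    """Single-line Java .properties entries: '#'/'!' comments, '=' or ':' separator, last duplicate wins."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
            if m:
                props[m.group(1)] = m.group(2).strip()
    return props

def audit_osp_for_idgov(text):
    """Findings for the two properties named in the post; an empty list means both are set as posted."""
    props, findings = parse_properties(text), []
    fmt = props.get(TOKEN_FORMAT)
    if not fmt:
        state = "missing" if fmt is None else "empty"
        findings.append(f"{TOKEN_FORMAT} is {state}: OSP falls back to opaque tokens")
    elif fmt != "jwt":
        findings.append(f"{TOKEN_FORMAT} is {fmt!r}, expected 'jwt'")
    if props.get(ROLES_MAX) != "1":
        findings.append(f"{ROLES_MAX} is {props.get(ROLES_MAX)!r}, expected '1'")
    return findings

def looks_like_jwt(token):
    """Structural check only (no signature verification): three parts and a JSON header with 'alg'."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4)))
    except ValueError:
        return False
    return isinstance(header, dict) and "alg" in header

# Constructed sample reproducing the incomplete entry quoted in the post.
SAMPLE = """\
com.netiq.idm.osp.oauth.access-token-format.format =
com.netiq.idm.osp.oauth.attr.roles.maxValues = 1
"""

if __name__ == "__main__":
    # Pass the path to ism-configuration.properties as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for finding in audit_osp_for_idgov(text) or ["both properties are set as in the post"]:
        print(finding)
```

Run it against the file on the ID Apps/OSP server before and after the change; the restart described in the post is still required for OSP to pick up the new value.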

Valued Contributor.

Re: Access request - Approval failed

Thank you Steven. That resolved the issue.