Configuring eDirectory SAML Assertions

Configuring eDirectory SAML Assertions

You may have seen issues where when working with the IDM User Application or IDMDash after a while, you seem to be logged in yet the application seems to not able to retrieve information from the directory. We first started seeing this behavior when OSP was added in to IDM at version 4.5



Geoff Carman has worked for me for over 10 years. He is my Subject Area Master for Identity and Access Management (yes, SAM-IAM) and has already written a great multi-part highly detailed article on the phenomenon: https://www.netiq.com/communities/cool-solutions/troubleshooting-osp-idm-4-5-part-2/ as only Geoffrey can.



 

On a side-note, I believe Geoffrey types so fast he dilates time.


 

While this has been documented before, while sometimes I want to see how the sausage is made, more often than not I just I find myself looking for a recipe. So here it is.



The Challenge



The problem, netted out, is that the timeout value in the IDM User Application is longer than the timeout value in the SAML authentication configuration in eDirectory. So you could be working for 18 minutes in User App, have timed out your session to eDirectory but not timed out the session to User App. Application seems happy on the surface but can’t get the data it needs under the hood.



 

It all comes down to one simple thing, which is that
it never comes down to one simple thing” - Rob Rawson


 

The intuitive solution should be to make them match. Ideally these would be similar parameters which actually mean the same thing, so it would be simple. But of course nothing is that simple. Nonetheless, once you know how to tune this parameter through this recipe, you can adjust it longer till it works best for you. So I start with trying to make them as close as possible.



How much time is enough time?



To determine the configured timeout value in the IDM User Application, run configupdate.sh (see /opt/netiq/idm/apps/UserApplication), select advanced options and the authentication tab.



img-1

The timeout for SAML assertions in eDirectory must be longer than this value. In eDirectory the default is 1000 seconds or 16 2/3 minutes. To match the 20 minute UA timeout, the eDirectory value must be 1200 seconds or longer.



Configuring eDirectory



In order to set the timeout, login to iManager as an administrator. Browse to the security container, Authorized Login Methods and select SAML Assertion. Within that container you will find an instance of the configuration



img-2

Under this object you will find the SAML configuration



img-3

Edit this object. Select the authsamlValidAfter attribute.



img-4

Set the value to one second longer in eDirectory than in the IDM User Application; for example, for 20 minutes + one second, set the value to 1201.



img-5

Conclusion


It would be nice if the installation tools for IDM were to configure this for you. However, as I said before, this value might not be sufficient in all cases. If you need to raise the authentication window higher, the security exposure is small. As far as I am aware, the only application that is using this eDirectory NMAS authentication method is the IDM Applications so we should be safe.

Labels (1)
Attachments

DISCLAIMER:

Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.
Comments
If you have intruder detection enabled you will see this issue manifest as users getting locked out. The app makes REST calls and each time it tries the user will get another failed attempt.
Top Contributors
Version history
Revision #:
4 of 4
Last update:
‎2020-03-10 18:52
Updated by:
 
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.