Super Contributor.

OSP 6.3.8 and Chrome / Edge browsers


We recently updated our Dev environment from 4.7.3 to 4.7.4.1

We use Shibboleth with OSP

After the upgrade the application works fine; however, when trying to log in with Chrome or Edge we get the following error: Error: An Identity Provider response was received that failed to authenticate this session.

The issue is that this error doesn't happen in Firefox, and even more odd is that if you refresh Edge or Chrome a few times it may log in. The OSP logs haven't been a lot of help, nor the IDP logs. From the Shib side everything appears normal; however, in the OSP log the only error is:
Forwarding:
Page: /idm/jsp/err.jsp
Attributes:
usermessage=An Identity Provider response was received that failed to authenticate this session.

 

Has anyone else encountered this type of issue with OSP 6.3.8?

Accepted Solutions
Micro Focus Expert

This issue could be related to Tomcat bug https://bz.apache.org/bugzilla/show_bug.cgi?id=64210.

The suggestion is to upgrade Tomcat 9.0.31 that was bundled with IDM 4.7.4 and replace it with the current 9.x version (9.0.37)

--
Norbert

Super Contributor.
This was the issue. I'm not sure if MF knows about the flaw or not but I'm going to email our contact to let them know. Thank you so much for the assist.
Micro Focus Expert

This is tracked in Bug 1172712 - Workflows fail with CSRF (Cross-site Request Forgery) after upgrade to 4.7.4

--
Norbert
Outstanding Contributor.

Hi Norbert,

 

According to a teammate, IDM 4.8.1 running Tomcat 9.0.33 is affected as well by this and/or other known issues where users were affected by slow response times. In this case support suggested to manually upgrade Tomcat as well to (at least) 9.0.37.

Can you confirm that it is suggested to manually upgrade Tomcat in IDM 4.8.1 environments as well? Would it be safe and sufficient to simply replace /opt/netiq/idm/tomcat with the content of the current tomcat*.tar.gz?

Do you know, if there is an official patch on the way 😉

Kind regards,

Throsten

Outstanding Contributor.
Hi everybody,

Meanwhile I received the information from support that Tomcat 9.0.37 is recommended to be used with IDM 4.8.1 as well!
After stopping Tomcat I renamed the /opt/netiq/idm/tomcat folder and placed a new folder extracted from the Tomcat 9.0.37 archive in /opt/netiq/idm.
It is mandatory to change the ownership of all new files to novlua:novlua after extraction.
At last I created a symlink to the new Tomcat directory with the name tomcat.
There were no issues restarting netiq-tomcat.service after these changes, and catalina.out is now showing the current Tomcat version.
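
A check for the end state described in the post above, as an added example that is not part of the thread or of any Micro Focus tooling: it reads the Tomcat version from the latest startup banner in catalina.out, compares it with the 9.0.37 minimum named in the thread, and lists files not owned by the service account. The function names are hypothetical, the sample log lines are constructed, and the catalina.out location is passed as an argument because the thread does not give it.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample log lines are constructed.
MIN_VERSION="9.0.37"   # minimum Tomcat version recommended in the thread

# Constructed catalina.out excerpt: one start before and one after the swap.
sample_log() {
cat <<'EOF'
01-Aug-2020 09:00:01.000 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name:   Apache Tomcat/9.0.31
01-Aug-2020 09:30:12.000 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name:   Apache Tomcat/9.0.37
EOF
}

# Print the version from the most recent startup banner in log file $1.
tomcat_version_from_log() {
    sed -n 's/.*Server version name:[[:space:]]*Apache Tomcat\/\([0-9][0-9.]*\).*/\1/p' "$1" | tail -n 1
}

# Return 0 if dotted version $1 >= $2, comparing each component numerically.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# List entries under $1 (a symlink is followed) not owned by user $2 and group $3.
files_with_wrong_owner() {
    find -H "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# $1 = catalina.out, $2 = Tomcat directory, $3 = user, $4 = group.
check_tomcat_upgrade() {
    v=$(tomcat_version_from_log "$1")
    [ -n "$v" ] || { echo "no Tomcat startup banner in $1"; return 2; }
    version_ge "$v" "$MIN_VERSION" || { echo "Tomcat $v is older than $MIN_VERSION"; return 1; }
    bad=$(files_with_wrong_owner "$2" "$3" "$4" | head -n 5)
    [ -z "$bad" ] || { echo "not owned by $3:$4:"; echo "$bad"; return 1; }
    echo "Tomcat $v, ownership OK"
}

# Run only when a log file and directory are given; owner defaults to novlua:novlua.
if [ "$#" -ge 2 ]; then
    check_tomcat_upgrade "$1" "$2" "${3:-novlua}" "${4:-novlua}"
fi
```

Called with the catalina.out path and /opt/netiq/idm/tomcat, it exits non-zero if the running version is below 9.0.37 or if any extracted file was left with the wrong owner.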