Absent Member.

UA 45 and Access Manager Logout

I have configured Access Manager to form fill and login to UA (which uses
OSP and all that).

Now, when I log out of userapp, the browser goes into a loop (doing
something which is too fast to see, over and over).

I would like the logout page to be nice, and log the user out.

setup is like this

UserPC -> idm.domain.com > ua.domain.com

I would like the users in UA to logout to https://idm.domain.com/AGLogout

How is that accomplished?

Micro Focus Expert

Re: UA 45 and Access Manager Logout

On 5/12/17 7:03 AM, Nicolai Jensen wrote:
> I have configured Access Manager to form fill and login to UA (which uses
> OSP and all that).
>
> Now, when I log out of userapp, the browser goes into a loop (doing
> something which is too fast to see, over and over).
>
> I would like the logout page to be nice, and log the user out.
>
> setup is like this
>
> UserPC -> idm.domain.com > ua.domain.com
>
> I would like the users in UA to logout to https://idm.domain.com/AGLogout
>
> How is that accomplished?
>

Greetings,
I do believe there is a note in the docs that outlines Form Fill
and Identity Injection can no longer be utilized when integrating Access
Manager with IDM 4.5.x or 4.6

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
Absent Member.

Re: UA 45 and Access Manager Logout

On Sat, 13 May 2017 11:16:22 +0000, Steven Williams wrote:

> On 5/12/17 7:03 AM, Nicolai Jensen wrote:
>> I have configured Access Manager to form fill and login to UA (which
>> uses OSP and all that).
>>
>> Now, when I log out of userapp, the browser goes into a loop (doing
>> something which is too fast to see, over and over).
>>
>> I would like the logout page to be nice, and log the user out.
>>
>> setup is like this
>>
>> UserPC -> idm.domain.com > ua.domain.com
>>
>> I would like the users in UA to logout to
>> https://idm.domain.com/AGLogout
>>
>> How is that accomplished?
>>

> Greetings,
> I do believe there is a note in the docs that outlines Form Fill
> and Identity Injection can no longer be utilized when integrating Access
> Manager with IDM 4.5.x or 4.6


Oh.....
Actually I did try to get it to do SAML first.
The SAML endpoint/metadata seems to have a defect though (although I'm not
sure, I cannot get it to work).

In the metadata it mentions that the endpoint is
https://idm.domain.com:8443/osp/a/idm/auth/saml2/metadata

While the actual endpoint is
https://430wf1.fmktst.dk:8443/osp/a/idm/auth/saml2/spmetadata

Even editing the metadata before pasting it into access manager does not
seem to work. AM logs seem to point me to the fact that
https://idm.domain.com:8443/osp/a/idm/auth/saml2/metadata is unreachable
(which it indeed is).

When I gave up on that, I turned to my old pal Google, and found a cool
solution, which outlined how to do formfill.

https://www.netiq.com/communities/cool-solutions/integrating-identity-manager-4-5-4-user-application-access-manager-4-3-access-gateway/

Absent Member.

Re: UA 45 and Access Manager Logout

On Sat, 13 May 2017 14:59:54 +0000, Nicolai Jensen wrote:


> In the metadata it mentions that the endpoint is
> https://idm.domain.com:8443/osp/a/idm/auth/saml2/metadata
>
> While the actual endpoint is
> https://430wf1.fmktst.dk:8443/osp/a/idm/auth/saml2/spmetadata


I should say metadata url, not endpoint.
I cannot get it to work, that's the point 🙂
Knowledge Partner

Re: UA 45 and Access Manager Logout

Nicolai Jensen <xnjex@pwc.dk> wrote:
> On Sat, 13 May 2017 14:59:54 +0000, Nicolai Jensen wrote:
>
>
>> In the metadata it mentions that the endpoint is
>> https://idm.domain.com:8443/osp/a/idm/auth/saml2/metadata
>>
>> While the actual endpoint is
>> https://430wf1.fmktst.dk:8443/osp/a/idm/auth/saml2/spmetadata
>
> I should say metadata url, not endpoint.
> I cannot get it to work, that's the point 🙂
>


There was a trick that it doesn't respond/show up until the config of OSP
is switched to SAML and you restart OSP

Alex McHugh - Knowledge Partner - Stavanger, Norway
Absent Member.

Re: UA 45 and Access Manager Logout

On Sat, 13 May 2017 17:06:58 +0000, Alex McHugh wrote:

> Nicolai Jensen <xnjex@pwc.dk> wrote:
>> On Sat, 13 May 2017 14:59:54 +0000, Nicolai Jensen wrote:
>>
>>
>>> In the metadata it mentions that the endpoint is
>>> https://idm.domain.com:8443/osp/a/idm/auth/saml2/metadata
>>>
>>> While the actual endpoint is
>>> https://430wf1.fmktst.dk:8443/osp/a/idm/auth/saml2/spmetadata
>>
>> I should say metadata url, not endpoint.
>> I cannot get it to work, that's the point 🙂
>>
>>

> There was a trick that it doesn't respond/show up until the config of
> OSP is switched to SAML and you restart OSP


I have reconfigured and restarted.

The issue seems to be that the metadata points to the wrong metadata url.
The url seems to be postfixed with "sp", and that is not reflected in the
actual metadata from the server.

I have also tried to point access manager to
https://430wf1.fmktst.dk:8443/osp/a/idm/auth/saml2/spmetadata and the url in
the metadata returns
https://idm.domain.com:8443/osp/a/idm/auth/saml2/metadata
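
The mismatch described in the post above can be checked mechanically. This is an added example, not part of the original thread and not Micro Focus code: it parses a constructed SAML metadata document and lists every URL whose scheme, host or port differs from the URL the metadata was fetched from. The `/placeholder/` endpoint paths and the use of the first URL as `entityID` are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: metadata served by one host that still advertises another.
# The /placeholder/ paths are illustrative, not OSP's real endpoint paths.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idm.domain.com:8443/osp/a/idm/auth/saml2/metadata">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idm.domain.com:8443/placeholder/slo"/>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://430wf1.fmktst.dk:8443/placeholder/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)


def audit_metadata(xml_text, fetched_from):
    """List (element, url) pairs whose origin differs from the fetch URL."""
    # For metadata pulled over the network, parse with a hardened XML
    # library such as defusedxml instead of the standard-library parser.
    root = ET.fromstring(xml_text)
    expected = origin(fetched_from)
    findings = []
    entity_id = root.get("entityID", "")
    if origin(entity_id) != expected:
        findings.append(("entityID", entity_id))
    for element in root.iter():
        location = element.get("Location")
        if location and origin(location) != expected:
            findings.append((element.tag.split("}")[-1], location))
    return findings


if __name__ == "__main__":
    fetched = "https://430wf1.fmktst.dk:8443/osp/a/idm/auth/saml2/spmetadata"
    for name, url in audit_metadata(SAMPLE_METADATA, fetched):
        print(f"{name}: {url} does not match {fetched}")
```

Any entry it reports is a URL the identity provider will try to use but that belongs to a different host than the one that served the metadata.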
Absent Member.

Re: UA 45 and Access Manager Logout

Were you ever able to correct the URLs in the metadata? I'm having an issue where my metadata is stuck with an old URL. I've changed it everywhere but still the metadata shows the old values.
Absent Member.

Re: UA 45 and Access Manager Logout

Nicolai Jensen;2457174 wrote:
> I have configured Access Manager to form fill and login to UA (which uses
> OSP and all that).
>
> Now, when I log out of userapp, the browser goes into a loop (doing
> something which is too fast to see, over and over).
>
> I would like the logout page to be nice, and log the user out.
>
> setup is like this
>
> UserPC -> idm.domain.com > ua.domain.com
>
> I would like the users in UA to logout to https://idm.domain.com/AGLogout
>
> How is that accomplished?


Dear Nicolai,

We could create two formfill policies:

1) Login Form attached to osp, and

2) Logout attached to IDMProv and other contexts:

   Do Form -> Login Failure
   CGI Matching Criteria as 'logout'
   Page Matching Criteria as none
   Redirect to URL: https://<NAM_AGserver>/AGLogout

3) Or the same formfill policies (Login and Logout) attached to both of them (osp and IDMProv/other contexts)

Kindly note: I'm looking for an official documentation link about the same and would share it if I find any.

Please try and let us know if that works for you on this Form Fill policy.

Thanks and Best Regards,
SivaPrakasamS
Micro Focus
Absent Member.

Re: UA 45 and Access Manager Logout

On Mon, 15 May 2017 13:34:02 +0000, SPSivasubramanian wrote:

> Nicolai Jensen;2457174 Wrote:
> Please try and let us know if that works for you on this Form Fill
> policy.
>
> Thanks and Best Regards,
> SivaPrakasamS
> Micro Focus


Wow, great. Thanks.
I will try that as soon as possible (might be a few days).

Absent Member.

Re: UA 45 and Access Manager Logout

On Mon, 15 May 2017 19:32:11 +0000, Nicolai Jensen wrote:

> On Mon, 15 May 2017 13:34:02 +0000, SPSivasubramanian wrote:
>
>> Nicolai Jensen;2457174 Wrote:
>> Please try and let us know if that works for you on this Form Fill
>> policy.
>>
>> Thanks and Best Regards,
>> SivaPrakasamS Micro Focus

>
> Wow, great. Thanks.
> I will try that as soon as possible (might be a few days).


Oh well, I couldn't wait anyway.
My feedback is that it does indeed seem to work like a charm (haven't
checked all the corners yet though)

You sir, are a genius.
Absent Member.

Re: UA 45 and Access Manager Logout

Nicolai Jensen;2457389 wrote:
> On Mon, 15 May 2017 19:32:11 +0000, Nicolai Jensen wrote:
>
>> On Mon, 15 May 2017 13:34:02 +0000, SPSivasubramanian wrote:
>>
>>> Nicolai Jensen;2457174 Wrote:
>>> Please try and let us know if that works for you on this Form Fill
>>> policy.
>>>
>>> Thanks and Best Regards,
>>> SivaPrakasamS Micro Focus
>>
>> Wow, great. Thanks.
>> I will try that as soon as possible (might be a few days).
>
> Oh well, I couldn't wait anyway.
> My feedback is that it does indeed seem to work like a charm (haven't
> checked all the corners yet though)
>
> You sir, are a genius.



Dear Nicolai,

Thanks for your quick check on this context. Glad that works well for you.

We'd wait for your further observations as well; kindly let us know once you have experimented and observed any odd behavior.

Thanks and Best Regards,
SivaPrakasamS
MicroFocus.