Channel: Micro Focus Forums

add childs in SOAP request in Integration Activity

Hi,
we are using the WSDL of the SAP SolMan (SAP version of Service Desk :) ) web service.

When we want to open a ticket we need to have multiple children of the same "xpath" in the SOAP message (as permitted by the WSDL). If you load the WSDL into the integration activity you can only use ONE child element in the pre-mapping. Reading through some Cool Solutions I found that it should be possible to add further child elements in the Integration tab of the workflow. But selecting "Add Child" in the Input XML does nothing (no add, no error). If I edit the XML by hand my changes are not saved.

2017-07-06 16_01_36-Designer.jpg

So, how to add further children to a SOAP message?

regards
Daniel

NAM4.3 temporary re-enable SSLv3 for Identity Server?

Dear all,

How can I temporarily re-enable SSLv3 for my NAM 4.3 Identity Server?

Thanks

ZCM 11.4.3 console: Page not displayed

Running into an issue with one of our two ZCM 11.4.3 appliances where the services are all running and the console comes up, but most of the links, i.e. Workstations, come up with 'Page not displayed'. I've bounced it, restarted services but same result. The other primary server brings everything up fine with no issue. Any thoughts before I open an SR?

#HowTo Configure an iOS device with Silk Test

Certificates does not conform to algorithm constraints

I've dropped in to an environment where auditing is not working. No history. Not sure how we got here from wherever it was last working. Sentinel is 7.4, and there's a Collector Manager that the agents are talking to. The CM was 7.4, last updated July 2016, as far as I can tell. I saw in the log file for the collector that it was trying / failing to communicate using SSLv2 ("xxx.xxx.xxx.xxx:55549: Error encountered in sendClient(1): javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled"), and found a few references to upgrading to current version to make it stop doing that. Made sense. So I did a "zypper up", so now it's current, at 8.1?

Code:

sentinel_collector_manager_7000_x86_64-release-0.623.0-0
supportutils-plugin-sentinel-1.0.1-7.1
novell-Sentineljre-8.1.0.0-3732
sentinel_collector_manager_7000_x86_64-update-0.3728.1-1
novell-Sentinelbase-SLES-8.1.0.0-3732
novell-Sentinelcm-8.1.0.0-3732

I'm no longer getting the SSLv2 errors, so that seems to have worked. But now I'm stuck with "Certificates does not conform to algorithm constraints" errors. They look a lot like:

Code:

        /xxx.xxx.xxx.xxx:58322: Error encountered in sendClient(1): javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
Thu Jul 06 17:30:07 EDT 2017|SEVERE|Thread-1298|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.sendClient

        Root cause: Certificates does not conform to algorithm constraints (java.security.cert.CertificateException)
        javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
                at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
                at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
                at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
                at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
                at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1906)
                at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:233)
                at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
                at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
                at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
                at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
                at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
                at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
                at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138)
                at java.io.DataOutputStream.write(DataOutputStream.java:88)
                at esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.sendClient(DeviceSensorAuditListener.java:949)
                at esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.handle_LE_CMD_STARTTLS(DeviceSensorAuditListener.java:666)
                at esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.performHandShake(DeviceSensorAuditListener.java:607)
                at esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.run(DeviceSensorAuditListener.java:462)
        Caused by: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
                at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1117)
                at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1043)
                at sun.security.ssl.AbstractTrustManagerWrapper.checkClientTrusted(SSLContextImpl.java:978)
                at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1888)
                ... 13 more

I found several references to changing java.security to allow for old/broken algorithms (jdk.certpath.disabledAlgorithms=MD2). I've tried that, it doesn't help.

Digging in deeper, I think I see what's going on, but I'm not sure. I found references to needing to update the platform agent(s). I think I see why, too. Looking in the cache directory, there are some ugly named files. Those are the platform agent cache. If you look in them, you'll see that they contain an embedded certificate. In my case, I have two cache files, both with embedded certs that expired in 2013. After upgrading the eDir instrumentation (novell-AUDTedirinst-8.8.8.8-53) and platform agent (novelplatformagent-2.0.2-77), I have a new one with an embedded certificate that expires in 2024. My conclusion is that the upgraded PA uses a newer cert. Interestingly, even the new one has a 1024 bit key size.

But, over on the collector manager, I'm still seeing the certificate validation error above. I think that it may be because the PA is busy trying to send data that has the old cert in it. I haven't been able to find a way to get the CM to accept this and move on with life. I don't really want to lose audit data if I can help it here. Is there a way to configure Java on the CM to accept expired certificates?

Desktop Pro - RunMacro from MS Excel receiving compile error

Hello. I am coding for my work, using Reflection Desktop 16 and MS Excel v15. I am trying to invoke a macro on Reflection from Excel. When I use the RunMacro method, I get the 'Expected Function or Variable' compile error.

The function called returns a user-defined class and when I run it from Reflection VBA it returns the class nicely, so that isn't the problem. It is a possibility that I don't have the class set up correctly yet on Excel but I am feeling that I'm not coding the arguments correctly to call the function. I am using Early Binding and Intellisense is giving me the macro parameters so it is seeing the terminal object at least. I tried coding this off the example from 'Running Reflection Macros from Excel or Another Application' in your Key Concepts, but that is using RunMacro2 and calling a subroutine and I need to pass a parameter (paramarrays make me want to jump out of a window so I'm desperately hoping to avoid RunMacro3.)

I could use a little guidance, please.

Command line (I have tried both of these with the same result):

Set objMyObject = termRefl.Macro.RunMacro(MacroEnumerationOption_Doc ument, "ThisIbmTerminal.HelpExcel", "(input string)")
Set objMyObject = termRefl.Macro.RunMacro(MacroEnumerationOption_Doc ument, strMac, strInput) (wrapped the strings)


Macro in Reflection --> Public Function HelpExcel(strA As String) As MyObject
(This procedure actually calls another Reflection function because it has to do a little manipulation to that string first, because paramarrays. I think the second function would throw the error in Reflection, not Excel, though.)

My project in the Project Window Looks like this:

MacroContainer (MacroScreen)
|
-> Modules
|
->ExcelSupportMacros

I have tried qualifying the MacroName in the following manners:

ThisIbmTerminal.HelpExcel
ThisIbmTerminal.MacroContainer.Modules.ExcelSupportMacros.HelpExcel
MacroContainer.Modules.ExcelSupportMacros.HelpExcel
Modules.ExcelSupportMacros.HelpExcel
MacroContainer.ExcelSupportMacros.HelpExcel
ExcelSupportMacros.HelpExcel
MacroContainer.HelpExcel

(Edit: the space in Document is being added by this form, it is spelled correctly in my code.)

Another "non supported" SAML application (Ping Identity)

We have been struggling to get OSP to work nicely with our PingIdentity IDP to enable us to use our current infrastructure for SSO. I understand PERFECTLY that OSP currently ONLY supports NAM but perhaps some insight would help us get this working as many others have with different Identity Providers. Working with people at PingIdentity it appears that the assertion OSP is sending is not SAML2.0 compliant. Here is an example of an SP initiated request with sensitive data changed:

We are using the latest osp and 4.6 Identity Apps.

Request:

************************* SAML2 Redirect message ********************************
Type: sent
Sent to: https://samldev.company.com/idp/star...rlencodeddata)
RelayState: MzpZMmxrfmMyRnRiREl0WTI5dWRISmhZM1E9
Message:
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable"
Destination="https://samldev.company.com/idp/startSSO.ping?PartnerSpId=https://server.company.com/osp/a/idm/auth/saml2/metadata"
ForceAuthn="false"
ID="idzh816xwiOwDfOTRynwwWG4kXeGo"
IsPassive="false"
IssueInstant="2017-07-07T00:52:11Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"
intro="false"
refresh="false">

<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" SPProvidedID="https://server.company.com/osp/a/idm/auth/saml2/metadata">https://server.company.com/osp/a/idm/auth/saml2/metadata</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>
************************* End SAML2 message ****************************

The assertion fails with an error referencing illegal attributes and according to Support Engineers at Ping, "intro=" and "refresh=" are not valid attributes for AuthnRequest.

We have also attempted (more successfully) an IDP initiated session which goes through the authentication process properly but doesn't take us to the target page. It puts up a dialog in a box that says

"Error: Authentication was successful but access to the application is unavailable. Please contact your Administrator." I can then enter the proper page in the url "/idmdash" and it works fine.

Looking for any suggestions or recommendations on making this work. Thanks for any help.

Rich

ZCM 11 High CPU

Hello everybody

In the task manager I see that the ZenServer.exe has a very high CPU throughout. It staggered between 50 - 100%.
What could be the problem? I find no cause. It has just happened from now on. Also a reboot of the server did not help.

I also can not install an agent on an Win7 Client - the error: the agent does not find the server. Also zac reg does not work.
Error: "Invalid URI: The URI format could not be determined"

Bye,
excQ

Landing Page issue

Hi,

The "Manage roles" in the landing page is showing each role multiple times (15), though the role is not duplicated in the system. Attached the screenshot. Please assist.

Duplicate.JPG



Regards,
Kalai

IPP page question

Hello,

I am using iPrint on OES 11 (latest SP). I have two of my smaller buildings using the same Print manager. Is there a way for each building's users to only see their building's printers when they go to the IPP page to install a printer or is this not possible since they share a Print manager? If this is not possible it is OK, I just wanted to ask.

Thanks,
Andrew

Upgrading from 11.4 to 2017

Running the upgrade from 11.4 latest version to 2017. It seems to be stuck at the Installing upgrading database schema step. It has been at that stage for over 12 hours. Using the internal sys database. About 400 devices in the database. Should I leave it running or do something else?

SLES 12 sp2 server.

Thanks

Paul

Reflection 2014 Quick Access Toolbar

Hi,

I have been trying out different appearances for my Reflection Session Window, and would like to know if there is a way to increase the size of the Quick Access Toolbar? I would like to make these icons somewhat bigger. I found a Google post that tells me how to increase the size of the Microsoft Windows Menu bar, which I thought would do it for this window also, but it does not seem to change in the Reflection Session window.
Thanks in advance for any info with this.

Nancy

conflicting NCP server object found when updating OES

Hello,

I am updating my SLES11sp3/OES11sp2 servers to SLES11sp4/OES11sp3 and the first server upgraded perfectly with no issues at all and it upgraded eDirectory to 8.8.8. My second server I am doing, during the eDirectory config part gives me a message stating "Conflicting NCP Server Object found." This server obviously does have an NCP server object because it was already in the tree I was just updating it. Why am I getting this message and what can I do to fix this and get this server update to complete?

Thanks,
Andre

Missing distinguishedName in response

I have a Groupwise system that I'm told has all of a sudden stopped returning distinguishedName in the Items when read from the addressbook. I have been doing some testing with SoapUI and sure enough it's not there. I've tried logging in with a couple of different user accounts and none of them return it. I also tried changing the view but that didn't seem to help.

Here is hopefully the relevant part of the soap messages.
<!-- SOAP Request -->
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:typ="http://schemas.novell.com/2005/01/GroupWise/types" xmlns:met="http://schemas.novell.com/2005/01/GroupWise/methods">
<soapenv:Header>
<typ:gwTrace>false</typ:gwTrace>
<typ:session>1l1qGUnDfKZQCZxt</typ:session>
</soapenv:Header>
<soapenv:Body>
<met:createCursorRequest>
<met:container>GroupWiseSystemAddressBook@52</met:container>
<met:view>all</met:view>
</met:createCursorRequest>
</soapenv:Body>
</soapenv:Envelope>

<!-- SOAP Response -->
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header></soapenv:Header>
<soapenv:Body>
<gwm:createCursorResponse xmlns:gwm="http://schemas.novell.com/2005/01/GroupWise/methods" xmlns:gwt="http://schemas.novell.com/2005/01/GroupWise/types">
<gwm:cursor>-1328233433</gwm:cursor>
<gwm:status>
<gwt:code>0</gwt:code>
</gwm:status>
</gwm:createCursorResponse>
</soapenv:Body>
</soapenv:Envelope>

<!-- SOAP Request -->
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:typ="http://schemas.novell.com/2005/01/GroupWise/types" xmlns:met="http://schemas.novell.com/2005/01/GroupWise/methods">
<soapenv:Header>
<typ:session>1l1qGUnDfKZQCZxt</typ:session>
</soapenv:Header>
<soapenv:Body>
<met:readCursorRequest>
<met:container>GroupWiseSystemAddressBook@52</met:container>
<met:cursor>-1328233433</met:cursor>
<met:forward>true</met:forward>
<met:position>current</met:position>
<met:count>2</met:count>
</met:readCursorRequest>
</soapenv:Body>
</soapenv:Envelope>

<!-- SOAP Response -->
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:gwm="http://schemas.novell.com/2005/01/GroupWise/methods" xmlns:gwt="http://schemas.novell.com/2005/01/GroupWise/types">
<s:Header/>
<s:Body>
<gwm:readCursorResponse>
<gwm:items>
<gwt:item xsi:type="gwt:Resource">
<gwt:id>C166CF81-1018-0000-AD45-97EDA8AF8BB5@55:GroupWiseSystemAddressBook@52</gwt:id>
<gwt:name>106 MDB RM 3</gwt:name>
<gwt:container>GroupWiseSystemAddressBook@52</gwt:container>
<gwt:uuid>C166CF81-1018-0000-AD45-97EDA8AF8BB5</gwt:uuid>
<gwt:domain>secmps</gwt:domain>
<gwt:postOffice>mps4po</gwt:postOffice>
<gwt:userid>106 MDB RM 3</gwt:userid>
<gwt:email>106 MDB RM 3.mps4po.secmps@removed.org</gwt:email>
</gwt:item>
<gwt:item xsi:type="gwt:Resource">
<gwt:id>08ED5B81-1019-0000-AD45-74FF17188929@55:GroupWiseSystemAddressBook@52</gwt:id>
<gwt:name>106 MDB RM 6</gwt:name>
<gwt:container>GroupWiseSystemAddressBook@52</gwt:container>
<gwt:uuid>08ED5B81-1019-0000-AD45-74FF17188929</gwt:uuid>
<gwt:domain>secmps</gwt:domain>
<gwt:postOffice>mps4po</gwt:postOffice>
<gwt:userid>106 MDB RM 6</gwt:userid>
<gwt:email>106 MDB RM 6.mps4po.secmps@removed.org</gwt:email>
</gwt:item>
</gwm:items>
<gwm:status>
<gwt:code>0</gwt:code>
</gwm:status>
</gwm:readCursorResponse>
</s:Body>
</s:Envelope>

Thanks
Mike

Community Sites – An Update

If you’ve been watching on our community sites, you’ve probably noticed some subtle, but important updates. We’re still in the process of planning a consolidated community, but in the meantime, we’re working to make what we have as useful as possible. We’ve made some changes that will help you find information about your Micro Focus …
The post Community Sites – An Update appeared first on Cool Solutions. kgroneman

Error in AD driver , sync password in publisher channel

Hi,

My customer has IDM integrated with Active Directory.

When the users change their password from a computer in the Windows domain, the password is not synced in IDM.

They see the following error: Code(-8021) Unable to set NMAS password: -215 DSERR_DUPLICATE_PASSWORD



<nds dtdversion="2.2">
<source>
<product build="20140409_120000" instance="\COMPENSAR-PROD\system\DriverSet01\AD-MID" version="4.0.0.4">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify-password class-name="User" dest-dn="compensar\usuarios\internos\20933432" dest-entry-id="149192" event-id="AD-MID##15d1d4a6441##0" password-admin-reset="true" src-dn="CN=ALBA ROCIO SUAREZ TORRES,OU=PSS,OU=OU USUARIOS,DC=COMPENSAR,DC=CCF">
<association>c66d0628467b8f42aeb0dc7709eb5130</association>
<password><!-- content suppressed --></password>
</modify-password>
<modify class-name="User" dest-dn="compensar\usuarios\internos\20933432" dest-entry-id="149192" event-id="pwd-publish" src-dn="CN=ALBA ROCIO SUAREZ TORRES,OU=PSS,OU=OU USUARIOS,DC=COMPENSAR,DC=CCF">
<association>c66d0628467b8f42aeb0dc7709eb5130</association>
<modify-attr attr-name="nspmDistributionPassword" enforce-password-policy="true"><!-- content suppressed -->
</modify-attr>
</modify>
</input>
</nds>


DirXML Log Event -------------------
Driver: \COMPENSAR-PROD\system\DriverSet01\AD-MID
Channel: Publisher
Object: CN=ALBA ROCIO SUAREZ TORRES,OU=PSS,OU=OU USUARIOS,DC=COMPENSAR,DC=CCF (compensar\usuarios\internos\20933432)
Status: Success
[07/07/17 08:43:21.004]:AD-MID ST: (if-association associated) = TRUE.
[07/07/17 08:43:21.005]:AD-MID PT:
DirXML Log Event -------------------
Driver: \COMPENSAR-PROD\system\DriverSet01\AD-MID
Channel: Publisher
Object: CN=ALBA ROCIO SUAREZ TORRES,OU=PSS,OU=OU USUARIOS,DC=COMPENSAR,DC=CCF (compensar\usuarios\internos\20933432)
Status: Warning
Message: Code(-8021) Unable to set NMAS password: -215 DSERR_DUPLICATE_PASSWORD.




How can they resolve this problem?

TIA

Export and Import Correlation Rule

Hi All,

Is there a way to export/import list of created correlation rules?

Thanks

About Geo-fencing

Hi All
I am interested in the Geo-fencing policy. I configured the smartphone method and let the Windows workstation login event use smartphone, which works well.
But when I enable the Geo-fencing policy, add my company location, and then enable geo-fencing for the Windows event, all workstations cannot log in.
When I disable the geo-fencing setting in the Windows event, workstations can log in again immediately. Doing the same test again gives the same result.

Has anyone tested the geo-fencing policy and had it work well? Could you provide information to me?

thanks!!

wencheng

Identity Apps 4.6 problems with NAAF 5.6 forgotten password

I'm having a strange problem with one of my implementations. We use a combination of the following software:
- IDM 4.6 (with eDirectory 9.0.3)
- Corresponding Identity Applications. All installed on one server.
- NAAF 5.6-146

We plan to use NAAF as forgotten password tool for several reasons. Therefore I configured SSPR to use the Oauth forgotten password feature.
SSPR is configured with the correct endpoints, passing the username to NAAF and returning an authenticated session which allows the user to set a new password.

The strange thing is: The redirect to NAAF is buggy. The following flow is working correctly:
1. When I visit the old IDMProv URL (http://host/IDMProv), the OSP login is displayed
2. I click the 'can't sign in' link
3. OSP redirects me to the SSPR dashboard in which I can choose 'Forgotten password'
4. After clicking that option, SSPR asks me for my username
5. After entering the username, SSPR redirects me to NAAF
6. NAAF asks me for my secret pin code (temporary way of working to test the flow)
7. PIN code is accepted by NAAF and NAAF redirects me back to SSPR
8. SSPR accepts the Oauth token and presents the option to set the password

The same flow also works when you use http://host/sspr in step one.

However: when you use the http://host/idmdash the flow breaks:
1. visit the /idmdash url
2. Can't sign in
3. Redirect to SSPR
4. Select forgotten password
5. Enter the username
6. ....... the portal tries to redirect to NAAF (check using SAML tracer), but nothing happens. The page displays a spinning 'beach ball' indicating that /idmdash is trying to decide what to display for this user (build the idmdash page). This is a deadlock situation. No error occurs, no redirect occurs.

This happens with the /idmdash and /rra URL. /IDMProv is working fine. /sspr is working fine as well.
Using SAML tracer we can see that the portal uses the exact same GET request in all cases: https://[NAAF host]/osp/a/TOP/auth/oauth2/grant?client_id=[values]

Behavior is observed in both IE, Chrome and FF.

Does anyone have a solution for this? I suspect it to be an Identity Applications bug and not really a NAAF bug, so I posted it here.