topic Re: Identity Manager 2.7 and Access Point 2.7, cannot login in Workspace ONE Discussions

Identity Manager 2.7 and Access Point 2.7, cannot login

VirtualSven — Tue, 23 Aug 2016 08:45:18 GMT

I have an issue with Identity Manager 2.7 and Access Point 2.7. When a user tries to login through the Access Point, the login hangs. I see a rotating cursor-thingie in the middle. When I enter an incorrect password, I get the response immediately. The certificate seems to be correct on the Access Point, the users get to the login-screen of the portal.

Anyone have got this configuration working? Configuration of the Access Point:

"Identifier": "WEB_REVERSE_PROXY",

"enabled": true,

"proxyDestinationURL": "https://vidmserver.example.com",

"proxyPattern": "(/|/SAAS(.*)|/hc(.*)|/web(.*)|/catalog-portal(.*))",

"authCookie": "HZN",

"loginRedirectURL": "/SAAS/auth/login?dest=%s"

Re: Identity Manager 2.7 and Access Point 2.7, cannot login

RGEORGET — Wed, 12 Oct 2016 15:56:19 GMT

Hello,

I get a similar problem : once the login and password are sent, the login hangs.

Tough, when I reload the page the page, the user gets authenticated (only if one authentication factor)

If i have two auth factors, the login fails

Best regards,

Re: Identity Manager 2.7 and Access Point 2.7, cannot login

chadc1979 — Fri, 21 Oct 2016 14:42:38 GMT

Anyone get anywhere with this issue? I am experiencing the same thing, I imagine it's in the unSecurePattern or proxyPattern. I tried with and without the leading ( and ending ) in the documentation and still no luck. I did see errors in the audit log on vIDM that requests had been denied for malformed url, I'm thinking the list is either messed up or missing something.

Re: Identity Manager 2.7 and Access Point 2.7, cannot login

chadc1979 — Sat, 22 Oct 2016 14:56:07 GMT

Well I managed to get around the issue by deploying additional Access Points just for Identity Manager, I don't think it plays well trying to use a single Access Point for both View and Identity Manager.

Here is what I ended up using and so far so good and remember the admin functions won't work externally!

{
"identifier": "WEB_REVERSE_PROXY",
"enabled": true,
"proxyDestinationUrl": "https://workspace.example.com:443",
"healthCheckUrl": "/favicon.ico",
"proxyPattern": "/|/SAAS(.*)|/hc(.*)|/web(.*)|/catalog-portal(.*)",
"unSecurePattern": "/catalog-portal(.*)|/|/SAAS/|/SAAS|/SAAS/API/1.0/GET/image(.*)|/SAAS/horizon/css(.*)|/SAAS/horizon/angular(.*)|/SAAS/horizon/js(.*)|/SAAS/horizon/js-lib(.*)|/SAAS/auth/login(.*)|/SAAS/jersey/manager/api/branding|/SAAS/horizon/images/(.*)|/SAAS/jersey/manager/api/images/(.*)|/hc/(.*)/authenticate/(.*)|/hc/static/(.*)|/SAAS/auth/saml/response|/SAAS/auth/authenticatedUserDispatcher|/web(.*)|/SAAS/apps/|/SAAS/horizon/portal/(.*)|/SAAS/horizon/fonts(.*)|/SAAS/API/1.0/POST/sso(.*)|/SAAS/API/1.0/REST/system/info(.*)|/SAAS/API/1.0/REST/auth/cert(.*)|/SAAS/API/1.0/REST/oauth2/activate(.*)|/SAAS/API/1.0/GET/user/devices/register(.*)|/SAAS/API/1.0/oauth2/token(.*)|/SAAS/API/1.0/REST/oauth2/session(.*)|/SAAS/API/1.0/REST/user/resources(.*)|/hc/t/(.*)/(.*)/authenticate(.*)|/SAAS/API/1.0/REST/auth/logout(.*)|/SAAS/auth/saml/response(.*)|/SAAS/(.*)/(.*)auth/login(.*)|/SAAS/API/1.0/GET/apps/launch(.*)|/SAAS/API/1.0/REST/user/applications(.*)|/SAAS/auth/federation/sso(.*)|/SAAS/auth/oauth2/authorize(.*)|/hc/prepareSaml/failure(.*)|/SAAS/auth/oauthtoken(.*)|/SAAS/API/1.0/GET/metadata/idp.xml|/SAAS/auth/saml/artifact/resolve(.*)|/hc/(.*)/authAdapter(.*)|/hc/authenticate/(.*)|/SAAS/auth/logout|/SAAS/common.js|/SAAS/auth/launchInput(.*)|/SAAS/launchUsersApplication.do(.*)|/hc/API/1.0/REST/thinapp/download(.*)|/hc/t/(.*)/(.*)/logout(.*)",
"authCookie": "HZN",
"loginRedirectURL": "/SAAS/auth/login?dest=%s"
}

{
"locale": "en_US",
"adminPassword": "*****",
"cipherSuites": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA",
"honorCipherOrder": false,
"ssl30Enabled": false,
"tls10Enabled": false,
"tls11Enabled": true,
"tls12Enabled": true,
"healthCheckUrl": "/favicon.ico",
"cookiesToBeCached": "none",
"ipMode": "STATICV4",
"sessionTimeout": 36000000,
"quiesceMode": false,
"monitorInterval": 60
}

Re: Identity Manager 2.7 and Access Point 2.7, cannot login

opie81 — Mon, 06 Feb 2017 17:09:56 GMT

It seems like this is still a problem with Access Point 2.8. After looking at what is being sent and received we are noticing that the HZN cookie is not getting set when accessing through the Access Point.

Re: Identity Manager 2.7 and Access Point 2.7, cannot login

opie81 — Mon, 06 Feb 2017 19:06:31 GMT

The spinning circle issue is most likely related to the HZN cookie not getting passed to the Identity Manager from the Access Point. I discovered that the default setting for cookiesToBeCached to be set to *. This blocks the HZN cookie from getting passed and why if the powershell script is used for deployment the login process works without issue due to the setting "cookiesToBeCached": "none". I will have to do more testing but I believe that this is the problem that everyone is having.

Nick

Re: Identity Manager 2.7 and Access Point 2.7, cannot login

ShadyMalatawey — Mon, 27 Mar 2017 07:12:45 GMT

Hi All,

Actually, I deployed pair of APs behind a LB using PowerShell script, not OVF Tool. I used both of them for both of Identity Manager and View entry point.

I attached the swagger UI json parameters used of mine after sanitizing it.

HTH.