I have an issue with Identity Manager 2.7 and Access Point 2.7. When a user tries to log in through the Access Point, the login hangs. I see a rotating cursor-thingie in the middle. When I enter an incorrect password, I get the response immediately. The certificate seems to be correct on the Access Point, and the users get to the login screen of the portal.
Has anyone got this configuration working? Configuration of the Access Point:
"Identifier": "WEB_REVERSE_PROXY",
"enabled": true,
"proxyDestinationURL": "https://vidmserver.example.com",
"proxyPattern": "(/|/SAAS(.*)|/hc(.*)|/web(.*)|/catalog-portal(.*))",
"unSecurePattern": "(/catalog-portal(.*)|/|/SAAS/|/SAAS|/SAAS/API/1.0/GET/image(.*)|/SAAS/horizon/css(.*)|/SAAS/horizon/angular(.*)|/SAAS/horizon/js(.*)|/SAAS/horizon/js-lib(.*)|/SAAS/auth/login(.*)|/SAAS/jersey/manager/api/branding|/SAAS/horizon/images/(.*)|/SAAS/jersey/manager/api/images/(.*)|/hc/(.*)/authenticate/(.*)|/hc/static/(.*)|/SAAS/auth/saml/response|/SAAS/auth/authenticatedUserDispatcher|/web(.*)|/SAAS/apps/|/SAAS/horizon/portal/(.*)|/SAAS/horizon/fonts(.*)|/SAAS/API/1.0/POST/sso(.*)|/SAAS/API/1.0/REST/system/info(.*)|/SAAS/API/1.0/REST/auth/cert(.*)|/SAAS/API/1.0/REST/oauth2/activate(.*)|/SAAS/API/1.0/GET/user/devices/register(.*)|/SAAS/API/1.0/oauth2/token(.*)|/SAAS/API/1.0/REST/oauth2/session(.*)|/SAAS/API/1.0/REST/user/resources(.*)|/hc/t/(.*)/(.*)/authenticate(.*)|/SAAS/API/1.0/REST/auth/logout(.*)|/SAAS/auth/saml/response(.*)|/SAAS/(.*)/(.*)auth/login(.*)|/SAAS/API/1.0/GET/apps/launch(.*)|/SAAS/API/1.0/REST/user/applications(.*)|/SAAS/auth/federation/sso(.*)|/SAAS/auth/oauth2/authorize(.*)|/hc/prepareSaml/failure(.*)|/SAAS/auth/oauthtoken(.*)|/SAAS/API/1.0/GET/metadata/idp.xml|/SAAS/auth/saml/artifact/resolve(.*)|/hc/(.*)/authAdapter(.*)|/hc/authenticate/(.*)|/SAAS/auth/logout|/SAAS/common.js|/SAAS/auth/launchInput(.*)|/SAAS/launchUsersApplication.do(.*)|/hc/API/1.0/REST/thinapp/download(.*)|/hc/t/(.*)/(.*)/logout(.*))",
"authCookie": "HZN",
"loginRedirectURL": "/SAAS/auth/login?dest=%s"
Hello,
I get a similar problem: once the login and password are sent, the login hangs.
Though, when I reload the page, the user gets authenticated (only if one authentication factor).
If I have two auth factors, the login fails.
Best regards,
Anyone get anywhere with this issue? I am experiencing the same thing; I imagine it's in the unSecurePattern or proxyPattern. I tried with and without the leading ( and ending ) in the documentation and still no luck. I did see errors in the audit log on vIDM that requests had been denied for malformed URL. I'm thinking the list is either messed up or missing something.
Well, I managed to get around the issue by deploying additional Access Points just for Identity Manager. I don't think it plays well trying to use a single Access Point for both View and Identity Manager.
Here is what I ended up using, and so far so good. And remember, the admin functions won't work externally!
{
"identifier": "WEB_REVERSE_PROXY",
"enabled": true,
"proxyDestinationUrl": "https://workspace.example.com:443",
"healthCheckUrl": "/favicon.ico",
"proxyPattern": "/|/SAAS(.*)|/hc(.*)|/web(.*)|/catalog-portal(.*)",
"unSecurePattern": "/catalog-portal(.*)|/|/SAAS/|/SAAS|/SAAS/API/1.0/GET/image(.*)|/SAAS/horizon/css(.*)|/SAAS/horizon/angular(.*)|/SAAS/horizon/js(.*)|/SAAS/horizon/js-lib(.*)|/SAAS/auth/login(.*)|/SAAS/jersey/manager/api/branding|/SAAS/horizon/images/(.*)|/SAAS/jersey/manager/api/images/(.*)|/hc/(.*)/authenticate/(.*)|/hc/static/(.*)|/SAAS/auth/saml/response|/SAAS/auth/authenticatedUserDispatcher|/web(.*)|/SAAS/apps/|/SAAS/horizon/portal/(.*)|/SAAS/horizon/fonts(.*)|/SAAS/API/1.0/POST/sso(.*)|/SAAS/API/1.0/REST/system/info(.*)|/SAAS/API/1.0/REST/auth/cert(.*)|/SAAS/API/1.0/REST/oauth2/activate(.*)|/SAAS/API/1.0/GET/user/devices/register(.*)|/SAAS/API/1.0/oauth2/token(.*)|/SAAS/API/1.0/REST/oauth2/session(.*)|/SAAS/API/1.0/REST/user/resources(.*)|/hc/t/(.*)/(.*)/authenticate(.*)|/SAAS/API/1.0/REST/auth/logout(.*)|/SAAS/auth/saml/response(.*)|/SAAS/(.*)/(.*)auth/login(.*)|/SAAS/API/1.0/GET/apps/launch(.*)|/SAAS/API/1.0/REST/user/applications(.*)|/SAAS/auth/federation/sso(.*)|/SAAS/auth/oauth2/authorize(.*)|/hc/prepareSaml/failure(.*)|/SAAS/auth/oauthtoken(.*)|/SAAS/API/1.0/GET/metadata/idp.xml|/SAAS/auth/saml/artifact/resolve(.*)|/hc/(.*)/authAdapter(.*)|/hc/authenticate/(.*)|/SAAS/auth/logout|/SAAS/common.js|/SAAS/auth/launchInput(.*)|/SAAS/launchUsersApplication.do(.*)|/hc/API/1.0/REST/thinapp/download(.*)|/hc/t/(.*)/(.*)/logout(.*)",
"authCookie": "HZN",
"loginRedirectURL": "/SAAS/auth/login?dest=%s"
}
{
"locale": "en_US",
"adminPassword": "*****",
"cipherSuites": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA",
"honorCipherOrder": false,
"ssl30Enabled": false,
"tls10Enabled": false,
"tls11Enabled": true,
"tls12Enabled": true,
"healthCheckUrl": "/favicon.ico",
"cookiesToBeCached": "none",
"ipMode": "STATICV4",
"sessionTimeout": 36000000,
"quiesceMode": false,
"monitorInterval": 60
}
It seems like this is still a problem with Access Point 2.8. After looking at what is being sent and received we are noticing that the HZN cookie is not getting set when accessing through the Access Point.
The spinning circle issue is most likely related to the HZN cookie not getting passed to the Identity Manager from the Access Point. I discovered that the default setting for cookiesToBeCached is *. This blocks the HZN cookie from getting passed, and is why, if the PowerShell script is used for deployment, the login process works without issue, due to the setting "cookiesToBeCached": "none". I will have to do more testing, but I believe that this is the problem that everyone is having.
Nick
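An offline check of the two suspects raised in this thread, the URL patterns and cookiesToBeCached. This is an added example, not code from any poster or from the product. It assumes the Access Point matches a pattern against the whole request path; the request paths and the shortened unSecurePattern are constructed samples.

```python
import json
import re

# Constructed sample: field names from the thread, unSecurePattern shortened.
EDGE = json.loads("""{
  "proxyPattern": "/|/SAAS(.*)|/hc(.*)|/web(.*)|/catalog-portal(.*)",
  "unSecurePattern": "/catalog-portal(.*)|/|/SAAS/auth/login(.*)|/SAAS/auth/saml/response|/SAAS/horizon/js(.*)",
  "authCookie": "HZN"
}""")
SYSTEM_DEFAULT = {"cookiesToBeCached": "*"}      # default reported in the thread
SYSTEM_SCRIPTED = {"cookiesToBeCached": "none"}  # value in the posted settings
# Constructed request paths for a login flow.
LOGIN_PATHS = ["/", "/SAAS/auth/login?dest=x", "/SAAS/auth/saml/response",
               "/SAAS/horizon/js/app.js"]


def classify(path, edge):
    """Return 'not-proxied', 'unsecured' or 'needs-auth-cookie'.

    Assumption: a pattern has to match the whole path (re.fullmatch).
    """
    if not re.fullmatch(edge["proxyPattern"], path):
        return "not-proxied"
    if re.fullmatch(edge["unSecurePattern"], path):
        return "unsecured"
    return "needs-auth-cookie"


def audit(edge, system, paths):
    """List findings for the patterns and for cookiesToBeCached."""
    findings = []
    for key in ("proxyPattern", "unSecurePattern"):
        try:
            re.compile(edge[key])
        except re.error as exc:
            findings.append(f"{key}: invalid regex ({exc})")
    if findings:
        return findings  # cannot classify paths with a broken pattern
    for path in paths:
        if classify(path, edge) == "not-proxied":
            findings.append(f"{path}: not covered by proxyPattern")
    cached = system.get("cookiesToBeCached")
    if cached != "none":
        findings.append(f"cookiesToBeCached={cached!r}: thread reports the "
                        f"{edge['authCookie']} cookie is then not passed on")
    return findings


if __name__ == "__main__":
    for line in audit(EDGE, SYSTEM_DEFAULT, LOGIN_PATHS + ["/admin"]):
        print(line)
```

Under the whole-path assumption, wrapping a pattern in a leading ( and trailing ) does not change how any path is classified.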
Hi All,
Actually, I deployed a pair of APs behind a LB using the PowerShell script, not OVF Tool. I used both of them as the entry point for both Identity Manager and View.
I attached the Swagger UI JSON parameters I used, after sanitizing them.
HTH.