33.3.36 Cannot Create an Authentication Class with Advanced Authentication Generic Class - Recreating the Endpoints with Advanced Authentication or Advanced Authentication SaaS

After configuring the Advanced Authentication server and enabling the Integrate using OAuth option, adding a new Identity Server cluster creates the following issue:

Cannot create the Advanced Authentication Generic class. Access Manager displays a message to configure the OAuth integration settings.

NOTE: Adding a new Identity Server cluster after configuring the Advanced Authentication server is not recommended. However, if you must create a new Identity Server cluster, perform the following workaround steps.

To work around this issue, delete and re-create the endpoints.

Perform the following steps:

  1. Click Devices > Identity Servers > Shared Settings > Advanced Authentication.

  2. Delete the domain name or IP address of the Advanced Authentication server and specify a dummy IP address. For example, 10.10.10.11.

  3. Click Apply.

  4. Delete the config.xml file of the Advanced Authentication plug-in from the Identity Server cluster. For Access Manager 5.0 and prior versions, config.xml is located at /etc/aaplugin/config.xml. For Access Manager 5.0 and later versions, config.xml is located at /opt/novell/nam/idp/plugins/aa/config.xml.

  5. Go to the Advanced Authentication administration portal and delete the endpoints.

  6. At Access Manager, navigate to Devices > Identity Servers > Shared Settings > Advanced Authentication again and specify the domain name or IP address of the Advanced Authentication server.

  7. Click Apply.

  8. Verify that the endpoint’s ID and secret key are generated in the config.xml file.

  9. Verify that the endpoint has been created in the Advanced Authentication server. Go to the Advanced Authentication administration portal and verify that the hostname or domain name of the Identity Server cluster is displayed as the endpoint under Endpoints.

    The name of the endpoint on Advanced Authentication server should be similar to the following:

    • The hostname of the Identity Server node if there are many clusters and nodes involved in this setup.

    • The name of the Identity Server cluster if there is only one cluster with one node.

      You can validate the hostname by copying the <id>xxxxxxxx</id> value from the config.xml file and pasting it into the URL of the AA server's endpoint in the Administration Console.

      Example: https://<aaserver-address>:443/admin/endpoints/xxxxxxxxxxxxxxxxxxx

      If the Advanced Authentication server responds with a page showing the details of the endpoint, the endpoint has been created successfully; otherwise, an AuCoreError is displayed.
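The following script is an added example for steps 8 and 9, not part of the Access Manager documentation: it locates config.xml at the two paths named above, confirms that an endpoint id and secret were generated, and builds the endpoint URL to open in the Administration Console. It assumes the endpoint id sits in an `<id>` element (as the step states) and the secret in a `<secret>` element; the `<secret>` element name and the sample config.xml contents are assumptions.

```python
"""Post-recreation check for the Advanced Authentication plug-in config.xml.

Added example; not code from the Access Manager documentation. Assumes an
<id> element (named in the workaround) and a <secret> element (assumed name).
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# The two config.xml locations named in the workaround steps.
CONFIG_PATHS = (
    Path("/opt/novell/nam/idp/plugins/aa/config.xml"),  # Access Manager 5.0 and later
    Path("/etc/aaplugin/config.xml"),                   # Access Manager 5.0 and prior
)


def find_config(paths=CONFIG_PATHS):
    """Return the first config.xml that exists on this Identity Server node, or None."""
    for path in paths:
        if path.is_file():
            return path
    return None


def extract_endpoint(xml_text):
    """Return (endpoint_id, has_secret); endpoint_id is None when no <id> value is present."""
    root = ET.fromstring(xml_text)
    id_el = root.find(".//id")
    secret_el = root.find(".//secret")  # assumed element name
    endpoint_id = (id_el.text or "").strip() if id_el is not None else None
    has_secret = secret_el is not None and bool((secret_el.text or "").strip())
    return endpoint_id or None, has_secret


def endpoint_admin_url(aa_server, endpoint_id):
    """Build the endpoint page URL shown in step 9 for the AA administration portal."""
    return f"https://{aa_server}:443/admin/endpoints/{endpoint_id}"


def check_config(xml_text, aa_server):
    """Step 8 check: returns (True, url) when id and secret exist, else (False, reason)."""
    endpoint_id, has_secret = extract_endpoint(xml_text)
    if endpoint_id is None:
        return False, "no endpoint id in config.xml: re-apply the AA server address (step 6)"
    if not has_secret:
        return False, "no endpoint secret in config.xml: re-apply the AA server address (step 6)"
    return True, endpoint_admin_url(aa_server, endpoint_id)


# Constructed sample contents, not real config.xml files.
SAMPLE_OK = "<config><id>a1b2c3d4e5f6</id><secret>constructed-secret</secret></config>"
SAMPLE_EMPTY = "<config><id></id></config>"

if __name__ == "__main__":
    found = find_config()
    text = found.read_text() if found else SAMPLE_OK  # fall back to the sample when run off-box
    print(check_config(text, "aa.example.internal"))  # hostname is a placeholder
```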

This resolves the issue. You can now navigate to Devices > Identity Servers > Edit > Local and create an authentication class, method, and contract.

Creating a FIDO method in the preceding step creates another issue:

Users authenticating through the FIDO contract cannot log in. When the user activates the FIDO device, Access Manager displays an error message stating that authentication has failed.

To work around this issue, perform the following steps:

  1. Click Security > Trusted Roots.

  2. Add the Advanced Authentication server certificate to the Trust store of the new Identity Server cluster:

    1. Select the Advanced Authentication server certificate that was generated when you configured the Advanced Authentication server.

    2. Click Add Trusted Roots to Trust Stores.

    3. Select the Trust store and click OK.

  3. Update Identity Server.