Introduction

This Cool Solution provides directions on how to configure NetIQ Access Manager single sign-on using Azure Active Directory as your identity provider. To complete this configuration you need a Microsoft Azure Active Directory account. Azure Active Directory is Microsoft’s multi-tenant, cloud-based directory and identity management service. Azure Active Directory comes in three editions; choose Premium to try this out with a trial version.

Why is this useful?

This allows users to authenticate once with Azure Active Directory and then access enterprise or SaaS applications seamlessly. Users who have signed in to Azure Active Directory can reach applications protected by NAM SSO without an additional login. Azure Active Directory also lets you create local users in the directory; those users can authenticate to Azure Active Directory and then authenticate with NAM to access additional services. NetIQ Access Manager supports risk-based authentication and strong authentication through the Advanced Authentication Framework, and both can be combined with the SAML2 flow to secure services.

Goal of this solution

The NetIQ Access Manager documentation lists the steps for configuring a SAML2 identity provider.

Microsoft’s Azure Active Directory documentation describes how to configure an application and its single sign-on settings.

This solution walks you through the basic steps for setting up NAM as a service provider and Azure Active Directory as an identity provider.

This cool solution consists of two main building blocks:

  1. Adding NetIQ Access Manager as Managed SaaS Application
  2. Configuring and testing Azure Active Directory single sign-on

Adding NetIQ Access Manager as Managed SaaS Application

To configure the integration of NetIQ Access Manager into Azure AD, you need to add NAM to your list of managed SaaS apps.

Configuration steps

  1. Gather your Azure AD login credentials, or sign up for a trial
  2. Log in to Azure at https://portal.azure.com
  3. Click on “Azure Active Directory” from the left side menu
  4. Click on “Enterprise applications”

  5. Click “New application” (or right-click in the right pane and select “New Application”)

  6. Select “Non-gallery application”

  7. Provide a “Name”

  8. The application is created

Configuring and testing Azure AD single sign-on

In this section you configure and test Azure AD single sign-on with NAM. You need to complete the following building blocks:

  1. Configuring Azure AD Single Sign-On – to enable your users to use this feature
  2. Creating an Azure AD test user – to test Azure AD single sign-on
  3. Configuring NetIQ Access Manager Single Sign-On – to enable single sign-on within NAM
  4. Assigning the Azure AD test user – to enable the test user to use Azure AD single sign-on
  5. Testing Single Sign-On – to verify whether the configuration works

Configuring Azure AD Single Sign-On

In this section you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your NAM application.

To configure Azure AD single sign-on with NAM, perform the following steps:

  1. In the Azure portal, on the NAM application integration page, click “Configure single sign-on (required)”, or “Single sign-on” in the left-side menu.

  2. Select “SAML-based Sign-on” as the “Single Sign-on Mode”

  3. Enter the “Identifier” value as the NAM entity ID, https://www.idp.com/nidp/saml2/metadata

  4. Enter the “Reply URL” value as the NAM assertion consumer URL, https://www.idp.com/nidp/saml2/spassertion_consumer
  5. Select the “View and edit all other user attributes” checkbox to see which attributes are sent in the assertion.

  6. Download the metadata XML

  7. Click “Configure NAM-test” for more help on the federation information

Creating an Azure AD test user

The objective of this section is to create a test user in the Azure portal.

  1. On the left navigation pane in the Azure Portal, click Azure Active Directory
  2. Click on Users and groups

  3. Click on “All users”

  4. Click on “New User”

  5. On the User dialog page, enter the test user information

  6. Click on “Create”

Configuring NetIQ Access Manager Single Sign-On

  1. Open the metadata XML file downloaded in “Configuring Azure AD Single Sign-On” above
  2. Remove the RoleDescriptor elements so that only the EntityDescriptor and IDPSSODescriptor elements remain

  3. Save the modified metadata XML file
  4. Log in to the Access Manager administration console
  5. Edit the cluster configuration and navigate to the SAML2 tab
  6. Click New and select Identity Provider
  7. Select “Metadata Text” as the source from the drop-down list
  8. Enter a name for this IDP
  9. Paste the metadata from the modified metadata XML file saved in the previous step

  10. Click Next, then OK
  11. Select the newly created identity provider from the list under the SAML2 tab

  12. Navigate to “Authentication Card” and select “Authentication Request”
  13. Change the “Response protocol binding” to “Post”

  14. Click OK and update the IDP configuration
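As an added example (not part of the original solution), the following Python script performs the metadata edit of steps 1 to 3 programmatically and then checks that what remains still carries what NAM needs: the Azure entity ID, a signing certificate and an HTTP-POST SingleSignOnService endpoint, matching the Post response binding chosen in step 13. The embedded sample metadata is constructed to resemble the Azure AD download; the tenant ID and certificate are placeholders, not real values.

```python
# Added example: clean Azure AD federation metadata for NAM import and check
# that a signing certificate and an HTTP-POST SSO endpoint survive the edit.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for prefix, uri in NS.items():          # keep md:/ds: prefixes on output
    ET.register_namespace(prefix, uri)
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like the Azure AD download (placeholder values).
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="fed:SecurityTokenServiceType"/>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC-PLACEHOLDER</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

def strip_role_descriptors(metadata_xml: str) -> str:
    """Drop every top-level RoleDescriptor (WS-Federation), keeping IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    for rd in root.findall("md:RoleDescriptor", NS):
        root.remove(rd)
    return ET.tostring(root, encoding="unicode")

def check_idp_metadata(metadata_xml: str) -> dict:
    """Summarise what NAM will import from the (cleaned) metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: NAM cannot import this file")
    post = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
            if s.get("Binding") == HTTP_POST]
    certs = idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/"
                        "ds:X509Data/ds:X509Certificate", NS)
    return {"entity_id": root.get("entityID"), "post_sso_url": post[0] if post else None,
            "role_descriptors_left": len(root.findall("md:RoleDescriptor", NS)),
            "signing_cert_count": len(certs)}
```

Run `check_idp_metadata` on the real download before and after `strip_role_descriptors` to confirm that only the RoleDescriptor count changes; a missing signing certificate or POST endpoint means the file is not the federation metadata NAM expects.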

Assigning the Azure AD test user

  1. In the Azure portal, open the applications view, navigate to the directory view, go to “Enterprise applications” and click “All applications”

  2. In the applications list, select NAM

  3. In the left menu, click “Users and groups”

  4. Click “Add user”, then select “Users and groups” on “Add Assignment”

  5. Select a user from the existing list, or create a new user by going back to the left-side menu “More services” and filtering by users

  6. Click “Assign” button on “Add Assignment” dialog.

Testing Single sign-on

  1. Open the Access Manager portal page https://www.idp.com/nidp/
  2. Select the authentication card for the Azure IDP
  3. When redirected to Azure, enter the test user credentials
  4. The Azure IDP sends the SAML2 assertion response to NAM, which shows the federation login page. Enter local user credentials to map the federated identity to a local user; if you do not want this prompt, create a user identification rule in the Azure IDP configuration of NetIQ Access Manager.

By: cstumula
Oct 23, 2017
2:14 pm