Configuring Access Manager for UserApp and SAML


By: ScorpionSting

December 5, 2007 12:58 pm





If the IDM User Application is installed, it is often in a larger context. One of the common requirements is to integrate User Application or specific parts into a portal, granting the users a single sign-on experience. Another common requirement is a strong authentication, e.g., via a certificate login to the portal.

Leveraging the power of Novell Access Manager and SAML, the solution described in this article makes true single sign-on capability available to any part of User Application, with any form of authentication method possible.

This document assumes that you are familiar with the Novell Access Manager configuration. If you are not, please refer to the Novell Access Manager documentation:

How it Works

When the user first accesses the User Application, he must authenticate to the IDP, if he hasn’t already done so. After a successful authentication, the Access Gateway will inject a SAML assertion into HTTP header of the Get request. User application will recognize this and, if the user is not already authenticated, will use the SAML assertion to authenticate the user to the user store via LDAP. For this to work, the NMAS method “SAML Assertion” must be installed and correctly configured on the user store, as User Application uses this method for a successful authentication.


This document is designed for use with the following as minimum software requirements:

  • Access Manager 3.0.1
  • User Application 3.5.1

Access Manager and User Application must be configured to use the same user store. The user store must be eDirectory. The NMAS method must be present and configured on the user store (see the User Store section at the end of this document). The method described in this document will work regardless of the authentication method used by Access Manager.

Access Manager

Access Gateway Resources

1. Create a new path-based resource for /IDM.

Figure 1 – Path-based resource for /IDM

2. Correct the server port and enable Forwarding of Encoding Header.

Figure 2 – Enabling Forwarding of Encoding Header

3. Under the HTTP Options for the Path-Based Multi-Homing tab, enable X-Forward-For.

Figure 3 – Enabling X-Forward-For

4. Create two new Protected Resources, if you use username and password. If you don’t use a password, e.g. because you use a certificate login, you do not need the second resource UserAppForgotPassword.

Figure 4 – Creating Protected Resources


The base resource for User Application is shown below.

Figure 5 – URL Path for UserApp

1. Assign an Authorization Policy to this resource.

Figure 6 – Authorization Policy

2. Assign Identity Injection policies to inject the Access Manager Session Cookie and HTTP_AUTHORIZATION header.

Figure 7 – Injection Policy list


The UserAppForgotPassword resource is a public resource and will have the following paths:

Figure 8 – Path for UserAppForgotPassword resource

1. Add a Bypass PIN for the whole of User Application.

Figure 9 – Bypass PIN


Below are the two policies required for the Identity Injection:

Figure 10 – II_Authorization Rule

Figure 11 – II_AG_Cookie Rule

Password Handling

If Access Manager uses Username/Password as its authentication method, you should use the following methods for a smooth user experience.

Password Expiry Handling

In the IDP Contracts, modify the Password Expiry URL to be:<RETURN_URL>&store=<STOREID>&dn=<USERID>&action=expire

This will populate certain values to aid the user experience. For example, <USERID> will be replaced with the user DN, such as cn=jbloggs,ou=unit,ou=location,o=organization).

Forgot Password Link

An example of the JSP code for a link to use of the Forgot Password feature on the Access Manager login page is shown below:

<a href="javascript:document.fpwdForm1.submit();" onmouseover="window.status='Forgot Password';return true;">Forgot Password Link</a>
<form name="fpwdForm1" method="POST" action="">
<input type="hidden" name="idp_return_url" value="<%= (String) request.getAttribute("url") %>" />

User Application

To lock down UserApp so requests can be made only by Access Manager,

1. Stop UserApp.

2. Edit the [path to jboss]/server/IDM/deploy/jbossweb-tomcat55.saw/context.xml file with the following modifications:

3. Add privileged=”true” to the Context element.

4. Add a new parameter to the Context element as follows:

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="," deny="" />

5. Start UserApp and test that the /IDM path can only be requested by Access Manager.

You will have to do the following steps only if you use Username/Password as the Access Manager authentication method and want to use User Application to handle forgotten passwords.

1. Log in to User Application with Administration rights.

2. Verify the Forgot Password settings.

Figure 12 – Forgot Password settings

User Store

On the user store, you must check the configuration the NMAS Method “SAML Assertion”. This method should be automatically installed by NAM once you configure the user store in NAM. Additionally, NAM should have installed the required signing certificates.

1. On the user store, go to NMAS > NMAS Login Methods > SAML Assertion and choose the Affiliates tab. The page should look like this:

Figure 13 – SAML Assertion

2. Check the configured affiliate, and your page should look like this:

Figure 14 – Configured affiliate for SAML Assertion

If the Trusted Certificate field is empty, you can just choose the Public Key certificate that’s in the Trusted Root Container named in the Trusted Root Container field. NAM should have created this certificate automatically.

If the Signing Certificate is not present on the user store, you will have to export it from the NAM config store and import it into the user store.

Make sure your time is synchronized between IDP, AG and the user store server you access. By default, the SAML Assertion has a validation window of 3 minutes. If the time is not synchronized, the login will fail.

More articles on my Website.

0 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 5 (0 votes, average: 0.00 out of 5)
You need to be a registered member to rate this post.
Loading ... Loading ...

Categories: Access Manager, Identity Manager, Technical Solutions

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.