Author: Gaurav Vaidya
Novell Service Desk (NSD) is a complete service management solution based on LiveTime. It provides various end-user roles (Customer, Supervisor, Technician, Partner, etc.) that can access the web-based portal and manage service requests.
Novell Service Desk includes support for SAML-based Single Sign-On (SSO). With this SAML support, NSD can streamline the end user's experience without forcing the user to re-authenticate at the application. Access Manager is an apt product for providing secure access to Novell Service Desk, and it can leverage the SAML-based SSO support in NSD to give end users a seamless experience.
NSD allows SSO from open source solutions such as Shibboleth, JOSSO, OpenSSO, etc., as well as from commercial vendors like NetIQ Access Manager, CA SiteMinder, Oracle Identity Manager, etc. In this article we will focus on the configuration for SAML-based SSO from NetIQ Access Manager to Novell Service Desk.
SAML – Security Assertion Markup Language
NSD – Novell Service Desk
SSO – Single Sign On
NAM – NetIQ Access Manager
NAM-IDP – NAM Identity Provider
NAM-AG – NAM Access Gateway
Novell Service Desk reads HTTP headers set by the provider (the web access gateway) to give the user seamless access to the application. The login session is managed by the Identity Provider (IdP) and access to the resource is managed by the Service Provider (SP). This session information and the associated user data are then passed on to the protected application, which uses the given data to grant access to the user and bypass its own authentication.
In the scenario covered by this document, the Identity Provider is NAM-IDP, the Service Provider is NAM-AG, and the protected application is Novell Service Desk. The SSO configuration in Novell Service Desk is located at Setup > Authentication > SSO, as shown in Figure 1. There are three settings needed to enable SSO, all of which are mandatory in NSD (as explained in the following table):
| Setting | Description |
| --- | --- |
| Session ID | Name of the HTTP header passed to NSD which contains the Session ID of the logged-in user. |
| Username | Name of the HTTP header which contains the login name of the user attempting to access NSD. |
| Email | Name of the HTTP header which contains the email of the user attempting to access NSD. This email value is used to validate the username. |
Figure 1: Novell Service Desk SSO (SAML) configuration page
This document specifically focuses on the SAML-based SSO configuration, so it is assumed that the other parts of the setup are already available and a few key configurations have already been done before we proceed. These are the prerequisites for the configuration that follows:
As discussed above, it is assumed that NSD has already been configured as a protected resource (path based or domain based). The next step is to configure an Identity Injection policy which injects the appropriate headers into the HTTP requests to NSD, as required for SAML-based SSO. Following are the steps to configure the Identity Injection policy for NSD.
Steps to Configure Identity Injection Policy for NSD
Figure 2: NAM Identity Injection Policy – SAML Assertion
Figure 3: NAM Identity Injection Policy – LDAP User Name
Figure 4: NAM Identity Injection Policy – User eMail
Figure 5: NAM Identity Injection Policy for SAML SSO to NSD
Once the NAM configuration is done, the setup is ready for the NSD configuration. It is recommended (though not mandatory) that Identity Injection to NSD is already enabled, so that the administrator can verify the HTTP headers received by NSD while configuring SSO on NSD.
Following are the steps to configure SSO on NSD:
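The handoff described above (NAM-AG injecting the Session ID, Username and Email headers, and NSD accepting only requests where all three are present and the email matches the username) can be modelled in a few lines. The following is an added example and not code from the article, from NetIQ Access Manager or from Novell Service Desk; the header names, the sample directory and the session record are constructed assumptions, and the model assumes the gateway replaces any same-named headers the client sent rather than appending to them, which is the property an administrator verifying the received headers would want to confirm.

```python
"""Model of the NAM-AG -> NSD header-based SSO handoff.

Added example, not code from the article, NetIQ Access Manager or
Novell Service Desk. Header names, the session record and the user
directory below are constructed for illustration.
"""
from dataclasses import dataclass

# Header names as they would be entered on NSD's Setup > Authentication > SSO
# page and in the NAM Identity Injection policy. Assumed values.
NSD_SSO_HEADERS = {
    "session_id": "X-NSD-Session",
    "username": "X-NSD-User",
    "email": "X-NSD-Email",
}

# Constructed stand-in for the LDAP user store NSD validates against.
SAMPLE_DIRECTORY = {
    "jdoe": {"email": "jdoe@example.com"},
    "asmith": {"email": "asmith@example.com"},
}


@dataclass
class GatewaySession:
    """What NAM-AG knows about the user after the NAM-IDP login."""
    saml_session_index: str   # value for the Session ID header
    ldap_username: str        # value for the Username header
    email: str                # value for the Email header


def inject_identity_headers(session: GatewaySession, request_headers: dict) -> dict:
    """Model of the Identity Injection policy (Figures 2-5).

    Any client-supplied header with one of the three configured names is
    dropped first, so the values NSD sees always come from the gateway's
    authenticated session and never from the browser.
    """
    reserved = {name.lower() for name in NSD_SSO_HEADERS.values()}
    headers = {k: v for k, v in request_headers.items() if k.lower() not in reserved}
    headers[NSD_SSO_HEADERS["session_id"]] = session.saml_session_index
    headers[NSD_SSO_HEADERS["username"]] = session.ldap_username
    headers[NSD_SSO_HEADERS["email"]] = session.email
    return headers


def resolve_sso_user(headers: dict, directory: dict) -> tuple:
    """Model of NSD consuming the headers.

    All three headers are mandatory, and the email header must match the
    directory record for the username, mirroring the table above.
    Returns (username, "ok") on success or (None, reason) on rejection.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    values = {}
    for field, name in NSD_SSO_HEADERS.items():
        value = (lower.get(name.lower()) or "").strip()
        if not value:
            return None, f"missing header {name}"
        values[field] = value
    record = directory.get(values["username"].lower())
    if record is None:
        return None, "unknown user"
    if record["email"].lower() != values["email"].lower():
        return None, "email does not match username"
    return values["username"], "ok"


if __name__ == "__main__":
    session = GatewaySession("idx-0001", "jdoe", "jdoe@example.com")
    # The browser tries to set its own username header; the gateway replaces it.
    injected = inject_identity_headers(session, {"X-NSD-User": "asmith", "Accept": "text/html"})
    print(injected)
    print(resolve_sso_user(injected, SAMPLE_DIRECTORY))
```

The `if __name__ == "__main__":` block walks one request through both sides: the browser's attempt to supply its own Username header is discarded by the gateway, and NSD resolves the user from the injected values. Feeding `resolve_sso_user` a request with one of the three headers absent, or with an email that does not belong to the username, yields a rejection reason, which is the behaviour to expect from NSD when an Identity Injection policy is incomplete or maps the wrong LDAP attribute.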
Figure 6: NSD Configuration for SAML SSO with injected NAM HTTP Headers
In this scenario, 'Simultaneous Logout' is the ability to log off from the NAM session whenever the user clicks Logout on the NSD portal. Novell Service Desk does not have a specific configuration to enable Simultaneous Logout with web access gateways (for example, such a configuration is available for applications like GroupWise, Vibe, etc.). So in order to enable simultaneous logout for NSD, one must configure a Form Fill policy as follows.
Figure 7: NAM Form Fill Policy for Simultaneous Logout from NSD-NAM
This article demonstrates that it is possible to leverage the SAML-based SSO support in Novell Service Desk to configure SSO using NetIQ Access Manager.
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.