Author: Gaurav Vaidya
Novell Service Desk (NSD) is a complete service management solution based on LiveTime. It provides various end-user roles (Customer, Supervisor, Technician, Partner, etc.) that can access the web-based portal & manage service requests.
Novell Service Desk includes support for SAML based Single Sign-On (SSO). With this SAML support, NSD streamlines the end user's experience by not forcing the user to re-authenticate at the application. Access Manager is an apt product to facilitate secure access to Novell Service Desk; it can leverage the SAML based SSO support in NSD to provide a seamless experience to end users.
NSD allows SSO from open source solutions such as Shibboleth, JOSSO, OpenSSO etc. as well as commercial vendors like NetIQ Access Manager, CA SiteMinder, Oracle Identity Manager etc. In this article we will focus on the configuration for SAML based SSO from NetIQ Access Manager to Novell Service Desk.
Glossary of Terms
SAML - Security Assertion Markup Language
NSD - Novell Service Desk
SSO - Single Sign On
NAM - NetIQ Access Manager
NAM-IDP - NAM Identity Provider
NAM-AG - NAM Access Gateway
Understanding NSD SSO Configuration
Novell Service Desk consumes HTTP session headers from the provider (web access gateway) to enable seamless access for the user to the application. The login session is managed by the Identity Provider (IdP) and access to the resource is managed by the Service Provider (SP). This session information & the associated user data are then passed down to the protected application, which uses the given data to grant access to the user & bypass its own authentication.
In the scenario covered by this document, the Identity Provider is NAM-IDP, the Service Provider is NAM-AG & the protected application is Novell Service Desk. Configuration for SSO in Novell Service Desk is located at (Setup > Authentication > SSO) as shown in Figure-1. There are three configuration fields to enable SSO, all of which are mandatory in NSD (as explained in the following table):
Session ID - Name of the HTTP header passed to NSD which contains the Session ID for the logged-in user.
Username - Name of the HTTP header which contains the login name of the user attempting to access NSD.
Email - Name of the HTTP header which contains the email of the user attempting to access NSD. This email value is used to validate the username.
Figure 1: Novell Service Desk SSO (SAML) configuration page
Preparations for Configuration
This document focuses specifically on the SAML based SSO related configuration, so it is assumed that other parts of the setup are already available & a few key configurations are already done before we proceed. These are the prerequisites for the configuration that follows:
- Novell Service Desk is installed & configured with appropriate user store.
- NetIQ Access Manager is installed & configured with appropriate user store.
- Both NSD & NAM share the same user store OR the user credentials/data is synced among the both user stores.
- Basic reverse proxy service is configured on NAM for NSD (NSD is added as a path based OR domain based protected resource).
Configuring NAM for SAML based SSO to NSD
As discussed above, it is assumed that NSD has been configured as a protected resource (path based OR domain based). The next step is to configure an Identity Injection policy which injects the appropriate headers into the HTTP requests to NSD, as required for SAML based SSO. Following are the steps to configure the Identity Injection policy for NSD.
Steps to Configure Identity Injection Policy for NSD
- Go to iManager (Access Manager > Policies) & add a new Policy of type “Access Gateway: Identity Injection”.
- On the “Edit Rule” page provide a description for your policy (optional).
- Create a “New” action & select “Inject Into Custom Header”. In the details select value as “Credential Profile”, then select “SAML Credentials” > “SAML Assertion” (as shown in Figure-2).
Figure 2: NAM Identity Injection Policy – SAML Assertion
- Create a “New” action & select “Inject Into Custom Header”. In the details select value as “Credential Profile”, then select “LDAP Credentials” > “LDAP User Name” (as shown in Figure-3).
Figure 3: NAM Identity Injection Policy – LDAP User Name
- Create a “New” action & select “Inject Into Custom Header”. In the details select value as “LDAP Attribute”, then select “mail” (as shown in Figure-4).
Figure 4: NAM Identity Injection Policy – User eMail
- Once all the above configurations are done, the identity injection policy will look as shown in Figure-5.
Figure 5: NAM Identity Injection Policy for SAML SSO to NSD
- Enable this Identity Injection policy for the protected resource configured for NSD.
Configuring NSD for SSO
With the NAM configuration done, the setup is ready for the NSD configuration. It is recommended (not mandatory) that Identity Injection to NSD is already enabled, so that the administrator can verify the HTTP headers received by NSD while configuring SSO on NSD.
Following are the steps to configure SSO on NSD:
- Log in to NSD as Administrator & open the SSO configuration at (Setup > Authentication > SSO).
- Edit the configuration & select “On” for the ‘Active’ field.
- If you have logged in to NSD through NAM with the Identity Injection policy enabled, click on the icon to review the HTTP headers passed through the Access Gateway (NAM).
- Configure the HTTP header name for the SAML Assertion as ‘Session ID’ (e.g. ‘samlsession’ as shown in Figure-5).
- Configure the HTTP header name for the currently logged-in user as ‘Username’ (e.g. ‘username’ as shown in Figure-5).
- Configure the HTTP header name for the user email as ‘Email’ (e.g. ‘useremail’ as shown in Figure-5).
- Once all the above configurations are done, the NSD SSO configuration will look as shown in Figure-6.
- Save the configuration & validate SSO through NAM.
Figure 6: NSD Configuration for SAML SSO with injected NAM HTTP Headers
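To make the header-based trust model from the "Understanding NSD SSO Configuration" section and the three-field configuration above concrete, here is an added example (not NSD's or NAM's own code) that models how an application behind the Access Gateway decides on a request from the injected headers. The header names follow the article's examples (‘samlsession’, ‘username’, ‘useremail’); the user store and request headers are constructed sample data, and the model assumes, as the article's setup does, that NSD is reached only through the Access Gateway, which is what makes the injected headers trustworthy.

```python
# Added example: models the NSD-side consumption of NAM-injected SSO headers.
# Not NSD or NAM code; header names follow the article's example configuration.
from dataclasses import dataclass
from typing import Mapping, Optional

# Header names as configured in NSD (Setup > Authentication > SSO); all three are mandatory.
SESSION_HEADER = "samlsession"   # carries the SAML Assertion (Session ID)
USERNAME_HEADER = "username"     # carries the LDAP User Name
EMAIL_HEADER = "useremail"       # carries the LDAP 'mail' attribute

# Constructed user store shared by NAM and NSD: login name -> mail attribute.
USER_STORE = {
    "jdoe": "jdoe@example.com",
    "asmith": "asmith@example.com",
}

# Constructed request headers as the Access Gateway would inject them.
SAMPLE_HEADERS = {
    "samlsession": "<SAML assertion as injected by NAM; constructed placeholder>",
    "username": "jdoe",
    "useremail": "jdoe@example.com",
}


@dataclass
class SsoDecision:
    granted: bool
    user: Optional[str]
    reason: str


def evaluate_sso_headers(headers: Mapping[str, str]) -> SsoDecision:
    """Decide whether the injected headers authenticate a user.

    Mirrors the three-field NSD configuration: the SAML assertion header
    establishes the session, the username header names the user, and the
    email header must agree with the user store entry for that username.
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    missing = [n for n in (SESSION_HEADER, USERNAME_HEADER, EMAIL_HEADER) if not h.get(n)]
    if missing:
        return SsoDecision(False, None, f"missing mandatory header(s): {', '.join(missing)}")
    user = h[USERNAME_HEADER]
    expected_mail = USER_STORE.get(user)
    if expected_mail is None:
        return SsoDecision(False, None, f"unknown user '{user}'")
    # Email cross-check: the injected mail attribute must match the store entry.
    if h[EMAIL_HEADER].lower() != expected_mail.lower():
        return SsoDecision(False, None, f"email mismatch for '{user}'")
    return SsoDecision(True, user, "authenticated via injected headers")
```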
Configuration for Simultaneous Logout
In this scenario, ‘Simultaneous Logout’ is the ability to log off the NAM session whenever the user clicks Logout on the NSD portal. Novell Service Desk does not have a specific configuration to enable Simultaneous Logout with web access gateways (such a configuration is available for applications like GroupWise, Vibe etc.). So in order to enable simultaneous logout for NSD, one must configure a Form Fill policy as follows.
- Create a new Form Fill policy for NSD simultaneous logout.
- On the “Edit Policy” page provide a description for your policy (optional).
- Create a ‘New’ action & select “Form Login Failure”.
- In the “Page Matching Criteria” field configure the following text from the NSD logout page: “Your session has ended. Please use the button below to login again.”
- In the “Redirect to URL” field configure the Logout URL for your setup, e.g. https://mynam.com/AGLogout
- Once all the above configurations are done, the Form Fill policy will look as shown in Figure-7.
Figure 7: NAM Form Fill Policy for Simultaneous Logout from NSD-NAM
- Enable this Form Fill policy for the protected resource configured for NSD.
This article demonstrates that the SAML based SSO support in Novell Service Desk can be leveraged to provide SSO to NSD using NetIQ Access Manager.