One of the primary deployment use cases for any IDM customer is to provide single sign-on access to the User Application for users outside the enterprise, mostly employees working remotely. In this case, no customer would want to give direct access to the IDM URL or keep IDM in the DMZ. This integration document describes how this use case can be achieved with a very simple approach.
There are mainly two approaches for integrating NetIQ Access Manager with Identity Manager:
The first approach is available at https://www.netiq.com/documentation/idm45/setup_guide/data/b1ciypyj.html
This document highlights how to configure the second approach, where Access Gateway protects the IDM User Application and other applications using a form fill policy.
When the user first hits the Access Gateway URL protecting the IDM User Application, the request is redirected for authentication at the Access Manager IDP. On successful authentication at the IDP, the browser redirects the request back to the Access Gateway URL protecting the IDM User Application. At this point, Access Gateway forwards the request to the backend IDM User Application URL, which in turn redirects the request to OSP, and OSP brings up the login form.
On detecting the login form, Access Gateway automatically executes the form fill policy, fills the form with the credentials of the logged-in user and submits the form to OSP. OSP successfully authenticates the user and redirects the user to the User Application. The User Application retrieves the access token from OSP and provides access to the user. This completes the single sign-on; from then on the user can access any other IDM-hosted application such as the landing portal, RRA or SSPR, and single sign-on to those applications is provided by the access token issued by OSP. So, Access Manager provides single sign-on to OSP using the form fill policy, and OSP then provides single sign-on between the other IDM-hosted applications using OAuth.
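Because the form fill policy is keyed to the login form that OSP returns, it helps to confirm what that form actually looks like before writing the policy. The following check is an added example, not NetIQ's code: it parses a login page, reports the form's action URL, method and field names, and flags a form that would post credentials over plain HTTP. The sample HTML, the OSP path and the field names Ecom_User_ID / Ecom_Password are constructed assumptions, not taken from this article.

```python
"""Inspect a login page for the form a form fill policy would have to fill."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample of what the backend might return; field names and the
# OSP path are assumptions for illustration, not values from the article.
SAMPLE_OSP_PAGE = """
<html><body>
<form name="IDPLogin" method="post" action="/osp/a/idm/auth/app/login">
  <input type="text" name="Ecom_User_ID">
  <input type="password" name="Ecom_Password">
  <input type="submit" value="Login">
</form>
</body></html>
"""


class LoginFormParser(HTMLParser):
    """Collect every <form> with its action, method and <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                (a.get("name", ""), (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_login_form(html, page_url):
    """Return the first form carrying a password field, with any findings."""
    parser = LoginFormParser()
    parser.feed(html)
    for form in parser.forms:
        if not any(t == "password" for _, t in form["fields"]):
            continue
        action = urljoin(page_url, form["action"])  # resolve relative action
        findings = []
        if urlparse(action).scheme != "https":
            findings.append("form posts credentials over plain HTTP")
        if form["method"] != "post":
            findings.append("form method is not POST")
        return {"action": action, "method": form["method"],
                "fields": [n for n, _ in form["fields"] if n],
                "findings": findings}
    return None
```

Run it against the page fetched from the backend (not through Access Gateway), so the form you see is the one the policy will have to detect.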
This solution is tested with the following versions of the products:
Access Manager and Identity Manager should point to the same user store for authentication, which can be any LDAP store. However, if the customer wants to use a password-less login such as Kerberos or X.509, the users should also be synced to the eDirectory user store so that the form fill policy can retrieve the logged-in user’s password and fill the form for single sign-on to OSP.
Figure 1: Access Gateway Proxy Service Creation for IDM User Application
Note: If IDM is listening on a non-SSL port, ensure that you configure that corresponding port in “Connect Port” and that the option “Connect Using SSL” is disabled.
Figure 2: Configuring IDM User Application as a Web server
Figure 3: Configuring IDM User Applications as different protected resources
Figure 4: Formfill policy for the SSO to OSP
Figure 5: Custom HTML Rewriter Profile
This completes the Access Gateway configuration for this integration.
The stand-alone IDM User Application needs only one specific configuration for this scenario to work: the authentication method, which has to be set to “Name and Password”.
Open the configuration utility by performing the following steps:
On Linux, use the command: cd /opt/netiq/idm/apps/UserApplication
For more information on how to run the Identity Applications Configuration Utility, refer to the following: https://www.netiq.com/documentation/idm45/setup_guide/data/b1bkfd5r.html
Figure 6: RBPM Configuration Screen
Note: Please ensure that the URLs are resolvable either through the host entries or DNS
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.