This tutorial will explain how to configure GroupWise WebAccess as an AppMark for NetIQ CloudAccess/MobileAccess. This feature is particularly useful for BYOD situations, such as when an employee wishes to access GroupWise, but does not wish to have corporate restrictions or store their corporate password on their personal device. This tutorial has three main components:
Currently, GroupWise WebAccess requires the user’s real password to be sent in the authentication header from Access Manager. Because authentication between CloudAccess and Access Manager is handled with a SAML assertion, Access Manager never receives the user’s real password and so has nothing to use in the identity injection. To get around this, we need to enable password fetch in Access Manager and configure it as a post-authentication method in the SAML configuration (more on the post-authentication method later).
First, we need to be sure that Universal Password is enabled in eDirectory for the administrative account that Access Manager uses. When this is done, create a new authentication class in the IDP settings, using the PasswordFetchClass. In most situations, you will want to use the Universal Password option and to look up the password based on the user’s CN. These options are outlined in the first two images below. You will then need to create an authentication method based on this class and the user store from which you need to retrieve the password.
The next part of this tutorial is to enable SSO between Access Manager and GroupWise. By itself, this is a nice feature to have enabled because it adds a layer of protection for the WebAccess server, and it is convenient for desktop users.
Enabling SSO between Access Manager and WebAccess is fairly straightforward. First, create a path-based or domain-based accelerator and point it to your WebAccess server. Make sure to use port 443 and enable SSL on the Web Server configuration tab. Next, create a protected resource, either as /* or as /gw/webacc/*, and require a contract. After this is done, configure an identity injection policy that injects the username and password into an Authorization header and enable it for the protected resource (see related screen shot).
Once you have applied these settings, you should be able to access the accelerator address, log into your IDP, and see your mailbox in WebAccess. Now, let’s get it working with MobileAccess.
This part of the tutorial will have you configure CloudAccess as a SAML2 IDP for Access Manager. This allows one-touch access to everything protected by Access Manager, including WebAccess. This may be challenging if you have not configured Access Manager as a service provider (SP) before, but the screen shots should help guide you through this configuration.
At this point, you should be able to test the federation by logging into CloudAccess from your desktop and selecting the NAM AppMark that you configured. If you were able to access the protected resource, congratulations! If not, here are some common pitfalls to look for:
Troubleshooting is outside the scope of this tutorial, but the SAML tracer Firefox extension and the IDP logs can be quite valuable tools for identifying other issues.
Once you have made it this far, the last step is configuring the WebAccess AppMark. Configure a new AppMark under the NAM connector and set the mobile device URL to https://youraccelerator/gw/webacc.
The default WebAccess configuration does not recognize all mobile and tablet devices, so you have two options for presenting the proper interface to every device. The first is to extend WebAccess’s list of recognized User-Agent strings, although that may involve ongoing maintenance as new devices appear. The more foolproof way is to append “?User.interface=mobile” to the mobile device URL, which overrides the User-Agent detection in WebAccess.
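Two details from the steps above are worth seeing concretely: what the injected Authorization header actually carries (the identity injection step earlier) and how to append the User.interface override to the AppMark URL without clobbering any query string already on it. The following is an added example written for this article; it is not code from NetIQ, Access Manager or GroupWise. It assumes the injected header is standard HTTP Basic authentication (RFC 7617: `Basic ` followed by base64 of `user:password`), which is the usual form of a username/password injection into an Authorization header; the exact encoding Access Manager and WebAccess use is not stated on the page. The function names and the https-only check are my own choices; the `User.interface=mobile` parameter and the `https://youraccelerator/gw/webacc` placeholder come from the article.

```python
# Added example (not NetIQ/GroupWise code). Shows what an HTTP Basic
# Authorization header built from an injected username/password looks like,
# how the receiving side should parse it, and how to add the
# User.interface override to the mobile AppMark URL.
import base64
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def build_basic_auth_header(username: str, password: str) -> str:
    """Build the header value an identity-injection policy would send.

    RFC 7617 form: 'Basic ' + base64(username ':' password). The user-id
    may not contain ':'; the password may. Non-ASCII is sent as UTF-8.
    """
    if ":" in username:
        raise ValueError("user-id must not contain ':' (RFC 7617)")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_auth_header(value: str) -> tuple[str, str]:
    """What the receiving web application does with the injected header.

    Splits on the FIRST ':' only, so a password containing ':' survives,
    and rejects anything that is not well-formed Basic base64.
    """
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError("malformed Basic credential") from exc
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("credential is missing the ':' separator")
    return user, password


def mobile_appmark_url(url: str, interface: str = "mobile") -> str:
    """Append User.interface=<interface> to the AppMark's mobile device URL.

    Preserves any query parameters already present, replaces an existing
    User.interface value instead of duplicating it, and (my assumption,
    matching the article's 'use port 443 and enable SSL' advice) refuses
    anything that is not https, since the accelerator fronts credentials.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("AppMark URL must use https")
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "User.interface"]
    query.append(("User.interface", interface))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    hdr = build_basic_auth_header("jdoe", "pa:ss")
    print(hdr, "->", parse_basic_auth_header(hdr))
    print(mobile_appmark_url("https://youraccelerator/gw/webacc"))
```

Because the header is only base64, not encryption, the injected password is readable by anything on the path between the Access Gateway and WebAccess; that is the practical reason the accelerator should be configured for port 443 with SSL enabled, as the SSO step above instructs.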
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.