This article is written for customers and partners who want to test NetIQ Access Manager (NAM) to understand and demonstrate how single sign-on works. Why single sign-on to Facebook? Because it is probably the most widely used website on the Internet that has a login page.

What are we trying to achieve?

 

tutorial-1

We want to configure NAM to achieve 2 things:

Firstly, we want to configure NAM as a reverse proxy. This means that when the user keys in a URL (we will use a fictitious domain in this article => www.external.com), NAM will reverse proxy the request to www.facebook.com.

Secondly, we want to configure NAM to automatically sign in to Facebook, thereby achieving single sign-on.

What do we need to achieve this?

 

tutorial-2

All we need are the following:

  1. One laptop/workstation with 8 GB of memory and 20 GB of free disk space.
  2. VMware workstation installed (I used VMware workstation 9 in this setup)
  3. Internet connection from laptop to the Internet (for connection to Facebook)

Installation and Configuration Procedures


Download NAM

1. tutorial-3

  • Go to http://dl.netiq.com
  • Choose Access Manager
  • Select the latest version of Access Manager
  • Press ‘Submit Query’
2. tutorial-4

  • Choose to download the latest version of ‘AccessManagerAppliance’

Setup your VMware workstation

3. tutorial-5
  • Select your VM to boot from the ISO that you downloaded in Step 2
4. tutorial-6
  • Choose the Operating System as SUSE Linux Enterprise 11 64-bit
  • Note that later versions of NAM could be based on SUSE Linux Enterprise 12 64-bit
5. tutorial-7
  • You can call the VM whatever name you want. I call it ‘NAM401’
6. tutorial-8
  • Choose 1 processor with 2 cores per processor
7. tutorial-9
  • Choose 7640 MB memory.
  • Note that even though NAM requires 8 GB of RAM, it can still work with 7640 MB of memory
8. tutorial-10
  • In this example, I choose Bridge Networking. It is important that whatever you choose, both the NAM VM and the host machine have to have access to the Internet.
  • Alternatively, you can also choose NAT
9. tutorial-11
  • Create a new virtual Disk
10. tutorial-12
  • Select the disk size to be 100GB.
  • However, unselect “Allocate all disk space now” in order to conserve space. The whole setup should not take more than 20 GB.
11. tutorial-13
  • Take the default VMDK file name
12. tutorial-14
  • Click ‘Finish’ to complete the creation of the VM.

Installation of NAM

13. tutorial-15
  • Choose ‘Install Appliance’
14. tutorial-16
  • Agree to the License Agreement and click Next
15. tutorial-17
  • Choose your time zone
16. tutorial-18
  • The warning message appears because the memory is less than 8GB
  • Press ‘Continue’
17. tutorial-19

You can key in any values that you want. In this example, I used the following values:

  • Hostname: nam
  • Domain Name: external.com
  • IP address: 192.168.1.30
  • Subnet Mask: 255.255.255.0
  • Default Gateway: 192.168.1.1
  • DNS Servers: 8.8.8.8, 8.8.4.4
  • Enter your root password
18. tutorial-20
  • Enter your admin password
  • Note that the admin password is for the NAM application. The root password on the previous screen is for the operating system
19. tutorial-21
  • Press ‘Continue’
20. tutorial-22
  • Press ‘Install’
21. tutorial-23
  • Press ‘Install’
22. tutorial-24
  • Once the installation is done, you should see the above screen
  • Log in to NAM using the ‘root’ account and password
23. tutorial-25
  • Test the connectivity to the Internet from NAM by pinging ‘www.facebook.com’
24. tutorial-26
  • Add the entry shown above to the hosts file on your Windows host machine (C:\windows\system32\drivers\etc\hosts)
  • To test the entry, ping www.external.com and nam.external.com from your Windows host machine

Configure NAM for Reverse Proxy

25. tutorial-27
  • Open a browser and go to URL => https://nam.external.com:8443/nps
  • Login with admin and the password
26. tutorial-28
  • In the tab above, click ‘Devices > Access Gateways > AG-Cluster’
  • Click on ‘Adapter_List’
27. tutorial-29
  • Click on 192.168.1.0
28. tutorial-30
  • Click on ‘New’
29. tutorial-31
  • Add in the secondary IP address “192.168.1.31”
30. tutorial-32
  • When the secondary IP address is added, the secondary IP address is shown above
  • Click ‘Ok’
31. tutorial-33
  • Click ‘Ok’
32. tutorial-34
  • Click ‘Update All’
  • Note that in order for any changes to take effect, you need to come to this screen to update all.
33. tutorial-35
  • Press Ok to update all
34. tutorial-36
  • In the tab above, click ‘Devices > Access Gateways > AG-Cluster’
  • Click on ‘Reverse Proxy/Authentication’
35. tutorial-37
  • Click on ‘New’ to create a new Reverse Proxy List
36. tutorial-38
  • Type in the name of the Reverse Proxy. In this example, I used “FB-RP”
37. tutorial-39
  • Make sure that the FB-RP is listening on the secondary IP address: 192.168.1.31
  • Make sure that ‘Enable SSL between Browser and Access Gateway’ and ‘Redirect request from Non-Secure Port to Secure Port’ are checked
  • Click on the Certificate icon beside the ‘Server Certificate’ field.
38. tutorial-40
  • Click on ‘New’ to create a new certificate
39. tutorial-41
  • Select ‘Use local certificate authority’
  • Key in the Certificate name. In this example, I used ‘FB-RP-Certificate’
  • Click on the icon next to the subject field.
  • The Edit Subject text box will appear.
  • Key in the common name as “www.external.com”
40. tutorial-42
  • You should see that the Server Certificate is the one that was created in the previous step
41. tutorial-43
  • At the bottom of the page, click ‘New’ to create a new Proxy Service List
42. tutorial-44

For the new Proxy Service, I keyed in the following values:

  • Proxy Service Name: FB-Proxy
  • Published DNS Name: www.external.com
  • Web Server IP address: 31.13.79.96 (this is the public IP address of Facebook)
  • Web Server Host Name: www.facebook.com
43. tutorial-45
  • Enable the FB-Proxy
  • Click on ‘FB-Proxy’
44. tutorial-46
  • Go to the ‘Web Servers’ tab
  • Check ‘Connect using SSL’
45. tutorial-47
  • Go to ‘Protected Resources’ tab
  • Click on ‘New’
46. tutorial-48
  • Key in the name of the Protected Resource List. I call this “FB-RL”
47. tutorial-49
  • In the Authentication Procedure, choose “Name/Password – Form (60)”
48.

Click ‘Ok’ until you see the following page:

tutorial-50

  • Click ‘Update all’
49.

At this point, you can test whether your reverse proxy works.

  • On your windows host, open a web browser.
  • Type in the URL => www.external.com
  • You should be prompted with a login prompt. Key in the admin username and password
  • NAM should redirect you to www.facebook.com

Configure NAM for Single Sign-on

50.

When the Facebook website comes up, right-click on the page and view the source. Look for the following information:

  • Title id
    tutorial-51
  • Form id
    tutorial-52
  • The id of the email field and the id of the pass field
    tutorial-53
51. tutorial-54
  • Go to Devices > AG-Cluster > FB-RP > FB-Proxy
  • Click on “Protected Resources” Tab
  • Click on ‘Form Fill’
52. tutorial-55
  • Click on ‘Manage policies’
53. tutorial-56
  • Check on ‘fill_allowance’ and click on ‘Copy’
  • Click ‘ok’
54. tutorial-57
  • Check on ‘fill_allowance-Copy_1’ and click on Rename
  • Choose the new name to be ‘fill_FB’
  • Click on ‘fill_FB’ to edit this form fill
55. tutorial-58

Fill in the following for this page with the information that we found in Step 50:

  • Page Matching Criteria: <title id="pageTitle">Welcome to Facebook – Log In, Sign Up or Learn More</title>
  • Form ID: login_form
  • email: LDAP Attribute: mail
  • pass: Credential Profile: LDAP Credentials:LDAP Password
  • Under the Submit Options, check “Auto Submit”
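The Form Fill policy above only fires if the Page Matching Criteria string occurs literally in the page source, the form id exists, and the fields named in the policy are inputs of that form. The following added example (not part of the original article and not NAM code) scripts the page-source inspection from Step 50 and checks a proposed policy against it; the sample page is constructed for the example and is not Facebook's real source.

```python
from html.parser import HTMLParser

# Constructed sample login page, shaped like the elements the tutorial tells you
# to look for (title id, form id, email/pass input ids); not Facebook's real source.
SAMPLE_LOGIN_PAGE = """<html><head>
<title id="pageTitle">Welcome to Facebook - Log In, Sign Up or Learn More</title>
</head><body><form id="login_form" action="/login.php" method="post">
  <input type="hidden" name="lsd" value="tok123">
  <input type="email" id="email" name="email">
  <input type="password" id="pass" name="pass">
</form></body></html>"""

class FormScanner(HTMLParser):
    """Map each <form> id to the set of name/id values of its <input> elements."""
    def __init__(self):
        super().__init__()
        self.forms, self._form = {}, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = a.get("id") or a.get("name") or "<anonymous form>"
            self.forms[self._form] = set()
        elif tag == "input" and self._form is not None:
            self.forms[self._form] |= {a.get("name"), a.get("id")} - {None}

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def scan_login_forms(html):
    """Step 50 by script: the form ids and input names/ids found in the page."""
    scanner = FormScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.forms

def check_form_fill_policy(html, page_match, form_id, fields):
    """Return the problems with a proposed Form Fill policy: the page matching
    string must occur literally in the page source (smart quotes pasted from a
    browser will not match), the form id must exist, and every field the policy
    fills must be an input (by name or id) inside that form."""
    forms = scan_login_forms(html)
    problems = [] if page_match in html else ["page matching criteria not found in page source"]
    if form_id not in forms:
        return problems + [f"form id {form_id!r} not found"]
    return problems + [f"field {f!r} not in form {form_id!r}"
                       for f in fields if f not in forms[form_id]]
```

Run the check against the page source you saved in Step 50 before enabling the policy; an empty list means the title string, form id and both field names were found.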
56. tutorial-59
  • Click ‘Apply Changes’
57. tutorial-60
  • Click on fill_FB and Enable this policy
58.

Click ‘Ok’ until you see the following page:

tutorial-61

  • Click ‘Update all’
59. tutorial-62
  • At the top of iManager, click on the ‘Magnifying Glass’ icon
60. tutorial-63
  • On the Tree tab, go to the “Novell” container
  • On the Right Panel, click on ‘Alice’
61. tutorial-64
  • In the Internet E-mail Address field, enter the email address that you use to log in to Facebook
  • Go to the “Restriction” Tab
62. tutorial-65
  • Set the password
63. tutorial-66
  • Set the same password as your Facebook account
64.

At this point, you can test whether your Single Sign-on works.

  • On your windows host, open a web browser.
  • Type in the URL => www.external.com
  • You should be prompted with a login prompt. Key in the Alice username and the password that you set in Step 63.
  • NAM should redirect you to www.facebook.com and sign you in to Facebook automatically.

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

By: ephua
Aug 19, 2014
11:11 am