This article is written for customers and partners who want to test NetIQ Access Manager (NAM) to understand and demonstrate how single sign-on works. Why single sign-on to Facebook? Because it is probably the most widely used website on the Internet that has a login page.
Firstly, we configure NAM as a reverse proxy. This means that when the user keys in a URL (we use a fictitious domain in this article => www.external.com), NAM reverse-proxies the request to www.facebook.com.
Secondly, we configure NAM to automatically sign in to Facebook, thereby achieving single sign-on.
Download NAM

1.
- Go to http://dl.netiq.com
- Choose Access Manager
- Select the latest version of Access Manager
- Press ‘Submit Query’

2.
- Choose to download the latest version of ‘AccessManagerAppliance’
Set up your VMware Workstation

3.
- Select your VM to boot from the ISO that you downloaded in Step 2

4.
- Choose the Operating System as SUSE Linux Enterprise 11 64-bit
- Note that later versions of NAM could be based on SUSE Linux Enterprise 12 64-bit

5.
- You can call the VM whatever name you want. I call it ‘NAM401’

6.
- Choose 1 processor with 2 cores per processor

7.
- Choose 7640 MB memory
- Note that even though NAM requires 8GB of RAM, it still works with 7640MB

8.
- In this example, I choose Bridged Networking. Whatever you choose, both the NAM VM and the host machine must have access to the Internet.
- Alternatively, you can also choose NAT

9.
- Create a new virtual disk

10.
- Select the disk size to be 100GB
- However, unselect “Allocate all disk space now” in order to conserve space. The whole setup should not take more than 20GB.

11.
- Take the default VMDK file name

12.
- Click ‘Finish’ to complete the creation of the VM
Installation of NAM

13.
- Choose ‘Install Appliance’

14.
- Agree to the license agreement and click Next

15. (screenshot only)

16.
- The warning message appears because the memory is less than 8GB
- Press ‘Continue’

17.
You can key in any values that you want. In this example, I used the following values:
- Hostname: nam
- Domain Name: external.com
- IP address: 192.168.1.30
- Subnet Mask: 255.255.255.0
- Default Gateway: 192.168.1.1
- DNS Servers: 8.8.8.8, 8.8.4.4
- Enter your root password

18.
- Enter your admin password
- Note that the admin password is for the NAM application. The root password on the previous screen is for the operating system

19. (screenshot only)

20. (screenshot only)

21. (screenshot only)

22.
- Once the installation is done, you should see the screen shown above
- Log in to the NAM appliance using the ‘root’ account and password

23.
- Test the connectivity to the Internet from NAM by pinging ‘www.facebook.com’

24.
- Add the following entry into the hosts file of your Windows host machine, C:\windows\system32\drivers\etc\hosts
- To test the entry, ping www.external.com and nam.external.com from your Windows host machine
Configure NAM for Reverse Proxy

25.
- Open a browser and go to URL => https://nam.external.com:8443/nps
- Log in with admin and the password

26.
- In the tab above, click ‘Devices > Access Gateways > AG-Cluster’
- Click on ‘Adapter_List’

27. (screenshot only)

28. (screenshot only)

29.
- Add the secondary IP address “192.168.1.31”

30.
- When the secondary IP address is added, it is shown as above
- Click ‘Ok’

31. (screenshot only)

32.
- Click ‘Update All’
- Note that for any change to take effect, you need to come back to this screen and click ‘Update All’.

33. (screenshot only)

34.
- In the tab above, click ‘Devices > Access Gateways > AG-Cluster’
- Click on ‘Reverse Proxy/Authentication’

35.
- Click on ‘New’ to create a new Reverse Proxy List

36.
- Type in the name of the Reverse Proxy. In this example, I used “FB-RP”

37.
- Make sure that FB-RP is listening on the secondary IP address: 192.168.1.31
- Make sure that ‘Enable SSL between Browser and Access Gateway’ and ‘Redirect request from Non-Secure Port to Secure Port’ are both checked
- Click on the certificate icon beside the ‘Server Certificate’ field

38.
- Click on ‘New’ to create a new certificate

39.
- Select ‘Use local certificate authority’
- Key in the certificate name. In this example, I used ‘FB-RP-Certificate’
- Click on the icon next to the Subject field
- The Edit Subject text box will appear
- Key in the common name as “www.external.com”

40.
- You should see that the Server Certificate is the one that was created in the previous step

41.
- At the bottom of the page, click ‘New’ to create a new Proxy Service List

42.
For the new Proxy Service, I keyed in the following values:
- Proxy Service Name: FB-Proxy
- Published DNS Name: www.external.com
- Web Server IP address: 31.13.79.96 (this is the public IP address of Facebook; resolve www.facebook.com yourself, as it can change)
- Web Server Host Name: www.facebook.com

43.
- Enable the FB-Proxy
- Click on ‘FB-Proxy’

44.
- Go to the ‘Web Servers’ tab
- Check ‘Connect using SSL’

45.
- Go to the ‘Protected Resources’ tab
- Click on ‘New’

46.
- Key in the name of the Protected Resource List. I call this “FB-RL”

47.
- In the Authentication Procedure, choose “Name/Password – Form (60)”

48.
Click ‘Ok’ until you see the following page (screenshot).

49.
At this point, you can test whether your reverse proxy works.
- On your Windows host, open a web browser
- Type in the URL => www.external.com
- You should be prompted with a login prompt. Key in admin and the password
- NAM should redirect you to www.facebook.com
Configure NAM for Single Sign-on

50.
When the Facebook website comes up, right-click on the page and view the source. Look for the following information:
- Title id
- Form id
- Id for email and id for pass

51.
- Go to Devices > AG-Cluster > FB-RP > FB-Proxy
- Click on the “Protected Resources” tab
- Click on ‘Form Fill’

52.
- Click on ‘Manage Policies’

53.
- Check ‘fill_allowance’ and click on ‘Copy’
- Click ‘Ok’

54.
- Check ‘fill_allowance-Copy_1’ and click on Rename
- Choose the new name to be ‘fill_FB’
- Click on ‘fill_FB’ to edit this form fill policy

55.
Fill in the following on this page with the information that we found in Step 50:
- Page Matching Criteria: <title id="pageTitle">Welcome to Facebook – Log In, Sign Up or Learn More</title>
- Form ID: login_form
- email: LDAP Attribute: mail
- pass: Credential Profile: LDAP Credentials:LDAP Password
- Under the Submit Options, check “Auto Submit”
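As an added example (not part of the original article or of NAM itself), the following Python script does by code what Steps 50 and 55 do by hand: it scans the login page source for the title id, the form id and the email/pass input ids, and maps them to the Form Fill values entered in Step 55. The HTML below is a constructed stand-in for the real page, and LoginFormScanner and form_fill_criteria are names chosen for this example.

```python
from html.parser import HTMLParser

# Constructed stand-in for the login page, reduced to the elements Step 50
# tells you to look for: the title id, the form id and the email/pass inputs.
SAMPLE_LOGIN_PAGE = """<html><head>
<title id="pageTitle">Welcome to Facebook – Log In, Sign Up or Learn More</title>
</head><body><form id="login_form" action="/login.php" method="post">
  <input type="email" id="email" name="email">
  <input type="password" id="pass" name="pass">
  <input type="hidden" name="lsd" value="placeholder-token">
</form></body></html>"""

class LoginFormScanner(HTMLParser):
    """Collects the <title> text and id, the first form's id, and its inputs."""
    def __init__(self):
        super().__init__()
        self.title, self.title_id, self.form_id = "", None, None
        self.inputs = []                 # (type, id, name) of inputs in the form
        self._in_title = self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title, self.title_id = True, a.get("id")
        elif tag == "form" and self.form_id is None:
            self._in_form, self.form_id = True, a.get("id")
        elif tag == "input" and self._in_form:
            self.inputs.append((a.get("type", "text"), a.get("id"), a.get("name")))

    def handle_endtag(self, tag):
        if tag in ("title", "form"):
            setattr(self, "_in_" + tag, False)

    def handle_data(self, data):
        if self._in_title:
            self.title += data

def form_fill_criteria(html):
    """Return the page-match string, form id and field mapping Step 55 asks for."""
    s = LoginFormScanner()
    s.feed(html)
    page_match = f'<title id="{s.title_id}">{s.title.strip()}</title>'
    fields = {}
    for typ, fid, name in s.inputs:
        if typ == "email":          # filled from the user's LDAP mail attribute
            fields[name or fid] = "LDAP Attribute: mail"
        elif typ == "password":     # filled from the LDAP credential profile
            fields[name or fid] = "Credential Profile: LDAP Credentials:LDAP Password"
    return {"page_match": page_match, "form_id": s.form_id, "fields": fields}
```

Hidden inputs such as the constructed "lsd" token are deliberately left out of the mapping: NAM only needs the fields it has to fill, and the rest of the form is submitted as the page delivers it.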
56. (screenshot only)

57.
- Click on fill_FB and enable this policy

58.
Click ‘Ok’ until you see the following page (screenshot).

59.
- At the top of iManager, click on the ‘Magnifying Glass’ icon

60.
- On the Tree tab, go to the “Novell” container
- On the right panel, click on ‘Alice’

61.
- In the Internet E-mail Address field, add the email address that Facebook requires you to log in with
- Go to the “Restriction” tab

62. (screenshot only)

63.
- Set the same password as your Facebook account
- Note that this makes Alice's directory password identical to her Facebook password; that is fine for a demo but not something to do with a real account

64.
At this point, you can test whether your single sign-on works.
- On your Windows host, open a web browser
- Type in the URL => www.external.com
- You should be prompted with a login prompt. Key in the Alice username and the password that you set in Step 63.
- NAM should redirect you to www.facebook.com and sign you in to Facebook via single sign-on.