3.3 Configuring an Identity Server

Post installation, create an Identity Server configuration that defines how an Identity Server or Identity Server cluster operates.

When creating the Identity Server configuration, specify the following information:

  • The DNS name for the Identity Server.

  • The IP address of an LDAP directory (user store). The LDAP directory is used to authenticate users. The trusted root certificate of the user store is imported to provide secure communication between the Identity Server and the user store.

  • The distinguished name and password of the administrator of the LDAP user store.

NOTE: This task is a basic setup to help you become familiar with Access Manager. It discusses only the required fields for creating a configuration. For information about all fields in the interface, see Identity Servers Cluster.

To create an Identity Server configuration:

  1. On a client workstation, enable browser pop-ups, then log in to the Administration Console.

  2. In the Administration Console, click Devices > Identity Servers.

  3. Select the check box next to the Identity Server, then click New Cluster.

    Selecting the server assigns it to the cluster configuration.

  4. In the New Cluster dialog box, specify a name for the cluster configuration.

    If you did not select the server in the previous step, you can now select the server or servers that you want to assign to this configuration.

  5. Click OK.

  6. Specify the following properties for your Identity Server configuration:

    Name: The name by which you want to refer to the Identity Server configuration. This field is populated with the name you provided in the New Cluster dialog box. You can change the name here, if necessary.

    Base URL: The application path for the Identity Server. The Identity Server protocols rely on this base URL to generate URL endpoints for each protocol.

    • Protocol: The communication protocol. Select HTTP for a basic setup.

    • Domain: The domain name used to access the Identity Server. For a basic setup, this is the DNS name of the machine on which you installed the Identity Server. Using an IP address is not recommended.

    • Port: The port value for the protocol. For HTTP, this is 8080.

    • Application: The Identity Server application path. Leave the default value as nidp.

  7. Click Next.

    The system displays the Organization page.

    Use this page to specify organization information for the Identity Server configuration. The information you specify on this page is published in the metadata of the Liberty 1.2 and SAML protocols. This metadata is exchanged with federation partners and supplies them with contact and organization information for the Identity Server.

    Specify values in the following fields:

    Name: The name of the organization.

    Display Name: The display name for the organization. This can be the same as the name of the organization.

    URL: The organization’s URL for contact purposes.

    Optional fields include Company, First Name, Last Name, Email, Telephone, and Contact Type.

  8. Click Next.

    The system displays the User Store page.

    Use this page to configure the user store that references users in your organization. User stores are LDAP directory servers to which end users authenticate. You can configure a user store to use more than one replica of the directory server, to provide load balancing and failover capability. You must reference an existing user store.

    For more information about the options on this page and configuring for load balancing and failover, see Configuring Identity User Stores.

    Name: A display name for the LDAP directory.

    Admin Name: The distinguished name of the admin user of the LDAP directory. Administrator-level rights are required for setting up a user store.

    Admin Password and Confirm Password: The password for the admin user and the confirmation for the password.

    Directory Type: The type of LDAP directory. You can specify eDirectory, Active Directory, or Sun ONE.

    If eDirectory has been configured to use Domain Services for Windows, eDirectory behaves like Active Directory. When you configure such a directory to be a user store, its Directory Type must be set to Active Directory for proper operation.

  9. Under Server Replicas, click New to specify the user store replica information. Specify an LDAP server that contains a read/write replica.

    Name: The display name for the LDAP directory server.

    IP Address: The IP address of the LDAP directory server. The port is set automatically to the standard LDAP port (389).

    For information about adding multiple replicas for load balancing and failover, see Configuring Identity User Stores.

  10. Select Use secure LDAP connections. The port changes to 636, which is the secure LDAP port.

    This is the only configuration we recommend for the connection between the Identity Server and the LDAP server in a production environment. If you use port 389, usernames and passwords are sent in clear text on the wire.

  11. Click Auto import trusted root > OK.

  12. Select one of the certificates in the list.

    Server Certificate: To trust one certificate.

    Root CA Certificate: To trust any certificate signed by that certificate authority.

  13. Specify an alias, then click OK.

    An alias is a name you use to identify the certificate used by Access Manager.

  14. Click Close > OK.

  15. Under Server Replicas, verify Validation Status.

    The system displays a green check mark if the connection is valid. If it is red, you have a configuration error:

    • Check the distinguished name of the admin user, password, and IP address of the replica.

    • Ensure that the specified admin user can log in to the user store.

    • Check for network communication problems between the Identity Server and the LDAP server.

    • Enable verbose logging on the Identity Server, then search for the IP address or name of the user store in the log file (Linux: catalina.out; Windows: stdout.log) and identify errors.

      For logging information, see Configuring Logging for Identity Server.

  16. Add a search context. Click New, specify the DN of the context, select a scope, then click OK.

    The search context is used to locate users in the directory. If a user exists outside of the specified search context and its scope (object, subtree, one level), the Identity Server cannot find the user, and the user cannot log in.

    A username must be unique within a search context. If the search context you specify finds more than one user with the same username, the Identity Server cannot authenticate these users.

  17. Click Finish.

  18. Restart Tomcat when prompted.

    If your Administration Console is installed on the same machine, your connection is broken. Refresh the page and log in to the Administration Console.

    The Health status icons for the configuration and the Identity Server must turn green.

    It might take several seconds for the Identity Server to start and for the system to display a green icon. If the health icon does not turn green, see Monitoring Health of Identity Servers.

  19. (Optional) Verify the configuration:

    1. In a browser, specify the base URL of the Identity Server.

    2. Select a card without the locking icon.

      Cards with a locking icon require HTTPS and SSL. In this basic setup, you configured the Identity Server to use HTTP.

    3. Log in by using the credentials of a user in the LDAP server.

    4. (Conditional) If the URL returns an error, verify the following:

      • The browser machine can resolve the DNS name of the Identity Server.

      • The browser machine can access the port.

  20. If you have already installed an Access Gateway, continue with one of the following:
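The search-context rules from step 16 (the object, one level, and subtree scopes, and the requirement that a username be unique within the context) are the part of this procedure that most often produces an unexplained login failure. The following Python model is an added example, not part of this documentation or of the Access Manager product: it works on a constructed in-memory directory instead of a live LDAP server, and the DN splitting is simplified (real DNs can contain escaped commas and need an RFC 4514 parser). It shows how the same username resolves, fails to resolve, or becomes ambiguous depending on the context and scope chosen.

```python
"""Model how an Identity Server search context selects a user from the LDAP
user store, and why usernames must be unique within that context.
Added illustration only; the directory entries below are constructed data."""

# Constructed sample user store: DN -> attributes.  'cn' plays the role of
# the login username.  The two 'bob' entries are deliberate: one directly
# under ou=users, one a level deeper under ou=contractors.
USER_STORE = {
    "ou=users,o=example": {"objectClass": "organizationalUnit"},
    "cn=alice,ou=users,o=example": {"objectClass": "inetOrgPerson", "cn": "alice"},
    "cn=bob,ou=users,o=example": {"objectClass": "inetOrgPerson", "cn": "bob"},
    "ou=contractors,ou=users,o=example": {"objectClass": "organizationalUnit"},
    "cn=bob,ou=contractors,ou=users,o=example": {"objectClass": "inetOrgPerson", "cn": "bob"},
    "ou=admins,o=example": {"objectClass": "organizationalUnit"},
    "cn=carol,ou=admins,o=example": {"objectClass": "inetOrgPerson", "cn": "carol"},
}

# The three scopes offered on the search-context dialog.
SCOPES = ("object", "one level", "subtree")


def dn_components(dn):
    """Split a DN into normalised RDNs, most specific first.
    Splitting on ',' is enough for the constructed data above; real DNs can
    contain escaped commas (RFC 4514) and need a proper parser."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(entry_dn, context_dn, scope):
    """True if entry_dn lies inside context_dn for the given scope."""
    if scope not in SCOPES:
        raise ValueError(f"unknown scope {scope!r}; expected one of {SCOPES}")
    entry, context = dn_components(entry_dn), dn_components(context_dn)
    if len(entry) < len(context) or entry[-len(context):] != context:
        return False  # entry is not under the context at all
    depth = len(entry) - len(context)  # 0 = the context entry itself
    if scope == "object":
        return depth == 0
    if scope == "one level":
        return depth == 1
    return True  # subtree: the context and everything below it


def find_user(store, username, context_dn, scope):
    """Resolve a username the way the Identity Server must: exactly one
    matching entry inside the search context, otherwise authentication fails.
    Returns ("ok", dn), ("not_found", None) or ("ambiguous", [dns])."""
    matches = sorted(
        dn for dn, attrs in store.items()
        if in_scope(dn, context_dn, scope)
        and attrs.get("cn", "").lower() == username.lower()
    )
    if len(matches) == 1:
        return "ok", matches[0]
    if not matches:
        return "not_found", None
    return "ambiguous", matches


if __name__ == "__main__":
    ctx = "ou=users,o=example"
    for user, scope in (("alice", "subtree"), ("bob", "one level"),
                        ("bob", "subtree"), ("carol", "subtree")):
        print(f"{user:6} scope={scope:10} ->", find_user(USER_STORE, user, ctx, scope))
```

Running the block shows the four outcomes a validator would want to recognise: alice resolves under ou=users with any scope; bob resolves with one level (the contractor entry is too deep) but is ambiguous with subtree, so the Identity Server would refuse to authenticate either bob; carol is never found from ou=users because ou=admins is outside the context, which matches the behaviour the procedure describes for users outside the search context.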