NetIQ Access Manager Appliance 4.4 Administration Guide
- NetIQ Access Manager Appliance 4.4 Administration Guide
- Overview
- How Access Manager Appliance Solves Business Challenges
- Protecting Resources While Providing Access
- Managing Passwords with Single Sign-On
- Enforcing Business Policies
- Sharing Identity Information
- Protecting Identity Information
- Complying with Regulations
- How Access Manager Appliance Works
- Authentication
- Authorization
- Identity Injection
- Identity Federation
- Access Manager Appliance Components and Their Features
- Administration Console
- Identity Servers
- Access Gateways
- Analytics Server
- MobileAccess
- User Portal
- Language Support
- Configuring Access Manager
- Configuring Administration Console
- Configuring the Default View
- Changing the View
- Setting a Permanent Default View
- Managing Administration Console Session Timeout
- Managing Administrators
- Creating Multiple Admin Accounts
- Managing Policy View Administrators
- Managing Delegated Administrators
- Changing Administrator’s Password
- Changing the IP Address of Access Manager Appliance
- Changing the DNS Name of Access Manager Appliance
- Setting Up a Basic Access Manager Appliance Configuration
- Understanding Access Manager Appliance Process Flow
- Prerequisites for Setup
- Setting up User Stores for Identity Server Configuration
- Identity Servers Cluster
- Managing a Cluster of Identity Servers
- Configuring Identity Server Shared Settings
- Configuring Attribute Sets
- Editing Attribute Sets
- Configuring User Matching Expressions
- Adding Custom Attributes
- Adding Authentication Card Images
- Creating an Image Set
- Metadata Repositories
- User Attribute Retrieval and Transformation
- Configuring Advanced Authentication Server
- Configuring Access Gateway
- Configuring a Reverse Proxy
- Configuring a Public Protected Resource
- Setting Up Policies
- Access Gateways Clusters
- Managing Access Gateway Cluster Configuration
- Protecting Web Resources Through Access Gateway
- Configuration Options
- WebSocket Support
- Managing Reverse Proxies and Authentication
- Configuring Web Servers of a Proxy Service
- Configuring Protected Resources
- Configuring HTML Rewriting
- Configuring Connection and Session Limits
- Protecting Multiple Resources
- Configuring Trusted Providers for Single Sign-On
- Understanding the Trust Model
- Configuring General Provider Settings
- Managing Trusted Providers
- Modifying a Trusted Provider
- Communication Security
- Selecting Attributes for a Trusted Provider
- Managing Metadata
- Configuring an Authentication Response for a Service Provider
- Routing to an External Identity Provider Automatically
- Configuring Options for Trusted Service Providers
- Using the Intersite Transfer Service
- Configuring Single Sign-On to Specific Applications
- Configuring SSO to SharePoint Server 2013 and 2016
- Configuring a Protected Resource for Outlook Web Access
- Configuring a Protected Resource for a Novell Vibe 3.3 Server
- Configuring Access to the Filr Site through Access Manager
- Sample Configuration for Protecting an Application Through Access Manager Appliance
- Installation Overview and Prerequisites
- Accessing the Sample Web Portal
- Understanding the Policies Used in the Sample Portal
- Setting Up an Advanced Access Manager Configuration
- Identity Server Advanced Configuration
- Managing an Identity Server
- Editing Server Details
- Customizing Identity Server
- Access Gateway Server Advance Configuration
- Configuration Overview
- Saving, Applying, or Canceling Configuration Changes
- Managing Access Gateways
- Managing General Details of Access Gateway
- Setting Up a Tunnel
- Setting the Date and Time
- Configuring Network Settings
- Enabling Access Gateway to Display Post-Authentication Message
- Customizing Access Gateway
- Access Gateway Content Settings
- Configuring Caching Options
- Controlling Browser Caching
- Configuring a Pin List
- Configuring a Purge List
- Purging Cached Content
- Apache htcacheclean Tool
- Access Gateway Advanced Options
- Configuring Global Advanced Options
- Configuring Advanced Options for a Domain-Based and Path-Based Multi-Homing Proxy Service
- Analytics Server Configuration
- Managing Analytics Server
- Managing General Details of Analytics Server
- Analytics Server Cluster Configuration
- Managing Details of a Cluster
- Configuring Analytics Server
- Forwarding Events from Sentinel Server to Analytics Server
- Importing Analytics Server
- Importing Analytics Server in a High Availability Setup
- Email Server Configuration
- Modifying Configuration Files
- Modifying web.xml
- Modifying server.xml
- Managing Direct Access to Identity Server
- Logging in to the Default User Portal
- Logging in with the Legacy Customized Portal
- Logging in to the User Portal from a Web Application
- Managing Authentication Cards
- Specifying a Target
- Blocking Access to the User Portal Page
- Blocking Access to the WSDL Services Page
- Configuring Authentication
- Local Authentication
- Configuring Identity User Stores
- Creating Authentication Classes
- Configuring Authentication Methods
- Configuring Authentication Contracts
- Specifying Authentication Defaults
- Persistent Authentication
- Client Integrity Check
- Mutual SSL (X.509) Authentication
- ORed Credential Class
- OpenID Authentication
- Password Retrieval
- Configuring Access Manager for NESCM
- Kerberos Authentication
- Federated Authentication
- Configuring Federation
- Service Provider Brokering
- Configuring User Identification Methods for Federation
- Configuring SAML 2.0
- Configuring SAML 1.1
- Configuring Liberty
- Configuring Liberty Web Services
- Configuring WS Federation
- Configuring WS-Trust Security Token Service
- Understanding How Access Manager Uses OAuth and OpenID Connect
- Configuring Authentication Through Federation for Specific Providers
- Integrating Amazon Web Services with Access Manager
- Configuring Single Sign-On for Office 365 Services
- Advanced Authentication
- Two-Factor Authentication Using Time-Based One-Time Password
- RADIUS Authentication
- NetIQ Advanced Authentication
- Social Authentication
- Why and When to Use
- Prerequisite
- Configuring the Social Authentication Class
- Adding Images for Social Authentication Providers
- Changing Social Authentication Icons
- Configuring Supported Social Authentication Providers for API Keys and API Secrets
- Risk-based Authentication
- How Risk-based Authentication Works
- Why Risk-based Authentication
- Features of Risk-based Authentication
- Key Terms
- Understanding Risk-based Authentication through Scenarios
- Understanding Risk Score Calculation
- Configuring Risk-based Authentication
- Enabling Auditing for Risk-Based Authentication Events
- Configuring an External Database to Store User History
- Enabling Logging for Risk-Based Authentication
- Troubleshooting Risk Rule Configuration
- Device Fingerprinting
- How It Works
- Understanding Device Fingerprint Parameters
- Configuring a Device Fingerprint Rule
- Configuring an Example Device Fingerprint Policy
- Enabling Mobile and Web Access
- User Requirements for MobileAccess
- Configuring Appmarks
- Creating Multiple Appmarks for an Application
- Understanding Appmarks Options
- Managing Icons
- Configuring MobileAccess
- Helping Users Register Their Mobile Devices
- Registering iOS Devices
- Registering Android Devices
- Installing MobileAccess on a Mobile Device
- Understanding the MobileAccess PIN
- Managing Mobile Devices
- Deregistering Mobile Devices as an Administrator
- Deregistering a Mobile Device as a User
- Deleting and Reinstalling the MobileAccess App on a Device
- Changing the Branding of the User Portal Page
- Access Manager Policies
- Understanding Policies
- Selecting a Policy Type
- Tuning the Policy Performance
- Managing Policies
- Managing Policy Containers
- Managing a Rule List
- Adding Policy Extensions
- Enabling Policy Logging
- Role Policies
- Understanding RBAC in Access Manager Appliance
- Enabling Role-Based Access Control
- Creating Roles
- Example Role Policies
- Creating Access Manager Appliance Roles in an Existing Role-Based Policy System
- Mapping Roles between Trusted Providers
- Enabling and Disabling Role Policies
- Importing and Exporting Role Policies
- Authorization Policies
- Designing an Authorization Policy
- Creating Access Gateway Authorization Policies
- Sample Access Gateway Authorization Policies
- Conditions
- Importing and Exporting Authorization Policies
- Identity Injection Policies
- Designing an Identity Injection Policy
- Configuring an Identity Injection Policy
- Configuring an Authentication Header Policy
- Configuring a Custom Header Policy
- Configuring a Custom Header with Tags
- Specifying a Query String for Injection
- Injecting into the Cookie Header
- Configuring an Inject Kerberos Ticket Policy
- Configuring an OAuth Token Inject Policy
- Importing and Exporting Identity Injection Policies
- Sample Identity Injection Policy
- Form Fill Policies
- Understanding an HTML Form
- Creating a Form Fill Policy for the Sample Form
- Implementing Form Fill Policies
- Creating and Managing Shared Secrets
- Importing and Exporting Form Fill Policies
- Configuring a Form Fill Policy for Forms With Scripts
- External Attribute Source Policies
- Enabling External Attributes Policy
- Creating an External Attribute Source Policy
- External Attribute Source Policy Examples
- Risk-based Policies
- Configuring Risk-based Authentication
- Configuring User History
- Configuring Geolocation Profiling
- Configuring NAT Settings
- Configuring an Authorization Policy to Protect a Resource
- Risk-Based Authentication: Sample Configuration
- High Availability and Fault Tolerance
- Installing Secondary Access Manager Appliance
- Prerequisites
- Understanding How Consoles Interact with Each Other and with Access Manager Devices
- Configuration Tips for the L4 Switch
- Sticky Bit
- Network Configuration Requirements
- Health Checks
- Real Server Settings Example
- Virtual Server Settings Example
- Setting up L4 Switch for IPv6 Support
- Web SSO Over IPv6
- Federated SSO over IPv6
- Limitations
- Using a Software Load Balancer
- Business to Consumer Access Management
- Overview
- An Example Scenario
- Deployment Strategy
- Setting Up the B2C Login Page
- Configuring Self Service Password Reset and Advanced Authentication
- Configuring Self Service Password Reset
- Configuring Advanced Authentication
- Configuring Services for Login Page, Self Service Password Reset, and Advanced Authentication in Access Gateway
- Configuring the B2C Login Page as a Service in Access Gateway
- Configuring SSO to Self Service Password Reset Through Access Gateway
- Configuring SSO to Advanced Authentication Through Access Gateway
- Enabling Self Service Password Reset and Advanced Authentication Integration in Access Manager
- Configuring Self Service Password Reset Server Details in Identity Server
- Configuring Advanced Authentication in Identity Server
- Configuring Social Authentication Contracts
- Configuring Device Registration Contract
- Configuring Email Server
- Branding and Customizing
- Branding and Customizing Access Manager
- Customizing Self Service Password Reset
- Customizing Advanced Authentication
- Validating Deployment
- Business To Consumer Wizard: Sample Configuration
- Prerequisites
- Using the B2C Wizard
- Security And Certificates
- Securing Access Manager
- Securing Administration Console
- Protecting the Configuration Store
- Security Considerations for Certificates
- Configuring Secure Communication on Identity Server
- Viewing the Services That Use the Signing
- Viewing Services That Use the Encryption
- Enabling Secure Cookies
- Securing the Embedded Service Provider Session Cookie on Access Gateway
- Securing the Proxy Session Cookie
- Preventing Cross-site Scripting Attacks
- Option 1: HTML Escaping
- Option 2: Filtering
- Setting Up Advanced Session Assurance
- Understanding Access Manager Certificates
- Process Flow
- Creating Certificates
- Creating a Locally Signed Certificate
- Editing the Subject Name
- Assigning Alternate Subject Names
- Generating a Certificate Signing Request
- Importing a Signed Certificate
- Managing Certificates and Keystores
- Viewing Certificate Details
- Renewing a Certificate
- Exporting a Private/Public Key Pair
- Exporting a Public Certificate
- Importing a Private/Public Key Pair
- Using Multiple External Signing Certificates
- Assigning Certificates to Access Manager Appliance
- Managing Trusted Roots and Trust Stores
- Managing Trusted Roots
- Importing Public Key Certificates (Trusted Roots)
- Auto-Importing Certificates from Servers
- Exporting the Public Certificate of a Trusted Root
- Viewing Trusted Root Details
- Viewing External Trusted Roots
- Enabling SSL Communication
- Enabling SSL Communication
- Using Access Manager Certificates
- Using Externally Signed Certificates
- SSL Renegotiation
- Using SSL on Access Manager Appliance Communication Channels
- Prerequisites for SSL
- Prerequisites for SSL Communication between Identity Server and Access Manager Appliance
- Prerequisites for SSL Communication between Access Gateway and Web Servers
- Configuring SSL Communication with Browsers and Access Gateway
- Configuring SSL between the Proxy Service and the Web Servers
- Configuring the SSL Communication
- Maintaining Access Manager
- Analytics Dashboard
- Advantages of Using Analytics Dashboard
- Architecture
- Who Can Access Analytics Dashboard
- Prerequisites
- Enabling Events for Each Graph
- Viewing Data in Analytics Dashboard
- Real-time Data
- Historic Data
- Types of Graphs
- Unique Users Logged In
- Identity Server Active Users
- Access Gateway Active Users
- Geolocation of Users Logged In
- Pre-Auth Risk Distribution
- Post-Auth Risk Distribution
- Identity Server Accessed Applications
- Access Gateway Accessed Applications
- Most Used Browsers
- Most Used Endpoint Devices
- Most Accessed Users
- Client IP Addresses
- Most Used Contracts
- Failed Authentications
- Identity Server Logins
- Access Gateway Logins
- Access Gateway Uptime
- Access Gateway Requests
- Access Gateway Cache Utilization
- Identity Server Clusters
- Identity Servers
- Access Gateway Clusters
- Access Gateways
- Accessing Analytics Dashboard
- Managing Analytics Dashboard
- Managing Layout of the Dashboard
- Exporting and Importing a Customized Dashboard
- Filtering Data to View Required Details
- Managing Dashboard
- Adding/ Modifying Refresh Time for Real-time Dashboard
- Viewing Historic Data
- Auditing
- Enabling Auditing
- Specifying the Logging Server and Console Events
- Configuring Syslog for Auditing
- Enabling Identity Server Audit Events
- Enabling Access Gateway Audit Events
- Reporting
- Overview
- Using Reporting with Sentinel
- Prerequisites
- Deploying Access Manager Reporting Solution Pack
- Using Reporting with Analytics Server
- Prerequisites
- Viewing Reports
- Enabling Reporting
- Generating Reports
- Logging
- Understanding the Types of Logging
- Component Logging for Troubleshooting Configuration or Network Problems
- HTTP Transaction Logging for Proxy Services
- Understanding the Log Format
- Understanding the Correlation Tags in the Log Files
- Sample Scenario
- Identity Server Logging
- Configuring Logging for Identity Server
- Configuring Session-Based Logging
- Capturing Client Side Stack Traces
- Access Gateway Logging
- Managing Access Gateway Logs
- Configuring Logging for a Proxy Service
- Downloading Log Files
- Administration Console Logs
- Identity Server Logs
- Access Gateway Appliance and Access Gateway Service Logs
- Turning on Logging for Policy Evaluation
- Monitoring Component Statistics
- Identity Server Statistics
- Monitoring Identity Server Statistics
- Monitoring Identity Server Cluster Statistics
- Access Gateway Statistics
- Monitoring Access Gateway Statistics
- Monitoring Access Gateway Cluster Statistics
- Component Statistics Through REST APIs
- Monitoring API for Identity Server Statistics
- Monitoring API for Access Gateway Statistics
- Monitoring Component Command Status
- Viewing the Command Status of Identity Server
- Viewing the Status of Current Commands
- Viewing Detailed Command Information
- Viewing the Command Status of Access Gateway
- Viewing the Status of Current Commands
- Viewing Detailed Command Information
- Viewing the Command Status of the Analytics Server
- Viewing the Status of Current Commands
- Viewing Detailed Command Information
- Reviewing the Command Status for Certificates
- Monitoring Server Health
- Health States
- Monitoring Health by Using the Hardware IP Address
- Monitoring Health of Identity Servers
- Monitoring the Health of an Identity Server
- Monitoring the Health of a Cluster
- Monitoring the Health of Access Gateways
- Monitoring the Health of an Access Gateway
- Monitoring the Health of an Access Gateway Cluster
- Monitoring the Health of Analytics Server
- Monitoring the Health of Analytics Server
- Monitoring the Health of Analytics Server Cluster
- Monitoring Alerts
- Monitoring Identity Server Alerts
- Monitoring Access Gateway Alerts
- Viewing Access Gateway Alerts
- Viewing Access Gateway Cluster Alerts
- Managing Access Gateway Alert Profiles
- Configuring an Alert Profile
- SNMP Profile
- Configuring a Log Profile
- Configuring an E-Mail Profile
- Configuring a Syslog Profile
- Monitoring Analytics Server Alerts
- Viewing Analytics Server Alerts
- Viewing Analytics Server Cluster Alerts
- Monitoring Access Manager By Using Simple Network Management Protocol
- SNMP Architecture in Access Manager
- Features of Monitoring in Access Manager
- Using the Default MIB File with External SNMP Systems
- Querying For SNMP Attributes
- Querying Using the Namespace
- Querying Using the OID
- Installing and Enabling Monitoring for Access Manager Components
- Installing and Enabling Monitoring for Access Manager on Linux
- Installing and Enabling Monitoring for Access Manager on Windows
- Impersonation
- Impersonation Terminology
- Prerequisites
- Enabling Impersonation
- Impersonation Flow
- Implementing Impersonation in Custom Portal Pages
- Understanding the Specific JSP Files
- Determining when to Show the Specific JSP Files
- Audit Event for Impersonation
- Troubleshooting
- Back Up and Restore
- How The Backup and Restore Process Works
- Default Parameters
- The Process
- Backing Up the Access Manager Appliance Configuration
- Restoring the Access Manager Appliance Configuration
- Restoring the Configuration on the Same Appliance for Which Backup Was Taken
- Restoring the Configuration on a Freshly Installed Appliance with Same IP Address and DNS Settings
- Code Promotion
- How Code Promotion Helps
- Sequence of Promoting the Configuration Data
- Prerequisites
- Limitations
- Configuring Custom File Paths
- Exporting the Configuration Data
- Importing the Configuration Data
- Uploading Configuration File to Import
- Selecting the Component to Import the Configuration Data
- Importing Identity Server Configuration Data
- Importing Access Gateway Configuration Data
- Post-Import Configuration Tasks
- Troubleshooting Code Promotion
- Troubleshooting
- Troubleshooting Administration Console
- Global Troubleshooting Options
- Diagnostic Configuration Export Utility
- Restoring a Failed Secondary Console
- Converting a Secondary Access Manager Appliance into a Primary Appliance
- Repairing the Configuration Datastore
- Session Conflicts
- Unable to Log In to Administration Console
- Exception Processing IdentityService_ServerPage.JSP
- Backup and Restore Fail Because of Special Characters in Passwords
- Unable to Install NMAS SAML Method
- Incorrect Audit Configuration
- Unable to Update Access Gateway Listening IP Address in Administration Console Reverse Proxy
- During Access Manager Appliance Installation Any Error Message Should Not Display Successful Status
- Incorrect Health Is Reported on Access Gateway
- Administration Console Does Not Refresh the Command Status Automatically
- SSL Communication with Weak Ciphers Fails
- Error: Tomcat did not stop in time. PID file was not removed
- An IP Address for the Other Known Device Manager List Is Missing in the Troubleshooting Page
- (Access Manager on Cloud) Metadata Under System Setup of SAML2 Applications Is Displayed after a Delay of 5 to 10 Seconds
- Troubleshooting Access Gateway
- Useful Troubleshooting Files
- Verifying That All Services Are Running
- Troubleshooting SSL Connection Issues
- Enabling Debug Mode and Core Dumps
- Useful Troubleshooting Tools for Access Gateway Service
- Solving Apache Restart Issues
- Understanding the Authentication Process of Access Gateway Service
- Issue While Accelerating the Ajax Applications
- Accessing Lotus-iNotes through Access Gateway Asks for Authentication
- Configuration Issues
- Cannot Inject a Photo into HTTP Headers
- Access Gateway Caching Issues
- Issues while Changing the Management IP Address in Access Gateway Appliance
- Issue While Adding Access Gateway in a Cluster
- Troubleshooting Identity Server and Authentication
- Useful Networking Tools for Linux Identity Server
- Troubleshooting 100101043 and 100101044 Liberty Metadata Load Errors
- Authentication Issues
- After Setting Up the User Store to Use SecretStore, Users Report 500 Errors
- When Multiple Browser Logout Option Is Enabled, User Is Not Getting Logged Out from Different Sessions
- After Consuming a SAML Response, the Browser Is Redirected to an Incorrect URL
- Configuring SAML 1.1 Identity Provider Without Specifying Port in the Login URL Field
- Attributes Are Not Available Through Form Fill When OIOSAML Is Enabled
- Issue in Importing Metadata While Configuring Identity Provider or Service Provider Using Metadata URL
- Metadata Mentions Triple Des As Encryption Method
- Issue in Accessing Protected Resources with External Identity Provider When Both Providers Use Same Cookie Domain
- SAML Intersite Transfer URL Setup Does Not Work for Non-brokered Setups after Enabling SP Brokering
- Orphaned Identity Objects
- Users Cannot Log In to Identity Server When They Access Protected Resources with Any Contract Assigned
- An Attribute Query from OIOSAML.SP Java Service Provider Fails with Null Pointer
- Disabling the Certificate Revocation List Checking
- Step Up Authentication for Identity Server Initiated SSO to External Provider Does Not Work Unless It has a Matching Local Contract
- Metadata Cannot be Retrieved from the URL
- Authentication Request to a Service Provider Fails
- SAML 2.0 POST Compression Failure Does Not Throw a Specific Error Code
- SAML 1.1 Service Provider Re-requests for Authentication
- Identity Server Statistics Logs Do Not Get Written In Less Than One Minute
- No Error Message Is Written in the Log File When an Expired Certificate Is Used for the X509 Authentication
- Terminating an Existing Authenticated User from Identity Server
- X.509 Authentication Lists the Entire List of Certificates Imported to the Browser
- Clustered Nodes Looping Due to JGroup Issues
- Authentication With Aliases Fails
- nidp/app Does Not Redirect to nidp/portal after Authentication
- Login to Office 365 Fails when WS-Trust MEX Metadata Is Larger than 65 KB
- Unsafe Server Certificate Change in SSL/TLS Renegotiations Is Not Allowed
- Viewing Request and Response Headers of All Protocols in a Log File
- Provisioning of LDAP Attribute for Social Authentication User Failed
- User Authentication Fails When the Advanced Authentication Generic Class Is Used
- The Advanced Authentication Chains Are Not Displayed When Creating a Method with Advanced Authentication Generic Class
- Troubleshooting Analytics Server
- Launching Analytics Dashboard Displays a Blank Page
- Graphs Do Not Display Any Data When You Launch Analytics Dashboard
- Clearing the Existing Graphs to View the Imminent Data on the Graphs
- Cannot Launch Analytics Dashboard After Reimporting Analytics server
- The Analytics Server Health Is Not Reported to Administration Console
- Analytics Dashboard Does Not Display the Graphs, but Displays the Health Status of the Devices
- When Deploying Analytics Server in High Availability Mode, crm status Displays Failed Actions
- Troubleshooting Certificate Issues
- Resolving the JCC Communication between Devices and Administration Console
- On Analytics Server the Self-Signing Certificate Is Expired for Port 10013
- Resolving Certificate Import Issues
- Mutual SSL with X.509 Produces Untrusted Chain Messages
- Certificate Command Failure
- A Device Reports Certificate Errors
- Renewing the expired eDirectory certificates
- Troubleshooting Access Manager Policies
- Turning on Logging for Policy Evaluation
- Common Configuration Problems That Prevent a Policy from Being Applied as Expected
- The Policy Is Using Old User Data
- Form Fill and Identity Injection Silently Fail
- Checking for Corrupted Policies
- Policy Page Timeout
- Policy Creation and Storage
- Policy Distribution
- Policy Evaluation: Access Gateway Devices
- Troubleshooting MobileAccess
- Using the Same Mobile Device for Different Users Causes the Expired Session Error
- Simple Authentication with a Pop-up Browser Window Does Not Work for MobileAccess
- Users Fail to Authenticate to MobileAccess when Appmarks Are Launched in the Chrome Browser
- Changes to MobileAccess do not Appear in Administration Console
- Facebook Basic SSO Connector Does Not Work from MobileAccess
- Troubleshooting Code Promotion
- Troubleshooting Identity Server Code Promotion
- Troubleshooting Access Gateway Code Promotion
- Troubleshooting Device Customization Code Promotion
- Troubleshooting the Device Fingerprint Rule
- Enabling the Debug Option for the Device Fingerprint Rule
- Using Logs to Understand How the Device Fingerprint Rule Is Evaluated
- Troubleshooting Advanced Session Assurance
- Troubleshooting Using the Log Files
- Important Error Messages
- Checking Session Assurance Configuration Details
- The Advanced Session Assurance Page Does Not Display the Access Gateway Cluster
- Troubleshooting OAuth and OpenID Connect
- The OAuth Tokens Are in Binary Format Instead of JWT Format
- Users Cannot Register a Client Application
- Token Exchanges Show Redirect URI Invalid Error
- Users Cannot Register or Modify a Client Application with Specific Options
- A Specific Claim Does Not Come to the UserInfo Endpoint during Claims Request
- Access Gateway OAuth Fails
- After Allowing Consent, 500 Internal Server Error Occurs
- The Access Token Does Not Get Exchanged with Authorization Code When Using a Multi-Node Identity Server Cluster
- No Error Message When a Token Request Contains Repetitive Parameters
- OAuth Token Encryption/Signing Key Is Compromised or Corrupted
- Tracing OAuth Requests
- OAuth Client Registration Fails If a Role Policy Contains a Condition Other than LDAP Attribute, LDAP Group, or LDAP OU
- The Identity Injection Policy Does Not Inject Passwords
- OAuth Apps Fail After Upgrading Access Manager
- Troubleshooting User Attribute Retrieval and Transformation
- No Value Is Fetched from Attribute Source in Identity Server
- Error Message While Testing a Database Connection
- Regex Replace Error Message
- Troubleshooting Impersonation
- Internet Explorer Caching Error
- Troubleshooting Branding
- Changes to Branding do not Appear in Administration Console
- Using Log Files for Troubleshooting
- Sample Authentication Traces
- Understanding Policy Evaluation Traces
- Adding Hashed Cookies into Browsers
- Access Manager Audit Events and Data
- NIDS: Sent a Federate Request (002e0001)
- NIDS: Received a Federate Request (002e0002)
- NIDS: Sent a Defederate Request (002e0003)
- NIDS: Received a Defederate Request (002e0004)
- NIDS: Sent a Register Name Request (002e0005)
- NIDS: Received a Register Name Request (002e0006)
- NIDS: Logged Out an Authentication that Was Provided to a Remote Consumer (002e0007)
- NIDS: Logged out a Local Authentication (002e0008)
- NIDS: Provided an Authentication to a Remote Consumer (002e0009)
- NIDS: User Session Was Authenticated (002e000a)
- NIDS: Failed to Provide an Authentication to a Remote Consumer (002e000b)
- NIDS: User Session Authentication Failed (002e000c)
- NIDS: Received an Attribute Query Request (002e000d)
- NIDS: User Account Provisioned (002e000e)
- NIDS: Failed to Provision a User Account (002e000f)
- NIDS: Web Service Query (002e0010)
- NIDS: Web Service Modify (002e0011)
- NIDS: Connection to User Store Replica Lost (002e0012)
- NIDS: Connection to User Store Replica Reestablished (002e0013)
- NIDS: Server Started (002e0014)
- NIDS: Server Stopped (002e0015)
- NIDS: Server Refreshed (002e0016)
- NIDS: Intruder Lockout (002e0017)
- NIDS: Severe Component Log Entry (002e0018)
- NIDS: Warning Component Log Entry (002e0019)
- NIDS: Failed to Broker an Authentication from Identity Provider to Service Provider as Identity Provider and Service Provider Are not in Same Group (002E001A)
- NIDS: Failed to Broker an Authentication from Identity Provider to Service Provider Because a Policy Evaluated to Deny (002E001B)
- NIDS: Brokered an Authentication from Identity Provider to Service Provider (002E001C)
- NIDS: Web service Request was authenticated (002e001D)
- NIDS: Web service Request for authentication Failed (002e001E)
- NIDS: OAuth2 Authorization code issued (002e0028)
- NIDS: OAuth2 token issued (002e0029)
- NIDS: OAuth2 Authorization code issue failed (002e0030)
- NIDS: OpenID token issued (002e0031)
- NIDS: OAuth2 refresh token issued (002e0032)
- NIDS: OAuth2 token issue failed (002e0033)
- NIDS: OpenID token issue failed (002e0034)
- NIDS: OAuth2 refresh token issue failed (002e0035)
- NIDS: OAuth2 client has been registered successfully (002e0036)
- NIDS: OAuth2 client has been modified successfully (002e0037)
- NIDS: OAuth2 client has been deleted successfully (002e0038)
- NIDS: OAuth2 user has provided consent (002e0039)
- NIDS: OAuth2 user has revoked consent (002e0040)
- NIDS: OAuth2 token validation success (002e0041)
- NIDS: OAuth2 token validation failed (002e0042)
- NIDS: OAuth2 client registration failed (002e0043)
- NIDS: OAuth2 refresh token revoked success (002e0055)
- NIDS: OAuth2 refresh token revocation failed (002e0056)
- NIDS: OAuth2 AA Authorization Code Exchange (002e0071)
- NIDS: OAuth2 AA Access Token Exchange (002e0072)
- NIDS: Step-up authentication (002e0719)
- NIDS: Roles PEP Configured (002e0300)
- NIDS: Risk-Based Authentication Action for User (002e0045)
- NIDS: Risk-Based Authentication Action for User (002e0046)
- NIDS: Risk-Based Authentication Action for User (002e0047)
- NIDS: Token was Issued to Web Service (002E001F)
- NIDS: Issued a Federation Assertion (002E0102)
- NIDS: Received a Federation Assertion (002E0103)
- Access Gateway: PEP Configured (002e0301)
- Roles Assignment Policy Evaluation (002e0320)
- Access Gateway: Authorization Policy Evaluation (002e0321)
- Access Gateway: Form Fill Policy Evaluation (002e0322)
- Access Gateway: Identity Injection Policy Evaluation (002e0323)
- Access Gateway: Access Denied (0x002e0505)
- Access Gateway: URL Not Found (0x002e0508)
- Access Gateway: System Started (0x002e0509)
- Access Gateway: System Shutdown (0x002e050a)
- Access Gateway: Identity Injection Parameters (0x002e050c)
- Access Gateway: Identity Injection Failed (0x002e050d)
- Access Gateway: Form Fill Authentication (0x002e050e)
- Access Gateway: Form Fill Authentication Failed (0x002e050f)
- Access Gateway: URL Accessed (0x002e0512)
- Access Gateway: IP Access Attempted (0x002e0513)
- Access Gateway: Webserver Down (0x002e0515)
- Access Gateway: All WebServers for a Service is Down (0x002e0516)
- Access Gateway: Application Accessed (002E0514)
- Access Gateway: Session Created (002E0525)
- Management Communication Channel: Health Change (0x002e0601)
- Management Communication Channel: Device Imported (0x002e0602)
- Management Communication Channel: Device Deleted (0x002e0603)
- Management Communication Channel: Device Configuration Changed (0x002e0604)
- Management Communication Channel: Device Alert (0x002e0605)
- Management Communication Channel: Statistics (002e0606)
- Risk-Based Authentication Successful (002e0025)
- Risk-Based Authentication Failed (002e0026)
- Risk-Based Authentication for User (002e0027)
- Impersonation Sign in (002E0048)
- Impersonation: Impersonator Logs Out (002E0049)
- Impersonation: Session Started (002E0050)
- Impersonation: Impersonatee Denies (002E0051)
- Impersonation: Impersonatee Approves (002E0052)
- Impersonation: Impersonator Cancels (002E0053)
- Impersonation: Authorization Policy Fails (002E0054)
- Event Codes
- Administration Console (009)
- Identity Server (001)
- Linux Access Gateway Appliance(045)
- Access Gateway Service (046)
- Policy Engine (008)
- SOAP Policy Enforcement Point (011)
- Backup and Restore (010)
- Modular Authentication Class (012)
- Appendix
- Data Model Extension XML
- Elements
- Writing Data Model Extension XML
- SOAP versus REST API
- OAuth versus Other Protocols
- OAuth Concepts
- OAuth Terminology
- Why OpenID Connect
- OAuth Authorization Grant
- Authorization Code Grant (Web Server)
- Implicit Grant
- Resource Owner Credential Grant
- Client Credential Grant
- Security Assertion Markup Language (SAML) 2.0 Bearer Grant
- Authentication Flows
- Authentication by Using the Authorization Code Flow
- Authentication by Using the Implicit Flow
- Authentication by Using Hybrid Flow
- End User Operations
- User Authorization
- Revoking Authorizations
- Access Manager Reports Samples
- Application Access Summary Report
- User Application Access Summary Report
- Application Specific User Access Report
- Federation Summary Report
- User Login Contract Summary Report
- User Login Failure Report
- Application Specific Risk based Authentication Report
- Legal Notice