7.2 Configuring the Connector for Access Manager

The connector for Access Manager creates a SAML 2.0 federated connection between two Access Manager systems. When your users log in to the User Portal page, they need to authenticate only once. For more information, see Section 1.2, Understanding Federated Single Sign-On with SAML 2.0.

To configure the connector for Access Manager:

  1. Log in to Administration Console as an administrator.

  2. In Dashboard, under Administrative Tasks, click Applications.

  3. (Conditional) Select the appropriate Identity Server cluster to use with the application.

  4. Click the plus sign + to import the SAML 2.0 connector for Access Manager.

    1. Click Add Application from Catalog, then search for the SAML 2.0 connector for Access Manager.

      For more information, see Section 2.0, Using the Application Connector Catalog.

      or

    2. Click Import Application from File, then browse to and select the file.

  5. Specify the following details. Each option is listed with its description:

    Name

    Specify a name for the connector.

    Description

    Specify a description of the connector.

    You can configure multiple connectors for Access Manager. Ensure that you use a unique name and a description to help determine differences between the connectors.

    Change Image

    (Optional) Change the default image that the User Portal page displays to users.

    Each connector contains a default image. You can change that image to any image you want. The maximum image size is 200 x 200 pixels and the ideal image size is 100 x 100 pixels. You can use an image from the Image Gallery or upload your own image.

    Application Connector Setup: This section displays the metadata information Access Manager Appliance requires from the connected system to create the federated connection.

    Assertion consumer service URL

    Specify the value of the Location attribute of the AssertionConsumerService element that uses the HTTP-POST binding, taken from the connected Access Manager system's metadata file.

    Destination URL

    (Optional) Specify the URL to which users are redirected after the initial login.

    EntityID

    Specify the information found in the EntityID field from the connected Access Manager system metadata file.

    Logout response URL

    In the SPSSODescriptor element of the connected Access Manager system's metadata file, specify the value of the ResponseLocation attribute of the SingleLogoutService element that uses the HTTP-POST binding.

    Logout URL

    In the SPSSODescriptor element of the connected Access Manager system's metadata file, specify the value of the Location attribute of the SingleLogoutService element that uses the HTTP-POST binding.

    Metadata

    Displays the metadata for the connector. You can view or download the metadata. If you have not saved the connector, the system creates the SAML 2.0 metadata using the values provided and other values from the connector.

    IMPORTANT: This field does not appear until you save the connector.

    Unique ID or Entity ID

    Displays the value of the Unique ID or Entity ID if specified.

    For more information, see Section 4.4, Unique ID.

    IMPORTANT: This field appears only after you save the connector, and only if you specified a unique ID or entity ID to resolve an Entity ID conflict when you first saved the connector.

    Signing Certificate

    Uploads a signing certificate file to secure communication between the two Access Manager systems. If you have already saved the connector, this field displays the content of the signing certificate instead.

    You can upload up to two service provider signing certificates.

    For more information, see Minimizing Service Interruption of SAML 2.0 Service Providers in the NetIQ Access Manager Appliance 4.4 Administration Guide.

    When you add two certificates, the identity provider picks up the appropriate certificate from the metadata. Both of the certificates are active simultaneously. When two certificates are used, ensure that the certificate information (X.509 data) is sent along with the signed document.

    You can view details, download, and delete the uploaded certificates.

    The system automatically adds new certificates to the trust store for Administration Console. However, the new certificates are not automatically added to the trust store for the Identity Server cluster.

    IMPORTANT: You must manually add signing certificates to the Identity Server cluster trust store and to the OCSP trust store. Otherwise, the health of the Identity Server cluster turns yellow and users do not see the appmarks configured for this application when they log in to the User Portal page. For more information, see Managing Certificates and Keystores in the NetIQ Access Manager Appliance 4.4 Administration Guide.

    Attributes: Allows you to see and manage the attributes that are part of the SAML 2.0 assertion.

    Replace Attribute Set

    If you want to import existing attributes from attribute sets already configured on the local Access Manager system, click this option. Select the required attribute sets from the list.

    IMPORTANT: Selecting an existing Attribute Set replaces any attributes available in the application.

    NameID

    Specify an LDAP attribute that contains the user name identifier in the connected Access Manager system.

    Access and Roles: Allows you to control who has access to the application.

    Roles

    Select the role assignments that determine which users can access this application.

    The role assignments made in the Appmark editor determine which users can see the appmarks associated with this application, not who can access the application.

    Contracts

    Select the contracts presented to users when they click the appmark. Users see these contracts unless a contract is already satisfied during login or through the authentication levels.

    System Setup: Displays the metadata information from Access Manager Appliance to use in the connected Access Manager system to create the federated connection.

    Metadata

    You can view or download the metadata information from Access Manager Appliance to create the federated connection.

    Signing Certificate

    You can view or download the signing certificate from Access Manager Appliance to create the federated connection.

    Federation Instructions

    Contains the federation instructions describing what you must change in Access Manager to create the federated connection. Follow the federation instructions.

    The information in the Federation Instructions is specific to your environment.

    NOTE: The Advanced Setup does not appear in any of these sections until you save the connector.

  6. Click Save.
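As an added example (not part of the NetIQ documentation or product), the following Python script maps a connected system's SAML 2.0 SP metadata file onto the Application Connector Setup fields described in step 5: it selects the AssertionConsumerService and SingleLogoutService endpoints that use the HTTP-POST binding, ignores other bindings, and collects the signing certificates, including both when the connected system publishes two. The host names and certificate strings in the embedded sample metadata are constructed placeholders, not values from a real export.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata: hypothetical host name, placeholder certificate strings.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/nidp/saml2/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...CERT1...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...CERT2...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...ENC...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp.example.test/nidp/saml2/slo" ResponseLocation="https://sp.example.test/nidp/saml2/slo_return"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/nidp/saml2/slo_post" ResponseLocation="https://sp.example.test/nidp/saml2/slo_return_post"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="0"
        Location="https://sp.example.test/nidp/saml2/spassertion_consumer"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def post_endpoint(sp, tag):
    """Return the <md:tag> element that uses the HTTP-POST binding; other bindings are skipped."""
    for endpoint in sp.findall(f"md:{tag}", NS):
        if endpoint.get("Binding") == HTTP_POST:
            return endpoint
    raise ValueError(f"no {tag} with HTTP-POST binding in metadata")


def connector_values(metadata_xml):
    """Map an SP metadata document onto the Application Connector Setup fields."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service provider metadata")
    acs = post_endpoint(sp, "AssertionConsumerService")
    slo = post_endpoint(sp, "SingleLogoutService")
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    certs = [
        cert.text.strip()
        for kd in sp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    ]
    return {
        "EntityID": root.get("entityID"),
        "Assertion consumer service URL": acs.get("Location"),
        "Logout URL": slo.get("Location"),
        "Logout response URL": slo.get("ResponseLocation"),  # None if the SP omits it
        "Signing Certificate": certs,  # the connector accepts up to two
    }
```

Run `connector_values(open("sp-metadata.xml").read())` against the metadata downloaded from the connected system to get the values to paste into the form.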