8.2 Importing and Configuring the Connector

You need to import and configure the connector on the Access Manager setup that will act as the IDP.

This section provides information about how to create the SAML relationship between the IDP setup, on which you are configuring the connector, and the Access Manager SP setup.

Perform the following steps to import and configure the connector:

  1. Log in to Administration Console of the Access Manager system that will be the IDP.

  2. In Dashboard, under Administrative Tasks, click Applications.

  3. Select the desired Identity Server cluster.

  4. Click + (plus sign) to import the connector.

  5. Click Add Application from Catalog, and then search for the Access Manager SAML 2.0 connector.

    For more information, see Section 2.0, Using the Application Connector Catalog.

  6. Specify a name and description for the connector.

  7. In Application Connector Setup, specify the following details:

    | Field | Description |
    |---|---|
    | Access Manager IDP Base URL | Specify the base URL of Access Manager Identity Server that will become the SP. For example, https://spidp.com:8443/nidp |
    | Get Metadata | Click this to retrieve the metadata from the base URL specified in Access Manager IDP Base URL. This action populates the required values in Assertion consumer service URL, EntityID, Logout response URL, and Logout URL. In addition, it downloads the signing certificate of the SP. |
    | Destination URL | (Optional) Specify the URL to which users are redirected after being authenticated to the SP via SAML. The specified URL will become the URL (Target override) value specified in the default appmark that is created when saving the application. |

  8. In Attributes, keep the default attribute mappings to map values from the local user store into attributes sent with the assertion. See the Help information associated with the options for modifying the default mappings if necessary.

  9. (Optional) In Access and Roles, specify the following details:

    | Field | Description |
    |---|---|
    | Roles | Select the role assignments to determine the user accessibility of this application. |
    | Contracts | Select the contract presented to users when they click the appmark. Users see the specified contract unless the contract is satisfied during login or through the authentication levels. |

  10. In System Setup, perform the following actions:

    | Field | Description |
    |---|---|
    | Metadata | (Optional) You can view or download the metadata information from Access Manager that can be used later to create the federated connection at the SP. |
    | Signing Certificate | (Optional) You can view or download the signing certificate from Access Manager for later use when creating the federated connection at the SP setup. |
    | Federation Instructions | Click Show to display the federation instructions. These instructions provide detailed steps that you must perform at the Access Manager setup that will be configured as the SP. If clicking Show returns an error and does not display the federation instructions, ensure that the machine (virtual or physical) where Administration Console is being accessed can connect directly to the base URL of the Identity Server cluster. |

  11. Click Save.

  12. Click Configuration Panel, and then update the Identity Server.

    If the Identity Server health status turns yellow after the update, it is likely due to an untrusted certificate. For more information, see Managing the Keys, Certificates, and Trust Stores in the NetIQ Access Manager 4.4 Administration Guide.

    An appmark is created automatically after saving the application. By default, all users can see this appmark on their user portal page. The appmark is configured with a target URL set to the value specified in the Destination URL field you configured in Step 7.

  13. In the System Setup section, click Show to display the federation instructions. Follow these instructions at the Access Manager setup that will act as the SP.
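
The values that Get Metadata populates in Step 7 decide where this IDP sends assertions and logout messages and which SP certificate it trusts, so it is worth reviewing them before you click Save. The following is an added example, not part of the product or its documentation: it parses a constructed SAML 2.0 metadata document, returns the four populated fields plus a SHA-256 fingerprint of the signing certificate, and flags endpoints that are not HTTPS on the host of the base URL. The function name, endpoint paths, and certificate bytes are assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample: endpoint paths are illustrative, and placeholder bytes
# stand in for the DER-encoded signing certificate.
SAMPLE_CERT_DER = b"constructed placeholder, not a real certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://spidp.com:8443/nidp/saml2/metadata">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   {base64.b64encode(SAMPLE_CERT_DER).decode()}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Location="https://spidp.com:8443/nidp/saml2/spslo"
    ResponseLocation="https://spidp.com:8443/nidp/saml2/spslo_return"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  <md:AssertionConsumerService index="0"
    Location="https://spidp.com:8443/nidp/saml2/spassertion_consumer"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def review_sp_metadata(xml_text, base_url):
    """Return (fields, findings) for SP metadata retrieved from base_url."""
    if "<!DOCTYPE" in xml_text:  # SAML metadata never needs a DTD
        raise ValueError("DOCTYPE not allowed in metadata")
    root = ET.fromstring(xml_text)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    slo = root.find("md:SPSSODescriptor/md:SingleLogoutService", NS)
    if acs is None or slo is None:
        raise ValueError("metadata lacks ACS or logout endpoints")
    fields = {"EntityID": root.get("entityID"),
              "Assertion consumer service URL": acs.get("Location"),
              "Logout URL": slo.get("Location"),
              "Logout response URL": slo.get("ResponseLocation")}
    base, findings = urlsplit(base_url), []
    for name, url in list(fields.items())[1:]:  # endpoint URLs only
        u = urlsplit(url or "")
        if u.scheme != "https" or u.netloc != base.netloc:
            findings.append(f"{name}: {url!r} is not HTTPS on {base.netloc}")
    cert = root.find("md:SPSSODescriptor/md:KeyDescriptor[@use='signing']"
                     "//ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        findings.append("no signing certificate in metadata")
    else:
        der = base64.b64decode("".join(cert.text.split()))
        fields["Signing certificate SHA-256"] = hashlib.sha256(der).hexdigest()
    return fields, findings
```

Compare the returned fingerprint with one obtained from the SP administrator through a separate channel.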