3.1.3 Customizing Identity Server

login page, logout page, and error messages of Identity Server user portal.

Getting Started

The default user portal in Access Manager 4.2 and later is different than the previous one. If you have customized the legacy user portal, you can retain the customized JSP pages. For more information about customizing the legacy jsp pages, see Customizing Identity Server in the Access Manager Appliance 4.3 Administration Guide.

To change simple aspects of the default user portal page, see Section 9.0, Branding of the User Portal Page.

This section includes the following topics:

Understanding JSP Files

Access Manager supports two user interface layouts, legacy and latest. The legacy user interface is the user portal layout that was used before Access Manager 4.2. The latest user interface is the layout that got introduced in Access Manager 4.2. It is recommended to use the latest user interface because it is easy to use and includes enhanced features, such as appmarks.

To support these two user interface layouts, JSP files require different implementation and logic. A naming convention is introduced to distinguish those JSP files for both the user interfaces. Some JSP files do not require different implementation such as, saml2post.jsp, which follows the common naming convention.

To understand which JSP files to use for a specific user interface, some JSP files are classified into two different naming conventions and some JSP files have a common naming convention.

You can find the following types of naming convention for the JSP files:

  • <name>_legacy.jsp: This type of JSP files are used for the JSP pages that were designed for the legacy user portal (the portal that does not contain the enhanced features). If you edit this type of file, the corresponding <name>.jsp file will include those changes.

  • <name>_latest.jsp: This type of JSP files are used for the JSP pages that are designed for the latest user portal (the portal that contains the branding and appmark enhancements). If you edit this type of file, the corresponding <name>.jsp file will include those changes

  • <name>.jsp: This naming convention is used for the JSP files that include the implementation based on the active user interface. Also, this naming convention is used for the JSP files that are not dependent on the active user interface. Hence, some JSP files do not have the corresponding <name>_legacy.jsp or <name>_latest.jsp files.

    These type of JSP files do not require any modification.

An example of the JSP files with the different naming convention is login.jsp, login_legacy.jsp, and login_latest.jsp. The login.jsp file will include the logic of either login_legacy.jsp or login_latest.jsp based on the active user interface.

If the /opt/novell/nids/lib/webapp/WEB-INF/legacy folder exists, then the active user interface will be the legacy layout whereas, if the folder does not exist, the active user interface will be the latest layout.

This section focuses on the latest layout as the active user interface. Therefore, only <name>_latest.jsp and <name>.jsp are used. If you find any JSP file with the <name>_legacy.jsp naming convention, you must remove the /opt/novell/nids/lib/webapp/WEB-INF/legacy folder from each Identity Server deployment.

Types of JSP Files

System JSP files: The Identity provider refers the system JSPs, which are static names. If you rename a system JSP, the identity provider stops working because it expects to find the JSP with a specific name. System JSPs are mostly used for page layout and end user messages.

Authentication JSP files: The authentication JSP files are associated with an authentication method and provide the user interface for a specific authentication protocol. An authentication method may define a static default JSP name, but that name can be overridden using the authentication method JSP property. For example, the default Secure Form – Name Password authentication method defines login.jsp as its default JSP.

System JSP Files for Different Parts of the Identity Server Page:

The following diagram highlights JSP files corresponding to the different parts of user portal:

You can customize any of the following JSP files depending on the part of the page that requires modification:

  • nidp_latest.jsp: This is the main user interface (UI) layout workhorse JSP. It allows formatting of all components that create the Identity Server UI. The HTML div tags with CSS are used for formatting different areas of the UI. These tags can make an AJAX call to Identity Server to display the content <div>. You can customize the majority of your layout in this file.

    The following content is a skeletal extraction of the UI components defined in nidp_latest.jsp:

    <div id="masthead-namclient">
  <div id="branding-namclient"></div>
  <!-- If current user is authenticated -->
    <div id="username-namclient"></div>
    <div id="username-dialog-namclient">
      <div id="logoutButton"></div>
    </div>
  <!-- End if current user is authenticated -->
</div>
<!-- If showing card selection hamburger menu -->
  <div id="nam-ham-menu"></div>
<!-- End if showing card selection hamburger menu -->
<div id="globalMessage"></div>
<!-- If showing an authentication method -->
  <div id="currentCardDisplay">
    <div class="signin-div"></div>
  </div>
<!-- End if showing a card (authentication method) -->
<div id="theNidpContent">
<!--  If showing an authentication method -->
  javaScript.getToContent([Content URL], "theNidpContent");
<!--  else if showing a pending message -->
  <%@ include file="message_latest.jsp" %>
<!-- endif -->
</div>

    The customizations are primarily done in nidp_latest.jsp. The following are the other jsp files, which rarely require customization:

  • top_latest.jsp: This file automatically instructs the web browser to load the top level window using a URL obtained from the existing HTTP request parameter, url.

    <!-- Loads the Web browser's "top" window to the supplied URL -->
window.location.href='<%=(String) request.getAttribute("url")%>';

  • main.jsp: If an authentication contract is in the process of executing, then the specified JSP is displayed at the web browser’s top window. Otherwise, it forwards to nidp.jsp.

    <!-- Does a POST to the handler.getContentUrl() -->

  • content_latest.jsp: nidp.jsp uses this file to display the bottom section of the UI. This JSP makes an AJAX call to Identity Server to display the current authentication method or it loads an end user message.

    <!-- If user provisioning OR showing an authentication method -->
<div id="theContentContent">
    javaScript.getToContent([Content URL],"theContentContent");
  </div>
<!-- else -->
  <%@ include file="message_latest.jsp" %>
<!-- endif -->

  • message_latest.jsp: This JSP file displays an end user message in the global message area of nidp_latest.jsp.

Authentication JSP Files for Customizing Login and Password Components

It is not possible to create a comprehensive list of authentication JSP files because new authentication methods can be added to the Identity Server. However, the following list provides the details for some of the most common default authentication JSP files that are included with Identity Server.

Authentication JSP files are loaded into content_latest.jsp's <div id="theContentContent"> by using a JQuery AJAX call to Identity Server.

  • login_latest.jsp: This is the default JSP file for the Name / Password – Form and the Secure Name / Password – Form authentication methods. It provides simple form based name / password authentication. This can be customized to query for other user attributes such as, email.

  • radius_latest.jsp: This is the default JSP file for the Radius Server authentication method. It provides simple form based name / password / token authentication to a Radius server.

  • totp_latest.jsp: This is the default JSP file for the Timed One Time Password authentication method. It provides user registration of mobile TOTP applications and form based TOTP token entry with validation.

Detecting the Correct Mode for Java and JavaScript

Some JSP files are required to run in two modes, standalone and inside a <div> element within nidp_latest.jsp. These JSP files must be able to detect the appropriate mode. The following will explain how detection process is implemented for both JavaScript and Java.

The detection process is different for JavaScript and Java. JavaScript runs on the user’s web browser whereas, Java runs on the server.

When a JSP file is loaded into a <div> element in nidp_latest.jsp, the HTML elements, such as <html>, <head>, and <body> are not necessary. Also, the nidp_latest.jsp implementation can assume that the provided JavaScript functions are available for use. For example, the function setGlobalMessage(strMessage) can be called without any problem.

But when the same JSP file is loaded standalone, it must provide all the required HTML elements to create a proper HTML document. It cannot rely on any of the JavaScript and CSS that nidp_latest.jsp provides.

Detecting for JavaScript

The nidp_latest.jsp implementation includes the empty DOM element:

<div id="runningInEndUserLoginEnvironment" style="display: none"></div>

JSP JavaScript code can query for the existence of this DOM element. If it exists it can be assumed that the JSP is running inside of the nidp_latest.jsp environment.

var proofOfEndUserEnvironment=
  document.getElementById('runningInEndUserLoginEnvironment');

Detecting for Java

The JavaScript function getToContent(strUrl strTargetDivId) adds an HTTP request parameter that names the identifier of the <div> element that is the target of the request.

strUrl = updateQueryString(
"<%=NIDPConstants.HTTP_REQUEST_PARAM_NAME_UIDESTINATION%>", "<%=NIDPConstants.HTTP_REQUEST_PARAM_NAME_UIDESTINATION_VALUE_CONTENTDIV%>",
strUrl);

The JSP Java code runs on the server and the request is the JQuery AJAX HTTP Get request sent by getToContent(). Therefore, the Java code can query the existence and value of the NIDPConstants.HTTP_REQUEST_PARAM_NAME_UIDESTINATION request parameter. If it exists, the Java code can determine the target <div> element and know that the current request is an AJAX request produced by getToContent().

String strUIDestinationId =
  (String) request.getParameter(NIDPConstants.HTTP_REQUEST_PARAM_NAME_UIDESTINATION);
if (!StringUtil.isDefined(strUIDestinationId) ||            (!strUIDestinationId.equals(NIDPConstants.HTTP_REQUEST_PARAM_NAME_UIDESTINATION_VALUE_CONTENTDIV)))
{
  bProofOfEndUserEnvironment = false;
}

Enabling Impersonation in Login Page

The default User Portal page works with impersonation, but if you have customized Identity Server to provide custom login and logout pages for your customers, you must change your customized pages for impersonation to work. For more information, see Section 29.4, Implementing Impersonation in Custom Portal Pages.

Customizing the Identity Server Login Page

You can create custom login pages that are displayed when the user authenticates to Identity Server. There are a multitude of reasons for customizing the login page. You might want to remove the NetIQ branding and replace it with your company’s brands. You might need to authenticate users with non-default attributes (such as an e-mail address rather than a username). You also might be fronting several protected resources with an Access Gateway, and you need to create a unique login page for each resource.

When you customize the login page:

Modifying the Target of the User Portal: If you want to control the target when users log in directly to Identity Server, see Specifying a Target.

Modifying Error Pages: Both Identity Server and Access Gateway return error pages to the user. For information about customizing these messages and pages, see the following:

Selecting the Login Page and Modifying It

You must be familiar with customizing JSP files to create a customized login page. You can use any of the following methods to produce the page:

  • If you want to customize the page title of the User Portal, see Customizing the Page Title.

  • If you only need to customize the credentials (for example, prompt the user for an e-mail address rather than a name), you can make most of the modifications in Administration Console. You need to add some properties to a method, create a contract from that method, and modify the prompt in the login_latest.jsp file. For configuration information, see Customizing the Default Login Page to Prompt for Different Credentials.

  • If you want to maintain the features of the default web page and use its authentication cards but you want to remove the NetIQ branding, use Branding on the Administration Console dashboard. By using the Branding page you can modify the colors, images, and the text. For configuration information, see Customizing the nidp_latest.jsp file.

  • If you want to modify the layout or content of the default Web page you must customize the nidp_latest.jsp file. For more information about customizing the file, see Customizing JSP Files.

NOTE:After you have created customized login pages, you need to back them up before doing an upgrade. The upgrade process overrides any custom changes made to JSP files that use the same filename as those included with the product.

During an upgrade, you can select to restore custom login pages, but NetIQ recommends that you have your own backup of any customized files that can be used for copying the customized content to the upgraded file.

Customizing the Page Title

Perform the following steps to customize the page title of the User Portal:

  1. Copy the nidp.jar file to a working area. This file is located in the following location:

    Linux: /opt/novell/nids/lib/webapp/WEB-INF/lib

  2. Unzip the copied nidp.jar file by using the following command:

    jar -xvf nidp.jar

  3. Open the jsp_resources_en_US.properties file located at com/novell/nidp/resource/jsp.

  4. Edit the JSP.1 property and modify the page title.

  5. Create the JAR file by using the following command:

    jar -cvf nidp.jar *

  6. Replace the old nidp.jar file with the new one.

  7. Restart Tomcat.

    /etc/init.d/novell-idp restart Or

    rcnovell-idp restart

Customizing the Default Login Page to Prompt for Different Credentials

This section explains how to prompt the users for an identifier other than the user’s name. Figure 3-1 displays the default login page with the username prompt.

Figure 3-1 Modifying the Credential Prompts

This section explains only how to modify the content of the login_latest.jsp file. If you want to modify other aspects of this page, you need to select one of the other methods.

The instructions explain how to create a method that sets up the appropriate query so that the user can be found in the user store with an identifier other than the username (the cn attribute). The instructions also explain how to create a contract that uses this method and how to modify the login_latest.jsp page so that it prompts for the appropriate identifier such as an email address instead of a username.

  1. Create a method with the appropriate query:

    1. Click Devices > Identity Servers > Edit > Local > Methods.

    2. Click New, and then specify a Display Name.

    3. In Class, select a username/password class.

    4. Keep the Identifies User option selected, and configure the user store option according to your needs.

    5. In the Properties section, click New, and then specify the following values:

      Property Name: Query

      Property Value: (&(objectclass=person)(mail=%Ecom_User_ID%))

      This property is defined so that it queries the user store for the attribute you want to use rather than the cn attribute (in this case, the mail attribute of the person class). The %Ecom_User_ID% variable is the default variable name on the login page. You can change this to %EMail_Address% if you also change the value in your custom login page.

      For more information about how to use this property, see Query Property.

    6. Click OK.

    7. In the Properties section, click New, and specify the following values:

      Property Name: JSP

      Property Value: <filename>

      Replace <filename> with the name of the custom login_latest.jsp page you are going to create so that the page prompts the user for an email address rather than a username. This must be the filename without the JSP extension. For example, if you name your file email_login.jsp, then you would specify email_login for the property value.

    8. Click Finish.

    9. Click OK.

  2. Create a contract that uses this method:

    1. Click Contracts > New.

    2. Select the method you just created.

    3. Configure other options to fit your requirements.

      For information about configuring the other options for a contract, see Section 4.1.4, Configuring Authentication Contracts.

    4. Click OK.

  3. Update Identity Server.

  4. Copy the login_latest.jsp file and rename it to match the value of the JSP property configured in Step 1. For example, email_login.jsp.

    The JSP files are located on Identity Server in the following directory:

    /opt/novell/nids/lib/webapp/jsp

  5. (Conditional) If you modified the %Ecom_User_ID% variable, find the string in the file and replace it with your variable.

  6. (Conditional) If you need to support only one language, modify the prompt in the login_latest.jsp file.

    1. Find the following string in the file:

      placeholder="<%=handler.getResource(JSPResDesc.USERNAME_UNDER_LABEL)%>"

    2. Replace it with the string you want. For example:

      placeholder="Email Address"

    3. Copy the modified file to each Identity Server in the cluster.

    4. Back up your customized file.

  7. (Conditional) If you need to localize the prompt for multiple languages, create a custom message properties file for the login prompt.

    For more information about how to create a custom message properties file, see Customizing Messages.

    The following steps assume you want to change the username prompt to an email address prompt.

    1. Find the following definition in the com/novell/nidp/resource/jsp directory of the unzipped nidp.jar file.

      JSP.50=Username:

    2. Add this definition to your custom properties file and modify it so that it prompts the user for an email address.

      JSP.50=Email Address:

    3. Translate the value and add this entry to your localized custom properties files.

    4. Copy the customized properties files to the WEB-INF/classes directory of each Identity Server in the cluster.

    5. Restart Tomcat on each Identity Server using one of the following commands:

      /etc/init.d/novell-idp restart OR

      rcnovell-idp restart

Modifying the login.jsp File

The login.jsp file gives you the credential frame with the login prompts in an iframe. It has no branding header. If you use this page, you need to write the HTML code for the header and the branding.

  1. Copy the login.jsp file and rename it. The JSP files are located on Identity Server in the following directory:

    /opt/novell/nids/lib/webapp/jsp

  2. Add the custom branding and any other content you require to the file.

  3. Modify the credentials. See Customizing the Credential Frame.

  4. Repeat Step 1 through Step 3 for each resource that requires unique branding.

  5. Copy the files to each Identity Server in the cluster.

  6. Back up your customized files.

  7. Continue with Using Properties to Specify the Login Page.

Customizing JSP Files

Three general types of customizable UI files are associated with Identity Server: JSP files, CSS files, and JavaScript (JS) files. To obtain an initial working set of these files for customization, perform the following steps:

NOTE:If the /opt/novell/nids/lib/webapp/WEB-INF/legacy folder exists, Access Manager uses the legacy UI. To use the latest UI, you must remove the legacy folder.

  1. Identify the Identity Server cluster where the customization is required.

    You can view the cluster configuration from Administration Console.

  2. Copy the IP address of one of the Identity Server devices in the cluster.

    The Identity Providers section lists the cluster names and each cluster includes IP addresses of the Identity Server devices in the cluster. You can choose any one of the Identity Server IP addresses. It is recommended to choose the IP address of Identity Server that is up.

  3. Connect to the Identity Server device by using the IP address that you have copied in the previous step.

    You can use SSH, Remote Desktop Connection, and so on.

  4. Locate the customizable Identity Server files on the hard drive of the connected device, then edit them in the same location or copy them to a preferred editing location.

    For JSP files:

    • Linux: /opt/novell/nids/lib/webapp/jsp

    • Windows: \Program Files\Novell\Tomcat\webapps\nidp\jsp

    For CSS file:

    • Linux: /opt/novell/nids/lib/webapp/css

    • Windows: \Program Files\Novell\Tomcat\webapps\nidp\css

    For JS file:

    • Linux: /opt/novell/nids/lib/webapp/js

    • Windows: \Program Files\Novell\Tomcat\webapps\nidp\js

  5. (Conditional) If you have copied the customizable files to a different location for editing, ensure to update the files at the original location with the edited version of the file.

NOTE:For more information, see Maintaining Customized JSP Files for Identity Server in the NetIQ Access Manager Appliance 4.5 Installation and Upgrade Guide.

Customizing the nidp_latest.jsp file

nidp_latest.jsp provides the default layout for Identity Server authentication pages. This section provides the details of the concepts that the implementation addresses to populate the different layout components on the page. With this understanding, a developer can identify sections of the implementation that address each concept.

The following are main concepts throughout the nidp_latest.jsp implementation:

  • Authentication methods (cards) to be displayed

  • URL to be used for populating the Content Area (<div id="theNidpContent">)

  • The end user messages to be displayed

You can query Identity Server to get the required data. The access point into Identity Server internal data structures is the ContentHandler Java class.

The following line, found at the top of nidp_latest.jsp, represents a new ContentHandler and initializes it for the current HTTP request and response:

ContentHandler handler = new ContentHandler(request,response);

NOTE:The handler variable is used throughout the Identity Server code.

Authentication Method (cards) to be Displayed

The term card refers to Authentication Card in Administration Console. When editing Identity Server in Administration Console, an authentication is comprised of an Authentication Contract that contains one or more authentication methods and each Authentication Method references to an Authentication Class.

To make an Authentication Contract visible in the user interface, an Authentication Card is associated with Authentication Contract. Authentication Card displays an icon and a name to the end user for a defined Authentication Contract.

The nidp_latest.jsp implementation queries Identity Server to gather the following Authentication Card information:

  • The set of all available Authentication Cards.

    This query is used for populating the drop-down hamburger menu where the user can choose from the available authentications.

  • The set of authentications already completed by the current user.

    This query is used for placing a check mark next to the completed authentications in the drop-down hamburger menu.

  • The authentication that is currently executing.

    This query is required to display the current authentication in the content section of the UI.

The Java variable showCards is used for indicating if the drop-down hamburger menu should be shown. It is initialized to true and the situations that would make it false are tested.

The drop-down hamburger menu is not shown in the following scenarios:

  • No Authentication Cards.

  • Only one Authentication Card, and that card is the current Authentication Card.

  • An error message is displayed.

  • The logout confirmation page is displayed.

  • The page is being rendered for a Mobile application.

The drop-down hamburger menu is divided into local, remote, and federated authentication sections.

A local login is an authentication that Identity Server can use without involving an external identity provider. LDAP and JDBC logins are examples of local logins. In these cases, Identity Server locally logs into a local directory or a database to authenticate an end user.

A social media authentication, such as Facebook or Twitter login, is a remote authentication.

A login at a federated external identity provider (often using a protocol, such as SAML) is an example of federated login.

The implementation examines each Authentication Card and sorts them into these three categories. The drop-down hamburger menu is populated with federated cards, followed by remote cards, and then local cards.

The URL to be Used for Populating the Content Area

The goal of the nidp_latest.jsp implementation is to display the current activity to the end user. The current activity can be an authentication, a confirmation, or a user message. This activity is loaded into the <div id="<%=NIDP_JSP_CONTENT_DIV_ID%>">…</div> area using a JQuery AJAX HTTP call to Identity Server. The HTML returned from this request is “set” into the content div.

To go to the correct activity, nidp_latest.jsp must build the correct URL for the call to getToContent(strUrl, strTargetDivId) JavaScript Function.

NOTE:The nidp_latest.jsp implementation includes a JavaScript function with signature getToContent(strUrl, strTargetDivId) that makes a JQuery AJAX HTTP Get request to the URL supplied in the parameter strUrl, and then writes the returned HTML to the <div> element identified by the parameter strTargetDivId.

The content_latest.jsp implementation also uses this JavaScript function for the same purpose.

GenericURI builderContentDivUrl = 
new GenericURI(handler.getJSP(handler.isJSPMsg() ?
handler.getJSPMessage().getJSP() :
NIDPConstants.JSP_CONTENT));

A GenericURI Java object wraps a standard URI allowing easier creation and editing of URLs.

If Identity Server specifically indicates that a particular JSP must be displayed by returning true from handler.isJSPMsg(), then that JSP name is used to build the URL. Otherwise, the system JSP content_latest.jsp is used.

The handler.getJSP() method creates a URL formatted similar to the following:

[IDP domain]:[IDP port]/nidp/jsp/[JSP Name].jsp?sid=[session data id]

The query string parameters from the current HTTP request (the request that invoked nidp_latest.jsp) are copied to the content <div> url, then the current Authentication Card identifier is added to the query string.

builderContentDivUrl.setQueryItem(ContentHandler.CARD_PARM,
currentAuthCard.getID(true));

This ensures that the identity provider is executing the correct authentication method.

Lastly, the JavaScript getToContent() function is called to invoke the JQuery AJAX HTTP call:

getToContent('<%=strContentDivUrl%>', '<%=NIDP_JSP_CONTENT_DIV_ID%>');

The Message to be Displayed

All user messages are displayed in the Global Message Area.

The Global Message Area is the layout section of nidp_latest.jsp that gets data from the <divid="globalMessage"> element.

A user message can be displayed as a prompt that correlates with the current activity that is executing in the content div area. For example, Authentication Failed: Invalid Credentials can be displayed during a Name / Password login while the content <div> refreshes the login form.

A user message can also be displayed when the Content Area is empty. This situation arises when the user message is terminal in nature to the previously executed Content Area activity. For example, when an error occurs during an X509 Mutual Certificate Authentication, the message, Error occurred during User Certificate Authentication. Please contact Administrator is displayed in the Global Message Area and the Content Area will be empty.

In the nidp_latest.jsp implementation, many Identity Server conditions are verified that can lead to setting a value for the Global Message Area. The value is set using code similar to the following:

strGlobalMessageText =
    handler.getResource(JSPResDesc.LOGOUT_SUCCESS_MSG);

The messages that cause the Content Area to be empty are those that are queried from Identity Server.

NIDPMessage msg = handler.getMessage(true);

If the message is an error message, then it is displayed in the Global Message Area and the getToContent() JavaScript function is not called to populate the Content Area. This mechanism uses the message_latest.jsp file to set the Global Message Area value.

The following sections explain how to modify the login page that the JSP files create:

Rebranding the Header

  1. Navigate to Administration Console Dashboard.

  2. Click Branding.

  3. Select the required Identity Server cluster.

  4. Modify Title as per requirement.

  5. Modify the background color using Left Background Color and Right Background Color.

  6. Click Change Image to replace the NetIQ logo on the right of the header.

  7. Continue with one of the following tasks:

Customizing the Card Display

To control what appears in the Authentication Cards section, use the Show Card option that appears on the definition of each card. If this option is not selected, the card does not appear in the Authentication Cards section. Each contract has an associated card. For information about modifying the card options, see Section 4.1.4, Configuring Authentication Contracts.

Perform one of the following tasks:

Customizing the Credential Frame

You can modify login.jsp to prompt users for an identifier other than the username. To do this, you need to create a method that sets up the appropriate query to find the user in the user store with an identifier other than the username. Then create a contract that uses this method. You also need to modify the prompt in login.jsp to match the identifier you are prompting for.

  1. Create a method with the appropriate query:

    1. Click Devices > Identity Servers > Edit > Local > Methods.

    2. Click New, and then specify a Display Name.

    3. Select a class that is a username/password class from the list.

    4. Keep Identifies User selected, and configure the user store option according to your needs.

    5. In the Properties section, click New, and then set the following properties:

      Property Name

      Property Value

      Query

      (&(objectclass=person)(mail=%Ecom_User_ID%))

      This property is defined to query the user store for the attribute you want to use rather than the cn attribute (in this case, the mail attribute of the person class). Change mail to the name of the attribute in your user store that you want to use for the user identifier.

      The %Ecom_User_ID% variable is the default variable name on the login page. You can change this to something similar to %EMail_Address% if you also change the value in your custom login page.

      For more information about how to use this property, see Query Property.

      JSP

      <filename>

      Replace <filename> with the name of the custom login.jsp page you are going to create, so that the page prompts the user for an e-mail address rather than a username. This must be the filename without the JSP extension. For example, if the name of your file is email_login.jsp, then specify email_login for the property value.

    6. Click OK.

  2. Create a contract that uses this method:

    1. Click Contracts > New.

    2. Select the method you just created.

    3. Configure the other options to fit your requirements.

      If you are creating multiple custom login pages with customized credentials, you might want to use the URI to hint at which custom login.jsp file is used with which custom nidp_latest.jsp file. For example, the following URI values have the filename of the login page followed by the name of the custom nidp_latest.jsp page:

      login1/custom1
login2/custom2
login3/custom3

      For information about configuring the other options for a contract, see Section 4.1.4, Configuring Authentication Contracts.

    4. Update Identity Server.

  3. Copy the login.jsp file and rename it.

    The JSP files are located on Identity Server in the following directory:

    /opt/novell/nids/lib/webapp/jsp

  4. (Conditional) If you modified the %Ecom_User_ID% variable, find the string in the file and replace it with your variable.

  5. (Conditional) If you need to support only one language, modify the prompt in the login.jsp file:

    1. Late the following string in the file:

      <label><%=handler.getResource(JSPResDesc.USERNAME)%></label>

    2. Replace it with the string you want. For example, <label>Email Address:</label>

    3. Copy the modified file to each Identity Server in the cluster.

    4. Back up your customized file.

  6. (Conditional) If you need to localize the prompt for multiple languages, create a custom message properties file for the login prompt.

    For more information about how to create a custom message properties file, see Customizing Messages.

    The following steps assume you want to change the username prompt to an e-mail address prompt:

    1. Find the following definition in the com/novell/nidp/resource/jsp directory of the unzipped nidp.jar file.

      JSP.50=Username:

    2. Add this definition to your custom properties file and modify it so that it prompts the user for an e-mail address:

      JSP.50=Email Address:

    3. Translate the value and add this entry to your localized custom properties files.

    4. Copy the customized properties files to the WEB-INF/classes directory of each Identity Server in the cluster.

    5. Restart each Identity Server using one of the following commands:

      /etc/init.d/novell-idp restart

      rcnovell-idp restart

  7. To specify which customized nidp_latest.jsp to display with the contract, you must modify the main.jsp file. Continue with Adding Logic to the main.jsp File.

Customizing the nidp.jsp File to Customize Error Message

Identity Server publishes a generic error message for the error code during SAML failure, such as request denied or Invalid Name ID Policy. You can customize the NIDP jsp file available at /opt/novell/nids/lib/webapp/jsp and write an appropriate error message for redirection or to inform the user about the issue.

In the following example, the specified code snippet is for simulating InvalidNameIDPolicy error for SAML 2.0.

Perform the following steps to customize error message:

  1. Generate an error condition with, for example, Invalid Name ID Policy.

  2. Customized the nidp_latest.jsp file and add the following code for redirection:

    com.novell.nidp.ui.MenuHandler redirectMenuHandler;
        com.novell.nidp.NIDPMessage redirectMessage;
    String redirectCause;

        redirectMenuHandler = new MenuHandler(request, response);
        redirectMessage = redirectMenuHandler.getMessage(true);
        if (redirectMessage != null && redirectMessage instanceof
com.novell.nidp.NIDPError) {
        redirectCause = ((com.novell.nidp.NIDPError)
redirectMessage).getNIDPExceptionMsg();
        System.out.println("************** redirectCause" + redirectCause);
        if (redirectCause != null && 
redirectCause.indexOf("InvalidNameIDPolicy") != -1) {
        response.sendRedirect("http://www.novell.com"); 
            return;
       }
    }

  3. Restart Identity Server by using the rcnovell-idp restart command.

  4. Verify that when failure occurs, SAML shows the following message in the authentication response:

    <samlp:Status><samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/></samlp:StatusCode>

    Due to the customized nidp_latest.jsp file, SAML redirects to the specified location.

  5. Rerun the failure and verify that instead of displaying 300101008, the nidp page redirects to the specified www.novell.com location.

Configuring Identity Server to Use Custom Login Pages

You can configure Identity Server in two ways to use a custom login page. You can use properties or you can modify the main.jsp file. Select the method depending upon your modifications.

Using Properties to Specify the Login Page

For each resource that needs a unique login page, you need to create an authentication method and add the JSP and MainJSP properties to the method. You then need to create a contract for each method.

The following steps assume that the custom login page is called custom1.jsp:

  1. Create a method for a custom login page:

    1. Click Devices > Identity Servers > Edit > Local > Methods.

    2. Select one of the following actions:

      • If you have create a method for a Query property to be used with your custom login page, click the name of the method.

      • If you did not modify the credentials on the login page, click New, specify a display name, select a password class, and configure a user store.

    3. In the Properties section, click New, then specify the following:

      Property Name: MainJSP

      Property Value: true

      This property indicates that you want to use a custom login page with this method. It also indicates that the custom login page contains the prompts for user credentials.

      Property names and values are case-sensitive.

    4. Click OK.

    5. (Conditional) If the Properties section does not contain a JSP property, click New, and specify the following values:

      Property Name: JSP

      Property Value: custom1

      The property value for the JSP property is the name of the custom login file without the JSP extension. Replace custom1 with the name of your custom login file. This property determines which login page is displayed when this method is used. The filename cannot contain nidp as part of its name.

    6. Click OK.

      For more information about setting property values, see Specifying Common Class Properties.

    7. (Conditional) If you created multiple custom login pages, repeat Step 1.b through Step 1.e for each page.

  2. For each method that you modified for a custom login page, create a contract.

    1. Click Contracts > New.

    2. Specify the details as per the needs of the resource, but ensure that to assign the custom method as the method for the contract.

    3. Click Next, configure a card for the contract, and then click Finish.

  3. Update Identity Server.

  4. For each resource that you have created a custom login page, assign that resource to use the contract that is configured to display the appropriate login page.

    1. Click Devices > Access Gateways > Edit > [Reverse Proxy Name] > [Proxy Service Name] > Protected Resources.

    2. Select each protected resource for which you have created a custom contract, and then configure it to use the custom contract.

  5. Update Access Gateway.

  6. (Conditional) If the custom page is not displayed correctly, see Troubleshooting Tips for Custom Login Pages.

Adding Logic to the main.jsp File

You can modify the main.jsp file and use the contract URI to specify the login page to display.

Consider the following points:

  • You cannot rename the main.jsp file. Therefore, any modifications you make to this file can be lost whenever you upgrade Identity Server. During the upgrade, you must select to restore custom files or you must restore your modified file after the upgrade. If this is the only JSP file that you modified that uses an Identity Server name, it is recommended to manually restore this file after an upgrade.

  • Modifying the main.jsp file requires knowledge of JSP programming and if/else statements.

Modifying the main.jsp file enables you to perform the following actions:

  • You can create multiple customized nidp_legacy.jsp pages. For example: custom1.jsp, custom2.jsp, and custom3.jsp.

  • You can create multiple customized login.jsp pages that request different login credentials. For example:

    login1.jsp: Configured to request username and password.

    login2.jsp: Configured to request username, email, and password.

    login3.jsp: Configured to request email and password.

With this type of configuration, you must create three different authentication contracts with an authentication method with a JSP property defined for each of them. These contracts require the types of values listed in the following table. The URI is defined so that it reflects the custom login.jsp and the custom nidp_legacy.jps that are used by the contract.

Contract

Configuration Details

Contract1

URI

login1/custom1

 

Method1

Configured with the following JSP property:

Property Name: JSP

Property Value: login1

This method does not need a query property unless you are using an attribute other than the cn attribute for the username.

Contract2

URI

login2/custom2

 

Method2

Configured with the following two properties:

Property Name: JSP

Property Value: login2

Property Name: Query

Property Value: (&(objectclass=person)(mail=%Ecom_User_ID%)))

Contract3

URI

login3/custom3

 

Method3

Configured with the following two properties:

Property Name: JSP

Property Value: login3

Property Name: Query

Property Value: (&(objectclass=person)(mail=%Ecom_User_ID%))

The following procedure explains how to configure Access Manager to display these custom login pages with custom credentials:

  1. Create a unique method for each custom login.jps file:

    1. Click Devices > Identity Servers > Edit > Local > Methods > New.

    2. Specify the following details:

      Display name: Specify a name for the method. Use a name that indicates which login page is assigned to this method.

      Class: Select a name/password class.

      Configure the other fields to match your requirements.

    3. In the Properties section, add a Query property if the page uses custom credentials.

      For example, to add an email address to the login prompts, add the following property:

      Property Name: Query

      Property Value: (&(objectclass=person)(mail=%Ecom_User_ID%))

      If you are creating a method for Contract 1 in the previous example (which prompts for a username and password), you do not need to add a query property unless you are using an attribute other than the cn attribute for the username.

    4. In the Properties section, add a JSP property to specify which login.jsp file to use with this method.

      For example:

      Property Name: JSP

      Property Value: login2

    5. Click Finish.

    6. If you have created more than one custom login.jsp files, repeat Step 1.b through Step 1.e for each page.

      To configure the scenario described in this section, repeat these steps for three login pages.

  2. Create a unique contract URI.

    1. Click Contracts > New.

    2. Specify the following details:

      Display name: Specify a name for the contract. Use a name that indicates which login page is assigned to this contract.

      URI: Specify a value that uniquely identifies the contract from all other contracts. Spaces are not allowed. Use a name that indicates the custom login page and custom credential page, such as login1/custom1.

      Methods and Available Methods: Select the authentication method you configured in Step 1.

    3. Configure the other fields to meet your network requirements, and then click Next.

    4. Configure the authentication card, and then click Finish.

    5. (Conditional) If you have created multiple custom login pages, repeat Step 2.b to Step 2.d for each page.

      To configure the scenario described in this section, repeat these steps for /login2/custom2 and /login3/custom3.

    6. Click OK, and then update Identity Server.

  3. Modify the main.jsp file.

    1. Open the main.jsp file. The file is located in the following directory:

      /opt/novell/nids/lib/webapp/jsp

    2. Near the top of the file, add the following line:

      String strContractURI = hand.getContractURI();

      This sets the strContractURI variable to the value of the contract URI that is being used for authentication. These lines must look similar to the following:

      <%
    ContentHandler hand = new ContentHandler(request,response);
    String strContractURI = hand.getContractURI();

    // Is there a JSP defined on a class definition or a method 
    // definition that must be displayed as the main jsp here?
    if (handler.contractDefinesMainJSP())
    {
%>

    3. After the if statement, add an else if statement for each contract URI you have created. For example:

      <% }
else if(strContractURI != null && strContractURI.equals("login1/custom1"))
    {
%>
     <%@ include file="custom1.jsp" %>

<%  }
else if(strContractURI != null && strContractURI.equals("login2/custom2"))
    {
%>
        <%@ include file="custom2.jsp" %>

<% }
else if(strContractURI != null && strContractURI.equals("login3/custom3"))
    {
%>
        <%@ include file="custom3.jsp" %>

      These else if statements set up three contracts for customized login pages:

      • The first else if statement specifies the URI of the login1 contract and configures it to display the custom1.jsp page for authentication.

      • The second else if statement specifies the URI of the login2 contract and configures it to display the custom2.jsp page for authentication.

      • The third else if statement specifies the URI of the login3 contract and configures it to display the custom3.jsp page for authentication.

      Your file must look similar to the following:

      <%@ page language="java" %>
<%@ page pageEncoding="UTF-8" contentType="text/html; charset=UTF-8"%>
<%@ page import="com.novell.nidp.*" %>
<%@ page import="com.novell.nidp.resource.jsp.*" %>
<%@ page import="com.novell.nidp.ui.*" %>
<%@ page import="com.novell.nidp.common.util.*" %>
<%@ page import="com.novell.nidp.liberty.wsf.idsis.apservice.schema.*" %>

<%
    ContentHandler hand = new ContentHandler(request,response);
    String strContractURI = hand.getContractURI();

    // Is there a JSP defined on a class definition 
    // or a method definition that must be displayed 
    // as the main jsp here?
    if (hand.contractDefinesMainJSP())
    {
%>
        <%@ include file="mainRedirect.jsp" %>
<%  }
    else if(strContractURI != null && strContractURI.equals("login1/custom1"))
    {
%>
     <%@ include file="custom1.jsp" %>

<%  }
else if(strContractURI != null && strContractURI.equals("login2/custom2"))
    {
%>
        <%@ include file="custom2.jsp" %>

else if(strContractURI != null && strContractURI.equals("login3/custom3"))
    {
%>
        <%@ include file="custom3.jsp" %>

<%  }    // This is the jsp used by default
    else
    {
%>
        <%@ include file="nidp.jsp" %>
<%  }  %>

    4. Copy the modified main.jsp file to each Identity Server in the cluster.

  4. Back up your customized files.

  5. For each resource for which you created a custom login page, assign that resource to use the contract that is configured to display the appropriate login page.

    1. Click Devices > Access Gateways > Edit > [Reverse Proxy Name] > [Proxy Service Name] > Protected Resources.

    2. For each protected resource that you have created a custom contract for, select the protected resource, then configure it to use the custom contract.

    3. Update Access Gateway.

  6. (Conditional) If the custom page is not displayed correctly, see Troubleshooting Tips for Custom Login Pages.

Troubleshooting Tips for Custom Login Pages

If your custom login page does not display or generate an error message, use the following procedure to find the cause:

  1. Set the Application option of Component File Logger Levels to debug, update Identity Server, attempt to log in, and then view the log file.

    Check for Unable to Compile errors in the log file. If your custom page does not compile, a blank page is displayed.

  2. If you receive an Unable to Find File error, verify the value of the JSP property. Ensure that the value does not contain the JSP extension as part of the filename.

  3. If you see pages that you have deleted or pages where your modifications have not been implemented:

    1. Open the new custom file with a text editor to ensure it has a newer date than the compiled file.

      If this does not solve the problem, continue with Step 3.b.

    2. Delete the nidp directory in the Tomcat work directory on each Identity Server to recompile JSP pages.

      /opt/novell/nam/idp/work/Catalina/localhosts/nidp

    3. Restart Tomcat on each Identity Server.

Customizing the Identity Server Logout Page

You can also use the following methods to modify the Identity Server logout page:

To customize the logout page when a user logs out of an Access Gateway protected resource, see Customizing Logout Requests. When you have both Liberty and SAML 2.0 sessions running on Identity Server and you log out of Access Gateway, the logoutsuccess_latest.jsp page is not executed with the customization you have made to the logout page. For information about the workaround, see Logging Out of Sessions of Access Gateway and SAML Connectors when Branding Exists in the Customized Logout Page.

NOTE:After customizing a JSP file, you need to sanitize the JSP file to prevent XSS attacks. See, Section 12.6, Preventing Cross-site Scripting Attacks.

Rebranding the Logout Page

The branding in the header of the logout page is controlled by the branding of the nidp_latest.jsp file. If you have modified this file for a customized login, the same branding appears in the logout page. For information about how to modify nidp_latest.jsp for logos, titles, and colors, see Rebranding the Header.

IMPORTANT:Save a copy of your modified nidp_latest.jsp file. Every time you upgrade Identity Server, you need to restore this file.

Replacing the Logout Page with a Custom Page

You can create your own logout page and configure Identity Server to use it. To do this, you need to modify the logoutSuccess_latest.jsp file on Identity Server. It is located in the following directory:

/opt/novell/nids/lib/webapp/jsp

The logoutSuccess_latest.jsp file is called in a frame from the nidp_latest.jsp file. You can modify the file to display what you want or you can modify it to redirect the user to your custom page. One way to provide redirection is to replace the information in the <body> element of the file with something similar to the following:

<body> 
      <script language="JavaScript"> 
        top.location.href='http://<hostname/path>'; 
      </script>     
</body>

Replace the <hostname/path> string with the location of your customized logout page.

IMPORTANT:Save a copy of your modified logoutSuccess_latest.jsp file. Every time you upgrade Identity Server, you will need to restore this file.

Configuring for Local Rather Than Global Logout

By default, when Identity Server receives a logout request, Identity Server logs the user out of any identity providers and service providers to which the user has authenticated. If you want to modify this behavior so that the logout request logs the user out of just Identity Server and leaves the user authenticated to identity providers and service providers, you need to add the following query string to the logout URL:

?local=true

The logout URL has the following format:

<Base_URL>/app/logout

Replace <Base_URL> with the base URL of your Identity Server. If the base URL of your Identity Server is https://hhb1.provo.novell.com:8443/nidp, the following is your local logout URL:

https://hhb1.provo.novell.com:8443/nidp/app/logout?local=true

To modify the logout.jsp file so that it performs a local logout:

  1. At Identity Server, open the logout.jsp file.

    /opt/novell/nids/lib/webapp/jsp

  2. Find the following line in the file:

    <form method="post" target="_top" action="<%= request.getContextPath() %>/app/logout">

  3. To the /app/logout string, add ?local=true. This modified line must look similar to the following:

    <form method="post" target="_top" action="<%= request.getContextPath() %>/app/logout?local=true">

  4. Save the file.

  5. Copy the file to each Identity Server in the cluster.

  6. Back up this file.

Customizing Logout Pages to Redirect Based on Parameters

You can customize an Identity Server logout page to redirect to URLs based on parameters specified in the logoutSuccess_latest.jsp file.

To customize the logoutSuccess_latest.jsp file to redirect to URLs, perform the following steps:

  1. At Identity Server, open the logoutSuccess_latest.jsp file:

    Linux: /opt/novell/nids/lib/webapp/jsp

    Windows: \Program Files\Novell\Tomcat\webapps\nidp\jsp

  2. Add the following as the last line in the logoutSuccess_latest.jsp file:

    <%out.println("UIHandler-param: " + uh.getLogoutQueryStringParam("test"));%>

    Here test indicates name of the parameter.

  3. Restart Identity Server.

  4. Specify a parameter with the logout URL. For example, https://www.idp.com:8443/nidp/app/logout?test=NetIQ.

    The logout page displays UIHandler-param: NetIQ in the logout page.

Customizing Identity Server Messages

NOTE:After customizing a JSP file, you need to sanitize the JSP file to prevent XSS attacks. See, Section 12.6, Preventing Cross-site Scripting Attacks.

Customizing Messages

  1. To customize the error pages, determine whether you need one custom file or multiple files:

    • If you do not need to support multiple languages, create one custom file for all customized messages.

    • If you need to support multiple languages, create a custom file for each language you want to customize.

  2. Create the custom properties file and name it:

    To support one language, name the file nidp_custom_resources.properties.

    To support multiple languages, create a nidp_custom_resources_<le_cy>.properties file for each supported language. Replace <le_cy> with the standard convention for Java Resource Bundles for the language or the language and country. For example:

    nidp_custom_resources_en_US.properties
nidp_custom_resources_fr.properties
nidp_custom_resources_es.properties

    If you want to support a custom messages for a language and a country and for just the language, you must create two files. For example:

    nidp_custom_resources_es_VE.properties
nidp_custom_resources_es.properties

  3. Copy the nidp.jar file to a working area. This file is located in the following location:

    /opt/novell/nids/lib/webapp/WEB-INF/lib

  4. Unzip the nidp.jar file in your working directory.

  5. In your working directory, locate the properties files in the following directories:

    com/novell/nidp/resource/strings
com/novell/nidp/resource/logging
com/novell/nidp/resource/jsp
com/novell/nidp/resource/jcc
com/novell/nidp/resource/noxlate
com/novell/nidp/liberty/wsf/idsis/ppservice/model
com/novell/nidp/liberty/wsf/idsis/epservice/model
com/novell/nidp/liberty/wsf/idsis/opservice/model
com/novell/nidp/liberty/wsf/idsis/apservice/model
com/novell/nidp/liberty/wsf/interaction
com/novell/nidp/liberty/wsf/idsis/ssservice/model
com/novell/nidp/servlets/handler/identityeditor
com/novell/nidp/servlets/handler/identityaccesseditor
com/novell/nidp/liberty/wsf/idsis/model
com/novell/nidp/liberty/wsf/idsis/authority/ldap/attribute/plugins/resources
com/novell/nidp/liberty/wsf/idsis/ldapservice/model

    The localized properties files contain messages that end users might see. The properties files that have not been localized contain messages that the end users must not see.

  6. Locate the messages you want to customize and copy them to your custom file.

    All messages that you want to customize are placed in this file, even though they come from different properties files.

    Your file must look similar to the following if you selected to customize messages from the nidp_resources_en_US.properties file and the SSModelResources_en_US.properties file:

    NIDPMAIN.100=An Identity Provider response was received that failed to authenticate this session.
NIDPMAIN.101=A request for identity federation could not be completed.
NIDPMAIN.102=A request for identity federation termination could not be completed.
SS.WKSLdapCreds = LDAP Credentials
SS.WKSELdapCredsUserName = LDAP User Name
SS.WKSELdapCredsUserDN = LDAP User DN
SS.WKSELdapCredsUserPassword = LDAP Password
SS.WKSX509Creds = X509 Credentials

  7. (Conditional) If multiple languages are supported, copy messages to each custom language file.

  8. Replace the messages in the file with your custom messages.

    Replace the string after the equals (=) sign with your translated or customized message.

    If you are using double-byte characters, the characters need to be in Unicode, hexadecimal format with a \u prefix. For example: \u5c71.

  9. Save the file.

  10. Copy the custom properties file to the following directory on all Identity Servers in the cluster:

    /opt/novell/nam/idp/webapps/nidp/WEB-INF/classes

  11. (Optional) Enable debug logging to enable messages for loading the custom properties files:

    1. Click Devices > Identity Servers > Edit > Auditing and Logging.

    2. In the Component File Logger Levels section, select Debug level for Application.

    3. Click OK, and then update Identity Server.

  12. Restart Tomcat.

    /etc/init.d/novell-idp restart Or

    rcnovell-idp restart

  13. (Optional) To verify the loading of the custom properties files, perform the following steps:

    1. View the log file by clicking Auditing > General Logging.

    2. Search for messages similar to the following in catalina.out or stdout.log:

      The named Custom Properties File was loaded and will be used:

Custom Properties File successfully loaded! Name: <Custom Properties FileName> 

An error occurred loading a specific Custom Properties File. Loading of other Custom Properties Files will continue.

<Error Description>, Attempting to load Custom Properties File! Name: <Custom Properties FileName>

The locale specifier in the Custom Properties File filename could not be successfully parsed into a valid locale. Loading of other Custom Properties Files will continue.

Custom Properties File load failed. Could not determine correct locale! Name: <Custom Properties FileName>

A general error occurred loading Custom Properties Files. Loading will stop and all un-loaded Custom Properties Files will not be loaded.

<Error Description>, Attempting to load Custom Properties Files!

To create custom error pages for Access Gateway, see Customizing Error Messages and Error Pages on Access Gateway.

Customizing the Branding of the Error Page

The error page (err_latest.jsp) is returned when Identity Server encounters an error with the following message:

Error: Unable to authenticate, (300101014-esp-01E79F6000B87D4E8)

The file is located in the following directory:

/opt/novell/nids/lib/webapp/jsp

IMPORTANT:After you customize this page, ensure that you back up this page before doing an upgrade. The upgrade process overrides any custom changes made to the err_latest.jsp page.

For information about customizing the error message, see Customizing Messages.

You can customize the following items:

Customizing the Titles

The window title appears in the browser title bar. To replace this text, open the err_latest.jsp file and locate the following text that appears between the <head></head> tags:

<title><%=handler.getResource(JSPResDesc.TITLE)%></title>

Replace the content between the <title> and </title> tags with the title you want to appear. For example:

<title>My Company</title>

The display title is the title that appears in the top frame of the page. Locate the following text that appears in the <body> of the page:

<div id="title"><%=handler.getResource(JSPResDesc.PRODUCT)%></div>

Replace the content between the <div id="title"> and </div> with the title you want to appear. For example:

<div id="title">My Company</div>

Customizing the Images

To replace the header image, open the err_latest.jsp file and locate the following text in the body of the file:

<div><img src="/nesp/images/AccessMan_Login_Head.png"></div>

Replace the value of the src attribute with the path and filename of the image you want to use.

To replace the Novell logo image, locate the following text in the body of the file:

<div id="logo"><img src="/nesp/images/AccessMan31_Nlogo.png"></div>

Replace the value of the src attribute with the path and filename of the image you want to use.

Customizing the Colors

To change the background colors on the page, modify the color values in the <style> section of the <head>.

Customizing Tooltip Text for Authentication Contracts

The strings that users see when they mouse over the cards for authentication contracts can be customized. If you need to support only one language, modify the text in Administration Console.

  1. Click Devices > Identity Servers > Edit > Local > Contracts.

  2. Click the name of a contract, then click Authentication Card.

  3. Replace the English text in the Text option with the required language, then click OK.

  4. Repeat Step 2 and Step 3 for each contract in the list.

  5. Click OK, and then update Identity Server.

To support multiple languages, you need to localize the tooltips. The nidsCardText attribute of the nidsAuthLocalContract object needs to be changed to a resource ID. The following procedure explains how to do this in Administration Console. You can also use an LDAP browser.

  1. Click Devices > Identity Servers > Edit > Local > Contracts.

  2. Click the name of a contract, then click Authentication Card.

  3. Replace the text in the Text option with a resource ID.

    For example, replace Name/Password - Form with CUSTOM_NamePwdFormToolTip.

  4. Click OK.

  5. Repeat Step 2 through Step 4 for each contract in the list.

  6. Click OK, then update Identity Server.

  7. Use custom string resource files to define the localized strings:

    1. Change to the WEB-INF/classes directory.

    2. For each supported language, create a properties file. For example:

      nidp_custom_resources_fr.properties
nidp_custom_resources_es.properties

      If you have already created these files for custom messages (see Customizing Messages), use the existing files.

    3. For each resource ID you have created, add an entry that contains the resource ID and the text you want displayed for that language. For example:

      CUSTOM_NamePwdFormToolTip=Forma de Nombre/Clave

    4. Repeat Step 7.c for each supported language file.

  8. Restart Tomcat.

    /etc/init.d/novell-idp restart Or

    rcnovell-idp restart

Maintaining Customized Identity Server

If you have customized JSP files for Identity Server, you must perform few steps to maintain the customized files before upgrading Access Manager. If you do not, Access Manager overwrites the customized JSP files.

For more information, see Maintaining Customized JSP Files for Identity Server in the NetIQ Access Manager Appliance 4.5 Installation and Upgrade Guide.

Examples for Customizing the User Portal Page Using Customizable Files

The following sections provide the customizations that you can perform using customizable files:

Editing the ux_access.css file

Edit the following in the ux_access.css file at opt/novell/nids/lib/webapp/css:

body {
 … 
background-color: #f7ba6f;
 }
#theNidpContent{
  margin: 0px auto;
  width:400px;
}
#globalMessage {
  margin: 0px auto;
  width:400px;
}
#nam-login-tabs-div {
  background-color: #dbd9db;
}

Editing ux_access.css and nidp_latest.JSP

  • Edit the following in the ux_access.css file at opt/novell/nids/lib/webapp/css:

    body {
 … 
background-color: #bc5854;
}
#theNidpContent{
  margin: 0px auto;
  width:400px;
}

  • Edit the following in the nidp_latest.jsp file at opt/novell/nids/lib/webapp/jsp:

    $(document).ready(function(){
  …
  $('#currentCardDisplay, #masthead-namclient, #nam-ham-menu, #nam-ham-but, #globalMessage, .tabs').css('visibility', 'hidden');
}

Editing ux_access.css and nidp_latest.jsp

  • Edit the following in the ux_access.css file at opt/novell/nids/lib/webapp/css:

    body {
 … 
background-color: #f7ba6f;
}
#theNidpContent{
  margin: 0px auto;
  width:400px;
}

  • Edit the following in the nidp_latest.jsp file at opt/novell/nids/lib/webapp/jsp:

    $(document).ready(function(){
  …
  $('#currentCardDisplay, #nam-ham-menu, #nam-ham-but, #globalMessage, .tabs').css('visibility', 'hidden');  }

Editing ux_access.css and nidp_latest.jsp

  • Edit the following in the ux_access.css file at opt/novell/nids/lib/webapp/css:

    body {
 … 
background-color: #f7ba6f;
}
#mastheadTitle {
  margin-left: 2%;   
}

#mastheadImage {
  margin-left: 35%;
}

#nam-ham-but {
  margin-left:93%;
}
#theNidpContent{
  margin: 0px auto;
  width:400px;
}

  • Edit the following in the nidp_latest.jsp file at opt/novell/nids/lib/webapp/jsp:

    $(document).ready(function() {
  …
  $('#currentCardDisplay, #globalMessage, nam-login-tabs-div').css('visibility', 'hidden');
}