2.3.9 Configuring Advanced Authentication Server

To integrate NetIQ Advanced Authentication with Access Manager, you must configure the Advanced Authentication server details in Access Manager.

For step-by-step details for integrating Access Manager with Advanced Authentication, see Multi-Factor Authentication Using Advanced Authentication.

Perform the following steps to configure the Advanced Authentication server details:

  1. Click Devices > Identity Servers > Shared Settings > Advanced Authentication.

  2. Specify the following details:

    Server Domain: Specify the scheme, domain name or IP address, and port of the Advanced Authentication server. Use https as the scheme; the client secret, authorization codes, and access tokens of the integration are exchanged with this server.

    Tenant Name (Access Manager 4.5 Service Pack 2 and later): Specify the name of the tenant that you want to use. By default this field is populated with the TOP tenant of Advanced Authentication; specify a different tenant name if you want to use another tenant.

    NOTE: If you are using the plug-in-based methods, skip to Step 5.

  3. (Required only for the OAuth-based approach) Under OAuth Event Configuration, select Integrate using OAuth.

  4. (Required only for the OAuth-based approach) Specify the following details:

    Event Name: Specify an event name. This name must be identical to the name of the OAuth 2.0 event created in the Advanced Authentication administration portal.

    Client ID: Specify the client ID that was generated when the OAuth 2.0 event was created in the Advanced Authentication administration portal.

    Client Secret: Specify the client secret that was generated when the OAuth 2.0 event was created in the Advanced Authentication administration portal. Treat this value as a credential: anyone who holds it can act as this Access Manager client towards the Advanced Authentication server.

    Webauth Domain (Access Manager 4.5 Service Pack 1 and later): To use the Virtual Smartcard method, select Use the Advanced Authentication Virtual Smartcard. This populates the Webauth Domain URL. For example, if aaserver.domain.com is the DNS name of your Advanced Authentication server, webauth.domain.com is populated in Webauth Domain. When you enable this option, all requests from Identity Server to OSP are redirected to webauth.domain.com instead of aaserver.domain.com.

    NOTE: The Virtual Smartcard method must be configured on the Advanced Authentication server.

    Access Manager uses the following endpoints to retrieve the authorization code, the access token, and the user details from the Advanced Authentication server. The values shown are the defaults. If the URIs change because the Advanced Authentication authorization server has been modified, update the values here.

    Authorization URL (default /osp/a/TOP/auth/oauth2/grant): Access Manager uses this URL to retrieve the authorization code from the Advanced Authentication server.

    Token URL (default /osp/a/TOP/auth/oauth2/authcoderesolve): Access Manager uses this URL to exchange the authorization code for an access token.

    User Info URL (default /osp/a/TOP/auth/oauth2/getattributes): Access Manager sends the access token to this URL to obtain the user details from the Advanced Authentication server.

    The fields under Integration URLs are auto-populated after you specify the server domain address.

    IMPORTANT: If the values are not auto-populated, specify the following default values.

    Enrollment Page URL (default /account/basic): If the user is not enrolled in the Advanced Authentication server, Access Manager uses this URL to redirect the user to the enrollment page.

    Sign Data URL (default /osp/a/TOP/auth/oauth2/sign): Access Manager uses this URL to retrieve the signed data from the Advanced Authentication server.

  5. Click Apply.

  6. Proceed with Section 4.3.3, NetIQ Advanced Authentication to create Advanced Authentication classes.
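The procedure above is a sequence of values typed into the Administration Console, which gives you little to test until a user actually tries to log in. The following Python script is an added example, not part of the Access Manager documentation or product: it performs offline the same sanity checks a practitioner would want before clicking Apply. It validates the Server Domain (scheme, host, port), derives the Webauth Domain from the aaserver.domain.com / webauth.domain.com example in step 4 (generalised here to "replace the leftmost DNS label with webauth", which is an assumption), assembles the absolute endpoint URLs from the documented default paths and any values you override, and compares the Event Name, Client ID and Client Secret with what the Advanced Authentication portal shows. All sample values in the block are constructed, and the override paths (such as a non-TOP tenant) are placeholders, not values taken from a real deployment.

```python
"""Offline sanity checks for the Access Manager <-> Advanced Authentication
OAuth configuration described in section 2.3.9. Added example; constructed
values only, no network access."""
from urllib.parse import urlsplit, urlunsplit

# Default endpoint paths exactly as listed in the section.
DEFAULT_ENDPOINTS = {
    "authorization_url": "/osp/a/TOP/auth/oauth2/grant",
    "token_url": "/osp/a/TOP/auth/oauth2/authcoderesolve",
    "userinfo_url": "/osp/a/TOP/auth/oauth2/getattributes",
    "enrollment_page_url": "/account/basic",
    "sign_data_url": "/osp/a/TOP/auth/oauth2/sign",
}


def parse_server_domain(server_domain):
    """Validate the Server Domain field: scheme, host and port must all be
    present, nothing else may follow, and the scheme must be https because
    the client secret and access tokens travel to this host."""
    parts = urlsplit(server_domain)
    if parts.scheme != "https":
        raise ValueError(f"Server Domain must use https, got {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("Server Domain has no host")
    if parts.port is None:
        raise ValueError("Server Domain must include an explicit port")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("Server Domain must be scheme://host:port only")
    return parts


def webauth_domain(server_domain):
    """Derive the Webauth Domain shown in step 4: aaserver.domain.com ->
    webauth.domain.com. Assumption: the leftmost DNS label is replaced with
    'webauth'; this needs a DNS name, not an IP address."""
    parts = parse_server_domain(server_domain)
    labels = parts.hostname.split(".")
    if len(labels) < 2 or all(label.isdigit() for label in labels):
        raise ValueError("Webauth Domain needs a DNS name, not an IP address")
    return ".".join(["webauth"] + labels[1:])


def integration_urls(server_domain, overrides=None):
    """Build the absolute URLs Access Manager will call. A field left blank
    (None or '') falls back to the documented default, mirroring the
    IMPORTANT note in step 4; overrides are hypothetical operator values."""
    parts = parse_server_domain(server_domain)
    base = urlunsplit((parts.scheme, parts.netloc, "", "", ""))
    overrides = overrides or {}
    urls = {}
    for name, default in DEFAULT_ENDPOINTS.items():
        path = overrides.get(name) or default
        if not path.startswith("/"):
            raise ValueError(f"{name} must be an absolute path, got {path!r}")
        urls[name] = base + path
    return urls


def check_event_binding(am_config, aa_event):
    """Compare the Access Manager side (Event Name, Client ID, Client Secret)
    with the OAuth 2.0 event as created in the Advanced Authentication
    administration portal. Returns a list of problems; empty means the two
    sides agree. aa_event is a constructed view of the portal's values."""
    problems = []
    if not am_config.get("event_name"):
        problems.append("Event Name is empty")
    elif am_config["event_name"] != aa_event["name"]:
        problems.append(
            f"Event Name {am_config['event_name']!r} differs from the portal "
            f"event {aa_event['name']!r}; the names must be identical")
    for key in ("client_id", "client_secret"):
        if not am_config.get(key):
            problems.append(f"{key} is empty")
        elif am_config[key] != aa_event[key]:
            problems.append(f"{key} does not match the value generated for the event")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    server = "https://aaserver.domain.com:443"
    am_side = {"event_name": "AM-OAuth", "client_id": "client-1", "client_secret": "s3cret"}
    portal_side = {"name": "am-oauth", "client_id": "client-1", "client_secret": "s3cret"}
    print("Webauth Domain:", webauth_domain(server))
    for name, url in integration_urls(server).items():
        print(f"{name}: {url}")
    for problem in check_event_binding(am_side, portal_side):
        print("PROBLEM:", problem)
```

The event-name comparison is deliberately case-sensitive, because "identical" in step 4 leaves no room for a case-insensitive match; the sample run reports exactly that mismatch (AM-OAuth versus am-oauth) while the client ID and secret pass.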