3.10 Importing and Configuring Custom Connectors

CloudAccess allows you to import and configure custom connectors that you create with the Access Connector Toolkit, or that are created for you by NetIQ Technical Support or NetIQ partners.

After you export a custom connector, you must import its ZIP file to CloudAccess to make it available in the Applications palette of the administration console. Thereafter, you can enable and manage the connector as you do the connectors for applications that shipped with the appliance. The custom connector might require additional configuration, depending on the single sign-on method you use.

The destination application might also require additional configuration, depending on the application and the federation method. The destination applications for connectors for Basic SSO do not require additional configuration.

3.10.1 SAML2 and WS-Fed Custom Connectors

To import and configure a custom connector for SAML2 and WS-Federation:

  1. Log in as an administrator to the CloudAccess administration console:

    https://appliance_dns_name/appliance/index.html
    
  2. Import the custom connector to the Applications palette.

    1. Copy the custom connector ZIP file to the computer where you administer CloudAccess.

    2. On the Admin page, click the Tools icon on the toolbar, then click Import connector template.

    3. Browse to and select the custom connector ZIP file, then click Import.

      The connector appears in the Applications palette.

  3. Drag the new custom connector from the Applications palette to the Applications panel.

    The Configuration window opens automatically for the initial configuration. To view or reconfigure the settings later, click the connector icon, then click Configure.

  4. Complete the connector settings on the Configuration tab.

    The steps to configure the connector are determined by the information you added to the connector template.

  5. Expand the Federation Instructions, then copy and paste the instructions into a text file to use when you configure the destination application.

    NOTE: You must use a text editor that does not introduce hard returns or additional white space. For example, use Notepad instead of Wordpad.

  6. Click the Appmarks tab, then review and edit the default settings for the appmark.

    For more information, see Section 2.5, Configuring Appmarks for Connectors.

  7. Click OK to save the configuration.

  8. On the Admin page, click Apply to commit the changes to the appliance.

  9. Wait until the configuration changes have been applied on each node of the CloudAccess cluster.

  10. Log in to the service provider as the account administrator, then configure the federation for CloudAccess in the application’s administration console.

    Use the information from the Federation Instructions in Step 5 to complete the setup.

    NOTE: When you copy the appliance’s signing certificate, ensure that you include all leading and trailing hyphens in the certificate’s Begin and End tags.

  11. In the CloudAccess administration console, click Policy on the toolbar, then perform policy mapping to specify entitlements for the SAML 2.0 Inbound users to the service provider application.

    For more information, see Mapping Authorizations in the NetIQ® CloudAccess and MobileAccess Installation and Configuration Guide.

  12. After you complete the configuration, users can log in through CloudAccess to single sign-on to the service provider’s system. The CloudAccess login page URL is:

    https://appliance_dns_name
    

3.10.2 SAML2 In Custom Connectors

Before you begin, ensure that you understand the trust policy settings for the SAML2 In identity sources. For more information, see Section 3.6.1, Understanding SAML2 In Identity Sources and Section 3.6.2, Requirements for Using SAML2 In Identity Sources.

To import and configure a custom connector for SAML2 In as an identity source:

  1. Log in as an administrator to the CloudAccess administration console:

    https://appliance_dns_name/appliance/index.html
    
  2. Import the custom SAML2 In connector to the Applications palette.

    1. Copy the custom connector ZIP file to the computer where you administer CloudAccess.

    2. On the Admin page, click the Tools icon on the toolbar, then click Import connector template.

    3. Browse to and select the custom connector ZIP file, then click Import.

      The connector appears in the Identity Sources palette.

  3. Drag the new custom connector from the Identity Sources palette to the Identity Sources panel.

    The Configuration window opens automatically for the initial configuration. To view or reconfigure the settings later, click the connector icon, then click Configure.

  4. Complete the connector settings on the Configuration tab.

    The steps to configure the connector are determined by the information you added to the connector template.

  5. Under Assertion Attribute Mappings, map the SAML Assertion attributes to the appropriate attributes in your identity source.

  6. Under Trust policy for user identities in assertions, configure the preferred action to take when the appliance receives an assertion from the identity provider.

    For more information about unknown and known users, see Section 3.6.1, Understanding SAML2 In Identity Sources.

  7. Expand the Federation Instructions, then copy and paste the instructions into a text file to use when you configure the originating identity provider.

    NOTE: You must use a text editor that does not introduce hard returns or additional white space. For example, use Notepad instead of Wordpad.

  8. Click OK to save the configuration.

  9. On the Admin page, click Apply to commit the changes to the appliance.

  10. Wait until the configuration changes have been applied on each node of the CloudAccess cluster.

  11. The appliance now acts as a SAML 2.0 service provider for the specified identity provider. The appliance SAML 2.0 metadata should now include the SPSSODescriptor section. Use this information to configure the identity provider for SAML 2.0 Inbound federation with the appliance.

  12. Log in to the originating identity provider as the account administrator, then configure the SAML 2.0 Inbound federation for CloudAccess in the provider’s administration console.

    To complete the setup, use the information from the Federation Instructions in Step 7 and the SPSSODescriptor from Step 11.

    NOTE: When you copy the appliance’s signing certificate, ensure that you include all leading and trailing hyphens in the certificate’s Begin and End tags.

  13. (Conditional) If you enabled access for unknown users, you must configure entitlements for the users that will be added to the SAML2 In internal data store. In the CloudAccess administration console, click Policy on the toolbar, then perform policy mapping to specify entitlements for the SAML2 In users to the appropriate applications.

    For more information, see Mapping Authorizations in the NetIQ® CloudAccess and MobileAccess Installation and Configuration Guide.

  14. The appliance login page provides a link to the login page of the SAML 2.0 identity provider, located to the left of the user name and password login options. The SAML 2.0 users log in through the identity provider to gain access to the appliance landing page.
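The following is an added pre-flight check, not NetIQ code, for two points in the procedures above: Step 11 of this section (the appliance metadata must contain an SPSSODescriptor before the identity provider can be configured) and the NOTE in Step 12 here and Step 10 of Section 3.10.1 (the pasted signing certificate must keep all hyphens of its Begin and End tags and pick up no editor whitespace). The metadata, entityID and certificate body are constructed samples, and the function names are assumptions of this example.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

# Constructed sample metadata; the base64 body is NOT a real X.509 certificate.
SAMPLE_B64 = base64.b64encode(b"constructed sample, not a real certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://appliance_dns_name/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def sp_signing_certs(metadata_xml):
    """Base64 signing certs under SPSSODescriptor; [] means the appliance is
    not yet published as a SAML 2.0 service provider (Step 11 not complete)."""
    certs = []
    for sp in ET.fromstring(metadata_xml).iter(f"{{{MD_NS}}}SPSSODescriptor"):
        for kd in sp.iter(f"{{{MD_NS}}}KeyDescriptor"):
            if kd.get("use") in (None, "signing"):  # no 'use' = signing and encryption
                for c in kd.iter(f"{{{DS_NS}}}X509Certificate"):
                    certs.append("".join((c.text or "").split()))
    return certs

def to_pem(b64):
    """Render a metadata certificate as the PEM block an IdP console expects."""
    return "\n".join([BEGIN, *(b64[i:i + 64] for i in range(0, len(b64), 64)), END]) + "\n"

def pem_problems(pem):
    """Problems in a pasted PEM block: mangled tags, editor whitespace, bad base64."""
    problems = []
    lines = pem.replace("\r\n", "\n").split("\n")   # CRLF line endings from Notepad are fine
    if any(l != l.strip() for l in lines):
        problems.append("stray leading/trailing whitespace on a line")
    if lines[0] != BEGIN:
        problems.append("BEGIN tag wrong (check all five leading/trailing hyphens)")
    end = len(lines) - (1 if lines[-1] == "" else 0)
    if end < 2 or lines[end - 1] != END:
        problems.append("END tag wrong (check all five leading/trailing hyphens)")
    try:
        base64.b64decode("".join(lines[1:end - 1]), validate=True)
    except binascii.Error:
        problems.append("body is not valid base64")
    return problems
```

Run sp_signing_certs on the metadata downloaded from the appliance and pem_problems on the certificate text you are about to paste into the identity provider; an empty list from each is the expected result.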

3.10.3 Basic SSO Custom Connectors

To import and configure a custom connector for Basic SSO:

  1. Log in as an administrator to the CloudAccess administration console:

    https://appliance_dns_name/appliance/index.html
    
  2. Import the custom connector for Basic SSO to the Applications palette.

    1. Copy the custom connector ZIP file to the computer where you administer CloudAccess.

    2. Click the Tools icon on the console toolbar, then click Import Connector Template.

    3. Browse to and select the ZIP file for the connector template you want to import, then click Import.

      The imported connector appears in the Applications palette.

  3. Drag the new custom connector from the Applications palette to the Applications panel.

    The Configuration window opens automatically for the initial configuration. To view or reconfigure the settings later, click the connector icon, then click Configure.

  4. On the Configuration page, you can modify the display name, set custom settings as required, and view information about the connector’s destination website.

  5. Click the Appmarks tab, then review the default settings for the appmark.

    Public access is enabled automatically. If you disable public access, the appmark does not appear on the landing page until you map authorizations to set entitlements for user roles (groups).

  6. Click OK to save the configuration.

  7. On the Admin page, click Apply to commit the changes to the appliance.

  8. Wait until the configuration changes have been applied on each node of the CloudAccess cluster.

  9. (Conditional) If Public access is disabled, perform policy mapping to specify entitlements for identity source roles (groups).

    For more information, see Mapping Authorizations in the NetIQ® CloudAccess and MobileAccess Installation and Configuration Guide.

  10. After you complete the configuration, users can log in through CloudAccess to access the destination website. The CloudAccess login page URL is:

    https://appliance_dns_name