7.1 Overview of CloudAccess Connectors

CloudAccess uses connectors to provide single sign-on (SSO) access for users to web resources through CloudAccess. CloudAccess authenticates the users against your identity sources. When the user accesses the link for an application through CloudAccess, CloudAccess shares the authenticated user’s identity information with the destination application to establish the user’s session. Each user can access only the links they are authorized to use, according to the entitlements you set for each application.

7.1.1 Understanding Single Sign-On Methods

CloudAccess supports single sign-on for a variety of web services and applications that have different authentication requirements. The method used for single sign-on depends on the security requirements and capabilities of each destination resource.

Federated Single Sign-On with SAML 2.0 or WS-Federation

Federated single sign-on relies on a trust relationship between an identity provider and a service provider to give a user access to a protected web service or application through CloudAccess. Open standards for federation include SAML 2.0 (Security Assertion Markup Language), WS-Federation (Web Services Federation), and SAML 2.0 Inbound. They provide a vendor-neutral means of exchanging user identity, authentication, and attribute information. The service provider trusts the identity provider to validate the user’s authentication credentials and to send identity information about the authenticated user. The service provider accepts the data and uses it to give the user access to the destination service or application. This data exchange is transparent for the user. It allows the user to access the web service or application without providing an additional password.

The following describes the SSO experience for trusted access to an application through CloudAccess:

  1. The user provides login credentials directly to CloudAccess, such as their corporate user name and password.

  2. CloudAccess authenticates the user’s credentials against the identity sources.

  3. CloudAccess presents the landing page to the user with links to applications that the user is entitled to use.

  4. When a user clicks an application’s link, CloudAccess, acting as the identity provider, produces an authentication assertion or token for the service provider that contains the identity attributes needed for the user request.

  5. The service provider consumes the assertion or token to establish a security context for the user.

  6. The service provider validates the assertion and authorizes the resource request.

  7. The service provider establishes a session with the user.

CloudAccess can also provide authentication when the user initiates access to the application from the service provider.

The following describes the SSO experience for trusted access to an application initiated from the service provider:

  1. The user attempts to log in to an application.

  2. The login is redirected to CloudAccess.

  3. CloudAccess prompts the user for the user name and password. Or, if Kerberos is configured, CloudAccess performs seamless authentication.

  4. CloudAccess verifies the user name and password using the identity sources. Or, if Kerberos is configured, CloudAccess validates the Kerberos token.

  5. CloudAccess provides an assertion to the application service provider.

  6. The service provider validates the assertion and allows the user to access the application.
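The checks a service provider performs when it "validates the assertion" (step 6 in both flows above), shown as an added example rather than code from CloudAccess or any service provider: issuer, validity window with a small clock-skew allowance, audience restriction, and subject. The sample assertion, issuer and audience URLs are constructed placeholders, and the XML signature check that must precede these checks is assumed to have been done with an XML-DSig library.

```python
import datetime as dt
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion. A real one carries an XML-DSig signature that must be
# verified against the identity provider's certificate before any check below is trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://cloudaccess.example.com/idp</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_ts(value):
    """Parse a SAML UTC timestamp (YYYY-MM-DDThh:mm:ssZ) into an aware datetime."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience, now,
                       skew=dt.timedelta(seconds=60)):
    """Service-provider checks on a signature-verified assertion.

    Returns (ok, reason, name_id); every check fails closed.
    """
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer != expected_issuer:
        return False, f"unexpected issuer {issuer!r}", None
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "missing Conditions or validity window", None
    if now + skew < parse_ts(cond.get("NotBefore")):
        return False, "assertion not yet valid", None
    if now - skew >= parse_ts(cond.get("NotOnOrAfter")):
        return False, "assertion expired", None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        return False, f"audience {audiences} does not name this service provider", None
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not name_id:
        return False, "missing Subject NameID", None
    return True, "ok", name_id
```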

Basic Single Sign-On

Basic single sign-on provides an internal credentials store where users can save their credentials for third-party websites that require that a password be sent at login. The destination website’s login page must use HTML Forms as the main point of interaction with the user. A user typically has a site-specific user name and password for each destination website. CloudAccess stores the user’s credentials for each site in AES-256 encrypted format. After a user authenticates to CloudAccess, the user can access a website without manually re-entering the user’s credentials for the site.

OAuth 2.0 Single Sign-On

OAuth 2.0 single sign-on provides simple authenticated access to a protected web service through CloudAccess. CloudAccess behaves as an OAuth 2.0 Authorization Server and Resource Server to provide user authentication and all OAuth2 token creation and validation for access. It uses the Authorization Code flow as detailed in the OAuth 2.0 Authorization Framework (IETF RFC 6749) document.

CloudAccess supports OAuth 2.0 access in service-provider mode. End users can access the protected resource by browsing to the URL of the OAuth client application. For example, the user can enter the URL directly into the browser and be redirected to log in to CloudAccess, or they can use a bookmark or the landing page appmark after logging in to CloudAccess.

The following describes the experience for OAuth 2.0 access to an application by browsing to the URL:

  1. The user accesses the protected resource by entering the URL directly in the browser.

  2. The user is redirected to the CloudAccess login page.

  3. The user provides login credentials to CloudAccess, such as their corporate user name and password.

  4. CloudAccess authenticates the user’s credentials against the identity sources.

  5. CloudAccess validates the OAuth2 token for the client.

  6. The user gains access to the resource.

The following describes the experience for OAuth 2.0 access to an application through CloudAccess:

  1. The user provides login credentials directly to CloudAccess, such as their corporate user name and password.

  2. CloudAccess authenticates the user’s credentials against the identity sources.

  3. CloudAccess presents the landing page to the user with links to applications that the user is entitled to use.

  4. The user clicks the bookmark or the landing page appmark for the application.

  5. CloudAccess validates the OAuth2 token for the client.

  6. The user gains access to the resource.
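The Authorization Code flow of RFC 6749 that the two OAuth 2.0 experiences above rely on, as an added example with all three roles (client, authorization server, resource server) in one process; this is illustration code, not CloudAccess's implementation. The client id, secret, redirect URI and endpoint URL are constructed placeholders. It shows the checks that make the flow safe: the redirect URI must match the registration, the state parameter binds the callback to the request that started it, and a code is short-lived and redeemable exactly once by the client it was issued to.

```python
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlparse

# Constructed client registration; client id, secret, redirect URI and endpoint are placeholders.
CLIENTS = {"app123": {"secret": "s3cret", "redirect_uri": "https://app.example.com/cb"}}
_codes, _tokens = {}, {}   # authorization server state, in memory for the example


def build_authorization_request(client_id, redirect_uri, state):
    """Client: the URL the browser is sent to (step 2, the redirect to the CloudAccess login page)."""
    return "https://cloudaccess.example.com/oauth/authorize?" + urlencode(
        {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri, "state": state})

def authorize(request_url, authenticated_user):
    """Authorization server: after login (steps 3-4) issue a short-lived, single-use code."""
    q = dict(parse_qsl(urlparse(request_url).query))
    client = CLIENTS.get(q.get("client_id"))
    if (not client or q.get("response_type") != "code" or "state" not in q
            or q.get("redirect_uri") != client["redirect_uri"]):
        raise ValueError("invalid_request")   # never redirect to an unregistered URI
    code = secrets.token_urlsafe(24)
    _codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                    "user": authenticated_user, "expires": time.time() + 60}
    return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

def client_callback(callback_url, expected_state):
    """Client: bind the callback to the request it started (state check), then take the code."""
    q = dict(parse_qsl(urlparse(callback_url).query))
    if not secrets.compare_digest(q.get("state", ""), expected_state):
        raise ValueError("state mismatch")
    return q["code"]

def exchange_code(client_id, client_secret, code, redirect_uri):
    """Token endpoint: authenticate the client, redeem the code exactly once, check its binding."""
    client = CLIENTS.get(client_id)
    grant = _codes.pop(code, None)   # pop: a replayed code finds nothing and is rejected
    if (not client or not secrets.compare_digest(client["secret"], client_secret) or grant is None
            or grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri
            or grant["expires"] < time.time()):
        raise ValueError("invalid_grant")
    token = secrets.token_urlsafe(32)
    _tokens[token] = {"user": grant["user"], "expires": time.time() + 3600}
    return token

def validate_token(token):
    """Resource server (step 5): return the user bound to a live token, or None."""
    t = _tokens.get(token)
    return t["user"] if t and t["expires"] > time.time() else None
```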

Simple Proxy Single Sign-On

Simple proxy single sign-on provides reverse proxy access to your enterprise web service through CloudAccess. If the web service requires user identity information to control access or content, you can configure the connector to inject the authenticated user’s identity attributes in query strings and HTTP headers sent to the web service. However, the connector cannot be used to provide single sign-on for web services that require passwords for access. This proxy solution cannot inject the password. It does not support site redirects.

The following describes the experience for simple proxy access to a web service through CloudAccess:

  1. The user provides login credentials directly to CloudAccess, such as their corporate user name and password.

  2. CloudAccess authenticates the user’s credentials against the identity sources.

  3. CloudAccess presents the landing page to the user with links to applications that the user is entitled to use.

  4. The user clicks the appmark for the application.

  5. (Conditional) CloudAccess sends identity information about the user in query strings and headers.

  6. The website validates the resource request.

  7. The user gains access to the resource.
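The trust model behind step 5 above, as an added example that is not CloudAccess's implementation: a proxy that injects identity attributes must first discard any copies of those header names or query parameters the client itself sent, and the web service behind the proxy must accept the injected identity only on requests that actually arrived from the proxy. The header and parameter names, the identity attributes and the addresses are hypothetical.

```python
from urllib.parse import urlencode

# Hypothetical attribute-to-header and attribute-to-query mappings; the real names are
# whatever the connector instance is configured to send to the web service.
HEADER_MAP = {"X-Remote-User": "uid", "X-Remote-Mail": "mail", "X-Remote-Groups": "groups"}
QUERY_MAP = {"user": "uid"}


def _clean(value):
    """Join multi-valued attributes and strip CR/LF so a value cannot become a second header."""
    text = ",".join(value) if isinstance(value, (list, tuple)) else str(value)
    return text.replace("\r", "").replace("\n", "")


def build_upstream_request(client_headers, client_query, identity):
    """Proxy side: drop client-supplied copies of the injected names, then add the authenticated values."""
    reserved = {name.lower() for name in HEADER_MAP}   # header names are case-insensitive
    headers = {k: v for k, v in client_headers.items() if k.lower() not in reserved}
    headers.update({name: _clean(identity.get(attr, "")) for name, attr in HEADER_MAP.items()})
    query = {k: v for k, v in client_query.items() if k not in QUERY_MAP}
    query.update({name: _clean(identity.get(attr, "")) for name, attr in QUERY_MAP.items()})
    return headers, urlencode(query)


def backend_current_user(headers, peer_ip, proxy_ips):
    """Backend side: trust the injected identity only when the request came from the proxy itself."""
    if peer_ip not in proxy_ips:
        return None
    return headers.get("X-Remote-User") or None
```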

Bookmarks

In CloudAccess, you can create bookmarks to access web applications through CloudAccess that do not require additional passwords. The bookmarks are accessible from the browser landing page or directly from the MobileAccess app on users’ mobile devices.

The following describes the experience for bookmark access to a web application through CloudAccess:

  1. The user provides login credentials directly to CloudAccess, such as their corporate user name and password.

  2. CloudAccess authenticates the user’s credentials against the identity sources.

  3. CloudAccess presents the landing page to the user with links to applications that the user is entitled to use.

  4. The user clicks the appmark for the bookmark.

  5. The user gains access to the resource.

7.1.2 Connectors for Federated Single Sign-On and Provisioning

CloudAccess provides three connectors that enable federated single sign-on and logout as well as account provisioning. The connectors ship with the appliance. You can use these connectors if you have a CloudAccess license as well as an account with the destination service.

After you initialize the appliance, the connectors for Google Apps and Salesforce are automatically visible in the Applications palette in the administration console. However, the connector for Office 365 is not visible in the palette until you install the connector on the Windows Management Server.

Provisioning is available for users in your corporate identity sources for Active Directory, eDirectory, and JDBC. You must map authorizations for the appropriate roles (groups) to enable their entitlements to the applications. Users must log in with a corporate identity to access their provisioned account.

7.1.3 Connectors for Federated Single Sign-On

CloudAccess provides additional connectors that you can use for federated single sign-on to web services and applications through CloudAccess. The connectors support either the SAML 2.0 protocol or the WS-Federation protocol.

The connector for NetIQ Access Manager ships with the appliance. You can use this connector if you have a CloudAccess license or a MobileAccess-only license as well as an account for Access Manager. For more information, see “Connector for NetIQ Access Manager”.

You can download additional connectors from NetIQ Downloads. For configuration information, see the following:

You can also create custom connectors for federated single sign-on and logout by using the NetIQ Access Connector Toolkit. For more information, see Creating Custom Connectors.

After you download a connector or create a custom connector, you must import it to CloudAccess to make it available in the Applications palette in the CloudAccess administration console. You can use these connectors if you have a CloudAccess license as well as an account with the destination service.

7.1.4 Connectors for Basic Single Sign-On

CloudAccess provides many connectors for Basic Single Sign-On (Basic SSO). They allow users to access web services that use forms-based authentication and require that the user’s password be sent at login. Examples include social media sites such as Evernote, LinkedIn, and Facebook. Basic SSO connectors work with the Basic SSO extension for supported browsers running on the user’s computer.

CloudAccess supports using multiple connectors for Basic SSO. Each instance points to a different destination website. You can use these connectors if you have a CloudAccess license. Users have individual accounts with the destination services.

NetIQ provides connectors for Basic SSO in the NetIQ Application Catalog. You can browse or search the catalog for appropriate connectors to import to your appliance. You can access the catalog from the Applications palette in the administration console.

You can also create custom connectors for Basic SSO by using the NetIQ Access Connector Toolkit. For more information, see Creating Custom Connectors. After you create a custom connector, you must import it to CloudAccess to make it available in the Applications palette in the CloudAccess administration console. For more information, see Connectors for Basic SSO.

7.1.5 Connector for OAuth 2.0 Single Sign-On

CloudAccess provides a connector for OAuth2 Resources that allows single sign-on with simple OAuth 2.0 authenticated access to a protected web service through CloudAccess. The connector ships with the appliance.

CloudAccess supports using multiple instances of the connector for OAuth2 Resources. Each instance points to a different destination OAuth 2.0 resource, or to a set of OAuth 2.0 resources that have the same authentication requirements. You can use this connector if you have a CloudAccess license as well as an account with the destination service.

For more information, see Connector for OAuth2 Resources.

7.1.6 Connector for Simple Proxy Single Sign-On

CloudAccess provides a connector for Simple Proxy that gives users reverse proxy access to your enterprise web service through CloudAccess. The connector ships with the appliance.

CloudAccess supports using multiple instances of the connector for Simple Proxy. Each instance points to a different destination website path. You can use this connector if you have a CloudAccess license or a MobileAccess-only license as well as access to the destination web path.

For more information, see Connector for Simple Proxy.

7.1.7 Connector for Bookmarks

The connector for Bookmarks is a container for simple bookmarks to applications that do not require additional passwords for access. The connector ships with the appliance. You can use this connector if you have a CloudAccess license or a MobileAccess-only license as well as access to the destination web service.

For more information, see Connector for BookMarks.

7.1.8 Custom Connectors

CloudAccess provides the NetIQ Access Connector Toolkit (ACT) that allows you to create custom connectors. If you need help creating a custom connector to use with CloudAccess, Priority Support customers have the option to open a service request with NetIQ Technical Support (NTS). NTS is available to provide toolkit support as well as to configure the connectors to work with integrated applications. Additional information from the SaaS provider is usually required.

NOTE: Before you contact NetIQ Technical Support, please complete the appropriate worksheet for the connector type that you want to create. See Custom Connector Worksheets.

The Access Connector Toolkit facilitates custom connector development efforts without coding or scripting. You can create connectors for identity-aware SaaS applications that support federated single sign-on and logout or that support basic single sign-on. You can use the toolkit and custom connectors if you have a CloudAccess license as well as appropriate accounts with the destination services.

For more information, see Creating Custom Connectors.

7.1.9 License Information for Connectors

A CloudAccess license entitles you to use any of the connectors described in this guide, including custom connectors.

A MobileAccess-only license entitles you to use only the following three connectors on the Applications palette in the CloudAccess administration console. All other connectors, including custom connectors, are CloudAccess-only features and require a CloudAccess license.

For more information, see Understanding Product Licensing.