7.2 Configuring the Connector for Access Manager

To provide identity services to Access Manager, CloudAccess and MobileAccess must trust Access Manager as a service provider. Establish this trust by enabling and configuring the NetIQ Access Manager connector.

Before you begin, ensure that your system meets the requirements in Section 7.1, Requirements for the Connector for Access Manager.

To configure the connector for Access Manager:

  1. Download the metadata file for SAML 2.0 services from your Access Manager system:

    https://<access_manager_identity_server_DNS_name>/nidp/saml2/metadata
    

    You need information from this file to configure the Access Manager connector.

  2. Log in as an administrator to the CloudAccess administration console:

    https://appliance_dns_name/appliance/index.html
    
  3. Drag and drop the SAML 2.0 connector for NetIQ Access Manager from the Applications palette to the Applications panel.

    The Configuration window opens automatically for the initial configuration. To view or reconfigure the settings later, click the connector icon, then click Configure.

  4. On the Configuration window, use information from the Access Manager metadata file to specify the following connector settings:

    NOTE: The information from the Access Manager metadata file is case sensitive.

    For each connector parameter, the entry below gives a sample value and the metadata parameter or description that tells you where the value comes from.

    Display name
      Value: my_nam_sp
      Description: Specify a unique name for your Access Manager service provider.

    Assertion consumer service URL
      Value: https://idp.example.com/nidp/saml2/spassertion_consumer
      Metadata parameter: Specify the location in the AssertionConsumerService section for HTTP-POST bindings.

    Destination URL
      Value: https://web_redirect_url
      Description: (Optional) After a successful authentication by the IdP, the web browser is redirected to the secure destination URL.

    EntityID
      Value: https://idp.example.com/nidp/saml2/metadata
      Metadata parameter: entityID. Ensure that you specify the ID with lowercase characters.

    Logout response URL
      Value: https://idp.example.com/nidp/saml2/spslo_return
      Metadata parameter: Specify the response location in the SingleLogoutService section for HTTP-POST bindings.

    Logout URL
      Value: https://idp.example.com/nidp/saml2/spslo
      Metadata parameter: Specify the location in the SingleLogoutService section for HTTP-POST bindings.

    Signing certificate
      Description: Browse to and select the file that contains the Access Manager SSL certificate.
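    The values in Step 4 are read by hand from the metadata file downloaded in Step 1. The script below is an added example (not NetIQ code and not part of this guide) that pulls the same values out of a SAML 2.0 metadata document automatically: it selects the AssertionConsumerService and SingleLogoutService entries whose Binding is HTTP-POST, reads the entityID, and flags an entityID that is not lowercase. It goes slightly beyond the table by also extracting the signing certificate from the standard KeyDescriptor element and checking that the resulting PEM block still has all five leading and trailing hyphens in its Begin and End tags, the point of the note in Step 11. The metadata sample, host names and certificate bytes are constructed placeholders, not values from a real Access Manager system.

```python
"""Extract CloudAccess connector values from Access Manager SAML 2.0 metadata.

Added example for this guide; it is not NetIQ code. The metadata sample,
host names and certificate bytes below are constructed placeholders.
"""
import base64
import re
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of the document served at
# https://<access_manager_identity_server_DNS_name>/nidp/saml2/metadata.
# The HTTP-Redirect logout entry deliberately has no ResponseLocation so that
# picking the wrong binding would be visible.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/nidp/saml2/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        AAECAwQFBgcICQoLDA0ODw==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/nidp/saml2/spslo"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/nidp/saml2/spslo"
        ResponseLocation="https://idp.example.com/nidp/saml2/spslo_return"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://idp.example.com/nidp/saml2/spassertion_consumer" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/nidp/saml2/spassertion_consumer" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

PEM_RE = re.compile(
    r"^-----BEGIN CERTIFICATE-----\n([A-Za-z0-9+/=\n]+)-----END CERTIFICATE-----\n?$"
)


def _endpoint(root, element, binding):
    """Return the first SP endpoint of the given element type with this Binding."""
    for ep in root.iterfind(f"./md:SPSSODescriptor/md:{element}", NS):
        if ep.get("Binding") == binding:
            return ep
    return None


def signing_cert_pem(root):
    """Wrap the use="signing" X509Certificate from the metadata as a PEM block."""
    node = root.find(
        './md:SPSSODescriptor/md:KeyDescriptor[@use="signing"]'
        "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if node is None or not node.text:
        raise ValueError("metadata has no signing certificate")
    b64 = "".join(node.text.split())          # drop the XML whitespace
    base64.b64decode(b64, validate=True)      # reject a corrupted body early
    body = "\n".join(textwrap.wrap(b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def extract_connector_values(metadata_xml):
    """Map metadata fields to the connector parameters of the Configuration window."""
    root = ET.fromstring(metadata_xml)
    acs = _endpoint(root, "AssertionConsumerService", HTTP_POST)
    slo = _endpoint(root, "SingleLogoutService", HTTP_POST)
    if acs is None or slo is None:
        raise ValueError("metadata lacks an HTTP-POST assertion consumer or logout service")
    return {
        "EntityID": root.get("entityID"),
        "Assertion consumer service URL": acs.get("Location"),
        "Logout URL": slo.get("Location"),
        "Logout response URL": slo.get("ResponseLocation"),
        "Signing certificate (PEM)": signing_cert_pem(root),
    }


def case_warnings(values):
    """The window is case sensitive and the guide requires a lowercase EntityID."""
    warnings = []
    if values["EntityID"] != values["EntityID"].lower():
        warnings.append("EntityID contains uppercase characters; enter it in lowercase")
    return warnings


def pem_is_intact(pem):
    """True when both hyphen-delimited tags are complete and the body is valid base64."""
    match = PEM_RE.match(pem)
    if not match:
        return False
    try:
        base64.b64decode("".join(match.group(1).split()), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    return True


if __name__ == "__main__":
    values = extract_connector_values(SAMPLE_METADATA)
    for name, value in values.items():
        print(f"{name}: {value}")
    print("warnings:", case_warnings(values))
    print("PEM intact:", pem_is_intact(values["Signing certificate (PEM)"]))
```

    Run it against the real metadata file by passing its contents instead of SAMPLE_METADATA; the dictionary keys match the parameter names in the Configuration window, so the output can be transcribed field by field. pem_is_intact is also useful on the certificate text pasted from the Federation Instructions in Step 6, since an editor that strips a hyphen or inserts a hard return in the tags produces a block that fails the check.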

  5. In the Assertion Attribute Mappings section, select an attribute from the NameID list to use for mapping users in the federation.

    Specify the identity source attribute that contains a user’s name identifier in the Access Manager user store. CloudAccess and Access Manager can use different user stores, as long as you can find an attribute that is consistent between them.

    For example, select X-Custom1, where you have created a custom mapping of the employee ID attribute to the X-Custom1 attribute in the CloudAccess identity source.

  6. Expand Federation Instructions, then copy and paste the instructions into a text file to use during the Access Manager configuration.

    Use a text editor that does not introduce hard returns or additional white space. For example, use Notepad instead of Wordpad.

  7. Click the Appmarks tab, then review and edit the default settings for the appmark.

  8. Click OK to save the configuration.

  9. On the Admin page, click Apply to commit the changes to the appliance.

  10. Wait until the configuration changes have been applied on each node of the CloudAccess cluster.

  11. As the Access Manager administrator, configure the SAML 2.0 federation for CloudAccess.

    For more information, see Section 7.3, Configuring Access Manager to Use CloudAccess as an Identity Provider.

    Use the information from the Federation Instructions in Step 6 to complete the setup.

    NOTE: When you copy the appliance’s signing certificate, ensure that you include all leading and trailing hyphens in the certificate’s Begin and End tags.

  12. In the CloudAccess administration console, click Policy in the toolbar, then perform policy mapping to specify entitlements for identity source roles (groups).

    For more information, see Mapping Authorizations in the NetIQ® CloudAccess and MobileAccess Installation and Configuration Guide.