A CloudAccess appliance, installed and configured. MobileAccess configuration is optional, depending on your user authentication needs.
A NetIQ Access Manager 4.0.x system, installed and configured.
Ensure that SSL communications are enabled for Identity Server and Access Gateway, and that both components are configured to trust the same signing certificate authority. For more information, see Enabling SSL Communications in the NetIQ Access Manager Setup Guide. You will use this signing certificate for the Access Manager connector in CloudAccess.
Access Manager user accounts for each user who wants the single sign-on service.
The metadata file from your Access Manager system for SAML 2.0 services:
https://<access_manager_identity_server_dns_name>/nidp/saml2/metadata
The SSL signing certificate from Access Manager.
IMPORTANT: The configuration assumes that you have configured SSL communications for Access Manager. The SSL signing certificate does not need to come from an external certificate authority, but you must use the same certificate for the Access Manager connector in CloudAccess when you set up the federation, and each provider must trust the certificate authority that issued it.
For information about configuring SSL communications for Access Manager, see Security and Certificate Management in the NetIQ Access Manager Administration Console Guide.
SSL is used for the secure exchange of authentication information between CloudAccess and Access Manager. When you configure the Access Manager connector in CloudAccess, you must import the trusted root certificate from the Access Manager NIDP Trust Store. Failure to import the certificate causes numerous system errors.
You can download the certificate from the Trusted Roots configuration for Access Manager. Store the file in a location that you can browse to from the CloudAccess appliance.
In the Access Manager Administration Console, click Devices > Identity Servers > ClusterName > Security > Trusted Roots.
Click the signing certificate name.
On the Certificate Details page, select Export Public Certificate, then click PEM as the file type.
A PEM-encoded file is a Base64-encoded DER certificate that is enclosed between BEGIN CERTIFICATE and END CERTIFICATE tags.
Store the PEM file in a location that you can browse to from the CloudAccess appliance when you configure the connector for Access Manager.
You can alternatively copy the certificate information from the ds:X509Certificate field in the Access Manager metadata file. Ensure that you add -----BEGIN CERTIFICATE----- before the encoded information, and add -----END CERTIFICATE----- after the encoded information.
You must use a text editor that does not introduce hard returns or additional white space. For example, use Notepad instead of Wordpad.
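The following Python script is an added worked example, not part of the NetIQ documentation or the CloudAccess product. It does by program what the alternative procedure above does by hand, and goes slightly further than the text: it reads the SAML 2.0 metadata, takes the ds:X509Certificate text from the KeyDescriptor marked for signing (skipping an encryption key if the metadata carries one), discards any whitespace or hard returns, checks that the Base64 decodes to an intact DER structure rather than a truncated paste, and prints a PEM file wrapped at 64 columns. It also derives a SHA-256 fingerprint so the result can be compared with the file exported from Trusted Roots. The metadata document, the certificate bytes and the exported PEM are constructed stand-ins (the certificate is a placeholder DER SEQUENCE, not a real X.509 certificate); the entityID, host name and file names are assumptions.

```python
"""Extract the Access Manager signing certificate from the Identity Server
SAML 2.0 metadata and emit it as the PEM file the CloudAccess connector wants."""
import base64
import hashlib
import re
import sys
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed stand-in for the certificate: a tiny DER SEQUENCE (INTEGER 1,
# OCTET STRING "abcd"). NOT a real X.509 certificate; real metadata has one here.
PLACEHOLDER_DER = bytes.fromhex("3009020101040461626364")

# Constructed sample in the shape /nidp/saml2/metadata returns: the signing
# certificate is split over indented lines, and an encryption key is present.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/nidp/saml2/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MAkCAQEE
        BGFiY2Q=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MAMCAQI=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed stand-in for the Trusted Roots export: same certificate, CRLF endings.
TRUST_STORE_PEM = PEM_HEADER + "\r\nMAkCAQEEBGFiY2Q=\r\n" + PEM_FOOTER + "\r\n"


def der_sequence_length(der: bytes) -> int:
    """Total length claimed by the outer DER SEQUENCE header. Every X.509
    certificate is a SEQUENCE, so a mismatch with len(der) means truncation."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("data does not start with a DER SEQUENCE")
    if der[1] < 0x80:                     # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                     # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def decode_certificate_b64(text: str) -> bytes:
    """Drop all whitespace (hard returns, indentation), decode strictly
    (binascii.Error is a ValueError), and verify the DER framing is intact."""
    der = base64.b64decode(re.sub(r"\s+", "", text), validate=True)
    if der_sequence_length(der) != len(der):
        raise ValueError("certificate bytes are truncated or corrupted")
    return der


def extract_signing_certs(metadata_xml: str) -> list:
    """DER bytes of every signing certificate. A KeyDescriptor without a 'use'
    attribute serves both purposes and is kept; 'encryption' keys are skipped."""
    certs = []
    for kd in ET.fromstring(metadata_xml).findall(".//md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append(decode_certificate_b64(cert.text or ""))
    return certs


def der_to_pem(der: bytes) -> str:
    """Header, Base64 body wrapped at 64 columns, footer, LF endings (RFC 7468)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *body, PEM_FOOTER]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem; tolerant of CRLF and unwrapped lines."""
    m = re.search(re.escape(PEM_HEADER) + r"(.*?)" + re.escape(PEM_FOOTER), pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return decode_certificate_b64(m.group(1))


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form certificate viewers display."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def same_certificate(pem_a: str, pem_b: str) -> bool:
    """True when two PEM files carry byte-identical certificates."""
    return sha256_fingerprint(pem_to_der(pem_a)) == sha256_fingerprint(pem_to_der(pem_b))


if __name__ == "__main__":
    # python nam_signing_cert.py [metadata.xml] > nam-signing.pem
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    for der in extract_signing_certs(text):
        sys.stdout.write(der_to_pem(der))
        sys.stderr.write("SHA-256 " + sha256_fingerprint(der) + "\n")
```

Redirecting the script's output straight into a file sidesteps the editor problem entirely, and comparing the fingerprint it prints with the one shown for the Trusted Roots export (or passing both files to same_certificate) confirms you are about to hand the connector the certificate the Identity Server actually signs with.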
If you use an eDirectory identity source for Access Manager and you need to provide access to Access Gateway protected resources that require a user name and password, you must enable Universal Password in eDirectory for the Access Manager LDAP connection.
NOTE: The Universal Password Retrieval options must be set in the Universal Password policy in eDirectory so that the password can be retrieved from the Access Manager user store.
For more information, see Unable to retrieve Universal Password from eDirectory using PasswordFetchClass (TID 7007114).