3.7 Configuring Additional Identity Sources

During the initialization process, you configure an identity source. You can add more identity sources after the initialization process completes. However, the user IDs across the identity sources must be unique.

The Self-Service User Store (SSUS) and SAML 2.0 Inbound (SAML2 In) are identity sources that you can only add after you initialize the appliance. Use the following information to configure additional identity sources.

3.7.1 Configuring Self-Service Registration and Password Management

The Self-Service Registration and Password Management tool (SSRPM) allows you to empower users to register for services and to manage their credentials. It provides selected services from the NetIQ Self-Service Password Reset tool. The Self-Service User Store (SSUS) stores identity and credentials for self-registered user accounts. It is an additional identity source you can use with the appliance.

Enabling a Self-Service User Store (SSUS)

A Self-Service User Store provides self-service registration and password management services. You can enable and activate one Self-Service User Store. After you enable the service, the users can immediately begin to self-register on the SSUS Registration page. Self-registered users can then log in and access public applications from the landing page. Policies are required to allow the self-registered users to access private applications.

By default, SSUS requires new users to have a valid email account to create an SSUS account. Users must be able to receive and respond to a verification email.

You can also configure which service options to support for your SSUS users. The services include a helpdesk, new user, change password, and forgotten password.

To enable the SSUS service:

  1. Log in with an appliance administrator account to the Admin page at https://appliance_dns_name/appliance/index.html.

  2. In the administration console, drag the Self-Service User Store icon from the Identity Sources palette and drop it in the Identity Sources panel.

  3. In the Identity Sources panel, click the new identity source, then click Configure.

  4. On the Configuration tab, decide what options you want presented to your users and helpdesk administrators.

  5. Click OK to enable the Service.

  6. In the System Configuration panel of the administration console, click Apply to activate and start SSUS as a service.

  7. Wait for the SSUS service to be activated and started across all nodes in the cluster.

    In the Appliances panel, the icon on each node of the cluster spins until the service is ready on the node. Do not apply additional changes until this action is complete on all nodes.

    A round green status icon in the lower left corner of the SSUS service icon indicates that the SSUS is configured and its status is healthy.

To allow the self-registered users to access a private application that is enabled for SSUS, continue with Using SSUS as an Authentication Source for an Application.

Using SSUS as an Authentication Source for an Application

The applications are not available for SSUS users until you configure policies that authorize SSUS to be an authentication source for them. All SSUS users receive rights to an application when you assign a policy to the SSUS identity source.

Requirements for SSUS Authorizations

Provisioning is not supported for users in an SSUS identity source. For more information, see Requirements for Provisioning in the NetIQ® CloudAccess Connectors Guide.

Creating an SSUS Policy for a Private Application

An application can have one or more authorizations for its resources. Each authorization can have one or more appmarks associated with it. You grant access to a private application by mapping one or more of its authorizations to the SSUS role. Users can access all of the appmarks associated with an authorization. You cannot control access at the appmark level.

NOTE: You should map authorizations for SSUS roles (groups) only to single sign-on applications. Do not map them to the SaaS applications with account provisioning (Google Apps, Office 365, or Salesforce).

To create a policy that grants access to an application for SSUS users:

  1. Log in with an appliance administrator account to the Admin page at https://appliance_dns_name/appliance/index.html.

  2. Click Policy in the toolbar.

  3. On the Policy Mapping page, select Other Identity Sources from the drop-down list on the left, then select the All SSUS Users role.

  4. On the right, select the software-as-a-service application that you want to use for this policy, and then view its authorizations.

    Some applications have multiple authorization options.

  5. Drag the All SSUS Users role from the left side and drop it on the desired authorization on the right.

    You can also select multiple authorizations under a single application, then drag them from the right and drop them on the All SSUS Users role on the left.

  6. In the pop-up Mapping window, review the mapped settings, then click OK to accept the new policy, or click Cancel to back out of the setup.

    You can remove an authorization in the list by selecting it, then clicking the Delete icon. A strike-through line is drawn through the entry.

  7. Under Other Identity Sources, view the Authorization column for the All SSUS Users role to confirm that the Authorization Stamp icon appears.

  8. Under the application on the right, view the Policy column to confirm that the Policy icon appears for the mapped authorization.

  9. The appmarks for each of the mapped authorizations are available to users at their next login.

  10. Repeat Step 4 through Step 9 for each application for which you want to use SSUS as an identity source.

Deleting an SSUS Policy for an Application

You can deny access to an application by deleting its SSUS policy. Deleting the policy does not interrupt current sessions. The application is not available to users at their next login.

  1. Log in with an appliance administrator account to the Admin page at https://appliance_dns_name/appliance/index.html.

  2. Click Policy in the toolbar.

  3. On the Policy Mapping page, select the Self-Service User Store role from the drop-down list on the left, then select the All SSUS Users role.

  4. In the All Users row, click the Authorization Stamp icon.

  5. In the Edit All Users Mappings window, select the authorization you want to remove, then click the Delete icon. Repeat this action for every authorization that you want to remove.

    A strike-through line is drawn through the entry.

  6. Click OK to accept the modified settings, or click Cancel to back out of the setup.

    The application is not available to users at their next login.

Using the Self-Service User Registration and Password Management Services

Users can now self-register for accounts and manage their own credentials. Self-registered users can log in to the landing page for the appliance to access applications.

If you enabled the options during the SSUS configuration, users now see links on the appliance login page to create a new account or to reset a forgotten password.

The user experience is:

  1. The new user accesses the appliance login page.

    https://appliance_dns_name
    
  2. The user clicks the link to create a new account.

  3. The user follows the on-screen prompts to create a new account, providing their name, email address, and a password.

  4. After the account is created, the user is prompted to create security questions and answers.

    If the user forgets the account password, the questions and responses are used to verify the user’s identity and allow the user to reset the password.

  5. (Conditional) If the user does not create the security questions and answers now, the user is prompted to create them when they log in for the first time. If the user does not set up the security questions and answers, the appliance will not authenticate the user. The user must set up the security questions and answers to authenticate to the appliance.

  6. After the user completes the new account setup, the appliance sends a verification email to the user’s email address. The user responds to verify the account creation.

  7. The user accesses the login page again.

  8. The user logs in with their new user name and password.

  9. The user sees and can access the applications that the policies entitle them to see.

After you enable the Self-Service User Store, the Self-Service User Store login page is available for users. On this page, the user can perform the following tasks:

  • Create a New User: A user can register for the service as a new user. The user provides their name and a valid email address, creates a password, and sets up security questions and responses. After the user responds to a validation message sent to the user's email address, the user can log in and begin using the account.

  • Change Password: A self-registered user can reset the password for their account at any time. On the user’s landing page, the user clicks the Change Password icon and follows the on-screen prompts to change their password.

  • Forgotten Password: If a user forgets their password, they can reset it after answering the security questions. The user accesses the login page, enters their user name, clicks the Forgotten Password link, and follows the on-screen prompts to change their password. The user must correctly answer the security questions that were set up for the account.

Providing Helpdesk Services for Self-Registered Users

The Self-Service User Store provides a helpdesk service. If a password expires or a self-registered user is locked out of an account, the password can be reset by an authorized helpdesk user for the SSUS service. The helpdesk user sets a temporary randomized password for the account, and the user is notified of the temporary password by email. This allows the user to log in to the account and reset the temporary password to use a custom password.

Adding a User to the Helpdesk Role

You must assign a user to the SSUS Helpdesk role to provide helpdesk services for the related self-registered users.

NOTE: You should assign a user from an identity source other than the SSUS source as the helpdesk user.

Use the following steps to enable the SSUS Helpdesk service.

  1. The new user accesses the appliance login page at:

    https://appliance_dns_name
    
  2. Click Roles in the toolbar.

  3. On the Roles page, type the name of a user you want to assign to the Helpdesk role, click Search, then select the name.

  4. Drag the user name from the left side and drop it on the Helpdesk role on the right.

  5. In the pop-up Add User to Role window, review the mapped settings, then click OK to accept the new role assignment, or click Cancel to back out of the setup.

  6. After the page refreshes, view the Role column for the user to confirm that the Role icon appears.

  7. Under the Helpdesk role on the right, verify that the authorized user’s name appears.

The helpdesk user accesses the helpdesk tools through the landing page. The helpdesk user logs in, and then clicks the Helpdesk icon on the landing page.

Accessing the SSUS Helpdesk

The landing page of an authorized helpdesk user displays a Helpdesk icon.

To access the Helpdesk from the landing page if you are an authorized helpdesk user:

  1. Log in to CloudAccess using your corporate credentials.

  2. On the landing page, click the Helpdesk icon to go to the Helpdesk page.

Resetting the Password for a Locked Self-Registered User Account

An authorized helpdesk user can use the SSUS Helpdesk service to reset the password for a self-registered user account. Typically, the user needs helpdesk assistance because the account is locked. If the account is not locked, the user can alternatively reset the password by using the Forgotten Password option on the Self-Service Registration login page.

To reset the password for an SSUS account as the authorized helpdesk user:

  1. Log in to the SSUS Helpdesk as an authorized helpdesk user.

  2. On the Helpdesk page, search for an SSUS user account, then click the self-registered user’s name.

  3. On the Password Policy page, view the password policy settings for the user account, then click Change Password.

  4. On the Account Information page, confirm the user’s information, then click Change Password.

  5. In the Random Passwords window, select a password from the list of randomly generated passwords that satisfies the password policy for this account.

    You can click More to choose from additional random passwords.

  6. View the confirmation message with the new password, then click OK.

  7. After the self-registered user receives the temporary password, the user is prompted to reset the password at their next login.
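The helpdesk reset above selects a policy-compliant temporary password from a randomly generated list and forces a change at the user's next login. The following is an added example, not the appliance's helpdesk code, showing the same logic in Python: candidates come from the CSPRNG (`secrets`), are kept only if they satisfy the policy, and applying one unlocks the account and sets a must-change flag. The `PasswordPolicy`, `Account` and notification structures are assumptions constructed for the example.

```python
"""Helpdesk temporary-password reset for a self-registered account.

Added example (not the appliance's helpdesk code). The password policy, the
account record and the notification step are constructed assumptions.
"""
import secrets
import string
from dataclasses import dataclass

# Character set used for random candidates; all symbols are in string.punctuation.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


@dataclass(frozen=True)
class PasswordPolicy:  # assumed policy shape; the real policy is shown on the Password Policy page
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True


def satisfies_policy(password, policy):
    """True when the password meets every rule in the policy."""
    if len(password) < policy.min_length:
        return False
    rules = [
        (policy.require_upper, any(c.isupper() for c in password)),
        (policy.require_lower, any(c.islower() for c in password)),
        (policy.require_digit, any(c.isdigit() for c in password)),
        (policy.require_symbol, any(c in string.punctuation for c in password)),
    ]
    return all(present for required, present in rules if required)


def random_passwords(policy, count=5, length=None):
    """Generate `count` candidates with the CSPRNG and keep only policy-compliant ones.

    Rejection sampling is used so that no character position is forced to a fixed
    class, which would reduce the entropy of the result.
    """
    length = length or policy.min_length + 4
    candidates = []
    while len(candidates) < count:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if satisfies_policy(pw, policy):
            candidates.append(pw)
    return candidates


@dataclass
class Account:  # constructed account record
    user: str
    email: str
    locked: bool = False
    must_change_password: bool = False


def helpdesk_reset(account, chosen_password, policy):
    """Apply a helpdesk-chosen temporary password.

    Re-checks the policy, unlocks the account, forces a change at next login and
    returns the constructed notification that would be emailed to the user.
    """
    if not satisfies_policy(chosen_password, policy):
        raise ValueError("temporary password does not satisfy the account's policy")
    account.locked = False
    account.must_change_password = True
    return {"to": account.email,
            "subject": "Temporary password for " + account.user,
            "body": "Your temporary password is: " + chosen_password}


if __name__ == "__main__":
    policy = PasswordPolicy()
    candidates = random_passwords(policy)
    acct = Account("frank", "frank@example.test", locked=True)
    print(helpdesk_reset(acct, candidates[0], policy), acct)
```

The temporary password is single-use by design: the must-change flag is what turns a helpdesk-known secret back into one only the user knows.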

Deleting a Self-Registered User Account

An authorized helpdesk user can use the SSUS Helpdesk service to delete the SSUS account for a self-registered user.

To delete an SSUS account as the authorized helpdesk user:

  1. Log in to the SSUS Helpdesk as an authorized helpdesk user.

  2. On the Helpdesk page, search for an SSUS user account, then click the self-registered user’s name.

  3. On the Account Information page, confirm the user’s information, then click Delete Account.

  4. Click OK to confirm the account deletion.

3.7.2 Configuring Additional Identity Sources

CloudAccess supports multiple types of identity sources. You can have one or more of each type of identity source configured on your appliance, and you can configure as many identity sources as you need.

The only restrictions are as follows:

  • The source for each identity source must be unique. For example, do not configure multiple instances of an identity source for the same Active Directory domain.

  • Every user account across the different identity sources must be unique.

For information about the requirements and details needed to configure an Active Directory, eDirectory, or JDBC database identity source, see Section 2.3, Identity Source Requirements.
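The uniqueness rule for user IDs across identity sources (stated in the section introduction and again in the restrictions above) is easy to violate once a second directory or the SSUS is added, and the consequence is ambiguous authentication. The following added example, which is not part of the CloudAccess documentation or product, is a pre-check an administrator could run over user lists exported from each source before adding a new one. The source names and user lists are constructed sample data, and the function names are assumptions, not an appliance API.

```python
"""Detect user-ID collisions across identity sources before adding one to the appliance.

Added example (not NetIQ CloudAccess code). Source names and user lists are constructed.
"""
from collections import defaultdict

# Constructed sample: one exported user list per identity source.
IDENTITY_SOURCES = {
    "corp-ad": ["alice", "bob", "carol"],
    "partner-edir": ["dave", "Bob", "erin"],
    "ssus": ["alice", "frank"],
}


def find_user_id_collisions(sources, case_insensitive=True):
    """Return {user_id: [source names]} for IDs that appear in more than one source.

    Most directories compare user names case-insensitively, so 'bob' and 'Bob'
    are treated as the same ID by default; pass case_insensitive=False to
    compare exact strings.
    """
    seen = defaultdict(list)
    for source, user_ids in sources.items():
        for uid in user_ids:
            key = uid.casefold() if case_insensitive else uid
            if source not in seen[key]:
                seen[key].append(source)
    return {uid: srcs for uid, srcs in seen.items() if len(srcs) > 1}


def can_add_source(existing, new_name, new_user_ids, case_insensitive=True):
    """Check whether a new identity source can be added without breaking the
    uniqueness rule. Returns (ok, collisions involving the new source)."""
    combined = dict(existing)
    combined[new_name] = new_user_ids
    collisions = find_user_id_collisions(combined, case_insensitive)
    offending = {uid: srcs for uid, srcs in collisions.items() if new_name in srcs}
    return (not offending, offending)


if __name__ == "__main__":
    print(find_user_id_collisions(IDENTITY_SOURCES))
    print(can_add_source({"corp-ad": IDENTITY_SOURCES["corp-ad"]}, "ssus", ["alice", "frank"]))
```

Run against the sample data it reports `alice` (corp-ad and ssus) and `bob` (corp-ad and partner-edir, differing only in case), which is exactly the situation the rule forbids.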

NOTE: Although CloudAccess allows you to modify an existing eDirectory or Active Directory connector to point to a different tree, NetIQ does not recommend this approach because it can result in inconsistent display of user and group data. If you want to point a connector to a different tree, delete the existing connector and create a new connector that points to the correct tree.

To change the initial identity source configuration information:

  1. Log in with an appliance administrator account to the Admin page at

    https://appliance_dns_name/appliance/index.html

  2. In the Identity Sources panel, click the icon of the identity source that you want to modify, then click Configure.

  3. Modify the settings as needed, then click OK to save the configuration information.

  4. Click Apply to commit the changes to the appliance.

To add another identity source:

  1. Log in with an appliance administrator account to the Admin page at

    https://appliance_dns_name/appliance/index.html

  2. Drag and drop an identity source icon from the Identity Sources palette to the Identity Sources panel.

  3. Click the identity source icon, then click Configure.

  4. Complete the fields to configure the new identity source.

  5. Click OK to save the configuration information.

  6. Click Apply to commit the changes to the appliance.

3.7.3 Configuring SAML 2.0 Inbound Identity Sources

To allow the appliance to act as a SAML 2.0 service provider, you create a SAML 2.0 Inbound connector using the Access Connector Toolkit. After you export the connector and import it in the appliance, the SAML2 In connector appears as an identity source. You configure an instance of the identity source with information about the identity provider. This enables the service provider functionality of the appliance and allows the identity provider to send a SAML token to the appliance using the SAML 2.0 POST profile.

After you configure the SAML2 In identity source, the appliance login page provides a link to the login page of the SAML 2.0 identity provider, located to the left of the user name and password login options. The SAML 2.0 users log in through the identity provider to gain access to the appliance landing page.

For more information, see Creating a SAML 2.0 Inbound (SAML2 In) Connector Template in the NetIQ® CloudAccess Connectors Guide.
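With the SAML 2.0 POST profile, the identity provider returns the SAML Response to the user's browser, which posts it base64-encoded to the service provider's assertion consumer service. The following added example, which is not the appliance's code or the connector template, shows that exchange and the checks a service provider makes on the received assertion before treating its subject as an authenticated user: Destination, Issuer, audience restriction, validity window and bearer confirmation. Entity IDs, the ACS URL, the user and the Response XML are constructed sample values. The example checks that a signature element is present but does not verify it, because it carries no identity provider certificate; a real service provider must verify the XML signature against the configured identity provider's key before trusting any field.

```python
"""SP-side handling of a SAML 2.0 Response delivered by the HTTP-POST binding.

Added example; not the appliance's code. Entity IDs, the ACS URL, the user and
the Response XML are constructed sample values.
"""
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted XML in production

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# What the service provider (the appliance) knows: its own IDs and the configured IdP.
SP_CONFIG = {"sp_entity_id": "https://appliance.example.test/sp",         # assumed
             "acs_url": "https://appliance.example.test/saml2/acs",       # assumed
             "idp_entity_id": "https://idp.example.test/saml2/metadata",  # assumed
             "clock_skew": timedelta(minutes=2)}


def build_sample_response(not_before, not_on_or_after, issuer=SP_CONFIG["idp_entity_id"],
                          audience=SP_CONFIG["sp_entity_id"], signed=True):
    """Constructed Response as an IdP would issue it; the Signature is a placeholder."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    nb, noa = not_before.isoformat(), not_on_or_after.isoformat()
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="{nb}" Destination="{SP_CONFIG['acs_url']}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{nb}">
    <saml:Issuer>{issuer}</saml:Issuer>{sig}
    <saml:Subject>
      <saml:NameID>alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_CONFIG['acs_url']}" NotOnOrAfter="{noa}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def encode_for_post_binding(xml_text):
    """IdP/browser side of the POST profile: the Response travels base64-encoded
    in the SAMLResponse form field of an auto-submitted HTML form."""
    return {"SAMLResponse": base64.b64encode(xml_text.encode()).decode()}


def _when(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_post_response(form, config, now):
    """SP side: decode the form field and check the assertion.
    Returns the asserted NameID, or raises ValueError naming the first failed check."""
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != config["acs_url"]:
        raise ValueError("Destination is not this SP's ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != config["idp_entity_id"]:
        raise ValueError("Issuer is not the configured identity provider")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.find("ds:Signature", NS) is None:
        raise ValueError("assertion missing or unsigned")
    # A real SP verifies that signature against the IdP's certificate here, before
    # trusting any field below. Omitted in this example: it carries no IdP key.
    skew = config["clock_skew"]
    cond = assertion.find("saml:Conditions", NS)
    if now + skew < _when(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now - skew >= _when(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if config["sp_entity_id"] not in audiences:
        raise ValueError("assertion is addressed to a different SP")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != config["acs_url"] \
            or now - skew >= _when(scd.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation invalid for this SP")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def demo(now=datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)):
    """Run the SP checks over constructed Responses; returns {scenario: outcome}."""
    fresh = (now - timedelta(minutes=1), now + timedelta(minutes=5))
    scenarios = {
        "valid": build_sample_response(*fresh),
        "expired": build_sample_response(now - timedelta(hours=2), now - timedelta(hours=1)),
        "other_audience": build_sample_response(*fresh, audience="https://other-sp.example.test"),
        "unknown_issuer": build_sample_response(*fresh, issuer="https://unknown-idp.example.test"),
        "unsigned": build_sample_response(*fresh, signed=False),
    }
    results = {}
    for name, xml_text in scenarios.items():
        try:
            results[name] = "accepted " + validate_post_response(
                encode_for_post_binding(xml_text), SP_CONFIG, now)
        except ValueError as err:
            results[name] = "rejected: " + str(err)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:15s} {outcome}")
```

Each rejected scenario corresponds to a field the appliance's identity-source configuration pins down: the Issuer must be the configured identity provider, the audience and Destination must be this appliance, and an assertion outside its validity window or without a signature is not accepted.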