7.3 Configuring Access Manager to Use CloudAccess as an Identity Provider

After configuring the connector, you must configure Access Manager to use CloudAccess or MobileAccess as a trusted external identity provider.

IMPORTANT: The following checklist identifies the tasks to perform in NetIQ Access Manager. For step-by-step instructions with sample values, see Using NetIQ® CloudAccess as a Trusted Identity Provider for NetIQ® Access Manager.

  • Create an attribute set to use for the identity provider attributes.

    Access Manager uses attribute sets to provide a common naming scheme for the exchange of authentication information. Using an attribute set reduces the traffic between the identity provider and the service provider’s identity source, because the attribute values are gathered in one request at authentication time rather than in a separate request each time a policy or protected resource needs them.

    For more information, see Configuring Attribute Sets in the NetIQ Access Manager Identity Server Guide.

  • Create an attribute matching expression to use for the identity provider user identification.

    When Access Manager receives an assertion from CloudAccess, it uses the attributes in the assertion to match the user to an identity in your identity sources. You must know which attribute in the identity source uniquely identifies each user, and the expression must resolve to exactly one account. Use the same attribute that you specified in the attribute set, such as Ldap Attribute:workforceID.

    For more information, see Configuring User Matching Expressions in the NetIQ Access Manager Identity Server Guide.

  • Create an external identity provider for SAML 2.0 that represents CloudAccess.

    CloudAccess acts as an external identity provider to Access Manager. You must establish a trust between them so that the two user accounts (one at CloudAccess, one in the Access Manager user store) can be associated with each other without the sites exchanging user data.

    For more information, see Creating a Trusted Identity Provider for SAML 2.0 in the NetIQ Access Manager Identity Server Guide.

  • Create an external authentication contract for the identity provider that represents CloudAccess.

    An external authentication contract allows you to use CloudAccess as the primary authentication method for a resource. The contract can allow users to authenticate only through CloudAccess, or alternatively through local contracts of an equal or higher authentication level. The contract also defines a string (its authentication type) that the identity provider uses to match an incoming authentication request from Access Manager. You can assign a contract to one or more resources.

    IMPORTANT: If the protected resources are authenticated primarily by a local contract, but might alternatively be authenticated by CloudAccess, modify that local contract so that it can be satisfied by an external provider.

    For more information, see Configuring Authentication Contracts in the NetIQ Access Manager Identity Server Guide.

  • Configure a SAML 2.0 authentication request for the identity provider that represents CloudAccess.

    Access Manager uses an authentication request to define the federation method and the authentication contract to use for an external identity provider. This relationship between the identity provider and service provider enables single sign-on and single log-out. To enable the authentication process for CloudAccess, you must create an authentication request that uses the external authentication contract that you created for it. The authentication type in the contract must match the string that the service provider (Access Manager) sends in the authentication request; if the two differ, CloudAccess cannot match the request to a contract.

    For more information, see Configuring an Authentication Request for an Identity Provider in the NetIQ Access Manager Identity Server Guide.

  • (Conditional) If you use an eDirectory identity source and the protected applications require a password, configure password retrieval.

    The identity provider contract for CloudAccess does not use a user name and password for the credentials. To allow single sign-on to Access Gateway protected resources that require a user’s name and password, you must configure the PasswordFetchClass to retrieve them. You create the class, then create a password retrieval authentication method from the class.

    NOTE: MobileAccess cannot send a user’s password for a proxy application to the back-end web service. With MobileAccess, therefore, the password-retrieval method specifies a static string in place of the user’s password, and that single string is accepted for all users.

    The service provider runs password retrieval after the identity provider completes the remote authentication and federation. It stores the user name and password with the LDAP credentials, which then allows these and other user-specific attributes to be injected into the authentication sent to, and consumed by, the Access Gateway that protects the back-end resources. This enables users to reach back-end protected resources that require a user name and password.

    IMPORTANT: The PasswordFetchClass works only with eDirectory user stores where Universal Password is enabled.

    For more information, see Configuring Password Retrieval in the NetIQ Access Manager Identity Server Guide.

  • Configure a user identification method to use for the identity provider that represents CloudAccess.

    During authentication, Access Manager matches the user asserted by CloudAccess with an account in the Access Manager user store. The matching process allows Access Manager to retrieve information about that user, such as the name, email, roles, and so on. You must specify the user identification method that is used to match the user account at the identity provider (CloudAccess) with a user account at the service provider (Access Manager).

    For more information, see Selecting a User Identification Method for Liberty or SAML 2.0 in the NetIQ Access Manager Identity Server Guide.

  • Configure attributes for the identity provider that represents CloudAccess.

    You must specify the attributes that CloudAccess sends in its assertion and that Access Manager uses to match the user to an account in the Access Manager user store. The authentication request and response carry these attributes.

    For more information, see Configuring the Attributes Obtained at Authentication in the NetIQ Access Manager Identity Server Guide.

  • Assign the external authentication contract to the protected resources.

    You can use CloudAccess as the identity provider for back-end resources protected by Access Gateway. To do this, use the external authentication contract that you created for CloudAccess as the definition of how users authenticate to the protected resources.

    For more information about configuring Access Gateway to protect resources, see Configuring Protected Resources in the NetIQ Access Manager Access Gateway Guide.
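To make the contract string and the user-matching steps in the checklist above concrete, here is an added example of what the service provider side does with a SAML 2.0 exchange. It is illustrative Python written for this page, not NetIQ code: the contract URI, entity IDs, the response XML and the directory entries are constructed, and signature and Conditions validation (which a real SP performs before any of this) is left out. It shows the RequestedAuthnContext carrying the contract's authentication type, the level check against equal-or-higher local contracts, and why an attribute matching expression must resolve to exactly one account.

```python
"""Added example (not NetIQ code): SP-side handling of a SAML 2.0 AuthnRequest/Response
exchange with an external identity provider such as CloudAccess.  All URIs, IDs and
directory entries are constructed for illustration."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical authentication-type string of the external contract created for CloudAccess.
CONTRACT_URI = "urn:example:contracts:cloudaccess"
# Contracts and their levels (hypothetical).  The external contract may also be satisfied
# by a local contract of equal or higher level, as the checklist describes.
CONTRACT_LEVELS = {CONTRACT_URI: 10, "urn:example:contracts:secure-name-password": 20}

# Constructed user store.  workforceID is the attribute chosen for the matching expression;
# the third entry deliberately duplicates a workforceID to show the ambiguous-match failure.
USER_STORE = [
    {"dn": "cn=alice,ou=users,o=example", "workforceID": "100234", "mail": "alice@example.com"},
    {"dn": "cn=bob,ou=users,o=example", "workforceID": "100235", "mail": "bob@example.com"},
    {"dn": "cn=bob2,ou=users,o=example", "workforceID": "100235", "mail": "bob.old@example.com"},
]


def build_authn_request(request_id, sp_entity_id, contract_uri):
    """AuthnRequest the SP sends; RequestedAuthnContext carries the contract's string."""
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", ID=request_id, Version="2.0",
                     IssueInstant="2024-01-01T00:00:00Z")
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    rac = ET.SubElement(req, f"{{{NS['samlp']}}}RequestedAuthnContext", Comparison="minimum")
    ET.SubElement(rac, f"{{{NS['saml']}}}AuthnContextClassRef").text = contract_uri
    return ET.tostring(req, encoding="unicode")


def make_response(in_response_to, authn_context, workforce_id):
    """Constructed IdP Response (unsigned, for illustration only)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" InResponseTo="{in_response_to}">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:01Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>{authn_context}</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="workforceID"><saml:AttributeValue>{workforce_id}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>someone@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_response(xml_text):
    """Return (InResponseTo, status, AuthnContextClassRef, {attribute: [values]})."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return root.get("InResponseTo"), status, None, {}
    ctx = assertion.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return root.get("InResponseTo"), status, (ctx.text if ctx is not None else None), attrs


def identify_user(response_xml, expected_request_id, match_attr="workforceID"):
    """SP-side user identification.  Returns (user_or_None, reason)."""
    in_response_to, status, ctx, attrs = parse_response(response_xml)
    if in_response_to != expected_request_id:
        return None, "InResponseTo does not match an outstanding request"
    if status != SUCCESS:
        return None, f"IdP reported status {status}"
    # Contract check: the returned context must be the external contract or a higher-level one.
    if CONTRACT_LEVELS.get(ctx, -1) < CONTRACT_LEVELS[CONTRACT_URI]:
        return None, f"authentication context {ctx!r} does not satisfy the contract"
    values = attrs.get(match_attr, [])
    if len(values) != 1:
        return None, f"assertion must carry exactly one {match_attr}"
    # Matching expression: the attribute must select exactly one local account.
    matches = [u for u in USER_STORE if u[match_attr] == values[0]]
    if len(matches) != 1:
        return None, f"{len(matches)} accounts match {match_attr}={values[0]}; need exactly one"
    return matches[0], "ok"


if __name__ == "__main__":
    req = build_authn_request("_req1", "https://nam.example.com/nidp", CONTRACT_URI)
    print(identify_user(make_response("_req1", CONTRACT_URI, "100234"), "_req1"))
    print(identify_user(make_response("_req1", CONTRACT_URI, "100235"), "_req1"))
```

The rejection of the duplicate workforceID is the point a practitioner should carry back to the attribute set and matching expression: an expression that can match more than one account lets one federated login land on the wrong local identity, so pick an attribute the directory enforces as unique.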