6.10 Integrating Single Sign-on Access with Identity Manager

If you have installed Identity Manager, your users can log in a single time to access the Identity Manager applications, Identity Reporting, and Identity Governance. NetIQ uses the OSP service for OAuth authentication, which provides users single sign-on access from the Identity Manager Home page. To ensure single sign-on access, you must configure both Identity Manager and Identity Governance. Users can easily shift between the two applications without needing to enter their credentials a second time.

Identity Governance must use the same authentication server that the identity applications use.

6.10.1 Checklist for Integrating Identity Governance with Identity Manager

Use the following checklist to ensure a proper integration between the products:

Checklist Items

  1. To ensure that you have the correct software versions for integration, review the latest release notes for Identity Governance and Identity Manager identity applications. For more information, see the Identity Manager Documentation site.

  2. (Conditional) Create an index in eDirectory for the login attribute if you do not use a standard login attribute. For more information, see Section 6.5, Ensuring Rapid Response to Authentication Requests.

  3. Ensure that users can link to Identity Manager Home from Identity Governance. For more information, see Adding a Link to Identity Manager Home in the Identity Governance Menu.

  4. Ensure that Identity Governance connects to the authentication server for Identity Manager. For more information, see Using the Same Authentication Server as Identity Manager.

  5. Update Identity Manager Home to connect to Identity Governance. For more information, see Section 6.10.3, Configuring Identity Manager for Integration.

  6. (Optional) Integrate Identity Governance with the workflows used in Identity Manager. For more information, see Using Workflows to Fulfill the Changeset and Configuring Fulfillment in NetIQ Identity Governance Administrator Guide.

For more information about Identity Manager, see the NetIQ Identity Manager Overview and Planning Guide.

6.10.2 Configuring Identity Governance for Integration

For proper integration, you must link Identity Governance to the Identity Manager Home page for the identity applications. You can also choose to use the same authentication server that the identity applications use to verify login attempts. This process includes the following activities:

Adding a Link to Identity Manager Home in the Identity Governance Menu

This section describes how to add a link in Identity Governance so users can easily switch to Identity Manager Home.

  1. Log in to Identity Governance with an account that has the Global Administrator authorization.

  2. Select Administration > General Settings.

  3. For Home Page URL, specify the URL for Identity Manager Home.

  4. Select Save.

  5. Sign out of Identity Governance.

  6. (Optional) To verify the integration, complete the following steps:

    1. Log in to Identity Governance. Verify that Identity Governance lists Home in the navigation pane.

    2. Select Home, and verify that it takes you to the Identity Manager Home page.

Using the Same Authentication Server as Identity Manager

This section describes how to configure Identity Governance to use the same authentication server as Identity Manager identity applications for verifying users who log in. This section assumes that, when you installed Identity Governance, you did not specify the Identity Manager authentication server. For example, you might have installed Identity Governance before adding Identity Manager to your environment.

  1. Stop Identity Governance and Tomcat. For examples, see Stopping, Starting, and Restarting Tomcat.

  2. In the Identity Governance Configuration Utility, select Authentication Server Details.

  3. Clear Same as IG Server.

  4. Specify the protocol, DNS host name or IP address, and port that represent the authentication server for Identity Manager identity applications.

    NOTE: To use TLS/SSL protocol for secure communications, select https.

  5. Select Save.

  6. Make a note of the settings for the authentication server.

    The values for these settings must match the settings that you specify for Identity Governance in the RBPM Configuration utility. For more information, see Section 6.10.3, Configuring Identity Manager for Integration.

  7. Select Security Settings, and make a note of the settings in the General Service section.

    The values for these settings must match the settings that you specify for Identity Governance in the RBPM Configuration utility. For more information, see Section 6.10.3, Configuring Identity Manager for Integration.

  8. Close the utility.

  9. Start Identity Governance and Tomcat. For examples, see Stopping, Starting, and Restarting Tomcat.

6.10.3 Configuring Identity Manager for Integration

To ensure proper integration, you must update your version of Identity Manager identity applications to recognize Identity Governance. The process includes copying files from the Identity Governance installation to the Identity Manager identity applications installation.

NOTE: Ensure that you have configured single sign-on for the Identity Manager identity applications. For more information, see

  1. On the server where you installed Identity Governance, log in as an administrator.

  2. Navigate to the /osp folder in the installation directory for Identity Governance. For example:

    • Linux: Default location of /opt/netiq/idm/apps/configupdate

    • Windows: Default location of C:\netiq\idm\apps\configupdate

  3. Copy the uaconfig-ig-defs.xml file to a location or thumb drive that you can access from the server running Identity Manager identity applications.

  4. Sign out of the server.

  5. On the server where you installed the identity applications, log in as an administrator.

  6. Stop the application server. For examples, see Stopping, Starting, and Restarting Tomcat.

  7. Navigate to the conf directory of the application server.

    • Linux: Default location of /opt/netiq/idm/apps/tomcat/conf

    • Windows: Default location of c:\netiq\idm\apps\tomcat\conf

  8. Place the uaconfig-ig-defs.xml file from the Identity Governance installation in the /conf directory.

  9. In a text editor, open the configupdate.sh or configupdate.bat file.

    • Linux: Default location of /opt/netiq/idm/apps/UserApplication/configupdate.sh

    • Windows: Default location of c:\netiq\idm\apps\UserApplication\configupdate.bat

  10. In the file, add the following line before the -Duser.language entry:

    -Dcom.netiq.uaconfig.impl.custom.clients=path_to_conf_dir/uaconfig-ig-defs.xml

    For example:

    -Dcom.netiq.uaconfig.impl.custom.clients=/opt/netiq/idm/apps/tomcat/server/IDMProv/conf/uaconfig-ig-defs.xml

  11. Save and close the file.

  12. Launch the configuration update utility by running from the command prompt.

    • Linux: Enter:

      ./configupdate.sh

    • Windows: From a command line enter:

      configupdate.bat

  13. In the utility, select Identity Governance SSO Client.

    NOTE: If the utility does not display the Identity Governance SSO Client tab, ensure that you copied the correct files from the Identity Governance installation to the identity applications installation.

  14. Specify the values based on the OAuth SSO Client and Security Settings > General Service settings that you observed in Step 6 through Step 7 in Using the Same Authentication Server as Identity Manager.

    Observe the following considerations for these settings:

    • By default, the OAuth client ID is iac. You specified the client ID and its password when you specified the client secret during the Identity Governance installation.

    • OAuth redirect URL must be an absolute URL and include the specified value for OAuth client ID. For example, http://myserver.host:8080/oauth.html. By default, the configuration utility provides some of this URL. However, you must ensure that you add the server and port information.

  15. Save your changes and close the utility.

  16. In the directory of the application server, clear out the /temp and /work directories.

  17. Start the application server. For examples, see Stopping, Starting, and Restarting Tomcat.

  18. Add a link to Identity Governance on the Identity Manager Home page.

    For more information, see Configuring the Settings for the Identity Applications in the NetIQ Identity Manager Setup Guide for Linux.

  19. On the Identity Governance server, start Identity Governance (and Tomcat). For examples, see Stopping, Starting, and Restarting Tomcat.
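Step 10 of this procedure (and Step 4 in Section 6.10.4) is a hand edit of configupdate.sh. The following POSIX shell script is an added example, not NetIQ's code, that performs that edit on a Linux application server: it splices the -Dcom.netiq.uaconfig.impl.custom.clients option into JAVA_OPTS directly in front of -Duser.language, keeps a backup, refuses to insert the option twice, and then checks that the uaconfig-ig-defs.xml file the option points to really exists in the conf directory (the cause of the missing-tab problem noted under Step 13). The configupdate.sh body and the paths in the demonstration are constructed; the real script's JAVA_OPTS line looks different, but the -Duser.language token is what the edit keys on.

```shell
#!/bin/sh
# Added example (not NetIQ's code): scripted version of Step 10 above for a
# Linux application server. The paths used in the demonstration are constructed;
# point the functions at the real configupdate.sh and conf directory.

# Insert -Dcom.netiq.uaconfig.impl.custom.clients=<xml> into the script,
# directly before the -Duser.language entry, unless it is already there.
# Usage: add_custom_clients_opt <configupdate.sh> <path-to-uaconfig-ig-defs.xml>
add_custom_clients_opt() {
    script="$1"
    xml="$2"
    opt="-Dcom.netiq.uaconfig.impl.custom.clients=$xml"

    if grep -q -- '-Dcom.netiq.uaconfig.impl.custom.clients=' "$script"; then
        echo "option already present in $script; nothing changed" >&2
        return 0
    fi
    if ! grep -q -- '-Duser.language' "$script"; then
        echo "no -Duser.language entry in $script; refusing to edit" >&2
        return 1
    fi

    cp "$script" "$script.bak"      # keep a backup of the unedited script
    # Splice the option in front of the first -Duser.language token. index()
    # and substr() are used instead of a regex so the path needs no escaping.
    awk -v opt="$opt" '
        !done {
            i = index($0, "-Duser.language")
            if (i) { $0 = substr($0, 1, i - 1) opt " " substr($0, i); done = 1 }
        }
        { print }
    ' "$script.bak" > "$script"
}

# Check the edit: the option must be present, must precede -Duser.language on
# the same line, and the XML file it points to must exist on this server.
verify_custom_clients_opt() {
    script="$1"
    line=$(grep -- '-Dcom.netiq.uaconfig.impl.custom.clients=' "$script" | head -n 1)
    [ -n "$line" ] || { echo "option missing from $script" >&2; return 1; }
    xml=${line#*-Dcom.netiq.uaconfig.impl.custom.clients=}
    xml=${xml%% *}                  # cut at the next option
    xml=${xml%\"}                   # drop a closing quote if it ends JAVA_OPTS
    [ -f "$xml" ] || { echo "$xml does not exist; copy uaconfig-ig-defs.xml to conf first" >&2; return 1; }
    case "$line" in
        *"custom.clients=$xml "*"-Duser.language"*) return 0 ;;
        *) echo "option is not placed before -Duser.language" >&2; return 1 ;;
    esac
}

# Demonstration on a constructed stand-in for
# /opt/netiq/idm/apps/UserApplication/configupdate.sh and the conf directory.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/conf"
: > "$demo_dir/conf/uaconfig-ig-defs.xml"       # stands in for the copied file
cat > "$demo_dir/configupdate.sh" <<'EOF'
#!/bin/sh
JAVA_OPTS="-Dlog4j.configuration=file:log4j.properties -Duser.language=en -Duser.region=US"
"$INSTALL_JAVA_BASE/bin/java" $JAVA_OPTS -jar configupdate.jar
EOF
add_custom_clients_opt "$demo_dir/configupdate.sh" "$demo_dir/conf/uaconfig-ig-defs.xml"
verify_custom_clients_opt "$demo_dir/configupdate.sh" && grep 'JAVA_OPTS=' "$demo_dir/configupdate.sh"
rm -rf "$demo_dir"
```

The verification step is worth keeping separate from the edit: run it again after restoring from backup or after an upgrade of the identity applications, because a replaced configupdate.sh silently drops the option and the Identity Governance SSO Client tab disappears with it.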

6.10.4 Configuring a File Authentication Source for the Bootstrap Administrator

If you want to use a file as the authentication source for the bootstrap administrator instead of LDAP authentication, complete the following steps. You might need to modify the Configuration Update utility files (configupdate.sh.properties or configupdate.bat.properties, and configupdate.sh or configupdate.bat) in the same way as Step 9 through Step 12 in Section 6.10.3, Configuring Identity Manager for Integration.

  1. (Optional) Make a backup copy of both the Configuration Update utility and properties files for the identity applications.

    • Linux: /opt/netiq/idm/apps/UserApplication and the files are configupdate.sh.properties and configupdate.sh.

    • Windows: c:\netiq\idm\apps\UserApplication and the files are configupdate.bat.properties and configupdate.bat.

  2. (Optional) Copy both the Configuration Update utility and the properties files to the /conf directory of the application server.

    • Linux: Default path of /opt/netiq/idm/apps/tomcat/conf

    • Windows: c:\netiq\idm\apps\tomcat\conf

  3. In a text editor, open the configupdate.sh or configupdate.bat file.

  4. In the file, add the following line before the -Duser.language entry in the JAVA_OPTS shell variable.

    For example:

    • Linux: Using the default installation path:

      -Dcom.netiq.uaconfig.impl.custom.clients=/opt/netiq/idm/apps/tomcat/server/IDMProv/conf/uaconfig-ig-defs.xml

    • Windows: Using the default installation path:

      -Dcom.netiq.uaconfig.impl.custom.clients=c:\netiq\idm\apps\tomcat\server\IDMProv\conf\uaconfig-ig-defs.xml

  5. Save and close the file.

  6. In a text editor, open the configupdate.sh.properties or the configupdate.bat.properties file.

  7. Set INSTALL_JAVA_BASE as the path to the Oracle Java instance that Tomcat uses.

    For example:

    • Linux: INSTALL_JAVA_BASE="/root/jdk1.x.x_xx"

    • Windows: INSTALL_JAVA_BASE="c:\Program_Files\jdk1.x.x.xx"

  8. Set CONFIG_FILENAME as "ism-configuration.properties".

    For example:

    CONFIG_FILENAME="ism-configuration.properties"

  9. Save and close the file.

  10. Launch the Configuration Update utility.

    • Linux: From the command line, enter ./configupdate.sh

    • Windows: From the command line, enter configupdate.bat

  11. In the Configuration Update utility, select Identity Governance SSO Client and select Show Advanced Options.

  12. Enter the file location in the File Authentication Source field and the file name in the File Name field. The default file name is adminusers.txt.

  13. Save your changes and close the utility.
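Steps 6 through 9 above edit configupdate.sh.properties by hand. The following POSIX shell script is an added example, not NetIQ's code, that makes the same two settings on a Linux server and adds the check a practitioner wants before launching the utility: that INSTALL_JAVA_BASE really points at a directory containing an executable bin/java, since that is what the utility runs. The set_property function replaces an existing assignment rather than appending a second one, so it is safe to re-run, and it keeps the backup copy that Step 1 recommends. The properties file contents and the stub JDK layout in the demonstration are constructed; the real INSTALL_JAVA_BASE value is the Java path Tomcat uses on your server.

```shell
#!/bin/sh
# Added example (not NetIQ's code): scripted version of Steps 6 through 9 of
# the file-authentication-source procedure above, for a Linux server. The
# paths used in the demonstration are constructed.

# Write KEY="VALUE", replacing an existing KEY= line or appending one.
# Usage: set_property <properties-file> <key> <value>
set_property() {
    file="$1"; key="$2"; value="$3"
    [ -f "$file" ] || : > "$file"
    cp "$file" "$file.bak"           # keep the unedited copy (Step 1 above)
    awk -v key="$key" -v value="$value" '
        BEGIN { line = key "=\"" value "\"" }
        { l = $0; sub(/^[ \t]+/, "", l) }          # ignore leading blanks
        index(l, key "=") == 1 && !done { print line; done = 1; next }
        { print }
        END { if (!done) print line }              # key was absent: append it
    ' "$file.bak" > "$file"
}

# Print the value of KEY with surrounding double quotes removed (empty if unset).
# Usage: get_property <properties-file> <key>
get_property() {
    awk -v key="$2" '
        { l = $0; sub(/^[ \t]+/, "", l) }
        index(l, key "=") == 1 {
            v = substr(l, length(key) + 2)
            if (substr(v, 1, 1) == "\"") v = substr(v, 2)
            if (substr(v, length(v)) == "\"") v = substr(v, 1, length(v) - 1)
            print v; exit
        }
    ' "$1"
}

# The utility runs $INSTALL_JAVA_BASE/bin/java: fail early if that is missing.
# Usage: check_java_base <properties-file>
check_java_base() {
    base=$(get_property "$1" INSTALL_JAVA_BASE)
    [ -n "$base" ] || { echo "INSTALL_JAVA_BASE is not set in $1" >&2; return 1; }
    [ -x "$base/bin/java" ] || { echo "no executable java at $base/bin/java" >&2; return 1; }
}

# Demonstration with a constructed properties file and a stub JDK layout
# (the real file is /opt/netiq/idm/apps/UserApplication/configupdate.sh.properties).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/jdk/bin" && : > "$demo_dir/jdk/bin/java" && chmod +x "$demo_dir/jdk/bin/java"
printf '%s\n' 'INSTALL_JAVA_BASE="/old/jdk"' 'CONFIG_FILENAME="old.properties"' 'OTHER=1' \
    > "$demo_dir/configupdate.sh.properties"
set_property "$demo_dir/configupdate.sh.properties" INSTALL_JAVA_BASE "$demo_dir/jdk"
set_property "$demo_dir/configupdate.sh.properties" CONFIG_FILENAME ism-configuration.properties
check_java_base "$demo_dir/configupdate.sh.properties" && cat "$demo_dir/configupdate.sh.properties"
rm -rf "$demo_dir"
```

Because set_property matches the key only at the start of a line followed immediately by "=", a key such as INSTALL_JAVA_BASE_EXTRA would not be mistaken for INSTALL_JAVA_BASE, and unrelated lines are copied through unchanged.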