9.5 Integrating Single Sign-on Access with Identity Manager Using OSP

If you have installed Identity Manager, your users can log in a single time to access the Identity Manager applications, Identity Reporting, and Identity Governance. These products use the OSP service for OAuth authentication, which provides users single sign-on access from the Identity Manager Home page. To ensure single sign-on access, you must configure both Identity Manager and Identity Governance. Users can easily shift between the two applications without needing to enter their credentials a second time.

Identity Governance must use the same identity service that the identity applications use.

9.5.1 Checklist for Integrating Identity Governance with Identity Manager

Use the following checklist to ensure a proper integration between the products:

Checklist Items

  1. To ensure that you have the correct software versions for integration, review the latest release notes for Identity Governance and Identity Manager identity applications. For more information, see the Identity Manager Documentation site.

  1. (Conditional) Create an index in eDirectory for the login attribute if you do not use a standard login attribute. For more information, see Section 9.6, Ensuring Rapid Response to Authentication Requests.

  1. Ensure that users can link to Identity Manager Home from Identity Governance. For more information, see Adding a Link to Identity Manager Home in the Identity Governance Menu.

  1. Ensure that Identity Governance connects to the Identity Vault for Identity Manager. For more information, see Changing Identity Governance to Use the Identity Manager Identity Vault as the Identity Service.

  1. (Conditional) If your identity service is a separate eDirectory or Active Directory from the Identity Manager Identity Vault, you must manually extend the schema for the OSP authentications to work. For more information, see Section 8.2.3, Extending the Schema for OSP in the Identity Service not Part of Identity Manager.

  1. (Conditional) If you are using the OSP that comes with Identity Manager, ensure that you are using the LDAP-based instead of the file-based bootstrap administrator account. For more information, see Section 4.1.1, Using the Bootstrap Administrator.

  1. Update Identity Manager Home to connect to Identity Governance. For more information, see Section 9.5.3, Configuring Identity Manager for Integration with Identity Governance.

  1. (Optional) Integrate Identity Governance with the workflows used in Identity Manager. For more information, see Using Workflows to Fulfill the Changeset and Configuring Fulfillment in Identity Governance 3.6 User and Administration Guide.

For more information about Identity Manager, see the NetIQ Identity Manager Overview and Planning Guide.

9.5.2 Configuring Identity Governance for Integration with Identity Manager

For proper integration, you must link Identity Governance to the Identity Manager Home page for the identity applications. You can also choose to use the same identity service that the identity applications use to verify login attempts. This process includes the following activities:

Adding a Link to Identity Manager Home in the Identity Governance Menu

This section describes how to add a link in Identity Governance so users can easily switch to Identity Manager Home.

  1. Log in to Identity Governance with an account that has the Global Administrator authorization.

  2. Select Administration > General Settings.

  3. For Home Page URL, specify the URL for Identity Manager Home.

  4. Select Save.

  5. Sign out of Identity Governance.

  6. (Optional) To verify the integration, complete the following steps:

    1. Log in to Identity Governance. Verify that Identity Governance lists Home in the navigation pane.

    2. Select Home, and verify that it takes you to the Identity Manager Home page.

Changing Identity Governance to Use the Identity Manager Identity Vault as the Identity Service

This section describes how to configure Identity Governance to use the Identity Manager Identity Vault as the Identity Governance identity service for verifying users who log in to Identity Governance. This section assumes that, when you installed Identity Governance, you did not specify the Identity Manager Identity Vault that you specified a different identity service. For example, you might have installed Identity Governance before adding Identity Manager to your environment.

NOTE:Identity Applications use https communication by default. You create a wildcard certificate on one of the servers and copy the certificate on all the servers. For example, you create the wildcard certificate *.example.com on the OSP server.

  1. Add this certificate to the keystoreFile on all the servers.

  2. Restart Apache Tomcat on all the servers.

  3. Ensure that keystoreFile is updated in the server.xml.

     <Connector port="8543" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLSv1.2" keystoreFile="conf/tomcat.ks" keystorePass="novell" sslEnabledProtocols="TLSv1.2" />

  1. Stop Identity Governance and Apache Tomcat. For more information, see Section 3.4.3, Starting and Stopping Apache Tomcat.

  2. Launch the Identity Governance Configuration utility. For more information, see Section 14.1.3, Using the Identity Governance Configuration Utility.

  3. Click the Authentication Server Details tab.

  4. Deselect Same as IG Server.

  5. Specify the protocol, DNS host name or IP address, and port that represent the Identity Vault for Identity Manager identity applications.

    NOTE:To use TLS/SSL protocol for secure communications, select https.

  6. Click Save.

  7. Make a note of the settings for the Identity Vault.

    The values for these settings must match the settings that you specify for Identity Governance in the RBPM Configuration utility. For more information, see Section 9.5.3, Configuring Identity Manager for Integration with Identity Governance.

  8. Click the Security Settings tab, then make a note of the settings in the General Service section.

    The values for these settings must match the settings that you specify for Identity Governance in the RBPM Configuration utility. For more information, see Section 9.5.3, Configuring Identity Manager for Integration with Identity Governance.

  9. Close the utility.

  10. Start Apache Tomcat to start Identity Governance. For more information, see Section 3.4.3, Starting and Stopping Apache Tomcat.

9.5.3 Configuring Identity Manager for Integration with Identity Governance

To ensure proper integration, you must update your version of Identity Manager identity applications to recognize Identity Governance. The process includes copying files from the Identity Governance installation to the Identity Manager identity applications installation.

  1. Ensure that you have configured single sign-on for the Identity Manager identity applications. For more information, see Preparing for Single Sign-on Access in the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.

  2. (Conditional) If you are using the OSP that comes with Identity Manager, ensure that you are using the LDAP-based instead of the file-based bootstrap administrator account. For more information, see Section 4.1.1, Using the Bootstrap Administrator.

  3. (Conditional) If you are running Identity Manager 4.7.3, update the Configuration Update utility for the identity applications server to point to the patch uaconfig-ig36-defs.xml file that you must download.

    1. From the Patch Finder website, download the One SSO Provider (OSP) 6.3.6 patch for Identity Manager 4.7.

    2. Copy the patch file to the identity applications server.

    3. In a text editor, open the configupdate.sh or configupdate.bat file for the identity applications. The default location is:

      • Linux: /opt/netiq/idm/apps/UserApplication/configupdate.sh

      • Windows: c:\netiq\idm\apps\UserApplication\configudate.bat

    4. In the file, add the following line before the -Duser.language entry:

      -Dcom.netiq.uaconfig.impl.custom.clients=path_to_conf_dir/uaconfig-ig36-defs.xml

      For example:

      -Dcom.netiq.uaconfig.impl.custom.clients=/opt/netiq/idm/apps/tomcat/server/IDMProv/conf/uaconfig-ig36-defs.xml

    5. Save and close the file.

  4. (Conditional) If you are running Identity Manager 4.8, ensure that the IG SSO tab appears in the Configuration Update utility for the identity applications.

    1. Ensure that the Configuration Update utility is not running.

    2. Find the properties file for the Configuration Update utility for the identity applications. The default location is:

      • Linux: /opt/netiq/idm/apps/UserApplication/configupdate.sh.properties

      • Windows: c:\netiq\idm\apps\UserApplication\configudate.bat.properties

    3. Open the properties file in a text editor.

    4. If the line sso_apps= exists, ensure that it lists the User Application, Identity Reporting, and Identity Governance. For example:

      sso_apps=ua,rpt,ig

    5. If the sso_apps= line does not exist, add it to file listing the User Application, Identity Reporting, and Identity Governance. For example:

      sso_apps=ua,rpt,ig

    6. Save and close the file.

    7. Launch the Configuration Update utility for the identity applications and ensure that the IG SSO tab appears.

  5. Configuration the single sign-on settings in the Identity Governance Configuration Update utility for the identity applications server.

    1. Launch the Identity Governance Configuration Update utility for the identity applications server.

    2. In the Identity Governance Configuration Update utility, click the IG SSO Client tab.

    3. Specify the values based on the OAuth SSO Client and Security Settings > General Service settings that you observed in Step 7 through Step 8 in Changing Identity Governance to Use the Identity Manager Identity Vault as the Identity Service.

      Observe the following considerations for these settings:

      • By default, the OAuth client ID is iac. You specified the client ID and its password when you specified the client secret during the Identity Governance installation.

      • OAuth redirect URL must be an absolute URL and include the specified value for OAuth client ID. For example, http://myserver.host:8080/oauth.html. By default, the configuration utility provides some of this URL. However, you must ensure that you add the server and port information.

    4. Save your changes and close the Identity Governance Configuration Update utility.

  6. Before starting Apache Tomcat again, delete the contents of the following two directories from Apache Tomcat that contain cached files. The directories are:

    • Linux: Default installation location:

      • /opt/netiq/idm/apps/tomcat/temp

      • /opt/netiq/idm/apps/tomcat/work/Catalina/localhost

    • Windows: Default installation location:

      • c:\netiq\idm\apps\tomcat\temp

      • c:\netiq\idm\apps\tomcat\work\Catalina\localhost

  7. Start the application server. For more information, see Section 3.4.3, Starting and Stopping Apache Tomcat.

  8. Add a link to Identity Governance on the Identity Manager Home page. For more information, see Setting Up the Dashboard for Identity Applications in the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.

  9. On the Identity Governance server, start Identity Governance (and Apache Tomcat). For more information, see Section 3.4.3, Starting and Stopping Apache Tomcat.