33.6 Integrating Single Sign-on Access with Identity Governance

If you have installed Identity Manager, your users can log in a single time to access Identity Applications, Identity Reporting, and Identity Governance from the Identity Manager Home page. To ensure single sign-on access, you must configure both Identity Manager and Identity Governance. Users can easily shift between the two applications without needing to enter their credentials a second time. Identity Governance must use the same authentication server that the identity applications use.

33.6.1 Ensuring Rapid Response to Authentication Requests

You can configure OSP so that users log in with an email address or another attribute available in the Identity Vault. If you use a non-default attribute, the server might take longer to respond to authentication requests, and OSP automatically times out LDAP connections after 15 seconds. To ensure a rapid response time, the LDAP authentication server should have an index for the login attribute, and you must specify that attribute in the RBPM Configuration Utility.

  1. To specify the login attribute, complete the following steps:

    1. Run the RBPM Configuration utility.

      For more information, see Configuring the Settings for the Identity Applications in the NetIQ Identity Manager Setup Guide.

    2. Select Authentication > Show Advanced Options.

      For more information, see Authentication Parameters in the NetIQ Identity Manager Setup Guide.

    3. For Duplicate resolution naming attribute, specify the attribute that you want to use for login activities. For example, Internet Email Address.

    4. Save your changes.

  2. (Conditional) To create an index for the login attribute in the Identity Vault, complete the following steps:

    1. Create the index.

      For more information, see “Creating an Index” in the NetIQ eDirectory Administration Guide.

    2. For the attribute, select the same attribute that you specified for Duplicate resolution naming attribute in the configuration utility.

    3. For the index rule, specify Value.

    4. Complete the process for creating the index.

33.6.2 Configuring Identity Governance for Integration

For proper integration, you must link Identity Governance to the Identity Manager Home page for the identity applications. You can also choose to use the same authentication server that the identity applications use to verify login attempts. This process includes the following activities:

Adding a Link to Identity Manager Home in the Identity Governance Menu

This section describes how to add a link in Identity Governance so users can easily switch to Identity Manager Home.

  1. Log in to Identity Governance with an account that has the Global Administrator authorization.

  2. Select Administration > General Settings.

  3. For Home Page URL, specify the URL for Identity Manager Home.

  4. Select Save.

  5. Sign out of Identity Governance.

  6. (Optional) To verify the integration, complete the following steps:

    1. Log in to Identity Governance. Verify that Identity Governance lists Home in the navigation pane.

    2. Select Home, and verify that it takes you to the Identity Manager Home page.

Using the Same Authentication Server as Identity Manager

This section describes how to configure Identity Governance to use the same authentication server as Identity Manager identity applications for verifying users who log in. This section assumes that, when you installed Identity Governance, you did not specify the Identity Manager authentication server. For example, you might have installed Identity Governance before adding Identity Manager to your environment.

  1. Stop Identity Governance (and Tomcat).

    For example:

    /etc/init.d/idmapps_tomcat_init stop

  2. In the Identity Governance Configuration Utility, select Authentication Server Details.

  3. Clear Same as IG Server.

  4. Specify the protocol, DNS host name or IP address, and port that represent the authentication server for Identity Manager identity applications.

    NOTE: To use the TLS/SSL protocol for secure communications, select https.

  5. Select Save.

  6. Make a note of the settings for the authentication server.

    The values for these settings must match the settings that you specify for Identity Governance in the RBPM Configuration utility. For more information, see Section 33.6.3, Configuring Identity Manager for Integration.

  7. Select Security Settings, and make a note of the settings in the General Service section.

    The values for these settings must match the settings that you specify for Identity Governance in the RBPM Configuration utility. For more information, see Section 33.6.3, Configuring Identity Manager for Integration.

  8. Close the utility.

  9. Start Identity Governance. For example:

    /etc/init.d/idmapps_tomcat_init start

33.6.3 Configuring Identity Manager for Integration

To ensure proper integration, you must update your version of Identity Manager identity applications to recognize Identity Governance. The process includes copying files from the Identity Governance installation to the Identity Manager identity applications installation.

This procedure assumes that you have configured single sign-on for the identity applications. For more information, see Configuring Single Sign-on Access in Identity Manager in the NetIQ Identity Manager Setup Guide.

  1. On the server where you installed Identity Governance, log in as an administrator.

  2. Navigate to the /osp folder in the installation directory for Identity Governance. For example, /opt/netiq/idm/apps/idgov/osp.

  3. Copy the uaconfig-ig-defs.xml file to a location or thumb drive that you can access from the server running Identity Applications.

  4. Sign out of the server.

  5. On the server where you installed the identity applications, log in as an administrator.

  6. Stop the application server.

    For example:

    /etc/init.d/idmapps_tomcat_init stop

  7. Navigate to the /conf directory of the application server. For example, installation_path/idm/apps/tomcat/conf.

  8. Place the uaconfig-ig-defs.xml file from the Identity Governance installation in the /conf directory.

  9. In a text editor, open the configupdate.sh file, located by default in the installation directory for Identity Applications. For example, /opt/netiq/idm/apps/UserApplication/configupdate.sh.

  10. In the file, add the following line before the -Duser.language entry:

    -Dcom.netiq.uaconfig.impl.custom.clients=path_to_conf_dir/uaconfig-ig-defs.xml

    For example:

    -Dcom.netiq.uaconfig.impl.custom.clients=/opt/netiq/idm/apps/tomcat/server/IDMProv/conf/uaconfig-ig-defs.xml

  11. Save and close the file.

  12. Launch the configuration update utility by running ./configupdate.sh from the command prompt.

  13. In the utility, select Identity Governance SSO Client.

    NOTE: If the utility does not display the Identity Governance SSO Client tab, ensure that you copied the correct files from the Identity Governance installation to the identity applications installation.

  14. Specify the values based on the OAuth SSO Client and Security Settings > General Service settings that you noted in Step 6 and Step 7 of Using the Same Authentication Server as Identity Manager.

    Observe the following considerations for these settings:

    • By default, the OAuth client ID is iac. You specified the client ID and its password (the client secret) during the Identity Governance installation.

    • OAuth redirect URL must be an absolute URL and include the specified value for OAuth client ID. For example, http://myserver.host:8080/oauth.html. By default, the configuration utility provides some of this URL. However, you must ensure that you add the server and port information.

  15. Save your changes and close the utility.

  16. In the directory of the application server, clear out the /temp and /work directories.

  17. Start the application server.

    For example:

    /etc/init.d/idmapps_tomcat_init start

  18. Add a link to Identity Governance on the Identity Manager Home page.

    For more information, see Configuring Identity Manager Home Items in the NetIQ Identity Manager Home and Provisioning Dashboard User Guide.

  19. On the Identity Governance server, start Identity Governance (and Tomcat).

    For example:

    /etc/init.d/idmapps_tomcat_init start
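The two hand edits in this procedure that are easiest to get wrong are the JVM option inserted into configupdate.sh (Step 10) and the OAuth redirect URL (Step 14). The following POSIX shell script is an added example and is not part of the NetIQ documentation or product. It inserts the -Dcom.netiq.uaconfig.impl.custom.clients option immediately before the existing -Duser.language entry (only once, keeping a .bak copy) and checks that a redirect URL is absolute and carries the server and port. The configupdate.sh it creates for the demonstration is a constructed stand-in for the real file, and the defs path it passes is an assumption; the URL check does not verify that the client ID is included, since the page's own example URL does not show where it appears.

```shell
#!/bin/sh
# Added example (not NetIQ code): helpers for the two manual edits in Section 33.6.3.
set -eu

# Step 10: insert the custom client definitions option immediately before the
# existing -Duser.language entry in configupdate.sh. Runs once (idempotent) and
# keeps a .bak copy of the original script.
add_custom_clients_option() {
    script="$1"     # e.g. /opt/netiq/idm/apps/UserApplication/configupdate.sh
    defs_xml="$2"   # absolute path to uaconfig-ig-defs.xml under Tomcat's conf directory
    option="-Dcom.netiq.uaconfig.impl.custom.clients=${defs_xml}"

    if grep -qF -- "$option" "$script"; then
        echo "unchanged: option already present in $script"
        return 0
    fi
    if ! grep -qF -- '-Duser.language' "$script"; then
        echo "error: no -Duser.language entry in $script; nothing inserted" >&2
        return 1
    fi
    cp -p "$script" "$script.bak"
    # index()/substr() keep the rest of the line intact whether -Duser.language sits
    # alone on its own line or among other options; only the first occurrence is edited.
    awk -v opt="$option" '
        !done {
            i = index($0, "-Duser.language")
            if (i > 0) { $0 = substr($0, 1, i - 1) opt " " substr($0, i); done = 1 }
        }
        { print }
    ' "$script.bak" > "$script"
    echo "inserted: $option"
}

# Step 14: the OAuth redirect URL must be absolute and carry the server and port.
# Accepts http(s)://host:port/path; rejects relative paths and URLs without a port.
check_redirect_url() {
    url="$1"
    printf '%s\n' "$url" | grep -Eq '^https?://[A-Za-z0-9.-]+:[0-9]{1,5}/[^[:space:]]*$'
}

# Stand-alone demonstration on a constructed configupdate.sh (not the real file).
demo_on_constructed_script() {
    tmp=$(mktemp -d)
    printf '%s\n' '#!/bin/sh' \
        'java -Djava.util.logging.config.file=configupdate.conf -Duser.language=en -Dfile.encoding=utf-8 -jar configupdate.jar' \
        > "$tmp/configupdate.sh"
    defs="/opt/netiq/idm/apps/tomcat/server/IDMProv/conf/uaconfig-ig-defs.xml"   # assumed path
    add_custom_clients_option "$tmp/configupdate.sh" "$defs"
    add_custom_clients_option "$tmp/configupdate.sh" "$defs"   # second call is a no-op
    cat "$tmp/configupdate.sh"
    for u in 'http://myserver.host:8080/oauth.html' '/oauth.html' 'http://myserver.host/oauth.html'; do
        if check_redirect_url "$u"; then echo "ok:     $u"; else echo "reject: $u"; fi
    done
    rm -rf "$tmp"
}

demo_on_constructed_script
```

Run the script on a copy of the real configupdate.sh first and diff it against the .bak file before relying on it; the awk edit is deliberately conservative and refuses to write anything when no -Duser.language entry exists, so a script with a different layout fails loudly rather than being altered in the wrong place.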