37.2 Using SAML Authentication for Single Sign-on

This section helps you configure both NetIQ Access Manager and OSP to support single sign-on access in Identity Manager using SAML 2.0 authentication.

37.2.1 Establishing Trust between Identity Manager and Access Manager

Identity Manager needs the URL of the SAML metadata to redirect users for authentication requests. By default, Access Manager uses the following URL for storing the SAML metadata:

https://server:port/nidp/saml2/metadata

where server:port is the host name and port of the Access Manager Identity Server.

  1. (Optional) To view the .xml document that contains the SAML metadata, open the URL in a browser.

    If the URL does not produce the document, ensure that the link is correct.

  2. Launch the configupdate utility on the OSP server.

  3. Click Advance to view more options.

  4. Select Authentication.

  5. In the Authentication Server section, specify the DNS name of the server that hosts OSP in the OAuth server host identifier setting.

  6. For Authentication Method:

    1. Select SAML 2.0 from the Method list.

    2. Select URL from the Metadata source list.

    3. In Metadata URL, specify the URL of the Access Manager SAML metadata that OSP uses to redirect authentication requests.

      For example, https://server:port/nidp/saml2/metadata

    4. Select Load on exit and Configure Access Manager on exit.

  7. Click OK to save the changes.

  8. Click Yes to accept the certificate.

  9. In Access Manager Auto-Configuration of SAML 2, specify the Access Manager details:

    Access Manager Administration Console

    Specify the Access Manager URL with the full DNS name and port.

    For example,

    https://<Access Manager DNS>:<port>

    The default port is 8443.

    Access Manager Administrator Credentials

    Specify the username and password of the Access Manager administrator in LDAP format.

    For example,

    Username: cn=admin,o=novell

    Authentication Server Administrator Credentials

    Specify the username and password of the User Application administrator. For example, Username: uaadmin

  10. Click OK.

  11. Click Yes to accept the certificate.

  12. Click Yes to continue.

    The Access Manager SAML 2 configuration summary is displayed.

  13. Click OK.

  14. Restart the Tomcat instance that hosts OSP.
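Before completing the wizard above it is worth confirming that the metadata URL from step 1 really returns SAML 2.0 identity provider metadata, and recording the signing certificate you are about to trust. The following script is an added example, not part of the NetIQ documentation or the OSP/Access Manager products: it parses an EntityDescriptor, reports the entityID, the SingleSignOnService endpoints and the SHA-256 fingerprint of each signing certificate, and flags endpoints that are not served over HTTPS. The embedded metadata sample, its host name nam.example.com and the certificate bytes inside it are constructed placeholders; when a URL is given on the command line the script fetches live metadata with TLS verification enabled.

```python
"""Inspect SAML 2.0 IdP metadata before trusting it in OSP (added example)."""
import base64
import hashlib
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample standing in for the document returned by
# https://server:port/nidp/saml2/metadata. Host name, entityID and the
# certificate bytes are placeholders, not values from a real Identity Server.
PLACEHOLDER_CERT_DER = b"placeholder-der-bytes-not-a-real-certificate"
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://nam.example.com:8443/nidp/saml2/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(PLACEHOLDER_CERT_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://nam.example.com:8443/nidp/saml2/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://nam.example.com:8080/nidp/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".encode()


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of DER bytes, the form most consoles show for a certificate."""
    return hashlib.sha256(data).hexdigest()


def fetch_metadata(url: str, timeout: int = 10) -> bytes:
    """Download metadata over HTTPS with hostname and chain verification on.

    A verification failure here means the link from step 1 is wrong or the
    Identity Server certificate is not trusted by this machine; do not
    disable verification to get past it.
    """
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()


def inspect_idp_metadata(xml_bytes: bytes) -> dict:
    """Extract the values an administrator should compare against the console."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("document is not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: not identity provider metadata")

    endpoints = {e.get("Binding"): e.get("Location")
                 for e in idp.findall("md:SingleSignOnService", NS)}

    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(sha256_hex(der))

    # Any SSO endpoint not served over TLS exposes the SAML exchange in clear text.
    insecure = [loc for loc in endpoints.values()
                if not (loc or "").lower().startswith("https://")]
    return {
        "entity_id": root.get("entityID"),
        "sso_endpoints": endpoints,
        "signing_cert_sha256": fingerprints,
        "insecure_endpoints": insecure,
    }


if __name__ == "__main__":
    data = fetch_metadata(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_METADATA
    info = inspect_idp_metadata(data)
    print("entityID:           ", info["entity_id"])
    for binding, location in info["sso_endpoints"].items():
        print("SSO endpoint:       ", binding.rsplit(":", 1)[-1], "->", location)
    for fp in info["signing_cert_sha256"]:
        print("signing cert SHA-256:", fp)
    if info["insecure_endpoints"]:
        print("WARNING: non-HTTPS endpoints:", info["insecure_endpoints"])
```

Run it with the metadata URL as the only argument; compare the printed fingerprint with the Identity Server signing certificate shown in the Access Manager Administration Console before clicking Yes in the certificate prompts of steps 8 and 11, and treat a non-HTTPS endpoint or a missing IDPSSODescriptor as a reason to stop and check the URL.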

37.2.2 Updating the Login Pages for Access Manager

The default login pages for Access Manager use HTML iframe elements that conflict with the elements used by the identity applications. This section describes how to eliminate that conflict by creating a new login method and contract for Access Manager. The .jsp files referenced in this section are located by default in the /opt/novell/nam/idp/webapps/nidp/jsp directory on Linux. On Windows, they are located by default in the C:\Program Files (x86)\Novell\Tomcat\webapps\nidp\jsp directory.

For more information, see “Customizing the Identity Server Login Page” in the NetIQ Access Manager Administration Guide.

  1. Modify the top.jsp file according to TID 7004020 and TID 7018468.

  2. (Optional) For backup purposes, copy and rename the login.jsp file. For example, rename it to idm_login.jsp.

  3. Open the Administration Console for Access Manager.

  4. Create a new user store to connect to Identity Vault.

    1. Click Devices > Identity Servers > Edit > Local > User Stores.

    2. Click New and specify the required Identity Vault details:

      Name

      Specify the DNS name of the Identity Vault.

      Admin Name

      Specify the Identity Vault administrator name in the LDAP format.

      Admin Password

      Specify the Identity Vault administrator password.

      Directory type

      Select eDirectory from the list.

      Server Replica

      1. Click New and specify the Name and IP Address/DNS Name of the Identity Vault.

      2. Check Use Secure LDAP connections.

      3. Click Auto import trusted root to import the Identity Vault certificate.

      4. Click OK.

      Search Contexts

      1. Click New.

      2. In Search Context, specify the search container.

      3. In Scope, select Subtree.

      4. Click OK.

  5. To create a new login method, complete the following steps:

    1. Click Devices > Identity Servers > Edit > Local > Methods.

    2. Click New, then specify the Display Name for the new method. For example, IDM Name/Password.

    3. For Class, specify Name/Password-Form.

    4. For User Store, specify Identity Vault as an LDAP user store.

    5. In the Properties section, click New, then specify the following properties:

      Name      Value
      JSP       idm_login
      MainJSP   true

    6. Click OK.

    7. Click Finish.

  6. To create a contract that uses the new login method, complete the following steps:

    1. Click Contracts > New.

    2. In the Configuration tab, specify the Display Name for the new contract. For example, IDM Name/Password.

    3. For URI, specify name/password/uri/idm.

    4. Under Methods, add the method that you created in Step 5. For example, IDM Name/Password.

    5. Click Next.

    6. In the Authentication Card tab, specify an ID for the card. For example, IDM_NamePassword.

    7. Specify an image for the card.

    8. Click Finish.

  7. To specify the default values for how the system processes the new authentication contract, complete the following steps:

    1. On the Local tab, click Defaults.

    2. For User Store, specify Identity Vault as an LDAP user store.

    3. For Authentication Contract, specify the contract that you created in Step 6. For example, IDM Name/Password-Form.

    4. Click OK.

  8. To update the Identity Server, click Devices > Identity Servers > Update > Update All Configuration.