34.1 Understanding Third-Party Authentication and Single Sign-On

You can configure Identity Manager to work with NetIQ Access Manager using SAML 2.0 or by configuring Access Gateway as a reverse proxy server.

SAML 2.0

Lets users log in to the identity applications through Access Manager with an authentication method that is not password-based, for example a user (client) certificate such as one stored on a smart card.

Access Manager interacts with OSP to map the user to a DN in the Identity Vault. When a user logs in to the identity applications through Access Manager, Access Manager can inject a SAML assertion that carries the user's DN as the subject identifier into an HTTP header and forward the request to the identity applications. The identity applications use that assertion to establish the LDAP connection to the Identity Vault. Because the applications act on the DN in that header, they should accept it only on requests that arrived through Access Manager; a request that reaches the identity applications directly must not be able to supply it.

Accessory portlets that provide password-based single sign-on do not support single sign-on when SAML assertions are used to authenticate to the identity applications.
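The following is an added example, not code from Identity Manager, Access Manager or OSP, showing the consumer side of the header-injected assertion described above: decode the assertion, check its issuer, validity window and audience, and return the DN from the Subject NameID. The header name X-SAML-Assertion, the issuer and audience URLs, the gateway address and the assertion itself are constructed for the example; a real deployment uses whatever the Access Gateway policy is configured to inject. XML signature verification is deliberately left out and must be done with a proper XML-DSig library before any of these checks mean anything.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET  # use defusedxml in production

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical header name; the real one is set by the Access Gateway
# identity-injection policy.
ASSERTION_HEADER = "X-SAML-Assertion"

# Constructed values for the example (not real endpoints).
TRUSTED_ISSUER = "https://nam.example.com/nidp/saml2/metadata"
EXPECTED_AUDIENCE = "https://idm.example.com/idmdash"
GATEWAY_ADDRS = {"10.0.0.5"}  # addresses of the Access Gateway nodes

# Constructed, unsigned sample assertion carrying the user's DN as NameID.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>https://nam.example.com/nidp/saml2/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">cn=jdoe,ou=users,o=data</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T10:00:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://idm.example.com/idmdash</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _parse_time(value):
    # SAML timestamps are UTC ISO 8601 with a trailing 'Z'.
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def dn_from_assertion(assertion_b64, trusted_issuer, expected_audience, now):
    """Return the DN in a SAML 2.0 assertion after checking issuer, validity
    window and audience. Raises ValueError on any failure. The XML signature
    is NOT verified here; do that first with an XML-DSig library."""
    root = ET.fromstring(base64.b64decode(assertion_b64, validate=True))
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML 2.0 Assertion element")

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:
        raise ValueError("untrusted issuer: %r" % issuer)

    cond = root.find("saml:Conditions", namespaces=NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    not_before = _parse_time(cond.get("NotBefore"))
    not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
    # NotOnOrAfter is exclusive: an assertion is invalid at exactly that instant.
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")

    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", namespaces=NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not addressed to this application")

    name_id = root.find("saml:Subject/saml:NameID", namespaces=NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no Subject NameID")
    return name_id.text.strip()


def dn_from_request(headers, remote_addr, gateway_addrs, trusted_issuer, expected_audience, now):
    # The header is only meaningful when the request came through Access
    # Gateway; a request that reached the application directly could carry
    # a forged header, so it is refused before the assertion is even parsed.
    if remote_addr not in gateway_addrs:
        raise ValueError("request did not arrive via Access Gateway")
    raw = headers.get(ASSERTION_HEADER)
    if not raw:
        raise ValueError("no assertion header")
    return dn_from_assertion(raw, trusted_issuer, expected_audience, now)


def login_result(now_str, remote_addr="10.0.0.5", assertion_xml=SAMPLE_ASSERTION):
    """Run the full check and report ('ok', dn) or ('rejected', reason)."""
    headers = {ASSERTION_HEADER: base64.b64encode(assertion_xml.encode()).decode()}
    try:
        dn = dn_from_request(headers, remote_addr, GATEWAY_ADDRS,
                             TRUSTED_ISSUER, EXPECTED_AUDIENCE, _parse_time(now_str))
        return ("ok", dn)
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print(login_result("2024-01-15T10:02:00Z"))                          # accepted
    print(login_result("2024-01-15T10:05:00Z"))                          # expired
    print(login_result("2024-01-15T10:02:00Z", remote_addr="203.0.113.9"))  # bypassed the gateway
```

The DN returned by login_result is what the application would then bind with against the Identity Vault; the three calls at the bottom show the accepted case, an assertion presented at its NotOnOrAfter instant, and a request that did not come from a gateway address.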

Reverse Proxy

Protects the identity applications by placing a reverse proxy in front of them in your Identity Manager environment. In this approach, Access Gateway uses a Form Fill policy to perform single sign-on to the identity applications. The reverse proxy can be configured to protect one or more proxy services, each domain-based or path-based, and to provide single sign-on access and simultaneous logout across them.

After the Form Fill login, the identity applications retrieve the access token from OSP and grant the user access, which completes single sign-on for the first login. The identity applications then use this access token to provide single sign-on for subsequent authentication requests to any of the identity applications and to SSPR.