37.3 Configuring Identity Manager for Integration

To ensure proper integration, you must install the appropriate version of Identity Applications so that it recognizes Identity Governance. This procedure assumes that you have already configured single sign-on for the identity applications.

  1. On the server where you installed Identity Applications, log in as an administrator.

  2. Stop Tomcat.

  3. Based on the platform, download and extract the Identity_Manager_4.7.4_Linux.zip or Identity_Manager_4.7.4_Windows.zip file from the download site.

  4. Navigate to the following directory based on your platform:

    • Linux: <extracted patch location>/Identity_Manager_4.7.4_Linux/osp/ig

    • Windows: <extracted patch location>\Identity_Manager_4.7.4_Windows\osp\ig

  5. (Conditional) If you are using Identity Governance 3.6, copy the uaconfig-ig36-defs.xml file and place it in the /opt/netiq/idm/apps/tomcat/conf/ directory.

  6. (Conditional) If you are using Identity Governance 3.5, copy the uaconfig-ig-defs.xml file and place it in the /opt/netiq/idm/apps/tomcat/conf/ directory.

  7. From the /opt/netiq/idm/apps/tomcat/conf/ directory, edit the ism-configuration.properties file and add the following lines:

    • com.netiq.iac.bootstrapadmin.authsrc = bisadus

    • com.netiq.idm.osp.fileauthsrc.enabled = false

    If you want OSP to issue access tokens in the newer JWT format, also add the following line:

    com.netiq.idm.osp.oauth.access-token-format.format = jwt

  8. Navigate to the /opt/netiq/idm/apps/tomcat/bin directory.

  9. Edit the setenv.sh file and add the following line before the -Duser.language entry in the file (for Identity Governance 3.5, reference the uaconfig-ig-defs.xml file that you copied in Step 6 instead):

    -Dcom.netiq.uaconfig.impl.custom.clients=path_to_conf_dir/uaconfig-ig36-defs.xml

    For example, if you are using Identity Governance 3.6, add the following line:

    -Dcom.netiq.uaconfig.impl.custom.clients=/opt/netiq/idm/apps/tomcat/conf/uaconfig-ig36-defs.xml

  10. Save and close the setenv.sh file.

  11. Launch the configuration update utility by running ./configupdate.sh from the command prompt.

  12. Navigate to the Authentication tab and click Show Advanced Options.

  13. (Conditional) If you are using Identity Governance 3.6, you must select the LDAP user check box under the Identity Governance Bootstrap Administrator settings.

  14. (Conditional) If you are using Identity Governance 3.5.x and the authentication method is set to Kerberos or SAML 2.0, then you must select the LDAP user check box under the Identity Governance Bootstrap Administrator settings. If the authentication method is set to Name and Password, you can select either the file-based user system or the LDAP user as your bootstrap administrator.

  15. Navigate to the IG SSO Clients tab.

  16. (Conditional) If you want to change the authentication server for Identity Governance after installation, specify the values based on the settings that you specified in Step 3 and Step 4 of the Using the Same Authentication Server as Identity Manager section.

    The following considerations apply to these settings:

    • (Conditional) If you are using Identity Governance 3.6, the default OAuth client ID is ig.

      NOTE: The client secret is specified during the Identity Governance installation. You can change the client ID and client secret after installation.

      Specify the following details for Identity Governance Client:

      • OAuth Client ID: Specifies the name that you want to use to identify the single sign-on client for Identity Governance to the authentication server. The default value is ig.

      • OAuth Redirect URI: The OAuth redirect URL must be an absolute URL and include the specified value for OAuth client ID. For example, https://myserver.host:8443/oauth.html. By default, the configuration update utility provides some of this URL. However, you must ensure that you add the server and port information.

      Specify the following details for Identity Governance Utility Client:

      • OAuth Client ID: Specifies the name that you want to use to identify the single sign-on client for Identity Governance Utility to the authentication server. The default value is iac.

      • OAuth client secret: Specifies the password for the single sign-on client for the Identity Governance utility client.

      Specify the following details for Request Client:

      • OAuth Client ID: Specifies the name that you want to use to identify the single sign-on client for Request to the authentication server. The default value is cx.

      • OAuth Redirect URI: The OAuth redirect URL must be an absolute URL and include the specified value for OAuth client ID. For example, https://myserver.host:8443/cx/oauth.html. By default, the configuration update utility provides some of this URL. However, you must ensure that you add the server and port information.

      Specify the following details for Data Connectivity Service:

      • OAuth Client ID: Specifies the name that you want to use to identify the single sign-on client for Data Connectivity Service to the authentication server. The default value is iac-daas.

      • OAuth client secret: Specifies the password for the single sign-on client for the Data Connectivity Service client.

      Specify the following details for General Service:

      • OAuth Client ID: Specifies the name that you want to use to identify the single sign-on client for General Service to the authentication server. The default value is iac-service.

      • OAuth client secret: Specifies the password for the single sign-on client for the General Service client.

      Specify the following details for Data Transformation and Processing Service:

      • OAuth Client ID: Specifies the name that you want to use to identify the single sign-on client for Data Transformation and Processing Service to the authentication server. The default value is iac-dtp.

      • OAuth client secret: Specifies the password for the single sign-on client for the Data Transformation and Processing Service client.

      Specify the following details for Workflow Service:

      • OAuth Client ID: Specifies the name that you want to use to identify the single sign-on client for Workflow Service to the authentication server. The default value is wf.

      • OAuth client secret: Specifies the password for the single sign-on client for the Workflow Service client.

    • (Conditional) If you are using Identity Governance 3.5.x, the default OAuth client ID is iac.

      NOTE: The client secret is specified during the Identity Governance installation. You can change the client ID and client secret after installation.

      Specify the following details for Identity Governance Client:

      • OAuth Client ID: Specifies the name that you want to use to identify the single sign-on client for Identity Governance to the authentication server. The default value is iac.

      • OAuth client secret: Specifies the password for the single sign-on client for the Identity Governance client.

      • OAuth Redirect URI: The OAuth redirect URL must be an absolute URL and include the specified value for OAuth client ID. For example, https://myserver.host:8443/oauth.html. By default, the configuration update utility provides some of this URL. However, you must ensure that you add the server and port information.

      Specify the following details for Request Client:

      • OAuth Client ID: Specifies the name that you want to use to identify the single sign-on client for Request to the authentication server. The default value is cx.

      • OAuth client secret: Specifies the password for the single sign-on client for the Request client.

      • OAuth Redirect URI: The OAuth redirect URL must be an absolute URL and include the specified value for OAuth client ID. For example, https://myserver.host:8443/cx/oauth.html. By default, the configuration update utility provides some of this URL. However, you must ensure that you add the server and port information.

      Specify the following details for Data Connectivity Service:

      • OAuth Client ID: Specifies the name that you want to use to identify the single sign-on client for Data Connectivity Service to the authentication server. The default value is iac-daas.

      • OAuth client secret: Specifies the password for the single sign-on client for the Data Connectivity Service client.

      Specify the following details for General Service:

      • OAuth Client ID: Specifies the name that you want to use to identify the single sign-on client for General Service to the authentication server. The default value is iac-service.

      • OAuth client secret: Specifies the password for the single sign-on client for the General Service client.

      Specify the following details for Data Transformation and Processing Service:

      • OAuth Client ID: Specifies the name that you want to use to identify the single sign-on client for Data Transformation and Processing Service to the authentication server. The default value is iac-dtp.

      • OAuth client secret: Specifies the password for the single sign-on client for the Data Transformation and Processing Service client.

      Specify the following details for Workflow Service:

      • OAuth Client ID: Specifies the name that you want to use to identify the single sign-on client for Workflow Service to the authentication server. The default value is wf.

      • OAuth client secret: Specifies the password for the single sign-on client for the Workflow Service client.

  17. (Conditional) If you are installing Identity Governance for the first time, specify the following details during the Identity Governance installation:

    • For the authentication server details, specify the Identity Manager OSP server details.

    • Specify the LDAP user details when prompted for the Bootstrap administrator details.

    NOTE: Based on the Identity Governance version that you are using (3.6 or 3.5.x), you can choose whether an LDAP user is required or not. For more information, see Step 13 and Step 14.

  18. (Conditional) If you have already installed Identity Governance, log in to the server where Identity Governance is installed and update the configuration values in the configuration utility (configutil) and configuration update utility (configupdate). For more information, see Step 3 and Step 4 of the Using the Same Authentication Server as Identity Manager section.

  19. Delete the localhost folder in the tomcat/work/Catalina directory.

  20. Delete all the files and folders in the /opt/netiq/idm/apps/tomcat/temp directory.

  21. Restart Tomcat on the Identity Governance server.

    systemctl restart identity_tomcat.service

  22. Restart Tomcat on the Identity Applications server.

    systemctl restart netiq-tomcat.service

Configuring Session-timeout for Identity Manager and Identity Governance Integrated Setup

In an Identity Manager and Identity Governance integrated setup, both Identity Applications and Identity Governance are browser-based applications, each with its own session timeout property and value. The value is the amount of time a user can leave a page unattended in the web browser before the server displays a session-timeout warning.

The Identity Applications session timeout is represented by the com.netiq.idm.session-timeout property, and the Identity Governance session timeout by the com.netiq.idm.osp.oauth.public.refreshTokenTTL property. After integrating Identity Manager and Identity Governance, you must configure values for both properties in the ism-configuration.properties file.

To set the session timeout, perform the following actions:

  1. Log in to the Identity Applications server.

  2. Navigate to the /opt/netiq/idm/apps/tomcat/conf/ location.

  3. Open the ism-configuration.properties file in a text editor and add the two properties, com.netiq.idm.session-timeout and com.netiq.idm.osp.oauth.public.refreshTokenTTL, with appropriate values.

  4. Save the file and restart the Tomcat service.

NOTE: To keep the session-timeout warning the same for both applications, it is recommended that the value you set for com.netiq.idm.osp.oauth.public.refreshTokenTTL be 120 seconds less than the value of the com.netiq.idm.session-timeout property.
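As an added check that is not part of the NetIQ documentation, the Python below validates the ism-configuration.properties edits from Step 7 of the integration procedure and from the session-timeout procedure (including the recommended 120-second gap), and the setenv.sh ordering required by Step 9. The SAMPLE_PROPS and SAMPLE_SETENV fragments are constructed, and the check assumes both timeout values are expressed in whole seconds.

```python
# Added example, not NetIQ code: check the ism-configuration.properties and setenv.sh edits.
REQUIRED = {  # Step 7 adds these fixed key/value pairs to ism-configuration.properties
    "com.netiq.iac.bootstrapadmin.authsrc": "bisadus",
    "com.netiq.idm.osp.fileauthsrc.enabled": "false",
}
SESSION_KEY = "com.netiq.idm.session-timeout"
REFRESH_KEY = "com.netiq.idm.osp.oauth.public.refreshTokenTTL"
RECOMMENDED_GAP = 120  # the NOTE: refresh-token TTL should be 120 s below the session timeout
SAMPLE_PROPS = """\
# constructed ism-configuration.properties fragment (values assumed to be seconds)
com.netiq.iac.bootstrapadmin.authsrc = bisadus
com.netiq.idm.osp.fileauthsrc.enabled = false
com.netiq.idm.osp.oauth.access-token-format.format = jwt
com.netiq.idm.session-timeout = 1200
com.netiq.idm.osp.oauth.public.refreshTokenTTL = 1080
"""
SAMPLE_SETENV = ('JAVA_OPTS="-Dcom.netiq.uaconfig.impl.custom.clients='
                 '/opt/netiq/idm/apps/tomcat/conf/uaconfig-ig36-defs.xml '
                 '-Duser.language=en"\n')  # constructed setenv.sh fragment

def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines; # and ! comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_properties(text):
    """Return a list of problems; an empty list means the file matches the procedure."""
    props = parse_properties(text)
    problems = [f"{k} should be {v!r}, found {props.get(k)!r}"
                for k, v in REQUIRED.items() if props.get(k) != v]
    try:  # both timeout values are assumed to be whole seconds
        session, refresh = int(props[SESSION_KEY]), int(props[REFRESH_KEY])
    except (KeyError, ValueError):
        return problems + [f"{SESSION_KEY} and {REFRESH_KEY} must both be set in seconds"]
    if session - refresh != RECOMMENDED_GAP:
        problems.append(f"{REFRESH_KEY} should be {session - RECOMMENDED_GAP}, found {refresh}")
    return problems

def custom_clients_before_user_language(setenv_text, defs_file="uaconfig-ig36-defs.xml"):
    """Step 9: the custom.clients option must name the copied defs file and precede -Duser.language."""
    clients = setenv_text.find("-Dcom.netiq.uaconfig.impl.custom.clients=")
    lang = setenv_text.find("-Duser.language")
    return -1 < clients < lang and defs_file in setenv_text[clients:lang]
```

Run check_properties on the real /opt/netiq/idm/apps/tomcat/conf/ism-configuration.properties and custom_clients_before_user_language on setenv.sh after completing the steps; pass defs_file="uaconfig-ig-defs.xml" for an Identity Governance 3.5 system.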