2.4 Using Single Sign-on Access in Identity Manager

To provide single sign-on access (SSO), Identity Manager uses the authentication service, NetIQ One SSO Provider (OSP). You must use OSP for the following components:

  • Identity Applications Administration

  • Identity Manager Dashboard

  • Identity Reporting

  • Self-Service Password Reset

  • User Application

The Identity Manager installation .iso image includes a method for installing OSP. For more information about installing OSP, see Installing Password Management for Identity Manager.

2.4.1 Understanding Authentication with One SSO Provider

OSP supports the OAuth2 specification and requires an LDAP authentication server. By default, Identity Manager uses the Identity Vault (eDirectory). OSP can also communicate with other types of authentication sources, or identity vaults, to handle authentication requests. You can configure the type of authentication that you want OSP to use: user ID and password, Kerberos, or SAML. However, OSP does not support MIT-style Kerberos or SAP login tickets.

How do OSP and SSO work?

If you use the Identity Vault as your authentication service and the specified containers in the Identity Vault have CNs and passwords, authorized users can log in to Identity Manager immediately after installation. Without these login accounts, only the administrator that you specify during installation can log in immediately.

When a user logs in to one of the browser-based components, the login is redirected to the OSP service, which submits the user’s name/password pair to the authentication server for validation. If the credentials are valid, OSP issues an OAuth2 access token to the component and the browser. The browser presents that token for the rest of the user’s session, which gives SSO access to the other browser-based components without a second login.

If you use Kerberos or SAML, OSP accepts authentication from the Kerberos ticket server or SAML IDP then issues an OAuth2 access token to the component where the user logged in.
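The flow above, as an added simulation that is not OSP code or part of the original page: a component hands the login to a central authentication service, that service checks the name/password pair against a directory and issues a bearer token, and a second component then accepts the same token without another login. The directory contents, the HMAC-signed token format, the 600-second lifetime and every class and function name are assumptions made for the demo, not OSP’s real endpoints or token layout. The demo also exercises the two checks a relying component must make on such a token: a tampered body with the old signature is rejected, and an expired token sends the browser back to the login page.

```python
"""Simulation of an OSP-style SSO flow: central credential check, one bearer
token reused by every component for the session.

Added example, not OSP code: directory contents, token format, TTL and all
names here are assumptions chosen to show the mechanics.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

TOKEN_TTL = 600  # seconds (assumed lifetime)

def _hash_pw(salt: bytes, password: str) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()

# Constructed stand-in for the LDAP authentication server (Identity Vault).
_SALT = b"demo-salt"
DIRECTORY = {"cn=alice,ou=users,o=data": _hash_pw(_SALT, "correct horse")}

class AuthService:
    """Stand-in for OSP: checks the name/password pair, issues signed tokens."""
    def __init__(self, key: bytes, now):
        self.key, self.now = key, now

    def login(self, dn: str, password: str) -> Optional[str]:
        stored = DIRECTORY.get(dn)
        if stored is None or not hmac.compare_digest(stored, _hash_pw(_SALT, password)):
            return None  # authentication server rejected the credentials
        return self.issue(dn)

    def issue(self, dn: str) -> str:
        payload = {"sub": dn, "exp": int(self.now()) + TOKEN_TTL, "jti": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        return body + "." + base64.urlsafe_b64encode(sig).decode()

def verify(token, key: bytes, now) -> Optional[str]:
    """Component-side token check: signature first, then expiry; returns the subject or None."""
    if not isinstance(token, str):
        return None
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig)):
            return None
        payload = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    if payload.get("exp", 0) <= now():
        return None
    return payload.get("sub")

class Component:
    """A browser-based component (Dashboard, Reporting, ...) that trusts the issuer's tokens."""
    def __init__(self, name: str, key: bytes, now):
        self.name, self.key, self.now = name, key, now

    def request(self, token) -> dict:
        sub = verify(token, self.key, self.now)
        # 200: served with the SSO token; 302: redirect the browser to the login page
        return {"component": self.name, "status": 200 if sub else 302, "user": sub}

def demo() -> dict:
    """Walk through the flow with a controllable clock so expiry can be exercised."""
    clock = [1_000_000]
    now = lambda: clock[0]
    key = secrets.token_bytes(32)  # shared by issuer and components (assumption)
    osp = AuthService(key, now)
    dashboard = Component("Identity Manager Dashboard", key, now)
    reporting = Component("Identity Reporting", key, now)
    alice = "cn=alice,ou=users,o=data"
    results = {"wrong_password": osp.login(alice, "wrong")}
    token = osp.login(alice, "correct horse")
    results["dashboard"] = dashboard.request(token)
    results["reporting"] = reporting.request(token)   # same token, no second login: SSO
    body, sig = token.split(".")
    forged = base64.urlsafe_b64encode(json.dumps(
        {"sub": "cn=admin,o=data", "exp": now() + TOKEN_TTL}).encode()).decode()
    results["tampered"] = reporting.request(forged + "." + sig)  # new body, old signature
    clock[0] += TOKEN_TTL + 1
    results["expired"] = dashboard.request(token)    # past exp: back to the login window
    return results

if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:15} {outcome}")
```

The signature is checked before the payload is parsed so that an unauthenticated body never drives any logic, and `hmac.compare_digest` is used for both the password hash and the signature so the comparison does not leak timing. A real deployment validates the token against the issuer rather than with a shared key, but the order of checks is the same.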

How does OSP work with Kerberos?

OSP and Kerberos let users log in once and then work in any of the identity applications and Identity Reporting for that session. If the user’s session times out, OSP re-authorizes the session automatically from the Kerberos ticket, without prompting the user. After logging out, users should always close the browser to ensure that their sessions end. Otherwise, the application redirects the user to the login window and OSP silently re-authorizes the session from the still-valid Kerberos ticket, which is a concern on a shared or unattended workstation.

How do I set up Authentication and Single Sign-on Access?

For OSP and SSO to function, you must install OSP. Then specify the URLs for client access to each component, the URL that redirects validation requests to OSP, and settings for the authentication server. You can provide this information during installation or afterward with the RBPM configuration utility. You can also specify the settings for your Kerberos ticket server or SAML IDP.

For more information about configuring authentication and single sign-on access, see Configuring Single Sign-on Access in Identity Manager in the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.

In a cluster, the configuration settings must be identical for all members of the cluster.

2.4.2 Understanding the Keystore for One SSO Provider

Identity Manager uses a keystore that supports HTTP and HTTPS communication between the OSP service and the authentication server. You create the keystore when you install OSP. You also create a password that the OSP service uses for authorized interactions with the authentication server. For more information, see Installing Password Management for Identity Manager.

2.4.3 Understanding Audit Events for One SSO Provider

OSP generates one event when a user logs in to, and one when a user logs out of, the User Application or Identity Reporting:

  • 003E0204 for login

  • 003E0201 for logout

The XDAS taxonomy then classifies each OSP event either as a successful login, logout, or SOAP call to the User Application, or as “other than success.”
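An added example of detection logic over these two event IDs, not part of the original page or NetIQ’s tooling: the records below are constructed, and their layout (`ts`, `event_id`, `user`, `outcome`) is an assumption made for the demo; real XDAS audit records carry more fields in a different layout. The summary maps each record to login or logout and to success or “other than success,” then flags users with repeated failed logins and users whose logins were never followed by a logout, which is the session-left-open case the Kerberos section above warns about.

```python
"""Classify constructed OSP audit records by the event IDs listed above.

Added example, not NetIQ code: the record layout is an assumption for the
demo; real XDAS audit records have more fields and a different layout.
"""
from collections import defaultdict

OSP_LOGIN = "003E0204"
OSP_LOGOUT = "003E0201"

# Constructed sample records (not real audit output).
SAMPLE_EVENTS = [
    {"ts": 100, "event_id": "003E0204", "user": "alice", "outcome": "success"},
    {"ts": 130, "event_id": "003E0204", "user": "mallory", "outcome": "failure"},
    {"ts": 131, "event_id": "003E0204", "user": "mallory", "outcome": "failure"},
    {"ts": 132, "event_id": "003E0204", "user": "mallory", "outcome": "failure"},
    {"ts": 200, "event_id": "003E0201", "user": "alice", "outcome": "success"},
    {"ts": 300, "event_id": "003E0204", "user": "bob", "outcome": "success"},
    {"ts": 301, "event_id": "00000000", "user": "bob", "outcome": "success"},  # not an OSP event
]

def classify(rec):
    """Map a record to (action, success); None for events OSP did not generate."""
    action = {OSP_LOGIN: "login", OSP_LOGOUT: "logout"}.get(rec["event_id"])
    if action is None:
        return None
    return action, rec["outcome"] == "success"  # anything else is "other than success"

def summarize(events, fail_threshold=3):
    """Per-user counts plus alerts for repeated failed logins and logins without logout."""
    stats = defaultdict(lambda: {"login": 0, "logout": 0, "failed_login": 0})
    for rec in events:
        classified = classify(rec)
        if classified is None:
            continue
        action, ok = classified
        if ok:
            stats[rec["user"]][action] += 1
        elif action == "login":
            stats[rec["user"]]["failed_login"] += 1
    alerts = []
    for user, s in sorted(stats.items()):
        if s["failed_login"] >= fail_threshold:
            alerts.append(f"{user}: {s['failed_login']} failed OSP logins")
        if s["login"] > s["logout"]:
            alerts.append(f"{user}: {s['login'] - s['logout']} login(s) without logout")
    return dict(stats), alerts

if __name__ == "__main__":
    counts, alerts = summarize(SAMPLE_EVENTS)
    for user, s in counts.items():
        print(user, s)
    for line in alerts:
        print("ALERT", line)
```

The failed-login threshold is a constructed value; tune it to the environment, and treat a login without a matching logout as a prompt to check whether the browser was simply closed rather than as proof of misuse.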