9.3 Configuring eDirectory

9.3.1 Creating Indexes in eDirectory

To improve User Application performance, the eDirectory Administrator should create indexes for the manager, ismanager and srvprvUUID attributes. Without indexes on these attributes, User Application users can experience impeded performance, particularly in a clustered environment.

These indexes can be created automatically during installation by selecting Create eDirectory Indexes on the Advanced tab of the User Application Configuration Panel (described in Table A-2). Alternatively, refer to the Novell eDirectory Administration Guide for directions on creating them with Index Manager.

9.3.2 Installing and Configuring SAML Authentication Method

This configuration is only required if you want to use the SAML authentication method and are not also using Access Manager. If you are using Access Manager, your eDirectory tree will already include the method. The procedure includes:

  • Installing the SAML Method in your eDirectory tree.

  • Editing eDirectory attributes using iManager.

Installing the SAML method in your eDirectory tree

  1. Locate then unzip the nmassaml.zip file.

  2. Install the SAML methods into your eDirectory tree:

    1. Extend the schema stored in authsaml.sch. Refer to Extending the eDirectory Schema for Roles Based Provisioning Module for more information. If eDirectory is installed on Linux, you can use the following command to extend the schema:

      ndssch -h edir_ip edir_admin authsaml.sch

    2. Install the SAML method. Refer to “How to Install NMAS Method” , in the Novell Modular Authentication Services Administration Guide, for more information. If eDirectory is installed on Linux, you can use the following command to install the method:

      nmasinst -addmethod edir_admin tree ./config.txt

Editing eDirectory Attributes

  1. Open iManager and go to Roles and Tasks > Directory Administration > Create Object.

  2. Select Show all object classes.

  3. Create a new object of class authsamlAffiliate.

  4. Select authsamlAffiliate, then click OK. (You may name this object any valid name.)

  5. To specify the Context, select the SAML Assertion.Authorized Login Methods.Security container object in the tree, then click OK.

  6. Add the following attributes to the new authsamlAffiliate object:

    1. Go to the iManager View Objects > Browse tab and find your new affiliate object in the SAML Assertion.Authorized Login Methods.Security container.

    2. Select the new affiliate object, then select Modify Object.

    3. Add an authsamlProviderID attribute to the new affiliate object. This attribute is used to match an assertion with its affiliate. The contents of this attribute must be an exact match with the Issuer attribute sent by the SAML assertion.

    4. Click OK.

    5. Add authsamlValidBefore and authsamlValidAfter attributes to the affiliate object. These attributes define the amount of time, in seconds, around the IssueInstant in an assertion when the assertion is considered valid. A typical default is 180 seconds.

    6. Click OK.

  7. Select the Security container, then select Create Object to create a Trusted Root Container in your Security Container.

  8. Create Trusted Root objects in the Trusted Root Container.

    1. Return to Roles and Tasks > Directory Administration then select Create Object.

    2. Select Show all object classes again.

    3. Create a Trusted Root object for the certificate that your affiliate will use to sign assertions. You must have a DER-encoded copy of the certificate to do this.

    4. Create new trusted root objects for each certificate in the signing certificate's chain up to the root CA certificate.

    5. Set the Context to the Trusted Root Container created earlier, then click OK.

  9. Return to the Object Viewer.

  10. Add an authsamlTrustedCertDN attribute to your affiliate object, then click OK.

    This attribute should point to the "Trusted Root Object" for the signing certificate that you created in the previous step. (All assertions for the affiliate must be signed by certificates pointed to by this attribute, or they will be rejected.)

  11. Add an authsamlCertContainerDN attribute to your affiliate object, then click OK.

    This attribute should point to the "Trusted Root Container" that you created before. (This attribute is used to verify the certificate chain of the signing certificate.)
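The Issuer match and IssueInstant window configured in step 6 above, modelled as an added example (this is not Novell's code; the attribute semantics are taken from the text, and the interpretation that authsamlValidBefore and authsamlValidAfter extend the window backwards and forwards from IssueInstant is an assumption). The affiliate values and the assertion are constructed; signature verification against the Trusted Root objects is a separate step not shown here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

# SAML 2.0 carries Issuer as a child element in this namespace; SAML 1.x carries it as
# an attribute on <Assertion>. The page does not say which the method expects, so both work.
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

@dataclass
class Affiliate:
    """Constructed stand-in for an authsamlAffiliate object's attributes."""
    provider_id: str    # authsamlProviderID: must equal the assertion's Issuer exactly
    valid_before: int   # authsamlValidBefore: seconds before IssueInstant still accepted
    valid_after: int    # authsamlValidAfter: seconds after IssueInstant still accepted

def parse_instant(text: str) -> datetime:
    """Parse an xsd:dateTime such as IssueInstant; a trailing 'Z' means UTC."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def assertion_issuer(root: ET.Element) -> "str | None":
    """Return the assertion's Issuer from whichever SAML form carries it."""
    if "Issuer" in root.attrib:                      # SAML 1.x attribute
        return root.attrib["Issuer"]
    issuer_el = root.find(f"{{{SAML2_NS}}}Issuer")   # SAML 2.0 element
    return issuer_el.text if issuer_el is not None else None

def check_assertion(xml_text: str, affiliate: Affiliate, now_iso: str) -> "tuple[bool, str]":
    """Apply the affiliate's Issuer match and IssueInstant window; returns (accepted, reason).
    Signature checks against the trusted root objects are a separate step not modelled here."""
    root = ET.fromstring(xml_text)
    issuer = assertion_issuer(root)
    if issuer is None:
        return False, "assertion carries no Issuer"
    if issuer != affiliate.provider_id:              # exact match, no normalisation
        return False, f"Issuer {issuer!r} does not match authsamlProviderID"
    issue_instant = parse_instant(root.attrib["IssueInstant"])
    earliest = issue_instant - timedelta(seconds=affiliate.valid_before)
    latest = issue_instant + timedelta(seconds=affiliate.valid_after)
    now = parse_instant(now_iso)
    if not earliest <= now <= latest:
        return False, f"{now.isoformat()} outside [{earliest.isoformat()}, {latest.isoformat()}]"
    return True, "accepted"

# Constructed sample: an affiliate with the 180 s defaults and one SAML 2.0 assertion.
AFFILIATE = Affiliate("https://idp.example.test/saml", valid_before=180, valid_after=180)
SAMPLE_ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML2_NS}" ID="_constructed" Version="2.0" '
    'IssueInstant="2024-05-01T12:00:00Z">'
    '<saml:Issuer>https://idp.example.test/saml</saml:Issuer></saml:Assertion>'
)
```

With the 180-second defaults, an assertion whose IssueInstant is 12:00:00 is accepted between 11:57:00 and 12:03:00 inclusive; a case-different Issuer is rejected even when the time is valid.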