30.3 Configuring Identity Vault for the User Application

The User Application must be able to interact with the objects in your Identity Vault. In some cases, you might need to configure the authentication methods and indexes in eDirectory to enable the Identity Vault and User Application to communicate effectively.

30.3.1 Creating Indexes in eDirectory

To improve User Application performance, the eDirectory Administrator should create indexes for the manager, ismanager and srvprvUUID attributes. Without indexes on these attributes, User Application users can experience impeded performance, particularly in a clustered environment.

You can create these indexes automatically during installation by selecting Create eDirectory Indexes on the Advanced tab of the User Application Configuration Panel. For more information about using Index Manager to create indexes, see the Novell eDirectory Administration Guide.

30.3.2 Installing and Configuring the SAML Authentication Method

This configuration is only required if you want to use the SAML authentication method and are not also using Access Manager. If you are using Access Manager, your eDirectory tree will already include the method. The procedure includes the following activities:

Installing the SAML method in your eDirectory tree

  1. Locate and then unzip the nmassaml.zip file.

  2. To install the SAML method in your eDirectory tree, complete the following steps:

    1. Extend the schema with the definitions stored in authsaml.sch.

      For example, on Linux, enter the following command:

      ndssch -h edir_ip edir_admin authsaml.sch
      
    2. Install the SAML method.

      For example, on Linux, enter the following command:

      nmasinst -addmethod edir_admin tree ./config.txt
      

Editing eDirectory Attributes

  1. Open iManager.

  2. Expand Roles and Tasks > Directory Administration > Create Object.

  3. Select Show all object classes.

  4. Create a new object of class authsamlAffiliate.

  5. Select authsamlAffiliate, then click OK.

    You can give this object any valid name.

  6. To specify the Context, select the SAML Assertion.Authorized Login Methods.Security container object in the tree, then click OK.

  7. To add attributes to the class object authsamlAffiliate, complete the following steps:

    1. Click the iManager View Objects > Browse tab.

    2. Locate your new affiliate object in the SAML Assertion.Authorized Login Methods.Security container.

    3. Select the new affiliate object, then select Modify Object.

    4. Add an authsamlProviderID attribute to the new affiliate object.

      This attribute is used to match an assertion with its affiliate. The contents of this attribute must be an exact match with the Issuer attribute sent by the SAML assertion.

    5. Click OK.

    6. Add authsamlValidBefore and authsamlValidAfter attributes to the affiliate object.

      These attributes define, in seconds, how far before and after the IssueInstant in an assertion the assertion is still considered valid. A typical default is 180 seconds.

    7. Click OK.

  8. Select the Security container.

  9. Select Create Object to create a Trusted Root Container in your Security Container.

  10. To create Trusted Root objects in the Trusted Root Container, complete the following steps:

    1. Go to Roles and Tasks > Directory Administration, then select Create Object.

    2. Select Show all object classes.

    3. Create a Trusted Root object for the certificate that your affiliate will use to sign assertions. You must have a DER-encoded copy of the certificate to do this.

    4. Create new trusted root objects for each certificate in the signing certificate's chain up to the root CA certificate.

    5. Set the Context to the Trusted Root Container created earlier, then click OK.

  11. Return to the Object Viewer.

  12. Add an authsamlTrustedCertDN attribute to your affiliate object, then click OK.

    This attribute should point to the "Trusted Root Object" for the signing certificate that you created in the previous step. (All assertions for the affiliate must be signed by certificates pointed to by this attribute, or they will be rejected.)

  13. Add an authsamlCertContainerDN attribute to your affiliate object, then click OK.

    This attribute should point to the "Trusted Root Container" that you created before. (This attribute is used to verify the certificate chain of the signing certificate.)
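To make the two affiliate checks from this procedure concrete (the exact match between authsamlProviderID and the assertion's Issuer, and the authsamlValidBefore/authsamlValidAfter window around IssueInstant), the following Python is an added example written for this page; it is not part of this guide or of the NMAS SAML method. It assumes a SAML 1.x assertion, where Issuer and IssueInstant are XML attributes, reads authsamlValidBefore as seconds before IssueInstant and authsamlValidAfter as seconds after it, and uses a constructed affiliate record and assertion whose URL and DN values are placeholders. Signature and certificate-chain verification against authsamlTrustedCertDN and authsamlCertContainerDN are outside the example; the returned reason only names the DN the signature would still have to chain to.

```python
"""Affiliate matching and validity-window check for a SAML 1.x assertion (constructed example)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed affiliate record mirroring the eDirectory attributes named in the
# procedure. The provider URL and DN are placeholders, not values from a real tree.
AFFILIATE = {
    "authsamlProviderID": "https://idp.example.test/saml",
    "authsamlValidBefore": 180,  # seconds before IssueInstant still accepted (assumed reading)
    "authsamlValidAfter": 180,   # seconds after IssueInstant still accepted (assumed reading)
    "authsamlTrustedCertDN": "cn=idp-signing,cn=Trusted Roots,cn=Security",  # placeholder
}

# Constructed SAML 1.1-style assertion; Issuer and IssueInstant are attributes of the root element.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
    'MajorVersion="1" MinorVersion="1" AssertionID="_constructed-id" '
    'Issuer="https://idp.example.test/saml" IssueInstant="2024-05-01T12:00:00Z">'
    '<saml:AuthenticationStatement AuthenticationInstant="2024-05-01T12:00:00Z" '
    'AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">'
    '<saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>'
    '</saml:AuthenticationStatement></saml:Assertion>'
)


def utc(stamp):
    """Parse a SAML-style UTC timestamp such as 2024-05-01T12:00:00Z (fractional seconds are dropped)."""
    if not stamp.endswith("Z"):
        raise ValueError("timestamp must be UTC with a trailing Z")
    base = stamp[:-1].split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Return (issuer, issue_instant) from a SAML 1.x Assertion element."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML1_NS:
        raise ValueError("not a SAML 1.x Assertion element")
    issuer = root.attrib.get("Issuer")
    instant = root.attrib.get("IssueInstant")
    if issuer is None or instant is None:
        raise ValueError("Issuer and IssueInstant are required")
    return issuer, utc(instant)


def check_assertion(xml_text, affiliate, now):
    """Apply the affiliate's Issuer match and IssueInstant window. Returns (accepted, reason)."""
    issuer, issued = parse_assertion(xml_text)
    # authsamlProviderID must equal Issuer exactly: no case folding, no trailing-slash tolerance.
    if issuer != affiliate["authsamlProviderID"]:
        return False, "issuer %r does not match affiliate" % issuer
    earliest = issued - timedelta(seconds=affiliate["authsamlValidBefore"])
    latest = issued + timedelta(seconds=affiliate["authsamlValidAfter"])
    if not (earliest <= now <= latest):
        return False, "outside validity window (issued %s, now %s)" % (
            issued.isoformat(), now.isoformat())
    return True, "accepted; signature must still chain to %s" % affiliate["authsamlTrustedCertDN"]


if __name__ == "__main__":
    for stamp in ("2024-05-01T12:02:00Z", "2024-05-01T12:03:01Z", "2024-05-01T11:56:59Z"):
        print(stamp, check_assertion(SAMPLE_ASSERTION, AFFILIATE, utc(stamp)))
```

The window check is deliberately two-sided: a clock on the affiliate that runs ahead of the Identity Vault produces an IssueInstant in the future, and authsamlValidBefore is what keeps those assertions from being rejected, while authsamlValidAfter bounds how long a captured assertion stays usable.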