35.4 SSO Clients Parameters

When configuring the identity applications, this tab defines the values for managing single sign-on access to the applications.

By default, the tab displays the basic options. To see all settings, click Show Advanced Options. This tab includes the following groups of settings:

For more information about configuring single sign-on access, see Section XIII, Configuring Single Sign-on Access in Identity Manager.

35.4.1 Landing

This section defines the values for the URL that users need to access the landing page for the identity applications. Usually, this URL directs users to Identity Manager Home.

Figure 35-1 Landing

OAuth client ID

Required

Specifies the name that you want to use to identify the single sign-on client for Identity Manager Home to the authentication server. The default value is ualanding.

OAuth client secret

Required

Specifies the password for the single sign-on client for Identity Manager Home.

URL link to dash page

Required

Specifies the relative URL to use to access the Provisioning Dashboard from Identity Manager Home. The default value is /dash.

OAuth redirect url

Required

Specifies the absolute URL to which the authentication server redirects a browser client when authentication is complete.

Use the following format: protocol://server:port/path. For example, http://10.10.10.48:8180/landing/com.netiq.test.

35.4.2 Dashboard

This section defines the values for the URL that users need to access the landing page for the identity applications. Usually, this URL directs users to Identity Manager Home.

Figure 35-2 Dashboard

OAuth client ID

Required

Specifies the name that you want to use to identify the single sign-on client for Identity Manager Provisioning Dashboard to the authentication server. The default value is uadash.

OAuth client secret

Required

Specifies the password for the single sign-on client for Identity Manager Provisioning Dashboard.

OAuth redirect url

Required

Specifies the absolute URL to which the authentication server redirects a browser client when authentication is complete.

Use the following format: protocol://server:port/path. For example, http://10.10.10.48:8180/dash/com.netiq.test.

User email

Required

Specifies the value that the Roles Based Provisioning Module uses to identify a user’s email attribute in the user information REST API results.

The value must match the Entities configured using Designer. The default value is Email.

User phone

Required

Specifies the value that the Roles Based Provisioning Module uses to identify a user’s phone number attribute in the user information REST API results.

The value must match the Entities configured using Designer. The default value is TelephoneNumber.

User mobile

Required

Specifies the value that the Roles Based Provisioning Module uses to identify a user’s mobile phone number attribute in the user information REST API results.

The value must match the Entities configured using Designer. The default value is MobileNumber.

User firstname

Required

Specifies the value that the Roles Based Provisioning Module uses to identify a user’s first name attribute in the user information REST API results.

The value must match the Entities configured using Designer. The default value is FirstName.

User location

Required

Specifies the value that the Roles Based Provisioning Module uses to identify a user’s location attribute in the user information REST API results.

The value must match the Entities configured using Designer. The default value is Location.

User department

Required

Specifies the value that the Roles Based Provisioning Module uses to identify a user’s department attribute in the user information REST API results.

The value must match the Entities configured using Designer. The default value is Department.

User lastname

Required

Specifies the value that the Roles Based Provisioning Module uses to identify a user’s last name attribute in the user information REST API results.

The value must match the Entities configured using Designer. The default value is LastName.

User title

Required

Specifies the value that the Roles Based Provisioning Module uses to identify a user’s job title attribute in the user information REST API results.

The value must match the Entities configured using Designer. The default value is Title.

35.4.3 RBPM

This section defines the values for the URL that users need to access the User Application.

Figure 35-3 RBPM

OAuth client ID

Required

Specifies the name that you want to use to identify the single sign-on client for the User Application to the authentication server. The default value is rbpm.

OAuth client secret

Required

Specifies the password for the single sign-on client for the User Application.

URL link to landing page

Required

Specifies the relative URL to use to access Identity Manager Home from the User Application. The default value is /landing.

OAuth redirect url

Required

Specifies the absolute URL to which the authentication server redirects a browser client when authentication is complete.

Use the following format: protocol://server:port/path. For example, http://10.10.10.48:8180/IDMProv/oauth.

RBPM to eDirectory SAML configuration

This option is initially set to Auto. Once the certificate is created in the Security container, this option is set to No Change by default.

IMPORTANT: NetIQ recommends changing the default option to Auto only when the RBPMTrustedRoot certificate expires. Do not change the default option frequently.

Signing Certificate

Applies when you select Manual PKCS8.

Specifies the public key certificate that you want to use for SAML authentication.

Signing Key

Applies when you select Manual PKCS8 or Manual PKCS12.

Specifies the file that contains the signing key which RBPM uses for SAML authentication.

Signing Key Password

Applies when you select Manual PKCS8 or Manual PKCS12.

Specifies the password which protects the file containing the signing key which RBPM uses for SAML authentication.

Signing Key Alias

Applies when you select Manual PKCS12.

Specifies the alias of the signing key in the keystore.

IMPORTANT: The NMAS certificate is automatically created if you change the value of the RBPM to eDirectory SAML configuration setting to Auto.

35.4.4 Reporting

This section defines the values for the URL that users need to access Identity Reporting. The utility displays these values only if you add Identity Reporting to your Identity Manager solution.

Figure 35-4 Reporting

OAuth client ID

Required

Specifies the name that you want to use to identify the single sign-on client for the Identity Reporting to the authentication server. The default value is rpt.

OAuth client secret

Required

Specifies the password for the single sign-on client for Identity Reporting.

URL link to landing page

Required

Specifies the relative URL to use to access Identity Manager Home from Identity Reporting. The default value is /landing.

If you installed Identity Reporting and the identity applications on separate servers, specify an absolute URL instead. Use the following format: protocol://server:port/path.

OAuth redirect url

Required

Specifies the absolute URL to which the authentication server redirects a browser client when authentication is complete.

Use the following format: protocol://server:port/path. For example, http://10.10.10.48:8180/idmrpt/oauth.

35.4.5 DCS Driver

This section defines the values for managing the Data Collection Services driver. For more information about the driver, see Section 40.0, Managing the Drivers for Reporting.

Figure 35-5 DCS

OAuth client ID

Specifies the name that you want to use to identify the single sign-on client for the Data Collection Service driver to the authentication server. The default value for this parameter is dcsdrv.

OAuth client secret

Specifies the password for the single sign-on client for the Data Collection Service driver.

35.4.6 Catalog Administrator

This section defines the values for the URL that users need to access Catalog Administrator.

Figure 35-6 Catalog Administrator

OAuth client ID

Required

Specifies the name that you want to use to identify the single sign-on client for Catalog Administrator to the authentication server. The default value is rra.

OAuth client secret

Required

Specifies the password for the single sign-on client for Catalog Administrator.

URL link to landing page

Required

Specifies the relative URL to use to access Identity Manager Home from Catalog Administrator. The default value is /landing.

OAuth redirect url

Required

Specifies the absolute URL to which the authentication server redirects a browser client when authentication is complete.

Use the following format: protocol://server:port/path. For example, http://10.10.10.48:8180/rra/com.netiq.test.

35.4.7 Self Service Password Reset

This section defines the values for the identity applications to communicate with SSPR.

Figure 35-7 SSPR

OAuth client ID

Required

Specifies the name that you want to use to identify the single sign-on client for SSPR to the authentication server. The default value is sspr.

OAuth client secret

Required

Specifies the password for the single sign-on client for SSPR.

OAuth redirect URL

Required

Specifies the absolute URL to which the client redirects after actions such as password changes or challenge-question setup have been completed in SSPR, for example the Identity Manager home page.

Use the following format: protocol://server:port/path. For example, http://10.10.10.48:8180/sspr/public/oauth.
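The checks below, an added example that is not part of the NetIQ documentation or the configuration utility, sanity-check a set of SSO client parameters of the kind this tab collects: non-empty client IDs and secrets, relative URL links, absolute redirect URLs in the protocol://server:port/path shape, and no client ID shared by two applications. The sample configuration, host name and secrets are constructed placeholders; the https and fragment checks go beyond the page and reflect general OAuth redirect-URL practice.

```python
from urllib.parse import urlsplit

# Constructed sample: a subset of the SSO clients on this tab with their
# documented default client IDs; the host and secrets are placeholders.
SSO_CLIENTS = {
    "Landing": {"id": "ualanding", "secret": "placeholder-1", "link": "/dash",
                "redirect": "https://idm.example.com:8543/landing/com.netiq.test"},
    "RBPM": {"id": "rbpm", "secret": "placeholder-2", "link": "/landing",
             "redirect": "https://idm.example.com:8543/IDMProv/oauth"},
    "DCS Driver": {"id": "dcsdrv", "secret": ""},  # this client has no redirect URL
    "SSPR": {"id": "rbpm", "secret": "placeholder-4",
             "redirect": "http://idm.example.com:8180/sspr/public/oauth#cb"},
}

def is_absolute(url):
    """True when url has the protocol://server:port/path shape (scheme and host)."""
    parts = urlsplit(url)
    return bool(parts.scheme and parts.hostname)

def check_redirect_url(url):
    """Return the problems found in an OAuth redirect URL."""
    problems, parts = [], urlsplit(url)
    if not is_absolute(url):
        problems.append("redirect URL must be absolute")
    elif parts.scheme != "https":
        problems.append("redirect URL is not https")
    if parts.fragment:
        problems.append("redirect URL must not carry a fragment")
    return problems

def check_client(cfg):
    """Return the problems found in one client's parameters."""
    problems = []
    if not cfg.get("id"):
        problems.append("OAuth client ID is empty")
    if not cfg.get("secret"):
        problems.append("OAuth client secret is empty")
    link = cfg.get("link")
    if link is not None and not (link.startswith("/") or is_absolute(link)):
        problems.append("URL link must be a relative path or an absolute URL")
    if "redirect" in cfg:
        problems.extend(check_redirect_url(cfg["redirect"]))
    return problems

def validate(clients):
    """Check every client and flag a client ID reused by two applications."""
    report = {name: check_client(cfg) for name, cfg in clients.items()}
    owners = {}
    for name, cfg in clients.items():
        owner = owners.setdefault(cfg.get("id"), name)
        if owner != name:
            report[name].append(f"client ID {cfg['id']!r} already used by {owner}")
    return report
```

Running validate(SSO_CLIENTS) reports the empty DCS Driver secret and, for the SSPR entry, the plain-http redirect, the fragment, and the client ID already taken by RBPM.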