9.3 Configuring eDirectory

9.3.1 Creating Indexes in eDirectory

To improve User Application performance, the eDirectory™ Administrator should create indexes for the manager, ismanager and srvprvUUID attributes. Without indexes on these attributes, User Application users can experience impeded performance, particularly in a clustered environment.

These indexes can be created automatically during installation if you select Create eDirectory Indexes on the Advanced tab of the User Application Configuration Panel (described in Table A-2), or refer to the Novell eDirectory Administration Guide (http://www.novell.com/documentation) for directions on using Index Manager to create indexes.

9.3.2 Installing and Configuring SAML Authentication Method

This configuration is only required if you want to use the SAML authentication method and are not also using Access Manager. If you are using Access Manager, your eDirectory tree will already include the method. The procedure includes:

  • Installing the SAML Method in your eDirectory tree.

  • Editing eDirectory attributes using iManager

Installing the SAML method in your eDirectory tree

  1. Locate then unzip the nmassaml.zip file in the .iso.

  2. Install the SAML method into your eDirectory tree.

    1. Extend the schema with the definitions stored in authsaml.sch.

      The following example shows how to perform this on Linux:

      ndssch -h <edir_ip> <edir_admin> authsaml.sch
      
    2. Install the SAML method.

      The following example shows how to perform this on Linux:

      nmasinst -addmethod <edir_admin> <tree> ./config.txt
      

Editing eDirectory Attributes

  1. Open iManager and go to Roles and Tasks > Directory Administration > Create Object.

  2. Select Show all object classes.

  3. Create a new object of class authsamlAffiliate.

  4. Select authsamlAffiliate, then click OK. (You may name this object any valid name.)

  5. To specify the Context, select the SAML Assertion.Authorized Login Methods.Security container object in the tree, then click OK.

  6. You must add attributes to the class object authsamlAffiliate.

    1. Go to the iManager View Objects > Browse tab and find your new affiliate object in the SAML Assertion.Authorized Login Methods.Security container.

    2. Select the new affiliate object, then select Modify Object.

    3. Add an authsamlProviderID attribute to the new affiliate object. This attribute is used to match an assertion with its affiliate. The contents of this attribute must be an exact match with the Issuer attribute sent by the SAML assertion.

    4. Click OK.

    5. Add authsamlValidBefore and authsamlValidAfter attributes to the affiliate object. These attributes define the amount of time, in seconds, around the IssueInstant in an assertion when the assertion is considered valid. A typical default is 180 seconds.

    6. Click OK.

  7. Select the Security container, then select Create Object to create a Trusted Root Container in your Security Container.

  8. Create Trusted Root objects in the Trusted Root Container.

    1. Return to Roles and Tasks > Directory Administration then select Create Object.

    2. Select Show all object classes again.

    3. Create a Trusted Root object for the certificate that your affiliate will use to sign assertions. You must have a DER-encoded copy of the certificate to do this.

    4. Create new trusted root objects for each certificate in the signing certificate's chain up to the root CA certificate.

    5. Set the Context to the Trusted Root Container created earlier, then click OK.

  9. Return to the Object Viewer.

  10. Add an authsamlTrustedCertDN attribute to your affiliate object, then click OK.

    This attribute should point to the "Trusted Root Object" for the signing certificate that you created in the previous step. (All assertions for the affiliate must be signed by certificates pointed to by this attribute, or they will be rejected.)

  11. Add an authsamlCertContainerDN attribute to your affiliate object, then click OK.

    This attribute should point to the "Trusted Root Container" that you created before. (This attribute is used to verify the certificate chain of the signing certificate.)
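The three affiliate attributes above define how an incoming assertion is matched and accepted. The following added example (not NMAS or User Application code) models those rules in Python: an exact Issuer match against authsamlProviderID, a validity window of authsamlValidBefore/authsamlValidAfter seconds around IssueInstant, and a signing certificate that must be one of the trusted ones. The affiliate record, the assertion and the certificate fingerprint are constructed; XML signature and chain verification are out of scope here.

```python
"""Model of the affiliate matching rules for a SAML 1.x assertion.
Constructed example: Affiliate stands in for the authsamlAffiliate object,
and a certificate fingerprint stands in for the DN in authsamlTrustedCertDN."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"


@dataclass(frozen=True)
class Affiliate:
    provider_id: str                 # authsamlProviderID (exact match on Issuer)
    valid_before: int                # authsamlValidBefore, seconds before IssueInstant
    valid_after: int                 # authsamlValidAfter, seconds after IssueInstant
    trusted_fingerprints: frozenset  # stands in for authsamlTrustedCertDN


def parse_instant(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text, signer_fingerprint, affiliate, now):
    """Return 'ok' or the reason the assertion is rejected for this affiliate."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML1_NS:
        return "not a SAML 1.x assertion"
    # Rule 1: Issuer must be an exact match with authsamlProviderID.
    if root.get("Issuer") != affiliate.provider_id:
        return "issuer mismatch"
    # Rule 2: 'now' must lie within the window around IssueInstant
    # (interpretation: ValidBefore seconds earlier, ValidAfter seconds later).
    issued = parse_instant(root.get("IssueInstant"))
    earliest = issued - timedelta(seconds=affiliate.valid_before)
    latest = issued + timedelta(seconds=affiliate.valid_after)
    if not earliest <= now <= latest:
        return "outside validity window"
    # Rule 3: the signing certificate must be one referenced by the affiliate.
    if signer_fingerprint not in affiliate.trusted_fingerprints:
        return "untrusted signing certificate"
    return "ok"


# Constructed sample data: a typical 180-second window and one trusted signer.
SAMPLE_AFFILIATE = Affiliate("https://idp.example.test", 180, 180,
                             frozenset({"SHA1:CONSTRUCTED-FINGERPRINT"}))
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="%s" MajorVersion="1" MinorVersion="1" '
    'AssertionID="_a1" Issuer="https://idp.example.test" '
    'IssueInstant="2024-05-01T12:00:00Z"/>' % SAML1_NS
)
```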