7.20 Sample Configurations

7.20.1 Setting Up Google Applications

Google Applications are pre-configured to establish federation with external service providers.

  1. In the Administration Console, click Devices > Identity Servers > Edit > [Protocol].

    For the protocol, click SAML 2.0.

  2. Click New > Service Provider.

    NOTE: By default, the Provider Type > General is selected.

  3. Select Google Application from the Provider Type drop-down list.

    By default, the Metadata Text source is selected and the Text field is pre-filled with the metadata XML. Edit the Location attribute in the metadata text and replace YOURDOMAIN with the domain name configured in Google Applications.

  4. In the Name option, specify a name by which you want to refer to the provider and click Next.

  5. Review the metadata certificates and click Finish. For Google Applications, the certificates page displayed is empty because the metadata does not contain information about the certificates. The system displays the trusted provider on the protocol page. For example, if you have specified the Name as GoogleApps, the page displays the trusted service provider when you click Finish.

    Figure 7-8 Trusted Service Provider for Google Application/Office 365/Sales Force

  6. Click OK, then update the Identity Server.

    The wizard allows you to configure the required options and relies upon the default settings for the other federation options. For information about how to configure the default settings and how to configure the other available options, see Section 7.4, Modifying a Trusted Provider.

You can configure Access Manager to provide the single sign-on services to Google applications by using Security Assertion Markup Language (SAML) 2.0. For more information, see Integrating Google Apps and Novell Access Manager using SAML 2.0.

7.20.2 Setting Up Office 365 Services

Office 365 is pre-configured to establish federation with external service providers. For more information, see Section 7.20.1, Setting Up Google Applications. In Step 3, select Office 365. The system displays the trusted provider on the protocol page. For example, if you have specified the Name as Office365, the screen displays the trusted service provider Office365 as in Figure 7-8, when you click Finish.

Access Manager is compatible with Microsoft Office 365 and provides single sign-on access to Office 365 services.

For more information, see Section 11.0, Configuring Single Sign-On for Office 365 Services.

7.20.3 Integrating Salesforce With Access Manager By Using SAML 2.0

Salesforce.com is pre-configured to establish federation with external service providers.

Integrating Salesforce With Access Manager By Using SAML 2.0 for Identity Provider Initiated Login

To integrate Salesforce for idpsend, follow the procedure in Section 7.20.1, Setting Up Google Applications. In Step 3, select Salesforce. The system displays the trusted provider on the protocol page. For example, if you have specified the Name as SalesForce, the screen displays the trusted service provider as in Figure 7-8, when you click Finish.

Access Manager allows your users to use their existing LDAP credentials for single sign-on access to salesforce.com as well as any Web applications protected by Access Manager.

To use SAML 2.0 for identity provider initiated login, follow the procedure below.

  1. Create a domain in Salesforce.

    To enable IDP-initiated login in Salesforce.com, you must enable and configure the My Domain option in Salesforce.com. Defining your own domain provides the basis for an IDP-initiated URL.

    1. Log in as administrator. Go to Administration Setup > Domain Management > My Domain.

    2. Specify the subdomain name and check the availability.

    3. Agree to the terms and conditions and click Register Domain.

  2. If you have already configured your identity provider for Salesforce.com using the wizard, you must update the identity provider configuration for the new domain. Perform the following steps.

    1. Download the metadata from the Salesforce site for your domain. See Step 3. Send and import this metadata into your Identity Server Salesforce configuration. For reimporting metadata in Access Manager Identity Server, see Section 7.9.1, Viewing and Reimporting a Trusted Provider’s Metadata.

    2. Change the Intersite Transfer URL to point to the new domain URL.

  3. Perform Step 4 and Step 5.

  4. Update the Identity Server.

Integrating Salesforce With Access Manager By Using SAML 2.0 for Service Provider Initiated Login

Service provider configuration options offer you more flexibility and control, for example, simultaneously federating with more than one Identity Server. Salesforce.com supports SP-initiated login in addition to IDP-initiated login. SP-initiated login lets the user access the target application through a simple and intuitive URL.

Follow the procedure given below to integrate Salesforce with Access Manager by using SAML 2.0 for service provider initiated login. Assume that the user has a Salesforce account.

  1. Create a domain in Salesforce.

    To enable SP-initiated login in Salesforce.com, you must enable and configure the My Domain option in Salesforce.com. Defining your own domain provides the basis for an SP-initiated URL.

    1. Log in as administrator. Go to Administration Setup > Domain Management > My Domain.

    2. Specify the subdomain name and check the availability.

    3. Agree to the terms and conditions and click Register Domain.

      If you have already configured your identity provider for Salesforce.com using the wizard, you must update the identity provider configuration for the new domain. Perform the following steps.

    NOTE: Configure SSO. Follow the procedure below to enable SAML support in Salesforce.

    1. Log in to your Salesforce account.

    2. From the left panel, select Security Control > Single sign setting > Saml Single Sign-on Setting > New and fill in the form.

    3. To enable SAML, select Security Control > Single sign setting > Saml Single Sign-on Setting > Federated Single Sign-On Using SAML > Edit > Enable Saml.

  2. Change the Intersite Transfer URL to point to the new domain URL.

  3. Import Salesforce metadata in Access Manager.

    As with any other SAML federation, you must configure both your Access Manager Identity Server and the Salesforce.com Service Provider (SP) to establish a trust. You can download your metadata from Salesforce.com. To download your specific metadata, go to your Salesforce.com instance.

    1. Log in as administrator. Go to Administration Setup > Security Controls > Single Sign-On Settings.

    2. Select the Name that you configured above and click Download Metadata.

    3. Reimport this metadata into your service provider configuration in Access Manager assuming that you have created Salesforce using the wizard.

    The metadata file you download includes a certificate. For Access Manager to trust or use this certificate, the trusted root certificate chain that issued the certificate must exist in the Access Manager certificate trust stores.

  4. Import the certificate into Access Manager (for example, the Salesforce.com certificate).

    1. Open the downloaded metadata .xml file with a file editor and search for the certificate in the X509Certificate element (between <ds:X509Certificate> and </ds:X509Certificate>).

    2. Copy the information into its own file and give it a .cer file extension. Windows will recognize this as a certificate.

    3. Double-click the file to open it.

    4. Click Certification Path to see the chain of authority for the certificate.

      You will need the trusted root certificate for every CA in the chain that you see listed.

    5. In this example, select the VeriSign Class 3 International Server CA – G3 and click View Certificate.

    6. Click Details.

  5. You can now export the CA trusted root certificate.

    1. Click Copy to File…. This launches the Windows Certificate Export Wizard.

    2. Select .DER encoded when prompted, give the file a name, and save it.

    3. Repeat this process for every CA in the certificate path chain.

    4. Use the Access Manager Administration Console to import the resulting CA trusted root certificates into your Access Manager keystores.

After importing, add these certificates into the Identity Server Keystore. For more information, see Managing Certificates and Keystores in the NetIQ Access Manager 4.0 SP1 Administration Console Guide.

Ensure that you add the Salesforce root certificate to your OCSP trust store; otherwise, OCSP validation fails and the Identity Server displays an error.
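The two manual metadata edits in this section (replacing YOURDOMAIN in the Google metadata Location in Section 7.20.1, and copying the ds:X509Certificate out of the downloaded Salesforce metadata into a .cer file in Step 4 above) can be scripted. The following is an added example, not code from the Access Manager guide; the SP metadata it parses is constructed for the example and its certificate is a toy DER SEQUENCE rather than a real certificate.

```python
# Added example (not from the Access Manager guide): fill the YOURDOMAIN
# placeholder in SP metadata, check where assertions will be posted, and
# pull each ds:X509Certificate out as a PEM .cer file.
import base64
import re
import ssl
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: Google-style SP metadata with a YOURDOMAIN placeholder
# and a KeyDescriptor whose "certificate" is a toy DER SEQUENCE, not a real cert.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="google.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        MAMCAQU=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/YOURDOMAIN/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def fill_domain(xml_text, domain):
    """Replace the YOURDOMAIN placeholder, as Step 3 of Section 7.20.1 asks."""
    return xml_text.replace("YOURDOMAIN", domain)

def parse_sp_metadata(xml_text):
    """Return entityID, ACS endpoints and the DER bytes of every certificate."""
    root = ET.fromstring(xml_text)
    acs = [(e.get("Binding"), e.get("Location"))
           for e in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)]
    certs = []
    for kd in root.findall(".//md:KeyDescriptor", NS):
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode(re.sub(r"\s+", "", cert.text or ""), validate=True)
            if not der or der[0] != 0x30:  # a DER Certificate is an ASN.1 SEQUENCE
                raise ValueError("X509Certificate is not a DER SEQUENCE")
            certs.append(der)
    return {"entity_id": root.get("entityID"), "acs": acs, "certs": certs}

def acs_hosts(meta):
    """Hosts the Identity Server will POST assertions to; verify them before trusting."""
    return sorted({urlparse(loc).hostname for _, loc in meta["acs"]})

def to_cer(der):
    """PEM text for a .cer file, equivalent to the copy-and-save in Step 4.2."""
    return ssl.DER_cert_to_PEM_cert(der)
```

Write the string returned by to_cer to a file with a .cer extension and open it in Windows to view the Certification Path as described in Step 4.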

7.20.4 Integrating Shibboleth Identity Provider With Access Manager

You can establish a single sign-on exchange between an Access Manager SAML 2 service provider and a Shibboleth SAML 2 identity provider.

For more information, see Integrating Access Manager with Shibboleth’s Identity Provider Server.