1.3 Creating a Basic Identity Server Configuration

After you log in to the Administration Console, click Devices > Identity Servers. The system displays the installed server, as shown in the following example:

At this point the Identity Server is in an unconfigured state and is halted. It remains in this state and cannot function until you create an Identity Server configuration, which defines how an Identity Server or Identity Server cluster operates.

When creating the Identity Server configuration, you specify the following information:

NOTE: This task is a basic setup to help you become familiar with Access Manager. It discusses only the required fields for creating a configuration. For information about all of the fields in the interface, see Creating a Cluster Configuration in the Novell Access Manager 3.1 SP5 Identity Server Guide.

To create an Identity Server configuration:

  1. On a client workstation, enable browser pop-ups, then log in to the Administration Console.

  2. In the Administration Console, click Devices > Identity Servers.

  3. Select the check box next to the Identity Server, then click New Cluster.

    Selecting the server is one way to assign it to the cluster configuration.

  4. In the New Cluster dialog box, specify a name for the cluster configuration.

    If you did not select the server in the previous step, you can now select the server or servers that you want to assign to this configuration. For more information about assigning servers to a configuration, see Assigning an Identity Server to a Cluster Configuration in the Novell Access Manager 3.1 SP5 Identity Server Guide.

  5. Click OK.

    The following example shows a new cluster configuration called idp-corporate:

  6. Fill in the following fields to specify the properties for your Identity Server configuration:

    Name: The name by which you want to refer to the Identity Server configuration. This field is populated with the name you provided in the New Cluster dialog box. You can change the name here, if necessary.

    Base URL: The application path for the Identity Server. The Identity Server protocols rely on this base URL to generate URL endpoints for each protocol.

    • Protocol: The communication protocol. Select HTTP for a basic setup.

    • Domain: The domain name used to access the Identity Server. For a basic setup, this is the DNS name of the machine on which you installed the Identity Server. Using an IP address is not recommended.

    • Port: The port values for the protocol. For HTTP, this is 8080.

    • Application: The Identity Server application path. Leave the default value as nidp.

  7. Click Next.

    The system displays the Organization page.

    Use this page to specify organization information for the Identity Server configuration. The information you specify on this page is published in the metadata of the Liberty 1.2 and SAML protocols. The metadata is traded with federation partners and supplies various information regarding contact and organization information located at the Identity Server.

    The following fields require information:

    Name: The name of the organization.

    Display Name: The display name for the organization. This can be the same as the name of the organization.

    URL: The organization’s URL for contact purposes.

    Optional fields include Company, First Name, Last Name, Email, Telephone, and Contact Type.

  8. Click Next.

    The system displays the User Store page.

    Use this page to configure the user store that references users in your organization. User stores are LDAP directory servers to which end users authenticate. You can configure a user store to use more than one replica of the directory server, to provide load balancing and failover capability. You must reference an existing user store.

    For more information about the options on this page and configuring for load balancing and failover,

    Name: A display name for the LDAP directory.

    Admin Name: The distinguished name of the admin user of the LDAP directory. Administrator-level rights are required for setting up a user store.

    Admin Password and Confirm Password: The password for the admin user and the confirmation for the password.

    Directory Type: The type of LDAP directory. You can specify eDirectory, Active Directory, or Sun ONE.

    If eDirectory has been configured to use Domain Services for Windows, eDirectory behaves like Active Directory. When you configure such a directory to be a user store, its Directory Type must be set to Active Directory for proper operation.

  9. Under Server Replicas, click New to specify the user store replica information. It is recommended that you specify an LDAP server that contains a read/write replica.

    Name: The display name for the LDAP directory server.

    IP Address: The IP address of the LDAP directory server. The port is set automatically to the standard LDAP ports.

    For information about adding multiple replicas for load balancing and failover, see Configuring the User Store in the Novell Access Manager 3.1 SP5 Identity Server Guide.

  10. Select Use secure LDAP connections. The port changes to 636, which is the secure LDAP port.

    This is the only configuration we recommend for the connection between the Identity Server and the LDAP server in a production environment. If you use port 389, usernames and passwords are sent in clear text on the wire.

  11. Click Auto import trusted root.

  12. Click OK to confirm the import.

  13. Select one of the certificates in the list.

    You are prompted to choose either a server certificate or a root CA certificate. To trust one certificate, choose Server Certificate. Choose Root CA Certificate to trust any certificate signed by that certificate authority.

  14. Specify an alias, then click OK.

    An alias is a name you use to identify the certificate used by Access Manager.

  15. Click Close, then click OK.

  16. Under Server Replicas, verify the Validation Status.

    The system displays a green check mark if the connection is valid. If it is red, you have a configuration error:

    • Check the distinguished name of the admin user, the password, and the IP address of the replica.

    • Make sure that the specified admin user can log into the user store.

    • Check for network communication problems between the Identity Server and the LDAP server.

    • Enable verbose logging on the Identity Server, then search for the IP address or name of the user store in the log file (Linux: catalina.out; Windows: stdout.log) and identify errors.

      For logging information, see Enabling Component Logging in the Novell Access Manager 3.1 SP5 Identity Server Guide.
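    The log search in the last bullet is easier to repeat if it is scripted. The following is an added example, not part of the Novell documentation or of the product: it filters Tomcat log lines (catalina.out on Linux, stdout.log on Windows) for the IP address or name of the user store, keeps only error-level lines, and attaches the check from the list above that the wording of the error points to. The log lines, the timestamp layout and the "nidp:" prefix are constructed for this example and do not reproduce real Identity Server output; adjust LINE_RE to the format you actually see in your log.

```python
"""Triage Identity Server (Tomcat) log lines that mention a user store.

Added example for the step-16 check: enable verbose logging, then search the
log file for the IP address or name of the user store and identify errors.
The sample log and its line format are constructed and do not reproduce
real Access Manager output.
"""
import re

# Constructed log excerpt (not real Identity Server output).
SAMPLE_LOG = """\
2013-05-02 10:14:03 INFO  nidp: Connecting to user store ldap.example.com:636
2013-05-02 10:14:03 ERROR nidp: ldap.example.com: LDAP error 49 Invalid Credentials
2013-05-02 10:14:05 INFO  nidp: Connecting to user store 10.0.0.25:636
2013-05-02 10:14:35 ERROR nidp: 10.0.0.25: Connection timed out
2013-05-02 10:14:40 ERROR nidp: other-host.example.com: simple bind failed
2013-05-02 10:14:41 WARN  nidp: 10.0.0.25: unable to find valid certification path
"""

# Map wording commonly seen in LDAP failures to the checks listed in step 16.
HINTS = [
    (re.compile(r"invalid credentials|error 49", re.I),
     "check the admin DN and password"),
    (re.compile(r"timed out|connection refused|no route", re.I),
     "check network connectivity and the replica IP address"),
    (re.compile(r"certif", re.I),
     "check the imported trusted root for the LDAPS connection"),
]

# Assumed line layout: "<date> <time> <LEVEL> <message>".
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$")


def find_user_store_errors(log_text, user_store):
    """Return ERROR/WARN lines that mention user_store (name or IP), each with a hint."""
    findings = []
    needle = user_store.lower()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or needle not in raw.lower():
            continue
        if m.group("level") not in ("ERROR", "WARN", "SEVERE"):
            continue
        hint = next((h for pat, h in HINTS if pat.search(m.group("msg"))),
                    "no hint; read the full message")
        findings.append({"timestamp": m.group("ts"), "level": m.group("level"),
                         "message": m.group("msg"), "hint": hint})
    return findings


if __name__ == "__main__":
    # Usage: pass the user store name or IP as configured under Server Replicas.
    for f in find_user_store_errors(SAMPLE_LOG, "10.0.0.25"):
        print(f"{f['timestamp']} {f['level']}: {f['message']} -> {f['hint']}")
```

    Run it against a real file with open("catalina.out").read() in place of SAMPLE_LOG. The hint table only narrows the search to the checks above; the full error text still decides which one applies.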

  17. Add a search context. Click New, specify the DN of the context, select a scope, then click OK.

    The search context is used to locate users in the directory. If a user exists outside of the specified search context and its scope (object, subtree, one level), the Identity Server cannot find the user, and the user cannot log in.

    If the search context you specify finds more than one user with the same username, the Identity Server cannot authenticate these users. A username must be unique within a search context.
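    The two failure modes above (a user outside the context or scope is not found; a duplicate username inside the context is ambiguous) can be reproduced against a small directory before you commit a search context. The following is an added example, not code from the Novell documentation or the product: it models the object, one level and subtree scopes over a constructed directory. The attribute holding the username (uid) is an assumption, and DN parsing is simplified (escaped commas are not handled).

```python
"""Simulate how a search context and its scope decide which users are found.

Added example, not part of the original documentation. The directory is
constructed for the example, the username attribute (uid) is an assumption,
and DN handling is deliberately simplified (no escaped commas).
"""

SCOPES = ("object", "one level", "subtree")

# Constructed directory: DN -> attributes (not a real user store).
DIRECTORY = {
    "o=example": {},
    "ou=users,o=example": {},
    "cn=alice,ou=users,o=example": {"uid": "alice"},
    "ou=contractors,ou=users,o=example": {},
    "cn=bob,ou=contractors,ou=users,o=example": {"uid": "bob"},
    # Same username as the entry directly under ou=users: not unique in a subtree search.
    "cn=alice,ou=contractors,ou=users,o=example": {"uid": "alice"},
    "ou=admins,o=example": {},
    "cn=carol,ou=admins,o=example": {"uid": "carol"},
}


def _rdns(dn):
    """Split a DN into lower-cased RDN components (simplified: no escaping)."""
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """Return True if entry_dn is visible from base_dn under the given scope."""
    entry, base = _rdns(entry_dn), _rdns(base_dn)
    if scope == "object":          # only the context entry itself
        return entry == base
    if scope == "one level":       # direct children of the context
        return entry[1:] == base
    if scope == "subtree":         # the context and everything beneath it
        return len(entry) >= len(base) and entry[-len(base):] == base
    raise ValueError(f"unknown scope: {scope}")


def find_user(directory, username, search_contexts):
    """Locate username under the configured (base_dn, scope) search contexts.

    Returns ("ok", dn) for exactly one match, ("not_found", None) when the
    user lies outside every context, and ("ambiguous", [dns]) when the
    username is not unique, which is the case the Identity Server cannot
    authenticate.
    """
    matches = []
    for base_dn, scope in search_contexts:
        for dn, attrs in directory.items():
            if attrs.get("uid") == username and in_scope(dn, base_dn, scope):
                if dn not in matches:
                    matches.append(dn)
    if not matches:
        return ("not_found", None)
    if len(matches) > 1:
        return ("ambiguous", matches)
    return ("ok", matches[0])


if __name__ == "__main__":
    for ctx in [("ou=users,o=example", "one level"), ("ou=users,o=example", "subtree")]:
        print(ctx, "alice ->", find_user(DIRECTORY, "alice", [ctx]))
    print("carol under ou=users ->", find_user(DIRECTORY, "carol", [("ou=users,o=example", "subtree")]))
```

    With a one-level scope on ou=users only the first alice is visible; widening the same context to subtree makes the username ambiguous, and carol is never found until ou=admins is added as a further search context.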

  18. Click Finish to save the server configuration.

  19. Restart Tomcat as prompted.

    If your Administration Console is installed on the same machine as your Identity Server, your connection is broken. Refresh the page and log in to the Administration Console.

    The Health status icons for the configuration and the Identity Server should turn green.

    It might take several seconds for the Identity Server to start and for the system to display a green light. If the health does not turn green, see Monitoring the Health of an Identity Server in the Novell Access Manager 3.1 SP5 Identity Server Guide.

  20. (Optional) Verify the configuration:

    1. In a browser, enter the Base URL of the Identity Server as the URL.

    2. Select a card without the locking icon.

      Cards with a locking icon require HTTPS and SSL. In this basic setup, you configured the Identity Server to use HTTP.

    3. Log in using the credentials of a user in the LDAP server.

    4. (Conditional) If the URL returns an error rather than displaying a login page, verify the following:

      • The browser machine can resolve the DNS name of the Identity Server.

      • The browser machine can access the port.

  21. If you have already installed an Access Gateway, continue with one of the following:

    To install an Access Gateway, see Installing the Linux Access Gateway Appliance or Installing the Access Gateway Service in the NetIQ Access Manager 3.1 SP5 Installation Guide.