To provide single sign-on (SSO) access, Identity Manager uses the authentication service NetIQ One SSO Provider (OSP). You must use OSP for the following components:
Catalog Administrator
Identity Manager Dashboard
Identity Reporting
Self-Service Password Reset
User Application
Both the .iso image for Identity Manager and the Identity Manager Integrated Installer program include a method for installing OSP. For more information about installing OSP, see Section 32.0, Installing Password Management for Identity Manager.
OSP supports the OAuth2 specification and requires an LDAP authentication server. By default, Identity Manager uses the Identity Vault (eDirectory). OSP can also communicate with other types of authentication sources, or identity vaults, to handle authentication requests. You can configure the type of authentication that you want OSP to use: user ID and password, Kerberos, or SAML. However, OSP does not support MIT-style Kerberos or SAP login tickets.
If you use the Identity Vault as your authentication service and the specified containers in the Identity Vault have CNs and passwords, authorized users can log in to Identity Manager immediately after installation. Without these login accounts, only the administrator that you specify during installation can log in immediately.
When a user logs in to one of the browser-based components, the process redirects the user’s name/password pair to the OSP service, which queries the authentication server. The server validates the user credentials. Then OSP issues an OAuth2 access token to the component and browser. The browser uses the token during the user’s session to provide SSO access to any of the browser-based components.
If you use Kerberos or SAML, OSP accepts authentication from the Kerberos ticket server or SAML IDP, then issues an OAuth2 access token to the component where the user logged in.
OSP and Kerberos ensure that users can log in once to create a session with one of the identity applications and Identity Reporting. If the user’s session times out, authorization occurs automatically and without user intervention. After logging out, users should always close the browser to ensure that their sessions end. Otherwise, the application redirects the user to the login window and OSP reauthorizes the user session.
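The login flow described above (credentials forwarded to OSP, OSP checks them against the authentication server, an OAuth2 access token is issued, and every browser-based component accepts that same token until the session times out) can be modelled end to end. The following is an added example written for this page, not code from NetIQ or from OSP: the in-memory `AUTH_SERVER` dictionary stands in for the LDAP authentication server, the `OSP` class issues a simplified HMAC-signed bearer token (OSP's real token format and its validation endpoint are not reproduced here), and `Component` represents any of the browser-based components that trust the token. All names, the sample user `cn=alice,ou=users,o=data`, and the 600-second lifetime are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed stand-in for the LDAP authentication server (the Identity Vault).
# Passwords are stored salted and hashed purely for this demo; a real deployment
# binds to eDirectory and never handles the stored secret itself.
_SALT = b"demo-salt"


def _pw_hash(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


AUTH_SERVER = {"cn=alice,ou=users,o=data": _pw_hash("S3cret!")}  # constructed sample user


def authenticate(user_dn: str, password: str) -> bool:
    """Models OSP's credential check against the LDAP authentication server."""
    stored = AUTH_SERVER.get(user_dn)
    # Constant-time comparison so a wrong password does not leak timing information.
    return stored is not None and hmac.compare_digest(stored, _pw_hash(password))


class OSP:
    """Minimal OAuth2-style issuer modelling the OSP service (hypothetical token format)."""

    def __init__(self, signing_key: bytes, lifetime_s: int = 600):
        self.key = signing_key
        self.lifetime = lifetime_s  # session timeout, after which the token is rejected

    def login(self, user_dn: str, password: str, now: Optional[float] = None) -> Optional[str]:
        """Validate the name/password pair and issue a signed, expiring bearer token."""
        if not authenticate(user_dn, password):
            return None
        now = time.time() if now is None else now
        payload = {"sub": user_dn, "iat": now, "exp": now + self.lifetime,
                   "jti": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def validate(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        """Return the payload if the signature is intact and the session has not timed out."""
        body, _, sig = token.rpartition(".")
        if not body:
            return None
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None  # tampered or forged token
        try:
            payload = json.loads(base64.urlsafe_b64decode(body.encode()))
        except (ValueError, UnicodeDecodeError):
            return None
        now = time.time() if now is None else now
        if now >= payload["exp"]:
            return None  # session timed out: the component sends the user back to OSP
        return payload


class Component:
    """A browser-based component (Dashboard, Reporting, ...) that trusts OSP's tokens."""

    def __init__(self, name: str, osp: OSP):
        self.name = name
        self.osp = osp

    def access(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        """Accept the same token any other component accepted: that is the SSO property."""
        return self.osp.validate(token, now)


if __name__ == "__main__":
    osp = OSP(secrets.token_bytes(32))
    token = osp.login("cn=alice,ou=users,o=data", "S3cret!")
    for component in (Component("Dashboard", osp), Component("Reporting", osp)):
        print(component.name, "accepted" if component.access(token) else "rejected")
```

Two points worth noticing: both components accept the one token without re-prompting the user, which is the SSO behaviour the text describes, and once `exp` has passed every component rejects the token, which is why the user is sent back to OSP rather than to a component-local login.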
For OSP and SSO to function, you must install OSP and then specify the URLs for client access to each component, the URL that redirects validation requests to OSP, and the settings for the authentication server. You can provide this information during installation or afterward with the RBPM configuration utility. You can also specify the settings for your Kerberos ticket server or SAML IDP.
For more information about configuring authentication and single sign-on access, see Section XV, Configuring Single Sign-on Access in Identity Manager. In a cluster, the configuration settings must be identical for all members of the cluster.
Identity Manager uses a keystore that supports HTTP and HTTPS communication between the OSP service and the authentication server. You create the keystore when you install OSP. You also create a password that the OSP service uses for authorized interactions with the authentication server. For more information, see Section 32.0, Installing Password Management for Identity Manager.
OSP generates a single event each time a user logs in to or out of the User Application or Identity Reporting:
003E0204 for login
003E0201 for logout
The XDAS taxonomy then classifies each of these OSP events either as a successful login, logout, or SOAP call to the User Application, or as "other than success."
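The two event IDs above and the success / "other than success" split are enough to build a small classifier for a monitoring pipeline. The following is an added example for this page, not NetIQ code: it maps 003E0204 and 003E0201 to login and logout, buckets each event by outcome, and flags a user with repeated failed logins inside a short window. The `ts event=... user=... outcome=...` line layout and the sample lines are constructed for the demo and are not the product's actual audit record format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# OSP event IDs as documented for the User Application / Identity Reporting.
OSP_EVENTS = {"003E0204": "login", "003E0201": "logout"}

# Constructed sample audit lines; the key=value layout is an assumption for this demo.
SAMPLE_LINES = [
    "2024-03-01T09:00:00Z event=003E0204 user=cn=alice,ou=users,o=data outcome=success",
    "2024-03-01T09:00:05Z event=003E0204 user=cn=bob,ou=users,o=data outcome=failure",
    "2024-03-01T09:00:40Z event=003E0204 user=cn=bob,ou=users,o=data outcome=failure",
    "2024-03-01T09:01:10Z event=003E0204 user=cn=bob,ou=users,o=data outcome=failure",
    "2024-03-01T09:30:00Z event=003E0201 user=cn=alice,ou=users,o=data outcome=success",
    "2024-03-01T09:31:00Z event=00000001 user=cn=carol,ou=users,o=data outcome=success",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>[0-9A-F]{8}) user=(?P<user>\S+) outcome=(?P<outcome>\S+)$"
)


def parse_event(line: str):
    """Parse one line; return None for malformed lines or non-OSP event IDs."""
    m = LINE_RE.match(line)
    if not m or m.group("event") not in OSP_EVENTS:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts").replace("Z", "+00:00")),
        "action": OSP_EVENTS[m.group("event")],
        "user": m.group("user"),
        # Mirror the XDAS split: success, or anything else as "other than success".
        "xdas_outcome": "success" if m.group("outcome") == "success" else "other than success",
    }


def summarize(events):
    """Count events by (action, outcome), the view a dashboard would show."""
    return Counter((e["action"], e["xdas_outcome"]) for e in events)


def failed_login_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Return users with `threshold` or more failed logins inside a sliding `window`."""
    recent = defaultdict(list)
    alerted = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "login" or ev["xdas_outcome"] == "success":
            continue
        hits = [t for t in recent[ev["user"]] if ev["ts"] - t <= window] + [ev["ts"]]
        recent[ev["user"]] = hits
        if len(hits) >= threshold and ev["user"] not in alerted:
            alerted.append(ev["user"])
    return alerted


if __name__ == "__main__":
    parsed = [e for e in map(parse_event, SAMPLE_LINES) if e]
    for key, count in sorted(summarize(parsed).items()):
        print(key, count)
    print("alerts:", failed_login_alerts(parsed))
```

The non-OSP event ID in the last sample line is dropped on purpose, so only the two documented OSP events reach the summary; adjust `threshold` and `window` to the noise level of your own environment.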