Novell ACCESS MANAGER 3.1 SP2 - README 2010 Manual Download Page 215 | Manualshive

Page: 215 / 374

background image

Configuring SAML and Liberty Trusted Providers

215

n

ov

do

cx (e

n)

16
Ap
ril 20

10

The persistent and transient formats are generated automatically. For the others, you can select
an attribute. The available attributes depend upon the attributes that you have selected to send
with authentication (see

Section 7.6.1, “Configuring the Attributes Obtained at

Authentication,” on page 200

). If you do not select a value for the E-mail, Kerberos, X509, or

Unspecified format, a unique value is automatically generated.

6

To specify that this Identity Server must authenticate the user, disable the

Use proxied requests

option. When the option is disabled and the Identity Server cannot authenticate the user, the
user is denied access.
When this option is enabled, the Identity Server checks to see if other identity providers can
satisfy the request. If one or more can, the user is allowed to select which identity provider
performs the authentication. If a proxied identity provider performs the authentication, it sends
the response to the Identity Server. The Identity Server then sends the response to the service
provider.

7

Click

OK

twice, then update the Identity Server.

7.9.3 Configuring the SAML 1.1 Authentication Response

You can specify the name identifier and its format when the Identity Server sends an authentication
response. You can also restrict the use of the assertion.

When an identity provider sends an assertion, the assertion can be restricted to an intended audience.
The intended audience is defined to be any abstract URI in SAML 1.1. The URL reference can also
identify a document that describes the terms and conditions of audience membership.

1

In the Administration Console, click

Devices > Identity Servers > Edit > SAML 1.1 > [Service

Provider]

>

Authentication Response

.

2

To specify a name identifier format, select one of the following:



E-mail:

Specifies that an e-mail attribute can be used as the identifier.



X509:

Specifies that an X.509 certificate can be used as the identifier.



Unspecified:

Specifies that an unspecified format can be used and any value can be used.

The service provider and the identity provider need to agree on what value is placed in this
identifier.

3

To specify the format of the name identifier, select an attribute.

«
...
213
214
215
216
217
...
»

Summary of Contents for ACCESS MANAGER 3.1 SP2 - README 2010

Page 1: ...Novell www novell com novdocx en 16 April 2010 AUTHORIZED DOCUMENTATION Novell Access Manager 3 1 SP2 Identity Server Guide Access Manager 3 1 SP2 June 29 2010 Identity Server Guide...

Page 2: ...nd the trade laws of other countries You agree to comply with all export control regulations and to obtain any required licenses or classification to export re export or import deliverables You agree...

Page 3: ...Trademarks For Novell trademarks see the Novell Trademark and Service Mark list http www novell com company legal trademarks tmlist html Third Party Materials All third party trademarks are the prope...

Page 4: ...4 Novell Access Manager 3 1 SP2 Identity Server Guide novdocx en 16 April 2010...

Page 5: ...guring SAML 2 0 to Sign Messages 35 1 4 7 Blocking Access to Identity Server Pages 36 1 5 Translating the Identity Server Configuration Port 36 1 5 1 Changing the Port on a Windows Identity Server 36...

Page 6: ...Page 136 4 Configuring Advanced Local Authentication Procedures 139 4 1 Configuring for RADIUS Authentication 139 4 2 Configuring Mutual SSL X 509 Authentication 140 4 2 1 Configuring Attribute Mappin...

Page 7: ...urity 196 7 5 1 Configuring Communication Security for Liberty and SAML 1 1 197 7 5 2 Configuring Communication Security for a SAML 2 0 Identity Provider 197 7 5 3 Configuring Communication Security f...

Page 8: ...e 241 8 6 Using CardSpace Cards for Authentication to Access Gateway Protected Resources 242 8 7 Managing CardSpace Trusted Providers 242 8 7 1 CardSpace Identity Provider Wizard 243 8 7 2 Renaming th...

Page 9: ...1 Selecting a User Identification Method for SAML 1 1 280 11 2 2 Configuring the Attribute Matching Method for SAML 1 1 281 11 3 Defining the User Provisioning Method 282 11 4 User Provisioning Error...

Page 10: ...work 337 14 6 9 Clustering 339 14 6 10 LDAP 340 14 7 Enabling Identity Server Audit Events 341 14 8 Monitoring Identity Server Alerts 343 14 9 Viewing the Command Status of the Identity Server 343 14...

Page 11: ...ng with Liberty 363 B 2 Trusted Provider Reference Metadata 364 B 3 Identity Federation 364 B 4 Authorization Services 364 B 5 What s New in SAML 2 0 364 B 6 Identity Provider Process Flow 365 B 7 SAM...

Page 12: ...12 Novell Access Manager 3 1 SP2 Identity Server Guide novdocx en 16 April 2010...

Page 13: ...317 Chapter 15 Troubleshooting the Identity Server and Authentication on page 349 Appendix A About Liberty on page 361 Appendix B Understanding How Access Manager Uses SAML on page 363 Appendix C Data...

Page 14: ...Documentation Before proceeding you should be familiar with the Novell Access Manager 3 1 SP2 Installation Guide and the Novell Access Manager 3 1 SP2 Setup Guide which provide information about insta...

Page 15: ...ontrol on page 27 Section 1 3 Configuring Secure Communication on the Identity Server on page 27 Section 1 4 Security Considerations on page 32 Section 1 5 Translating the Identity Server Configuratio...

Page 16: ...ails on page 24 Section 1 1 6 Removing a Server from a Cluster Configuration on page 25 Section 1 1 7 Enabling and Disabling Protocols on page 25 Section 1 1 8 Modifying the Base URL on page 26 1 1 1...

Page 17: ...1 In the Administration Console click Devices Identity Servers 2 Select the Identity Server s check box then click New Cluster Selecting the server is one way to assign it to the cluster configuration...

Page 18: ...l Default ports are 8080 for HTTP or 8443 for HTTPS If you want to use port 80 or 443 specify the port here If you are configuring a Linux Identity Server you must also configure the operating system...

Page 19: ...h a logout the user cannot log in again until the session timeout expires for one of the sessions When enabled this option affects performance in a cluster with multiple Identity Servers When a user i...

Page 20: ...entication credentials WS Federation Allows disparate security mechanisms to exchange information about identities attributes and authentication 9 To continue creating the Identity Server configuratio...

Page 21: ...re defined for the server 1 In the Administration Console click Devices Identity Servers 2 On the Servers page select the server s check box You can select all displayed servers by selecting the top l...

Page 22: ...on server using port 8080 has the following TCP ports open 8443 secure Administration Console 7801 1 for back channel communication with cluster members You need to open two consecutive ports such as...

Page 23: ...ibutes Configuring Session Failover 1 In the Administration Console click Devices Identity Servers 2 In the list of clusters and Identity Servers click the name of an Identity Server cluster 3 Click t...

Page 24: ...a communications channel over which the cluster members maintain the integrity of the cluster For example this TCP channel is used to detect new cluster members as they join the cluster and to detect...

Page 25: ...he cluster configuration The configuration however remains intact and can be reassigned later or assigned to another server 1 In the Administration Console click Devices Identity Servers 2 Select the...

Page 26: ...fy the base URL and reestablish trust relationships 1 In the Administration Console click Devices Identity Servers Edit 2 Change the protocol domain port and application settings as necessary 3 Click...

Page 27: ...time with certificates from a trusted certificate authority Connector The test connector certificate is used when you establish SSL communication between the Identity Server and the browsers and betwe...

Page 28: ...ser store For configuration information see Section 3 1 Configuring Identity User Stores on page 104 This section describes the following tasks Section 1 3 1 Viewing the Services That Use the Signing...

Page 29: ...utualTLS Message X509 has been selected as the security mechanism signing has been enabled for the profile 1 3 2 Viewing Services That Use the Encryption Key Pair All of the Liberty Web Service Provid...

Page 30: ...Click Replace to replace the signing certificate SSL Required Displays the SSL connector keystore Click this link to access the keystore and replace the connector certificate Provider Displays the ID...

Page 31: ...t import the root certificate chain for the other provider Failure to do so causes numerous system errors OCSP Trust Store The Identity Server uses this trust store for OCSP certificates Online Certif...

Page 32: ...ess Manager 3 1 SP2 Administration Console Guide Be aware of the following options that can increase security Section 1 4 1 Federation Options on page 32 Section 1 4 2 Authentication Contracts on page...

Page 33: ...hich is recommended for a production environment Any Contract Allows the user to use any contract defined for the Identity Server configuration If you have set up the Access Manager to require SSL con...

Page 34: ...ps on each Identity Server 1 4 4 Securing the Identity Server Cookie An attacker can spoof a non secure browser into sending a JSESSION cookie that contains a valid user session To stop this from happ...

Page 35: ...AES256 Because AES128 is the default specifying this value in the web xml file does not change any behavior 3 Save the file and copy it to each Identity Server in the cluster 4 Restart Tomcat on each...

Page 36: ...uration Port If your Identity Server must communicate through a firewall you must either set up a hole in your firewall for TCP ports 8080 or 8443 default ports used respectively for non secure and se...

Page 37: ...figuring iptables for Multiple Components on page 39 These sections describe two solutions out of many possibilities For more information about iptables see the following Iptable Tutorial 1 2 2 http i...

Page 38: ...ho n Flushing all IP Port redirection rules IPT_BIN t nat flush rc_status v restart 0 stop 0 start rc_status echo Usage 0 start stop restart exit 1 esac rc_exit For more information about init scripts...

Page 39: ...steps on each server in the cluster Configuring iptables for Multiple Components If you need to use iptables for multiple components the host machine the Identity Server or the SSL VPN server you need...

Page 40: ...that port 443 is being routed to the Identity Server by entering the following command iptables t nat nvL You should see an entry similar to the following pkts bytes target prot opt in out source dest...

Page 41: ...if the filters have been registered correctly Chain POSTROUTING policy ACCEPT 20987 packets 1266K bytes pkts bytes target prot opt in out source destination 0 0 SNAT all 10 8 0 0 16 0 0 0 0 0 to 10 1...

Page 42: ...protocols Access Manager Services That Use the Signing Certificate on page 42 Understanding the Interaction of the netHSM Server with Access Manager on page 43 Access Manager Services That Use the Si...

Page 43: ...name of a profile then click Descriptions 3 Click the Description Name 4 If either Peer entity None Message X509 or Peer entity MutualTLS Message X509 has been selected as the security mechanism signi...

Page 44: ...ed remote file system with the netHSM client An installed Identity Server assigned to a cluster configuration For instructions on a basic setup that assigns the Identity Server to a cluster configurat...

Page 45: ...ith the values copied from the anonkneti command 6 Conditional If the Identity Server and the Administration Console are installed on the same machine modify the 9000 and 9001 TCP ports 6a In a text e...

Page 46: ...initialize synchronization with the remote file system server Linux Enter the following commands opt nfast bin rfs sync update opt nfast bin rfs sync commit Windows Enter the following commands C nfas...

Page 47: ...y provider 7 sun security jgss SunProvider security provider 8 com sun security sasl Provider 1c Save your changes 2 Add the nfast libraries to the CLASSPATH for Java For a Windows client add the foll...

Page 48: ...e module protected DignorePassphrase true Required if you want the keystore to be module protected sun security tools KeyTool The name of the keytool command alias A name that helps you identify the k...

Page 49: ...mypwd keystore A name for the keystore In this sample configuration the name is AMstore jks storepass The password for the keystore In this sample configuration the password is mypwd storetype The typ...

Page 50: ...should now be issued by the CA you used and the public certificate of the CA should be there as the owner and the issuer 11 Copy the keystore to the idp directory on the Identity Server Linux opt nov...

Page 51: ...2008 Program Files x86 Novell devman jcc certs idp 13b Make sure the novlwww user has at least read rights 13c Use the netHSM client to synchronize the cluster member with the remote file system serv...

Page 52: ...lines JAVA_OPTS JAVA_OPTS Dcom novell nidp extern config file var opt novell tomcat5 webapps nidp WEB INF classes externKeystore properties JAVA_OPTS JAVA_OPTS Dprotect module DignorePassphrase true T...

Page 53: ...p jar C nfast java classes kmjava jar C nfast java classes nfjava jar C nf ast java classes rsaprivenc jar C nfast java classes spp jar 2d Save your changes 3 Add the netHSM certificate configuration...

Page 54: ...s nidp WEB INF classes If you specified a different location for this file in Step 3 use that location 4b Add the following lines com novell nidp extern signing providerClass com ncipher provider km n...

Page 55: ...owing text BEGIN CERTIFICATE 6 Delete the ds X509Certificate tag and replace it with the following text END CERTIFICATE 7 Save the file as a text file with a cer extension 8 Open the file in Internet...

Page 56: ...information on how to change the port see Step 6 on page 45 For other errors consult the netHSM documentation 3 Linux only If the novlwww user does not have rights to the cmdadp log and cmdadp debug...

Page 57: ...ogs directory 4e Restart Tomcat by entering the following command etc init d novell tomcat5 restart 4f To tail the catalina out file enter the following command tail f var opt novell tomcat5 logs cata...

Page 58: ...lid values See Step 5 on page 52 Verify that the tomcat5 conf file is configured correctly See Step 4 on page 52 5 Enable netHSM logging This logging feature is very verbose It should be turned on onl...

Page 59: ...Identity Server to display the correct login page See Section 2 1 2 Configuring the Identity Server to Use Custom Login Pages on page 72 If the custom page doesn t display you need to discover the ca...

Page 60: ...eed to modify the nidp jsp file The nidp jsp file uses iframes so the devices that your users use for authentication must also support iframes For configuration information see Customizing the nidp js...

Page 61: ...er can be found in the user store with an identifier other than the username the cn attribute The instructions then explain how to create a contract that uses this method and how to modify the login j...

Page 62: ...Configure the other options to fit your requirements For information on configuring the other options for a contract see Section 3 4 Configuring Authentication Contracts on page 124 2d Click OK 3 Upd...

Page 63: ...ser for an e mail address JSP 50 Email Address 7c Translate the value and add this entry to your localized custom properties files 7d Copy the customized properties files to the WEB INF classes direct...

Page 64: ...ng the available authentication cards The following sections explain how to modify the login page that these JSPs create Rebranding the Header on page 64 Customizing the Card Display on page 66 Custom...

Page 65: ...Replace the Novell logo on the right of the header see Figure 2 2 5a Locate the following string String hdrLogo AMHeader_logo png 5b Replace the value of the hdrLogo string with the path and the file...

Page 66: ...n the Authentication Cards section is not by modifying the content jsp file It is by using the Show Card option that appears on the definition of each card If this option is not selected the card does...

Page 67: ...or an e mail address rather than a username This must be the filename without the JSP extension For example if you name your file email_login jsp then you would specify email_login for the property va...

Page 68: ...ess 6c Translate the value and add this entry to your localized custom properties files 6d Copy the customized properties files to the WEB INF classes directory of each Identity Server in the cluster...

Page 69: ...3 Access Manager 3 0 Default Login Page You can change the Novell branding and modify the credential prompts Modifying the Branding in the 3 0 Login Page on page 69 Modifying the Credentials in the 3...

Page 70: ...appear For example title My World title 6 Remove the Novell N logo 6a Find the following line in the file div id headimage img src request getContextPath images Odyssey_LoginHead gif alt height 80 wi...

Page 71: ...t for example label style width 100px Email Address label 2c Copy the modified file to each Identity Server in the cluster 2d Update the Identity Server cluster 2e Back up your customized file 3 Condi...

Page 72: ...ge 73 Using Properties to Specify the Login Page For each resource that needs a unique login page you need to create an authentication method and add the JSP and MainJSP properties to the method You t...

Page 73: ...each protected resource that you have created a custom contract for select the protected resource then configure it to use the custom contract 5 Update the Access Gateway 6 Conditional If the custom p...

Page 74: ...owing fields Display name Specify a name for the method You might want to use a name that indicates which login page is assigned to this method Class Select a name password class Configure the other f...

Page 75: ...contract You might want to use a name that indicates which login page is assigned to this contract URI Specify a value that uniquely identifies the contract from all other contracts No spaces can exi...

Page 76: ...equals login3 custom3 include file custom3 jsp These else if statements set up three contracts for customized login pages The first else if statement specifies the URI of the login1 contract and confi...

Page 77: ...at you have created a custom login page for assign that resource to use the contract that is configured to display the appropriate login page 5a Click Devices Access Gateways Edit Reverse Proxy Name P...

Page 78: ...rver Logout You can also use the following methods to modify the Identity Server logout page Section 2 2 1 Rebranding the Logout Page on page 78 Section 2 2 2 Replacing the Logout Page with a Custom P...

Page 79: ...rs and service providers to which the user has authenticated If you want to modify this behavior so that the logout request logs the user out of just the Identity Server and leaves the user authentica...

Page 80: ...source Bundles for the language or the language and country For example nidp_custom_resources_en_US properties nidp_custom_resources_fr properties nidp_custom_resources_es properties If you want to su...

Page 81: ...t for identity federation termination could not be completed SS WKSLdapCreds LDAP Credentials SS WKSELdapCredsUserName LDAP User Name SS WKSELdapCredsUserDN LDAP User DN SS WKSELdapCredsUserPassword L...

Page 82: ...on Attempting to load Custom Properties File Name Custom Properties FileName The locale specifier in the Custom Properties File filename could not be successfully parsed into a valid locale Loading of...

Page 83: ...replace this text open the err jsp file and locate the following text that appears between the head head tags title handler getResource JSPResDesc TITLE title Replace the content between the title and...

Page 84: ...s how to do this in the Administration Console You can also use an LDAP browser 1 In the Administration Console click Devices Identity Servers Edit Local Contracts 2 Click the name of a contract then...

Page 85: ...email address Figure 2 4 illustrates the login page that these changes produce Figure 2 4 Custom Credentials Such a JSP file must be used with a contract that uses a method that defines the query for...

Page 86: ...style type text css media screen td label font size 0 85em padding right 0 2em label font size 0 77em padding right 0 2em input font family sans serif instructions color 4d6d8b font size 0 8em margin...

Page 87: ...ource JSPResDesc PASSWORD label td td align left input type password class smalltext name Ecom_Password size 30 td tr tr td align right colspan 2 style white space nowrap input alt handler getResource...

Page 88: ...that the following custom nidp jsp file and main jsp file create Figure 2 5 Custom Branding with Custom Credential Prompts The credential frame uses the same modifications in the sample from Section...

Page 89: ...ollowing lines in the file The header background image that gets repeated String hdrBgndImg custom_images images2 jpeg Figure 2 7 illustrates the image images3 jpeg that this custom page uses for the...

Page 90: ...om_images images3 jpeg String hdrLogo custom_images hhbimages jpeg String hdrTitle Enter MY WORLD String query request getQueryString if query null query length 0 query query else query DOCTYPE HTML P...

Page 91: ...line height 17px text decoration none background color transparent NLtab tr subtab td color white padding 2px NLtab tr subtab a font size 8em color white text decoration none padding 2px 5px 2px 5px...

Page 92: ...var element2 g_curSubtab element1 className selx if element1 id element2 id element2 className unselx g_curSubtab element1 function showHelp var helpURL login html if g_curSubtab id fedsubtab helpURL...

Page 93: ...mg src handler getImage hdrImage false div div id logo img src handler getImage hdrLogo false div div id title hdrTitle div td tr table td tr tr td table cellspacing 5 width 100 tr td include file men...

Page 94: ...e been added are marked in bold in the following file page language java page pageEncoding UTF 8 contentType text html charset UTF 8 page import com novell nidp page import com novell nidp resource js...

Page 95: ...e value You then need to create a contract that uses this method and assign it to a protected resource 2 4 3 Custom 3 1 login jsp File To create this type of page you need to start with the login jsp...

Page 96: ...tle HHB CUSTOM LOGIN title META HTTP EQUIV Content Language CONTENT handler getLanguageCode meta http equiv content type content text html charset utf 8 style type text css media screen td label font...

Page 97: ...ign center label handler getResource JSPResDesc USERNAME label td td align center input type text class smalltext name Ecom_User_ID size 30 td tr tr td align center label handler getResource JSPResDes...

Page 98: ...Do not include the JSP extension in the value MainJSP property values Property Name MainJSP Property Value true You then need to create a contract that uses this method and assign it to a protected re...

Page 99: ...pe text html charset UTF 8 page import com novell nidp common provider page import java util page import com novell nidp ui page import com novell nidp page import com novell nidp servlets page import...

Page 100: ...topmargin 0 rightmargin 0 onLoad document IDPLogin Ecom_User_ID focus form name IDPLogin enctype application x www form urlencoded method POST action String request getAttribute url AUTOCOMPLETE off t...

Page 101: ...e 30 div td tr tr td nowrap nowrap div label handler getResource JSPResDesc PASSWORD label div td td style white space nowrap div input type password class smalltext name Ecom_Password size 30 nbsp nb...

Page 102: ...create a method and a contract The method needs to use a name password class and have the following properties defined Query property values Property Name Query Property Value objectclass person mail...

Page 103: ...s specify how the Identity Server requests authentication information and what it should do to validate those credentials See Section 3 2 Creating Authentication Classes on page 117 Methods The pairin...

Page 104: ...east one configured user store for the Identity Server to be functional Modify To modify the configuration of an existing user store click the name of a user store For configuration information see Se...

Page 105: ...on store Ensure that you also delete those objects from the configuration store See Orphaned Objects in the Trust Configuration Store in the Novell Access Manager 3 1 SP2 Administration Console Guide...

Page 106: ...a user store This ensures read write access to all objects used by Access Manager For more information about this user see Section 3 1 3 Configuring an Admin User for the User Store on page 109 Each...

Page 107: ...ot sharing secrets with other applications the secrets it is using are never locked and you do not need enable this option 4 Under LDAP timeout settings specify the following LDAP Operation Specify ho...

Page 108: ...gorithm is used to map a user to a replica All requests on behalf of that user are sent to that replica Users are moved from their replica to another replica only when their replica is no longer avail...

Page 109: ...n limits and remaining grace logins If you enable provisioning with the SAML or Liberty protocols the admin user needs write rights to create users in the user store If your user store is an eDirector...

Page 110: ...ooting tips see Troubleshooting the Storing of Secrets on page 115 Configuring the Configuration Datastore to Store the Secrets When you use the configuration datastore of the Administration Console a...

Page 111: ...the Identity Servers page update the Identity Server 6 To use the secret store to store policy secrets see Creating and Managing Shared Secrets in the Novell Access Manager 3 1 SP2 Policy Guide Config...

Page 112: ...sword to a unique alphanumeric value Preferred Encryption Method Specifies the preferred encryption method Select the method that complies with your security model Password Based Encryption With MD5 a...

Page 113: ...to authenticate as that user and access the user s secrets Without this NMAS method the Identity Server is denied access to the user s secrets To use a remote SecretStore your network environment must...

Page 114: ...d objects to the tree 4 Click Liberty Web Service Providers 5 Click Credential Profile 6 Scroll to the Remote Storage of Secrets section 7 Click New under Novell Secret Store User Store References Thi...

Page 115: ...ceive a prompt for a passphrase when secrets are locked complete the following configuration steps 1 Require all users to set up a passphrase also called the Master Password Access Manager uses the Se...

Page 116: ...u can find a SAML Assertion object in the Authorized Login Methods container The SAML_Assertion object contains an alphanumeric generated name for a SAML affiliate object This object has four attribut...

Page 117: ...entity Server and eDirectory server are not time synchronized the credentials can become invalid before a user has time to use them Either make sure that the time of your Identity Server and eDirector...

Page 118: ...defines authentication levels for classes that can be used in authentication requests For more information on how to configure and use this class see Section 7 2 4 Configuring the Trust Levels Class...

Page 119: ...Configuring for RADIUS Authentication on page 139 for configuration steps KerberosClass The authentication class used for using Kerberos for Active Directory and Identity Server authentication See Sec...

Page 120: ...22 These properties can also be specified on a method derived from the class If you are going to create multiple methods from the same class consider the following conditions If you want the methods t...

Page 121: ...credentials The objectclass value must be a valid object class in the LDAP user store The email attribute must be a valid attribute of the person class When you specify such a Query you must also modi...

Page 122: ...you associate authentication classes with user stores You use a particular authentication class to obtain credentials about an entity and then validate those credentials against a list of user stores...

Page 123: ...res to search You can select from the list of all the user stores you have set up If you have several user stores the system searches through them based on the order specified here If a user store is...

Page 124: ...ng Authentication Contracts Authentication contracts define how authentication occurs An Identity Server can have several authentication contracts available such as name password X 509 or Kerberos Fro...

Page 125: ...1 Using a Password Expiration Service on page 127 Allow User Interaction If you specify a password expiration servlet you can enable this option which allows the users to decide whether to go to the s...

Page 126: ...ivity Realm s Specify the name of the realm that can be used to indicate activity Use a comma separated list to specify multiple realms This allows a user s session to be kept alive when the user is a...

Page 127: ...use the Identity Server configuration 9 To use this contract you must configure Access Manager to use it You can assign it as the default contract for the Identity Server See Section 3 5 Specifying A...

Page 128: ...the sid and id values as part of the value used for the Identity Server return URL Grace Logins If you specify a password service and do not specify a value for the number of grace logins in eDirecto...

Page 129: ...ine how activity at one protected resource affects the activity timeout at another protected resource An activity realm essentially represents a time line that tracks the last activity for any resourc...

Page 130: ...is set to the greatest timeout value of the contracts configured for the Identity Server NIDPActivity Specify NIDPActivity for the realm when any activity at the Identity Server by the user can be us...

Page 131: ...cess Manager 3 1 SP2 Access Gateway Guide Authentication Type Specifies the default authentication contracts to be used for each authentication type When a service provider requests a specific authent...

Page 132: ...what a trusted service provider is asking for in its authentication request 1 In the Administration Console click Devices Identity Servers Edit Local Contracts 2 To create a new contract click New 3...

Page 133: ...cking Access to the WSDL Services Page on page 136 3 6 1 Logging In to the User Portal Users can log directly in to the Identity Server when they enter the Base URL of the Identity Server in their bro...

Page 134: ...If you have configured the Identity Server to be an identity provider for service providers a Federation page is accessible after login From this page users can federate and defederate their accounts...

Page 135: ...that administrators might want to restrict such as the user s attributes and federations with other third party SAML or Liberty providers Help Desk Support Most users have no need to access the infor...

Page 136: ...nt Mozilla 4 0 compatible MSIE 7 0 Windows NT 5 1 NET CLR 2 0 50727 NET CLR 3 0 04506 648 NET CLR 3 5 21022 NET CLR 3 0 4506 2152 NET CLR 3 5 30729 Host idp126 lab novell com 8443 Connection Keep Aliv...

Page 137: ...is page you can block access 1 Log in as the root or administrator user 2 Open the web xml file for editing Linux opt novell nids lib webapp WEB INF Windows Server 2003 Program Files Novell Tomcat web...

Page 138: ...s full and users have access to the page 4 Restart Tomcat for your modifications to take effect Linux Enter the following command etc init d novell tomcat5 restart Windows Enter the following commands...

Page 139: ...1 Configuring for RADIUS Authentication RADIUS enables communication between remote access servers and a central server Secure token authentication through RADIUS is possible because Access Manager wo...

Page 140: ...ity Injection policies and you did not enable the Require Password option add the password fetch method as a second method to the contract For more information about this class and method see Section...

Page 141: ...h authentication request Access Manager caches CRLs so the revoked status of a newly revoked certificate is not picked up until the next cache refresh For higher security requirements use OCSP validat...

Page 142: ...and the intermediate certificates in the chain are in the trust store the Identity Server only validates the client leaf certificate If the trust store only contains the root certificate the browser...

Page 143: ...s filled in with the certificate name of the user certificate When Auto Provision X509 is enabled and the attribute that is used for subject name mapping is changed from the default sasAllowableSubjec...

Page 144: ...zero 0 or with a hexadecimal notation 0x If the serial number is 0x0BAC05 the value of the serial number in the attribute must be BAC05 The certificate number is displayed in Internet Explorer with a...

Page 145: ...4 1 1 Updating an Identity Server Configuration on page 318 6 Update any associated Access Gateways to read the new authentication contract 7 Assign the contract to protect resources See Configuring P...

Page 146: ...dd more than one property 6 Click Next 7 Conditional If you selected the Use Radius option configure the Radius properties For information about the configuration options see Section 4 1 Configuring f...

Page 147: ...tected resources to use the contract for authentication When the users supply the OpenID they are granted access if the Identity Server has been configured to trust the provider of the OpenID server 1...

Page 148: ...e attribute specified in the LDAP Attribute Name option On subsequent logins the Identity Server can identify the user by using the specified attribute and the user is not prompted for additional info...

Page 149: ...or RADIUS Authentication on page 139 X 509 See Configuring Mutual SSL X 509 Authentication on page 140 OpenID See Configuring for OpenID Authentication on page 147 Smart Card See Configuring Access Ma...

Page 150: ...www novell com documentation iasclient30x nescm_install data bookinfo html Provision your smart card according to your company policy Make sure you have a basic Access Gateway configuration with a pro...

Page 151: ...and fill the following fields Name The display name for the LDAP directory server for example nescm_server IP Address The IP address of the LDAP directory server The port is set automatically to the...

Page 152: ...od The following sections describe these tasks Creating an NMAS Class for NESCM on page 152 Creating a Method to Use the NMAS Class on page 153 Creating an Authentication Contract to Use the Method on...

Page 153: ...th Creating a Method to Use the NMAS Class on page 153 Creating a Method to Use the NMAS Class When you create a method you can specify property values that are applied to just this method and not the...

Page 154: ...lect the user store created in Section 4 6 2 Creating a User Store on page 150 then click the left arrow to move this user store into the User stores list Leave other settings on this page unchanged 5...

Page 155: ...a card for the contract by filling in the following fields ID Optional Specify an alphanumeric value that identifies the card If you need to reference this card outside of the Administration Console y...

Page 156: ...to Use the Method on page 154 If the contract is not listed make sure you have updated the changes to the servers first to the Identity Server and then the Access Gateway If you have multiple Identit...

Page 157: ...user for the token Verify that you have configured the class and method correctly See Creating an NMAS Class for NESCM on page 152 and Creating a Method to Use the NMAS Class on page 153 Certificate...

Page 158: ...158 Novell Access Manager 3 1 SP2 Identity Server Guide novdocx en 16 April 2010...

Page 159: ...for extending a Kerberos single sign on environment to Web transactions and services It lets peers determine which GSSAPI mechanisms are shared and lets them select one and establish a security contex...

Page 160: ...indows XP with Internet Explorer 7 or 8 Some minimal testing has been done with Internet Explorer 6 To make Kerberos work with Internet Explorer 6 you need to enable integrated Windows authentication...

Page 161: ...n the Active Directory Server The Identity Server can communicate with only one KDC identified by IP address in the configuration This limitation is caused by the underlying Sun JGSS and limits the Id...

Page 162: ...ple configuration this is amser 4 Click Next and configure the password and its options Password Specify a password for this user Confirm password Enter the same password User must change password at...

Page 163: ...urity Windows Server 2008 C Program Files x86 Novell jre lib security 3 If the cluster contains multiple Identity Servers copy the keytab file to each member of the cluster 5 2 4 Adding the Identity S...

Page 164: ...or Kerberos Transactions Enabling logging is not required but it is highly recommended If Kerberos authentication does not function after you have finished the configuration tasks the first step in so...

Page 165: ...Directory user store add a replica In the Server replicas section click New 5a Fill in the following fields Name Specify a name of the replica for reference This can be the name of your Active Directo...

Page 166: ...ashes for example C Program Files Novell jre lib security Instructions for creating this file are in Creating the bcsLogin Configuration File on page 168 Kerberos KDC Specify the IP address of the Act...

Page 167: ...In the Local page click Contracts New 11 Fill in the following fields Display name Specify a name that you can use to identify this method URI Specify a value that uniquely identifies the contract fro...

Page 168: ...Tab need to specify unique information for your configuration The principal line needs to specify the service principle name for the Identity Server The keyTab line needs to specify the location of th...

Page 169: ...Kerberos and verify that a subsequent line contains a Commit Succeeded phrase For the configuration example the lines look similar to the following principal s key obtained from the keytab principal...

Page 170: ...rowser Specify a comma delimited list of trusted domains or URLs For this example configuration you would add http amser provo novell com to the list 4d If the deployed SPNEGO solution is using the ad...

Page 171: ...orer 7 x To access this option click Tools Internet Options Security Custom Level then scroll down to User Authentication 5 5 Configuring the Access Gateway for Kerberos Authentication If you have set...

Page 172: ...172 Novell Access Manager 3 1 SP2 Identity Server Guide novdocx en 16 April 2010...

Page 173: ...tributes you specify on the Identity Server are used in attribute requests and responses depending on whether you are configuring a service provider request or identity provider response Attribute set...

Page 174: ...ext 4 To add an attribute to the set click New 5 Fill in the following fields Specify the attribute Select from the following Local Attribute Select an attribute from the drop down list of all server...

Page 175: ...select none If you want an identity provider to use a default namespace select none The urn oasis names tc SAML 1 0 assertion value is sent as the default If you are defining an attribute set for Car...

Page 176: ...are destroyed Use the attributes in the assertion to match a user in the local user store When you want the service provider to take this action you need to create a user matching expression Use the...

Page 177: ...he name of an existing user matching expression 3 Specify a name for the user lookup expression 4 Click the Add Attributes icon plus sign then select attributes to add to the logic group Use the Shift...

Page 178: ...should match the policy that uses it For a Form Fill policy the entry name should match a form field name For an Identity Injection policy the entry name should match the Custom Header Name For more...

Page 179: ...The X 500 commonName attribute which contains a name of an object If the object corresponds to a person it is typically the person s full name departmentNumber Identifies a department within an organi...

Page 180: ...4 bit attribute data encoding click an attribute s check box then click one of the following links Set Encode Specifies that LDAP returns a raw format of the attribute rather than binary format which...

Page 181: ...need to be placed in an image set that allows the browser to display the image associated with the requested locale If the browser requests a locale for which you have not defined an image the All Loc...

Page 182: ...182 Novell Access Manager 3 1 SP2 Identity Server Guide novdocx en 16 April 2010...

Page 183: ...n page 216 Section 7 11 Using the Intersite Transfer Service on page 217 About SAML and Liberty For information about how Access Manager uses SAML see Appendix B Understanding How Access Manager Uses...

Page 184: ...to the trusted partner s identity provider or service provider in your Identity Server configuration You can obtain metadata via a URL or an XML document then enter it in the system when you create t...

Page 185: ...TPS 3 Administrators must exchange Identity Server metadata with the trusted partner Metadata is generated by the Identity Server and can be obtained via a URL or an XML document then entered in the s...

Page 186: ...r has been configured to trust 1 In the Administration Console click Devices Identity Servers Edit Identity Providers 2 To specify identity provider settings fill in the following fields Show logged o...

Page 187: ...entity Server 7 2 2 Configuring the General Identity Consumer Options The following options affect all identity consumers service providers that the Identity Server has been configured to trust 1 In t...

Page 188: ...be restarted whenever you assign an Identity Server to a configuration and whenever you update a certificate key store See Section 1 3 3 Managing the Keys Certificates and Trust Stores on page 29 3 Cl...

Page 189: ...for which you want to set a level create a property for that class 3a Set the Property Name to the name of the class For example use one of the following urn oasis names tc SAML 2 0 ac classes Previo...

Page 190: ...vider to authenticate the user and the Identity Server acts as a service provider When you create a trusted service provider you are configuring the Identity Server to provide authentication for the s...

Page 191: ...Console are on different machines use HTTP to import the metadata If you are required to use HTTPS with this configuration you must import the trusted root certificate of the provider into the trust...

Page 192: ...f the user has already authenticated and the credentials satisfy the requirements of this contract the user is passively authenticated If the user s credentials do not satisfy the requirements of this...

Page 193: ...cate of the provider into the trust store of the Administration Console You need to use the Java keytool to import the certificate into the cacerts file in the security directory of the Administration...

Page 194: ...Metadata URL Specify the metadata URL for a trusted provider The system retrieves protocol metadata using the specified URL Examples of metadata URLs for an Identity Server acting as an identity provi...

Page 195: ...ify the image to be displayed on the card Select the image from the drop down list To add an image to the list click Select local image Show Card Determine whether the card is shown to the user which...

Page 196: ...ult certificate see Section 1 3 3 Managing the Keys Certificates and Trust Stores on page 29 Mutual SSL This method is probably the fastest method and if you are fine tuning your system for performanc...

Page 197: ...Relies upon message signing using a digital signature Mutual SSL Specifies that this trusted provider provides a digital certificate mutual SSL when it sends a SOAP message SSL communication requires...

Page 198: ...gnature Mutual SSL Specifies that this trusted provider provides a digital certificate mutual SSL when it sends a SOAP message SSL communication requires only the client to trust the server For mutual...

Page 199: ...re Mutual SSL Specifies that this trusted provider provides a digital certificate mutual SSL when it sends a SOAP message SSL communication requires only the client to trust the server For mutual SSL...

Page 200: ...uses the attributes that you have selected The request asks the identity provider to provide values for these attributes You can then use these attributes to create policies to match user accounts or...

Page 201: ...se these attributes to identify the user to create policies to match user accounts or if it allows provisioning to create a user accounts on the service provider 1 In the Administration Console click...

Page 202: ...resources and how the policies are defined However if the LDAP values are gathered at authentication one LDAP query can retrieve all the needed values for the user 1 In the Administration Console clic...

Page 203: ...click the Metadata tab This page displays the current metadata the trusted provider is using 3 To reimport the metadata 3a Copy the URL in the providerID field Liberty or the entityID SAML 3b SAML 1 1...

Page 204: ...e trusted provider 1 In the Administration Console click Devices Identity Servers Edit SAML 1 1 Identity Provider Metadata You can reimport the metadata see Step 2 or edit it see Step 4 2 To reimport...

Page 205: ...ionService section of the metadata 6 To specify signing certificate settings fill in the following fields Attribute authority Specifies the signing certificate of the partner SAML 1 1 attribute author...

Page 206: ...es that authentication assertions from the trusted provider must be signed Artifact consumer URL Specifies where the partner receives incoming SAML artifacts For example https dns 8443 nidp saml spass...

Page 207: ...ntication Card Authentication Request 2 Configure the federation options Allow Federation Determines whether federation is allowed The federation options that control when and how federation occurs ca...

Page 208: ...request can be proxied Force authentication at Identity Provider Specifies that the trusted identity provider must prompt users for authentication even if they are already logged in Use automatic int...

Page 209: ...this selection is made When the identity provider sends a response to the service provider the user needs to be identified on the service provider If you enable this option make sure you configure a u...

Page 210: ...he authentication request to another identity provider A value of None specifies that the trusted identity provider cannot redirect an authentication request Values 1 5 determine the number of times t...

Page 211: ...e than one is found the user is presented with the matching cards and is allowed to select the contract If a match is not found the user is denied access Minimum Indicates that the contract must be as...

Page 212: ...1 1 respond to the Intersite Transfer Service For configuration information see one of the following Section 7 9 1 Configuring the Liberty Authentication Response on page 212 Section 7 9 2 Configuring...

Page 213: ...entifier is sent when the request from the service provider does not specify a format 5 To specify that this Identity Server must authenticate the user disable the Use proxied requests option When the...

Page 214: ...es between sessions can be sent E mail Specifies that an e mail attribute can be used as the identifier Kerberos Specifies that a Kerberos token can be used as the identifier X509 Specifies that an X...

Page 215: ...Identity Server The Identity Server then sends the response to the service provider 7 Click OK twice then update the Identity Server 7 9 3 Configuring the SAML 1 1 Authentication Response You can spe...

Page 216: ...ou do not assign a value the Identity Server creates one for its internal use The internal value is not persistent Whenever the Identity Server is rebooted it can change A specified value is persisten...

Page 217: ...L URL for site a id ID of target For example https idp sitea novell com 8443 nidp saml idpsend id 206test The target and the target ID are specified in the service provider configuration at the identi...

Page 218: ...443 nidp saml2 metadata Liberty https idp siteb novell com 8443 nidp idff metadata If you are setting up federations with a third party service provider search its documentation for the URL or locatio...

Page 219: ...for a card to appear as a login option you must specify a Login URL and select the Show Card option Figure 7 4 illustrates a possible configuration that requires the Intersite Transfer Service for th...

Page 220: ...this Web page are configured with the URL of the Intersite Transfer Service of the identity provider to be used for authentication Clicking these links directs the user to the appropriate identity pro...

Page 221: ...Service 2 Fill in the following ID Optional Specify an alphanumeric value that identifies the target If you specified an ID for the target you can use this value to simplify the Intersite Transfer URL...

Page 222: ...t in the URL you need to specify the target in this field Allow any target If this option is selected the user can use the target that was specified in the Intersite Transfer URL If this option is not...

Page 223: ...Gateway Protected Resources on page 242 Section 8 7 Managing CardSpace Trusted Providers on page 242 Section 8 8 Managing Card Templates on page 244 Section 8 9 Configuring Authentication Cards on pa...

Page 224: ...ed in the token Figure 8 1 illustrates that the provider for the identity and token can be either an identity provider when a managed card is selected or the CardSpace client when a personal card is s...

Page 225: ...te set created for CardSpace is dependent upon this profile Click Identity Servers Edit Liberty Web Service Provider Select the Personal Profile then click Enable Apply Update the Identity Server Reco...

Page 226: ...Microsoft NET Framework 3 5 http www microsoft com downloads details aspx FamilyId 333325FD AE52 4E35 B531 508D977D32A6 displaylang en 1b Install the package 1c To verify that it has been installed c...

Page 227: ...hen enable the site and install the add on 5 Download the appropriate selector for your OS For SLES 10 with 32 bit hardware select Download DigitalMe for SUSE Linux Enterprise 10 i586 and save it as a...

Page 228: ...gure the Identity Server to be a relying party and then allow the user to log in to the Identity Server by using a personal card Figure 8 3 illustrates this process Figure 8 3 Using a Personal Card to...

Page 229: ...ailable attribute list select the attributes that you want the card to return and move them to the Required attribute list For this scenario move Common First Name and Personal Private Identifier to t...

Page 230: ...to configure a trusted relationship between the relying party and the identity provider so that a user can authenticate to the relying party with a managed card Prerequisite on page 230 Configuring a...

Page 231: ...equests a security token For this scenario do not enable this option because the instructions haven t explained how to configure this option for the relying party Allow Users to Back a Managed Card Us...

Page 232: ...he Identity Server and have a file containing the public key of the signing certificate of the Identity Server 1 To obtain the public key certificate of the identity provider 1a Log in to the Administ...

Page 233: ...ou want the card to return and move them to the Required attribute list For this scenario move Common First Name and Personal Private Identifier to the Required attribute list The Personal Private Ide...

Page 234: ...ard Continue with Section 8 3 3 Authenticating with a Managed Card Backed by a Personal Card on page 234 Managed cards can be used to access resources protected by the Access Gateway For configuration...

Page 235: ...ing as the relying party you need to define how you want the user to authenticate This involves defining who can issue the credentials and what credentials are required Section 8 4 1 Defining an Authe...

Page 236: ...ither a personal card or a managed card from any trusted provider A trusted provider is a provider that is listed in the trusted provider list See Section 8 4 2 Defining a Trusted Provider on page 237...

Page 237: ...tributes for setting up a user account See Section 11 3 Defining the User Provisioning Method on page 282 Attribute matching Select this option when you want to use attributes to match an identity ser...

Page 238: ...ders page click New then fill in the following fields Name Specify a display name for the provider This name appears in the list of trusted providers that you can select for an authentication card pro...

Page 239: ...ity Servers Edit CardSpace 2 Click Configuration 3 Specify a value for the relying party maximum age 4 Click Apply then update the Identity Server 8 4 4 Defederating after User Portal Login If you wan...

Page 240: ...n Service STS which controls what claims are available what authentication method can be used to validate the credentials on the card and whether a name identifier is added to the SAML assertion 1 In...

Page 241: ...ing fields Name Specify a display name for the template Description Specify the text to be displayed on the card This can contain information about how the card can be used or the type of resource tha...

Page 242: ...ersonal card to log in If you select a profile that is configured for a managed card the user can supply a managed card to log in 6 Click User Identification then configure the following fields Satisf...

Page 243: ...s the following value https test lab novell com 8443 nidp sts services Trust Identity Provider Specify the signing certificate of the Identity Server You need to export the public key certificate to a...

Page 244: ...eld so it might be blank 2 Select from the following actions New To create a new managed card template click New For configuration details see Section 8 8 1 General Template Details on page 244 Delete...

Page 245: ...tribute set select New Attribute Set If the set you have created for CardSpace is not listed you need to configure the STS to use the set Click Identity Servers Edit STS Attribute Sets to manage the c...

Page 246: ...le or to modify an existing profile 1 In the Administration Console click Devices Identity Servers Edit CardSpace Authentication Card Profiles New Name of Profile 2 Configure the following fields Name...

Page 247: ...t to the Optional Attribute list 3 Select one of the following actions If you are creating a profile click Next Continue with Section 8 9 3 Configuring User Identification on page 247 If you have fini...

Page 248: ...ensure that the account matches 4 Conditional If you selected a user identification method that requires a matching method or a provision setting configure the required method Provisioning Settings A...

Page 249: ...05 identity claims namespace A CardSpace attribute set has been created that can be used as is or modified to match claims you want to share For more information about CardSpace claims see Understandi...

Page 250: ...tication Request page to select the format for the name identifier that is returned in the SAML assertion The selected attribute sets Identity Servers Edit STS Attribute Sets determine the values that...

Page 251: ...r on page 269 Section 10 5 Modifying a WS Federation Service Provider on page 273 10 1 Using the Identity Server as an Identity Provider for ADFS The Identity Server can provide authentication for res...

Page 252: ...ration on page 254 Enabling the Attribute Set on page 254 Creating a WS Federation Service Provider on page 255 Configuring the Name Identifier Format on page 256 Setting Up Roles for ClaimApp and Tok...

Page 253: ...lect an image such as Form Auth Username Password This is the default image for the Name Password Form contract Show Card Enable this option so that the card can be presented to the user as a login op...

Page 254: ...ext 4 To add a mapping for the mail attribute 4a Click New 4b Fill in the following fields Local attribute Select LDAP Attribute mail LDAP Attribute Profile Remote attribute Specify emailAddress This...

Page 255: ...federation treyresearch This is the value that the ADFS server provides to the Identity Server in the realm parameter of the query string This value is specified in the Properties of the Trust Policy...

Page 256: ...g fields Attribute set Select the WS Federation attribute set you created Send with authentication Move the All Roles attribute to the Send with authentication list 3 Click Apply then click Authentica...

Page 257: ...he Select Trusted Root s icon This adds the trusted root of the ADFS signing certificate to the Trust Store 4 On the Select Trusted Roots page select the trusted root or certificate that you want to i...

Page 258: ...ovider and the service provider must be configured to trust the other provider This task sets up the trust between the ADFS server and the Identity Server 1 In the Active Directory Federation Services...

Page 259: ...Mapping with the following values Incoming group claim name Specify TokenApp Organization group claim Specify Adatum TokenApp Claim 4 Continue with Disabling CRL Checking on page 259 Disabling CRL Che...

Page 260: ...10 1 4 Troubleshooting Turning On Logging on the ADFS server on page 260 Common Errors on page 260 Turning On Logging on the ADFS server If you see the message Server Error in adfs Application display...

Page 261: ...the correct namespace for WSFed CRL Errors 2008 08 01T19 56 55 WARNING VerifyCertChain Cert chain did not verify error code was 0x80092012 2008 08 01T19 56 55 ERROR KeyInfo processing failed because...

Page 262: ...ver and gives the user the option of logging in at the Active Directory Federation Services server 4 The user logs into the Active Directory Federation Services server and is provided a token 5 The to...

Page 263: ...ML 1 1 Liberty and SAML 2 0 enabled by default In order to use the WS Federation protocol it must be enabled on the Identity Server Because the WS Federation Protocol uses the STS Secure Token Service...

Page 264: ...inue with Modifying the User Identification Specification on page 264 Modifying the User Identification Specification The default settings for user identification are set to do nothing The user can au...

Page 265: ...by step guide uses self signed certificates for signing it is the same certificate in both the trust store and in the relationship To import the ADFS signing certificate s trusted root or the certifi...

Page 266: ...is in this list 4 Navigate to Active Directory by clicking Federation Services Trust Policy Account Stores 5 Enable the E mail Organizational Claim 5a Right click this claim then select Properties 5b...

Page 267: ...rds select the Adatum contract 3 Conditional If you are not joined to the Adatum domain enter a username and password in the browser pop up Use a name and a password that are valid in the Adatum domai...

Page 268: ...s not load the definition However the definition is not deleted Modify Click the name of a provider For configuration information see Section 10 4 Modifying a WS Federation Identity Provider on page 2...

Page 269: ...ls Logout URL Optional Specify the URL that the user can use for logging out The default value is https adfsresource treyresearch net adfs ls Service Provider Specify the path to the signing certifica...

Page 270: ...ute specified at the service provider 2a Specify a set name then click Next 2b On the Define Attributes page click New 2c Select a local attribute 2d Specify the name of the remote attribute 2e For th...

Page 271: ...and used with subsequent logins When federation is not enabled a new account is created every time the user logs in This option requires that you specify a user provisioning method Attribute matching...

Page 272: ...ation Console click Devices Identity Servers Edit WS Federation Identity Provider Metadata Edit 2 Configure the following fields Provider ID This is the provider ID The ADFS server provides this value...

Page 273: ...explains how to modify a WS Federation service provider after it has been created Section 10 3 2 Creating a Service Provider for WS Federation on page 269 explains the steps required to create the ser...

Page 274: ...contain an identifier for the user If you do not own the service provider you need to contact the administrator of the service provider and negotiate whether the user needs to be identified and how to...

Page 275: ...licy on the ADFS server The label is Federation Services endpoint URL The default value is https adfsresource treyresearch net adfs ls ssoUrl This is the logout URL The default value is https adfsreso...

Page 276: ...ps adfsresource treyresearch net adfs ls The ADFS server makes no distinction between the login URL and the logout URL 3 If you need to import a new signing certificate click the Browse button and fol...

Page 277: ...ion 11 1 Defining User Identification for Liberty and SAML 2 0 on page 277 Section 11 2 Defining User Identification for SAML 1 1 on page 280 Section 11 3 Defining the User Provisioning Method on page...

Page 278: ...tribute matching Select this option when you want to use attributes to match an identity server account with a service provider account This option requires that you specify a user matching method Pro...

Page 279: ...ssions on page 176 5 Specify what action to take if no match is found Do nothing Specifies that an identity provider account is not matched with a service provider account This option allows the user...

Page 280: ...der to uniquely identify a user on the service provider 1 In the Administration Console click Devices Identity Servers Edit SAML 1 1 Identity Provider User Identification 2 In the Satisfies contract o...

Page 281: ...K twice 6 Update the Identity Server 11 2 2 Configuring the Attribute Matching Method for SAML 1 1 A user matching expression is a set of logic groups with attributes that uniquely identify a user Use...

Page 282: ...Defining the User Provisioning Method If you have selected Provision account as the user identification method or have created an attribute matching setting that allows for provisioning when no match...

Page 283: ...or SAML 2 0 Identity Provider User Identification 2 Click the Provisioning settings icon 3 Select the required attributes from the Available Attributes list and move them to the Attributes list Requir...

Page 284: ..._02 as shown in the following illustration Use the following settings to specify how this is accomplished Segment 1 The required attribute to use as the first segment for the user name The values disp...

Page 285: ...hether to prompt the user for a password or to create a password automatically Min password length The minimum length of the password Max password length The maximum length of the password Prompt for...

Page 286: ...hat are either too short or too long Username unavailable The provisioned user account was deleted without first defederating the user Remove orphaned identity objects from the configuration datastore...

Page 287: ...for the identity provider and the service provider The Artifact binding provides an increased level of security by using a back channel means of communication between the two servers during authentic...

Page 288: ...when the user logs in Select one or more of these methods for the identity provider and the identity consumer The Artifact binding provides an increased level of security by using the back channel fo...

Page 289: ...t A browser based method that uses HTTP 302 redirects or HTTP GET requests to communicate requests from this identity site to the service provider SAML messages are transmitted within URL parameters S...

Page 290: ...290 Novell Access Manager 3 1 SP2 Identity Server Guide novdocx en 16 April 2010...

Page 291: ...ry Service The service assigned to an identity provider that enables a Web Service Consumer to determine which Web service provider provides the required resource LDAP Attribute Mapping Access Manager...

Page 292: ...To delete an existing profile select the profile then click Delete Enable To enable a profile select the profile then click Enable Disable To disable a profile select the profile then click Disable Ed...

Page 293: ...vice provider to cooperate in redirecting the resource owner to the Web service provider and back to the Web service consumer 3 Click OK 4 On the Servers page update the Identity Server 13 2 1 Modifyi...

Page 294: ...u have mapped a Liberty attribute to an LDAP attribute in your user store the values can be read from the LDAP user store To create LDAP attribute maps see Section 13 6 Mapping LDAP and Liberty Attrib...

Page 295: ...r XML definitions of data model extensions in this field Data model extensions hook into the existing Web service data model at predefined locations All schema model extensions reside inside of a sche...

Page 296: ...he profile or service 3 Click Descriptions 4 Click the description name or click New 5 Fill in the following fields Name The Web Service Description name Security Mechanism Required Liberty uses chann...

Page 297: ...e containing the service description URIs need to be constant across all implementations of a service to enable interoperability 7 Click OK 8 Update the Identity Server configuration 13 2 4 Editing We...

Page 298: ...are displayed in the Inherited column If you want the user to have Write permission for a given data item and that data item is used in an LDAP Attribute Map then you must configure the LDAP Attribute...

Page 299: ...ted from the settings in the Administration Console Thereafter inheritance can come from the service policy or the parent data item s policy Ask Me Specifies that the service provider requests from th...

Page 300: ...Profile Details page you can specify whether this profile is displayed for end users and determine how you control and store encrypted secrets You can store and access secrets locally on remote eDirec...

Page 301: ...y a user The Discovery Service returns a list of resource IDs when a trusted service provider queries for the services owned by a given user The Discovery Service has the option of encrypting the reso...

Page 302: ...You only need to configure the fields in Step 5a To store the secrets in your LDAP user store click New in Extended Schema User Store References and configure the following fields User Store Select a...

Page 303: ...ed Web services consumers or by a dedicated interaction service provider that has a reliable means of communication with the users 1 In the Administration Console click Devices Identity Servers Edit L...

Page 304: ...ributes You can create an LDAP attribute map or edit an existing one To create an attribute map you specify how single value and multi value data items map to single value and multi value LDAP attribu...

Page 305: ...rious Liberty values to map to any LDAP attribute names that you use 1 In the Administration Console click Devices Identity Servers Edit Liberty LDAP Attribute Mapping New One to One 2 Configure the f...

Page 306: ...tributes that you can map to the single valued LDAP attributes that you have defined for your directory Mapping Personal Profile Multiple Value Data Items to LDAP Attributes Use the fields on this pag...

Page 307: ...Hire Job Start Date Department and so on Mapping Employee Profile Multiple Value Data Items to LDAP Attributes Map the Liberty Employee Profile multiple value attributes to the LDAP attributes you hav...

Page 308: ...n the same way you use any other profile attribute Mapping Custom Profile Multiple Value Data Items to LDAP Attributes Customizable Multi Valued Strings 1 5 Similar to customizable strings for single...

Page 309: ...LDAP attribute name that you want to map to the Liberty Employee Type attribute 4 In the LDAP Attribute Value fields type the predefined LDAP attribute values that you want to map to the Liberty Empl...

Page 310: ...e user store that a map applies to If a user logs into a user store that is not in the map s user store list that map is not used to read or write attributes for that user 3 In the LDAP Attribute Name...

Page 311: ...s to Read Write you can specify rights for individual data items In order for user provisioning to succeed you must select Read Write from the Access Rights drop down menu for any maps that use an att...

Page 312: ...ition in Delimited LDAP Attribute specify the order in which the information is contained in the string Select 1 for the value that comes first in the string 2 for the value that follows the first del...

Page 313: ...n the following fields to map to the Liberty Contact Method attribute Provider LDAP Attribute Maps to the Liberty attribute MsgProvider which is the service provider or domain that provides the messag...

Page 314: ...down menu that provide the broadest control for the page If you set this to Read Write you can specify rights for individual data items In order for user provisioning to succeed you must select Read...

Page 315: ...ame you want to give the map Description A description of the map Access Rights A drop down menu that provide the broadest control for the page If you set this to Read Write you can specify rights for...

Page 316: ...re the values that you want to store in the LDAP attribute for each given Liberty attribute value The LDAP attribute map then maps the actual Liberty URI value back and forth to this supplied value 5...

Page 317: ...on 14 9 Viewing the Command Status of the Identity Server on page 343 Section 14 10 Tuning the Identity Server for Performance on page 344 14 1 Managing an Identity Server The Identity Servers page is...

Page 318: ...you to update the configuration An Update Servers status is displayed under the Status column on the Servers page You must click Update Servers to update the configuration so that your changes take ef...

Page 319: ...ifferent directory is not recommended because the system does not detect the change A user received authentication from an identity provider that is no longer trusted This occurs if you remove a trust...

Page 320: ...All administrative and end user actions and events are logged to a central event log This allows easy access to this information for security and operational purposes Additionally the log system provi...

Page 321: ...the Access Gateway is on Linux do not specify a path In a mixed platform environment you must use the default path Maximum Log Files Specifies the maximum number of Identity Server XML log files to le...

Page 322: ...tatistical data such as counts levels and so on are included in the file log 4a In the Statistics Logging section select Enabled 4b In the Log Interval field specify the time interval in seconds that...

Page 323: ...rights to create logging tickets and uses the User Portal to create a logging ticket for the user 4 The operator sends the logging ticket password and the URL to access the logging ticket class to the...

Page 324: ...Property Value cn jdoe o users The Property Value must be the DN of an operator in the user stores you selected in Step 3b Use LDAP typed comma notation for the DN 3d Repeat Step 3c for each IDP Admin...

Page 325: ...User Stores Select the user stores that contain the users that potentially can experience problems then move them to the list of User Stores 3c Click Finish 4 To create the contract 4a Click Contract...

Page 326: ...en a user reports a problem Creating a Logging Ticket on page 326 Enabling a Logging Session on page 327 Viewing the Log File on page 328 Creating a Logging Ticket These steps are performed by an IDP...

Page 327: ...dentity Server including the port Make sure the port agrees with the HTTP scheme either http or https Replace LogSession with the ID you specified for the authentication card when defining the Logging...

Page 328: ...L of the resource that is causing the problem 6 Perform any other actions necessary to create the problem behavior 7 Log out and send your user identifier to the help desk Viewing the Log File These s...

Page 329: ...tity Server Section 14 5 1 Health States on page 329 Section 14 5 2 Viewing the Health Details of an Identity Server on page 330 Section 14 5 3 Viewing the Health Details of a Cluster on page 332 14 5...

Page 330: ...icance of the current state For more information about the icons see Section 14 5 1 Health States on page 329 2 To ensure that the information is current select one of the following Click Refresh to r...

Page 331: ...er 3 1 SP2 Administration Console Guide If you want to convert a secondary console to your primary console see Converting a Secondary Console into a Primary Console in the Novell Access Manager 3 1 SP...

Page 332: ...Administration Console 3 To view health details about a specific member of the cluster click the server s health icon SSL Communication Indicates whether SSL communication is operating correctly This...

Page 333: ...choose Devices Identity Servers 2 In the Statistics column click View 3 Click either of the following options Statistics Select this option to view the statistics as currently gathered The page is st...

Page 334: ...er was started Consumed Authentication Failures The number of failed consumed authentications since the Identity Server was started Logouts The number of explicit logouts performed by users This does...

Page 335: ...number of current cached artifact objects During authentication an artifact is generated that maps to an assertion This cache holds the artifact to assertion mapping until the artifact resolution req...

Page 336: ...nd interval Last Interval Mean Request Duration Milliseconds The mean age of all outgoing HTTP requests that were processed during the last 60 second interval Historical Maximum Request Duration Milli...

Page 337: ...Service changes performed since the Identity Server was started Custom Profile Service Queries The number of Novell Custom Profile Web Service queries performed since the Identity Server was started...

Page 338: ...The number of attempts to use the User Profile object as a data location for a query or a modify of any Web Service since the Identity Server was started A User Profile object is a directory object s...

Page 339: ...of payload examinations and ID broadcasts the lower the performance of the entire system If these numbers are high verify the configuration of the L4 switch Make sure that the session persistence opt...

Page 340: ...r was started Each LDAP replica contains two connection pools the user connection pool and the administration connection pool User connections are used to authenticate users and they are created and i...

Page 341: ...tity Server was started This would result in an LDAP Service Not Available error Connection Waits Aborted Due To Closed Pool The number of times that an LDAP connection wait terminated because of a cl...

Page 342: ...an identity provider User Account Provisioned Generated by the Identity Server when functioning as an identity consumer and when an account has been provisioned User Account Provisioned Failure Genera...

Page 343: ...etry up to 10 times before they fail The first few retries are spaced a few minutes apart then they move to 10 minute intervals These commands can take over an hour to result in a failure As long as t...

Page 344: ...Select one of the following actions Delete To delete a command click Delete Click OK in the confirmation dialog box Refresh To update the current cache of recently executed commands click Refresh 5 Cl...

Page 345: ...s generate more authentication traffic Carefully consider the security requirements for your resources and set limits that meet the requirements If you only need to verify that the users are actively...

Page 346: ...following profiles Personal Profile Employee Profile Custom Profile 3 Either disable the Credential Profile which also disables using Form Fill or Identity Injection with credentials or enable the Cre...

Page 347: ...the Xmx value the default is 1024 with 2048 This allows Java to use 2 GB of memory 5 Find the following line in the file JAVA_OPTS JAVA_OPTS Dnids freemem threshold 0 6 Change the Dnids freemem thresh...

Page 348: ...that there is free memory available so that the other internal Java processes can continue to function When this threshold is reached the user receives a 503 server busy message and a threshold error...

Page 349: ...ing the Identity Server Configuration Port on page 36 netcat A networking utility that reads and writes data across network connections using the TCP IP protocol Netcat is useful for checking connecti...

Page 350: ...54 Section 15 2 6 Testing Whether the Provider Can Access the Metadata on page 356 Section 15 2 7 Manually Creating Any Auto Generated Certificates on page 357 For information about metadata validatio...

Page 351: ...r tries to access the metadata on the identity provider it sends the request to the hostname defined in the base URL configuration of the Identity Server The base URL in the Identity Server configurat...

Page 352: ...tServiceReturnURL To test that the Identity Server can resolve the hostname of the Access Gateway send a ping command with the hostname of the Access Gateway For example from the Identity Server ping...

Page 353: ...name see The Server Certificate Has an Invalid Subject Name on page 356 15 2 4 Certificates in the Required Trust Stores Make sure that the issuers of the Identity Server and Embedded Service Provide...

Page 354: ...same name as the Subject name then this certificate is the root certificate If the Issuer has a different name than the Subject name the certificate is an intermediate certificate in the chain Click...

Page 355: ...Provider Cannot Resolve the Base URL of the Identity Server on page 355 Trusted Roots Are Not Imported into the Appropriate Trusted Root Containers on page 356 The Server Certificate Has an Invalid S...

Page 356: ...failed to load Identity Provider metadata amLogEntry The Server Certificate Has an Invalid Subject Name When the certificate has an invalid subject name the handshake fails In the log entries below t...

Page 357: ...ollowing issues that occur during authentication Section 15 3 1 Authentication Classes and Duplicate Common Names on page 357 Section 15 3 2 General Authentication Troubleshooting Tips on page 358 Sec...

Page 358: ...Access Manager devices to use the Identity Server for authentication click Identity Servers Edit General Configuration Check the properties of the class and method For example the search format on th...

Page 359: ...uthentication class Click Identity Servers Servers Edit Local Classes x 509 Properties Enabling this option provides detailed error messages on the login browser rather than generic messages Ensure th...

Page 360: ...ty with devices that have not been upgraded to Access Manager 3 1 SP1 The devices requiring this old style cookie include Identity Servers that haven t been upgraded and any device with an Embedded Se...

Page 361: ...esources including specifications white papers FAQs and presentations can be found at the Liberty Alliance Resources Web site http www projectliberty org liberty resource_center The following table pr...

Page 362: ...362 Novell Access Manager 3 1 SP2 Identity Server Guide novdocx en 16 April 2010...

Page 363: ...eference Metadata on page 364 Section B 3 Identity Federation on page 364 Section B 4 Authorization Services on page 364 Section B 5 What s New in SAML 2 0 on page 364 Section B 6 Identity Provider Pr...

Page 364: ...t costs because multiple organizations do not need to independently collect and maintain identity related data such as passwords From the end user s perspective this results in an enhanced experience...

Page 365: ...AML service provider The Identity Server at abc com generates the artifact This starts the process of generating and sending the SAML assertion The HREF would look similar to the following http nidp c...

Page 366: ...edirect containing the artifact back to the browser The redirect looks similar to the following http xyz com auth afct TARGET http xyz com index html SAMLArtifact artifact 4 The remote SAML server req...

Page 367: ...d in a SOAP envelope In this example the assertion contains the attributes lastname Jones and phonenumber 555 1212 3 The Identity Server determines which attributes to use when locating the user The I...

Page 368: ...s names for these attributes are lastname and phonenumber respectively c The Identity Server uses the PP service to lookup the values for the user s PP sn and PP ph attributes The Identity Server now...

Page 369: ...chema model extension root or inside of a schema model extension There can only be one group per root or extension Each root is hooked into the existing Web service data model Multiple roots can be ho...

Page 370: ...vell nidp resource NIDPResDesc class Group Element resourceID The resource ID of the display name of the group This resource ID is assumed to be a key in the resource bundle supplied by the resource d...

Page 371: ...value is a signed integer If this attribute is omitted the default value is java lang Integer MAX_VALUE lower optional The lower bound of a numeric value This attribute is only used if the format att...

Page 372: ...in the namespace novell liberty wsf config 1 0 0 and that namespace must be defined on the SchemaExtensions element Normally the namespace prefix wsfc is used An example of data model extension XML is...

Page 373: ...nResourceId PP EXT AU GROUP DESC wsfc Extension name Automobile class Automobile syntax Container resourceId PP EXT Automobile min 0 max UNBOUNDED namingClass AutomobileLicensePlate wsfc Group resourc...

Page 374: ...374 Novell Access Manager 3 1 SP2 Identity Server Guide novdocx en 16 April 2010...

Reviews:

No comments

Related manuals for ACCESS MANAGER 3.1 SP2 - README 2010

IP Office CTI Link

Brand: Avaya Pages: 28

LANDXPLORER 2011 - SYSTEM REQUIREMENTS

Brand: Autodesk Pages: 3

Brand: APPLIED ACOUSTICS SYSTEMS Pages: 70

Brand: Avision Pages: 47

Brand: Sonifex Pages: 68

15606-011408-9008 - MAPGUIDE R6.3 NAMED-100U PK

Brand: Autodesk Pages: 204

BREEZE-CLUSTERING BREEZE LIVE

Brand: MACROMEDIA Pages: 10

COLFUSION MX 7-GETTING STARTED BUILDING COLDFUSION...

Brand: MACROMEDIA Pages: 152

Brand: Xerox Pages: 370

DIRECTOR MX 2004-GETTING STARTED WITH...

Brand: MACROMEDIA Pages: 68

TIVOLI ADSTAR 5697-VM3

Brand: IBM Pages: 62

Brand: Waves Pages: 13

DocuSP 50. Series

Brand: Xerox Pages: 32

Handycam DCR-IP1

Brand: Sony Pages: 82

Handycam DCR-IP220

Brand: Sony Pages: 2

Director-s SYS-503

Brand: Roland Pages: 92

Brand: Dymo Pages: 118

CLIENT SECURITY 9.01 - S

Brand: F-SECURE Pages: 15

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands