Novell ACCESS MANAGER 3.1 SP2 - README 2010 Скачать руководство пользователя страница 42 | Manualshive

Страница: 42 / 374

background image

42

Novell Access Manager 3.1 SP2 Identity Server Guide

n

ov

do

cx (e

n)

16
Ap
ril 20

10

Access Manager allows you to use netHSM to store and manage the signing key pair of the Identity
Server. You must use the Administration Console to store and manage the other Access Manager
certificates. Access Manager uses the Java Security provider of the netHSM server to interact with
the netHSM server.

This section describes the following about the netHSM implementation:



Section 1.6.1, “Understanding How Access Manager Uses Signing and Interacts with the
netHSM Server,” on page 42



Section 1.6.2, “Configuring the Identity Server for netHSM,” on page 44

1.6.1 Understanding How Access Manager Uses Signing and
Interacts with the netHSM Server

The netHSM server provides a signing certificate that is used instead of the one provided by Access
Manager. Requests, responses, assertions, or payloads can be signed when there are interactions
during single sign-on or during attribute queries between service providers and identity providers
using any of the SAML1.1, SAML2, Liberty ID-FF, Liberty ID-WSF, or ID-SIS protocols.



“Access Manager Services That Use the Signing Certificate” on page 42



“Understanding the Interaction of the netHSM Server with Access Manager” on page 43

Access Manager Services That Use the Signing Certificate

The following services can be configured to use signing:



“Protocols” on page 42



“SOAP Back Channel” on page 42



“Profiles” on page 43

Protocols

The protocols can be configured to sign authentication requests.

To view your current configuration:

1

In the Administration Console, click

Devices

>

Identity Servers

>

Edit

.

2

In the

Identity Provider

section, view the setting for the

Require Signed Authentication

Requests

option. If it is selected, all authentication requests from identity providers are signed.

3

In the

Identity Consumer

section, view the settings for the

Require Signed Assertion

s and S

ign

Authentication Requests

options. If these options are selected, assertions and authentication

requests are signed.

SOAP Back Channel

The SOAP back channel is the channel that the protocols use to communicate directly with a
provider. The SOAP back channel is used for artifact resolutions and attribute queries for the
Identity Web Services Framework.

To view your current configuration for the SOAP back channel:

1

In the Administration Console, click

Devices

>

Identity Servers

>

Edit

.

«
...
40
41
42
43
44
...
»

Содержание ACCESS MANAGER 3.1 SP2 - README 2010

Страница 1: ...Novell www novell com novdocx en 16 April 2010 AUTHORIZED DOCUMENTATION Novell Access Manager 3 1 SP2 Identity Server Guide Access Manager 3 1 SP2 June 29 2010 Identity Server Guide...

Страница 2: ...nd the trade laws of other countries You agree to comply with all export control regulations and to obtain any required licenses or classification to export re export or import deliverables You agree...

Страница 3: ...Trademarks For Novell trademarks see the Novell Trademark and Service Mark list http www novell com company legal trademarks tmlist html Third Party Materials All third party trademarks are the prope...

Страница 4: ...4 Novell Access Manager 3 1 SP2 Identity Server Guide novdocx en 16 April 2010...

Страница 5: ...guring SAML 2 0 to Sign Messages 35 1 4 7 Blocking Access to Identity Server Pages 36 1 5 Translating the Identity Server Configuration Port 36 1 5 1 Changing the Port on a Windows Identity Server 36...

Страница 6: ...Page 136 4 Configuring Advanced Local Authentication Procedures 139 4 1 Configuring for RADIUS Authentication 139 4 2 Configuring Mutual SSL X 509 Authentication 140 4 2 1 Configuring Attribute Mappin...

Страница 7: ...urity 196 7 5 1 Configuring Communication Security for Liberty and SAML 1 1 197 7 5 2 Configuring Communication Security for a SAML 2 0 Identity Provider 197 7 5 3 Configuring Communication Security f...

Страница 8: ...e 241 8 6 Using CardSpace Cards for Authentication to Access Gateway Protected Resources 242 8 7 Managing CardSpace Trusted Providers 242 8 7 1 CardSpace Identity Provider Wizard 243 8 7 2 Renaming th...

Страница 9: ...1 Selecting a User Identification Method for SAML 1 1 280 11 2 2 Configuring the Attribute Matching Method for SAML 1 1 281 11 3 Defining the User Provisioning Method 282 11 4 User Provisioning Error...

Страница 10: ...work 337 14 6 9 Clustering 339 14 6 10 LDAP 340 14 7 Enabling Identity Server Audit Events 341 14 8 Monitoring Identity Server Alerts 343 14 9 Viewing the Command Status of the Identity Server 343 14...

Страница 11: ...ng with Liberty 363 B 2 Trusted Provider Reference Metadata 364 B 3 Identity Federation 364 B 4 Authorization Services 364 B 5 What s New in SAML 2 0 364 B 6 Identity Provider Process Flow 365 B 7 SAM...

Страница 12: ...12 Novell Access Manager 3 1 SP2 Identity Server Guide novdocx en 16 April 2010...

Страница 13: ...317 Chapter 15 Troubleshooting the Identity Server and Authentication on page 349 Appendix A About Liberty on page 361 Appendix B Understanding How Access Manager Uses SAML on page 363 Appendix C Data...

Страница 14: ...Documentation Before proceeding you should be familiar with the Novell Access Manager 3 1 SP2 Installation Guide and the Novell Access Manager 3 1 SP2 Setup Guide which provide information about insta...

Страница 15: ...ontrol on page 27 Section 1 3 Configuring Secure Communication on the Identity Server on page 27 Section 1 4 Security Considerations on page 32 Section 1 5 Translating the Identity Server Configuratio...

Страница 16: ...ails on page 24 Section 1 1 6 Removing a Server from a Cluster Configuration on page 25 Section 1 1 7 Enabling and Disabling Protocols on page 25 Section 1 1 8 Modifying the Base URL on page 26 1 1 1...

Страница 17: ...1 In the Administration Console click Devices Identity Servers 2 Select the Identity Server s check box then click New Cluster Selecting the server is one way to assign it to the cluster configuration...

Страница 18: ...l Default ports are 8080 for HTTP or 8443 for HTTPS If you want to use port 80 or 443 specify the port here If you are configuring a Linux Identity Server you must also configure the operating system...

Страница 19: ...h a logout the user cannot log in again until the session timeout expires for one of the sessions When enabled this option affects performance in a cluster with multiple Identity Servers When a user i...

Страница 20: ...entication credentials WS Federation Allows disparate security mechanisms to exchange information about identities attributes and authentication 9 To continue creating the Identity Server configuratio...

Страница 21: ...re defined for the server 1 In the Administration Console click Devices Identity Servers 2 On the Servers page select the server s check box You can select all displayed servers by selecting the top l...

Страница 22: ...on server using port 8080 has the following TCP ports open 8443 secure Administration Console 7801 1 for back channel communication with cluster members You need to open two consecutive ports such as...

Страница 23: ...ibutes Configuring Session Failover 1 In the Administration Console click Devices Identity Servers 2 In the list of clusters and Identity Servers click the name of an Identity Server cluster 3 Click t...

Страница 24: ...a communications channel over which the cluster members maintain the integrity of the cluster For example this TCP channel is used to detect new cluster members as they join the cluster and to detect...

Страница 25: ...he cluster configuration The configuration however remains intact and can be reassigned later or assigned to another server 1 In the Administration Console click Devices Identity Servers 2 Select the...

Страница 26: ...fy the base URL and reestablish trust relationships 1 In the Administration Console click Devices Identity Servers Edit 2 Change the protocol domain port and application settings as necessary 3 Click...

Страница 27: ...time with certificates from a trusted certificate authority Connector The test connector certificate is used when you establish SSL communication between the Identity Server and the browsers and betwe...

Страница 28: ...ser store For configuration information see Section 3 1 Configuring Identity User Stores on page 104 This section describes the following tasks Section 1 3 1 Viewing the Services That Use the Signing...

Страница 29: ...utualTLS Message X509 has been selected as the security mechanism signing has been enabled for the profile 1 3 2 Viewing Services That Use the Encryption Key Pair All of the Liberty Web Service Provid...

Страница 30: ...Click Replace to replace the signing certificate SSL Required Displays the SSL connector keystore Click this link to access the keystore and replace the connector certificate Provider Displays the ID...

Страница 31: ...t import the root certificate chain for the other provider Failure to do so causes numerous system errors OCSP Trust Store The Identity Server uses this trust store for OCSP certificates Online Certif...

Страница 32: ...ess Manager 3 1 SP2 Administration Console Guide Be aware of the following options that can increase security Section 1 4 1 Federation Options on page 32 Section 1 4 2 Authentication Contracts on page...

Страница 33: ...hich is recommended for a production environment Any Contract Allows the user to use any contract defined for the Identity Server configuration If you have set up the Access Manager to require SSL con...

Страница 34: ...ps on each Identity Server 1 4 4 Securing the Identity Server Cookie An attacker can spoof a non secure browser into sending a JSESSION cookie that contains a valid user session To stop this from happ...

Страница 35: ...AES256 Because AES128 is the default specifying this value in the web xml file does not change any behavior 3 Save the file and copy it to each Identity Server in the cluster 4 Restart Tomcat on each...

Страница 36: ...uration Port If your Identity Server must communicate through a firewall you must either set up a hole in your firewall for TCP ports 8080 or 8443 default ports used respectively for non secure and se...

Страница 37: ...figuring iptables for Multiple Components on page 39 These sections describe two solutions out of many possibilities For more information about iptables see the following Iptable Tutorial 1 2 2 http i...

Страница 38: ...ho n Flushing all IP Port redirection rules IPT_BIN t nat flush rc_status v restart 0 stop 0 start rc_status echo Usage 0 start stop restart exit 1 esac rc_exit For more information about init scripts...

Страница 39: ...steps on each server in the cluster Configuring iptables for Multiple Components If you need to use iptables for multiple components the host machine the Identity Server or the SSL VPN server you need...

Страница 40: ...that port 443 is being routed to the Identity Server by entering the following command iptables t nat nvL You should see an entry similar to the following pkts bytes target prot opt in out source dest...

Страница 41: ...if the filters have been registered correctly Chain POSTROUTING policy ACCEPT 20987 packets 1266K bytes pkts bytes target prot opt in out source destination 0 0 SNAT all 10 8 0 0 16 0 0 0 0 0 to 10 1...

Страница 42: ...protocols Access Manager Services That Use the Signing Certificate on page 42 Understanding the Interaction of the netHSM Server with Access Manager on page 43 Access Manager Services That Use the Si...

Страница 43: ...name of a profile then click Descriptions 3 Click the Description Name 4 If either Peer entity None Message X509 or Peer entity MutualTLS Message X509 has been selected as the security mechanism signi...

Страница 44: ...ed remote file system with the netHSM client An installed Identity Server assigned to a cluster configuration For instructions on a basic setup that assigns the Identity Server to a cluster configurat...

Страница 45: ...ith the values copied from the anonkneti command 6 Conditional If the Identity Server and the Administration Console are installed on the same machine modify the 9000 and 9001 TCP ports 6a In a text e...

Страница 46: ...initialize synchronization with the remote file system server Linux Enter the following commands opt nfast bin rfs sync update opt nfast bin rfs sync commit Windows Enter the following commands C nfas...

Страница 47: ...y provider 7 sun security jgss SunProvider security provider 8 com sun security sasl Provider 1c Save your changes 2 Add the nfast libraries to the CLASSPATH for Java For a Windows client add the foll...

Страница 48: ...e module protected DignorePassphrase true Required if you want the keystore to be module protected sun security tools KeyTool The name of the keytool command alias A name that helps you identify the k...

Страница 49: ...mypwd keystore A name for the keystore In this sample configuration the name is AMstore jks storepass The password for the keystore In this sample configuration the password is mypwd storetype The typ...

Страница 50: ...should now be issued by the CA you used and the public certificate of the CA should be there as the owner and the issuer 11 Copy the keystore to the idp directory on the Identity Server Linux opt nov...

Страница 51: ...2008 Program Files x86 Novell devman jcc certs idp 13b Make sure the novlwww user has at least read rights 13c Use the netHSM client to synchronize the cluster member with the remote file system serv...

Страница 52: ...lines JAVA_OPTS JAVA_OPTS Dcom novell nidp extern config file var opt novell tomcat5 webapps nidp WEB INF classes externKeystore properties JAVA_OPTS JAVA_OPTS Dprotect module DignorePassphrase true T...

Страница 53: ...p jar C nfast java classes kmjava jar C nfast java classes nfjava jar C nf ast java classes rsaprivenc jar C nfast java classes spp jar 2d Save your changes 3 Add the netHSM certificate configuration...

Страница 54: ...s nidp WEB INF classes If you specified a different location for this file in Step 3 use that location 4b Add the following lines com novell nidp extern signing providerClass com ncipher provider km n...

Страница 55: ...owing text BEGIN CERTIFICATE 6 Delete the ds X509Certificate tag and replace it with the following text END CERTIFICATE 7 Save the file as a text file with a cer extension 8 Open the file in Internet...

Страница 56: ...information on how to change the port see Step 6 on page 45 For other errors consult the netHSM documentation 3 Linux only If the novlwww user does not have rights to the cmdadp log and cmdadp debug...

Страница 57: ...ogs directory 4e Restart Tomcat by entering the following command etc init d novell tomcat5 restart 4f To tail the catalina out file enter the following command tail f var opt novell tomcat5 logs cata...

Страница 58: ...lid values See Step 5 on page 52 Verify that the tomcat5 conf file is configured correctly See Step 4 on page 52 5 Enable netHSM logging This logging feature is very verbose It should be turned on onl...

Страница 59: ...Identity Server to display the correct login page See Section 2 1 2 Configuring the Identity Server to Use Custom Login Pages on page 72 If the custom page doesn t display you need to discover the ca...

Страница 60: ...eed to modify the nidp jsp file The nidp jsp file uses iframes so the devices that your users use for authentication must also support iframes For configuration information see Customizing the nidp js...

Страница 61: ...er can be found in the user store with an identifier other than the username the cn attribute The instructions then explain how to create a contract that uses this method and how to modify the login j...

Страница 62: ...Configure the other options to fit your requirements For information on configuring the other options for a contract see Section 3 4 Configuring Authentication Contracts on page 124 2d Click OK 3 Upd...

Страница 63: ...ser for an e mail address JSP 50 Email Address 7c Translate the value and add this entry to your localized custom properties files 7d Copy the customized properties files to the WEB INF classes direct...

Страница 64: ...ng the available authentication cards The following sections explain how to modify the login page that these JSPs create Rebranding the Header on page 64 Customizing the Card Display on page 66 Custom...

Страница 65: ...Replace the Novell logo on the right of the header see Figure 2 2 5a Locate the following string String hdrLogo AMHeader_logo png 5b Replace the value of the hdrLogo string with the path and the file...

Страница 66: ...n the Authentication Cards section is not by modifying the content jsp file It is by using the Show Card option that appears on the definition of each card If this option is not selected the card does...

Страница 67: ...or an e mail address rather than a username This must be the filename without the JSP extension For example if you name your file email_login jsp then you would specify email_login for the property va...

Страница 68: ...ess 6c Translate the value and add this entry to your localized custom properties files 6d Copy the customized properties files to the WEB INF classes directory of each Identity Server in the cluster...

Страница 69: ...3 Access Manager 3 0 Default Login Page You can change the Novell branding and modify the credential prompts Modifying the Branding in the 3 0 Login Page on page 69 Modifying the Credentials in the 3...

Страница 70: ...appear For example title My World title 6 Remove the Novell N logo 6a Find the following line in the file div id headimage img src request getContextPath images Odyssey_LoginHead gif alt height 80 wi...

Страница 71: ...t for example label style width 100px Email Address label 2c Copy the modified file to each Identity Server in the cluster 2d Update the Identity Server cluster 2e Back up your customized file 3 Condi...

Страница 72: ...ge 73 Using Properties to Specify the Login Page For each resource that needs a unique login page you need to create an authentication method and add the JSP and MainJSP properties to the method You t...

Страница 73: ...each protected resource that you have created a custom contract for select the protected resource then configure it to use the custom contract 5 Update the Access Gateway 6 Conditional If the custom p...

Страница 74: ...owing fields Display name Specify a name for the method You might want to use a name that indicates which login page is assigned to this method Class Select a name password class Configure the other f...

Страница 75: ...contract You might want to use a name that indicates which login page is assigned to this contract URI Specify a value that uniquely identifies the contract from all other contracts No spaces can exi...

Страница 76: ...equals login3 custom3 include file custom3 jsp These else if statements set up three contracts for customized login pages The first else if statement specifies the URI of the login1 contract and confi...

Страница 77: ...at you have created a custom login page for assign that resource to use the contract that is configured to display the appropriate login page 5a Click Devices Access Gateways Edit Reverse Proxy Name P...

Страница 78: ...rver Logout You can also use the following methods to modify the Identity Server logout page Section 2 2 1 Rebranding the Logout Page on page 78 Section 2 2 2 Replacing the Logout Page with a Custom P...

Страница 79: ...rs and service providers to which the user has authenticated If you want to modify this behavior so that the logout request logs the user out of just the Identity Server and leaves the user authentica...

Страница 80: ...source Bundles for the language or the language and country For example nidp_custom_resources_en_US properties nidp_custom_resources_fr properties nidp_custom_resources_es properties If you want to su...

Страница 81: ...t for identity federation termination could not be completed SS WKSLdapCreds LDAP Credentials SS WKSELdapCredsUserName LDAP User Name SS WKSELdapCredsUserDN LDAP User DN SS WKSELdapCredsUserPassword L...

Страница 82: ...on Attempting to load Custom Properties File Name Custom Properties FileName The locale specifier in the Custom Properties File filename could not be successfully parsed into a valid locale Loading of...

Страница 83: ...replace this text open the err jsp file and locate the following text that appears between the head head tags title handler getResource JSPResDesc TITLE title Replace the content between the title and...

Страница 84: ...s how to do this in the Administration Console You can also use an LDAP browser 1 In the Administration Console click Devices Identity Servers Edit Local Contracts 2 Click the name of a contract then...

Страница 85: ...email address Figure 2 4 illustrates the login page that these changes produce Figure 2 4 Custom Credentials Such a JSP file must be used with a contract that uses a method that defines the query for...

Страница 86: ...style type text css media screen td label font size 0 85em padding right 0 2em label font size 0 77em padding right 0 2em input font family sans serif instructions color 4d6d8b font size 0 8em margin...

Страница 87: ...ource JSPResDesc PASSWORD label td td align left input type password class smalltext name Ecom_Password size 30 td tr tr td align right colspan 2 style white space nowrap input alt handler getResource...

Страница 88: ...that the following custom nidp jsp file and main jsp file create Figure 2 5 Custom Branding with Custom Credential Prompts The credential frame uses the same modifications in the sample from Section...

Страница 89: ...ollowing lines in the file The header background image that gets repeated String hdrBgndImg custom_images images2 jpeg Figure 2 7 illustrates the image images3 jpeg that this custom page uses for the...

Страница 90: ...om_images images3 jpeg String hdrLogo custom_images hhbimages jpeg String hdrTitle Enter MY WORLD String query request getQueryString if query null query length 0 query query else query DOCTYPE HTML P...

Страница 91: ...line height 17px text decoration none background color transparent NLtab tr subtab td color white padding 2px NLtab tr subtab a font size 8em color white text decoration none padding 2px 5px 2px 5px...

Страница 92: ...var element2 g_curSubtab element1 className selx if element1 id element2 id element2 className unselx g_curSubtab element1 function showHelp var helpURL login html if g_curSubtab id fedsubtab helpURL...

Страница 93: ...mg src handler getImage hdrImage false div div id logo img src handler getImage hdrLogo false div div id title hdrTitle div td tr table td tr tr td table cellspacing 5 width 100 tr td include file men...

Страница 94: ...e been added are marked in bold in the following file page language java page pageEncoding UTF 8 contentType text html charset UTF 8 page import com novell nidp page import com novell nidp resource js...

Страница 95: ...e value You then need to create a contract that uses this method and assign it to a protected resource 2 4 3 Custom 3 1 login jsp File To create this type of page you need to start with the login jsp...

Страница 96: ...tle HHB CUSTOM LOGIN title META HTTP EQUIV Content Language CONTENT handler getLanguageCode meta http equiv content type content text html charset utf 8 style type text css media screen td label font...

Страница 97: ...ign center label handler getResource JSPResDesc USERNAME label td td align center input type text class smalltext name Ecom_User_ID size 30 td tr tr td align center label handler getResource JSPResDes...

Страница 98: ...Do not include the JSP extension in the value MainJSP property values Property Name MainJSP Property Value true You then need to create a contract that uses this method and assign it to a protected re...

Страница 99: ...pe text html charset UTF 8 page import com novell nidp common provider page import java util page import com novell nidp ui page import com novell nidp page import com novell nidp servlets page import...

Страница 100: ...topmargin 0 rightmargin 0 onLoad document IDPLogin Ecom_User_ID focus form name IDPLogin enctype application x www form urlencoded method POST action String request getAttribute url AUTOCOMPLETE off t...

Страница 101: ...e 30 div td tr tr td nowrap nowrap div label handler getResource JSPResDesc PASSWORD label div td td style white space nowrap div input type password class smalltext name Ecom_Password size 30 nbsp nb...

Страница 102: ...create a method and a contract The method needs to use a name password class and have the following properties defined Query property values Property Name Query Property Value objectclass person mail...

Страница 103: ...s specify how the Identity Server requests authentication information and what it should do to validate those credentials See Section 3 2 Creating Authentication Classes on page 117 Methods The pairin...

Страница 104: ...east one configured user store for the Identity Server to be functional Modify To modify the configuration of an existing user store click the name of a user store For configuration information see Se...

Страница 105: ...on store Ensure that you also delete those objects from the configuration store See Orphaned Objects in the Trust Configuration Store in the Novell Access Manager 3 1 SP2 Administration Console Guide...

Страница 106: ...a user store This ensures read write access to all objects used by Access Manager For more information about this user see Section 3 1 3 Configuring an Admin User for the User Store on page 109 Each...

Страница 107: ...ot sharing secrets with other applications the secrets it is using are never locked and you do not need enable this option 4 Under LDAP timeout settings specify the following LDAP Operation Specify ho...

Страница 108: ...gorithm is used to map a user to a replica All requests on behalf of that user are sent to that replica Users are moved from their replica to another replica only when their replica is no longer avail...

Страница 109: ...n limits and remaining grace logins If you enable provisioning with the SAML or Liberty protocols the admin user needs write rights to create users in the user store If your user store is an eDirector...

Страница 110: ...ooting tips see Troubleshooting the Storing of Secrets on page 115 Configuring the Configuration Datastore to Store the Secrets When you use the configuration datastore of the Administration Console a...

Страница 111: ...the Identity Servers page update the Identity Server 6 To use the secret store to store policy secrets see Creating and Managing Shared Secrets in the Novell Access Manager 3 1 SP2 Policy Guide Config...

Страница 112: ...sword to a unique alphanumeric value Preferred Encryption Method Specifies the preferred encryption method Select the method that complies with your security model Password Based Encryption With MD5 a...

Страница 113: ...to authenticate as that user and access the user s secrets Without this NMAS method the Identity Server is denied access to the user s secrets To use a remote SecretStore your network environment must...

Страница 114: ...d objects to the tree 4 Click Liberty Web Service Providers 5 Click Credential Profile 6 Scroll to the Remote Storage of Secrets section 7 Click New under Novell Secret Store User Store References Thi...

Страница 115: ...ceive a prompt for a passphrase when secrets are locked complete the following configuration steps 1 Require all users to set up a passphrase also called the Master Password Access Manager uses the Se...

Страница 116: ...u can find a SAML Assertion object in the Authorized Login Methods container The SAML_Assertion object contains an alphanumeric generated name for a SAML affiliate object This object has four attribut...

Страница 117: ...entity Server and eDirectory server are not time synchronized the credentials can become invalid before a user has time to use them Either make sure that the time of your Identity Server and eDirector...

Страница 118: ...defines authentication levels for classes that can be used in authentication requests For more information on how to configure and use this class see Section 7 2 4 Configuring the Trust Levels Class...

Страница 119: ...Configuring for RADIUS Authentication on page 139 for configuration steps KerberosClass The authentication class used for using Kerberos for Active Directory and Identity Server authentication See Sec...

Страница 120: ...22 These properties can also be specified on a method derived from the class If you are going to create multiple methods from the same class consider the following conditions If you want the methods t...

Страница 121: ...credentials The objectclass value must be a valid object class in the LDAP user store The email attribute must be a valid attribute of the person class When you specify such a Query you must also modi...

Страница 122: ...you associate authentication classes with user stores You use a particular authentication class to obtain credentials about an entity and then validate those credentials against a list of user stores...

Страница 123: ...res to search You can select from the list of all the user stores you have set up If you have several user stores the system searches through them based on the order specified here If a user store is...

Страница 124: ...ng Authentication Contracts Authentication contracts define how authentication occurs An Identity Server can have several authentication contracts available such as name password X 509 or Kerberos Fro...

Страница 125: ...1 Using a Password Expiration Service on page 127 Allow User Interaction If you specify a password expiration servlet you can enable this option which allows the users to decide whether to go to the s...

Страница 126: ...ivity Realm s Specify the name of the realm that can be used to indicate activity Use a comma separated list to specify multiple realms This allows a user s session to be kept alive when the user is a...

Страница 127: ...use the Identity Server configuration 9 To use this contract you must configure Access Manager to use it You can assign it as the default contract for the Identity Server See Section 3 5 Specifying A...

Страница 128: ...the sid and id values as part of the value used for the Identity Server return URL Grace Logins If you specify a password service and do not specify a value for the number of grace logins in eDirecto...

Страница 129: ...ine how activity at one protected resource affects the activity timeout at another protected resource An activity realm essentially represents a time line that tracks the last activity for any resourc...

Страница 130: ...is set to the greatest timeout value of the contracts configured for the Identity Server NIDPActivity Specify NIDPActivity for the realm when any activity at the Identity Server by the user can be us...

Страница 131: ...cess Manager 3 1 SP2 Access Gateway Guide Authentication Type Specifies the default authentication contracts to be used for each authentication type When a service provider requests a specific authent...

Страница 132: ...what a trusted service provider is asking for in its authentication request 1 In the Administration Console click Devices Identity Servers Edit Local Contracts 2 To create a new contract click New 3...

Страница 133: ...cking Access to the WSDL Services Page on page 136 3 6 1 Logging In to the User Portal Users can log directly in to the Identity Server when they enter the Base URL of the Identity Server in their bro...

Страница 134: ...If you have configured the Identity Server to be an identity provider for service providers a Federation page is accessible after login From this page users can federate and defederate their accounts...

Страница 135: ...that administrators might want to restrict such as the user s attributes and federations with other third party SAML or Liberty providers Help Desk Support Most users have no need to access the infor...

Страница 136: ...nt Mozilla 4 0 compatible MSIE 7 0 Windows NT 5 1 NET CLR 2 0 50727 NET CLR 3 0 04506 648 NET CLR 3 5 21022 NET CLR 3 0 4506 2152 NET CLR 3 5 30729 Host idp126 lab novell com 8443 Connection Keep Aliv...

Страница 137: ...is page you can block access 1 Log in as the root or administrator user 2 Open the web xml file for editing Linux opt novell nids lib webapp WEB INF Windows Server 2003 Program Files Novell Tomcat web...

Страница 138: ...s full and users have access to the page 4 Restart Tomcat for your modifications to take effect Linux Enter the following command etc init d novell tomcat5 restart Windows Enter the following commands...

Страница 139: ...1 Configuring for RADIUS Authentication RADIUS enables communication between remote access servers and a central server Secure token authentication through RADIUS is possible because Access Manager wo...

Страница 140: ...ity Injection policies and you did not enable the Require Password option add the password fetch method as a second method to the contract For more information about this class and method see Section...

Страница 141: ...h authentication request Access Manager caches CRLs so the revoked status of a newly revoked certificate is not picked up until the next cache refresh For higher security requirements use OCSP validat...

Страница 142: ...and the intermediate certificates in the chain are in the trust store the Identity Server only validates the client leaf certificate If the trust store only contains the root certificate the browser...

Страница 143: ...s filled in with the certificate name of the user certificate When Auto Provision X509 is enabled and the attribute that is used for subject name mapping is changed from the default sasAllowableSubjec...

Страница 144: ...zero 0 or with a hexadecimal notation 0x If the serial number is 0x0BAC05 the value of the serial number in the attribute must be BAC05 The certificate number is displayed in Internet Explorer with a...

Страница 145: ...4 1 1 Updating an Identity Server Configuration on page 318 6 Update any associated Access Gateways to read the new authentication contract 7 Assign the contract to protect resources See Configuring P...

Страница 146: ...dd more than one property 6 Click Next 7 Conditional If you selected the Use Radius option configure the Radius properties For information about the configuration options see Section 4 1 Configuring f...

Страница 147: ...tected resources to use the contract for authentication When the users supply the OpenID they are granted access if the Identity Server has been configured to trust the provider of the OpenID server 1...

Страница 148: ...e attribute specified in the LDAP Attribute Name option On subsequent logins the Identity Server can identify the user by using the specified attribute and the user is not prompted for additional info...

Страница 149: ...or RADIUS Authentication on page 139 X 509 See Configuring Mutual SSL X 509 Authentication on page 140 OpenID See Configuring for OpenID Authentication on page 147 Smart Card See Configuring Access Ma...

Страница 150: ...www novell com documentation iasclient30x nescm_install data bookinfo html Provision your smart card according to your company policy Make sure you have a basic Access Gateway configuration with a pro...

Страница 151: ...and fill the following fields Name The display name for the LDAP directory server for example nescm_server IP Address The IP address of the LDAP directory server The port is set automatically to the...

Страница 152: ...od The following sections describe these tasks Creating an NMAS Class for NESCM on page 152 Creating a Method to Use the NMAS Class on page 153 Creating an Authentication Contract to Use the Method on...

Страница 153: ...th Creating a Method to Use the NMAS Class on page 153 Creating a Method to Use the NMAS Class When you create a method you can specify property values that are applied to just this method and not the...

Страница 154: ...lect the user store created in Section 4 6 2 Creating a User Store on page 150 then click the left arrow to move this user store into the User stores list Leave other settings on this page unchanged 5...

Страница 155: ...a card for the contract by filling in the following fields ID Optional Specify an alphanumeric value that identifies the card If you need to reference this card outside of the Administration Console y...

Страница 156: ...to Use the Method on page 154 If the contract is not listed make sure you have updated the changes to the servers first to the Identity Server and then the Access Gateway If you have multiple Identit...

Страница 157: ...user for the token Verify that you have configured the class and method correctly See Creating an NMAS Class for NESCM on page 152 and Creating a Method to Use the NMAS Class on page 153 Certificate...

Страница 158: ...158 Novell Access Manager 3 1 SP2 Identity Server Guide novdocx en 16 April 2010...

Страница 159: ...for extending a Kerberos single sign on environment to Web transactions and services It lets peers determine which GSSAPI mechanisms are shared and lets them select one and establish a security contex...

Страница 160: ...indows XP with Internet Explorer 7 or 8 Some minimal testing has been done with Internet Explorer 6 To make Kerberos work with Internet Explorer 6 you need to enable integrated Windows authentication...

Страница 161: ...n the Active Directory Server The Identity Server can communicate with only one KDC identified by IP address in the configuration This limitation is caused by the underlying Sun JGSS and limits the Id...

Страница 162: ...ple configuration this is amser 4 Click Next and configure the password and its options Password Specify a password for this user Confirm password Enter the same password User must change password at...

Страница 163: ...urity Windows Server 2008 C Program Files x86 Novell jre lib security 3 If the cluster contains multiple Identity Servers copy the keytab file to each member of the cluster 5 2 4 Adding the Identity S...

Страница 164: ...or Kerberos Transactions Enabling logging is not required but it is highly recommended If Kerberos authentication does not function after you have finished the configuration tasks the first step in so...

Страница 165: ...Directory user store add a replica In the Server replicas section click New 5a Fill in the following fields Name Specify a name of the replica for reference This can be the name of your Active Directo...

Страница 166: ...ashes for example C Program Files Novell jre lib security Instructions for creating this file are in Creating the bcsLogin Configuration File on page 168 Kerberos KDC Specify the IP address of the Act...

Страница 167: ...In the Local page click Contracts New 11 Fill in the following fields Display name Specify a name that you can use to identify this method URI Specify a value that uniquely identifies the contract fro...

Страница 168: ...Tab need to specify unique information for your configuration The principal line needs to specify the service principle name for the Identity Server The keyTab line needs to specify the location of th...

Страница 169: ...Kerberos and verify that a subsequent line contains a Commit Succeeded phrase For the configuration example the lines look similar to the following principal s key obtained from the keytab principal...

Страница 170: ...rowser Specify a comma delimited list of trusted domains or URLs For this example configuration you would add http amser provo novell com to the list 4d If the deployed SPNEGO solution is using the ad...

Страница 171: ...orer 7 x To access this option click Tools Internet Options Security Custom Level then scroll down to User Authentication 5 5 Configuring the Access Gateway for Kerberos Authentication If you have set...

Страница 172: ...172 Novell Access Manager 3 1 SP2 Identity Server Guide novdocx en 16 April 2010...

Страница 173: ...tributes you specify on the Identity Server are used in attribute requests and responses depending on whether you are configuring a service provider request or identity provider response Attribute set...

Страница 174: ...ext 4 To add an attribute to the set click New 5 Fill in the following fields Specify the attribute Select from the following Local Attribute Select an attribute from the drop down list of all server...

Страница 175: ...select none If you want an identity provider to use a default namespace select none The urn oasis names tc SAML 1 0 assertion value is sent as the default If you are defining an attribute set for Car...

Страница 176: ...are destroyed Use the attributes in the assertion to match a user in the local user store When you want the service provider to take this action you need to create a user matching expression Use the...

Страница 177: ...he name of an existing user matching expression 3 Specify a name for the user lookup expression 4 Click the Add Attributes icon plus sign then select attributes to add to the logic group Use the Shift...

Страница 178: ...should match the policy that uses it For a Form Fill policy the entry name should match a form field name For an Identity Injection policy the entry name should match the Custom Header Name For more...

Страница 179: ...The X 500 commonName attribute which contains a name of an object If the object corresponds to a person it is typically the person s full name departmentNumber Identifies a department within an organi...

Страница 180: ...4 bit attribute data encoding click an attribute s check box then click one of the following links Set Encode Specifies that LDAP returns a raw format of the attribute rather than binary format which...

Страница 181: ...need to be placed in an image set that allows the browser to display the image associated with the requested locale If the browser requests a locale for which you have not defined an image the All Loc...

Страница 182: ...182 Novell Access Manager 3 1 SP2 Identity Server Guide novdocx en 16 April 2010...

Страница 183: ...n page 216 Section 7 11 Using the Intersite Transfer Service on page 217 About SAML and Liberty For information about how Access Manager uses SAML see Appendix B Understanding How Access Manager Uses...

Страница 184: ...to the trusted partner s identity provider or service provider in your Identity Server configuration You can obtain metadata via a URL or an XML document then enter it in the system when you create t...

Страница 185: ...TPS 3 Administrators must exchange Identity Server metadata with the trusted partner Metadata is generated by the Identity Server and can be obtained via a URL or an XML document then entered in the s...

Страница 186: ...r has been configured to trust 1 In the Administration Console click Devices Identity Servers Edit Identity Providers 2 To specify identity provider settings fill in the following fields Show logged o...

Страница 187: ...entity Server 7 2 2 Configuring the General Identity Consumer Options The following options affect all identity consumers service providers that the Identity Server has been configured to trust 1 In t...

Страница 188: ...be restarted whenever you assign an Identity Server to a configuration and whenever you update a certificate key store See Section 1 3 3 Managing the Keys Certificates and Trust Stores on page 29 3 Cl...

Страница 189: ...for which you want to set a level create a property for that class 3a Set the Property Name to the name of the class For example use one of the following urn oasis names tc SAML 2 0 ac classes Previo...

Страница 190: ...vider to authenticate the user and the Identity Server acts as a service provider When you create a trusted service provider you are configuring the Identity Server to provide authentication for the s...

Страница 191: ...Console are on different machines use HTTP to import the metadata If you are required to use HTTPS with this configuration you must import the trusted root certificate of the provider into the trust...

Страница 192: ...f the user has already authenticated and the credentials satisfy the requirements of this contract the user is passively authenticated If the user s credentials do not satisfy the requirements of this...

Страница 193: ...cate of the provider into the trust store of the Administration Console You need to use the Java keytool to import the certificate into the cacerts file in the security directory of the Administration...

Страница 194: ...Metadata URL Specify the metadata URL for a trusted provider The system retrieves protocol metadata using the specified URL Examples of metadata URLs for an Identity Server acting as an identity provi...

Страница 195: ...ify the image to be displayed on the card Select the image from the drop down list To add an image to the list click Select local image Show Card Determine whether the card is shown to the user which...

Страница 196: ...ult certificate see Section 1 3 3 Managing the Keys Certificates and Trust Stores on page 29 Mutual SSL This method is probably the fastest method and if you are fine tuning your system for performanc...

Страница 197: ...Relies upon message signing using a digital signature Mutual SSL Specifies that this trusted provider provides a digital certificate mutual SSL when it sends a SOAP message SSL communication requires...

Страница 198: ...gnature Mutual SSL Specifies that this trusted provider provides a digital certificate mutual SSL when it sends a SOAP message SSL communication requires only the client to trust the server For mutual...

Страница 199: ...re Mutual SSL Specifies that this trusted provider provides a digital certificate mutual SSL when it sends a SOAP message SSL communication requires only the client to trust the server For mutual SSL...

Страница 200: ...uses the attributes that you have selected The request asks the identity provider to provide values for these attributes You can then use these attributes to create policies to match user accounts or...

Страница 201: ...se these attributes to identify the user to create policies to match user accounts or if it allows provisioning to create a user accounts on the service provider 1 In the Administration Console click...

Страница 202: ...resources and how the policies are defined However if the LDAP values are gathered at authentication one LDAP query can retrieve all the needed values for the user 1 In the Administration Console clic...

Страница 203: ...click the Metadata tab This page displays the current metadata the trusted provider is using 3 To reimport the metadata 3a Copy the URL in the providerID field Liberty or the entityID SAML 3b SAML 1 1...

Страница 204: ...e trusted provider 1 In the Administration Console click Devices Identity Servers Edit SAML 1 1 Identity Provider Metadata You can reimport the metadata see Step 2 or edit it see Step 4 2 To reimport...

Страница 205: ...ionService section of the metadata 6 To specify signing certificate settings fill in the following fields Attribute authority Specifies the signing certificate of the partner SAML 1 1 attribute author...

Страница 206: ...es that authentication assertions from the trusted provider must be signed Artifact consumer URL Specifies where the partner receives incoming SAML artifacts For example https dns 8443 nidp saml spass...

Страница 207: ...ntication Card Authentication Request 2 Configure the federation options Allow Federation Determines whether federation is allowed The federation options that control when and how federation occurs ca...

Страница 208: ...request can be proxied Force authentication at Identity Provider Specifies that the trusted identity provider must prompt users for authentication even if they are already logged in Use automatic int...

Страница 209: ...this selection is made When the identity provider sends a response to the service provider the user needs to be identified on the service provider If you enable this option make sure you configure a u...

Страница 210: ...he authentication request to another identity provider A value of None specifies that the trusted identity provider cannot redirect an authentication request Values 1 5 determine the number of times t...

Страница 211: ...e than one is found the user is presented with the matching cards and is allowed to select the contract If a match is not found the user is denied access Minimum Indicates that the contract must be as...

Страница 212: ...1 1 respond to the Intersite Transfer Service For configuration information see one of the following Section 7 9 1 Configuring the Liberty Authentication Response on page 212 Section 7 9 2 Configuring...

Страница 213: ...entifier is sent when the request from the service provider does not specify a format 5 To specify that this Identity Server must authenticate the user disable the Use proxied requests option When the...

Страница 214: ...es between sessions can be sent E mail Specifies that an e mail attribute can be used as the identifier Kerberos Specifies that a Kerberos token can be used as the identifier X509 Specifies that an X...

Страница 215: ...Identity Server The Identity Server then sends the response to the service provider 7 Click OK twice then update the Identity Server 7 9 3 Configuring the SAML 1 1 Authentication Response You can spe...

Страница 216: ...ou do not assign a value the Identity Server creates one for its internal use The internal value is not persistent Whenever the Identity Server is rebooted it can change A specified value is persisten...

Страница 217: ...L URL for site a id ID of target For example https idp sitea novell com 8443 nidp saml idpsend id 206test The target and the target ID are specified in the service provider configuration at the identi...

Страница 218: ...443 nidp saml2 metadata Liberty https idp siteb novell com 8443 nidp idff metadata If you are setting up federations with a third party service provider search its documentation for the URL or locatio...

Страница 219: ...for a card to appear as a login option you must specify a Login URL and select the Show Card option Figure 7 4 illustrates a possible configuration that requires the Intersite Transfer Service for th...

Страница 220: ...this Web page are configured with the URL of the Intersite Transfer Service of the identity provider to be used for authentication Clicking these links directs the user to the appropriate identity pro...

Страница 221: ...Service 2 Fill in the following ID Optional Specify an alphanumeric value that identifies the target If you specified an ID for the target you can use this value to simplify the Intersite Transfer URL...

Страница 222: ...t in the URL you need to specify the target in this field Allow any target If this option is selected the user can use the target that was specified in the Intersite Transfer URL If this option is not...

Страница 223: ...Gateway Protected Resources on page 242 Section 8 7 Managing CardSpace Trusted Providers on page 242 Section 8 8 Managing Card Templates on page 244 Section 8 9 Configuring Authentication Cards on pa...

Страница 224: ...ed in the token Figure 8 1 illustrates that the provider for the identity and token can be either an identity provider when a managed card is selected or the CardSpace client when a personal card is s...

Страница 225: ...te set created for CardSpace is dependent upon this profile Click Identity Servers Edit Liberty Web Service Provider Select the Personal Profile then click Enable Apply Update the Identity Server Reco...

Страница 226: ...Microsoft NET Framework 3 5 http www microsoft com downloads details aspx FamilyId 333325FD AE52 4E35 B531 508D977D32A6 displaylang en 1b Install the package 1c To verify that it has been installed c...

Страница 227: ...hen enable the site and install the add on 5 Download the appropriate selector for your OS For SLES 10 with 32 bit hardware select Download DigitalMe for SUSE Linux Enterprise 10 i586 and save it as a...

Страница 228: ...gure the Identity Server to be a relying party and then allow the user to log in to the Identity Server by using a personal card Figure 8 3 illustrates this process Figure 8 3 Using a Personal Card to...

Страница 229: ...ailable attribute list select the attributes that you want the card to return and move them to the Required attribute list For this scenario move Common First Name and Personal Private Identifier to t...

Страница 230: ...to configure a trusted relationship between the relying party and the identity provider so that a user can authenticate to the relying party with a managed card Prerequisite on page 230 Configuring a...

Страница 231: ...equests a security token For this scenario do not enable this option because the instructions haven t explained how to configure this option for the relying party Allow Users to Back a Managed Card Us...

Страница 232: ...he Identity Server and have a file containing the public key of the signing certificate of the Identity Server 1 To obtain the public key certificate of the identity provider 1a Log in to the Administ...

Страница 233: ...ou want the card to return and move them to the Required attribute list For this scenario move Common First Name and Personal Private Identifier to the Required attribute list The Personal Private Ide...

Страница 234: ...ard Continue with Section 8 3 3 Authenticating with a Managed Card Backed by a Personal Card on page 234 Managed cards can be used to access resources protected by the Access Gateway For configuration...

Страница 235: ...ing as the relying party you need to define how you want the user to authenticate This involves defining who can issue the credentials and what credentials are required Section 8 4 1 Defining an Authe...

Страница 236: ...ither a personal card or a managed card from any trusted provider A trusted provider is a provider that is listed in the trusted provider list See Section 8 4 2 Defining a Trusted Provider on page 237...

Страница 237: ...tributes for setting up a user account See Section 11 3 Defining the User Provisioning Method on page 282 Attribute matching Select this option when you want to use attributes to match an identity ser...

Страница 238: ...ders page click New then fill in the following fields Name Specify a display name for the provider This name appears in the list of trusted providers that you can select for an authentication card pro...

Страница 239: ...ity Servers Edit CardSpace 2 Click Configuration 3 Specify a value for the relying party maximum age 4 Click Apply then update the Identity Server 8 4 4 Defederating after User Portal Login If you wan...

Страница 240: ...n Service STS which controls what claims are available what authentication method can be used to validate the credentials on the card and whether a name identifier is added to the SAML assertion 1 In...

Страница 241: ...ing fields Name Specify a display name for the template Description Specify the text to be displayed on the card This can contain information about how the card can be used or the type of resource tha...

Страница 242: ...ersonal card to log in If you select a profile that is configured for a managed card the user can supply a managed card to log in 6 Click User Identification then configure the following fields Satisf...

Страница 243: ...s the following value https test lab novell com 8443 nidp sts services Trust Identity Provider Specify the signing certificate of the Identity Server You need to export the public key certificate to a...

Страница 244: ...eld so it might be blank 2 Select from the following actions New To create a new managed card template click New For configuration details see Section 8 8 1 General Template Details on page 244 Delete...

Страница 245: ...tribute set select New Attribute Set If the set you have created for CardSpace is not listed you need to configure the STS to use the set Click Identity Servers Edit STS Attribute Sets to manage the c...

Страница 246: ...le or to modify an existing profile 1 In the Administration Console click Devices Identity Servers Edit CardSpace Authentication Card Profiles New Name of Profile 2 Configure the following fields Name...

Страница 247: ...t to the Optional Attribute list 3 Select one of the following actions If you are creating a profile click Next Continue with Section 8 9 3 Configuring User Identification on page 247 If you have fini...

Страница 248: ...ensure that the account matches 4 Conditional If you selected a user identification method that requires a matching method or a provision setting configure the required method Provisioning Settings A...

Страница 249: ...05 identity claims namespace A CardSpace attribute set has been created that can be used as is or modified to match claims you want to share For more information about CardSpace claims see Understandi...

Страница 250: ...tication Request page to select the format for the name identifier that is returned in the SAML assertion The selected attribute sets Identity Servers Edit STS Attribute Sets determine the values that...

Страница 251: ...r on page 269 Section 10 5 Modifying a WS Federation Service Provider on page 273 10 1 Using the Identity Server as an Identity Provider for ADFS The Identity Server can provide authentication for res...

Страница 252: ...ration on page 254 Enabling the Attribute Set on page 254 Creating a WS Federation Service Provider on page 255 Configuring the Name Identifier Format on page 256 Setting Up Roles for ClaimApp and Tok...

Страница 253: ...lect an image such as Form Auth Username Password This is the default image for the Name Password Form contract Show Card Enable this option so that the card can be presented to the user as a login op...

Страница 254: ...ext 4 To add a mapping for the mail attribute 4a Click New 4b Fill in the following fields Local attribute Select LDAP Attribute mail LDAP Attribute Profile Remote attribute Specify emailAddress This...

Страница 255: ...federation treyresearch This is the value that the ADFS server provides to the Identity Server in the realm parameter of the query string This value is specified in the Properties of the Trust Policy...

Страница 256: ...g fields Attribute set Select the WS Federation attribute set you created Send with authentication Move the All Roles attribute to the Send with authentication list 3 Click Apply then click Authentica...

Страница 257: ...he Select Trusted Root s icon This adds the trusted root of the ADFS signing certificate to the Trust Store 4 On the Select Trusted Roots page select the trusted root or certificate that you want to i...

Страница 258: ...ovider and the service provider must be configured to trust the other provider This task sets up the trust between the ADFS server and the Identity Server 1 In the Active Directory Federation Services...

Страница 259: ...Mapping with the following values Incoming group claim name Specify TokenApp Organization group claim Specify Adatum TokenApp Claim 4 Continue with Disabling CRL Checking on page 259 Disabling CRL Che...

Страница 260: ...10 1 4 Troubleshooting Turning On Logging on the ADFS server on page 260 Common Errors on page 260 Turning On Logging on the ADFS server If you see the message Server Error in adfs Application display...

Страница 261: ...the correct namespace for WSFed CRL Errors 2008 08 01T19 56 55 WARNING VerifyCertChain Cert chain did not verify error code was 0x80092012 2008 08 01T19 56 55 ERROR KeyInfo processing failed because...

Страница 262: ...ver and gives the user the option of logging in at the Active Directory Federation Services server 4 The user logs into the Active Directory Federation Services server and is provided a token 5 The to...

Страница 263: ...ML 1 1 Liberty and SAML 2 0 enabled by default In order to use the WS Federation protocol it must be enabled on the Identity Server Because the WS Federation Protocol uses the STS Secure Token Service...

Страница 264: ...inue with Modifying the User Identification Specification on page 264 Modifying the User Identification Specification The default settings for user identification are set to do nothing The user can au...

Страница 265: ...by step guide uses self signed certificates for signing it is the same certificate in both the trust store and in the relationship To import the ADFS signing certificate s trusted root or the certifi...

Страница 266: ...is in this list 4 Navigate to Active Directory by clicking Federation Services Trust Policy Account Stores 5 Enable the E mail Organizational Claim 5a Right click this claim then select Properties 5b...

Страница 267: ...rds select the Adatum contract 3 Conditional If you are not joined to the Adatum domain enter a username and password in the browser pop up Use a name and a password that are valid in the Adatum domai...

Страница 268: ...s not load the definition However the definition is not deleted Modify Click the name of a provider For configuration information see Section 10 4 Modifying a WS Federation Identity Provider on page 2...

Страница 269: ...ls Logout URL Optional Specify the URL that the user can use for logging out The default value is https adfsresource treyresearch net adfs ls Service Provider Specify the path to the signing certifica...

Страница 270: ...ute specified at the service provider 2a Specify a set name then click Next 2b On the Define Attributes page click New 2c Select a local attribute 2d Specify the name of the remote attribute 2e For th...

Страница 271: ...and used with subsequent logins When federation is not enabled a new account is created every time the user logs in This option requires that you specify a user provisioning method Attribute matching...

Страница 272: ...ation Console click Devices Identity Servers Edit WS Federation Identity Provider Metadata Edit 2 Configure the following fields Provider ID This is the provider ID The ADFS server provides this value...

Страница 273: ...explains how to modify a WS Federation service provider after it has been created Section 10 3 2 Creating a Service Provider for WS Federation on page 269 explains the steps required to create the ser...

Страница 274: ...contain an identifier for the user If you do not own the service provider you need to contact the administrator of the service provider and negotiate whether the user needs to be identified and how to...

Страница 275: ...licy on the ADFS server The label is Federation Services endpoint URL The default value is https adfsresource treyresearch net adfs ls ssoUrl This is the logout URL The default value is https adfsreso...

Страница 276: ...ps adfsresource treyresearch net adfs ls The ADFS server makes no distinction between the login URL and the logout URL 3 If you need to import a new signing certificate click the Browse button and fol...

Страница 277: ...ion 11 1 Defining User Identification for Liberty and SAML 2 0 on page 277 Section 11 2 Defining User Identification for SAML 1 1 on page 280 Section 11 3 Defining the User Provisioning Method on page...

Страница 278: ...tribute matching Select this option when you want to use attributes to match an identity server account with a service provider account This option requires that you specify a user matching method Pro...

Страница 279: ...ssions on page 176 5 Specify what action to take if no match is found Do nothing Specifies that an identity provider account is not matched with a service provider account This option allows the user...

Страница 280: ...der to uniquely identify a user on the service provider 1 In the Administration Console click Devices Identity Servers Edit SAML 1 1 Identity Provider User Identification 2 In the Satisfies contract o...

Страница 281: ...K twice 6 Update the Identity Server 11 2 2 Configuring the Attribute Matching Method for SAML 1 1 A user matching expression is a set of logic groups with attributes that uniquely identify a user Use...

Страница 282: ...Defining the User Provisioning Method If you have selected Provision account as the user identification method or have created an attribute matching setting that allows for provisioning when no match...

Страница 283: ...or SAML 2 0 Identity Provider User Identification 2 Click the Provisioning settings icon 3 Select the required attributes from the Available Attributes list and move them to the Attributes list Requir...

Страница 284: ..._02 as shown in the following illustration Use the following settings to specify how this is accomplished Segment 1 The required attribute to use as the first segment for the user name The values disp...

Страница 285: ...hether to prompt the user for a password or to create a password automatically Min password length The minimum length of the password Max password length The maximum length of the password Prompt for...

Страница 286: ...hat are either too short or too long Username unavailable The provisioned user account was deleted without first defederating the user Remove orphaned identity objects from the configuration datastore...

Страница 287: ...for the identity provider and the service provider The Artifact binding provides an increased level of security by using a back channel means of communication between the two servers during authentic...

Страница 288: ...when the user logs in Select one or more of these methods for the identity provider and the identity consumer The Artifact binding provides an increased level of security by using the back channel fo...

Страница 289: ...t A browser based method that uses HTTP 302 redirects or HTTP GET requests to communicate requests from this identity site to the service provider SAML messages are transmitted within URL parameters S...

Страница 290: ...290 Novell Access Manager 3 1 SP2 Identity Server Guide novdocx en 16 April 2010...

Страница 291: ...ry Service The service assigned to an identity provider that enables a Web Service Consumer to determine which Web service provider provides the required resource LDAP Attribute Mapping Access Manager...

Страница 292: ...To delete an existing profile select the profile then click Delete Enable To enable a profile select the profile then click Enable Disable To disable a profile select the profile then click Disable Ed...

Страница 293: ...vice provider to cooperate in redirecting the resource owner to the Web service provider and back to the Web service consumer 3 Click OK 4 On the Servers page update the Identity Server 13 2 1 Modifyi...

Страница 294: ...u have mapped a Liberty attribute to an LDAP attribute in your user store the values can be read from the LDAP user store To create LDAP attribute maps see Section 13 6 Mapping LDAP and Liberty Attrib...

Страница 295: ...r XML definitions of data model extensions in this field Data model extensions hook into the existing Web service data model at predefined locations All schema model extensions reside inside of a sche...

Страница 296: ...he profile or service 3 Click Descriptions 4 Click the description name or click New 5 Fill in the following fields Name The Web Service Description name Security Mechanism Required Liberty uses chann...

Страница 297: ...e containing the service description URIs need to be constant across all implementations of a service to enable interoperability 7 Click OK 8 Update the Identity Server configuration 13 2 4 Editing We...

Страница 298: ...are displayed in the Inherited column If you want the user to have Write permission for a given data item and that data item is used in an LDAP Attribute Map then you must configure the LDAP Attribute...

Страница 299: ...ted from the settings in the Administration Console Thereafter inheritance can come from the service policy or the parent data item s policy Ask Me Specifies that the service provider requests from th...

Страница 300: ...Profile Details page you can specify whether this profile is displayed for end users and determine how you control and store encrypted secrets You can store and access secrets locally on remote eDirec...

Страница 301: ...y a user The Discovery Service returns a list of resource IDs when a trusted service provider queries for the services owned by a given user The Discovery Service has the option of encrypting the reso...

Страница 302: ...You only need to configure the fields in Step 5a To store the secrets in your LDAP user store click New in Extended Schema User Store References and configure the following fields User Store Select a...

Страница 303: ...ed Web services consumers or by a dedicated interaction service provider that has a reliable means of communication with the users 1 In the Administration Console click Devices Identity Servers Edit L...

Страница 304: ...ributes You can create an LDAP attribute map or edit an existing one To create an attribute map you specify how single value and multi value data items map to single value and multi value LDAP attribu...

Страница 305: ...rious Liberty values to map to any LDAP attribute names that you use 1 In the Administration Console click Devices Identity Servers Edit Liberty LDAP Attribute Mapping New One to One 2 Configure the f...

Страница 306: ...tributes that you can map to the single valued LDAP attributes that you have defined for your directory Mapping Personal Profile Multiple Value Data Items to LDAP Attributes Use the fields on this pag...

Страница 307: ...Hire Job Start Date Department and so on Mapping Employee Profile Multiple Value Data Items to LDAP Attributes Map the Liberty Employee Profile multiple value attributes to the LDAP attributes you hav...

Страница 308: ...n the same way you use any other profile attribute Mapping Custom Profile Multiple Value Data Items to LDAP Attributes Customizable Multi Valued Strings 1 5 Similar to customizable strings for single...

Страница 309: ...LDAP attribute name that you want to map to the Liberty Employee Type attribute 4 In the LDAP Attribute Value fields type the predefined LDAP attribute values that you want to map to the Liberty Empl...

Страница 310: ...e user store that a map applies to If a user logs into a user store that is not in the map s user store list that map is not used to read or write attributes for that user 3 In the LDAP Attribute Name...

Страница 311: ...s to Read Write you can specify rights for individual data items In order for user provisioning to succeed you must select Read Write from the Access Rights drop down menu for any maps that use an att...

Страница 312: ...ition in Delimited LDAP Attribute specify the order in which the information is contained in the string Select 1 for the value that comes first in the string 2 for the value that follows the first del...

Страница 313: ...n the following fields to map to the Liberty Contact Method attribute Provider LDAP Attribute Maps to the Liberty attribute MsgProvider which is the service provider or domain that provides the messag...

Страница 314: ...down menu that provide the broadest control for the page If you set this to Read Write you can specify rights for individual data items In order for user provisioning to succeed you must select Read...

Страница 315: ...ame you want to give the map Description A description of the map Access Rights A drop down menu that provide the broadest control for the page If you set this to Read Write you can specify rights for...

Страница 316: ...re the values that you want to store in the LDAP attribute for each given Liberty attribute value The LDAP attribute map then maps the actual Liberty URI value back and forth to this supplied value 5...

Страница 317: ...on 14 9 Viewing the Command Status of the Identity Server on page 343 Section 14 10 Tuning the Identity Server for Performance on page 344 14 1 Managing an Identity Server The Identity Servers page is...

Страница 318: ...you to update the configuration An Update Servers status is displayed under the Status column on the Servers page You must click Update Servers to update the configuration so that your changes take ef...

Страница 319: ...ifferent directory is not recommended because the system does not detect the change A user received authentication from an identity provider that is no longer trusted This occurs if you remove a trust...

Страница 320: ...All administrative and end user actions and events are logged to a central event log This allows easy access to this information for security and operational purposes Additionally the log system provi...

Страница 321: ...the Access Gateway is on Linux do not specify a path In a mixed platform environment you must use the default path Maximum Log Files Specifies the maximum number of Identity Server XML log files to le...

Страница 322: ...tatistical data such as counts levels and so on are included in the file log 4a In the Statistics Logging section select Enabled 4b In the Log Interval field specify the time interval in seconds that...

Страница 323: ...rights to create logging tickets and uses the User Portal to create a logging ticket for the user 4 The operator sends the logging ticket password and the URL to access the logging ticket class to the...

Страница 324: ...Property Value cn jdoe o users The Property Value must be the DN of an operator in the user stores you selected in Step 3b Use LDAP typed comma notation for the DN 3d Repeat Step 3c for each IDP Admin...

Страница 325: ...User Stores Select the user stores that contain the users that potentially can experience problems then move them to the list of User Stores 3c Click Finish 4 To create the contract 4a Click Contract...

Страница 326: ...en a user reports a problem Creating a Logging Ticket on page 326 Enabling a Logging Session on page 327 Viewing the Log File on page 328 Creating a Logging Ticket These steps are performed by an IDP...

Страница 327: ...dentity Server including the port Make sure the port agrees with the HTTP scheme either http or https Replace LogSession with the ID you specified for the authentication card when defining the Logging...

Страница 328: ...L of the resource that is causing the problem 6 Perform any other actions necessary to create the problem behavior 7 Log out and send your user identifier to the help desk Viewing the Log File These s...

Страница 329: ...tity Server Section 14 5 1 Health States on page 329 Section 14 5 2 Viewing the Health Details of an Identity Server on page 330 Section 14 5 3 Viewing the Health Details of a Cluster on page 332 14 5...

Страница 330: ...icance of the current state For more information about the icons see Section 14 5 1 Health States on page 329 2 To ensure that the information is current select one of the following Click Refresh to r...

Страница 331: ...er 3 1 SP2 Administration Console Guide If you want to convert a secondary console to your primary console see Converting a Secondary Console into a Primary Console in the Novell Access Manager 3 1 SP...

Страница 332: ...Administration Console 3 To view health details about a specific member of the cluster click the server s health icon SSL Communication Indicates whether SSL communication is operating correctly This...

Страница 333: ...choose Devices Identity Servers 2 In the Statistics column click View 3 Click either of the following options Statistics Select this option to view the statistics as currently gathered The page is st...

Страница 334: ...er was started Consumed Authentication Failures The number of failed consumed authentications since the Identity Server was started Logouts The number of explicit logouts performed by users This does...

Страница 335: ...number of current cached artifact objects During authentication an artifact is generated that maps to an assertion This cache holds the artifact to assertion mapping until the artifact resolution req...

Страница 336: ...nd interval Last Interval Mean Request Duration Milliseconds The mean age of all outgoing HTTP requests that were processed during the last 60 second interval Historical Maximum Request Duration Milli...

Страница 337: ...Service changes performed since the Identity Server was started Custom Profile Service Queries The number of Novell Custom Profile Web Service queries performed since the Identity Server was started...

Страница 338: ...The number of attempts to use the User Profile object as a data location for a query or a modify of any Web Service since the Identity Server was started A User Profile object is a directory object s...

Страница 339: ...of payload examinations and ID broadcasts the lower the performance of the entire system If these numbers are high verify the configuration of the L4 switch Make sure that the session persistence opt...

Страница 340: ...r was started Each LDAP replica contains two connection pools the user connection pool and the administration connection pool User connections are used to authenticate users and they are created and i...

Страница 341: ...tity Server was started This would result in an LDAP Service Not Available error Connection Waits Aborted Due To Closed Pool The number of times that an LDAP connection wait terminated because of a cl...

Страница 342: ...an identity provider User Account Provisioned Generated by the Identity Server when functioning as an identity consumer and when an account has been provisioned User Account Provisioned Failure Genera...

Страница 343: ...etry up to 10 times before they fail The first few retries are spaced a few minutes apart then they move to 10 minute intervals These commands can take over an hour to result in a failure As long as t...

Страница 344: ...Select one of the following actions Delete To delete a command click Delete Click OK in the confirmation dialog box Refresh To update the current cache of recently executed commands click Refresh 5 Cl...

Страница 345: ...s generate more authentication traffic Carefully consider the security requirements for your resources and set limits that meet the requirements If you only need to verify that the users are actively...

Страница 346: ...following profiles Personal Profile Employee Profile Custom Profile 3 Either disable the Credential Profile which also disables using Form Fill or Identity Injection with credentials or enable the Cre...

Страница 347: ...the Xmx value the default is 1024 with 2048 This allows Java to use 2 GB of memory 5 Find the following line in the file JAVA_OPTS JAVA_OPTS Dnids freemem threshold 0 6 Change the Dnids freemem thresh...

Страница 348: ...that there is free memory available so that the other internal Java processes can continue to function When this threshold is reached the user receives a 503 server busy message and a threshold error...

Страница 349: ...ing the Identity Server Configuration Port on page 36 netcat A networking utility that reads and writes data across network connections using the TCP IP protocol Netcat is useful for checking connecti...

Страница 350: ...54 Section 15 2 6 Testing Whether the Provider Can Access the Metadata on page 356 Section 15 2 7 Manually Creating Any Auto Generated Certificates on page 357 For information about metadata validatio...

Страница 351: ...r tries to access the metadata on the identity provider it sends the request to the hostname defined in the base URL configuration of the Identity Server The base URL in the Identity Server configurat...

Страница 352: ...tServiceReturnURL To test that the Identity Server can resolve the hostname of the Access Gateway send a ping command with the hostname of the Access Gateway For example from the Identity Server ping...

Страница 353: ...name see The Server Certificate Has an Invalid Subject Name on page 356 15 2 4 Certificates in the Required Trust Stores Make sure that the issuers of the Identity Server and Embedded Service Provide...

Страница 354: ...same name as the Subject name then this certificate is the root certificate If the Issuer has a different name than the Subject name the certificate is an intermediate certificate in the chain Click...

Страница 355: ...Provider Cannot Resolve the Base URL of the Identity Server on page 355 Trusted Roots Are Not Imported into the Appropriate Trusted Root Containers on page 356 The Server Certificate Has an Invalid S...

Страница 356: ...failed to load Identity Provider metadata amLogEntry The Server Certificate Has an Invalid Subject Name When the certificate has an invalid subject name the handshake fails In the log entries below t...

Страница 357: ...ollowing issues that occur during authentication Section 15 3 1 Authentication Classes and Duplicate Common Names on page 357 Section 15 3 2 General Authentication Troubleshooting Tips on page 358 Sec...

Страница 358: ...Access Manager devices to use the Identity Server for authentication click Identity Servers Edit General Configuration Check the properties of the class and method For example the search format on th...

Страница 359: ...uthentication class Click Identity Servers Servers Edit Local Classes x 509 Properties Enabling this option provides detailed error messages on the login browser rather than generic messages Ensure th...

Страница 360: ...ty with devices that have not been upgraded to Access Manager 3 1 SP1 The devices requiring this old style cookie include Identity Servers that haven t been upgraded and any device with an Embedded Se...

Страница 361: ...esources including specifications white papers FAQs and presentations can be found at the Liberty Alliance Resources Web site http www projectliberty org liberty resource_center The following table pr...

Страница 362: ...362 Novell Access Manager 3 1 SP2 Identity Server Guide novdocx en 16 April 2010...

Страница 363: ...eference Metadata on page 364 Section B 3 Identity Federation on page 364 Section B 4 Authorization Services on page 364 Section B 5 What s New in SAML 2 0 on page 364 Section B 6 Identity Provider Pr...

Страница 364: ...t costs because multiple organizations do not need to independently collect and maintain identity related data such as passwords From the end user s perspective this results in an enhanced experience...

Страница 365: ...AML service provider The Identity Server at abc com generates the artifact This starts the process of generating and sending the SAML assertion The HREF would look similar to the following http nidp c...

Страница 366: ...edirect containing the artifact back to the browser The redirect looks similar to the following http xyz com auth afct TARGET http xyz com index html SAMLArtifact artifact 4 The remote SAML server req...

Страница 367: ...d in a SOAP envelope In this example the assertion contains the attributes lastname Jones and phonenumber 555 1212 3 The Identity Server determines which attributes to use when locating the user The I...

Страница 368: ...s names for these attributes are lastname and phonenumber respectively c The Identity Server uses the PP service to lookup the values for the user s PP sn and PP ph attributes The Identity Server now...

Страница 369: ...chema model extension root or inside of a schema model extension There can only be one group per root or extension Each root is hooked into the existing Web service data model Multiple roots can be ho...

Страница 370: ...vell nidp resource NIDPResDesc class Group Element resourceID The resource ID of the display name of the group This resource ID is assumed to be a key in the resource bundle supplied by the resource d...

Страница 371: ...value is a signed integer If this attribute is omitted the default value is java lang Integer MAX_VALUE lower optional The lower bound of a numeric value This attribute is only used if the format att...

Страница 372: ...in the namespace novell liberty wsf config 1 0 0 and that namespace must be defined on the SchemaExtensions element Normally the namespace prefix wsfc is used An example of data model extension XML is...

Страница 373: ...nResourceId PP EXT AU GROUP DESC wsfc Extension name Automobile class Automobile syntax Container resourceId PP EXT Automobile min 0 max UNBOUNDED namingClass AutomobileLicensePlate wsfc Group resourc...

Страница 374: ...374 Novell Access Manager 3 1 SP2 Identity Server Guide novdocx en 16 April 2010...

Отзывы:

Нет отзывов

Похожие инструкции для ACCESS MANAGER 3.1 SP2 - README 2010

Work.Group/Windows 3

Бренд: Amanda Страницы: 106

Бренд: AMX Страницы: 54

Бренд: SonicWALL Страницы: 20

Бренд: Blackberry Страницы: 9

ENHANCED GOOGLE MAIL PLUG IN - LEARN MORE

Бренд: Blackberry Страницы: 16

PRD-10459-003 - Enterprise Server For IBM Lotus Domino

Бренд: Blackberry Страницы: 420

AMIGOPOD 0.99.35

Бренд: AMIGOPOD Страницы: 23

Бренд: AMIGOPOD Страницы: 47

APPLICATION STACK 2.1 RELEASE

Бренд: Red Hat Страницы: 26

Бренд: Bay Networks Страницы: 112

Бренд: DigiDesign Страницы: 68

Бренд: Native Instruments Страницы: 16

ANTI-VIRUS 5.0 - FOR LOTUS NOTES-DOMINO

Бренд: KAPERSKY Страницы: 137

Dynamics Processor MV2

Бренд: Waves Страницы: 13

ML 2851ND - B/W Laser Printer

Бренд: Samsung Страницы: 30

FLASH REMOTING MX

Бренд: MACROMEDIA Страницы: 180

FLASH MEDIA SERVER 2

Бренд: MACROMEDIA Страницы: 234

Бренд: MACROMEDIA Страницы: 412

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды