If the IDM User Application is installed, it is often in a larger context. One of the common requirements is to integrate User Application or specific parts into a portal, granting the users a single sign-on experience. Another common requirement is a strong authentication, e.g., via a certificate login to the portal.
Leveraging Novell Access Manager and SAML, the solution described in this article provides true single sign-on to any part of User Application, regardless of the authentication method Access Manager uses.
This document assumes that you are familiar with the Novell Access Manager configuration. If you are not, please refer to the Novell Access Manager documentation: http://www.novell.com/documentation/novellaccessmanager/index.html
How it Works
When the user first accesses the User Application, he must authenticate to the IDP if he hasn't already done so. After a successful authentication, the Access Gateway injects a SAML assertion into an HTTP header of the GET request. User Application recognizes this and, if the user is not already authenticated, uses the SAML assertion to authenticate the user to the user store via LDAP. For this to work, the NMAS method "SAML Assertion" must be installed and correctly configured on the user store, because User Application relies on this method for a successful authentication.
This document is designed for use with the following as minimum software requirements:
- Access Manager 3.0.1
- User Application 3.5.1
Access Manager and User Application must be configured to use the same user store. The user store must be eDirectory. The NMAS method must be present and configured on the user store (see the User Store section at the end of this document). The method described in this document will work regardless of the authentication method used by Access Manager.
Access Gateway Resources
1. Create a new path-based resource for /IDM.
Figure 1 - Path-based resource for /IDM
2. Correct the server port and enable Forwarding of Encoding Header.
Figure 2 - Enabling Forwarding of Encoding Header
3. Under the HTTP Options for the Path-Based Multi-Homing tab, enable X-Forwarded-For.
Figure 3 - Enabling X-Forwarded-For
4. Create two new Protected Resources if you use username and password. If you don't use a password, e.g., because you use a certificate login, you do not need the second resource, UserAppForgotPassword.
Figure 4 - Creating Protected Resources
The base resource for User Application is shown below.
Figure 5 - URL Path for UserApp
1. Assign an Authorization Policy to this resource.
Figure 6 - Authorization Policy
2. Assign Identity Injection policies to inject the Access Manager Session Cookie and HTTP_AUTHORIZATION header.
Figure 7 - Injection Policy list
The UserAppForgotPassword resource is a public resource and will have the following paths:
Figure 8 - Path for UserAppForgotPassword resource
1. Add a Bypass PIN for the whole of User Application.
Figure 9 - Bypass PIN
Below are the two policies required for the Identity Injection:
Figure 10 - II_Authorization Rule
Figure 11 - II_AG_Cookie Rule
If Access Manager uses Username/Password as its authentication method, the following settings give the user a smoother experience.
Password Expiry Handling
In the IDP Contracts, modify the Password Expiry URL to be:
This populates certain values to aid the user experience. For example, <USERID> is replaced with the user DN, such as cn=jbloggs,ou=unit,ou=location,o=organization.
Forgot Password Link
An example of the JSP code for a link to the Forgot Password feature on the Access Manager login page is shown below. The hidden idp_return_url field carries the login page's return URL so that User Application can send the user back after the password has been reset:
<form name="fpwdForm1" method="POST" action="https://mydomain.com/IDM/jsps/pwdmgt/ForgotPassword.jsp">
<input type="hidden" name="idp_return_url" value="<%= (String) request.getAttribute("url") %>" />
<input type="submit" value="Forgot Password" />
</form>
To lock down UserApp so that requests can be made only by Access Manager:
1. Stop UserApp.
2. Edit the [path to jboss]/server/IDM/deploy/jbossweb-tomcat55.sar/context.xml file with the following modifications:
3. Add privileged="true" to the Context element.
4. Add a RemoteAddrValve child element to the Context element; the allow list holds the addresses of the Access Gateway(s) that are permitted to reach User Application (the addresses shown are the article's example values):
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="220.127.116.11,18.104.22.168" deny="" />
5. Start UserApp and test that the /IDM path can only be requested by Access Manager.
You will have to do the following steps only if you use Username/Password as the Access Manager authentication method and want to use User Application to handle forgotten passwords.
1. Log in to User Application with Administration rights.
2. Verify the Forgot Password settings.
Figure 12 - Forgot Password settings
On the user store, you must check the configuration of the NMAS method "SAML Assertion". NAM should install this method automatically once you configure the user store in NAM. Additionally, NAM should have installed the required signing certificates.
1. On the user store, go to NMAS > NMAS Login Methods > SAML Assertion and choose the Affiliates tab. The page should look like this:
Figure 13 - SAML Assertion
2. Check the configured affiliate, and your page should look like this:
Figure 14 - Configured affiliate for SAML Assertion
If the Trusted Certificate field is empty, you can just choose the Public Key certificate that's in the Trusted Root Container named in the Trusted Root Container field. NAM should have created this certificate automatically.
If the Signing Certificate is not present on the user store, you will have to export it from the NAM config store and import it into the user store.
Make sure the time is synchronized between the IDP, the Access Gateway and the user store server you access. By default, the SAML Assertion has a validation window of 3 minutes. If the clocks are not synchronized, the login fails.
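To show why clock drift breaks the login, here is an added example (not code from the article or from Novell) that evaluates a SAML assertion's Conditions window the way the user store's verifier would, for a clock that is ahead of, behind, or close to the IDP clock. The assertion, its issuer, subject and timestamps are constructed sample values; the 3-minute window is the default stated above.

```python
"""Evaluate a SAML assertion's Conditions window against a (possibly skewed) verifier clock."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Default validity window of the NMAS SAML Assertion method, as stated in the article.
VALIDITY_WINDOW = timedelta(minutes=3)

# Constructed sample: a minimal SAML 1.1 assertion of the kind the Access Gateway injects.
# Issuer, subject and time values are made up for this example.
ISSUED = datetime(2009, 5, 4, 10, 15, 0, tzinfo=timezone.utc)
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="constructed-id-1"
    Issuer="https://idp.example.test/nidp" IssueInstant="2009-05-04T10:15:00Z">
  <saml:Conditions NotBefore="2009-05-04T10:15:00Z" NotOnOrAfter="2009-05-04T10:18:00Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2009-05-04T10:15:00Z">
    <saml:Subject><saml:NameIdentifier>cn=jbloggs,ou=unit,o=organization</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

def parse_saml_time(value):
    """SAML timestamps are UTC ('...Z'), optionally with fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def check_conditions(assertion_xml, verifier_now):
    """Return (status, skew): status is 'valid', 'not_yet_valid' or 'expired';
    skew is how far verifier_now lies outside the window (zero when valid)."""
    root = ET.fromstring(assertion_xml)
    # Match on the local name so SAML 1.x and SAML 2.0 namespaces are both handled.
    cond = next((e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "Conditions"), None)
    if cond is None:
        raise ValueError("assertion carries no Conditions element")
    not_before = parse_saml_time(cond.attrib["NotBefore"])
    not_on_or_after = parse_saml_time(cond.attrib["NotOnOrAfter"])
    if verifier_now < not_before:
        return "not_yet_valid", not_before - verifier_now
    if verifier_now >= not_on_or_after:
        return "expired", verifier_now - not_on_or_after
    return "valid", timedelta(0)

def check_at_offset(assertion_xml, issued, offset_seconds):
    """Check the assertion as a user store whose clock is offset_seconds from the IDP would;
    returns (status, seconds outside the window)."""
    status, skew = check_conditions(assertion_xml, issued + timedelta(seconds=offset_seconds))
    return status, int(skew.total_seconds())

if __name__ == "__main__":
    # 30 s of drift passes; a user-store clock 5 minutes fast or slow fails the login.
    for offset in (30, 300, -300):
        print(f"user store clock offset {offset:+d}s: {check_at_offset(SAMPLE_ASSERTION, ISSUED, offset)}")
```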
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.