Authenticating with Identity Server and the Access Gateway
Novell Cool Solutions: Tip
By Ben Fjeldsted
Posted: 3 Jan 2007
A Forum reader recently asked:
"I have a single Linux Access Gateway with Identity Server and SSLVPN. I have tried the install several times; I can get the Reverse Proxy to work, but not the authentication. I have checked that my ISOs are correct, and I have followed the documentation to the letter. The error is not explained in the docs, and I cannot get it working. I can get the Access Gateway to serve the required pages, and I can get it to inject identities. But it won't authenticate against the built-in store. I have imported the trusted root in the ID server config and restarted everything, but no luck. Any help will be greatly appreciated."
And here's the response from Ben Fjeldsted ...
Here is what my setup is:
Here is how I set it up:
1. Within the Identity Server->Setup->[configuration name] my baseURL is set up like this:
Protocol dropdown - "https"
Domain text box - "login.digitalairlines.com"
Port text box - "8443"
Application text box - "nidp"
2. I generated a certificate for the Identity Server with the common name cn=login.digitalairlines.com and assigned it with the "Select SSL certificate link".
3. On the Access Gateway I created a Reverse Proxy with a public DNS name of "access.digitalairlines.com" and checked all of the checkboxes.
4. I used the AutoGenerate Cert link on the Service List page.
5. On my Identity Server I make sure that it can ping "access.digitalairlines.com".
6. On my Access Gateway I make sure that it can ping "login.digitalairlines.com".
7. With a web browser I make sure that when I hit the URL "https://login.digitalairlines.com:8443/nidp/idff/metadata" the only certificate warning that I see is that the request is from an untrusted CA. I make sure that I see the metadata and look for https://login.digitalairlines.com:8443/nidp in it.
8. With a web browser I make sure that when I hit the URL "https://access.digitalairlines.com/nesp/idff/metadata" the only certificate warning that I see is that the request is from an untrusted CA. I also make sure that I see the metadata and look for https://access.digitalairlines.com/nesp in it (or https://access.digitalairlines.com:443/nesp).
Only when these steps are complete and everything checks out will the authentication work ...
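Steps 5 through 8 above are a checklist an administrator runs by hand. The script below automates the same checks; it is an added example and is not part of the original tip or of the Novell product. It uses the two host names from the tip; the optional CA-file argument, the 10-second timeout and the sample metadata embedded for offline testing are assumptions. For each side it confirms the name resolves (steps 5 and 6), fetches /idff/metadata over HTTPS, and then checks that the configured base URL appears in the returned document and that every https URL it advertises points at the expected host and port (steps 7 and 8). If a CA file holding the trusted root is supplied, the TLS handshake is verified strictly, so a certificate whose common name does not match the base URL host (step 2) surfaces as an SSL error instead of being waved through.

```python
"""Pre-flight checks for an Identity Server / Access Gateway pairing.
Added example, not from the original tip. Host names are the tip's own;
the CA-file option, timeout and sample metadata are assumptions."""
import re
import socket
import ssl
import sys
import urllib.request
from urllib.parse import urlsplit

# Base URLs from step 1 (Identity Server) and steps 3/8 (Access Gateway ESP).
IDP_BASE = "https://login.digitalairlines.com:8443/nidp"
ESP_BASE = "https://access.digitalairlines.com/nesp"

# Only https URLs matter: namespace URIs such as http://www.w3.org/... are
# normal in metadata and must not be flagged.
URL_RE = re.compile(r"https://[^\s\"'<>]+")

# Constructed sample of what a healthy metadata fetch might contain
# (not a real document from the product).
SAMPLE_IDP_METADATA = (
    '<EntityDescriptor providerID="https://login.digitalairlines.com:8443/nidp/idff/metadata"'
    ' xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<SingleSignOnServiceURL>https://login.digitalairlines.com:8443/nidp/idff/sso'
    '</SingleSignOnServiceURL></EntityDescriptor>'
)


def _norm(url):
    """(scheme, host, port, path) with the default port filled in, so that
    https://host/nesp and https://host:443/nesp compare equal (step 8)."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return p.scheme, (p.hostname or "").lower(), port, p.path.rstrip("/")


def check_metadata(text, base_url):
    """Return a list of problems with a fetched metadata document.
    An empty list means the base URL is advertised and every https URL in
    the document points at the same host and port (steps 7 and 8)."""
    exp = _norm(base_url)
    urls = URL_RE.findall(text)
    if not urls:
        return ["no https URLs found; the server probably returned an error page"]
    problems = []
    found = [u for u in urls
             if _norm(u)[:3] == exp[:3] and _norm(u)[3].startswith(exp[3])]
    if not found:
        problems.append(f"base URL {base_url} does not appear in the metadata")
    for u in urls:
        if _norm(u)[:3] != exp[:3]:
            problems.append(f"metadata advertises {u}, expected {exp[1]}:{exp[2]}")
    return problems


def resolves(hostname):
    """Steps 5/6: does this box resolve the other side's name?
    Returns the address, or None if resolution fails."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def fetch_metadata(base_url, cafile=None):
    """GET <base>/idff/metadata. With a CA file the chain and host name are
    verified (a CN mismatch from step 2 shows up as an SSL error); without
    one, verification is skipped, like clicking through the browser's
    'untrusted CA' warning in steps 7 and 8."""
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    url = base_url.rstrip("/") + "/idff/metadata"
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def main(cafile=None):
    """Run every check for both sides; True only if all of them pass."""
    ok = True
    for base in (IDP_BASE, ESP_BASE):
        host = urlsplit(base).hostname
        addr = resolves(host)
        print(f"{host}: resolves to {addr}" if addr else f"{host}: DOES NOT RESOLVE")
        if not addr:
            ok = False
            continue
        try:
            problems = check_metadata(fetch_metadata(base, cafile), base)
        except OSError as exc:  # covers URLError and ssl.SSLError
            problems = [f"fetch failed: {exc}"]
        for p in problems:
            print(f"  {p}")
        ok = ok and not problems
    return ok


if __name__ == "__main__":
    sys.exit(0 if main(sys.argv[1] if len(sys.argv) > 1 else None) else 1)
```

Run it from the Access Gateway and from the Identity Server (each side needs to resolve the other, as in steps 5 and 6), passing the path to the trusted root certificate as the first argument once it has been exported; a non-zero exit means one of the eight checks did not hold.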
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com