3.3 Determining Deployment Configuration Parameters for Novell SecureLogin

In order to provide the synchronization functionality described in the deployment scenario illustrated in Figure 2-1, the first step is to gather all of the business process information related to the Identity Manager and SecureLogin environments. You can print Table 3-1, Credential Provisioning Policies Worksheet for SecureLogin, and use it as a worksheet to record the information.

Table 3-1 Credential Provisioning Policies Worksheet for SecureLogin

Configuration Information Needed / Information (record your value under each item)

1) Which applications will be configured for SecureLogin Single Sign-On provisioning?

2) Verify that SecureLogin application definitions are preconfigured on the authentication server and are inheritable by new users provisioned to those systems.

3) The DNS name or IP address of the SecureLogin repository server.

4) The SSL LDAP port for the SecureLogin repository server.

5) The fully qualified LDAP distinguished name of the administrator for the SecureLogin repository server.

6) The password of the administrator for the SecureLogin repository server.

7) The full path and the name of the SSL certificate exported from the SecureLogin server. The certificate must be local to the Identity Manager server.

8) Determine if one SecureLogin repository will be used by multiple drivers or if each driver will use a separate repository.

9) The application ID for each SecureLogin application.

10) List all required authentication keys for each application, such as Username, Password, Client, and Language. They might be different for each application.

11) Determine if any of the authentication key values can be set with a static value.

12) For non-static values that are or can be different for each user, make a note of the source of the non-static information (event information or Identity Vault attribute values).

13) If you are implementing SecureLogin provisioning on a driver that is also synchronizing a password to the target application, determine if the SecureLogin provisioning takes place before or after the password is set in the target application server.

14) The name of the Driver object where the repository and application objects are to be stored. (Can be different drivers.)

15) Determine the DN of the User objects for the target application.

16) If you are implementing a SecureLogin passphrase, determine the passphrase question and answer.

   Question:
   Answer:

3.3.1 Example Provisioning Configuration Data

Using the provisioning scenario in Figure 2-1, the following example data provisions a user’s SecureLogin credentials for the SAP Finance server for users in the Finance Active Directory authentication tree:

Table 3-2 Example Credential Provisioning Policies Worksheet for SecureLogin

Configuration Information Needed / Information (the example value follows each item)

1) Which applications will be configured for SecureLogin Single Sign-On provisioning?
   SAP Finance Application

2) Verify that SecureLogin application definitions are preconfigured on the authentication server and are inheritable by new users provisioned to those systems.
   Verified

3) The DNS name or IP address of the SecureLogin repository server.
   151.150.191.5

4) The SSL LDAP port for the SecureLogin repository server.
   636

5) The fully qualified LDAP distinguished name of the administrator for the SecureLogin repository server.
   cn=admin,ou=prod,dc=testco,dc=.com

6) The password of the administrator for the SecureLogin repository server.
   dixml

7) The full path and the name of the SSL certificate exported from the SecureLogin server. The certificate must be local to the Identity Manager server.
   c:\novell\nds\FinanceAD.cer

8) Determine if one SecureLogin repository will be used by multiple drivers or if each driver will use a separate repository.
   For this example, there is only one repository.

9) The application ID for each SecureLogin application.
   SAP - 151.150.191.27

10) List all required authentication keys for each application, such as Username, Password, Client, and Language. They might be different for each application.
   SAP Client 010 Login Parameter Client
   SAP Client 010 Login Parameter Language
   SAP Client 010 Login Parameter Username
   SAP Client 010 Login Parameter Password

11) Determine if any of the authentication key values can be set with a static value.
   SAP Client 010 Login Parameter Client: "010"
   SAP Client 010 Login Parameter Language: "EN"

12) For non-static values that are or can be different for each user, make a note of the source of the non-static information (event information or Identity Vault attribute values).
   SAP Client 010 Login Parameter Username: Identity Vault attribute "sapUsername"
   SAP Client 010 Login Parameter Password: Event <password>

13) If you are implementing SecureLogin provisioning on a driver that is also synchronizing a password to the target application, determine if the SecureLogin provisioning takes place before or after the password is set in the target application server.
   After

14) The name of the Driver object where the repository and application objects are to be stored. (Can be different drivers.)
   SAP driver

15) Determine the DN of the User objects for the target application.
   Identity Vault attribute "DirXML-ADContext"

16) If you are going to provision the SecureLogin passphrase, determine the passphrase question and answer.
   Question: "Employee code?"
   Answer: Identity Vault attribute "workforceID"

Miscellaneous Environment Information:

  • The Finance department AD tree serves as the SecureLogin repository for all Finance applications.

  • All finance department provisioning drivers are in a driver set called Finance Drivers.

  • The SAP user account must be deleted and the SecureLogin credentials for the SAP user account must be removed from the Active Directory user when the Identity Vault attribute “employeeStatus” is set to the value “I”.
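To show how the worksheet entries fit together, the following added Python example (not Novell Identity Manager or SecureLogin code) models items 9 through 12 and 16 of Table 3-2 plus the employeeStatus rule above: each SAP login parameter is tagged with its source kind, resolved for one user from constructed Identity Vault attributes and event data, and provisioning is refused when a required source is missing. The source kinds and the deprovisioning check are the example's own structure; attribute, event and parameter names are the page's.

```python
# Added illustration, not Novell SecureLogin or Identity Manager code.
# Models how the Table 3-2 worksheet maps each SAP login parameter to its
# source (static value, Identity Vault attribute, or event data) and resolves
# them for one user. Attribute and event names come from the worksheet.
from dataclasses import dataclass

@dataclass(frozen=True)
class KeySource:
    kind: str   # "static", "attribute" (Identity Vault) or "event"
    value: str  # literal value, attribute name, or event element name

SAP_APP_ID = "SAP - 151.150.191.27"          # worksheet item 9
SAP_KEYS = {                                  # items 10-12
    "Client": KeySource("static", "010"),
    "Language": KeySource("static", "EN"),
    "Username": KeySource("attribute", "sapUsername"),
    "Password": KeySource("event", "password"),
}
PASSPHRASE_QUESTION = "Employee code?"        # item 16
PASSPHRASE_ANSWER = KeySource("attribute", "workforceID")

def _lookup(source, vault_attrs, event):
    """Return the value a source currently yields, or None if unavailable."""
    if source.kind == "static":
        return source.value
    if source.kind == "attribute":
        return vault_attrs.get(source.value)
    if source.kind == "event":
        return event.get(source.value)
    raise ValueError(f"unknown source kind: {source.kind}")

def missing_sources(vault_attrs, event):
    """List every source that has no value for this user/event."""
    needed = list(SAP_KEYS.values()) + [PASSPHRASE_ANSWER]
    return [f"{s.kind} '{s.value}'" for s in needed
            if _lookup(s, vault_attrs, event) is None]

def provision_credentials(vault_attrs, event):
    """Build the SecureLogin credential set for one user.

    Returns None when the user must be deprovisioned (employeeStatus "I", per
    the miscellaneous environment information); raises if any required source
    is missing, so a half-filled credential set is never written.
    """
    if vault_attrs.get("employeeStatus") == "I":
        return None
    missing = missing_sources(vault_attrs, event)
    if missing:
        raise LookupError("cannot provision; missing " + ", ".join(missing))
    keys = {name: _lookup(src, vault_attrs, event) for name, src in SAP_KEYS.items()}
    return {"application": SAP_APP_ID, "keys": keys,
            "passphrase": (PASSPHRASE_QUESTION, _lookup(PASSPHRASE_ANSWER, vault_attrs, event))}
```

The event dict stands in for the <password> element of the driver event; attribute values are constructed sample data.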

After all of the configuration data has been determined, proceed to Section 3.4, Creating a Repository Object for Novell SecureLogin.