To improve User Application performance, the eDirectory™ Administrator should create indexes for the manager, ismanager and srvprvUUID attributes. Without indexes on these attributes, User Application users can experience impeded performance, particularly in a clustered environment.
These indexes can be created automatically during installation if you select on the tab of the User Application Configuration Panel (described in Table A-2), or refer to the Novell eDirectory Administration Guidehttp://www.novell.com/documentation for directions on using Index Manager to create indexes.
This configuration is only required if you want to use the SAML authentication method and are not also using Access Manager. If you are using Access Manager, your eDirectory tree will already include the method. The procedure includes:
Installing the SAML Method in your eDirectory tree.
Editing eDirectory attributes using iManager
Locate then unzip the nmassaml.zip file in the .iso.
Install the SAML method into your eDirectory tree.
Extend the schema stored in the authsaml.sch
The following example shows how to perform this on Linux:
ndssch -h <edir_ip> <edir_admin> authsaml.sch
Install the SAML method.
The following example shows how to perform this on Linux:
nmasinst -addmethod <edir_admin> <tree> ./config.txt
Open iManager and go to .
Select .
Create a new object of class authsamlAffiliate.
Select authsamlAffiliate, then click . (You may name this object any valid name.)
To specify the Context, select the container object in the tree, then click
You must add attributes to the class object authsamlAffiliate.
Go to the iManager tab and find your new affiliate object in the SAML Assertion.Authorized Login Methods.Security container.
Select the new affiliate object, then select .
Add an attribute to the new affiliate object. This attribute is used to match an assertion with its affiliate. The contents of this attribute must be an exact match with the Issuer attribute sent by the SAML assertion.
Click the .
Add and attributes to the affiliate object. These attributes define the amount of time, in seconds, around the in an assertion when the assertion is considered valid. A typical default is 180 seconds.
Click .
Select the Security container, then select to create a in your Security Container.
Create a objects in the Trusted Root Container.
Return to then select .
Select again.
To create a object for the certificate that your affiliate will use to sign assertions. You must have a der encoded copy of the certificate to do this.
Create new trusted root objects for each certificate in the signing certificate's chain up to the root CA certificate.
Set the Context to the Trusted Root Container created earlier, then click .
Return to the Object Viewer.
Add an attribute to your affiliate object, then click .
This attribute should point to the "Trusted Root Object" for the signing certificate that you created in the previous step. (All assertions for the affiliate must be signed by certificates pointed to by this attribute, or they will be rejected.)
Add an attribute to your affiliate object, then click .
This attribute should point to the "Trusted Root Container" that you created before. (This attribute is used to verify the certificate chain of the signing certificate.)