The following are the Identity Server enhancements in the Access Manager 3.1 SP3 release:
Federation Enhancements: The following features are enhanced in the SAML and Liberty protocols:
NIDP Principal Consistency:
Allows you to set the identity provider session timeout, configure the assertion validity time, overwrite the temporary user, and identify real users. For more information, see Configuring Authentication Methods and Configuring the Attribute Matching Method for SAML 1.1 in the Novell Access Manager 3.1 SP5 Identity Server Guide.
Whitelist of Target URLs:
Allows access only to a target URL whose domain is in the configured domain list. For more information, see Configuring Whitelist of Target URLs in the Novell Access Manager 3.1 SP5 Identity Server Guide.
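The check behind a target-URL whitelist is a host comparison against a configured domain list. The following Python function is an added illustration of that check; it is not Access Manager code and the domain list, the https-only rule and the rejection of URLs carrying credentials in the authority part are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the example; a real deployment reads it from configuration.
ALLOWED_DOMAINS = ("portal.example.com", "intranet.example.com")
ALLOWED_SCHEMES = ("https",)


def is_allowed_target(url: str, allowed_domains=ALLOWED_DOMAINS) -> bool:
    """Return True only when the target URL points at one of the allowed domains
    (or a subdomain of one) over an allowed scheme. Anything unparsable,
    relative, or carrying user-info in the authority part is refused."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # A URL whose authority contains '@' is judged by its real host, but the
    # example refuses such URLs outright because they are never legitimate
    # redirect targets here (assumption for this example).
    if "@" in parts.netloc:
        return False
    host = parts.hostname  # lower-cased, port stripped
    if not host:
        return False
    for domain in allowed_domains:
        domain = domain.lower()
        # Exact match or a label boundary: "x.portal.example.com" is allowed,
        # "portal.example.com.other.example" is not.
        if host == domain or host.endswith("." + domain):
            return True
    return False


if __name__ == "__main__":
    for candidate in (
        "https://portal.example.com/app",
        "https://sub.intranet.example.com:8443/x",
        "http://portal.example.com/",
        "https://portal.example.com.other.example/",
        "https://portal.example.com@other.example/",
        "/relative/path",
    ):
        print(candidate, "->", is_allowed_target(candidate))
```

The suffix comparison deliberately includes the leading dot so that a lookalike host that merely begins with an allowed name does not pass.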
Local Method Execution Post Federation:
This feature authenticates the user at the local service provider after the remote password authentication. It also configures the assertion validity time and overwrites the temporary user and real user identifications. For more information, see Defining User Identification for Liberty and SAML 2.0 in the Novell Access Manager 3.1 SP5 Identity Server Guide.
Mapping Between Types and Contracts:
The Identity Server is contract-based, and this setting permits an association to be made between a contract and the external provider assertion. For more information, see Modifying the Authentication Card for Liberty or SAML 2.0 in the Novell Access Manager 3.1 SP5 Identity Server Guide.
Password Fetch Class Extensions:
Novell Access Manager supports password retrieval for users who are mapped either by the CN of the user object or by an attribute value of the user object. For more information, see Configuring Password Retrieval in the Novell Access Manager 3.1 SP5 Identity Server Guide.
SP Brokering:
The Novell Access Manager Identity Server acts as a federation gateway or service provider broker (SP Broker). This feature is used along with the Intersite Transfer Service of the identity provider, which enables authentication at a trusted service provider. The SP Broker feature helps control the authentication flow between several identity providers and service providers in a federation circle by allowing the administrator to configure policies that control Intersite Transfers. For example, an administrator can configure an SP Broker policy that allows only certain users from an identity provider to be authenticated at a given service provider. For more information, see SP Brokering in the Novell Access Manager 3.1 SP5 Identity Server Guide.
A-Select Feature Enhancements: The following sections provide information about the A-Select feature.
Defining Session Synchronization for Liberty or SAML 2.0:
You need to configure the properties for session synchronization between the service provider and the target identity provider. For more information, see Defining Session Synchronization for the A-Select SAML 2.0 Identity Provider in the Novell Access Manager 3.1 SP5 Identity Server Guide.
Defining Options for Liberty or SAML 2.0:
According to the Single Logout Profile in the OASIS SAML V2.0 Profiles specification, session participants can use a front-channel binding. The profile is initiated to maximize the chance that the logout, which the session authority propagates, succeeds for all session participants. For more information, see Defining Options for Liberty or SAML 2.0 in the Novell Access Manager 3.1 SP5 Identity Server Guide.
Configuring the Liberty or SAML 2.0 Session Timeout:
You can configure the session timeout as a web.xml parameter in the ESP (Embedded Service Provider). When the timeout is reached, the ESP sends a SAML 2.0 logout request to the remote identity provider over the SOAP back channel. For more information, see Configuring the Liberty or SAML 2.0 Session Timeout in the Novell Access Manager 3.1 SP5 Identity Server Guide.
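To make the back-channel step concrete, here is an added Python sketch of the exchange the text describes: an idle-timeout check, the SAML 2.0 LogoutRequest the service provider side sends inside a SOAP 1.1 envelope, the LogoutResponse the identity provider side returns, and the checks applied to that response. It is illustration only, not ESP code; the entity IDs, endpoint, NameID and session index are constructed sample values, and XML signing, which a real SOAP binding would add, is left out.

```python
import time
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces and status URI as defined by OASIS (SAML 2.0) and W3C (SOAP 1.1).
NS_SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

for prefix, uri in (("SOAP-ENV", NS_SOAP), ("samlp", NS_SAMLP), ("saml", NS_SAML)):
    ET.register_namespace(prefix, uri)


def _instant(epoch: float) -> str:
    """Format a Unix time as the UTC xs:dateTime SAML requires."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def session_timed_out(last_activity: float, timeout_seconds: int, now: float) -> bool:
    """True when the session has been idle for at least the configured timeout."""
    return now - last_activity >= timeout_seconds


def _envelope():
    envelope = ET.Element(f"{{{NS_SOAP}}}Envelope")
    body = ET.SubElement(envelope, f"{{{NS_SOAP}}}Body")
    return envelope, body


def build_logout_request(issuer, destination, name_id, session_index, now):
    """Service-provider side: return (request_id, soap_xml) for a LogoutRequest."""
    request_id = "_" + uuid.uuid4().hex
    envelope, body = _envelope()
    request = ET.SubElement(body, f"{{{NS_SAMLP}}}LogoutRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": _instant(now), "Destination": destination,
    })
    ET.SubElement(request, f"{{{NS_SAML}}}Issuer").text = issuer
    ET.SubElement(request, f"{{{NS_SAML}}}NameID").text = name_id
    ET.SubElement(request, f"{{{NS_SAMLP}}}SessionIndex").text = session_index
    return request_id, ET.tostring(envelope, encoding="unicode")


def build_logout_response(in_response_to, issuer, status_code, now):
    """Identity-provider side: the LogoutResponse answering a given request."""
    envelope, body = _envelope()
    response = ET.SubElement(body, f"{{{NS_SAMLP}}}LogoutResponse", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": _instant(now), "InResponseTo": in_response_to,
    })
    ET.SubElement(response, f"{{{NS_SAML}}}Issuer").text = issuer
    status = ET.SubElement(response, f"{{{NS_SAMLP}}}Status")
    ET.SubElement(status, f"{{{NS_SAMLP}}}StatusCode", {"Value": status_code})
    return ET.tostring(envelope, encoding="unicode")


def parse_logout_response(soap_xml: str, expected_request_id: str):
    """Return (success, status). Fails closed when the response is missing,
    answers a different request, or carries any status other than Success."""
    root = ET.fromstring(soap_xml)
    response = root.find(f".//{{{NS_SAMLP}}}LogoutResponse")
    if response is None:
        return False, "missing LogoutResponse"
    if response.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo mismatch"
    code = response.find(f"{{{NS_SAMLP}}}Status/{{{NS_SAMLP}}}StatusCode")
    value = code.get("Value") if code is not None else "missing StatusCode"
    return value == STATUS_SUCCESS, value


if __name__ == "__main__":
    # Constructed sample values; real ones come from the provider metadata.
    sp, idp = "https://esp.example.com/nesp/idff/metadata", "https://idp.example.com/nidp/saml2/metadata"
    now = time.time()
    if session_timed_out(now - 1800, 900, now):
        rid, req = build_logout_request(sp, idp + "/soap", "alice@example.com", "idx-1", now)
        print(req)
        resp = build_logout_response(rid, idp, STATUS_SUCCESS, now)   # stands in for the IdP's reply
        print(parse_logout_response(resp, rid))
```

Binding the response to the outstanding request through InResponseTo is what stops an unrelated or replayed LogoutResponse from being accepted as confirmation.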
Load Balancing Feature:
The session-level load balancing feature lets you configure the Web servers at different levels. For more information, see Configuring Web Servers in the Novell Access Manager 3.1 SP5 Access Gateway Guide.
Configuring High Availability:
The High Availability option of the Linux Access Gateway helps improve overall reliability. This section provides information on hardware requirements, configuration details for fresh installation and upgrade scenarios, and functionality details of the High Availability option. For more information, see Configuring the High Availability Feature in the Novell Access Manager 3.1 SP5 Access Gateway Guide.
Session Stickiness Option:
You can use the session stickiness option if multiple Web servers are configured for a service. Selecting this option causes the proxy server to use the same Web server for all fills during a session. For more information, see Configuring Web Servers in the Novell Access Manager 3.1 SP5 Access Gateway Guide.
Policy View Administrator:
A policy view administrator has rights only to view policy containers. Super administrators can create this special type of delegated administrator, who can only view the policies in the policy containers assigned to them. Policy view administrators log in to Access Manager with their own credentials and are allowed to view only the policy containers assigned to them. For more information, see Administration Console in the Novell Access Manager 3.1 SP5 Administration Console Guide.
Network Address Translation (NAT) Support:
Network Address Translation (NAT) maps public IP addresses so that they can communicate with a single private IP address. Network administrators create a NAT table that maps public-to-private and private-to-public IP addresses. The mapped IP addresses can be static or dynamic.
Access Manager can be configured with NAT, which enables communication between the Administration Console on the local network and other Access Manager devices such as the Identity Server and the Access Gateway. Those devices can be in the external network or in another private network. The NAT address needs to be configured in the router.
LDAP SSL Connection Reuse:
Once a new LDAP SSL connection is made, it is kept open for reuse. For each new user request, the same LDAP SSL connection can be used to rebind as a different user. This removes the connection-establishment overhead for every LDAP request, which boosts performance over slow links. The maximum number of connections in the pool and the interval for which a connection can be kept open (the LDAP timeout) are configurable.
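The pooling behaviour described above (keep an established connection open, rebind it for the next user, bound the pool size, and close connections that have sat idle past the timeout) is shown in the following added Python example. It is not Access Manager code: the connection class is a constructed stand-in that records binds instead of talking to a directory, and the clock is injectable so the idle timeout can be exercised deterministically.

```python
import time
from collections import deque


class FakeLdapSslConnection:
    """Stand-in for a TLS-protected LDAP connection (constructed for this example;
    a real client would open a socket and send an LDAP BindRequest)."""

    def __init__(self, server: str):
        self.server = server
        self.bound_as = None
        self.closed = False

    def bind(self, dn: str, password: str) -> None:
        # An LDAP bind replaces the connection's authorization identity, so a
        # reused connection never keeps the previous user's identity.
        self.bound_as = dn

    def close(self) -> None:
        self.closed = True


class LdapConnectionPool:
    """Keeps established LDAP SSL connections open for reuse, bounded by a
    maximum pool size and an idle timeout (the two configurable values)."""

    def __init__(self, server, max_connections, idle_timeout,
                 clock=time.monotonic, factory=FakeLdapSslConnection):
        self.server = server
        self.max_connections = max_connections
        self.idle_timeout = idle_timeout
        self._clock = clock
        self._factory = factory
        self._idle = deque()   # (connection, time released), oldest first
        self._in_use = 0
        self.opened = 0        # total connections ever established

    def acquire(self, dn: str, password: str):
        """Hand out a connection bound as `dn`, reusing an idle one when possible."""
        self._close_expired()
        if self._idle:
            conn, _ = self._idle.popleft()
        elif self._in_use < self.max_connections:
            conn = self._factory(self.server)
            self.opened += 1
        else:
            raise RuntimeError("LDAP connection pool exhausted")
        conn.bind(dn, password)   # rebind: same TLS session, new user
        self._in_use += 1
        return conn

    def release(self, conn) -> None:
        """Return a connection to the idle list instead of closing it."""
        self._in_use -= 1
        self._idle.append((conn, self._clock()))

    def idle_count(self) -> int:
        return len(self._idle)

    def _close_expired(self) -> None:
        """Close connections that have been idle for the timeout or longer."""
        now = self._clock()
        while self._idle and now - self._idle[0][1] >= self.idle_timeout:
            conn, _ = self._idle.popleft()
            conn.close()


if __name__ == "__main__":
    pool = LdapConnectionPool("ldaps://ldap.example.com:636", max_connections=2, idle_timeout=30)
    first = pool.acquire("cn=alice,o=example", "pw1")
    pool.release(first)
    second = pool.acquire("cn=bob,o=example", "pw2")
    print("reused:", second is first, "bound as:", second.bound_as, "opened:", pool.opened)
```

Because idle connections are queued in release order, the oldest one is always at the head, so the expiry sweep can stop at the first connection that is still within the timeout.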