Novell Access Manager 3.1 SP4 User guide

  • Hello! I am an AI chatbot trained to assist you with the Novell Access Manager 3.1 SP4 User guide. I’ve already reviewed the document and can help you find the information you need or explain it in simple terms. Just ask your questions, and providing more details will help me assist you more effectively!
www.novell.com/documentation
Identity Server Guide
Access Manager 3.1 SP5
January 2013
Legal Notices
Novell,Inc.,makesnorepresentationsorwarrantieswithrespecttothecontentsoruseofthisdocumentation,andspecifically
disclaimsanyexpressorimpliedwarrantiesofmerchantabilityorfitnessforanyparticularpurpose.Further,Novell,Inc.,
reservestherighttorevisethispublicationandtomakechangestoitscontent,at
anytime,withoutobligationtonotifyany
personorentityofsuchrevisionsorchanges.
Further,Novell,Inc.,makesnorepresentationsorwarrantieswithrespecttoanysoftware,andspecificallydisclaimsany
expressorimpliedwarrantiesofmerchantabilityorfitnessforanyparticularpurpose.Further,Novell,Inc.,reservestheright
to
makechangestoanyandallpartsofNovellsoftware,atanytime,withoutanyobligationtonotifyanypersonorentityof
suchchanges.
AnyproductsortechnicalinformationprovidedunderthisAgreementmaybesubjecttoU.S.exportcontrolsandthetrade
lawsofothercountries.Youagreeto
complywithallexportcontrolregulationsandtoobtainanyrequiredlicensesor
classificationtoexport,reexportorimportdeliverables.YouagreenottoexportorreexporttoentitiesonthecurrentU.S.
exportexclusionlistsortoanyembargoedorterroristcountriesasspecifiedintheU.S.
exportlaws.Youagreetonotuse
deliverablesforprohibitednuclear,missile,orchemicalbiologicalweaponryenduses.SeetheNovellInternationalTrade
ServicesWebpage(http://www.novell.com/info/exports/)formoreinformationonexportingNovellsoftware.Novellassumes
noresponsibilityforyourfailuretoobtainanynecessaryexportapprovals.
Copyright©2013Novell,
Inc.Allrightsreserved.Nopartofthispublicationmaybereproduced,photocopied,storedona
retrievalsystem,ortransmittedwithouttheexpresswrittenconsentofthepublisher.
Novell, Inc.
1800 South Novell Place
Provo, UT 84606
U.S.A.
www.novell.com
OnlineDocumentation:ToaccessthelatestonlinedocumentationforthisandotherNovellproducts,seetheNovell
DocumentationWebpage(http://www.novell.com/documentation).
Novell Trademarks
ForNovelltrademarks,seetheNovellTrademarkandServiceMarklist(http://www.novell.com/company/legal/trademarks/
tmlist.html).
Third-Party Materials
Allthirdpartytrademarksarethepropertyoftheirrespectiveowners.
Contents 3
Contents
About This Guide 11
1 Configuring an Identity Server 13
1.1 Managing a Cluster Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
1.1.1 Creating a Cluster Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
1.1.2 Assigning an Identity Server to a Cluster Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
1.1.3 Configuring a Cluster with Multiple Identity Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
1.1.4 Configuring Session Failover. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
1.1.5 Editing Cluster Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
1.1.6 Removing a Server from a Cluster Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
1.1.7 Enabling and Disabling Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
1.1.8 Modifying the Base URL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
1.2 Enabling Role-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
1.3 Configuring Secure Communication on the Identity Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
1.3.1 Viewing the Services That Use the Signing Key Pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
1.3.2 Viewing Services That Use the Encryption Key Pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
1.3.3 Managing the Keys, Certificates, and Trust Stores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
1.4 Security Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
1.4.1 Federation Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
1.4.2 Authentication Contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
1.4.3 Forcing 128-Bit Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
1.4.4 Securing the Identity Server Cookie . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
1.4.5 Configuring the Encryption Method for the SAML Assertion . . . . . . . . . . . . . . . . . . . . . . . . 32
1.4.6 Configuring SAML 2.0 to Sign Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
1.4.7 Blocking Access to Identity Server Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
1.5 Translating the Identity Server Configuration Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
1.5.1 Changing the Port on a Windows Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
1.5.2 Changing the Port on a Linux Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
1.6 Using netHSM for the Signing Key Pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
1.6.1 Understanding How Access Manager Uses Signing and Interacts with the netHSM
Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
1.6.2 Configuring the Identity Server for netHSM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
2 Customizing Login Pages, Logout Pages, and Messages 57
2.1 Customizing the Identity Server Login Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
2.1.1 Selecting the Login Page and Modifying It . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
2.1.2 Configuring the Identity Server to Use Custom Login Pages . . . . . . . . . . . . . . . . . . . . . . . 69
2.1.3 Troubleshooting Tips for Custom Login Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
2.2 Customizing the Identity Server Logout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
2.2.1 Rebranding the Logout Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
2.2.2 Replacing the Logout Page with a Custom Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
2.2.3 Configuring for Local Rather Than Global Logout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
2.3 Customizing Identity Server Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
2.3.1 Customizing Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
2.3.2 Customizing the Branding of the Error Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
2.3.3 Customizing Tooltip Text for Authentication Contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . .81
2.4 Sample Custom Login Pages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
2.4.1 Modified login.jsp File for Credential Prompts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
2.4.2 Custom nidp.jsp File with Custom Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
2.4.3 Custom 3.1 login.jsp File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
4 Contents
2.4.4 Custom 3.0 login.jsp File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
3 Configuring Local Authentication 99
3.1 Configuring Identity User Stores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
3.1.1 Using More Than One LDAP User Store. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
3.1.2 Configuring the User Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
3.1.3 Configuring an Admin User for the User Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104
3.1.4 Configuring a User Store for Secrets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
3.2 Creating Authentication Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113
3.2.1 Creating Basic or Form-Based Authentication Classes. . . . . . . . . . . . . . . . . . . . . . . . . . .115
3.2.2 Specifying Common Class Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .116
3.3 Configuring Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118
3.4 Configuring Authentication Contracts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120
3.4.1 Using a Password Expiration Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .124
3.4.2 Using Activity Realms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126
3.5 Specifying Authentication Defaults. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127
3.5.1 Specifying Authentication Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
3.5.2 Creating a Contract for a Specific Authentication Type. . . . . . . . . . . . . . . . . . . . . . . . . . .128
3.6 Managing Direct Access to the Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129
3.6.1 Logging In to the User Portal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129
3.6.2 Specifying a Target . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
3.6.3 Blocking Access to the User Portal Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
3.6.4 Blocking Access to the WSDL Services Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
4 Configuring Advanced Local Authentication Procedures 135
4.1 Configuring for RADIUS Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135
4.2 Configuring Mutual SSL (X.509) Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
4.2.1 Configuring Attribute Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139
4.2.2 Setting Up Mutual SSL Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .141
4.3 Creating an ORed Credential Class. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
4.4 Configuring for OpenID Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144
4.5 Configuring Password Retrieval. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
4.6 Mapping Transient Identifier to Local User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
4.6.1 Creating a Method to Use the PasswordFetchClassEx . . . . . . . . . . . . . . . . . . . . . . . . . .148
4.6.2 Using the PasswordFetchClassEx Method for Mapping a Transient User to a Local
User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149
4.7 Configuring Access Manager for NESCM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .150
4.7.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151
4.7.2 Creating a User Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151
4.7.3 Creating a Contract for the Smart Card. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153
4.7.4 Assigning the NESCM Contract to a Protected Resource. . . . . . . . . . . . . . . . . . . . . . . . .156
4.7.5 Verifying the User’s Experience. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156
4.7.6 Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
5 Configuring for Kerberos Authentication 159
5.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
5.2 Configuring Active Directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161
5.2.1 Installing the spn and the ktpass Utilities for Windows Server 2003 . . . . . . . . . . . . . . . . . 161
5.2.2 Creating and Configuring the User Account for the Identity Server. . . . . . . . . . . . . . . . . .162
5.2.3 Configuring the Keytab File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162
5.2.4 Adding the Identity Server to the Forward Lookup Zone. . . . . . . . . . . . . . . . . . . . . . . . . .163
5.3 Configuring the Identity Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
5.3.1 Enabling Logging for Kerberos Transactions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
5.3.2 Configuring the Identity Server for Active Directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Contents 5
5.3.3 Creating the Authentication Class, Method, and Contract. . . . . . . . . . . . . . . . . . . . . . . . .165
5.3.4 Creating the bcsLogin Configuration File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
5.3.5 Verifying the Kerberos Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
5.3.6 (Optional) Using the Name/Password Form Authentication . . . . . . . . . . . . . . . . . . . . . . . 169
5.3.7 (Optional) Configuring the Fall Back Authentication Class . . . . . . . . . . . . . . . . . . . . . . . .170
5.4 Configuring the Clients. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .171
5.5 Configuring the Access Gateway for Kerberos Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . .172
6 Defining Shared Settings 173
6.1 Configuring Attribute Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .173
6.2 Editing Attribute Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176
6.3 Configuring User Matching Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176
6.4 Adding Custom Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178
6.4.1 Creating Shared Secret Names. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178
6.4.2 Creating LDAP Attribute Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
6.5 Adding Authentication Card Images. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180
6.6 Creating an Image Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181
7 Configuring SAML and Liberty Trusted Providers 183
7.1 Understanding the Trust Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
7.1.1 Identity Providers and Consumers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184
7.1.2 Embedded Service Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184
7.1.3 Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .185
7.2 Configuring General Provider Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
7.2.1 Configuring the General Identity Provider Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186
7.2.2 Configuring the General Identity Consumer Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . .187
7.2.3 Configuring the Introductions Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188
7.2.4 Configuring the Trust Levels Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
7.3 Managing Trusted Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189
7.3.1 Creating a Trusted Provider for Liberty or SAML 2.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . .190
7.3.2 Creating a Trusted Service Provider for SAML 1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192
7.3.3 Creating a Trusted Identity Provider for SAML 1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .193
7.4 Modifying a Trusted Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195
7.5 Configuring Communication Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
7.5.1 Configuring Communication Security for Liberty and SAML 1.1 . . . . . . . . . . . . . . . . . . . .196
7.5.2 Configuring Communication Security for a SAML 2.0 Identity Provider . . . . . . . . . . . . . .197
7.5.3 Configuring Communication Security for a SAML 2.0 Service Provider . . . . . . . . . . . . . .198
7.6 Selecting Attributes for a Trusted Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
7.6.1 Configuring the Attributes Obtained at Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . .199
7.6.2 Configuring the Attributes Sent with Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200
7.6.3 Sending Attributes to the Embedded Service Provider . . . . . . . . . . . . . . . . . . . . . . . . . . .201
7.7 Managing Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202
7.7.1 Viewing and Reimporting a Trusted Provider’s Metadata . . . . . . . . . . . . . . . . . . . . . . . . .202
7.7.2 Viewing Trusted Provider Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
7.7.3 Editing a SAML 1.1 Identity Provider’s Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
7.7.4 Editing a SAML 1.1 Service Provider’s Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204
7.8 Configuring an Authentication Request for an Identity Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
7.8.1 Configuring a Liberty Authentication Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206
7.8.2 Configuring a SAML 2.0 Authentication Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
7.9 Configuring an Authentication Response for a Service Provider . . . . . . . . . . . . . . . . . . . . . . . . . . .211
7.9.1 Configuring the Liberty Authentication Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211
7.9.2 Configuring the SAML 2.0 Authentication Response. . . . . . . . . . . . . . . . . . . . . . . . . . . . .212
7.9.3 Configuring the SAML 1.1 Authentication Response. . . . . . . . . . . . . . . . . . . . . . . . . . . . .214
7.10 Managing the Authentication Card of an Identity Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215
7.10.1 Modifying the Authentication Card for Liberty or SAML 2.0. . . . . . . . . . . . . . . . . . . . . . . .215
6 Contents
7.10.2 Modifying the Authentication Card for SAML 1.1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .216
7.11 Using the Intersite Transfer Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .216
7.11.1 Understanding the Intersite Transfer Service URL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .217
7.11.2 Specifying the Intersite Transfer Service URL for the Login URL Option . . . . . . . . . . . . .218
7.11.3 Using Intersite Transfer Service Links on Web Pages . . . . . . . . . . . . . . . . . . . . . . . . . . .219
7.11.4 Configuring an Intersite Transfer Service Target for a Service Provider . . . . . . . . . . . . . .221
7.11.5 Configuring Whitelist of Target URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .222
8 Configuring CardSpace 223
8.1 Overview of the CardSpace Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .223
8.2 Prerequisites for CardSpace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .225
8.2.1 Enabling High Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .226
8.2.2 Configuring the Client Machines for CardSpace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
8.3 CardSpace Configuration Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228
8.3.1 Authenticating with a Personal Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228
8.3.2 Authenticating with a Managed Card. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
8.3.3 Authenticating with a Managed Card Backed by a Personal Card . . . . . . . . . . . . . . . . . .235
8.4 Configuring the Identity Server as a Relying Party . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .236
8.4.1 Defining an Authentication Card and Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .236
8.4.2 Defining a Trusted Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238
8.4.3 Cleaning Up Identities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
8.4.4 Defederating after User Portal Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .239
8.5 Configuring the Identity Server as an Identity Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .240
8.5.1 Replacing the Signing Certificate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .240
8.5.2 Configuring STS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .240
8.5.3 Creating a Managed Card Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .241
8.6 Using CardSpace Cards for Authentication to Access Gateway Protected Resources. . . . . . . . . . 242
8.7 Managing CardSpace Trusted Providers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .242
8.7.1 CardSpace Identity Provider Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .243
8.7.2 Renaming the CardSpace Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .243
8.7.3 Updating the Metadata of the CardSpace Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .243
8.8 Managing Card Templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244
8.8.1 General Template Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244
8.8.2 Template Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
8.9 Configuring Authentication Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245
8.9.1 Configuring the General Details of a Card Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .246
8.9.2 Configuring Attribute Claims . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247
8.9.3 Configuring User Identification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247
8.10 Cleaning Up Identities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .248
9 Configuring STS 251
9.1 Configuring STS Attribute Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .251
9.2 Configuring Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .251
9.3 Configuring the Authentication Request. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252
10 Configuring WS Federation 253
10.1 Using the Identity Server as an Identity Provider for ADFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .253
10.1.1 Configuring the Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .254
10.1.2 Configuring the ADFS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
10.1.3 Logging In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .261
10.1.4 Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .262
10.2 Using the ADFS Server as an Identity Provider for an Access Manager Protected Resource . . . . 264
10.2.1 Configuring the Identity Server as a Service Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . .264
10.2.2 Configuring the ADFS Server to Be an Identity Provider. . . . . . . . . . . . . . . . . . . . . . . . . .267
Contents 7
10.2.3 Logging In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .269
10.2.4 Additional WS Federation Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
10.3 Managing WS Federation Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .269
10.3.1 Creating an Identity Provider for WS Federation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
10.3.2 Creating a Service Provider for WS Federation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
10.4 Modifying a WS Federation Identity Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .271
10.4.1 Renaming the Trusted Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .271
10.4.2 Configuring the Attributes Obtained at Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . .272
10.4.3 Modifying the User Identification Method. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272
10.4.4 Viewing the WS Identity Provider Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .273
10.4.5 Editing the WS Identity Provider Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
10.4.6 Modifying the Authentication Card. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .274
10.4.7 Assertion Validity Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275
10.5 Modifying a WS Federation Service Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275
10.5.1 Renaming the Service Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276
10.5.2 Configuring the Attributes Sent with Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276
10.5.3 Modifying the Authentication Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276
10.5.4 Viewing the WS Service Provider Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277
10.5.5 Editing the WS Service Provider Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .278
11 SP Brokering 279
11.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .279
11.2 Configuring the SP Broker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
11.3 Creating and Viewing Brokering Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
11.3.1 Creating a Brokering Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .285
11.3.2 Configuring Trusted Identity Providers and Service Providers . . . . . . . . . . . . . . . . . . . . . 286
11.3.3 Creating and Viewing Brokering Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288
11.3.4 Constructing Brokering URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .290
11.3.5 Validating Brokering Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292
11.4 Generating the Brokering URLs by Using an ID and Target in the Intersite Transfer Service. . . . .294
12 Configuring User Identification Methods for Federation 295
12.1 Defining User Identification for Liberty and SAML 2.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .295
12.1.1 Selecting a User Identification Method for Liberty or SAML 2.0 . . . . . . . . . . . . . . . . . . . .295
12.1.2 Configuring the Attribute Matching Method for Liberty or SAML 2.0 . . . . . . . . . . . . . . . . .297
12.2 Defining User Identification for SAML 1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .298
12.2.1 Selecting a User Identification Method for SAML 1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . .299
12.2.2 Configuring the Attribute Matching Method for SAML 1.1 . . . . . . . . . . . . . . . . . . . . . . . . .300
12.3 Defining Options for Liberty or SAML 2.0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
12.4 Defining Session Synchronization for the A-Select SAML 2.0 Identity Provider . . . . . . . . . . . . . . .301
12.5 Configuring the Liberty or SAML 2.0 Session Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302
12.5.1 Session Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
12.6 Defining the User Provisioning Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
12.7 User Provisioning Error Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .306
13 Configuring Communication Profiles 309
13.1 Configuring a Liberty Profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .309
13.2 Configuring a SAML 1.1 Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .310
13.3 Configuring a SAML 2.0 Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .310
14 Configuring Liberty Web Services 313
14.1 Configuring the Web Services Framework. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .314
14.2 Managing Web Services and Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .314
8 Contents
14.2.1 Modifying Service and Profile Details for Employee, Custom, and Personal Profiles . . . .315
14.2.2 Modifying Details for Authentication, Discovery, LDAP, and User Interaction Profiles . . .317
14.2.3 Editing Web Service Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .318
14.2.4 Editing Web Service Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .319
14.2.5 Create Web Service Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321
14.3 Configuring Credential Profile Security and Display Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .322
14.4 Customizing Attribute Names. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .324
14.5 Configuring the Web Service Consumer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
14.6 Mapping LDAP and Liberty Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .326
14.6.1 Configuring One-to-One Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .327
14.6.2 Configuring Employee Type Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .330
14.6.3 Configuring Employee Status Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .331
14.6.4 Configuring Postal Address Attribute Maps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .333
14.6.5 Configuring Contact Method Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
14.6.6 Configuring Gender Attribute Maps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336
14.6.7 Configuring Marital Status Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
15 Maintaining an Identity Server 339
15.1 Managing an Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
15.1.1 Updating an Identity Server Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .341
15.1.2 Restarting the Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .341
15.2 Editing Server Details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .342
15.3 Configuring Component Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .342
15.3.1 Enabling Component Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .342
15.3.2 Managing Log File Size. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .344
15.4 Configuring Session-Based Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .344
15.4.1 Creating the Administrator Class, Method, and Contract . . . . . . . . . . . . . . . . . . . . . . . . .345
15.4.2 Creating the Logging Session Class, Method, and Contract. . . . . . . . . . . . . . . . . . . . . . .346
15.4.3 Enabling Basic Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347
15.4.4 Responding to an Incident. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .348
15.5 Monitoring the Health of an Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .350
15.5.1 Health States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .351
15.5.2 Viewing the Health Details of an Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
15.5.3 Viewing the Health Details of a Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .354
15.6 Monitoring Identity Server Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .355
15.6.1 Application. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .356
15.6.2 Authentications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .356
15.6.3 Incoming HTTP Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
15.6.4 Outgoing HTTP Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .357
15.6.5 Liberty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .358
15.6.6 SAML 1.1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .358
15.6.7 SAML 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .359
15.6.8 WSF (Web Services Framework) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .359
15.6.9 Clustering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .361
15.6.10 LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .362
15.6.11 SP Brokering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .363
15.7 Enabling Identity Server Audit Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .363
15.8 Monitoring Identity Server Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .365
15.9 Viewing the Command Status of the Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .365
15.9.1 Viewing the Status of Current Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .366
15.9.2 Viewing Detailed Command Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .366
15.10 Tuning the Identity Server for Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
15.10.1 Basic Tuning Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
15.10.2 Disabling User Profile Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .368
15.10.3 Configuring a Specific IP Address for Proxied Requests. . . . . . . . . . . . . . . . . . . . . . . . . .369
15.10.4 Configuring Java Memory Allocations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .371
Contents 9
16 Troubleshooting the Identity Server and Authentication 373
16.1 Useful Networking Tools for the Linux Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .373
16.2 Troubleshooting 100101043 and 100101044 Liberty Metadata Load Errors. . . . . . . . . . . . . . . . . . 374
16.2.1 The Metadata. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .374
16.2.2 DNS Name Resolution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .375
16.2.3 Certificate Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
16.2.4 Certificates in the Required Trust Stores. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .377
16.2.5 Enabling Debug Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .378
16.2.6 Testing Whether the Provider Can Access the Metadata . . . . . . . . . . . . . . . . . . . . . . . . .380
16.2.7 Manually Creating Any Auto-Generated Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . .381
16.3 Authentication Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381
16.3.1 Authentication Classes and Duplicate Common Names. . . . . . . . . . . . . . . . . . . . . . . . . .381
16.3.2 General Authentication Troubleshooting Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381
16.3.3 Slow Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382
16.3.4 Federation Errors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382
16.3.5 Mutual Authentication Troubleshooting Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
16.3.6 Browser Hangs in an Authentication Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
16.3.7 Duplicate Set-Cookie Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .383
16.4 Problems Reading Keystores After Identity Server Re-installation . . . . . . . . . . . . . . . . . . . . . . . . . 384
16.5 After Setting Up the User Store to Use SecretStore, Users Report 500 Errors . . . . . . . . . . . . . . . .384
16.6 When Multiple Browser Logout Option Is Enabled User Is Not Getting Logged Out From
Different Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .384
16.7 302 Redirect to RelayState URL After Receiving a SAML Response Is Being Sent to an
Incorrect URL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .384
16.8 Enabling Secure or HTTPOnly Flags for Cluster Cookies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .385
A About Liberty 387
B Understanding How Access Manager Uses SAML 389
B.1 Attribute Mapping with Liberty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .389
B.2 Trusted Provider Reference Metadata. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390
B.3 Identity Federation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390
B.4 Authorization Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390
B.5 What's New in SAML 2.0? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390
B.6 Identity Provider Process Flow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391
B.7 SAML Service Provider Process Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .393
C Data Model Extension XML 395
C.1 Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .395
C.2 Writing Data Model Extension XML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .398
10 Novell Access Manager 3.1 SP5 Identity Server Guide
About This Guide 11
About This Guide
Thisguidedescribesthefollow ingfeaturesoftheIdentityServer:
Chapter 1,“ConfiguringanIdentityServer,”onpage 13
Chapter 2,“CustomizingLoginPages,LogoutPages,andMessages,”onpage 57
Chapter 3,“ConfiguringLocalAuthentication,”onpage 99
Chapter 4,“ConfiguringAdvancedLocalAuthenticationProcedures,”onpage 135
Chapter 5,“ConfiguringforKerberosAuthentication,”onpage 159
Chapter 6,“DefiningShared
Settings,”onpage 173
Chapter 7,“ConfiguringSAMLandLibertyTrustedProviders,”onpage 183
Chapter 8,“ConfiguringCardSpace,”onpage 223
Chapter 9,“ConfiguringSTS,”onpage 251
Chapter 10,“ConfiguringWSFederation,”onpage 253
Chapter 11,“SPBrokering,”onpage 279
Chapter 12,“ConfiguringUserIdentificationMethodsforFederation,”onpage 295
Chapter 13,“ConfiguringCommunicationProfiles,”onpage 309
Chapter 14,“Configuring
LibertyWebServices,”onpage 313
Chapter 15,“MaintaininganIdentityServer,”onpage 339
Chapter 16,“TroubleshootingtheIdentityServerandAuthentication,”onpage 373
Appendix A,“A b o u t Liberty,”onpage 387
Appendix B,“UnderstandingHowAccessManagerUsesSAML,”onpage 389
Appendix C,“DataModelExtensionXML,”onpage 395
Thisguideisintendedtohelpyouunderstandand
configureallofthefeaturesprovidedbythe
IdentityServer.
Itisrecommendedthatyoufirstbecomefamiliarwiththeinform ationintheNetIQAccessManager
3.1SP5SetupGuide,whichhelpsyouunderstandhowtoperformabasicIdentityServer
configuration,setuparesourceprotectedbyanAccess
Gateway,andconfigureSSL.
Thesetupguideandthisguidearedesignedtoworktogether,andimportantinformationandsetup
stepsarenotalwaysrepeatedinboth places.
Audience
ThisguideisintendedforAccessManageradministrators.Itisassumedthatyouhaveknowledgeof
evolvingInternetprotocols,suchas:
ExtensibleMarkupLanguage(XML)
SimpleObjectAccessProtocol(SOAP)
SecurityAssertionMarkupLanguage(SAML)
PublicKeyInfrastructure(PKI)digitalsignatureconceptsandInternetsecurity
12 Novell Access Manager 3.1 SP5 Identity Server Guide
SecureSocketLayer/TransportLayerSecurity(SSL/TLS)
HypertextTransferProtocol(HTTPandHTTPS)
UniformResourceIdentifiers(URIs)
DomainNameSystem(DNS)
WebServicesDescriptionLanguage(WSDL)
Feedback
Wewanttohearyourcommentsandsuggestionsaboutthisguideandtheotherdocumentation
includedwiththisproduct.PleaseusetheUserCommentsfeatureatthebottomofeachpageofthe
onlinedocumentation,orgotoDocumentationFeedback(http://www.novell.com/documentation/
feedback.html)atwww.novell.com/documentation/feedback.htmlandenteryourcommentsthere.
Documentation Updates
ForthemostrecentversionoftheAccessManagerIdentityServerGuide,visittheNovellAccess
ManagerDocumentationWebsite(http://www.novell.com/documentation/novellaccessmanager31/).
Additional Documentation
Beforeproceeding,youshouldbefamiliarwiththeNovellAccessManager3.1SP4Installati onGuide
andtheNetIQAccessManager3.1SP5SetupGuide,whichprovideinformationaboutinstallingand
settinguptheAccessManagersystem.
IfyouareunfamiliarwithSAML1.1,see“SAMLOverview”(http://www.novell.com/
documentation/saml/saml/data/ag8qdk7.html)ontheDocumentation
Website(http://
www.novell.com/documentation/az.html).
ForconceptualinformationaboutLiberty,andtolearnaboutwhatisnewforSAML2.0,see
Appendix A,“A b o u t Liberty,”onpage 387andAppendix B,“UnderstandingHowAccessManager
UsesSAML,”onpage 389.
ForinformationabouttheotherAccessManagerdevicesandfeatures,seethefollowing:
NetIQAccess
Manager3.1SP5AdministrationConsoleGuide
NetIQAccessManager3.1SP5AccessGatewayGuide
NetIQAccessManager3.1SP5PolicyGuide
NetIQAccessManager3.1SP5J2EEAgentGuide
NetIQAccessManager3.1SP5SSLVPNServerGuide
NetIQAccessManager3.1SP5EventCodes
1
Configuring an Identity Server 13
1
Configuring an Identity Server
AfteryoulogintotheAdministrationConsole,clickDevices>IdentityServers.Thesystemdisplays
theIdentityServersthatcanbemanagedfromthisAdministrationConsole.
AnewlyinstalledIdentityServerisinanunconfiguredstateandishalted.Itremainsinthisstateand
cannotfunctionuntilyou
createaclusterconfigurationandassigntheIdentityServertothenew
configuration.TheclusterconfigurationdefineshowtheIdentityServerfunctionsinanAccess
Managerconfiguration.Youcanassignmultipleserverstousethesameconfiguration,whichenables
failoverandloadbalancingservices.
Section 1.1,“ManagingaClusterConfiguration,”on
page 13
Section 1.2,“EnablingRoleBasedAccessControl,”onpage 25
Section 1.3,“ConfiguringSecureCommunicationontheIdentityServer,”onpage 25
Section 1.4,“SecurityConsiderations,”onpage 30
Section 1.5,“TranslatingtheIdentityServerConfigurationPort,”onpage 33
Section 1.6,“UsingnetHSMfortheSigningKeyPair ,onpage 38
Forinformationonconfiguringlocalauthenticationoptions,see
thefollowing:
Chapter 3,“ConfiguringLocalAuthentication,”onpage 99
Chapter 4,“ConfiguringAdvancedLocalAuthenticationProcedures,”onpage 135
Chapter 6,“DefiningSharedSettings,”onpage 173
Chapter 14,“ConfiguringLibertyWebServices,”onpage 313
1.1 Managing a Cluster Configuration
AfteryouinstallanIdentityServer,youmustcreateaclusterconfigurationinordertoconfigurethe
IdentityServer.EvenifyouhaveonlyoneIdentityServer,youmustassignittoacluster
configurationtoconfigureit.IfyouhavemultipleIdentityServers,youcancreatemultiple
configurationsandassign
differentIdentityServerstothemasshowninFigure11.
14 Novell Access Manager 3.1 SP5 Identity Server Guide
Figure 1-1 IdentityServerConfigurations
WhenyouassignmultipleIdentityServerstothesameconfiguration,youneedtoinstallaload
balancerthatsupportseitherLayer4orLayer7.Thisde viceisreferredtoasanL4switchinthis
manual.TheL4switchallowstheworkloadtobebalancedamongthemachines.
Whether
youhaveonemachineormultip lemachinesinacluster,theAccessManager software
configurationprocessisthesame.Thissectiondescribesthefollowingclustermanagementtasks:
Section 1.1.1,“CreatingaClusterConfiguration,”onpage 14
Section 1.1.2,AssigninganIdentityServertoaClusterConfiguration,”onpage 19
Section 1.1.3,“ConfiguringaClusterwith
MultipleIdentityServers,”onpage 19
Section 1.1.4,“ConfiguringSessionFailover,”onpage 20
Section 1.1.5,“EditingClusterDetails,”onpage 21
Section 1.1.6,“RemovingaServerfromaClusterConfiguration,”onpage 23
Section 1.1.7,“EnablingandDisablingProtocols,”onpage 23
Section 1.1.8,“ModifyingtheBaseURL,”onpage 24
1.1.1 Creating a Cluster Configuration
ThissectiondiscussesallthesettingsavailablewhencreatinganIdentityServerconfiguration.Ifyou
wantadescriptionofjusttheoptionsrequiredtogetafunctionalconfiguration,seeCreatingaBasic
IdentityServerConfigurationintheNetIQAccessManager3.1SP5SetupGuide.
AnIdentityServeralwaysoperates
asanidentityproviderandcanoptionallybeconfiguredtorunas
anidentityconsumer(alsoknownasaserviceprovider),usingLiberty,SAML1.1,SAML2.0,
CardSpaceorWSFederationprotocols.Thesetopicsarenotdescribedinthissection.
InanIdentityServerconfiguration,youspecifythefollowinginformation:
The
DNSnamefortheIdentityServerorclusteredserversite.
CertificatesfortheIdentityServer.
Organizationalandcontactinformationfortheserver,whichispublishedinthemetadataofthe
LibertyandSAMLprotocols.
TheLDAPdirectories(userstores)usedtoauthenticateusers,andthetrustedrootforsecure
communicationbetween
theIdentityServerandtheuserstore.
Identity Server 1
Configuration A
Identity Server 2
Configuration A Configuration B
Identity Server 1
Identity Server 2
Configuring an Identity Server 15
TocreateanIdentityServerconfiguration:
1 IntheAdministrationConsole,clickDevices>IdentityServers.
2 SelecttheIdentityServerscheckbox,thenclickNewCluster.
Selectingtheserverisonewaytoassignittotheclusterconfiguration.
3 IntheNewClusterdialogbox,specifyanameforthe clusterconfiguration.
Ifyoudidnotselecttheserverinthepreviousstep,youcannowselecttheserverorserversthat
youwanttoassigntothisconfiguration.
Formoreinformationaboutassigningserverstoaconfiguration,seeSection 1.1.2,
Assigningan
IdentityServertoaClusterConfiguration,”onpage 19.
4 ClickOK.
5 FillinthefollowingfieldstospecifytheBaseURLforyourIdentity Serverconfiguration:
Name:Specifyanamebywhichyouwanttorefertotheconfiguration.Thisfieldispopulated
withthenameyouprovidedintheNewClusterdialogbox.Youcanchangethisnamehere,if
necessary.
16 Novell Access Manager 3.1 SP5 Identity Server Guide
IMPORTANT:CarefullydetermineyoursettingsforthebaseURL,protocol,anddomain.After
youhaveconfiguredtrustrelationshipsbetweenproviders,changingthesesettingsinvalidates
thetrustmodelandrequiresareimport oftheprovidersmetadata.
ModifyingthebaseURLalsoinvalidatesthetrustbetweentheEmbeddedServiceProviderof
Access
Managerdevices.ToreestablishthetrustaftermodifyingthebaseURL,youmustrestart
theEmbeddedServiceProvideroneachdevice.
BaseURL:SpecifytheapplicationpathfortheIdentityServer.TheIdentityServerprotocolsrely
onthisbaseURLtogenerateURLendpointsforeachprotocol.
Protocol:Selectthecommunicationprotocol.SpecifyHTTPSinordertorunsecurely(in
SSLmode)andforprovisioning.
UseHTTPonlyifyoudonotrequiresecurityorhave
installedanSSLterminatorinfrontoftheIdentityServer.
Domain:SpecifytheDNSnameassignedtotheIdentityServer.WhenyouareusinganL4
switch,thisDNSnameshouldresolvetothevirtualIPaddresssetup
ontheL4switchfor
theIdentityServers.UsinganIPaddressisnotrecommended.
Port:Specifytheportvaluefortheprotocol.Defaultportsare8080forHTTPor8443for
HTTPS.Ifyouwanttouseport80or443,specifytheporthere.
Ifyouareconfiguring
aLinuxIdentityServer,youmustalsoconfiguretheoperating
systemtotranslatetheport.SeeSection 1.5,“TranslatingtheIdentityServer
ConfigurationPort,”onpage 33.
IfyouareconfiguringaWindowsIdentityServer,youmustalsomodifytheTomcat
server.xml
filelocatedinthe
\Program Files\Novell\Tomcat\conf
directoryfor
WindowsServer2003orthe
\Program Files (x86)\Novell\Tomcat\conf
directory
forWindowsServer2008.Changetheportsfrom8080and8443to80and443,then
restarttheTomcatservice.
Application:SpecifytheIdentityServerapplication.Leavethedefaultvaluenidp.
SSLCertificate:DisplaysthecurrentlyassignedSSLcertificate.
TheIdentityServercomeswitha
test-connector
certificatethatyoumustreplacetouseSSLin
yourproductionenvironment.Youcanreplacethetestcertificatenoworafteryouconfigurethe
IdentityServer.Ifyoucreatethecertificateandreplacethe
test-connector
certificatenow,you
cansavesometimebyrestartingTomcatonlyonce.Tomcatmustberestartedwheneveryou
assignanIdentityServertoaconfigurationandwheneveryouupdateacertificatekeystore.See
Section 1.3.3,“ManagingtheKeys,Certificates,andTrustStores,”onpage 27.
Forinformationonhowtoreplace
the
test-connector
certificate,seeEnablingSSL
CommunicationintheNetIQAccessManager3.1SP5SetupGuide.
6 Toconfiguresessionlimits,fillinthefollowingfields:
LDAPAccess:SpecifythemaximumnumberofLDAPconnectionstheIdentityServercan
createtoaccesstheconfigurationstore.Youcanadjustthisamountforsystemperformance.
DefaultTimeout:Specifythesessiontimeoutyouwantassignedasa defaultvaluewhenyou
createacontract.ThisvalueisalsoassignedtoasessionwhentheIdentityServercannot
associateacontractwiththeauthenticatedsession.Duringfederation,iftheauthentication
requestusesatyperatherthanacontract,theIdentityServercannotalwaysassociateacontract
withtherequest.
ThetraditionalSSLVPN
serverusestheAnyContractoptionforauthentication.Theuseris
assignedthetimeoutvalueofthecontractusedforauthentication,andnotthisdefaulttimeout
value.
IfyouwanttoknowwhattimeoutvaluetheSSLVPNuserisassigned,youneedtosel e cta
contractwiththeappropriate
timeoutvalue.ClickDevices>AccessGateways>[NameofReverse
Proxy]>[NameofProxyService]>SSLVPN_Default.TheSSLVPN_Defau ltnameisthedefault
Configuring an Identity Server 17
namefortheSSLVPNprotectedresource.If youhavemodifiedthisname,selectthatprotected
resource.IntheAuthenticationProcedureoption,selectaname/passwordcontractwiththe
appropriatetimeoutvalue.
LimitUserSessions:Specifywhetherusersessionsarelimited.Ifselected,youcanspecifythe
maximumnumberofconcurrentsessions
auserisallowedtoauthenticate.
Ifyoudecidetolimitusersessions,youshouldalsogivecloseconsiderationtothesession
timeoutvalue(thedefaultis60minutes).Iftheuserclosesthebrowserwithoutloggingout(or
anerrorcausesthebrowsertoclose),thesessionisnotcleared
untilthesessiontimeoutexpires.
Iftheusersessionlimitisreachedandthosesessionshavenotbeenclearedwithalogout,the
usercannotloginagainuntilthesessiontimeoutexpiresforoneofthesessions.
Whenenabled,thisoptionaffectsperformanceinaclusterwithmultipleIdentityServers.
When
auserislimitedtoaspecificnumberofsessions,theIdenti tyServersmustcheckwiththeother
serversbeforeestablishinganewsession.
Allowmultiplebrowsersessionlogout:Specifywhetherauserwithmorethanonesessionto
theserverispresentedwithanoptiontologoutof
allsessions.Ifyoudonotselectthisoption,
onlythecurrentsessioncanbeloggedout.Deselectthisoptionininstanceswheremultiple
usersloginasguests.Then,whenoneuserlogsout,noneoftheotherguestsareloggedout.
Whenyouenablethisoption,youmustalso
restartanyEmbeddedServiceProvidersthatuse
thisIdentityServerconfiguration.
7 ToconfigureTCPtimeouts,fillinthefollowingfields:
LDAP:SpecifyhowlonganLDAPrequesttotheuserstorecantakebeforetimingout.
Proxy:Specifyhowlongarequesttoanotherclustermembercantakebeforetimingout.Whena
memberofaclusterreceivesarequestfromauser
whohasauthenticatedwithanothercluster
member,themembersendsarequesttotheauthenticatingmemberforinformationaboutthe
user.
Request:SpecifyhowlonganHTTPrequesttoanotherdevicecantakebeforetimingout.
8 Tocontrolwhichprotocolscanbeusedforauthentication,selectoneormoreofthefollowing
protocols.
IMPORTANT:Enableonlytheprotocolsthatyouareusing.
IfyouareusingotherAccessManagerdevicessuchastheAccessGateway,SSLVPN,orthe
J2EEAgents,youneedtoenabletheLibertyprotocol.TheAccessManagerdevicesusean
EmbeddedServiceProvider.IfyoudisabletheLibertyprotocol,you
disablethetrusted
relationshipsthesedeviceshavewiththeIdentityServer,andauthenticationfails.
Liberty:UsesastructuredversionofSAMLtoexchangeauthenticationandauthorizat ion data
betweentrustedidentityprovidersandserviceprovidersandprovidestheframeworkforuser
federation.
SAML1.1:UsesXMLforexchangingauthenticationandauthorizationdatabetweentrusted
identityproviders
andserviceproviders.
SAML2.0:UsesXMLforexchangingencryptedauthenticationandauthorizationdatabetween
trustedidentityprovidersandserviceprovidersandprovidestheframeworkforuser
federation.
STS:Asecuritytokenservicethatcreatesdigitalidentitiesfromclaims,whichcanthenbeused
asacardoratokenfor
authentication.
CardSpace:UsesMicrosoftclientsoftwarethatstoresausersinformationinadigitalidentityor
informationcard,whichcanthenbepresentedandusedasauthenticationcredentials.
WSFederation:Allowsdisparatesecuritymechanismstoexchangeinformationabout
identities,attributes,andauthentication.
18 Novell Access Manager 3.1 SP5 Identity Server Guide
9 TocontinuecreatingtheIdentityServerconfiguration,clickNext.
ThesystemdisplaystheOrganizationpage.
Usethispagetospecifyorganizationinformationfor theIdentityServerconfiguration.The
informationyouspecifyonthispageispublishedinthemetada tafortheLiberty1.2andSAML
protocols.Themetadataistradedwith
federationpartnersandsuppliesvariousinformation
regardingcontactandorganizationinformationlocatedattheIdentityServer.
Thefollowingfieldsrequireinformation:
Name:Thenameoftheorganization.
DisplayName:Thedisplaynamefortheorganization.
URL:Theorganization’sURLforcontactpurposes.
OptionalfieldsincludeCompany,FirstName,LastName,Email,Telephone,
andContactType.
10 ClickNexttoconfiguretheuserstore.
Youmust referenceyourownuserstoreandautoimporttheSSLcertificate.SeeSection 3.1,
“ConfiguringIdentityUserStores,”onpage 100forinformationaboutthisprocedure.
11 Afteryouconfiguretheuserstore,thesystemdisplaysthenewconfigurationontheServers
page.
ThestatusiconsfortheconfigurationandtheIdentityServershouldturngreen.Itmighttakeseveral
secondsfortheIdentityServertostartandforthesystemtodisplayagreenicon.Ifit
doesnot,itis
likelythattheIdentityServerisnotcommunicatingwiththeuserstoreyousetup.Ensurethatyou
haveenteredtheuserstoreinformationcorrectly,andthatyouimportedtheSSLcertificatetothe
userstore.(Edit>Local>[UserStoreName].)
Configuring an Identity Server 19
1.1.2 Assigning an Identity Server to a Cluster Configuration
Afteryoucreateaconfiguration,youmustassignanIdentityServertoit.Forclustering,youcan
assignmorethanoneIdentityServertotheconfiguration(seeSection 1.1.3,“ConfiguringaCluster
withMultipleIdentityServers,”onpage 19forthestepstosetupacluster).Aconfigurationusesany
sharedsettings
youhavespeci fied , suchasattributesets,usermatchingexpressions,andcustom
attributesthataredefinedfortheserver.
1 IntheAdministrationConsole,clickDevices>IdentityServers.
2 OntheServerspage,selecttheserverscheckbox.
Youcan selectalldisplayedserversbyselectingthetoplevelServercheckbox.
3 ClickActions>AssigntoCluster.
4 Selecttheconfiguration’scheckbox,thenclickAssign.
YouarepromptedtorestartTomcat.ThestatusiconfortheIdentityServershouldturngreen.It
mighttakeseveralsecondsfortheIdentityServertostartandforthesystemtodisplaythegreen
icon.
1.1.3 Configuring a Cluster with Multiple Identity Servers
Toaddcapacityandtoenablesystemfailover,youcanclusteragroupofIdentityServersand
configuretheminaclusterconfigurationtoactasasingleserver.Youcanalsoconfiguretheclusterto
supportsessionfailover,sothatusersdon’thavetoreauthenticatewhenanIdentityServergoes
down.
AclusterofIdentityServersshouldresidebehindanL4switch.ClientsaccessthevirtualIP(VIP)
addressoftheclusterpresentedontheL4switch,andtheL4switchalleviatesserverloadby
balancingtrafficacrossthecluster.WheneverauseraccessesthevirtualIPaddressassignedto
theL4
switch,thesystemroutestheusertooneoftheIdentityServersinthecluster,astrafficnecessitates.
Tosetupacluster,completethefollowingtasks:
InstallanL4switch.Youcan usethesameswitchforIdentityServerclusteringandAccess
Gatewayclustering,providedthatyouusedifferentvirtualIPs.TheLBalgorithmcanbe
anything(hash/stickybit),definedattheRealserverlevel.Forconfigurationtips,see
ConfigurationTipsfortheL4Switch
intheNetIQAccessManager3.1SP5SetupGuide.
Enablepersistence(sticky)sessionsontheL4switch.Normallyyoudefinethisatthevirtual
serverlevel.
CreateanIdentityServerconfigurationforthecluster.YouassignalltheIdentityServerstothis
configuration.
SeeSection 1.1.1,“CreatingaClusterConfiguration,”onpage 14forinformationabout
creatinganIdentityServerconfiguration.
SeeSection 1.1.2,AssigninganIdentityServertoaClusterConfiguration,”onpage 19for
informationaboutassigningidentity
serverstoconfigurations.
EnsurethattheDNSnameofthebaseURLfortheclusterconfigurationresolvesviaDNStothe
IPaddressoftheL4virtualIPaddress.TheL4switchbalancestheloadbetweentheIdentity
Serversinthecluster.
EnsurethattheL4administrationserverusingport8080hasthefollowingTCPportsopen:
8443(secureAdministrationConsole)
7801+1(forbackchannelcommunicationwithclustermembers).Youneedtoopentwo
consecutiveports,suchas7801and7802.
20 Novell Access Manager 3.1 SP5 Identity Server Guide
636(forsecureLDAP)
389(forclearLDAP)
524(networkcontrolprotocolontheL4switchforservercommunication)
Theidentityproviderportsmustalsobeopen:
8080(nonsecurelogin)
8443(securelogin)
1443(servercommunication)
Ifyouareusingintroductions(seeSection 7.2,“ConfiguringGeneralProviderOptions,”on
page 18 6),youmustconfiguretheL4switchtoloa dbalance onports8445(identityprovider)
and8446(identityconsumer).
Toenablesessionfailoversousersdon’thavetoreauthenticatewhenanIdentityServergoes
down,seeSection 1.1.4,“ConfiguringSessionFailover,”onpage 20.
Tomodifythenameoftheclusteroreditcommunicationdetails,seeSection 1.1.5,“Editing
ClusterDetails,”onpage 21.
1.1.4 Configuring Session Failover
WhenyousetupanIdentityServerclusterandaddmorethanoneIdentityServertothecluster,you
havesetupfaulttolerance.ThisensuresthatifoneoftheIdentityServersgoesdown,usersstillhave
accesstoyoursitebecausetheremainingIdentityServercanbeusedfor
authentication.However,it
doesn’tprovidesessionfailover.Ifauserhasau thenticatedtothefailedIdentityServer,thatuseris
promptedtoauthenticateandthesessioninformationislost.
WhenyouenablesessionfailoverandanIdentityServergoesdown,theuserssessioninformationis
preserved.Anotherpeerserverin
theclusterrecreatestheauthoritativesessioninformationinthe
background.Theuserisnotrequiredtologinagainandexperiencesnointerruptionofservices.
“Prerequisites”onpage 20
“ConfiguringSessionFailoveronpage 21
“HowFailoverPeersAreSelected”onpage 21
Prerequisites
AnIdentityServerclusterwithtwoormoreIdentityServers.
SufficientmemoryontheIdentityServerstostoreadditionalauthenticationinformation.When
anIdentityServerisselectedtobeafailoverpeer,theIdentityServerstoresabout1KBofsession
informationforeachuserauthenticatedontheothermachine.
Sufficientnetworkbandwidthfortheincreasedlogintraffic.TheIdentityServersendsthe
sessioninformationtoalltheIdentityServersthathavebeenselectedtobeitsfailoverpeers.
AlltrustedEmbeddedServicesProvidersneedtobeconfiguredtosendtheattributesusedin
FormFillandIdentityInjectionpolicies
atauthentication.Ifyouuseanyattributesotherthan
thestandardcredentialattributesinyourcontracts,youalsoneedtosendtheseattributes.To
configuretheattributestosend,clickDevices>IdentityServers>Edit>Liberty> [NameofService
Provider]>Attributes.
/