Novell Access Manager 3.1 SP4 User guide

www.novell.com/documentation

Identity Server Guide

Access Manager 3.1 SP5

January 2013

Legal Notices

Novell,Inc.,makesnorepresentationsorwarrantieswithrespecttothecontentsoruseofthisdocumentation,andspecifically

disclaimsanyexpressorimpliedwarrantiesofmerchantabilityorfitnessforanyparticularpurpose.Further,Novell,Inc.,

reservestherighttorevisethispublicationandtomakechangestoitscontent,at

anytime,withoutobligationtonotifyany

personorentityofsuchrevisionsorchanges.

Further,Novell,Inc.,makesnorepresentationsorwarrantieswithrespecttoanysoftware,andspecificallydisclaimsany

expressorimpliedwarrantiesofmerchantabilityorfitnessforanyparticularpurpose.Further,Novell,Inc.,reservestheright

to

makechangestoanyandallpartsofNovellsoftware,atanytime,withoutanyobligationtonotifyanypersonorentityof

suchchanges.

AnyproductsortechnicalinformationprovidedunderthisAgreementmaybesubjecttoU.S.exportcontrolsandthetrade

lawsofothercountries.Youagreeto

complywithallexportcontrolregulationsandtoobtainanyrequiredlicensesor

classificationtoexport,re‐exportorimportdeliverables.Youagreenottoexportorre‐exporttoentitiesonthecurrentU.S.

exportexclusionlistsortoanyembargoedorterroristcountriesasspecifiedintheU.S.

exportlaws.Youagreetonotuse

deliverablesforprohibitednuclear,missile,orchemicalbiologicalweaponryenduses.SeetheNovellInternationalTrade

ServicesWebpage(http://www.novell.com/info/exports/)formoreinformationonexportingNovellsoftware.Novellassumes

noresponsibilityforyourfailuretoobtainanynecessaryexportapprovals.

Copyright©2013Novell,

Inc.Allrightsreserved.Nopartofthispublicationmaybereproduced,photocopied,storedona 

retrievalsystem,ortransmittedwithouttheexpresswrittenconsentofthepublisher.

Novell, Inc.

1800 South Novell Place

Provo, UT 84606

U.S.A.

www.novell.com

OnlineDocumentation:ToaccessthelatestonlinedocumentationforthisandotherNovellproducts,seetheNovell

DocumentationWebpage(http://www.novell.com/documentation).

Novell Trademarks

ForNovelltrademarks,seetheNovellTrademarkandServiceMarklist(http://www.novell.com/company/legal/trademarks/

tmlist.html).

Third-Party Materials

Allthird‐partytrademarksarethepropertyoftheirrespectiveowners.

Contents 3

Contents

About This Guide 11

1 Configuring an Identity Server 13

1.1 Managing a Cluster Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

1.1.1 Creating a Cluster Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14

1.1.2 Assigning an Identity Server to a Cluster Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

1.1.3 Configuring a Cluster with Multiple Identity Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19

1.1.4 Configuring Session Failover. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20

1.1.5 Editing Cluster Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

1.1.6 Removing a Server from a Cluster Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

1.1.7 Enabling and Disabling Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23

1.1.8 Modifying the Base URL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24

1.2 Enabling Role-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25

1.3 Configuring Secure Communication on the Identity Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

1.3.1 Viewing the Services That Use the Signing Key Pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26

1.3.2 Viewing Services That Use the Encryption Key Pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27

1.3.3 Managing the Keys, Certificates, and Trust Stores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

1.4 Security Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30

1.4.1 Federation Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30

1.4.2 Authentication Contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

1.4.3 Forcing 128-Bit Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31

1.4.4 Securing the Identity Server Cookie . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32

1.4.5 Configuring the Encryption Method for the SAML Assertion . . . . . . . . . . . . . . . . . . . . . . . . 32

1.4.6 Configuring SAML 2.0 to Sign Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33

1.4.7 Blocking Access to Identity Server Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33

1.5 Translating the Identity Server Configuration Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33

1.5.1 Changing the Port on a Windows Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34

1.5.2 Changing the Port on a Linux Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34

1.6 Using netHSM for the Signing Key Pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38

1.6.1 Understanding How Access Manager Uses Signing and Interacts with the netHSM

Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39

1.6.2 Configuring the Identity Server for netHSM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

2 Customizing Login Pages, Logout Pages, and Messages 57

2.1 Customizing the Identity Server Login Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

2.1.1 Selecting the Login Page and Modifying It . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58

2.1.2 Configuring the Identity Server to Use Custom Login Pages . . . . . . . . . . . . . . . . . . . . . . . 69

2.1.3 Troubleshooting Tips for Custom Login Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75

2.2 Customizing the Identity Server Logout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76

2.2.1 Rebranding the Logout Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

2.2.2 Replacing the Logout Page with a Custom Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76

2.2.3 Configuring for Local Rather Than Global Logout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77

2.3 Customizing Identity Server Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

2.3.1 Customizing Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77

2.3.2 Customizing the Branding of the Error Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80

2.3.3 Customizing Tooltip Text for Authentication Contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . .81

2.4 Sample Custom Login Pages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82

2.4.1 Modified login.jsp File for Credential Prompts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

2.4.2 Custom nidp.jsp File with Custom Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

2.4.3 Custom 3.1 login.jsp File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91

4 Contents

2.4.4 Custom 3.0 login.jsp File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94

3 Configuring Local Authentication 99

3.1 Configuring Identity User Stores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100

3.1.1 Using More Than One LDAP User Store. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100

3.1.2 Configuring the User Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101

3.1.3 Configuring an Admin User for the User Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104

3.1.4 Configuring a User Store for Secrets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105

3.2 Creating Authentication Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113

3.2.1 Creating Basic or Form-Based Authentication Classes. . . . . . . . . . . . . . . . . . . . . . . . . . .115

3.2.2 Specifying Common Class Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .116

3.3 Configuring Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118

3.4 Configuring Authentication Contracts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120

3.4.1 Using a Password Expiration Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .124

3.4.2 Using Activity Realms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126

3.5 Specifying Authentication Defaults. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127

3.5.1 Specifying Authentication Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

3.5.2 Creating a Contract for a Specific Authentication Type. . . . . . . . . . . . . . . . . . . . . . . . . . .128

3.6 Managing Direct Access to the Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129

3.6.1 Logging In to the User Portal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129

3.6.2 Specifying a Target . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130

3.6.3 Blocking Access to the User Portal Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131

3.6.4 Blocking Access to the WSDL Services Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132

4 Configuring Advanced Local Authentication Procedures 135

4.1 Configuring for RADIUS Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135

4.2 Configuring Mutual SSL (X.509) Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137

4.2.1 Configuring Attribute Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139

4.2.2 Setting Up Mutual SSL Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .141

4.3 Creating an ORed Credential Class. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

4.4 Configuring for OpenID Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144

4.5 Configuring Password Retrieval. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145

4.6 Mapping Transient Identifier to Local User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

4.6.1 Creating a Method to Use the PasswordFetchClassEx . . . . . . . . . . . . . . . . . . . . . . . . . .148

4.6.2 Using the PasswordFetchClassEx Method for Mapping a Transient User to a Local

User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149

4.7 Configuring Access Manager for NESCM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .150

4.7.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151

4.7.2 Creating a User Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151

4.7.3 Creating a Contract for the Smart Card. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153

4.7.4 Assigning the NESCM Contract to a Protected Resource. . . . . . . . . . . . . . . . . . . . . . . . .156

4.7.5 Verifying the User’s Experience. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156

4.7.6 Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

5 Configuring for Kerberos Authentication 159

5.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

5.2 Configuring Active Directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161

5.2.1 Installing the spn and the ktpass Utilities for Windows Server 2003 . . . . . . . . . . . . . . . . . 161

5.2.2 Creating and Configuring the User Account for the Identity Server. . . . . . . . . . . . . . . . . .162

5.2.3 Configuring the Keytab File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162

5.2.4 Adding the Identity Server to the Forward Lookup Zone. . . . . . . . . . . . . . . . . . . . . . . . . .163

5.3 Configuring the Identity Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

5.3.1 Enabling Logging for Kerberos Transactions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164

5.3.2 Configuring the Identity Server for Active Directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164

Contents 5

5.3.3 Creating the Authentication Class, Method, and Contract. . . . . . . . . . . . . . . . . . . . . . . . .165

5.3.4 Creating the bcsLogin Configuration File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

5.3.5 Verifying the Kerberos Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

5.3.6 (Optional) Using the Name/Password Form Authentication . . . . . . . . . . . . . . . . . . . . . . . 169

5.3.7 (Optional) Configuring the Fall Back Authentication Class . . . . . . . . . . . . . . . . . . . . . . . .170

5.4 Configuring the Clients. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .171

5.5 Configuring the Access Gateway for Kerberos Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . .172

6 Defining Shared Settings 173

6.1 Configuring Attribute Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .173

6.2 Editing Attribute Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176

6.3 Configuring User Matching Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176

6.4 Adding Custom Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178

6.4.1 Creating Shared Secret Names. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178

6.4.2 Creating LDAP Attribute Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179

6.5 Adding Authentication Card Images. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180

6.6 Creating an Image Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181

7 Configuring SAML and Liberty Trusted Providers 183

7.1 Understanding the Trust Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

7.1.1 Identity Providers and Consumers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184

7.1.2 Embedded Service Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184

7.1.3 Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .185

7.2 Configuring General Provider Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

7.2.1 Configuring the General Identity Provider Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186

7.2.2 Configuring the General Identity Consumer Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . .187

7.2.3 Configuring the Introductions Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188

7.2.4 Configuring the Trust Levels Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

7.3 Managing Trusted Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189

7.3.1 Creating a Trusted Provider for Liberty or SAML 2.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . .190

7.3.2 Creating a Trusted Service Provider for SAML 1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192

7.3.3 Creating a Trusted Identity Provider for SAML 1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .193

7.4 Modifying a Trusted Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195

7.5 Configuring Communication Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

7.5.1 Configuring Communication Security for Liberty and SAML 1.1 . . . . . . . . . . . . . . . . . . . .196

7.5.2 Configuring Communication Security for a SAML 2.0 Identity Provider . . . . . . . . . . . . . .197

7.5.3 Configuring Communication Security for a SAML 2.0 Service Provider . . . . . . . . . . . . . .198

7.6 Selecting Attributes for a Trusted Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

7.6.1 Configuring the Attributes Obtained at Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . .199

7.6.2 Configuring the Attributes Sent with Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200

7.6.3 Sending Attributes to the Embedded Service Provider . . . . . . . . . . . . . . . . . . . . . . . . . . .201

7.7 Managing Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202

7.7.1 Viewing and Reimporting a Trusted Provider’s Metadata . . . . . . . . . . . . . . . . . . . . . . . . .202

7.7.2 Viewing Trusted Provider Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

7.7.3 Editing a SAML 1.1 Identity Provider’s Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

7.7.4 Editing a SAML 1.1 Service Provider’s Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204

7.8 Configuring an Authentication Request for an Identity Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

7.8.1 Configuring a Liberty Authentication Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206

7.8.2 Configuring a SAML 2.0 Authentication Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

7.9 Configuring an Authentication Response for a Service Provider . . . . . . . . . . . . . . . . . . . . . . . . . . .211

7.9.1 Configuring the Liberty Authentication Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211

7.9.2 Configuring the SAML 2.0 Authentication Response. . . . . . . . . . . . . . . . . . . . . . . . . . . . .212

7.9.3 Configuring the SAML 1.1 Authentication Response. . . . . . . . . . . . . . . . . . . . . . . . . . . . .214

7.10 Managing the Authentication Card of an Identity Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215

7.10.1 Modifying the Authentication Card for Liberty or SAML 2.0. . . . . . . . . . . . . . . . . . . . . . . .215

6 Contents

7.10.2 Modifying the Authentication Card for SAML 1.1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .216

7.11 Using the Intersite Transfer Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .216

7.11.1 Understanding the Intersite Transfer Service URL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .217

7.11.2 Specifying the Intersite Transfer Service URL for the Login URL Option . . . . . . . . . . . . .218

7.11.3 Using Intersite Transfer Service Links on Web Pages . . . . . . . . . . . . . . . . . . . . . . . . . . .219

7.11.4 Configuring an Intersite Transfer Service Target for a Service Provider . . . . . . . . . . . . . .221

7.11.5 Configuring Whitelist of Target URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .222

8 Configuring CardSpace 223

8.1 Overview of the CardSpace Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .223

8.2 Prerequisites for CardSpace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .225

8.2.1 Enabling High Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .226

8.2.2 Configuring the Client Machines for CardSpace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

8.3 CardSpace Configuration Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228

8.3.1 Authenticating with a Personal Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228

8.3.2 Authenticating with a Managed Card. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

8.3.3 Authenticating with a Managed Card Backed by a Personal Card . . . . . . . . . . . . . . . . . .235

8.4 Configuring the Identity Server as a Relying Party . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .236

8.4.1 Defining an Authentication Card and Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .236

8.4.2 Defining a Trusted Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238

8.4.3 Cleaning Up Identities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

8.4.4 Defederating after User Portal Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .239

8.5 Configuring the Identity Server as an Identity Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .240

8.5.1 Replacing the Signing Certificate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .240

8.5.2 Configuring STS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .240

8.5.3 Creating a Managed Card Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .241

8.6 Using CardSpace Cards for Authentication to Access Gateway Protected Resources. . . . . . . . . . 242

8.7 Managing CardSpace Trusted Providers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .242

8.7.1 CardSpace Identity Provider Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .243

8.7.2 Renaming the CardSpace Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .243

8.7.3 Updating the Metadata of the CardSpace Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .243

8.8 Managing Card Templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244

8.8.1 General Template Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244

8.8.2 Template Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

8.9 Configuring Authentication Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245

8.9.1 Configuring the General Details of a Card Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .246

8.9.2 Configuring Attribute Claims . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247

8.9.3 Configuring User Identification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247

8.10 Cleaning Up Identities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .248

9 Configuring STS 251

9.1 Configuring STS Attribute Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .251

9.2 Configuring Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .251

9.3 Configuring the Authentication Request. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252

10 Configuring WS Federation 253

10.1 Using the Identity Server as an Identity Provider for ADFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .253

10.1.1 Configuring the Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .254

10.1.2 Configuring the ADFS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259

10.1.3 Logging In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .261

10.1.4 Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .262

10.2 Using the ADFS Server as an Identity Provider for an Access Manager Protected Resource . . . . 264

10.2.1 Configuring the Identity Server as a Service Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . .264

10.2.2 Configuring the ADFS Server to Be an Identity Provider. . . . . . . . . . . . . . . . . . . . . . . . . .267

Contents 7

10.2.3 Logging In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .269

10.2.4 Additional WS Federation Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269

10.3 Managing WS Federation Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .269

10.3.1 Creating an Identity Provider for WS Federation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270

10.3.2 Creating a Service Provider for WS Federation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271

10.4 Modifying a WS Federation Identity Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .271

10.4.1 Renaming the Trusted Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .271

10.4.2 Configuring the Attributes Obtained at Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . .272

10.4.3 Modifying the User Identification Method. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272

10.4.4 Viewing the WS Identity Provider Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .273

10.4.5 Editing the WS Identity Provider Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274

10.4.6 Modifying the Authentication Card. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .274

10.4.7 Assertion Validity Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275

10.5 Modifying a WS Federation Service Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275

10.5.1 Renaming the Service Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276

10.5.2 Configuring the Attributes Sent with Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276

10.5.3 Modifying the Authentication Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276

10.5.4 Viewing the WS Service Provider Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277

10.5.5 Editing the WS Service Provider Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .278

11 SP Brokering 279

11.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .279

11.2 Configuring the SP Broker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281

11.3 Creating and Viewing Brokering Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284

11.3.1 Creating a Brokering Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .285

11.3.2 Configuring Trusted Identity Providers and Service Providers . . . . . . . . . . . . . . . . . . . . . 286

11.3.3 Creating and Viewing Brokering Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288

11.3.4 Constructing Brokering URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .290

11.3.5 Validating Brokering Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292

11.4 Generating the Brokering URLs by Using an ID and Target in the Intersite Transfer Service. . . . .294

12 Configuring User Identification Methods for Federation 295

12.1 Defining User Identification for Liberty and SAML 2.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .295

12.1.1 Selecting a User Identification Method for Liberty or SAML 2.0 . . . . . . . . . . . . . . . . . . . .295

12.1.2 Configuring the Attribute Matching Method for Liberty or SAML 2.0 . . . . . . . . . . . . . . . . .297

12.2 Defining User Identification for SAML 1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .298

12.2.1 Selecting a User Identification Method for SAML 1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . .299

12.2.2 Configuring the Attribute Matching Method for SAML 1.1 . . . . . . . . . . . . . . . . . . . . . . . . .300

12.3 Defining Options for Liberty or SAML 2.0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301

12.4 Defining Session Synchronization for the A-Select SAML 2.0 Identity Provider . . . . . . . . . . . . . . .301

12.5 Configuring the Liberty or SAML 2.0 Session Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302

12.5.1 Session Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303

12.6 Defining the User Provisioning Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303

12.7 User Provisioning Error Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .306

13 Configuring Communication Profiles 309

13.1 Configuring a Liberty Profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .309

13.2 Configuring a SAML 1.1 Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .310

13.3 Configuring a SAML 2.0 Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .310

14 Configuring Liberty Web Services 313

14.1 Configuring the Web Services Framework. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .314

14.2 Managing Web Services and Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .314

8 Contents

14.2.1 Modifying Service and Profile Details for Employee, Custom, and Personal Profiles . . . .315

14.2.2 Modifying Details for Authentication, Discovery, LDAP, and User Interaction Profiles . . .317

14.2.3 Editing Web Service Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .318

14.2.4 Editing Web Service Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .319

14.2.5 Create Web Service Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321

14.3 Configuring Credential Profile Security and Display Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .322

14.4 Customizing Attribute Names. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .324

14.5 Configuring the Web Service Consumer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325

14.6 Mapping LDAP and Liberty Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .326

14.6.1 Configuring One-to-One Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .327

14.6.2 Configuring Employee Type Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .330

14.6.3 Configuring Employee Status Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .331

14.6.4 Configuring Postal Address Attribute Maps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .333

14.6.5 Configuring Contact Method Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334

14.6.6 Configuring Gender Attribute Maps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336

14.6.7 Configuring Marital Status Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337

15 Maintaining an Identity Server 339

15.1 Managing an Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339

15.1.1 Updating an Identity Server Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .341

15.1.2 Restarting the Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .341

15.2 Editing Server Details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .342

15.3 Configuring Component Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .342

15.3.1 Enabling Component Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .342

15.3.2 Managing Log File Size. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .344

15.4 Configuring Session-Based Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .344

15.4.1 Creating the Administrator Class, Method, and Contract . . . . . . . . . . . . . . . . . . . . . . . . .345

15.4.2 Creating the Logging Session Class, Method, and Contract. . . . . . . . . . . . . . . . . . . . . . .346

15.4.3 Enabling Basic Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347

15.4.4 Responding to an Incident. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .348

15.5 Monitoring the Health of an Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .350

15.5.1 Health States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .351

15.5.2 Viewing the Health Details of an Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351

15.5.3 Viewing the Health Details of a Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .354

15.6 Monitoring Identity Server Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .355

15.6.1 Application. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .356

15.6.2 Authentications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .356

15.6.3 Incoming HTTP Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357

15.6.4 Outgoing HTTP Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .357

15.6.5 Liberty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .358

15.6.6 SAML 1.1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .358

15.6.7 SAML 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .359

15.6.8 WSF (Web Services Framework) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .359

15.6.9 Clustering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .361

15.6.10 LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .362

15.6.11 SP Brokering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .363

15.7 Enabling Identity Server Audit Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .363

15.8 Monitoring Identity Server Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .365

15.9 Viewing the Command Status of the Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .365

15.9.1 Viewing the Status of Current Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .366

15.9.2 Viewing Detailed Command Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .366

15.10 Tuning the Identity Server for Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367

15.10.1 Basic Tuning Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367

15.10.2 Disabling User Profile Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .368

15.10.3 Configuring a Specific IP Address for Proxied Requests. . . . . . . . . . . . . . . . . . . . . . . . . .369

15.10.4 Configuring Java Memory Allocations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .371

Contents 9

16 Troubleshooting the Identity Server and Authentication 373

16.1 Useful Networking Tools for the Linux Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .373

16.2 Troubleshooting 100101043 and 100101044 Liberty Metadata Load Errors. . . . . . . . . . . . . . . . . . 374

16.2.1 The Metadata. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .374

16.2.2 DNS Name Resolution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .375

16.2.3 Certificate Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376

16.2.4 Certificates in the Required Trust Stores. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .377

16.2.5 Enabling Debug Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .378

16.2.6 Testing Whether the Provider Can Access the Metadata . . . . . . . . . . . . . . . . . . . . . . . . .380

16.2.7 Manually Creating Any Auto-Generated Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . .381

16.3 Authentication Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381

16.3.1 Authentication Classes and Duplicate Common Names. . . . . . . . . . . . . . . . . . . . . . . . . .381

16.3.2 General Authentication Troubleshooting Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381

16.3.3 Slow Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382

16.3.4 Federation Errors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382

16.3.5 Mutual Authentication Troubleshooting Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382

16.3.6 Browser Hangs in an Authentication Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

16.3.7 Duplicate Set-Cookie Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .383

16.4 Problems Reading Keystores After Identity Server Re-installation . . . . . . . . . . . . . . . . . . . . . . . . . 384

16.5 After Setting Up the User Store to Use SecretStore, Users Report 500 Errors . . . . . . . . . . . . . . . .384

16.6 When Multiple Browser Logout Option Is Enabled User Is Not Getting Logged Out From

Different Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .384

16.7 302 Redirect to RelayState URL After Receiving a SAML Response Is Being Sent to an

Incorrect URL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .384

16.8 Enabling Secure or HTTPOnly Flags for Cluster Cookies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .385

A About Liberty 387

B Understanding How Access Manager Uses SAML 389

B.1 Attribute Mapping with Liberty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .389

B.2 Trusted Provider Reference Metadata. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390

B.3 Identity Federation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390

B.4 Authorization Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390

B.5 What's New in SAML 2.0? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390

B.6 Identity Provider Process Flow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391

B.7 SAML Service Provider Process Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .393

C Data Model Extension XML 395

C.1 Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .395

C.2 Writing Data Model Extension XML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .398

10 Novell Access Manager 3.1 SP5 Identity Server Guide

About This Guide 11

About This Guide

Thisguidedescribesthefollow ingfeaturesoftheIdentityServer:

 Chapter 1,“ConfiguringanIdentityServer,”onpage 13

 Chapter 2,“CustomizingLoginPages,LogoutPages,andMessages,”onpage 57

 Chapter 3,“ConfiguringLocalAuthentication,”onpage 99

 Chapter 4,“ConfiguringAdvancedLocalAuthenticationProcedures,”onpage 135

 Chapter 5,“ConfiguringforKerberosAuthentication,”onpage 159

 Chapter 6,“DefiningShared

Settings,”onpage 173

 Chapter 7,“ConfiguringSAMLandLibertyTrustedProviders,”onpage 183

 Chapter 8,“ConfiguringCardSpace,”onpage 223

 Chapter 9,“ConfiguringSTS,”onpage 251

 Chapter 10,“ConfiguringWSFederation,”onpage 253

 Chapter 11,“SPBrokering,”onpage 279

 Chapter 12,“ConfiguringUserIdentificationMethodsforFederation,”onpage 295

 Chapter 13,“ConfiguringCommunicationProfiles,”onpage 309

 Chapter 14,“Configuring

LibertyWebServices,”onpage 313

 Chapter 15,“MaintaininganIdentityServer,”onpage 339

 Chapter 16,“TroubleshootingtheIdentityServerandAuthentication,”onpage 373

 Appendix A,“A b o u t Liberty,”onpage 387

 Appendix B,“UnderstandingHowAccessManagerUsesSAML,”onpage 389

 Appendix C,“DataModelExtensionXML,”onpage 395

Thisguideisintendedtohelpyouunderstandand

configureallofthefeaturesprovidedbythe

IdentityServer.

Itisrecommendedthatyoufirstbecomefamiliarwiththeinform ationintheNetIQAccessManager

3.1SP5SetupGuide,whichhelpsyouunderstandhowtoperformabasicIdentityServer

configuration,setuparesourceprotectedbyanAccess

Gateway,andconfigureSSL.

Thesetupguideandthisguidearedesignedtoworktogether,andimportantinformationandsetup

stepsarenotalwaysrepeatedinboth places.

Audience

ThisguideisintendedforAccessManageradministrators.Itisassumedthatyouhaveknowledgeof

evolvingInternetprotocols,suchas:

 ExtensibleMarkupLanguage(XML)

 SimpleObjectAccessProtocol(SOAP)

 SecurityAssertionMarkupLanguage(SAML)

 PublicKeyInfrastructure(PKI)digitalsignatureconceptsandInternetsecurity

12 Novell Access Manager 3.1 SP5 Identity Server Guide

 SecureSocketLayer/TransportLayerSecurity(SSL/TLS)

 HypertextTransferProtocol(HTTPandHTTPS)

 UniformResourceIdentifiers(URIs)

 DomainNameSystem(DNS)

 WebServicesDescriptionLanguage(WSDL)

Feedback

Wewanttohearyourcommentsandsuggestionsaboutthisguideandtheotherdocumentation

includedwiththisproduct.PleaseusetheUserCommentsfeatureatthebottomofeachpageofthe

onlinedocumentation,orgotoDocumentationFeedback(http://www.novell.com/documentation/

feedback.html)atwww.novell.com/documentation/feedback.htmlandenteryourcommentsthere.

Documentation Updates

ForthemostrecentversionoftheAccessManagerIdentityServerGuide,visittheNovellAccess

ManagerDocumentationWebsite(http://www.novell.com/documentation/novellaccessmanager31/).

Additional Documentation

Beforeproceeding,youshouldbefamiliarwiththeNovellAccessManager3.1SP4Installati onGuide

andtheNetIQAccessManager3.1SP5SetupGuide,whichprovideinformationaboutinstallingand

settinguptheAccessManagersystem.

IfyouareunfamiliarwithSAML1.1,see“SAMLOverview”(http://www.novell.com/

documentation/saml/saml/data/ag8qdk7.html)ontheDocumentation

Website(http://

www.novell.com/documentation/a‐z.html).

ForconceptualinformationaboutLiberty,andtolearnaboutwhatisnewforSAML2.0,see

Appendix A,“A b o u t Liberty,”onpage 387andAppendix B,“UnderstandingHowAccessManager

UsesSAML,”onpage 389.

ForinformationabouttheotherAccessManagerdevicesandfeatures,seethefollowing:

 NetIQAccess

Manager3.1SP5AdministrationConsoleGuide

 NetIQAccessManager3.1SP5AccessGatewayGuide

 NetIQAccessManager3.1SP5PolicyGuide

 NetIQAccessManager3.1SP5J2EEAgentGuide

 NetIQAccessManager3.1SP5SSLVPNServerGuide

 NetIQAccessManager3.1SP5EventCodes

1

Configuring an Identity Server 13

1

Configuring an Identity Server

AfteryoulogintotheAdministrationConsole,clickDevices>IdentityServers.Thesystemdisplays

theIdentityServersthatcanbemanagedfromthisAdministrationConsole.

AnewlyinstalledIdentityServerisinanunconfiguredstateandishalted.Itremainsinthisstateand

cannotfunctionuntilyou

createaclusterconfigurationandassigntheIdentityServertothenew

configuration.TheclusterconfigurationdefineshowtheIdentityServerfunctionsinanAccess

Managerconfiguration.Youcanassignmultipleserverstousethesameconfiguration,whichenables

failoverandloadbalancingservices.

 Section 1.1,“ManagingaClusterConfiguration,”on

page 13

 Section 1.2,“EnablingRole‐BasedAccessControl,”onpage 25

 Section 1.3,“ConfiguringSecureCommunicationontheIdentityServer,”onpage 25

 Section 1.4,“SecurityConsiderations,”onpage 30

 Section 1.5,“TranslatingtheIdentityServerConfigurationPort,”onpage 33

 Section 1.6,“UsingnetHSMfortheSigningKeyPair ,”onpage 38

Forinformationonconfiguringlocalauthenticationoptions,see

thefollowing:

 Chapter 3,“ConfiguringLocalAuthentication,”onpage 99

 Chapter 4,“ConfiguringAdvancedLocalAuthenticationProcedures,”onpage 135

 Chapter 6,“DefiningSharedSettings,”onpage 173

 Chapter 14,“ConfiguringLibertyWebServices,”onpage 313

1.1 Managing a Cluster Configuration

AfteryouinstallanIdentityServer,youmustcreateaclusterconfigurationinordertoconfigurethe

IdentityServer.EvenifyouhaveonlyoneIdentityServer,youmustassignittoacluster

configurationtoconfigureit.IfyouhavemultipleIdentityServers,youcancreatemultiple

configurationsandassign

differentIdentityServerstothemasshowninFigure1‐1.

14 Novell Access Manager 3.1 SP5 Identity Server Guide

Figure 1-1 IdentityServerConfigurations

WhenyouassignmultipleIdentityServerstothesameconfiguration,youneedtoinstallaload

balancerthatsupportseitherLayer4orLayer7.Thisde viceisreferredtoasanL4switchinthis

manual.TheL4switchallowstheworkloadtobebalancedamongthemachines.

Whether

youhaveonemachineormultip lemachinesinacluster,theAccessManager software

configurationprocessisthesame.Thissectiondescribesthefollowingclustermanagementtasks:

 Section 1.1.1,“CreatingaClusterConfiguration,”onpage 14

 Section 1.1.2,“AssigninganIdentityServertoaClusterConfiguration,”onpage 19

 Section 1.1.3,“ConfiguringaClusterwith

MultipleIdentityServers,”onpage 19

 Section 1.1.4,“ConfiguringSessionFailover,”onpage 20

 Section 1.1.5,“EditingClusterDetails,”onpage 21

 Section 1.1.6,“RemovingaServerfromaClusterConfiguration,”onpage 23

 Section 1.1.7,“EnablingandDisablingProtocols,”onpage 23

 Section 1.1.8,“ModifyingtheBaseURL,”onpage 24

1.1.1 Creating a Cluster Configuration

ThissectiondiscussesallthesettingsavailablewhencreatinganIdentityServerconfiguration.Ifyou

wantadescriptionofjusttheoptionsrequiredtogetafunctionalconfiguration,see“CreatingaBasic

IdentityServerConfiguration”intheNetIQAccessManager3.1SP5SetupGuide.

AnIdentityServeralwaysoperates

asanidentityproviderandcanoptionallybeconfiguredtorunas

anidentityconsumer(alsoknownasaserviceprovider),usingLiberty,SAML1.1,SAML2.0,

CardSpaceorWSFederationprotocols.Thesetopicsarenotdescribedinthissection.

InanIdentityServerconfiguration,youspecifythefollowinginformation:

 The

DNSnamefortheIdentityServerorclusteredserversite.

 CertificatesfortheIdentityServer.

 Organizationalandcontactinformationfortheserver,whichispublishedinthemetadataofthe

LibertyandSAMLprotocols.

 TheLDAPdirectories(userstores)usedtoauthenticateusers,andthetrustedrootforsecure

communicationbetween

theIdentityServerandtheuserstore.

Identity Server 1

Configuration A

Identity Server 2

Configuration A Configuration B

Identity Server 1

Identity Server 2

Configuring an Identity Server 15

TocreateanIdentityServerconfiguration:

1 IntheAdministrationConsole,clickDevices>IdentityServers.

2 SelecttheIdentityServer’scheckbox,thenclickNewCluster.

Selectingtheserverisonewaytoassignittotheclusterconfiguration.

3 IntheNewClusterdialogbox,specifyanameforthe clusterconfiguration.

Ifyoudidnotselecttheserverinthepreviousstep,youcannowselecttheserverorserversthat

youwanttoassigntothisconfiguration.

Formoreinformationaboutassigningserverstoaconfiguration,seeSection 1.1.2,

“Assigningan

IdentityServertoaClusterConfiguration,”onpage 19.

4 ClickOK.

5 FillinthefollowingfieldstospecifytheBaseURLforyourIdentity Serverconfiguration:

Name:Specifyanamebywhichyouwanttorefertotheconfiguration.Thisfieldispopulated

withthenameyouprovidedintheNewClusterdialogbox.Youcanchangethisnamehere,if

necessary.

16 Novell Access Manager 3.1 SP5 Identity Server Guide

IMPORTANT:CarefullydetermineyoursettingsforthebaseURL,protocol,anddomain.After

youhaveconfiguredtrustrelationshipsbetweenproviders,changingthesesettingsinvalidates

thetrustmodelandrequiresareimport oftheprovider’smetadata.

ModifyingthebaseURLalsoinvalidatesthetrustbetweentheEmbeddedServiceProviderof

Access

Managerdevices.Tore‐establishthetrustaftermodifyingthebaseURL,youmustrestart

theEmbeddedServiceProvideroneachdevice.

BaseURL:SpecifytheapplicationpathfortheIdentityServer.TheIdentityServerprotocolsrely

onthisbaseURLtogenerateURLendpointsforeachprotocol.

 Protocol:Selectthecommunicationprotocol.SpecifyHTTPSinordertorunsecurely(in

SSLmode)andforprovisioning.

UseHTTPonlyifyoudonotrequiresecurityorhave

installedanSSLterminatorinfrontoftheIdentityServer.

 Domain:SpecifytheDNSnameassignedtotheIdentityServer.WhenyouareusinganL4

switch,thisDNSnameshouldresolvetothevirtualIPaddresssetup

ontheL4switchfor

theIdentityServers.UsinganIPaddressisnotrecommended.

 Port:Specifytheportvaluefortheprotocol.Defaultportsare8080forHTTPor8443for

HTTPS.Ifyouwanttouseport80or443,specifytheporthere.

 Ifyouareconfiguring

aLinuxIdentityServer,youmustalsoconfiguretheoperating

systemtotranslatetheport.SeeSection 1.5,“TranslatingtheIdentityServer

ConfigurationPort,”onpage 33.

 IfyouareconfiguringaWindowsIdentityServer,youmustalsomodifytheTomcat

server.xml

filelocatedinthe

\Program Files\Novell\Tomcat\conf

directoryfor

WindowsServer2003orthe

\Program Files (x86)\Novell\Tomcat\conf

directory

forWindowsServer2008.Changetheportsfrom8080and8443to80and443,then

restarttheTomcatservice.

 Application:SpecifytheIdentityServerapplication.Leavethedefaultvaluenidp.

SSLCertificate:DisplaysthecurrentlyassignedSSLcertificate.

TheIdentityServercomeswitha

test-connector

certificatethatyoumustreplacetouseSSLin

yourproductionenvironment.Youcanreplacethetestcertificatenoworafteryouconfigurethe

IdentityServer.Ifyoucreatethecertificateandreplacethe

test-connector

certificatenow,you

cansavesometimebyrestartingTomcatonlyonce.Tomcatmustberestartedwheneveryou

assignanIdentityServertoaconfigurationandwheneveryouupdateacertificatekeystore.See

Section 1.3.3,“ManagingtheKeys,Certificates,andTrustStores,”onpage 27.

Forinformationonhowtoreplace

the

test-connector

certificate,see“EnablingSSL

Communication”intheNetIQAccessManager3.1SP5SetupGuide.

6 Toconfiguresessionlimits,fillinthefollowingfields:

LDAPAccess:SpecifythemaximumnumberofLDAPconnectionstheIdentityServercan

createtoaccesstheconfigurationstore.Youcanadjustthisamountforsystemperformance.

DefaultTimeout:Specifythesessiontimeoutyouwantassignedasa defaultvaluewhenyou

createacontract.ThisvalueisalsoassignedtoasessionwhentheIdentityServercannot

associateacontractwiththeauthenticatedsession.Duringfederation,iftheauthentication

requestusesatyperatherthanacontract,theIdentityServercannotalwaysassociateacontract

withtherequest.

ThetraditionalSSLVPN

serverusestheAnyContractoptionforauthentication.Theuseris

assignedthetimeoutvalueofthecontractusedforauthentication,andnotthisdefaulttimeout

value.

IfyouwanttoknowwhattimeoutvaluetheSSLVPNuserisassigned,youneedtosel e cta

contractwiththeappropriate

timeoutvalue.ClickDevices>AccessGateways>[NameofReverse

Proxy]>[NameofProxyService]>SSLVPN_Default.TheSSLVPN_Defau ltnameisthedefault

Configuring an Identity Server 17

namefortheSSLVPNprotectedresource.If youhavemodifiedthisname,selectthatprotected

resource.IntheAuthenticationProcedureoption,selectaname/passwordcontractwiththe

appropriatetimeoutvalue.

LimitUserSessions:Specifywhetherusersessionsarelimited.Ifselected,youcanspecifythe

maximumnumberofconcurrentsessions

auserisallowedtoauthenticate.

Ifyoudecidetolimitusersessions,youshouldalsogivecloseconsiderationtothesession

timeoutvalue(thedefaultis60minutes).Iftheuserclosesthebrowserwithoutloggingout(or

anerrorcausesthebrowsertoclose),thesessionisnotcleared

untilthesessiontimeoutexpires.

Iftheusersessionlimitisreachedandthosesessionshavenotbeenclearedwithalogout,the

usercannotloginagainuntilthesessiontimeoutexpiresforoneofthesessions.

Whenenabled,thisoptionaffectsperformanceinaclusterwithmultipleIdentityServers.

When

auserislimitedtoaspecificnumberofsessions,theIdenti tyServersmustcheckwiththeother

serversbeforeestablishinganewsession.

Allowmultiplebrowsersessionlogout:Specifywhetherauserwithmorethanonesessionto

theserverispresentedwithanoptiontologoutof

allsessions.Ifyoudonotselectthisoption,

onlythecurrentsessioncanbeloggedout.Deselectthisoptionininstanceswheremultiple

usersloginasguests.Then,whenoneuserlogsout,noneoftheotherguestsareloggedout.

Whenyouenablethisoption,youmustalso

restartanyEmbeddedServiceProvidersthatuse

thisIdentityServerconfiguration.

7 ToconfigureTCPtimeouts,fillinthefollowingfields:

LDAP:SpecifyhowlonganLDAPrequesttotheuserstorecantakebeforetimingout.

Proxy:Specifyhowlongarequesttoanotherclustermembercantakebeforetimingout.Whena

memberofaclusterreceivesarequestfromauser

whohasauthenticatedwithanothercluster

member,themembersendsarequesttotheauthenticatingmemberforinformationaboutthe

user.

Request:SpecifyhowlonganHTTPrequesttoanotherdevicecantakebeforetimingout.

8 Tocontrolwhichprotocolscanbeusedforauthentication,selectoneormoreofthefollowing

protocols.

IMPORTANT:Enableonlytheprotocolsthatyouareusing.

IfyouareusingotherAccessManagerdevicessuchastheAccessGateway,SSLVPN,orthe

J2EEAgents,youneedtoenabletheLibertyprotocol.TheAccessManagerdevicesusean

EmbeddedServiceProvider.IfyoudisabletheLibertyprotocol,you

disablethetrusted

relationshipsthesedeviceshavewiththeIdentityServer,andauthenticationfails.

Liberty:UsesastructuredversionofSAMLtoexchangeauthenticationandauthorizat ion data

betweentrustedidentityprovidersandserviceprovidersandprovidestheframeworkforuser

federation.

SAML1.1:UsesXMLforexchangingauthenticationandauthorizationdatabetweentrusted

identityproviders

andserviceproviders.

SAML2.0:UsesXMLforexchangingencryptedauthenticationandauthorizationdatabetween

trustedidentityprovidersandserviceprovidersandprovidestheframeworkforuser

federation.

STS:Asecuritytokenservicethatcreatesdigitalidentitiesfromclaims,whichcanthenbeused

asacardoratokenfor

authentication.

CardSpace:UsesMicrosoftclientsoftwarethatstoresauser’sinformationinadigitalidentityor

informationcard,whichcanthenbepresentedandusedasauthenticationcredentials.

WSFederation:Allowsdisparatesecuritymechanismstoexchangeinformationabout

identities,attributes,andauthentication.

18 Novell Access Manager 3.1 SP5 Identity Server Guide

9 TocontinuecreatingtheIdentityServerconfiguration,clickNext.

ThesystemdisplaystheOrganizationpage.

Usethispagetospecifyorganizationinformationfor theIdentityServerconfiguration.The

informationyouspecifyonthispageispublishedinthemetada tafortheLiberty1.2andSAML

protocols.Themetadataistradedwith

federationpartnersandsuppliesvariousinformation

regardingcontactandorganizationinformationlocatedattheIdentityServer.

Thefollowingfieldsrequireinformation:

 Name:Thenameoftheorganization.

 DisplayName:Thedisplaynamefortheorganization.

 URL:Theorganization’sURLforcontactpurposes.

OptionalfieldsincludeCompany,FirstName,LastName,Email,Telephone,

andContactType.

10 ClickNexttoconfiguretheuserstore.

Youmust referenceyourownuserstoreandauto‐importtheSSLcertificate.SeeSection 3.1,

“ConfiguringIdentityUserStores,”onpage 100forinformationaboutthisprocedure.

11 Afteryouconfiguretheuserstore,thesystemdisplaysthenewconfigurationontheServers

page.

ThestatusiconsfortheconfigurationandtheIdentityServershouldturngreen.Itmighttakeseveral

secondsfortheIdentityServertostartandforthesystemtodisplayagreenicon.Ifit

doesnot,itis

likelythattheIdentityServerisnotcommunicatingwiththeuserstoreyousetup.Ensurethatyou

haveenteredtheuserstoreinformationcorrectly,andthatyouimportedtheSSLcertificatetothe

userstore.(Edit>Local>[UserStoreName].)

Configuring an Identity Server 19

1.1.2 Assigning an Identity Server to a Cluster Configuration

Afteryoucreateaconfiguration,youmustassignanIdentityServertoit.Forclustering,youcan

assignmorethanoneIdentityServertotheconfiguration(seeSection 1.1.3,“ConfiguringaCluster

withMultipleIdentityServers,”onpage 19forthestepstosetupacluster).Aconfigurationusesany

sharedsettings

youhavespeci fied , suchasattributesets,usermatchingexpressions,andcustom

attributesthataredefinedfortheserver.

1 IntheAdministrationConsole,clickDevices>IdentityServers.

2 OntheServerspage,selecttheserver’scheckbox.

Youcan selectalldisplayedserversbyselectingthetop‐levelServercheckbox.

3 ClickActions>AssigntoCluster.

4 Selecttheconfiguration’scheckbox,thenclickAssign.

YouarepromptedtorestartTomcat.ThestatusiconfortheIdentityServershouldturngreen.It

mighttakeseveralsecondsfortheIdentityServertostartandforthesystemtodisplaythegreen

icon.

1.1.3 Configuring a Cluster with Multiple Identity Servers

Toaddcapacityandtoenablesystemfailover,youcanclusteragroupofIdentityServersand

configuretheminaclusterconfigurationtoactasasingleserver.Youcanalsoconfiguretheclusterto

supportsessionfailover,sothatusersdon’thavetoreauthenticatewhenanIdentityServergoes



down.

AclusterofIdentityServersshouldresidebehindanL4switch.ClientsaccessthevirtualIP(VIP)

addressoftheclusterpresentedontheL4switch,andtheL4switchalleviatesserverloadby

balancingtrafficacrossthecluster.WheneverauseraccessesthevirtualIPaddressassignedto

theL4

switch,thesystemroutestheusertooneoftheIdentityServersinthecluster,astrafficnecessitates.

Tosetupacluster,completethefollowingtasks:

 InstallanL4switch.Youcan usethesameswitchforIdentityServerclusteringandAccess

Gatewayclustering,providedthatyouusedifferentvirtualIPs.TheLBalgorithmcanbe

anything(hash/stickybit),definedattheRealserverlevel.Forconfigurationtips,see

“ConfigurationTipsfortheL4Switch”

intheNetIQAccessManager3.1SP5SetupGuide.

 Enablepersistence(sticky)sessionsontheL4switch.Normallyyoudefinethisatthevirtual

serverlevel.

 CreateanIdentityServerconfigurationforthecluster.YouassignalltheIdentityServerstothis

configuration.

 SeeSection 1.1.1,“CreatingaClusterConfiguration,”onpage 14forinformationabout

creatinganIdentityServerconfiguration.

 SeeSection 1.1.2,“AssigninganIdentityServertoaClusterConfiguration,”onpage 19for

informationaboutassigningidentity

serverstoconfigurations.

 EnsurethattheDNSnameofthebaseURLfortheclusterconfigurationresolvesviaDNStothe

IPaddressoftheL4virtualIPaddress.TheL4switchbalancestheloadbetweentheIdentity

Serversinthecluster.

 EnsurethattheL4administrationserverusingport8080hasthefollowingTCPportsopen:

 8443(secureAdministrationConsole)

 7801+1(forback‐channelcommunicationwithclustermembers).Youneedtoopentwo

consecutiveports,suchas7801and7802.

20 Novell Access Manager 3.1 SP5 Identity Server Guide

 636(forsecureLDAP)

 389(forclearLDAP)

 524(networkcontrolprotocolontheL4switchforservercommunication)

Theidentityproviderportsmustalsobeopen:

 8080(non‐securelogin)

 8443(securelogin)

 1443(servercommunication)

 Ifyouareusingintroductions(seeSection 7.2,“ConfiguringGeneralProviderOptions,”on

page 18 6),youmustconfiguretheL4switchtoloa dbalance onports8445(identityprovider)

and8446(identityconsumer).

 Toenablesessionfailoversousersdon’thavetoreauthenticatewhenanIdentityServergoes

down,seeSection 1.1.4,“ConfiguringSessionFailover,”onpage 20.

 Tomodifythenameoftheclusteroreditcommunicationdetails,seeSection 1.1.5,“Editing

ClusterDetails,”onpage 21.

1.1.4 Configuring Session Failover

WhenyousetupanIdentityServerclusterandaddmorethanoneIdentityServertothecluster,you

havesetupfaulttolerance.ThisensuresthatifoneoftheIdentityServersgoesdown,usersstillhave

accesstoyoursitebecausetheremainingIdentityServercanbeusedfor

authentication.However,it

doesn’tprovidesessionfailover.Ifauserhasau thenticatedtothefailedIdentityServer,thatuseris

promptedtoauthenticateandthesessioninformationislost.

WhenyouenablesessionfailoverandanIdentityServergoesdown,theuser’ssessioninformationis

preserved.Anotherpeerserverin

theclusterre‐createstheauthoritativesessioninformationinthe

background.Theuserisnotrequiredtologinagainandexperiencesnointerruptionofservices.

 “Prerequisites”onpage 20

 “ConfiguringSessionFailover”onpage 21

 “HowFailoverPeersAreSelected”onpage 21

Prerequisites

 AnIdentityServerclusterwithtwoormoreIdentityServers.

 SufficientmemoryontheIdentityServerstostoreadditionalauthenticationinformation.When

anIdentityServerisselectedtobeafailoverpeer,theIdentityServerstoresabout1KBofsession

informationforeachuserauthenticatedontheothermachine.

 Sufficientnetworkbandwidthfortheincreasedlogintraffic.TheIdentityServersendsthe

sessioninformationtoalltheIdentityServersthathavebeenselectedtobeitsfailoverpeers.

 AlltrustedEmbeddedServicesProvidersneedtobeconfiguredtosendtheattributesusedin

FormFillandIdentityInjectionpolicies

atauthentication.Ifyouuseanyattributesotherthan

thestandardcredentialattributesinyourcontracts,youalsoneedtosendtheseattributes.To

configuretheattributestosend,clickDevices>IdentityServers>Edit>Liberty> [NameofService

Provider]>Attributes.

Page is loading ...

Novell Access Manager 3.1 SP4 User guide

Novell Access Manager 3.1 SP4 User guide

Related papers

Other documents