
Is possible to use NAM NetIQ with Keycloak?

Hi guys, I have a question.

I'm working on a project with NAM NetIQ and Keycloak and I need to implement this flow:

  • I have an EC2 instance inside a private subnet with a Keycloak container that I need to use for SSO with the SAML protocol
  • I need to use NAM NetIQ as SP with Keycloak as IdP for redirection purposes

My question is: is it a problem if my Keycloak resides in a private subnet, or will NAM NetIQ work without problems?

Thanks in advance

  • Suggested Answer

    0  

    If you will be using the so-called "front channel" SAML bindings (e.g. POST or REDIRECT), SSO can work even if Keycloak and NAM cannot communicate directly. The only requirement is that the browser can talk to both of them (of course).

    Kind regards,

    Sebastijan

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

  • 0 in reply to   

    Hi, thanks for the answer. So, as you said, I will be able to integrate NAM and Keycloak without problems, but what do you mean by "browser can talk to both of them"? I don't get it very clearly.

  • 0   in reply to 
    but what do you means with "browser can talk to both of them"? I don't get it very clearly

    Looking at it from the end user's perspective, the flow will most probably be like this:

    • There will be a user trying to connect to a service on NAM (acting as a SAML SP).
    • NAM will redirect the user to Keycloak for authentication (acting as SAML IdP).
    • The user will authenticate on the Keycloak server (if needed).
    • Keycloak will redirect the user back to NAM with a SAML response.
    • NAM will parse the SAML response and locally authenticate the user.

    So the end user will need to be able to access both Keycloak and NAM with his/her browser.

    Does this make sense? If not, I might have misunderstood your original post.

    Kind regards,

    Sebastijan

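The five-step flow above, as an added example that is not part of the thread and not NAM's or Keycloak's code: a stdlib-only Python simulation in which the "SP" plays NAM, the "IdP" plays Keycloak, and the only thing that ever moves a message from one to the other is the browser (a redirect carrying the AuthnRequest, then an auto-submitted POST form carrying the Response). That is why Keycloak sitting in a private subnet is fine as long as the user's browser can reach it. All entity IDs and URLs are constructed placeholders; XML signatures are neither produced nor checked here, because the point is the message exchange, not the crypto.

```python
"""Added example (not from the thread, NAM or Keycloak): SP-initiated SAML 2.0
front-channel flow with the HTTP-Redirect and HTTP-POST bindings. Entity IDs and
URLs are constructed placeholders; no XML signatures are produced or checked."""
import base64
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"
SP_ENTITY_ID = "https://nam.example.test/nidp/saml2/metadata"             # constructed
SP_ACS_URL = "https://nam.example.test/nidp/saml2/spassertion_consumer"   # constructed
IDP_ENTITY_ID = "https://keycloak.internal.test/realms/demo"              # constructed
IDP_SSO_URL = "https://keycloak.internal.test/realms/demo/protocol/saml"  # constructed

def utcnow():
    return datetime.now(timezone.utc)

def parse_ts(value):
    return datetime.strptime(value, TS).replace(tzinfo=timezone.utc)

# SP (NAM), step 2: build an AuthnRequest and send the browser to the IdP with it.
def sp_build_redirect(request_id=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    request_id = request_id or "_" + secrets.token_hex(16)
    authn = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
             f'ID="{request_id}" Version="2.0" IssueInstant="{utcnow().strftime(TS)}" '
             f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
             f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
             f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    deflated = deflater.compress(authn.encode()) + deflater.flush()
    query = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return request_id, f"{IDP_SSO_URL}?{query}"

# IdP (Keycloak), steps 3-4: decode the request, authenticate, POST a Response back.
def idp_handle_redirect(redirect_url, user="alice", email="alice@example.test"):
    """Return (form_action, SAMLResponse) for the browser's auto-submitted POST form."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
    request = ET.fromstring(zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15))
    acs_url = request.get("AssertionConsumerServiceURL")
    if acs_url != SP_ACS_URL:  # only ever post to an ACS URL registered in the SP's metadata
        raise ValueError("AuthnRequest asks for an unregistered ACS URL")
    now, ts = utcnow(), (lambda d: d.strftime(TS))
    response = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{ts(now)}" '
        f'InResponseTo="{request.get("ID")}" Destination="{acs_url}">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{ts(now)}">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="{ts(now - timedelta(minutes=2))}" '
        f'NotOnOrAfter="{ts(now + timedelta(minutes=5))}"><saml:AudienceRestriction>'
        f'<saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
        f'<saml:AttributeStatement><saml:Attribute Name="email"><saml:AttributeValue>{email}'
        f'</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
        f'</saml:Assertion></samlp:Response>')
    return acs_url, base64.b64encode(response.encode()).decode()  # HTTP-POST binding

# SP (NAM), step 5: validate the Response and authenticate the user locally.
def sp_consume_response(saml_response_b64, expected_request_id, at=None):
    """Return (name_id, attributes) or raise ValueError. A real SP first verifies the
    XML signature against the IdP certificate obtained from the IdP's metadata."""
    at = at or utcnow()
    resp = ET.fromstring(base64.b64decode(saml_response_b64))
    if resp.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    if resp.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding request")
    status = resp.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if status != SUCCESS:
        raise ValueError(f"IdP reported {status}")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None or assertion.find("saml:Issuer", NS).text != IDP_ENTITY_ID:
        raise ValueError("assertion missing or from an unexpected issuer")
    cond = assertion.find("saml:Conditions", NS)
    if not parse_ts(cond.get("NotBefore")) <= at < parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if cond.find("saml:AudienceRestriction/saml:Audience", NS).text != SP_ENTITY_ID:
        raise ValueError("assertion is not addressed to this SP")
    name_id = assertion.find("saml:Subject/saml:NameID", NS).text
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, attrs

def run_flow():
    """Play the browser: carry the redirect to the IdP and the POST back to the SP."""
    request_id, redirect_url = sp_build_redirect()
    action, saml_response = idp_handle_redirect(redirect_url)
    assert action == SP_ACS_URL
    return sp_consume_response(saml_response, request_id)
```

`run_flow()` returns `('alice', {'email': ['alice@example.test']})`. The checks in `sp_consume_response` (Destination, InResponseTo, status, issuer, validity window, audience) are the ones NAM performs at step 5 before it will map attributes and log the user in; a response replayed after `NotOnOrAfter`, or one that does not answer a request the SP actually sent, is rejected. Signature verification sits in front of all of them in a real deployment, and the certificate it needs is exactly what the metadata exchange delivers.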

  • 0 in reply to   

    Yes, my flow is something like this: my user, after authentication with Keycloak, will be redirected to NAM with a SAML response, and after that the user will be able to access the Amazon Connect service.

    I think it is possible to obtain this behaviour.

    Do you have any docs or tutorials to follow for configuring this flow? I'm new to this and I don't know how to get

    Thanks

  • 0   in reply to 

    I don't have any tutorials, but roughly you need to do the following (as with any SAML federation):

    1. Establish trust between the IdP and SP by exchanging SAML metadata (configure the SP on the IdP and configure the IdP on the SP)
    2. On the IdP, configure the attributes that will be sent to the SP
    3. On the SP, properly map the received attributes
    4. On the SP, configure user matching/provisioning (how to match received information to existing users or create new users)

    Starting points for reading (regarding NAM):

    #1 Configure IdP on SP (NAM): https://www.microfocus.com/documentation/access-manager/5.0/admin/saml1createidp.html

    #3 https://www.microfocus.com/documentation/access-manager/5.0/admin/idpattrs.html

    #4 https://www.microfocus.com/documentation/access-manager/5.0/admin/bmmudo8.html

    Kind regards,

    Sebastijan

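The four steps above expressed as data, as an added example that is not part of the thread and not NAM's or Keycloak's code: two constructed SAML metadata files (one SP, one IdP) are parsed to tell which is which by the descriptor element they contain and to derive what each side must enter about the other (step 1); then IdP attribute names are mapped onto local fields and matched against an existing user store, with optional provisioning (steps 2-4). Every entity ID, URL, certificate string and user record is a constructed placeholder, and the attribute mapping table is an assumption for the example, not a NAM or Keycloak default.

```python
"""Added example (not from the thread, NAM or Keycloak): SAML metadata exchange,
attribute mapping and user matching. All IDs, URLs, certificate text and user
records are constructed placeholders."""
import xml.etree.ElementTree as ET

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed SP metadata: the file the SP side (NAM) hands to the IdP team.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://nam.example.test/nidp/saml2/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>SP-SIGNING-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://nam.example.test/nidp/saml2/spassertion_consumer" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata: what a Keycloak realm publishes for its SAML IdP role.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://keycloak.internal.test/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>IDP-SIGNING-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://keycloak.internal.test/realms/demo/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://keycloak.internal.test/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

ROLE_TAGS = {"SP": ("md:SPSSODescriptor", "md:AssertionConsumerService"),
             "IdP": ("md:IDPSSODescriptor", "md:SingleSignOnService")}

def parse_metadata(xml_text):
    """Summarise an EntityDescriptor: roles it offers, endpoints per binding, signing certs."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    info = {"entity_id": root.get("entityID"), "roles": {}}
    for role, (desc_tag, endpoint_tag) in ROLE_TAGS.items():  # one entity may offer both roles
        desc = root.find(desc_tag, MD)
        if desc is None:
            continue
        certs = [k.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD).text.strip()
                 for k in desc.findall("md:KeyDescriptor", MD) if k.get("use") in (None, "signing")]
        endpoints = {e.get("Binding").rsplit(":", 1)[1]: e.get("Location")
                     for e in desc.findall(endpoint_tag, MD)}
        info["roles"][role] = {"signing_certs": certs, "endpoints": endpoints,
                               "wants_signed_assertions": desc.get("WantAssertionsSigned") == "true"}
    return info

def trust_config(sp_xml, idp_xml):
    """Step 1 from both sides: which values from the other party's metadata go where."""
    sp, idp = parse_metadata(sp_xml), parse_metadata(idp_xml)
    if "SP" not in sp["roles"]:
        raise ValueError(f"{sp['entity_id']}: no SPSSODescriptor, this is not SP metadata")
    if "IdP" not in idp["roles"]:
        raise ValueError(f"{idp['entity_id']}: no IDPSSODescriptor, this is not IdP metadata")
    sp_role, idp_role = sp["roles"]["SP"], idp["roles"]["IdP"]
    return {
        "on_sp_configure_idp": {"entity_id": idp["entity_id"],
                                "sso_url": idp_role["endpoints"]["HTTP-Redirect"],
                                "trust_signing_cert": idp_role["signing_certs"][0]},
        "on_idp_configure_sp": {"entity_id": sp["entity_id"],
                                "acs_url": sp_role["endpoints"]["HTTP-POST"],
                                "verify_requests_with": sp_role["signing_certs"][0],
                                "sign_assertions": sp_role["wants_signed_assertions"]},
    }

# Steps 2-4: attribute mapping and user matching on the SP (constructed table and store).
ATTRIBUTE_MAP = {"email": "mail", "urn:oid:2.5.4.42": "givenName", "urn:oid:2.5.4.4": "sn"}
USER_STORE = [{"uid": "u1001", "mail": "Alice@example.test", "cn": "Alice Adams"}]

def map_attributes(saml_attributes, mapping=ATTRIBUTE_MAP, required=("mail",)):
    """Translate IdP attribute names into local field names; reject incomplete data."""
    local = {mapping[name]: values[0] for name, values in saml_attributes.items()
             if name in mapping and values}
    missing = [field for field in required if field not in local]
    if missing:
        raise ValueError(f"IdP did not send required attribute(s): {missing}")
    return local

def match_user(local_attributes, store=USER_STORE, key="mail", provision=False):
    """Find the existing user by key (case-insensitive); optionally provision a new one."""
    wanted = local_attributes[key].lower()
    for user in store:
        if user.get(key, "").lower() == wanted:
            return user, "matched"
    if not provision:
        return None, "no-match"
    new_user = {"uid": f"fed-{len(store) + 1}", **local_attributes}
    store.append(new_user)
    return new_user, "provisioned"
```

`trust_config(SP_METADATA, IDP_METADATA)` yields the two configuration halves: on the SP, the IdP's entity ID, its HTTP-Redirect SSO URL and its signing certificate to trust; on the IdP, the SP's entity ID, its HTTP-POST assertion consumer URL and whether assertions must be signed. Handing the same side's file to both parties (for example `trust_config(IDP_METADATA, IDP_METADATA)`) fails at the descriptor check, which is the quickest way to tell SP metadata from IdP metadata when two files are in play. `map_attributes` and `match_user` are the SP-side steps 3 and 4; the mapping table and the matching key are the decisions you make in NAM's attribute and user-identification configuration.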

  • 0 in reply to   

    Thanks for your help and the links! I really appreciate it!

    I have another question: can NAM work as IdP in the same way it works as SP? Because I probably need Keycloak to interact with NAM for authentication, and after this operation succeeds they will be redirected via Keycloak for accessing Amazon Connect.

  • 0   in reply to 
    NAM can work as IdP in the same way it works as SP?

    Yes, it can. NAM can be either SP or IDP.

    Kind regards,

    Sebastijan


  • 0 in reply to   

    Thanks!

    Kind regards

  • 0

    It may be possible to implement some level of integration between NetIQ and Keycloak using standard protocols such as SAML (Security Assertion Markup Language) or OpenID Connect (OIDC). These protocols allow for single sign-on (SSO) and identity federation between different systems.

  • 0 in reply to 

    Hi, I think that I'm stuck. I have successfully configured a Keycloak client for connecting to the AWS console; after that I sent my metadata.xml to the NAM authority (a team that manages the configuration), but now I think that something went wrong. In a guide that they gave me (a very disorganized guide) there is a step "Configuration of the Client SP" with a metadata.xml for the NAM server, but previously step 2 of this guide required my metadata.xml. So, if it is clear to you, I have configured my client SP correctly for AWS console access and this metadata.xml was given to the team for SAML integration with NAM, but I think that it was the wrong xml.

    Sorry for the long explanation; I think it is ok, thanks