Using Access Manager to single sign-on to Advanced Authentication enrollment service


The following guide shows how the NetIQ Advanced Authentication Framework (AAF) product can be enabled to accept user credentials passed in by Access Manager (NAM), so that users can single sign-on to the AAF enrollment page after having authenticated successfully to the NAM Identity server. Access Manager 4.3 and Advanced Authentication Framework 5.5 were used as part of the test.


Changes are required on both the AAF and NAM sides. The required changes are described below.

Advanced Authentication Framework configuration changes:

  1. Log in to the Advanced Authentication Administration Console and make sure that an Authentication Management chain exists with the LDAP Password method, and that it is assigned to all users as shown below. Other methods can be included, but this guide uses the user's LDAP password.


  2. Enable AAF to authenticate users using the basic authentication protocol exchange.

    This is documented at where it states that:

    To achieve basic authentication, in the Event Edit screen for Authenticators Management, set the Allow basic authentication option to ON.

    NOTE: The basic authentication is supported only for the Authentication Management event and for the Password (PIN), LDAP Password, and HOTP methods.

    You must enter /basic with the URL to login to the enrollment page. The Login page appears and the format of the Username you must provide is: username:PASSWORD|LDAP_PASSWORD|HOTP:1. For example: admin:PASSWORD:1.

    In the Events menu of the AAF Admin Console, select the Authenticators Management event, add the chain created in the previous step and enable the basic authentication option. With this enabled, NAM can be configured to inject the required credentials into requests destined for the AAF server, so that users are single signed-on.


Access Manager Configuration changes:

By default, the Access Gateway component of NAM can accelerate a back-end web server and inject users' credentials into the Authorization Basic HTTP header to SSO to any web server that has basic authentication enabled. The Authorization Basic HTTP header is a standard header that typically carries a base64-encoded username:password string. With AAF, the back end expects more than just username:password, and to inject this additional information we need to use the NAM virtual attributes feature.

  1. Set up NAM to inject the non-standard Authorization Basic HTTP header.

    Following the AAF documentation referenced above, our virtual attribute setup appends the LDAP_PASSWORD:1 string to the user's cn (assuming the user authenticated to NAM with this chain). To do this we created the vNAAFUser virtual attribute based on the user's cn and manipulated the value with JavaScript. The screenshot below shows the basic JavaScript needed to do this.


  2. Create an Identity Injection policy that injects the above virtual attribute value as the username, with the user's password as the password. This policy will later be applied to the protected resources associated with the accelerated AAF enrollment portal.


  3. Accelerate the AAF Enrollment server using the Access Gateway.

    In this example, we set up a domain-based multi-homed proxy for the Advanced Authentication Enrollment server. We created a protected resource for the path (this can be /* or specifically /account/basic), assigned a specific authentication contract to it, and enabled the identity injection policy from the previous step. Update the Access Gateway after applying these changes.
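The three NAM steps above produce a username of the form cn:LDAP_PASSWORD:1 and a basic-auth header that carries it together with the user's password. The following JavaScript is an added example, not the page's screenshot or NetIQ's code: it reproduces the virtual attribute transformation, builds the header the identity injection policy would send, and decodes such a header the way a verifier on the receiving side could check it. The `main(P1)` wrapper is an assumption about how a NAM virtual attribute script receives the cn; the method list and the trailing "1" come from the AAF documentation quoted above.

```javascript
// Added example (not from the page or from NetIQ). Assumptions: a NAM virtual
// attribute script is a function named main whose first parameter P1 is the
// user's cn (hypothetical shape); the AAF basic-auth username format is
// username:METHOD:1 as quoted from the AAF documentation on this page.

// Methods the AAF documentation lists as supported for basic authentication.
const AAF_METHODS = ['PASSWORD', 'LDAP_PASSWORD', 'HOTP'];

// Virtual attribute transformation: append the method name and "1" to the cn.
// Returns null for a cn that contains ':' because the receiving side splits the
// decoded credential on ':' and such a cn would be misparsed.
function aafBasicUsername(cn, method = 'LDAP_PASSWORD') {
  if (typeof cn !== 'string' || cn.length === 0 || cn.includes(':')) return null;
  if (!AAF_METHODS.includes(method)) return null;
  return `${cn}:${method}:1`;
}

// What the Access Gateway identity injection sends: "Basic base64(user:password)".
function buildAuthorizationHeader(username, password) {
  const token = Buffer.from(`${username}:${password}`, 'utf8').toString('base64');
  return `Basic ${token}`;
}

// Receiving-side check: decode the header and verify the AAF username format.
// The first three fields (cn, method, "1") contain no ':' so the remainder is
// the password, even when the password itself contains ':'.
function parseAafAuthorizationHeader(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const parts = decoded.split(':');
  if (parts.length < 4) return null;
  const [cn, method, one, ...rest] = parts;
  if (!cn || !AAF_METHODS.includes(method) || one !== '1') return null;
  return { cn, method, password: rest.join(':') };
}

// Hypothetical NAM virtual attribute entry point (assumed shape, see lead-in).
function main(P1) {
  return aafBasicUsername(P1, 'LDAP_PASSWORD');
}

// Stand-alone demonstration with a constructed cn and password.
const demoUser = main('jsmith');
const demoHeader = buildAuthorizationHeader(demoUser, 'constructed-secret');
console.log(demoUser);
console.log(demoHeader);
console.log(parseAafAuthorizationHeader(demoHeader));
```

A cn containing a colon is rejected rather than passed through, because the decoded credential is split on ':' and the method name would land in the wrong field; when the directory allows such values, the virtual attribute should map users onto a colon-free attribute instead.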


At this stage, everything is ready to start the test. Bringing up a browser, the test user accessed the AAF enrollment portal via the Access Gateway at and after submitting the user credentials at the Identity Server, the user was single signed on to the AAF enrollment site.


