Thanks for the guide, it's interesting.
Is there a guide like this for setting up Google as a SAML2 Identity Provider for NAM?
NetIQ IDP can act as a SAML2 Identity Provider as well as a SAML2 Service Provider. In most cases, we configure NAM IDP as an Identity Provider to a SaaS/cloud-based Service Provider and use the organization’s network credentials to log in to SaaS applications.
In this solution, I will explain how to configure NAM IDP to act as a Service Provider and use any SAML-enabled IDP (for example Salesforce, ForgeRock, etc.) for authentication and authorization. I have taken Salesforce as the Identity Provider and given a step-by-step process to enable users to authenticate using the Salesforce IDP and access NAM protected resources seamlessly.
The links below show you how to set up Salesforce as an identity provider for a third-party application that’s configured as a service provider. In Salesforce, you create a connected app (i.e. NAM IDP) for the service provider. Users can then log in to Salesforce and use single sign-on (SSO) to access the service provider protected resources.
So far we have configured trust between the Salesforce IDP and NAM IDP. The user will now be able to authenticate using Salesforce credentials, and Salesforce will send a SAML assertion to NAM IDP. NAM IDP will match the user by FederationID and create a session for the user.
Follow the steps below to access NAM Access Gateway protected resources using that session.
Open the contract that is used as the authentication procedure for the Access Gateway protected resource. In this example I have used Secure Name Password Form:
Select the “Satisfiable by External Provider” checkbox and set the Allowable Class to “urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified”.
You can find this value in the AuthnContextClassRef element of the Salesforce SAML assertion; the value in the contract must match what the IDP actually sends, otherwise the external session will not satisfy the contract.
This will open the Salesforce login page and on successful login, the user will be redirected to NAM protected resources.
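To make the two matching rules above concrete (user lookup by FederationID, and the contract being satisfied only when the assertion's AuthnContextClassRef is among the contract's allowable classes), here is an added Python example that is not part of the original article or of NAM's own code. It parses a constructed sample SAML Response (the issuer, destination and user values are made up) and evaluates it the way the configuration described above behaves; signature and condition validation is assumed to have been done by the SP already and is deliberately not modelled here.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in the Response and Assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample Response (not captured from Salesforce or NAM); the
# NameID carries the Salesforce FederationID and the AuthnContextClassRef
# is the value the article tells you to put in the contract.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://nam.example.com/nidp/saml2/spassertion_consumer">
  <saml:Issuer>https://idp.example.my.salesforce.com</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.my.salesforce.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed user store: FederationID -> local NAM user. In a real
# deployment this is the FederationID attribute of the LDAP user object.
FEDERATION_DIRECTORY = {"jdoe@example.com": "cn=jdoe,ou=users,o=example"}

# Class the contract was configured with ("Allowable Class" in the article).
CONTRACT_ALLOWABLE_CLASSES = {"urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"}


def parse_assertion(xml_text):
    """Extract the fields the SP needs from a SAML Response.

    Assumes the XML signature and Conditions have already been validated
    (NAM does this before matching the user); only the matching inputs are
    read here.
    """
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion element")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    class_ref = assertion.find(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return {
        "success": status is not None
        and status.get("Value") == "urn:oasis:names:tc:SAML:2.0:status:Success",
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "federation_id": name_id.text.strip() if name_id is not None and name_id.text else None,
        # A missing AuthnContextClassRef is treated as "no class asserted".
        "authn_context_class": class_ref.text.strip() if class_ref is not None and class_ref.text else None,
    }


def contract_satisfied(parsed, allowable_classes):
    """The external session satisfies the contract only if the asserted
    AuthnContextClassRef is one of the contract's allowable classes."""
    return parsed["authn_context_class"] is not None \
        and parsed["authn_context_class"] in allowable_classes


def resolve_user(parsed, directory):
    """Match the asserted NameID against the local FederationID store."""
    return directory.get(parsed["federation_id"])


def evaluate_login(xml_text, directory=FEDERATION_DIRECTORY,
                   allowable_classes=CONTRACT_ALLOWABLE_CLASSES):
    """Return (outcome, local_user) mirroring the SP decision sequence:
    IDP status -> user match by FederationID -> contract class check."""
    parsed = parse_assertion(xml_text)
    if not parsed["success"]:
        return ("idp_failure", None)
    user = resolve_user(parsed, directory)
    if user is None:
        return ("no_matching_federation_id", None)
    if not contract_satisfied(parsed, allowable_classes):
        return ("contract_not_satisfied", user)
    return ("access_granted", user)


if __name__ == "__main__":
    print(evaluate_login(SAMPLE_RESPONSE))
```

Running it on the sample gives `access_granted` for `jdoe`; changing the contract's allowable class to a stricter one such as PasswordProtectedTransport, or removing the user's FederationID from the directory, shows the two failure paths that in NAM appear as a session that exists but does not satisfy the protected resource's contract, or as a user that cannot be matched.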