IDM UserApp 3.6.1 Single Sign On with Novell Access Manager 3.1.x
Novell made some changes between UserApp 3.5.1 and UserApp 3.6.x in how SSO can be achieved with NAM (Novell Access Manager).
This document assumes that you are using the User Application 3.6.1 (we are using the NON-Provisioning module which means that 3.6.1 is the highest version we can use. There is no 3.7 version with NON-Provisioning and version 4.0 is not shipping as of the date of this document).
This document also assumes that you are using NAM 3.1.1 or higher (I'm not sure if NAM 3.1 is even required, but the screen options are different than NAM 3.0).
For the purpose of this, we are assuming that the name of the User Application server is called: userapp.abc.com and is running on SLES 10 SP2 or higher with Jboss that is included with UserApp. We also assume you are using the expired password feature of NAM to redirect to the ChangePassword.jsf on UserApp (rather than the "forgotpassword" of UserApp)
Since UserApp requires eDirectory, our User Source in NAM is also assumed to be eDirectory.
This also ASSUMES that when you created your IDP cluster, that you used a user with ADMIN rights to the eDirectory tree so that it could extend the Schema for SAML. If you do did not, I will include the steps to do that after the fact.
First, make sure that you apply patch C for User App 3.6.1 If you don't, then the changepassword.jsf doesn't work properly (if you are redirecting your "expired password" URL in NAM to the ChangePassword.jsf). Otherwise, this assumes a standard install of UserApp 3.6.1 with the included MySQL and Jboss on port 8080. Since we are front-ending the server with NAM, we can setup SSL on port 443 for our Reverse Proxy in our LAG configuration.
This assumes that you are using NAM 3.1.1 or higher and that you are using the Linux Access Gateway (LAG). I don't know if this works with the Netware Access Gateway (NAG). We are also using a DNS-based multi-homing environment, although that shouldn't matter too much, but our Proxy Service configuration is based upon this.
Create another new policy. Call it whatever you want, but here's mine below:
It contains one rule for the SAML assertion injection.
If, like me, you did not use an "admin" user for your IDP configuration, it did not extend the Schema properly for SAML. To fix this, login to your Admin Console, find your IDP Cluster (I'm assuming you are using an IDP cluster) and edit it.
Click the "Local" tab and click on your defined User Store (eDirectory)
TEMPORARILY change the "admin name" to be either the admin user or a user with rights to extend the schema. Obviously enter the correct password. THEN, make certain to CHECK THE BOX for "Install NMAS SAML method"
Click Apply and OK and update your configs. Wait a little bit and it should extend the eDir schema. To verify that you have a SAML method, you can use iManager.
Once logged into iManager, select the NMAS -> NMAS Login Methods role
On the right-hand side, find the SAML Assertion object (you should have one)
Click the Affiliates tab
You'll see something like:
SCCotpbt3 (the name will vary)
If this is your FIRST and only IDP cluster, you should only have one of these and if you select it, you'll notice that the Provider ID will be something like:
Obviously the key item is the "accessManagerContainer"
Once you've verified this, you can re-edit your IDP configuration and change the userid/password BACK to what you had before and UNCHECK the "Install NMAS SAML method".
Login to your NAM Admin Console, find your LAG (or LAG Cluster), and you're going to create a new Proxy Service.
(obviously replace the Published DNS name with whatever matches your environment, and the IP address to the server that you have installed User App onto).
Then find the service you just created and click it to make adjustments.
There's nothing to change on the Proxy Service tab
So click the Web Servers tab.
I've never noticed any harm for the Host Header to be "Forward Received Host Name". However, you could also set it to be "Web Server Host Name" and then input the correct value in the box below.
Note that you will normally have to change the Connect Port since User App uses JBoss on port 8080 by default.
Now click on the Protected Resources tab.
I'm going to create two resources.
I created one called "everything" (you can call it "All", it doesn't really matter). The PATH will be defined as /*
Now, it's up to you if you wish to define an authorization policy or not. We DO define an authorization policy because we don't want just anyone being able to browse the web server unless they authenticate.
We also chose to define an Authentication tab policy as well (again, we don't want just anyone being able to look at stuff).
For the Identity Injection tab, select the two IDP policies you created previously:
Create a SECOND resource for the forgotten password (if you use that):
Define two paths as shown above. There is no Authentication or Authorization enabled for this (because if the user forgot their password then they CAN'T authenticate).
Click the Identity Injection tab and again, select the two IDP policies you created previously and remember to enable them (I always forget that).
Login to the NAM Admin Console, find the IDP cluster and edit it. Find the Local -> Contracts tab/section.
Edit the contract you are using (probably Secure Name/form)
The URL for the expired password would be:
This is the basic setup here.
You can continue to use the Cool Solutions article "Configuring Access Manager for UserApp and SAML" if you wish to further tighten down the UserApp (page 6 I think) but I've not bothered to do that.