Identity Console 1.7.2 install with OSP login - missing some configuration.

Hi all.

I am trying to configure Identity Console with OSP SSO as asked by one of my colleagues.

I have it working fine with LDAP authentication, but something is missing when trying the OSP mode.

My installation is docker based. OSP is in a different docker instance.

I had to remove the line ospclientpass from edirapi.conf to get identityconsole to start, but then it errors after redirect with: 

Unable to fetch UserInfo from OSP

I have set it up as described here: https://www.netiq.com/documentation/identity-console/pdfdoc/identity_console-install/identity_console-install.pdf on page 9.

edirtree is replaced by the actual tree name in lowercase and the URLs are configured to match the environment.

I suspect that not being able to have ospclientpass is part of the issue, but IDC 1.7.2 doesn't seem to want to start with that option. I have not been able to find any other suggestions, so I'm asking here.

The OSP configuration in ism-configuration.properties is also done and I do get sent back...?

I have origin for both idc and osp set in the origin variable.

Any suggestions?

  • 0  

    Did you update the ism-configuration.properties with the client settings?

    Specifically these:

    com.netiq.edirapi.clientID = identityconsole
    com.netiq.edirapi.redirect.url = https://<Identity Console Server IP>:<Identity Console Listener Port>/eDirAPI/v1/<eDirectory Tree Name>/authcoderedirect
    com.netiq.edirapi.logout.url = https://<Identity Console Server IP>:<Identity Console Listener Port>/eDirAPI/v1/<eDirectory Tree Name>/logoutredirect
    com.netiq.edirapi.logout.return-param-name = logoutURL
    com.netiq.edirapi.response-types = code,token
    com.netiq.edirapi.clientPass._attr_obscurity = NONE
    com.netiq.edirapi.clientPass = novell
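The pitfalls this thread circles around (a redirect URL wrapped onto a second line, a placeholder left in, a tree name that is not lowercase, a missing key) are all cheap to check before restarting the containers. The script below is an added example, not code from the thread or from the Identity Console/OSP products: it parses the OSP client section of ism-configuration.properties with a minimal Java .properties reader and reports inconsistencies against the keys quoted above. The key names come from the reply above; the sample file contents, host name, port and tree name are constructed for the example.

```python
"""
Consistency checker for the OSP client keys in ism-configuration.properties.

Added example (not part of the thread or the products). Catches: a value wrapped
onto a new line without a Java .properties continuation backslash (the tail then
becomes a stray line instead of part of the URL), leftover <placeholders>,
a redirect path that does not match /eDirAPI/v1/<tree-in-lowercase>/<endpoint>,
a non-https URL, a missing key, and a clientPass obscurity other than NONE.
"""
import re
from urllib.parse import urlparse

# Keys quoted in the reply above.
REQUIRED_KEYS = (
    "com.netiq.edirapi.clientID",
    "com.netiq.edirapi.redirect.url",
    "com.netiq.edirapi.logout.url",
    "com.netiq.edirapi.logout.return-param-name",
    "com.netiq.edirapi.response-types",
    "com.netiq.edirapi.clientPass._attr_obscurity",
    "com.netiq.edirapi.clientPass",
)


def parse_properties(text):
    """Minimal Java .properties parser: key=value, '#'/'!' comments, trailing-backslash
    continuations. Returns (props, stray) where stray holds non-empty lines with no '=',
    i.e. the leftover tail of a value that was wrapped without a backslash."""
    props, stray = {}, []
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # continuation: glue the next line on
            pending = line[:-1]
            continue
        if "=" not in line:
            stray.append(line)
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    if pending:
        stray.append(pending)
    return props, stray


def check_osp_client_config(text, tree_name):
    """Return a list of readable problems; an empty list means the section is consistent."""
    props, stray = parse_properties(text)
    problems = [f"stray line without '=' (wrapped value?): {s!r}" for s in stray]
    problems += [f"missing key: {k}" for k in REQUIRED_KEYS if k not in props]
    for key, endpoint in (("com.netiq.edirapi.redirect.url", "authcoderedirect"),
                          ("com.netiq.edirapi.logout.url", "logoutredirect")):
        url = props.get(key)
        if url is None:
            continue
        if re.search(r"<[^>]*>", url):
            problems.append(f"{key}: placeholder still present: {url}")
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{key}: expected https, got {parsed.scheme!r}")
        expected_path = f"/eDirAPI/v1/{tree_name.lower()}/{endpoint}"
        if parsed.path != expected_path:
            problems.append(f"{key}: path {parsed.path!r} != {expected_path!r} "
                            "(tree name must be lowercase and the URL on one line)")
    if props.get("com.netiq.edirapi.clientPass._attr_obscurity") != "NONE":
        problems.append("clientPass._attr_obscurity must be NONE for a plaintext clientPass")
    return problems


# Constructed sample: a correct section (host, port and tree name are made up).
GOOD = """\
com.netiq.edirapi.clientID = identityconsole
com.netiq.edirapi.redirect.url = https://idc.example.test:9000/eDirAPI/v1/mytree/authcoderedirect
com.netiq.edirapi.logout.url = https://idc.example.test:9000/eDirAPI/v1/mytree/logoutredirect
com.netiq.edirapi.logout.return-param-name = logoutURL
com.netiq.edirapi.response-types = code,token
com.netiq.edirapi.clientPass._attr_obscurity = NONE
com.netiq.edirapi.clientPass = novell
"""

# Constructed sample: redirect URL wrapped as in the PDF, mixed-case tree name,
# logout.url missing altogether.
BAD = """\
com.netiq.edirapi.clientID = identityconsole
com.netiq.edirapi.redirect.url = https://idc.example.test:9000/eDirAPI/v1/MyTree/
authcoderedirect
com.netiq.edirapi.logout.return-param-name = logoutURL
com.netiq.edirapi.response-types = code,token
com.netiq.edirapi.clientPass._attr_obscurity = NONE
com.netiq.edirapi.clientPass = novell
"""

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_osp_client_config(sample, "MyTree") or "OK")
```

Run it against the real file with `check_osp_client_config(open(path).read(), tree_name)`; the tree name is passed separately so the check can confirm it was lowercased in the URLs, which is the detail the PDF's wrapped placeholders make easy to get wrong.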

  • 0 in reply to   

    Yes I did. I changed the clientpass, though.

    It also seems to get to the OSP sign-in box if I am not already logged in, but I'm not 100% sure I was able to log in there. If I am logged in already, I get the message shown in my original post.

    And of course I made sure the split lines are just one line in ism-configuration.properties

    It puzzles me that that one directive is rejected. I'll try removing the version file so it fully checks the configuration again, maybe that will help.

    I am not 100% sure if the OSP cert is the correct one, but so far I have not seen an indication that it fails because of that.

  • 0 in reply to 

    Well, edirapi.version didn't change anything. I have not yet tried removing .configured, since now some colleagues need to use the IDC, so I have reverted to LDAP for now. Either way, why would only ospclientpass be a problem? Especially when it is listed in the manual?