1. Introduction / Use cases

NetIQ IDP can act as a SAML2 Identity Provider as well as a SAM2 Service Provider. In most cases, we configure NAM IDP as an Identity Provider to SaaS/Cloud-based Service Provider and use the organization’s network credentials to log in to SaaS applications.

In this solution, I will explain how to configure NAM IDP to act as a Service Provider and use any SAML enabled IDP (for example Salesforce, ForgeRock etc.) for authentication and authorization. I have taken Salesforce as an Identity provider and given a step by step process to enable users to authenticate using Salesforce IDP and access NAM protected resources seamlessly.

2. Solution Steps

2.1 Configure Salesforce as Identity Provider

The links below show you how to set up Salesforce as an identity provider for a third-party application that’s configured as a service provider. In Salesforce, you create a connected app (i.e. NAM IDP) for the service provider. Users can then log in to Salesforce and use single sign-on (SSO) to access the service provider protected resources.

https://help.salesforce.com/articleView?id=identity_provider_enable.htm&type=5

https://help.salesforce.com/articleView?id=identity_provider_examples.htm&type=5

1. 1. Create NAM IDP as Managed Connected Apps in Salesforce:
      
      
      
      

1. 1. Here are the configuration details for Connected App (i.e. NAM IDP):
      
      
      
      

1. 1. In the custom attribute section, you can choose SAML assertion attributes which will be used by NAM IDP to match a user profile. In this example, I have used FederationID and I will match the Salesforce IDP authenticated user with NAM IDP local user using federation ID. You may use any other attribute like email, username, etc.
      
      
      
      

1. 1. Format Start URL as follows: Copy Salesforce IDP initiated login URL and append RelayState= NAM protected resource URL. For example: https://<Salesforcedoamin>/idp/login?app=0sp6A000000KysJ&RelayState=<NAM Protected Resource URL>
      
      
      
      

1. 1. Download the Metadata XML file:

2.2 Configure NAM IDP as Service Provider

1. 1. Go to IDP cluster -> SAML 2.0 tab and create a new Identity Provider using the Salesforce metadata XML file.
      
      
      
      

1. 1. If you choose authentication contract, the user has to satisfy this selected contract on top of Salesforce login. I have kept this blank to have the seamless experience for the user.
      
      
      
      

1. 1. Go to Identity Servers -> Shared Settings -> Attribute Sets tab and create a new attribute set as below:
      
      
      
      

1. 1. Go to Identity Servers -> Shared Settings -> User Matching Expressions tab and create a user matching expression. In my example, I have chosen FederationID as SAML assertion in the Salesforce configuration and I will match the user in NAM user store based on FederationID. I have stored the FederationID into Active Directory’s roomNumber attribute and here is my user matching expression.
      
      
      
      

1. 1. Go to IDP cluster -> SAML 2.0 -> Salesforce-Demo -> Configuration -> Attributes tab and select the Attribute Set created in step (iii).
      
      
      
      

1. 1. Go to User Identification tab and select Attribute Matching settings and click on the edit button.
      
      
      
      

1. 1. Choose the User Store and Select the User Matching Expression created on step (iv)
      
      
      
      

2.3 Configure NAM Contract to trust external Provider

Till now we have configured trust between Salesforce IDP and NAM IDP. Now the user will be able to authenticate using Salesforce credentials and Salesforce will send a SAML assertion to NAM IDP. NAM IDP will match the user by FederationID and create a session for the user.

Follow the step below to access NAM Access Gateway protected resources using the session.

Open the contract which is being used as authentication procedure in Access Gateway protected resource. In this example I have used Secure Name Password Form:

Select the “Satisfiable by External Provider” checkbox and put the Allowable Class as “urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified”

You can find this value in AuthnContextClassRef element of Salesforce SAML assertion.

3. Test the solution

1. 1. Login to Salesforce and select App Launcher and select the Managed App created for NAM. This App will redirect the user to the Start URL given in step 2.1 (iv).
      
      

1. 1. Or directly access the below URL:
      https://<Salesforcedoamin>/idp/login?app=0sp6A000000KysJ&RelayState=<NAM Protected Resource URL>

This will open the Salesforce login page and on successful login, the user will be redirected to NAM protected resources.