Build Custom Authentication Class for performing Authentication and Authorization together


1. Introduction

The Identity Server is the central authentication and identity access point for all services performed by Access Manager, whereas the Access Gateway performs the authorization and access check for resources protected by Access Manager.

If you would like to perform authentication and authorization together without making any changes to the underlying application (the protected resources), and would like to show different error messages for authentication and authorization errors, you need to extend the NetIQ authentication class and write your own authentication class.

This document gives an example and a step-by-step process for creating a custom authentication class that performs authentication and authorization together. The class also returns authentication or authorization errors to the login form, and the login form displays the error messages accordingly.

Please refer to the developer guide to become familiar with all the customization options NAM offers.

2. Develop Authentication Class


2.1 Prerequisites

    • Java IDE with JDK 1.7 or above
    • nidp.jar, higgins-sts-api_1.0.0.jar (can be copied from the IDP server) and servlet-api.jar (can be copied from any web server’s lib directory)

2.2 Create Java Project and develop Custom Authentication Class

Create a Java project and copy the following code. You will need nidp.jar, higgins-sts-api_1.0.0.jar and servlet-api.jar to compile and build the project.

MyAuthenticationClass code: MyAuthenticationClass

This custom authentication class has the following logic:

    • It validates the user’s credentials against the user store.
    • If the credentials are valid, it checks the user’s group membership for authorization; otherwise it returns to the JSP page with a login error.
    • If the user is a member of the group, the class returns login success; otherwise it returns an authorization error.

You can modify the code and build your own authorization logic as per your requirements.
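As an added example (not the attached MyAuthenticationClass and not NetIQ's API), here is a standalone Java helper that builds the group-membership filter shown by the authorizationWithQuery log entry in section 3. The account name comes from the login form, so it is escaped per RFC 4515 before it is placed in the filter; a login name containing filter metacharacters is then matched literally instead of changing the query. The group DN is assumed to come from the groupName class property seen in the log.

```java
import java.util.Objects;

/** Builds the LDAP filter for the authorization (group membership) check. */
public final class AuthzFilterBuilder {

    /** Escapes a value for use inside an LDAP search filter (RFC 4515, section 3). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Returns the filter the log entry "authorizationWithQuery" shows:
     * the user must exist AND be a member of the configured group DN.
     * groupDn is the value of the groupName property (assumption: read
     * from the class properties configured in the IDP console).
     */
    static String buildAuthzFilter(String samAccountName, String groupDn) {
        Objects.requireNonNull(samAccountName, "samAccountName");
        Objects.requireNonNull(groupDn, "groupName property not set");
        return "(&(objectClass=user)(sAMAccountName=" + escapeFilterValue(samAccountName)
                + ")(memberOf=" + escapeFilterValue(groupDn) + "))";
    }

    public static void main(String[] args) {
        // groupName value taken from the page's log output
        String group = "CN=ServiceDesk,OU=All Groups,DC=Novell,DC=com";
        // Reproduces the filter logged for user jondoe in section 3
        System.out.println(buildAuthzFilter("jondoe", group));
        // A crafted login name is neutralised rather than widening the search
        System.out.println(buildAuthzFilter("jondoe)(objectClass=*", group));
    }
}
```

The first line printed is identical to the authorizationWithQuery entry in the IDP log; the second shows the parentheses and asterisk encoded as \28, \29 and \2a, so the filter still matches only one sAMAccountName.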

To understand the authentication class and its implementation, please refer to the NetIQ Developer Guide:

2.3 Create JAR file and deploy into IDP

Right-click the Java project and export it as a JAR file. Copy the JAR file to the IDP server (path: “/opt/novell/nids/lib/webapp/WEB-INF/lib”).

You must restart the IDP service to use this Authentication Class.

Command to restart IDP: /etc/init.d/novell-idp restart

2.4 Use Custom AuthN Class in IDP

    • Go to IDP Cluster -> local -> Classes, create a new class, add the following values and click Next.

Display Name: MyAuthenticationClass
Java Class: Other
Java class path: com.nam.authn.MyAuthenticationClass

    • Provide two properties to your custom authentication class and click Finish. The authentication class reads these properties and executes the business logic for authorization.

    • Create a new method that uses MyAuthenticationClass. Here I am using a JSP named mylogin: I copied login_latest.jsp and created mylogin.jsp with the authorization error message added. You can develop your own login page to match your branding.

Here is the mylogin.jsp file: mylogin.jsp

    • Create a contract that uses the method you just created, and assign the contract to the protected resources.

2.5 Show AuthN and AuthZ error message in Login Page

If you look at the doAuthenticate() method in the file, you will find the following code snippet at line number 114. If there is an authorization error, the authentication class adds an attribute to the request.

m_PageToShow.addAttribute("AuthZError", noAuthz);

You need to look for this attribute in the login page and show the authorization message to the user.

Here is the code block (mylogin.jsp, line number 160) that looks for the authorization error and shows the authorization error message to the user.

<% Boolean isAuthZError = (Boolean) request.getAttribute("AuthZError");
   String strAuthZErrorMessage = "You are not authorized to access this application.";
   // the attribute is absent on the first render of the form, so compare null-safely
   if (Boolean.TRUE.equals(isAuthZError)) { %><div class="error"><%= strAuthZErrorMessage %></div><% } %>


3. Test the Authentication Class

If you log in as a user who is not authorized (one who does not have membership of the group), you will get the following unauthorized error message.


You will also find the following entries in the IDP log file. To watch them, run the following command:

tail -f /var/opt/novell/nam/logs/idp/tomcat/catalina.out |grep -i "MyAuthenticationClass ---->"

Log entries from IDP server:

MyAuthenticationClass ----> Property Values in groupName : CN=ServiceDesk,OU=All Groups,DC=Novell,DC=com
MyAuthenticationClass ----> Inside doAuthenticate Method
MyAuthenticationClass ----> Admin Defined LDAP Query : null
MyAuthenticationClass ----> Inside doAuthenticate Method
MyAuthenticationClass ----> Admin Defined LDAP Query : null
MyAuthenticationClass ----> Inside doAuthenticate Method
MyAuthenticationClass ----> Admin Defined LDAP Query : null
MyAuthenticationClass ----> authenticateWithPassword: AUTHENTICATED with LDAP
MyAuthenticationClass ----> authorizationWithQuery : (&(objectClass=user)(sAMAccountName=jondoe)(memberOf=CN=ServiceDesk,OU=All Groups,DC=Novell,DC=com))
MyAuthenticationClass ----> Authorization Error : true


Please contact me if you have any questions.

