Introduction

NetIQ Access Manager is a comprehensive Web Access Management solution to secure web resources across cloud, mobile and enterprise. It supports different federation protocols including SAML, WS-Fed, WS-Trust etc. SimpleSAMLphp is a simple application written in native PHP that deals with authentication. SimpleSAMLphp also supports several federation protocols, authentication mechanisms and can be used both for local authentication, as a service provider or as an identity provider. The SimpleSAMLPHP documentation at https://simplesamlphp.org/docs/stable/simplesamlphp-sp has a section Integrating authentication with your own application which helps to integrate your application with simplesamlphp. Here is the API reference for the integration https://simplesamlphp.org/docs/stable/simplesamlphp-sp-api

This document is the first part of SAML 2.0 integration between NetIQ Access Manager and SimpleSAMLphp. NetIQ Access Manager can act as both Identity Provider and Service Provider in a SAML 2.0 implementation and the same is the case with SimpleSAMLphp. In this document, we will focus on NetIQ Access Manager acting as an Identity provider and SimpleSAMLphp acting as a Service Provider.

How it works

When the user accesses the application protected by SimpleSAMLphp as a Service Provider (SP), the user's browser is prompted with different authentication options including local authentication and remote identity provider. If the user selects the remote identity provider, which is NetIQ Access Manager Identity Provider (IDP), the browser would be redirected to IDP with an HTTP POST containing a SAML2.0 AuthnRequest from SimpleSAMLphp to NetIQ Access Manager IDP for authentication. Once the user authenticates at IDP by providing proper credentials, the browser would be redirected back to SimpleSAMLphp with an HTTP POST request containing the SAML Assertion from IDP to the SimpleSAMLphp’s Assertion Consumer (ACS) URL. The assertion would contain the Name Identifier and the user’s attributes shared by the Identity Provider to the Service Provider.

Pre-requisites

This solution is tested with following versions of the products:

• • NetIQ Access Manager 4.4

• • SimpleSAMLphp 1.14

NetIQ Access Manager is installed and configured to perform local authentication to an LDAP directory. Installation and Configuration of NetIQ Access Manager can be done following the documentation available in this link: https://www.netiq.com/documentation/access-manager-43/. Let’s consider the NetIQ Access Manager Identity Server URL is configured as: https://www.idp.com:8443/nidp.

Setting up SimpleSAMLphp

We are assuming that basic SimpleSAMLphp is installed and configured to perform local authentication. Detailed steps for installation and configuration is available at simplesamlphp official website: https://simplesamlphp.org/docs/stable/simplesamlphp-install#section_4.

SimpleSAMLPHP can be installed on either a Windows or Linux box. For this document, let’s assume simplesamlphp is installed on a Linux box under /var/simplesamlphp folder. In all the future references in this doc, /var/simplesamlphp is referred as the base folder. For Windows, the folder structure would need to be updated as is the case.

Enabling a certificate for SimpleSAMLPHP

For the SimpleSAMLPHP to sign requests and response sent to the Identity Provider, as well as receiving encrypted responses, you need to enable a certificate for your Service Provider. Recommendation is to use a certificate signed by a well-known CA. However, if you do not have a certificate signed by a well-known CA, you can use openssl to create a local CA and also to create a certificate signed by this same local CA. The following commands will create a local CA and a server certificate:

To create a private key for Root CA:

$ openssl genrsa -out rootCA.key 2048

Then create a Root CA certificate in pem format:

$ openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

Then create a private key for the simplesamlphp server:

$ openssl genrsa -out simplesaml.key 2048

Then create a certificate signing request using the private key created:

$ openssl req -new -key simplesaml.key -out simplesaml.csr

Then get the certificate signing request signed by root CA and create a server certificate:

$ openssl x509 -req -in simplesaml.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out simplesaml.crt -days 500 -sha256

From this list of keys and certificates created, we would need the following for the configuration:

• • pem

• • key

• • crt

Place all four files rootCA.key, rootCA.pem, simplesaml.key, and simplesaml.crt in the cert folder (/var/simplesamlphp/cert/) of the simplesamlphp server. If you are keeping these certs in a different folder ensure that the certdir parameter in the /var/simplesamlphp/config/config.php is updated to that folder.

rootCA.pem needs to be copied to NetIQ Access Manager’s Identity Server trust store so that simplesaml.crt certificate can be trusted by NetIQ Access Manager. Refer to https://www.netiq.com/documentation/access-manager-44/admin/data/trustedroots.html#b556wtz to know how to do this.

simplesaml.key and simplesaml.crt would be used to host the SimpleSAMLphp server. For this, add following keys into the sp configuration in /var/simplesamlphp/config/authsources.php

<?php$config = array(  /* This is the name of this authentication source, and will be used to access it later. */        'default-sp' => array(                       'saml:SP',                       'privatekey' => 'simplesaml.key',                       'certificate' => 'simplesaml.crt',                       ),);

SAML2.0 Configuration

As previously mentioned, this document focuses only on the SAML 2.0 configuration between NetIQ Access Manager as Identity Provider and SimpleSAMLphp as Service Provider.

Configuring NetIQ Access Manager as SAML 2.0 Identity Provider in SimpleSAMLphp

The metadata of NetIQ Access Manager’s Identity Provider needs to be added to the SimpleSAMLphp for SimpleSAMLphp to know the details of the Identity Provider it needs to connect to. This is configured in the metadata stored in metadata/saml20-idp-remote.php.

Configuring the metadata of remote IDP

The SAML2.0 metadata of Netiq Access Manager is exposed at the following URL – https://www.idp.com:8443/nidp/saml2/metadata. Since metadata is exposed in XML format, it can be easily configured using the built-in XML to simpleSAMLphp metadata converter available with SimpleSAMLphp installation as https://<base-url>/simplesaml/admin/metadata-converter.php. Export the NetIQ Access Manager metadata file in XML format and provide it as input to the metadata-converter. The output from the metadata-converter can be copied and pasted to the metadata/saml20-idp-remote.php.

Sample of saml20-idp-remote.php

<?php

$metadata['https://www.idp.com:8443/nidp/saml2/metadata'] = array (

'entityid' => 'https://www.idp.com:8443/nidp/saml2/metadata',

'description' =>

array (

'en' => 'idp',

),

'OrganizationName' =>

array (

'en' => 'idp',

),

'name' =>

array (

'en' => 'idp',

),

'OrganizationDisplayName' =>

array (

'en' => 'idp',

),

'url' =>

array (

'en' => 'https://www.idp.com:8443/nidp',

),

'OrganizationURL' =>

array (

'en' => 'https://www.idp.com:8443/nidp',

),

'contacts' =>

array (

0 =>

array (

'contactType' => 'other',

'company' => 'NetIQ',

),

),

'metadata-set' => 'saml20-idp-remote',

'SingleSignOnService' =>

array (

0 =>

array (

'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',

'Location' => 'https://www.idp.com:8443/nidp/saml2/sso',

),

1 =>

array (

'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',

'Location' => 'https://www.idp.com:8443/nidp/saml2/sso',

),

),

'SingleLogoutService' =>

array (

0 =>

array (

'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',

'Location' => 'https://www.idp.com:8443/nidp/saml2/slo',

'ResponseLocation' => 'https://www.idp.com:8443/nidp/saml2/slo_return',

),

1 =>

array (

'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',

'Location' => 'https://www.idp.com:8443/nidp/saml2/slo',

'ResponseLocation' => 'https://www.idp.com:8443/nidp/saml2/slo_return',

),

2 =>

array (

'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',

'Location' => 'https://www.idp.com:8443/nidp/saml2/soap',

),

),

'ArtifactResolutionService' =>

array (

0 =>

array (

'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',

'Location' => 'https://www.idp.com:8443/nidp/saml2/soap',

'index' => 0,

'isDefault' => true,

),

),

'NameIDFormats' =>

array (

0 => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',

1 => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',

),

'keys' =>

array (

0 =>

array (

'encryption' => false,

'signing' => true,

'type' => 'X509Certificate',

'X509Certificate' => '

MIIFDD///////////////////////////////////////////AAAAAAAAAwEjAQAgEAAgh//////////wEBADASMBACA………………………………………………………………….49pPYC/ beE WMaNb6qIKx7XunPzSgOG582aoX3mM3sChYT5lEXuV4K5Y PziM9zd414IxupYNAlOb//////

',

),

1 =>

array (

'encryption' => true,

'signing' => false,

'type' => 'X509Certificate',

'X509Certificate' => '

MIIFKzCCBBOgAwIBAgIkAhwR//////////////////////////………………………………… Ym6vuvsi1n Uq0ZN3tRJQ7fh1B6sE8spGKc1EvwpGD74hfJaq KQ==

',

),

),

);

Setting the default Identity Provider as NetIQ Access Manager

If you want the simplesamlphp to automatically redirect to NetIQ Access Manager IDP for authentication, you can add the entity ID of the IDP in config/authsources.php. The entity ID of the NetIQ Access Manager is the SAML2.0 metadata URL.

// The entity ID of the IdP this should SP should contact.        // Can be NULL/unset, in which case the user will be shown a list of available IdPs.        'idp' => 'https://www.idp.com:8443/nidp/saml2/metadata',

Setting a specific entity ID for the SimpleSAMLphp

To distinguish the SAML assertion between multiple SAML providers, the entity ID has to be unique. You can select the base URL of the SimpleSAMLPHP for this purpose.

In the config/authsources.php, add a key-value pair as follows:

// The entity ID of this SP.        // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.        'entityID' => 'https://wsnamcc.namcc.com:445',

Sample authsources.php file

$config = array(

// This is a authentication source which handles admin  authentication.

'admin' => array(               // The default is to use core:AdminPassword, but it can be replaced with any authentication source.        'core:AdminPassword',

),

// An authentication source which can authenticate against both SAML 2.0 and Shibboleth 1.3 IdPs.

'default-sp' => array(

'saml:SP',

'privatekey' => 'simplesaml.key',

'certificate' => 'simplesaml.crt',        // The entity ID of this SP. Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.

'entityID' => 'https://wsnamcc.namcc.com:445',        // The entity ID of the IdP this should SP should contact. Can be NULL/unset, in which case the user will be shown a list of available IdPs.

'idp' => 'https://www.idp.com:8443/nidp/saml2/metadata',

),

);

Setting up Netiq Access Manager

Here, we need to export the SimpleSAMLphp’s SAML 2.0 SP Metdata and import it into the NetIQ Access Manager through the NetIQ Access Manager’s administration console.

Exporting the SimpleSAMLphp’s SAML 2.0 SP Metadata in XML Format

The SAML 2.0 SP metadata would be available at: https:///simplesaml/module.php/core/frontpage_federation.php

Copy the metadata in XML format.

Sample SimpleSAMLphp SAML 2.0 SP Metadata

<?xml version="1.0"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://wsnamcc.namcc.com:445">  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">    <md:KeyDescriptor use="signing">      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">        <ds:X509Data>          <ds:X509Certificate>MIIDlDCCAnwCCQDLOu6VoYJTPDANBgkqhkiG9w0BAQsFADCBizELMAkG………………………………………………………………………………………………………………wDSUFNMRowGAYDVQQDDBF3c25hbWNjLm5hbWNjLmNvbTEpMCcGCSqGSIb3DQEJYaQW51cGt1bWF4dY8Ws4kvR0CekI=</ds:X509Certificate>        </ds:X509Data>      </ds:KeyInfo>    </md:KeyDescriptor>    <md:KeyDescriptor use="encryption">      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">        <ds:X509Data>          <ds:X509Certificate>MIIDlDCCAnwCCQDLOu6VoYJTPDANBgk………………………………………………………qcpVgWs4kvR0CekI=</ds:X509Certificate>        </ds:X509Data>      </ds:KeyInfo>    </md:KeyDescriptor>    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://wsnamcc.namcc.com:445/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp"/>    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://wsnamcc.namcc.com:445/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" index="0"/>    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://wsnamcc.namcc.com:445/simplesaml/module.php/saml/sp/saml1-acs.php/default-sp" index="1"/>    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://wsnamcc.namcc.com:445/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" index="2"/>    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://wsnamcc.namcc.com:445/simplesaml/module.php/saml/sp/saml1-acs.php/default-sp/artifact" index="3"/>  </md:SPSSODescriptor>  <md:ContactPerson contactType="technical">    <md:GivenName>Administrator</md:GivenName>    <md:EmailAddress>Administrator@example.org</md:EmailAddress>  </md:ContactPerson></md:EntityDescriptor>

Creating SimpleSAMLphp as a new service provider in NetIQ Access Manager.

Login in NetIQ Access Manager Administration Console and go to Identity Server configuration. Create a new SAML2.0 Service Provider by selecting following parameters:

Provider Type: General

Source: Metadata text

Name: simplesamlphp

Text: <Paste the SP metadata here>

Click Next and click Finish in the next page.

With this, the basic SAML 2.0 setup of NetIQ Access Manager as IDP and SimpleSAMLphp as SP is complete. You can go ahead and test the setup now to see the basic flow working.

Testing the basic SAML2.0 Setup

1. 1. Open a browser and go to the base URL of the SimpleSAMLphp installation: https:///simplesaml/

1. 1. Select the Authentication tab and click on Test configured authentication sources

1. 1. Select default-sp from the list of authentication sources

1. 1. The browser should get redirected to https://www.idp.com:8443/nidp/saml2/sso where user is prompted to enter the credentials.

1. 1. Once the proper credentials are submitted, browser would be again redirected to the simplesamlphp test page with the SAML Subject section containing:
      
      
      
      • • NameId xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      
      
      
      • Format urn:oasis:names:tc:SAML2.0:nameid-format:transient

Configuring NetIQ Access Manager Identity Provider to send addition attributes to SimpleSAMLphp

1. 1. From the NetIQ Access Manager Administration Console, create an attribute set in the identity server as follows:

1. 1. Go to the Attributes configuration of the existing SimpleSAMLphp Service Provider Configuration and select the attribute set configured in step 1 above and move the attributes to Send with authentication box as shown below:

1. 1. Save the configuration and update the identity Server cluster.

Testing the new configuration of additional attributes sent from NetIQ Access Manager

1. 1. Similar to testing the basic setup, open a browser and go to the base URL of the SimpleSAMLphp installation: https:///simplesaml/

1. 1. Select the Authentication tab and click on Test configured authentication sources

1. 1. Select default-sp from the list of authentication sources

1. 1. The browser should get redirected to https://www.idp.com:8443/nidp/saml2/sso where user is prompted to enter the credentials.

1. 1. Once the proper credentials are submitted, browser would be again redirected to the simplesamlphp test page

1. 1. This time the simplesamlphp test page would have two sections:
      
      
      
      1. 1. SAML Subject section containing:
            
            NameId xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
            
            Format urn:oasis:names:tc:SAML2.0:nameid-format:transien
      
      
      
      1. Your attributes section containing:
         
         UserName xxxxxxxxxxxxxxxxxx
         
         Email xxxx@xxx.xxx

Appendix

SAML Authentication Request Sample:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"

xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"

ID="_66f4844dfd48bd4930cdf090f605bc3f6c0a6b6bbc"

Version="2.0"

IssueInstant="2017-06-13T18:58:20Z"

Destination="https://www.idp.com:8443/nidp/saml2/sso"                 AssertionConsumerServiceURL="https://wsnamcc.namcc.com:445/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"

ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

>

<saml:Issuer>https://wsnamcc.namcc.com:445</saml:Issuer>

<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

AllowCreate="true"

/>

</samlp:AuthnRequest>

SAML Assertion Sample:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"

xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"

Destination="https://wsnamcc.namcc.com:445/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"

ID="idXdZc2ikJp3DogxosuqqbwwLbcO8"

InResponseTo="_66f4844dfd48bd4930cdf090f605bc3f6c0a6b6bbc"

IssueInstant="2017-06-13T19:01:34Z"

Version="2.0">

<saml:Issuer>https://www.idp.com:8443/nidp/saml2/metadata</saml:Issuer>

<samlp:Status>

<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />

</samlp:Status>

<saml:Assertion ID="idB7wYR8DSTUNsTxB3OldWYU6yURs"

IssueInstant="2017-06-13T19:01:34Z"

Version="2.0">

<saml:Issuer>https://www.idp.com:8443/nidp/saml2/metadata</saml:Issuer>

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

<ds:SignedInfo>

<CanonicalizationMethod xmlns="http://www.w3.org/2000/09/xmldsig#"

Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"

/>

<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />

<ds:Reference URI="#idB7wYR8DSTUNsTxB3OldWYU6yURs">

<ds:Transforms>

<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />

<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

</ds:Transforms>

<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />

<DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">MS9BkaYMcNHLjEqjWeDBprbBeD4=</DigestValue>

</ds:Reference>

</ds:SignedInfo>

<SignatureValue xmlns="http://www.w3.org/2000/09/xmldsig#">

--------------------------Signature Value------------------------------------

</SignatureValue>

<ds:KeyInfo>

<ds:X509Data>

<ds:X509Certificate>

--------------------------X.509 Certificate----------------------------------

</ds:X509Certificate>

</ds:X509Data>

</ds:KeyInfo>

</ds:Signature>

<saml:Subject>

<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

NameQualifier="https://www.idp.com:8443/nidp/saml2/metadata"

SPNameQualifier="https://wsnamcc.namcc.com:445"

>p BqQ6Epd57B267/it v YTTrv E36/xGBjk/w==</saml:NameID>

<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

<saml:SubjectConfirmationData InResponseTo="_66f4844dfd48bd4930cdf090f605bc3f6c0a6b6bbc"

NotOnOrAfter="2017-06-13T19:06:34Z"                                              Recipient="https://wsnamcc.namcc.com:445/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"/>

</saml:SubjectConfirmation>

</saml:Subject>

<saml:Conditions NotBefore="2017-06-13T18:56:34Z"

NotOnOrAfter="2017-06-13T19:06:34Z">

<saml:AudienceRestriction>

<saml:Audience>https://wsnamcc.namcc.com:445</saml:Audience>

</saml:AudienceRestriction>

</saml:Conditions>

<saml:AuthnStatement AuthnInstant="2017-06-13T18:59:00Z"

SessionIndex="ids0oBDDmEZGUJwlt_9ZKN-75BzXU">

<saml:AuthnContext>                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>

<saml:AuthnContextDeclRef>secure/name/password/uri</saml:AuthnContextDeclRef>

</saml:AuthnContext>

</saml:AuthnStatement>

<saml:AttributeStatement>

<saml:Attribute xmlns:xs="http://www.w3.org/2001/XMLSchema"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

Name="UserName"

NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

<saml:AttributeValue xsi:type="xs:string">xxxxxxxxxx</saml:AttributeValue>

</saml:Attribute>

</saml:AttributeStatement>

</saml:Assertion>

</samlp:Response>