Tutorial on how to single sign-on to Facebook using NetIQ Access Manager


This article is written for customers and partners who want to test NetIQ Access Manager (NAM) to understand and demonstrate how single sign-on works. Why single sign-on to Facebook? The reason is because it is probably the most widely used Website on the Internet that has a login page.

What are we trying to achieve?



We want to configure NAM to achieve 2 things:

Firstly, we want to configure NAM as a reverse proxy. This means that when the user keys in a URL (we will use a fictitious domain in this article => www.external.com), NAM will reverse proxy to www.facebook.com

Secondly, we want to configure NAM to automatically sign in to Facebook and thereby achieving single sign-on.

What do we need to achieve this?



All we need are the following:

    1. One laptop/workstation with 8 GB of Memory with 20GB Free Disk space.


    1. VMware workstation installed (I used VMware workstation 9 in this setup)


    1. Internet connection from laptop to the Internet (for connection to Facebook)

Installation and Configuration Procedures





Download NAM

1. tutorial-3

    • Choose Access Manager

    • Select the latest version of Access Manager

    • Press 'Submit Query'
2. tutorial-4

    • Choose to download the latest version of ‘AccessManagerAppliance’

Setup your VMware workstation

3. tutorial-5
    • Select your VM to boot from the ISO that you downloaded in Step 2
4. tutorial-6
    • Choose the Operating System as SUSE Linux Enterprise 11 64-bit

    • Note that later versions of NAM could be based on SUSE Linux Enterprise 12 64-bit
5. tutorial-7
    • You can call the VM whatever name that you want. I call it ‘NAM401’
6. tutorial-8
    • Choose 1 Processor but 2 Core per processor
7. tutorial-9
    • Choose 7640 MB memory.

    • Note that even though NAM requires 8GB of RAM, it can still work with 7640MB memory
8. tutorial-10
    • In this example, I choose Bridge Networking. It is important that whatever you choose, both the NAM VM and the host machine have to have access to the Internet.

    • Alternatively, you can also choose NAT
9. tutorial-11
    • Create a new virtual Disk
10. tutorial-12
    • Select the disk size to be 100GB.

    • However, unselect "Allocate all disk space now" in order conserve space. The whole setup should not take more than 20GB.
11. tutorial-13
    • Take the default VMDK file name
12. tutorial-14
    • Click 'Finish' to complete the creation of the VM.

Installation of NAM

13. tutorial-15
    • Choose 'Install Appliance'
14. tutorial-16
    • Agee to the license Agreement and click Next
15. tutorial-17
    • Choose your time zone
16. tutorial-18
    • The warning message appears because the memory is less than 8GB

    • Press 'Continue'
17. tutorial-19

You can key in any values that you want. In this example, I used the following values:

    • Hostname: nam

    • Domain Name: external.com

    • IP address: 192 168.1.30

    • Subnet Mask:

    • Default Gateway:

    • DNS Servers:,

    • Enter your root password
18. tutorial-20
    • Enter your admin password

    • Note that admin password is for your NAM application. Root password is the previous screen is for the Operating System
19. tutorial-21
    • Press 'Continue'
20. tutorial-22
    • Press 'Install'
21. tutorial-23
    • Press 'Install'
22. tutorial-24
    • Once the installation is done, you should see the above screen

    • Login to NAM application using the 'root' account and password
23. tutorial-25
24. tutorial-26
    • Add the following entry into host windows machine of C:\windows\system32\drivers\etc\hosts file

    • To test the following entry, ping www.external.com and nam.external.com from your host windows machine

Configure NAM for Reverse Proxy

25. tutorial-27

    • Login with admin and the password
26. tutorial-28
    • In the tab above, click 'Devices > Access Gateways > AG-Cluster'

    • Click on 'Adapter_List'
27. tutorial-29
    • Click on
28. tutorial-30
    • Click on 'New'
29. tutorial-31
    • Add in the secondary IP address ""
30. tutorial-32
    • When the secondary IP address is added, the secondary IP address is shown above

    • Click 'Ok'
31. tutorial-33
    • Click 'Ok'
32. tutorial-34
    • Click 'Update All'

    • Note that in order for any changes to take effect, you need to come to this screen to update all.
33. tutorial-35
    • Press Ok to update all
34. tutorial-36
    • In the tab above, click 'Devices > Access Gateways > AG-Cluster'

    • Click on 'Reverse Proxy/Authentication'
35. tutorial-37
    • Click on 'New' to create a new Reverse Proxy List
36. tutorial-38
    • Type in the name of the Reverse Proxy. In this example, I used "FB-RP"
37. tutorial-39
    • Make sure that the FB-RP is listening on the secondary IP address:

    • Make sure that 'Enable SSL between Browser and Access Gateway' and 'Redirect request from Non-Secure Port to Secure Port' is checked

    • Click on the Certificate Icon besides the 'Server Certificate' Field.
38. tutorial-40
    • Click on 'New' to create a new certificate
39. tutorial-41
    • Select 'User local certificate authority'

    • Key in the Certificate name. In this example, I used 'FB-RP-Certificate'

    • Click on the icon next to the subject field.

    • The Edit Subject text box will appear.

40. tutorial-42
    • You should see that the Server Certificate is the one that was created in the previous step
41. tutorial-43
    • At the bottom of the page, click 'New' to create a new Proxy Service List

42. tutorial-44

For the new Proxy Service, I keyed in the following values:

    • Proxy Service Name: FB-Proxy

    • Web Server IP address: (this is public IP address of Facebook)

43. tutorial-45
    • Enable the FB-Proxy

    • Click on 'FB-Proxy'
44. tutorial-46
    • Go to the 'Web Servers' tab

    • Check 'Connect using SSL'
45. tutorial-47
    • Go to 'Protected Resources' tab

    • Click on 'New'
46. tutorial-48
    • Key in the name of the Protected Resource List. I call this "FB-RL"
47. tutorial-49
    • In the Authentication Procedure, choose “Name/Password - Form (60)”

Click ‘Ok’ until you see the following page:

    • Click 'Update all'

At this point, you can test whether your reverse proxy works.

    • On your windows host, open a web browser.

    • You should be prompted with a login prompt. Key in the Admin and password

Configure NAM for Single Sign-on


When Facebook website comes up, right click on the website and view source. Look for the following information:

    • Title id

    • Form id

    • Id for email and id for pass
51. tutorial-54
    • Go to Devices > AG-Cluster > FB-RP > FB-Proxy

    • Click on "Protected Resources" Tab

    • Click on 'Form Fill'
52. tutorial-55
    • Click on 'Manage polices'
53. tutorial-56
    • Check on 'fill_allowance' and click on 'Copy'

    • Click 'ok'
54. tutorial-57
    • Check on 'fill_allowance-Copy_1' and click on Rename

    • Choose the new name to be 'fill_FB'

    • Click on 'fill_FB' to edit this form fill
55. tutorial-58

Fill in the following for this page with the information that we found in Step 50:

    • Page Matching Criteria: <title id="pageTitle">Welcome to Facebook - Log In, Sign Up or Learn More</title>

    • Form ID: login_form

    • email: LDAP Attribute: mail

    • pass: Credential Profile: LDAP Credentials:LDAP Password

    • Under the Submit Options, check "Auto Submit"
56. tutorial-59
    • Click 'Apply Changes'
57. tutorial-60
    • Click on fill_FB and Enable this policy

Click ‘Ok’ until you see the following page:

    • Click 'Update all'
59. tutorial-62
    • At the top of iManager, click on the 'Magnifying Glass' icon
60. tutorial-63
    • On the Tree tab, go to the "Novell" container

    • On the Right Panel, click on 'Alice'

61. tutorial-64
    • In the Internet E-mail address field, add the email that facebook requires to login with

    • Go to the "Restriction" Tab

62. tutorial-65
    • Set the password

63. tutorial-66
    • Set the same password as your Facebook account


At this point, you can test whether your Single Sign-on works.

    • On your windows host, open a web browser.

    • You should be prompted with a login prompt. Key in the Alice username and password that you sent in Step 63.


How To-Best Practice
Comment List