Related Tips & Info

Tutorial on how to single sign-on to Facebook using NetIQ Access Manager

MigrationDeletedUser
0 Likes

This article is written for customers and partners who want to test NetIQ Access Manager (NAM) to understand and demonstrate how single sign-on works. Why single sign-on to Facebook? The reason is because it is probably the most widely used Website on the Internet that has a login page.



What are we trying to achieve?


 

tutorial-1



We want to configure NAM to achieve 2 things:



Firstly, we want to configure NAM as a reverse proxy. This means that when the user keys in a URL (we will use a fictitious domain in this article => www.external.com), NAM will reverse proxy to www.facebook.com



Secondly, we want to configure NAM to automatically sign in to Facebook and thereby achieving single sign-on.



What do we need to achieve this?


 

tutorial-2



All we need are the following:


    1. One laptop/workstation with 8 GB of Memory with 20GB Free Disk space.

 

    1. VMware workstation installed (I used VMware workstation 9 in this setup)

 

    1. Internet connection from laptop to the Internet (for connection to Facebook)




Installation and Configuration Procedures




 

 

 

 





Download NAM
1. tutorial-3


    • Choose Access Manager

    • Select the latest version of Access Manager

    • Press 'Submit Query'
2. tutorial-4


    • Choose to download the latest version of ‘AccessManagerAppliance’

Setup your VMware workstation
3. tutorial-5
    • Select your VM to boot from the ISO that you downloaded in Step 2
4. tutorial-6
    • Choose the Operating System as SUSE Linux Enterprise 11 64-bit

    • Note that later versions of NAM could be based on SUSE Linux Enterprise 12 64-bit
5. tutorial-7
    • You can call the VM whatever name that you want. I call it ‘NAM401’
6. tutorial-8
    • Choose 1 Processor but 2 Core per processor
7. tutorial-9
    • Choose 7640 MB memory.

    • Note that even though NAM requires 8GB of RAM, it can still work with 7640MB memory
8. tutorial-10
    • In this example, I choose Bridge Networking. It is important that whatever you choose, both the NAM VM and the host machine have to have access to the Internet.

    • Alternatively, you can also choose NAT
9. tutorial-11
    • Create a new virtual Disk
10. tutorial-12
    • Select the disk size to be 100GB.

    • However, unselect "Allocate all disk space now" in order conserve space. The whole setup should not take more than 20GB.
11. tutorial-13
    • Take the default VMDK file name
12. tutorial-14
    • Click 'Finish' to complete the creation of the VM.

Installation of NAM
13. tutorial-15
    • Choose 'Install Appliance'
14. tutorial-16
    • Agee to the license Agreement and click Next
15. tutorial-17
    • Choose your time zone
16. tutorial-18
    • The warning message appears because the memory is less than 8GB

    • Press 'Continue'
17. tutorial-19

You can key in any values that you want. In this example, I used the following values:



    • Hostname: nam

    • Domain Name: external.com

    • IP address: 192 168.1.30

    • Subnet Mask: 255.255.255.0

    • Default Gateway: 192.168.1.1

    • DNS Servers: 8.8.8.8, 8.8.4.4

    • Enter your root password
18. tutorial-20
    • Enter your admin password

    • Note that admin password is for your NAM application. Root password is the previous screen is for the Operating System
19. tutorial-21
    • Press 'Continue'
20. tutorial-22
    • Press 'Install'
21. tutorial-23
    • Press 'Install'
22. tutorial-24
    • Once the installation is done, you should see the above screen

    • Login to NAM application using the 'root' account and password
23. tutorial-25
24. tutorial-26
    • Add the following entry into host windows machine of C:\windows\system32\drivers\etc\hosts file

    • To test the following entry, ping www.external.com and nam.external.com from your host windows machine

Configure NAM for Reverse Proxy
25. tutorial-27

    • Login with admin and the password
26. tutorial-28
    • In the tab above, click 'Devices > Access Gateways > AG-Cluster'

    • Click on 'Adapter_List'
27. tutorial-29
    • Click on 192.168.1.0
28. tutorial-30
    • Click on 'New'
29. tutorial-31
    • Add in the secondary IP address "192.168.1.31"
30. tutorial-32
    • When the secondary IP address is added, the secondary IP address is shown above

    • Click 'Ok'
31. tutorial-33
    • Click 'Ok'
32. tutorial-34
    • Click 'Update All'

    • Note that in order for any changes to take effect, you need to come to this screen to update all.
33. tutorial-35
    • Press Ok to update all
34. tutorial-36
    • In the tab above, click 'Devices > Access Gateways > AG-Cluster'

    • Click on 'Reverse Proxy/Authentication'
35. tutorial-37
    • Click on 'New' to create a new Reverse Proxy List
36. tutorial-38
    • Type in the name of the Reverse Proxy. In this example, I used "FB-RP"
37. tutorial-39
    • Make sure that the FB-RP is listening on the secondary IP address: 192.168.1.31

    • Make sure that 'Enable SSL between Browser and Access Gateway' and 'Redirect request from Non-Secure Port to Secure Port' is checked

    • Click on the Certificate Icon besides the 'Server Certificate' Field.
38. tutorial-40
    • Click on 'New' to create a new certificate
39. tutorial-41
    • Select 'User local certificate authority'

    • Key in the Certificate name. In this example, I used 'FB-RP-Certificate'

    • Click on the icon next to the subject field.

    • The Edit Subject text box will appear.
40. tutorial-42
    • You should see that the Server Certificate is the one that was created in the previous step
41. tutorial-43
    • At the bottom of the page, click 'New' to create a new Proxy Service List
42. tutorial-44

For the new Proxy Service, I keyed in the following values:



    • Proxy Service Name: FB-Proxy


    • Web Server IP address: 31.13.79.96 (this is public IP address of Facebook)
43. tutorial-45
    • Enable the FB-Proxy

    • Click on 'FB-Proxy'
44. tutorial-46
    • Go to the 'Web Servers' tab

    • Check 'Connect using SSL'
45. tutorial-47
    • Go to 'Protected Resources' tab

    • Click on 'New'
46. tutorial-48
    • Key in the name of the Protected Resource List. I call this "FB-RL"
47. tutorial-49
    • In the Authentication Procedure, choose “Name/Password - Form (60)”
48.

Click ‘Ok’ until you see the following page:


tutorial-50
    • Click 'Update all'
49.

At this point, you can test whether your reverse proxy works.




    • On your windows host, open a web browser.


    • You should be prompted with a login prompt. Key in the Admin and password

Configure NAM for Single Sign-on
50.

When Facebook website comes up, right click on the website and view source. Look for the following information:




    • Title id
      tutorial-51

    • Form id
      tutorial-52

    • Id for email and id for pass
      tutorial-53
51. tutorial-54
    • Go to Devices > AG-Cluster > FB-RP > FB-Proxy

    • Click on "Protected Resources" Tab

    • Click on 'Form Fill'
52. tutorial-55
    • Click on 'Manage polices'
53. tutorial-56
    • Check on 'fill_allowance' and click on 'Copy'

    • Click 'ok'
54. tutorial-57
    • Check on 'fill_allowance-Copy_1' and click on Rename

    • Choose the new name to be 'fill_FB'

    • Click on 'fill_FB' to edit this form fill
55. tutorial-58

Fill in the following for this page with the information that we found in Step 50:




    • Page Matching Criteria: <title id="pageTitle">Welcome to Facebook - Log In, Sign Up or Learn More</title>

    • Form ID: login_form

    • email: LDAP Attribute: mail

    • pass: Credential Profile: LDAP Credentials:LDAP Password

    • Under the Submit Options, check "Auto Submit"
56. tutorial-59
    • Click 'Apply Changes'
57. tutorial-60
    • Click on fill_FB and Enable this policy
58.

Click ‘Ok’ until you see the following page:


tutorial-61
    • Click 'Update all'
59. tutorial-62
    • At the top of iManager, click on the 'Magnifying Glass' icon
60. tutorial-63
    • On the Tree tab, go to the "Novell" container

    • On the Right Panel, click on 'Alice'
61. tutorial-64
    • In the Internet E-mail address field, add the email that facebook requires to login with

    • Go to the "Restriction" Tab
62. tutorial-65
    • Set the password
63. tutorial-66
    • Set the same password as your Facebook account
64.

At this point, you can test whether your Single Sign-on works.



    • On your windows host, open a web browser.


    • You should be prompted with a login prompt. Key in the Alice username and password that you sent in Step 63.

Labels:

How To-Best Practice
Comment List
Anonymous
Related Discussions
Recommended

Resources

Support
Documentation
Training
CyberRes Academy
Partner Portal
Contact us
Compliance
Help
Company
Privacy Policy
Terms of Use
Accessibility
Anti-Slavery Statement
Support
How To Buy
Careers
Investor Relations
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.