Configure NAM Identity Server (NetIQ IDP) as a Service Provider
1. Introduction / Use cases
NetIQ IDP can act as a SAML2 Identity Provider as well as a SAML2 Service Provider. In most cases, we configure NAM IDP as an Identity Provider to a SaaS/cloud-based Service Provider and use the organization’s network credentials to log in to SaaS applications.
In this solution, I will explain how to configure NAM IDP to act as a Service Provider and use any SAML-enabled IDP (for example Salesforce, ForgeRock, etc.) for authentication and authorization. I have taken Salesforce as the Identity Provider and given a step-by-step process to enable users to authenticate using the Salesforce IDP and access NAM protected resources seamlessly.
2. Solution Steps
2.1 Configure Salesforce as Identity Provider
The links below show you how to set up Salesforce as an identity provider for a third-party application that’s configured as a service provider. In Salesforce, you create a connected app (i.e. NAM IDP) for the service provider. Users can then log in to Salesforce and use single sign-on (SSO) to access the service provider’s protected resources.
- In the custom attribute section, you can choose SAML assertion attributes which will be used by NAM IDP to match a user profile. In this example, I have used FederationID and I will match the Salesforce IDP authenticated user with NAM IDP local user using federation ID. You may use any other attribute like email, username, etc.
- Download the Metadata XML file:
2.2 Configure NAM IDP as Service Provider
- Go to Identity Servers -> Shared Settings -> User Matching Expressions tab and create a user matching expression. In my example, I have chosen FederationID as the SAML assertion attribute in the Salesforce configuration and I will match the user in the NAM user store based on FederationID. I have stored the FederationID in Active Directory’s roomNumber attribute and here is my user matching expression.
2.3 Configure NAM Contract to trust external Provider
So far we have configured trust between the Salesforce IDP and NAM IDP. Now the user will be able to authenticate using Salesforce credentials and Salesforce will send a SAML assertion to NAM IDP. NAM IDP will match the user by FederationID and create a session for the user.
Follow the steps below to access NAM Access Gateway protected resources using that session.
Open the contract that is used as the authentication procedure for the Access Gateway protected resource. In this example I have used Secure Name Password Form:
Select the “Satisfiable by External Provider” checkbox and set the Allowable Class to “urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified”.
You can find this value in the AuthnContextClassRef element of the Salesforce SAML assertion.
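To make the two checks from sections 2.2 and 2.3 concrete, here is an added example (not part of the original article, and not NAM code) that reads a constructed SAML assertion, rejects it unless its AuthnContextClassRef is on the allowable list, and matches the FederationID attribute against the roomNumber attribute of a constructed stand-in for the AD user store. It assumes the assertion's XML signature has already been validated against the IdP metadata certificate; the user names and FederationID values are made up.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real Salesforce message); only the
# elements used for user matching and the allowable-class check are present.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://example-domain.my.salesforce.com</saml:Issuer>
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="FederationID">
      <saml:AttributeValue>alice.fed</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed stand-in for the AD user store: FederationID is kept in roomNumber,
# as described in section 2.2.
USER_STORE = [
    {"sAMAccountName": "alice", "roomNumber": "alice.fed"},
    {"sAMAccountName": "bob", "roomNumber": "bob.fed"},
]

# The Allowable Class configured on the contract in section 2.3.
ALLOWED_CLASSES = {"urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"}


def match_user(assertion_xml, user_store=USER_STORE, allowed=ALLOWED_CLASSES):
    """Return the matched local user, or None if either check fails.
    Assumption: the signature over the assertion was already verified."""
    root = ET.fromstring(assertion_xml)
    class_ref = root.findtext(".//saml:AuthnContextClassRef", namespaces=NS)
    if class_ref not in allowed:          # contract not satisfiable by this IdP
        return None
    fed_ids = [v.text for a in root.findall(".//saml:Attribute", NS)
               if a.get("Name") == "FederationID"
               for v in a.findall("saml:AttributeValue", NS)]
    if len(fed_ids) != 1:                 # missing or ambiguous identifier
        return None
    matches = [u for u in user_store if u["roomNumber"] == fed_ids[0]]
    return matches[0] if len(matches) == 1 else None   # exactly one local user
```

Requiring exactly one FederationID value and exactly one matching user is the safe default: a duplicate roomNumber in the directory would otherwise let one assertion resolve to the wrong account.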
3. Test the solution
- Or access the URL below directly:
https://<SalesforceDomain>/idp/login?app=0sp6A000000KysJ&RelayState=<NAM Protected Resource URL>
This will open the Salesforce login page and, on successful login, the user will be redirected to the NAM protected resource.