Configure NAM Identity Server (NetIQ IDP) as a Service Provider

Configure NAM Identity Server (NetIQ IDP) as a Service Provider

 

1. Introduction / Use cases

 



NetIQ IDP can act as a SAML2 Identity Provider as well as a SAM2 Service Provider. In most cases, we configure NAM IDP as an Identity Provider to SaaS/Cloud-based Service Provider and use the organization’s network credentials to log in to SaaS applications.

In this solution, I will explain how to configure NAM IDP to act as a Service Provider and use any SAML enabled IDP (for example Salesforce, ForgeRock etc.) for authentication and authorization. I have taken Salesforce as an Identity provider and given a step by step process to enable users to authenticate using Salesforce IDP and access NAM protected resources seamlessly.

 

2. Solution Steps

 



 

2.1 Configure Salesforce as Identity Provider

 



The links below show you how to set up Salesforce as an identity provider for a third-party application that’s configured as a service provider. In Salesforce, you create a connected app (i.e. NAM IDP) for the service provider. Users can then log in to Salesforce and use single sign-on (SSO) to access the service provider protected resources.

https://help.salesforce.com/articleView?id=identity_provider_enable.htm&type=5

https://help.salesforce.com/articleView?id=identity_provider_examples.htm&type=5


    1. Create NAM IDP as Managed Connected Apps in Salesforce:



 

    1. Here are the configuration details for Connected App (i.e. NAM IDP):



 

    1. In the custom attribute section, you can choose SAML assertion attributes which will be used by NAM IDP to match a user profile. In this example, I have used FederationID and I will match the Salesforce IDP authenticated user with NAM IDP local user using federation ID. You may use any other attribute like email, username, etc.



 

    1. Format Start URL as follows: Copy Salesforce IDP initiated login URL and append RelayState= NAM protected resource URL. For example: https://<Salesforcedoamin>/idp/login?app=0sp6A000000KysJ&RelayState=<NAM Protected Resource URL>



 

    1. Download the Metadata XML file:






 

2.2 Configure NAM IDP as Service Provider

 




    1. Go to IDP cluster -> SAML 2.0 tab and create a new Identity Provider using the Salesforce metadata XML file.



 

    1. If you choose authentication contract, the user has to satisfy this selected contract on top of Salesforce login. I have kept this blank to have the seamless experience for the user.



 

    1. Go to Identity Servers -> Shared Settings -> Attribute Sets tab and create a new attribute set as below:



 

    1. Go to Identity Servers -> Shared Settings -> User Matching Expressions tab and create a user matching expression. In my example, I have chosen FederationID as SAML assertion in the Salesforce configuration and I will match the user in NAM user store based on FederationID. I have stored the FederationID into Active Directory’s roomNumber attribute and here is my user matching expression.



 

    1. Go to IDP cluster -> SAML 2.0 -> Salesforce-Demo -> Configuration -> Attributes tab and select the Attribute Set created in step (iii).



 

    1. Go to User Identification tab and select Attribute Matching settings and click on the edit button.



 

    1. Choose the User Store and Select the User Matching Expression created on step (iv)






 

2.3 Configure NAM Contract to trust external Provider

 



Till now we have configured trust between Salesforce IDP and NAM IDP. Now the user will be able to authenticate using Salesforce credentials and Salesforce will send a SAML assertion to NAM IDP. NAM IDP will match the user by FederationID and create a session for the user.

Follow the step below to access NAM Access Gateway protected resources using the session.

Open the contract which is being used as authentication procedure in Access Gateway protected resource. In this example I have used Secure Name Password Form:

Select the “Satisfiable by External Provider” checkbox and put the Allowable Class as “urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

You can find this value in AuthnContextClassRef element of Salesforce SAML assertion.



 

3. Test the solution

 




    1. Login to Salesforce and select App Launcher and select the Managed App created for NAM. This App will redirect the user to the Start URL given in step 2.1 (iv).

 

    1. Or directly access the below URL:
      https://<Salesforcedoamin>/idp/login?app=0sp6A000000KysJ&RelayState=<NAM Protected Resource URL>



This will open the Salesforce login page and on successful login, the user will be redirected to NAM protected resources.

Labels (1)

DISCLAIMER:

Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.
Comments
When you configure NAM as a service provider how do you send the ID information to the application that NAM is acting as a service provider for?
I did not understand your question. Are you asking about sending User ID (authenticated against external IDP) to Application protected by NAM?
If you share some example, I will be able to answer your question.

@koushikbecit Thanks for the guide, it's interesting.

Is there a guide like this for setting up Google as a SAML2 Identity Provider for NAM?

 

Top Contributors
Version history
Revision #:
2 of 2
Last update:
‎2020-01-31 11:54
Updated by:
 
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.