Enabling SSO for AGS using NetIQ Access Manager


NetIQ Knowledge Depot - Cool Solution
By Gary L. Gilbert



Introduction



NetIQ Access Manager™ can deploy standards-based web single sign-on (SSO), which means users only have to remember one password to access all the web-based applications they are authorized to use. That means far fewer helpdesk calls, and a reduced likelihood of users resorting to vulnerable written reminders.

In this article, I'll describe the steps for implementing SSO for NetIQ Access Governance Suite™ 6.0 using NetIQ Access Manager™ 3.2.x. This article assumes that you are familiar with Access Manager and how to configure proxy services. For detailed administration and configuration guidance, please refer to the NetIQ Access Manager™ documentation at https://www.netiq.com/documentation/netiqaccessmanager32.

Prerequisites
Access Manager and AGS must be configured to use the same user store unless user credentials are synchronized between each system's user store. The methods described in this document will work regardless of the authentication method or the multi-homing option used by Access Manager.

Technical Overview



SSO using Identity Injection

Whenever a user tries to access the Access Governance Suite application, defined as a protected resource on the Access Gateway, the user is redirected to the Identity Server for authentication to Access Manager. Once authenticated, the Access Gateway invokes a specific Identity Injection policy before redirecting to the targeted application (i.e., AGS). This policy injects the user's name and an application reference into the authentication header of the request forwarded to AGS.

On the AGS server, a custom SSO Authentication Rule must be configured to receive the custom header information. The custom rule is written in Java and accepts interface arguments from the AGS rule engine. It reads the custom header information sent from Access Manager and returns an Identity object. If the code executes successfully, the rule returns the object to the authenticator service, which then seamlessly authenticates the user, giving a single sign-on user experience.

The following process flow illustrates the SSO process and shows the interaction between each of the services mentioned in this article.

[Image: SSO process flow]


    1. A user tries to access the AGS dashboard protected by NetIQ Access Manager™.

    2. Access Manager identifies the Access Governance Suite (AGS) dashboard as a protected resource, requiring authentication (and potentially an authorization check as well).

    3. The user's credentials are checked against the SSO data store (typically eDirectory) via Access Manager's Identity Server.
       NOTE: AGS must have already aggregated and correlated the accounts against this data store.

    4. Access Manager inserts a user token (mapped from the SSO data store) in the header of the HTTP request.

    5. The Access Governance Suite system receives this HTTP request, and the Authenticator applies the SSO Authentication Rule to the request.

    6. The SSO Authentication Rule reads the user token from the HTTP request and validates it against account information in the AGS user store according to the rule's logic.

    7. The Identity is returned to the authenticator, and the user is seamlessly logged in to AGS and forwarded to the AGS dashboard.



SSO using Form-Fill

As an alternative, NetIQ Access Manager™ has a form-fill feature that provides a single sign-on capability in situations where you do not wish to modify the targeted application. In this situation, we can avoid writing a custom SSO Authentication Rule in AGS and let Access Manager provide SSO via form-fill. A form-fill policy must be created that posts the user's credentials to the AGS login page. Whenever a user tries to access the AGS protected resource via the Access Gateway, the user is redirected to the Identity Server for authentication to Access Manager. Once authenticated, the Access Gateway invokes the Form-Fill policy before redirecting to the targeted application (i.e., AGS). The policy automatically posts the user's credentials to the AGS login form, allowing a seamless SSO user experience.

Solution Details using Identity Injection



To perform single sign-on (SSO) using this solution method, configurations are necessary in both NetIQ Access ManagerTM and NetIQ Access Governance SuiteTM. The following solution details will guide you through the configuration implementation steps.

Access Manager Configuration

Before Access Manager forwards a request to AGS, it invokes a specific Identity Injection policy. Set up this Identity Injection policy to inject the following data into the Custom Header of the AGS request:

    • ssousercn - Provides the user's CN.

    • ssoauthdirname - Provides a keyword used to match the appropriate pass-through application defined in AGS.

    • cookie - Provides the NAM proxy session cookie.


Note: If the user store for Access Manager is the same user store used by AGS, then you may want to send the full user DN. Otherwise, just send the CN and then specify the user container used by AGS in the SSO Authentication Rule.

Use the following steps to configure Access Manager.

    1. Define a secured protected resource path for AGS. This protected resource path allows access to any page on the AGS web server.

       [Screenshot]

    2. Define an Identity Injection policy to be added to the secured protected resource defined in Step 1 above (See available downloads).

       [Screenshot]

    3. After all configurations have been applied, click "Update All" from the Configuration Update page in the Administration Console.

The final Access Manager configuration should look like the following:

[Screenshot]

Access Governance Suite Configuration

The remaining configuration steps are for AGS. Here you will set up a custom SSO Authentication Rule in AGS. The rule is configured to retrieve the Custom Header data that was injected by Access Manager. If the rule executes successfully, it returns an Identity object that the authenticator service uses to seamlessly authenticate the user. Use the following steps to configure the SSO Authentication Rule in AGS.

    1. Log into AGS as an administrator and navigate to the System Setup | Login Configuration page. Next, click the button next to the Single Sign-On Rule drop-down:

       [Screenshot]

    2. In the Rule Editor, enter "Access Manager SSO" for the Rule Name and then copy the following Java code into the editor (See available downloads):

    import sailpoint.object.Application;
    import sailpoint.object.Identity;
    import sailpoint.object.Link;
    import sailpoint.tools.GeneralException;
    import sailpoint.api.Correlator;
    import sailpoint.api.SailPointContext;

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;
    import java.util.Enumeration;

    // The AGS rule engine passes httpRequest (HttpServletRequest) and
    // ctx (SailPointContext) to this rule as arguments; they are not declared here.

    // Names of the custom headers injected by the Access Manager policy.
    private String COOKIE = "cookie";
    private String AUTHDIR_NAME = "ssoauthdirname";
    // private String USER_DN = "ssouserdn";
    private String USER_CN = "ssousercn";

    private String[] HEADER_ATTRS = { AUTHDIR_NAME, USER_CN, COOKIE };

    // Keyword expected in ssoauthdirname, the container that holds AGS users,
    // and the AGS application whose aggregated accounts are used for correlation.
    private String TEST_AUTHDIR = "idvault";
    private String USER_CONTAINER = "ou=employee,ou=users,o=novell";
    private String TEST_IIQ_APP = "NetIQ IDM Application";

    /**
     * Make sure all expected headers are present; the header names may vary
     * with the version of Access Manager.
     */
    private void validateHeader() {
        for ( String header : HEADER_ATTRS ) {
            String value = httpRequest.getHeader(header);
            if ( value == null ) {
                throw new GeneralException("Invalid Access Manager session." +
                    " Missing variable [" + header + "]");
            }
        }
    }

    /**
     * Use the authorization directory that Access Manager put in
     * the header. Attempt to map the authdir to a SailPoint Application
     * where accounts for the authdir have been aggregated.
     */
    private Application mapAuthDirToApp(SailPointContext context,
                                        String authDir)
        throws GeneralException {

        Application app = null;
        if ( TEST_AUTHDIR.equals(authDir) ) {
            app = context.getObject(Application.class, TEST_IIQ_APP);
        } else {
            throw new GeneralException("Unable to map [" + authDir +
                "] to an application defined in IdentityIQ.");
        }
        return app;
    }

    /**
     * For debug purposes: writes every request header to catalina.out.
     */
    private void dumpHeader() {
        Enumeration headerNames = httpRequest.getHeaderNames();
        if ( headerNames != null ) {
            while ( headerNames.hasMoreElements() ) {
                String header = (String) headerNames.nextElement();
                String value = httpRequest.getHeader(header);
                System.out.println("HEADER[" + header + "] VALUE[" + value + "]");
            }
        }
    }

    dumpHeader();

    // Make sure everything we need is there, along with a few
    // other interesting values (uncomment to fail fast on a missing header)
    // validateHeader();

    String userDn = "cn=" + httpRequest.getHeader(USER_CN) + "," + USER_CONTAINER;
    String authServer = httpRequest.getHeader(AUTHDIR_NAME);

    // Ask the correlator to find us the Link associated with the
    // userDn we built from the header
    Application app = mapAuthDirToApp(ctx, authServer);
    Correlator correlator = new Correlator(ctx);

    // second argument is instance which is not used in this example
    Link link = correlator.findLinkByNativeIdentity(app, null, userDn);

    Identity user = null;
    if ( link != null ) {
        // The Link object has a backref to its Identity
        user = link.getIdentity();
    } else {
        throw new GeneralException("Unable to find Link associated with ["
            + userDn + "] on application [" + app.getName() + "]");
    }

    return user;

    3. Click "Save" to save the rule and return to the "Login Configuration" page.

       [Screenshot]

    4. Next, select the new rule from the drop-down list, then click "Save".

    5. Log out and restart the AGS Tomcat server (/etc/init.d/tomcat6 restart).
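To exercise the rule's decision path offline before pasting it into AGS, here is an added stand-alone Java harness (not part of the original article or of AGS) that models the same header validation, authdir-to-application mapping and Link lookup with plain maps; it goes one step beyond the rule by escaping the CN per RFC 4514 before building the DN. The class name SsoRuleCheck, the AUTHDIR_TO_APP and LINKS tables and the sample headers are constructed for this example.

```java
import java.util.HashMap;
import java.util.Map;

/** Stand-alone model of the SSO rule's decision path; AGS objects are replaced by maps. */
public class SsoRuleCheck {
    static final String USER_CN = "ssousercn", AUTHDIR_NAME = "ssoauthdirname", COOKIE = "cookie";
    static final String[] HEADER_ATTRS = { AUTHDIR_NAME, USER_CN, COOKIE };
    static final String USER_CONTAINER = "ou=employee,ou=users,o=novell";
    // ssoauthdirname keyword -> AGS application name (the rule's mapAuthDirToApp as a table)
    static final Map<String, String> AUTHDIR_TO_APP = new HashMap<>();
    // Constructed stand-in for aggregated Links: "application|nativeIdentity" -> identity name
    static final Map<String, String> LINKS = new HashMap<>();
    static {
        AUTHDIR_TO_APP.put("idvault", "NetIQ IDM Application");
        LINKS.put("NetIQ IDM Application|cn=jdoe,ou=employee,ou=users,o=novell", "jdoe");
        LINKS.put("NetIQ IDM Application|cn=Smith\\, John,ou=employee,ou=users,o=novell", "jsmith");
    }
    /** Fail fast unless every header the gateway injects is present and non-empty. The values are
     *  trusted as-is, which is why AGS must be reachable only through the Access Gateway. */
    static void validateHeader(Map<String, String> headers) {
        for (String h : HEADER_ATTRS) {
            String v = headers.get(h);
            if (v == null || v.isEmpty())
                throw new IllegalStateException("Invalid Access Manager session. Missing variable [" + h + "]");
        }
    }
    /** Escape RFC 4514 special characters so a CN such as "Smith, John" yields one RDN, not two. */
    static String escapeRdnValue(String v) {
        StringBuilder sb = new StringBuilder();
        for (char c : v.toCharArray()) { if (",+\"\\<>;=".indexOf(c) >= 0) sb.append('\\'); sb.append(c); }
        return sb.toString();
    }
    /** Return the identity name the rule would hand to the authenticator, or throw as the rule does. */
    static String resolveIdentity(Map<String, String> headers) {
        validateHeader(headers);
        String app = AUTHDIR_TO_APP.get(headers.get(AUTHDIR_NAME));
        if (app == null) throw new IllegalStateException("Unable to map [" + headers.get(AUTHDIR_NAME) + "] to an application");
        String userDn = "cn=" + escapeRdnValue(headers.get(USER_CN)) + "," + USER_CONTAINER;
        String user = LINKS.get(app + "|" + userDn);
        if (user == null) throw new IllegalStateException("Unable to find Link for [" + userDn + "] on [" + app + "]");
        return user;
    }
    public static void main(String[] args) {
        Map<String, String> h = new HashMap<>();   // constructed headers as the gateway would inject them
        h.put(USER_CN, "Smith, John"); h.put(AUTHDIR_NAME, "idvault"); h.put(COOKIE, "JSESSIONID=constructed");
        System.out.println(resolveIdentity(h));
        h.remove(COOKIE);                          // missing header: the rule must refuse the request
        try { resolveIdentity(h); } catch (IllegalStateException e) { System.out.println(e.getMessage()); }
    }
}
```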



 

Testing

To test SSO, be sure the user credentials are the same for both Access Manager and AGS. Try accessing the AGS dashboard from a browser: http://<AG Listening IP>:PORT/ags/dashboard.jsf. If configured correctly, Access Manager will prompt for user authentication via the Identity Server login page. After submitting, the user is seamlessly logged into AGS.

If SSO did not work, check the log file on the AGS server, /var/log/tomcat6/catalina.out. If you enabled dumpHeader() in the SSO Authentication Rule, you should see the received headers in the log, for example:

[Screenshot: header dump in catalina.out]

If you see any Java exceptions related to the SSO Authentication Rule, you should see a stack trace like the following:

[Screenshot: stack trace in catalina.out]




Solution Details using Form-Fill



As an alternative for AGS single sign-on (SSO), set up a Form-Fill policy configured to post the user's CN and password to the AGS login form. Use the following steps to configure Access Manager using Form-Fill:

    1. Define a public protected resource for AGS. This protected resource path allows access to any page on the AGS web server. The protected resource should have the following path defined: /ags/*

       [Screenshot]

    2. Define a secured protected resource path for AGS. We define this protected resource path separately so that we only allow form-fill for the AGS login page. This method is more efficient since only the login page triggers the policy evaluation. The protected resource must be secured with an authentication contract and have the following path defined: /ags/login.jsf

       [Screenshot]

    3. Define a Form-Fill policy to be added to the login page secured protected resource path defined in Step 2 above (See available downloads below).

       [Screenshot]

       [Screenshot]

    4. After all configurations have been applied, click "Update All" from the Configuration Update page in the Administration Console.

Your final solution should look similar to the following screenshot, showing all of the protected resources defined for AGS in Access Manager. The policies can be downloaded from the attachment list at the end of this article.

[Screenshot]

Testing

To test SSO using form-fill, be sure the user credentials are the same for both Access Manager and AGS. Try accessing the AGS dashboard from a browser: http://<AG Listening IP>:PORT/ags/login.jsf. If configured correctly, Access Manager will prompt for user authentication via the Identity Server login page. After submitting, the user is seamlessly logged into AGS.

Summary



This solution is only applicable to NetIQ User Application™ 4.0.x and NetIQ Access Manager™ 3.2.x, but may also work with past and future versions (not tested). The above methods for SSO should be thoroughly tested in your test environment prior to releasing into your production environment. The policies can be downloaded from the attachment list below.

NetIQ does not test or validate any software, code or other materials provided in, on or through NetIQ Cool Solutions (collectively, "Materials"), so please use caution when downloading or accessing any Materials from Cool Solutions and ensure that you have reasonable and current security, spyware and anti-virus measures in place on your computer and/or network prior to downloading. Additionally, do not use any Materials downloaded from Cool Solutions in any production environment without first testing the Materials to ensure they are compatible with your version of NetIQ software or any other hardware or software present in your network or environment. Cool Solutions is not a substitute for authorized NetIQ support and should not be used as such. NETIQ COOL SOLUTIONS AND ANY MATERIALS ARE PROVIDED ON AN AS-IS, AS-AVAILABLE BASIS WITHOUT ANY WARRANTY OF ANY KIND. By downloading this file, you are agreeing to these terms of use. To report a problem please contact: coolguys-netiq@netiq.com. Your use of Cool Solutions is governed by the Cool Solutions Terms and Conditions. https://www.netiq.com/communities/coolsolutions/terms-and-conditions/
