Integrating Identity Manager 4.5.4 User Application with Access Manager 4.3 Access Gateway
One of the primary deployment use cases for any IDM customer is to provide a single sign-on access to the User Application for their users from outside the enterprise, mostly for the employees working remotely. In this case, no customer would want to give direct access to IDM URL or keep the IDM in DMZ. This integration document talks about how this use case can be achieved with a very simple approach.
There are mainly two approaches for integrating NetIQ Access Manager with Identity Manager:
- SAML Federation between NetIQ Access Manager’s Identity Server and NetIQ Identity Manager’s OSP.
- Access Gateway Protecting the NetIQ Identity Manager Apps using form fill policies.
The first approach is available at https://www.netiq.com/documentation/idm45/setup_guide/data/b1ciypyj.html
This document highlights how we can configure the second approach where Access Gateway protects the IDM Userapp and other applications using a form fill policy.
How it works
When the user first hits the Access Gateway URL protecting the IDM User Application, the request is redirected for authentication at the Access Manager IDP. On successful authentication at IDP, the browser redirects the request back to the Access Gateway URL protecting the IDM User Application. At this point, Access Gateway will forward the request to backend IDM User Application URL which in turns redirects the request to OSP and OSP brings up the login form.
On detecting the login form, Access Gateway automatically executes the form fill policy and fills the form with the credentials of the logged in user and submits the form to OSP. OSP successfully authenticates the user and redirects the user to the User Application. User Application retrieves the access token from OSP and provides access to the user. This completes the Single sign-on and the user can access any other IDM hosted applications like landing portal, RRA, SSPR etc. henceforth and single sign-on to those applications would be provided by the access token provided by the OSP. So, Access Manager provides single sign-on to OSP using form fill policy and then OSP provides the single sign-on between other IDM hosted applications using OAuth.
This solution is tested with following versions of the product:
- Access Manager 4.3
- Identity Manager 4.5.4
- OSP version 0.0
- SSPR version 126.96.36.199
Access Manager and Identity Manager should be pointing to the same user store for authentication which can be any LDAP store. However, if the customer wants to use a password-less login like Kerberos or X.509, then, the users should also be synced to the eDirectory user store so that form fill policy can retrieve the logged in user’s password and fill the form for single sign-on to OSP.
- The IDM User Application must be configured as a protected resource in Access Gateway and a form fill policy is configured to do the Single sign-on for the OSP.
- The authentication method for IDM User Application has to be configured to use Name and Password.
Configuring IDM User Application as a Resource in Access Gateway
- Create a new domain-based multi-homed proxy service in Access Gateway IDMUserApp with published URL as idm-ag.labs.blr.novell.com.
Figure 1: Access Gateway Proxy Service Creation for IDM User Application
- Configure the Web Server Host Name and also to connect using SSL by importing the IDM Trusted Root Certificate to Reverse Proxy Trust Store.
Note: If IDM is listening on a non-SSL port, ensure that you configure that corresponding port in the “Connect Port“ and the option “Connect Using SSL” is disabled.
Figure 2: Configuring IDM User Application as a Web server
- Create a protected resource under the IDMUserApp Proxy Service with the resource paths to all apps which are configured and configure an authentication procedure.
Figure 3: Configuring IDM User Applications as different protected resources
- Attach a form fill policy to this protected resource. This form fill policy will match to the OSP login form and fill the user credentials. It also has a failure policy which will redirect the IDM Application logout request to also do the Access Gateway logout.
Figure 4: Formfill policy for the SSO to OSP
- Create a custom HTML rewriter profile. Keeping everything as default, only enable the ‘Rewrite Inbound Query String Data’ option in this profile. Move this custom profile above the Default profile and save the configuration.
Figure 5: Custom HTML Rewriter Profile
This completes the Access Gateway configuration for this integration.
Configuring the Authentication Method in IDM User Application
The stand-alone IDM User Application needs only one specific configuration for this scenario to work and that is the authentication method. The authentication method has to be configured as “Name and Password”
Open the configuration utility by performing the following steps:
- Change to the UserApplication directory.
On Linux, use the command: cd /opt/netiq/idm/apps/UserApplication
- Run the following configuration utility: ./configupdate.sh use_console=false
For more information on how to run the Identity Applications Configuration Utility, refer the following: https://www.netiq.com/documentation/idm45/setup_guide/data/b1bkfd5r.html
Figure 6: RBPM Configuration Screen
Testing the Single Sign On
- Open a browser and hit the NAM URL protecting the IDM UserApp
Note: Please ensure that the URLs are resolvable either through the host entries or DNS
- On the authentication prompt, provide the user credentials
- Upon submitting the credentials you should be able to view the UserApp page.