NAM’s Custom IDP Discovery Service Implementation
IDP selection and discovery helps your Service Provider determine which Identity Provider should authenticate the current user. Access Manager supports IDP discovery through "Use Introductions": when introductions are configured, users can select an identity provider from a list of introducible identity providers (https://www.netiq.com/documentation/access-manager-42/admin/data/b1ax6f15.html#bmpx02e). In some cases this approach is not viable, and a custom IDP discovery service can be used instead.
When a common domain and introductions are not viable, the user has to select an authentication card, and having to pick the external authentication contract for his IDP on every login is not user friendly in some scenarios. Showing a list of IDPs and remembering the user's selection is a simple way to solve this.
NAM presents a list of available IDPs; the user selects one and the selection is saved in the client browser. On subsequent visits the user does not see the IDP selection page but is redirected straight to the chosen IDP. The following solution is based on NAM 4.2 and above.
Broker IDP configuration:
- Build a JSP that lists all IDPs (download the sample, which uses HTML5 local storage)
- Prepare the inter-site transfer URLs and add them to the list
- Copy the JSP file to the NAM IDP JSP folder: /opt/novell/nam/idp/webapps/nidp/jsp
- Log in to the middle IDP/SP Admin Console
- Create an authentication method using an existing class, for example the name/password class
- Navigate to Local > Methods > New
- Select the class and fill in the required configuration as per the NAM documentation
- Add a custom JSP property, JSP=<name of the JSP created above, without the .jsp extension>, e.g. JSP=idp_discover
- Create a contract based on the method created above.
- Make this the default contract. This assumes that all Access Gateway protected resources use this contract for authentication.
- Update the IDP
Destination IDP configuration:
- Log in to the destination IDP's Admin Console
- For the final target application, modify the SAML2 federation: SAML2 > SP config > Intersite Transfer Service > allow any target, or add the IDP URL
- Update the IDP
Test NAM’s Custom IDP discovery service
- Create a test setup by installing multiple NAM IDP instances (or any other IDPs)
- Topology: IDP2 (destination IDP) - IDP1/SP1 (middle/broker IDP) - SP2 (service provider)
- Access SP2 (the service provider); its SAML request is sent to the middle IDP, where the custom IDP discovery page appears.
- Select the destination IDP, tick the remember-me check box and submit; the request is redirected to the destination IDP2.
- Authenticate the test user at IDP2; the request flows back to IDP1/SP1, an authenticated session is created at the middle IDP, and it posts the SAML2 response to SP2.
For non-HTML5 browser compatibility, download the other zip file, IDP discovery by cookie (works with NAM 4.2 and above).
Modifications compared to the old JSP:
- The IDP list is added dynamically; there is no need to construct the idpsend URL.
- The user's IDP selection is stored in a cookie on the browser.
- When a remembered IDP value is present in the cookie, the page shows a redirect-to-IDP message and redirects for authentication after a 5 second delay; the user can cancel this auto-redirection and select a different IDP.
- The user can erase the cookie value by clicking cancel on the auto-redirection message, deselecting remember me, selecting an IDP and submitting.
Please share your comments!!