
Access Manager and Novell Identity Manager


Hello,

Our company purchased Access Manager several months ago and I was
interested in trying to help my colleague bring up a test environment.

I don't think Access Manager requires an existing copy of Novell
Identity Manager installed (IDM) to work for SAML-2 authentication, but
he wanted to ask that. Does it require IDM to be installed (we have it
installed already)?

We are running IDM 3.5.1 on Netware 6.5SP8 and on OES2 SLES 10 SP3
(Meta-tree) in production.

Can we use the latest Access Manager with IDM 3.5.1 to provide SAML-2
authentication (against eDirectory) or do we need to bring up an
instance of IDM 4.01? Any guidance in this area would be appreciated.

Also, what is actually needed for our configuration? I know that Access
Manager states that you need to set up an Identity Server, an Admin
Console, an SSL VPN, an Access Gateway Appliance and a Linux Access
Gateway Service. I was thinking that we could put Access Manager (and
possibly IDM 3.5.1/4.01) on VMs for testing.

Thanks in Advance,
Russell Labay
Texas Department of Transportation


--
RLABAY
------------------------------------------------------------------------
RLABAY's Profile: http://forums.novell.com/member.php?userid=119970
View this thread: http://forums.novell.com/showthread.php?t=450386


Re: Access Manager and Novell Identity Manager


IDM is not required for NAM to use SAML.

The only case that I'm aware of where NAM uses SAML to talk to eDir is
when you want to do Single Sign On to the IDM UserApplication (that uses
a SAML method). But NAM doesn't require IDM for the purposes of SAML.

Yes, you can certainly use VMs (VMware or Xen) for testing NAM. I
STRONGLY recommend separate components on each. I wouldn't really bother
with the SSLVPN just yet. Meaning, set up 3 VMs: one with your Admin
Console, one for the IDS/IDP, and one for the LAG. You can always add
the SSLVPN later (if you do, I prefer the ESP-enabled one, I think).

Anyway, you would probably configure NAM to point to eDirectory as your
user source (authentication) and test the userid/password method. I'm
not sure why you'd use SAML in that particular case (ie, the person
enters their userid/password--voila).

SAML comes in useful if, say, you want people to use Google or some
other "trusted" ID provider so that they can use THOSE credentials to
authenticate vs. your eDirectory credentials.

OR maybe you have Shibboleth or Salesforce you want to use SAML with?
Neil's got some nice Communities articles on that.

Go to www.novell.com/communities and search for SAML in the Identity
section; there should be a few hits with NAM setup for that.


--
The opinions expressed are my own.
Check out my OES2 Guides:
Installing OES2 SP2:
http://www.novell.com/communities/node/11600/oes2-sp2-installation-guide
Upgrading to OES2 with ID Transfer:
http://www.novell.com/communities/node/11601/oes2-sp2-migration-guide-transfer-id-scenarios
GroupWise Migration with OES2 ID Transfer:
http://www.novell.com/communities/node/11602/groupwise-migration-netware-oes2-sp2-transfer-id
------------------------------------------------------------------------
kjhurni's Profile: http://forums.novell.com/member.php?userid=734
View this thread: http://forums.novell.com/showthread.php?t=450386


Re: Access Manager and Novell Identity Manager

kjhurni wrote:


> Anyway, you would probably configure NAM to point to eDirectory as
> your user source (authentication) and test the userid/password
> method. I'm not sure why you'd use SAML in that particular case (ie,
> the person enters their userid/password--voila).


Technically it is safer as there is no password travelling over the
wire between the Access Gateway and the UserApp. It could also be that
they authenticate against a source you can't extract a password from,
and use something like X.509.

--
Cheers,
Edward

Re: Access Manager and Novell Identity Manager


Good point about the SAML (which, BTW, is why we're having to use it)--we
have a federated identity from a third-party IDP and we do NOT get
passwords from them, but they may need to get access to "our" stuff, and
since our application is using an Oracle database, and we don't store
passwords, they have to authenticate to NAM via SAML.

Although I think I was meaning more along the lines of: NAM points to
a user source somehow, so for THOSE users, you have userid/password; not
sure how you'd go about setting up a SAML authentication in that
scenario. (ie, if your NAM setup doesn't use some other trusted
provider, and you only have AD or eDir, then you're going to have to
authenticate to eDir/AD and THEN you can use SAML to get to "other"
stuff, but why would you set up SAML with JUST eDir and NAM--ie, how/what
are you going to use to authenticate to the IDP unless you set up a SAML
provider somewhere, and that's a bit overkill JUST for that, IMO).


--
kjhurni

Re: Access Manager and Novell Identity Manager

kjhurni wrote:


> Although I think I was meaning more along the lines of: NAM points to
> a user source somehow, so for THOSE users, you have userid/password;
> not sure how you'd go about setting up a SAML authentication in that
> scenario. (ie, if your NAM setup doesn't use some other trusted
> provider, and you only have AD or eDir, then you're going to have to
> authenticate to eDir/AD and THEN you can use SAML to get to "other"
> stuff, but why would you set up SAML with JUST eDir and NAM--ie,
> how/what are you going to use to authenticate to the IDP unless you
> set up a SAML provider somewhere, and that's a bit overkill JUST for
> that, IMO).


It depends. If you use SAML between your UserApp and AG then the
password only has to traverse the line once (between the IDP and the
browser), so theoretically it's safer, but then again, the network between
your AG and UserApp is a trusted network, so my theory is kinda flawed I
guess...

--
Cheers,
Edward

Re: Access Manager and Novell Identity Manager


No, you had some good points. What if you have an app that doesn't "do"
passwords or LDAP or something.

Very useful stuff to have multiple authentication methods.


--
kjhurni

Re: Access Manager and Novell Identity Manager

kjhurni wrote:

>
> No, you had some good points. What if you have an app that doesn't
> "do" passwords or LDAP or something.


Well, my experience is that most apps do LDAP auth rather than being
able to accept a SAML assertion.

> Very useful stuff to have multiple authentication methods.


True.


--
Cheers,
Edward

Re: Access Manager and Novell Identity Manager

RLABAY wrote:

>
> Hello,
>
> Our company purchased Access Manager several months ago and I was
> interested in trying to help my colleague bring up a test environment.
>
> I don't think Access Manager requires an existing copy of Novell
> Identity Manager installed (IDM) to work for SAML-2 authentication,
> but he wanted to ask that. Does it require IDM to be installed (we
> have it installed already)?
>
> We are running IDM 3.5.1 on Netware 6.5SP8 and on OES2 SLES 10 SP3
> (Meta-tree) in production.
>
> Can we use the latest Access Manager with IDM 3.5.1 to provide SAML-2
> authentication (against eDirectory) or do we need to bring up an
> instance of IDM 4.01? Any guidance in this area would be appreciated.


> Also, what is actually needed for our configuration? I know that the
> Access Manager states that you need to setup an Identity Server, an
> Admin console,
> an SSL VPN, an Access Gateway Appliance and a Linux Access Gateway
> Service. I was thinking that we could put Access Manager (and possibly
> IDM 3.5.1/4.01) on VMs for testing.


As Kevin already explained, you'd need an Identity Server, Admin Console
and Access Gateway (either the service or appliance). I don't agree with
running each component on its own server tho for a simple lab. The
Admin Console and Identity Provider can run on the same server if this
would be an internal (non-internet facing) lab only. If you do want to
put it in production then yes, I would not put the AMC and IDP on one
server. Labs generally have limited resources, hence why I would do it
this way.

You would need a lab for IDM's UserApp in order to do your SSO testing
tho. This can be 3.5.1, if that supports SSO through SAML. NAM does not
require IDM tho.



--
Cheers,
Edward