orsifacundo
New Member.

NAM-IDM Federation and protected resource

Hi, I have an IDM 4.7 and a NAM 4.4.

I managed to use SAML between IDM and NAM but now I want to protect IDM behind the proxy. The documentation outlines these methods as 2 different approaches (SAML vs form fill) but I guess it's possible to do what I want but I cannot get it working.

Did anyone manage to do it?

Regards.
4 Replies
AutomaticReply
Absent Member.

Re: NAM-IDM Federation and protected resource

orsifacundo,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort, volunteer run, and if your issue
is urgent or not getting a response, you might try one of the following options:

- Visit https://www.microfocus.com/support-and-services and search the knowledgebase and/or check
all the other self support options and support programs available.
- Open a service request: https://www.microfocus.com/support
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.microfocus.com)
- You might consider hiring a local partner to assist you.
https://www.partnernetprogram.com/partnerfinder/find.html

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.microfocus.com/faq.php

Sometimes this automatic posting will alert someone that can respond.

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot.

Good luck!

Your Micro Focus Forums Team
http://forums.microfocus.com



Knowledge Partner

Re: NAM-IDM Federation and protected resource

On 21-05-2019 10:34 PM, orsifacundo wrote:
>
> Hi, I have an IDM 4.7 and a NAM 4.4.
>
> I managed to use SAML between IDM and NAM but now I want to protect IDM
> behind the proxy. The 'documentation'
> (https://www.netiq.com/documentation/identity-manager-47/identity_apps_admin_471/data/third-party-authentication-and-single-sign-on.html)
> outlines these methods as 2 different approaches (SAML vs form fill) but
> I guess it's possible to do what I want but I cannot get it working.
>
> Did anyone manage to do it?


So the UA only supports SAML really, not formfill from what I know. You can create a proxy and protect the UA with that but don't enable
authentication on the protected resources. It might be possible to do tho but I reckon there will be URIs you have to leave unauthenticated.


--
Cheers,
Edward
orsifacundo
New Member.

Re: NAM-IDM Federation and protected resource

edmaa;2500286 wrote:
On 21-05-2019 10:34 PM, orsifacundo wrote:
>
> Hi, I have an IDM 4.7 and a NAM 4.4.
>
> I managed to use SAML between IDM and NAM but now I want to protect IDM
> behind the proxy. The 'documentation'
> (https://www.netiq.com/documentation/identity-manager-47/identity_apps_admin_471/data/third-party-authentication-and-single-sign-on.html)
> outlines these methods as 2 different approaches (SAML vs form fill) but
> I guess it's possible to do what I want but I cannot get it working.
>
> Did anyone manage to do it?


So the UA only supports SAML really, not formfill from what I know. You can create a proxy and protect the UA with that but don't enable
authentication on the protected resources. It might be possible to do tho but I reckon there will be URIs you have to leave unauthenticated.


--
Cheers,
Edward


Hi Edward,

Ok, I understand that the form fill action is done against the OSP login page and after that you use the OSP access token between the Identity Apps.

Nevertheless what I'm trying to do is protect the Identity Apps and OSP behind the reverse proxy after integrating OSP with NAM via SAML 2.0.

As an example, I have the following scenario:

- IDM 4.7 All-in-one. FQDN: idm47.example.com. IP: 10.0.0.10. Tomcat running on port 8543
- NAM 4.4 Appliance. FQDN: nam.example.com. IP: 10.0.0.9. Tomcat running on port 8443. Reverse proxy listening on port 443.
- Proxy service with a domain-based multi-homing type.

And the sequence is:
- User trying to get to: https://idm47.example.com (resolved to NAM as the external DNS resolves to 10.0.0.9)
- NAM asks the user for credentials
- User gets redirected to idmdash.

My problem is that at some point OSP redirects the browser to https://idm47.example:8543/osp/a/idm/auth/saml2/spassertion_consumer and it fails because the port is wrong.

Without the reverse proxy the SAML 2.0 federation works perfectly.

Regards.


Knowledge Partner

Re: NAM-IDM Federation and protected resource

On 30-05-2019 1:34 AM, orsifacundo wrote:
>
> edmaa;2500286 Wrote:
>> On 21-05-2019 10:34 PM, orsifacundo wrote:
>>>
>>> Hi, I have an IDM 4.7 and a NAM 4.4.
>>>
>>> I managed to use SAML between IDM and NAM but now I want to protect IDM
>>> behind the proxy. The 'documentation'
>>> (https://www.netiq.com/documentation/identity-manager-47/identity_apps_admin_471/data/third-party-authentication-and-single-sign-on.html)
>>> outlines these methods as 2 different approaches (SAML vs form fill) but
>>> I guess it's possible to do what I want but I cannot get it working.
>>>
>>> Did anyone manage to do it?
>>
>> So the UA only supports SAML really, not formfill from what I know. You
>> can create a proxy and protect the UA with that but don't enable
>> authentication on the protected resources. It might be possible to do
>> tho but I reckon there will be URIs you have to leave unauthenticated.
>>
>>
>> --
>> Cheers,
>> Edward
>
> Hi Edward,
>
> Ok, I understand that the form fill action is done against the OSP login
> page and after that you use the OSP access token between the Identity
> Apps.
>
> Nevertheless what I'm trying to do is protect the Identity Apps and OSP
> behind the reverse proxy after integrating OSP with NAM via SAML 2.0.
>
> As an example, I have the following scenario:
>
> - IDM 4.7 All-in-one. FQDN: idm47.example.com. IP: 10.0.0.10. Tomcat
> running on port 8543
> - NAM 4.4 Appliance. FQDN: nam.example.com. IP: 10.0.0.9. Tomcat running
> on port 8443. Reverse proxy listening on port 443.
> - Proxy service with a domain-based multi-homing type.
>
> And the sequence is:
> - User trying to get to: https://idm47.example.com (resolved to NAM as
> the external DNS resolves to 10.0.0.9)
> - NAM asks the user for credentials
> - User gets redirected to idmdash.
>
> My problem is that at some point OSP redirects the browser to
> https://idm47.example:8543/osp/a/idm/auth/saml2/spassertion_consumer
> and it fails because the port is wrong.
>
> Without the reverse proxy the SAML 2.0 federation works perfectly.


Yeah, I had tons of fun with that. I never managed to get the rewriter to fix that. In the end I just put an iptables NAT on my UA server in my lab
and configured the UA thinking it's listening on port 443, and then the iptables NAT translates inbound traffic from 443 to 8543.


--
Cheers,
Edward
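An added example, not Edward's own commands and not part of the thread: a small POSIX shell script that expresses the workaround from the last reply (netfilter REDIRECT of the public port 443 to Tomcat's 8543 on the UA host, so OSP can be configured as if it listened on 443) together with the check a practitioner wants while chasing the symptom from the earlier post, namely that the redirect URLs OSP emits (the spassertion_consumer Location) carry the public host and port rather than the Tomcat port. Hostnames, ports and the sample URL are the ones the thread gives; the function names, the OUTPUT rule for loopback traffic, and the `apply` argument are assumptions of this example. Without an argument the script only defines the functions and prints nothing; `sh nat_redirect.sh apply` runs the rules as root.

```shell
#!/bin/sh
# Added example (not from the thread). OSP is reached as
# https://idm47.example.com through the NAM proxy on 443, but Tomcat on the
# IDM all-in-one binds 8543 and OSP builds its SAML SP URLs from the port it
# believes it serves. Redirecting 443 -> 8543 with iptables NAT on the UA
# host lets the UA be configured as if it listened on 443 (Edward's workaround).
# Hostnames and ports are taken from the thread; helper names are assumptions.

PUBLIC_PORT=443          # port NAM and the browser use
TOMCAT_PORT=8543         # port Tomcat on the UA host actually binds
EXPECTED_HOST=idm47.example.com

# Print the netfilter rules that make inbound :443 land on Tomcat :8543.
# The OUTPUT rule (assumed here) covers connections the UA host makes to
# itself by its own public URL, which would otherwise bypass PREROUTING.
nat_redirect_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -p tcp --dport ${PUBLIC_PORT} -j REDIRECT --to-ports ${TOMCAT_PORT}
iptables -t nat -A OUTPUT -o lo -p tcp --dport ${PUBLIC_PORT} -j REDIRECT --to-ports ${TOMCAT_PORT}
EOF
}

# Host part of a URL, without scheme, port or path.
url_host() {
  hostport=${1#*://}
  hostport=${hostport%%/*}
  printf '%s\n' "${hostport%%:*}"
}

# Port part of a URL; falls back to the scheme default when none is present.
url_port() {
  hostport=${1#*://}
  hostport=${hostport%%/*}
  case "$hostport" in
    *:*) printf '%s\n' "${hostport##*:}" ;;
    *)
      case "$1" in
        https://*) printf '443\n' ;;
        http://*)  printf '80\n' ;;
        *)         printf '\n' ;;
      esac ;;
  esac
}

# Return 0 when a Location that OSP sends the browser to points at the public
# host and port, 1 otherwise. Run it on the redirects captured in the browser:
# a URL that fails here is exactly the wrong-port symptom from the thread.
check_osp_redirect() {
  [ "$(url_host "$1")" = "$EXPECTED_HOST" ] && [ "$(url_port "$1")" = "$PUBLIC_PORT" ]
}

# Only touch the firewall when explicitly asked to (needs root).
if [ "${1:-}" = "apply" ]; then
  nat_redirect_rules | sh -x
fi
```

The port check deliberately does not rely on the NAM rewriter: the thread reports that the rewriter could not be made to fix this URL, so the fix has to happen on the UA side, where OSP generates it, and the check confirms that after the change every redirect stays on port 443.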