Knowledge Partner

Re: NetIQ AM SSO for web application

DICGC;2427263 wrote:
kjhurni;267246 Wrote:
> DICGC;2427157 Wrote:
> > Will Schneider;267219 Wrote:
> > > On 4/25/2016 12:24 AM, DICGC wrote:
> > > > Hi Edward,
> > > >
> > > > Now I have to do SSO with 6 web application which is deployed on
> > > > different web server but in the same domain so can I use one Access
> > > > gateway to achieve my SSO and how I can configure all this.
> > > > thanks
> > > > Sarita
> > >
> > > The answer is likely yes. Obviously it depends on the specifics. You
> > > can tie lots of servers into a single MAG without much
> > > trouble. Just depends on how you want to do it.
> > >
> > > So I would go about it this way:
> > > 1. Work on the Kerberos config between your IDP and your AD. That way
> > > you don't have to create accounts in the NAM tree and
> > > can utilize your users' existing passwords. After you read the docs on
> > > that if you need help that would be a good new post
> > > to start.
> > >
> > > 2. Map out your web apps in how you want them to work. So for
> > > instance:
> > > company.com -> Main web server
> > > company.com/app1/ -> app1 web server
> > > company.com/hr/ -> hr web server
> > > company.com/finance/ -> finance web app
> > >
> > > Once you have that we can help you craft the NAM layout.
> > > Does that make sense?
> > >
> > > --
> > > -----------------------------------------------------------------------
> > > Will Schneider
> > > Knowledge Partner http://forums.netiq.com
> > >
> > > If you find this post helpful, please click on the star below.
> >
> > Thanks,
> >
> > Yes I have created Reverse proxy name for company.in and then i created
> > proxy entry Domain based for my web application "core.company.in" and
> > give Basic authentication scheme but getting BAD request 400 error. I
> > am using same LDAP which is coming by default with IDP and AD full
> > installation of NAM. I don't have different LDAP. Where I have to
> > provide LDAP details while configuring SSO. I am using Identity
> > injection and add rule for header.
> >
> > "Bad Request
> >
> > Your browser sent a request that this server could not understand.
> > Size of a request header field exceeds server limit."
> >
> > --
> > DICGC
> > ------------------------------------------------------------------------
> > DICGC's Profile: https://forums.netiq.com/member.php?userid=11372
> > View this thread: https://forums.netiq.com/showthread.php?t=55691
>
> You have no Active Directory or eDirectory in your environment?
>
> --Kevin
>
> --
> The opinions expressed are my own.
> Check out my OES2 Guides:
> Installing OES2 SP2:
> http://tinyurl.com/6pezrv7
> Upgrading to OES2 with ID Transfer:
> http://tinyurl.com/82a8ufn
> GroupWise Migration with OES2 ID Transfer:
> http://tinyurl.com/6oj94q8
> ------------------------------------------------------------------------
> kjhurni's Profile: https://forums.novell.com/member.php?userid=734
> View this thread: https://forums.novell.com/showthread.php?t=497799


The client has AD but they don't allow us to use it as the directory, so I am
using the same default eDirectory which I get while installing AD and
IDP.

thanks,
sarita



--
DICGC
------------------------------------------------------------------------
DICGC's Profile: https://forums.netiq.com/member.php?userid=11372
View this thread: https://forums.netiq.com/showthread.php?t=55691


I think you're misunderstanding. Prior to installing NAM, do you have any Windows 2000 or higher servers that were installed as Active Directory Domain Controllers (or whatever the roles are called)?

Or

Prior to installing NAM, do you have any Novell OES servers installed?

When your client PCs boot up and the person does a CTRL-ALT-DEL to log in, is there a Novell Client on the workstation? If not, then are they logging into the workstation only or are they logging into a Windows server running Active Directory?

NAM only supports the following directories:

"A server configured with an LDAP directory (eDirectory, Sun ONE, or Active Directory) that contains your system users. The Identity Server uses the LDAP directory to authenticate users to the system."


This is from the Network Requirements section of the documentation:
https://www.netiq.com/documentation/access-manager-42/install_upgrade/data/b1candrb.html

I don't think that NetIQ supports or intends for you to use the Internal eDirectory that NAM itself uses, as part of regular client-authentication eDirectory. At least not the way I read the requirements documentation.

--Kevin
Anonymous_User

Re: NetIQ AM SSO for web application

DICGC wrote:

>


> Client have AD but they don't allow us to make it as directory but I
> am using the same default edirectory which I get while installing AD
> and IDP.


NAM is not related to AD. All the configuration is stored in the
embedded eDirectory that comes with the admin console which is a
required component of a NAM deployment as that is your administration
point.

NAM can utilise AD as an authentication store. This means when you
configure the IDP cluster and you would use a default contract like
username/password all authentication attempts will be validated against
AD. This doesn't make any changes in AD. You merely need a proxy
account that allows the IDP to look up the user. This is non-invasive.

Once you have a proxy account set up and username/password contracts are
working you can deploy Kerberos authentication. This is slightly more
work. I'd focus on setting up username/password first. Once you've
established that we can help you set up Kerberos authentication.

--
Cheers,
Edward
DICGC

Re: NetIQ AM SSO for web application


Hi,

I have configured SSO now and I am facing the following error. When I hit the
URL of the Access Gateway published DNS name, I get the following error.

"Bad Request

Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit."
Via

I will explain the steps I did to achieve SSO:

1. I create a Reverse Proxy, providing the PDNS name and the AG server IP


2. I create Proxy Services for the web application named 'core'
Web server ip


3. Protected Resource
URL
Authentication
Authorization

So where am I going wrong? Why am I getting the 'BAD Request' error while
hitting the URL of the AG PDNS?

thanks
Sarita


--
DICGC
------------------------------------------------------------------------
DICGC's Profile: https://forums.netiq.com/member.php?userid=11372
View this thread: https://forums.netiq.com/showthread.php?t=55691

Anonymous_User

Re: NetIQ AM SSO for web application

On 5/2/2016 2:24 AM, DICGC wrote:
> I have configure SSO now and I am facing following error. When I hit the
> url of Access gateway publish DNS name. I got following error.
>
> " Bad Request
>
> Your browser sent a request that this server could not understand.
> Size of a request header field exceeds server limit.


There is not an obvious answer without digging a little more. On the surface, your back end web server is saying the packet
it received has a header that is too big to process. That is likely because of the authorization policy that is injecting
something into the header. To test this idea out, set the proxy so that the protected resource is public and there are no
authorization policies or form fill policies. If that resolves the error then we've found the cause.

Also, is the resource publicly available? Or internal only?

--
-----------------------------------------------------------------------
Will Schneider
Knowledge Partner http://forums.netiq.com

If you find this post helpful, please click on the star below.
DICGC

Re: NetIQ AM SSO for web application


hi will,

This SSO client is used for internal purposes only. I have removed all
authorization policies but am still facing the BAD request error.

But while clicking on AG and reverse proxy on the Dashboard of NAM I
get 'Error connection to DATABASE'; it goes away immediately and all
server health is proper.


thanks,
sarita khamkar


--
DICGC
------------------------------------------------------------------------
DICGC's Profile: https://forums.netiq.com/member.php?userid=11372
View this thread: https://forums.netiq.com/showthread.php?t=55691

Anonymous_User

Re: NetIQ AM SSO for web application

DICGC wrote:

>
> hi will,
>
> This SSO client using for internal purpose only. I have removed all
> authorization policy still facing BAD request error.
>
> but while clicking on AG and reverse proxy on Dashboard of NAM i will
> get 'Error connection to DATABASE' and it goes immediately and all
> health server is proper.
>
>
> thanks,
> sarita khamkar


Please supply the error log from:
/var/log/novell-apache/error-log



--
Cheers,
Edward
DICGC

Re: NetIQ AM SSO for web application


hi Edward,

please find the stdout log file below:
creating the fileappender that send audit events to log file: C:\Program Files (x86)\Novell\Syslog\audit_common.log
succedded in creating log file C:\Program Files (x86)\Novell\Syslog\audit_common.log
Succedded in creating file appender
Audit logger configured to send events to local file at C:\Program Files (x86)\Novell\Syslog\audit.log with queuemode and audit events will be in JSON format
Attribute Source config is not configured yet.
Data sources are not configured yet.
NIDPMeEntity.commonInitialize(): Complete! Config Name: DICGCIDP
NIDPMeEntity.loadProtocol(): Loaded protocol: com.novell.nidp.liberty.LibertyMeDescriptor:liberty12
NIDPMeEntity.loadProtocol(): Loaded protocol: com.novell.nidp.saml.SAMLMeDescriptor:saml
NIDPMeEntity.loadProtocol(): Loaded protocol: com.novell.nidp.saml2.SAML2MeDescriptor:saml2
NIDPMeEntity.loadProtocol(): Loaded protocol: com.novell.nidp.liberty.LibertyMeDescriptor:liberty12
NIDPSettings.NIDPSettings(): Completed loading settings from configuration!
NIDPContext.doInit(): Cache initialized!
NIDPServletContext.doCommand(): Start successful.
NetIQ JClient 2.08.0704-2.8.704. (c) 2013 NetIQ Corporation and its affiliates. All Rights Reserved.
Protected Resource JSP: AuthProcedure is none - element not found: Services/HTTP/ServiceList/ReverseList/HTTP_Reverse[@ServiceID='svhttp_1459940135857']/HTTP_ReverseSubservice/HTTP_HostSubserviceList/HTTP_HostSubservice[@SubserviceID='sshost_1461648825675']/ProtectedResourceList/ProtectedResource[@ProtectedResourceID='ProtectedResourceID_svhttp_1459940135857_sshost_1461648825675_1461663971362']/AuthenticationProcedureRef
Reconfigure appDN: cn=idp-esp-9284268443115441,cn=server,cn=nids,ou=accessManagerContainer,o=novell
appname: idp-esp-9284268443115441
Invoking customfiles handler
Error : java.lang.NullPointerException
Protected Resource JSP: AuthProcedure is none - element not found: Services/HTTP/ServiceList/ReverseList/HTTP_Reverse[@ServiceID='svhttp_1459940135857']/HTTP_ReverseSubservice/HTTP_HostSubserviceList/HTTP_HostSubservice[@SubserviceID='sshost_1459942254392']/ProtectedResourceList/ProtectedResource[@ProtectedResourceID='ProtectedResourceID_svhttp_1459940135857_sshost_1459942254392_1461648302559']/AuthenticationProcedureRef
Reconfigure appDN: cn=idp-esp-9284268443115441,cn=server,cn=nids,ou=accessManagerContainer,o=novell
appname: idp-esp-9284268443115441
Invoking customfiles handler
Error : java.lang.NullPointerException
Protected Resource JSP: AuthProcedure is none - element not found: Services/HTTP/ServiceList/ReverseList/HTTP_Reverse[@ServiceID='svhttp_1459940135857']/HTTP_ReverseSubservice/HTTP_HostSubserviceList/HTTP_HostSubservice[@SubserviceID='sshost_1459942254392']/ProtectedResourceList/ProtectedResource[@ProtectedResourceID='ProtectedResourceID_svhttp_1459940135857_sshost_1459942254392_1461648302559']/AuthenticationProcedureRef
Protected Resource JSP: AuthProcedure is none - element not found: Services/HTTP/ServiceList/ReverseList/HTTP_Reverse[@ServiceID='svhttp_1459940135857']/HTTP_ReverseSubservice/HTTP_HostSubserviceList/HTTP_HostSubservice[@SubserviceID='sshost_1459942254392']/ProtectedResourceList/ProtectedResource[@ProtectedResourceID='ProtectedResourceID_svhttp_1459940135857_sshost_1459942254392_1461648302559']/AuthenticationProcedureRef
Reconfigure appDN: cn=idp-esp-9284268443115441,cn=server,cn=nids,ou=accessManagerContainer,o=novell
appname: idp-esp-9284268443115441
Invoking customfiles handler
Error : java.lang.NullPointerException
Protected Resource JSP: AuthProcedure is none - element not found: Services/HTTP/ServiceList/ReverseList/HTTP_Reverse[@ServiceID='svhttp_1459940135857']/HTTP_ReverseSubservice/HTTP_HostSubserviceList/HTTP_HostSubservice[@SubserviceID='sshost_1459942254392']/ProtectedResourceList/ProtectedResource[@ProtectedResourceID='ProtectedResourceID_svhttp_1459940135857_sshost_1459942254392_1461648302559']/AuthenticationProcedureRef
Reconfigure appDN: cn=idp-esp-9284268443115441,cn=server,cn=nids,ou=accessManagerContainer,o=novell
appname: idp-esp-9284268443115441
Invoking customfiles handler
Error : java.lang.NullPointerException


====================================

stderr log file

java.io.IOException: Cannot run program "rpm": CreateProcess error=2, The system cannot find the file specified
at java.lang.ProcessBuilder.start(ProcessBuilder.java:1048)
at java.lang.Runtime.exec(Runtime.java:620)
at java.lang.Runtime.exec(Runtime.java:450)
at java.lang.Runtime.exec(Runtime.java:347)
at com.microfocus.amapi.v1.resources.AdminConsoleAPI.getQualifiedAdminConsole(AdminConsoleAPI.java:290)
at com.microfocus.amapi.v1.resources.AdminConsolesAPI.getAdminConsoles(AdminConsolesAPI.java:135)


thanks
sarita


--
DICGC
------------------------------------------------------------------------
DICGC's Profile: https://forums.netiq.com/member.php?userid=11372
View this thread: https://forums.netiq.com/showthread.php?t=55691

Anonymous_User

Re: NetIQ AM SSO for web application

DICGC wrote:

>
> hi Edward,
>
> please find attached below std out log file
> creating the fileappender that send audit events to log file:
> C:\Program Files (x86)\Novell\Syslog\audit_common.log
> succedded in creating log file C:\Program Files
> (x86)\Novell\Syslog\audit_common.log
>



Sorry for the late reply. I wasn't aware you are running it on Windows
(I've never dealt with NAM on Windows but so be it). The logs you
posted don't look like the access gateway logs. They look like the esp
and jcc logs. Can you see if you can dig up the apache logs?

--
Cheers,
Edward
Anonymous_User

Re: NetIQ AM SSO for web application

DICGC wrote:


> First of all thanks for your help. But in my case I have application
> with ip based like http://10.28.2.89/dicgc/account/frmlogin.aspx. so
> how can i protect this application. I am confused for publish DNS name
> because all applications are ip based.
>
> thanks
> Sarita


Kevin is right, NAM works based on DNS names. Honestly, it doesn't make
much sense that all your applications are based on IP addresses. How do
your users access your websites? Surely they don't type in
10.28.2.89/whatever to access something right?

So, as per Kevin's comment, on the access gateway you create a new
proxy. Call it AppA. On the proxy page you configure what listening IP
address is being used on the Access Gateway, what certificate to be
used if you want to use SSL etc. Then at the bottom of the page you can
configure proxy services. These contain the config of what the
published DNS name is, what webservers are being used etc. There's also
at least one proxy service on a proxy. Any additional ones are either
path based multi-homed (/appA; /appB; /appC etc), domain-based
multihomed (appA.site.com; appB.site.com; appC.site.com etc) or virtual
(appA.siteA.com; appB.siteB.com; appC.siteC.com).

Once you've configured a proxy service you'll have to configure
protected resources. A protected resource can either be public (no
authentication) or 'private' (require authentication). On a protected
resource you can also configure authorization policies, injection
policies and formfill policies.

With injection policies you can achieve single sign-on by for example
injecting credentials into the authorization header. Formfill policies
can fill fields in html forms that are used very frequently for
authentication. It also auto submits the forms though this is actually
done through the browser but NAM does some smarts with javascript.

To set up NAM without any knowledge can be a bit of a challenge,
especially if you have not worked with any access management solution.
Most AM solutions work roughly the same; things are just called
differently.




--
Cheers,
Edward
DICGC

Re: NetIQ AM SSO for web application


Edward van der Maas;266988 Wrote:
> DICGC wrote:
>
>
> > First of all thanks for your help. But in my case I have application
> > with ip based like http://10.28.2.89/dicgc/account/frmlogin.aspx. so
> > how can i protect this application. I am confused for publish DNS name
> > because all applications are ip based.
> >
> > thanks
> > Sarita

>
> Kevin is right, NAM works based on DNS names. Honestly, it doesn't make
> much sense that all your applications are based on IP addresses. How do
> your users access your websites? Surely they don't type in
> 10.28.2.89/whatever to access something right?
>
> So, as per Kevin's comment, on the access gateway you create a new
> proxy. Call it AppA. On the proxy page you configure what listening IP
> address is being used on the Access Gateway, what certificate to be
> used if you want to use SSL etc. Then at the bottom of the page you can
> configure proxy services. These contain the config of what the
> published DNS name is, what webservers are being used etc. There's also
> at least one proxy service on a proxy. Any additional ones are either
> path based multi-homed (/appA; /appB; /appC etc), domain-based
> multihomed (appA.site.com; appB.site.com; appC.site.com etc) or virtual
> (appA.siteA.com; appB.siteB.com; appC.siteC.com).
>
> Once you've configured a proxy service you'll have to configure
> protected resources. A protected resource can either be public (no
> authentication) or 'private' (require authentication). On a protected
> resource you can also configure authorization policies, injection
> policies and formfill policies.
>
> With injection policies you can achieve single sign-on by for example
> injecting credentials into the authorization header. Formfill policies
> can fill fields in html forms that are used very frequently for
> authentication. It also auto submits the forms though this is actually
> done through the browser but NAM does some smarts with javascript.
>
> To setup NAM without any knowledge can be a bit of a challenge
> especially if you have not worked with any access management solution.
> Most AM solutions work roughly the same, things are just called
> different.
>
>
>
>
> --
> Cheers,
> Edward





Hi Edward,

Thanks for your valuable feedback. I have successfully protected one web
application with NAM. Now I want to know the next steps. I have already told
the application team that they have to change their application code to accept
the user id header value from the session.

Does the userid go to the application in encrypted form? I want to know the
whole process of how this userid will get accepted by the application
team so I can explain to them how to skip their login page and directly
show their home page.

Thanks & Regards,
Sarita Khamkar


--
DICGC
------------------------------------------------------------------------
DICGC's Profile: https://forums.netiq.com/member.php?userid=11372
View this thread: https://forums.netiq.com/showthread.php?t=55691

Anonymous_User

Re: NetIQ AM SSO for web application

DICGC wrote:


> is the userid goes to application in encrypted form. I want to know
> the whole process about how this userid will get accepted by
> application team so i will explain them to skip their login page and
> directly to show their home page.


NAM itself doesn't encrypt any values that it sends to the backend
application. It just relies on the fact that the administrator enables
SSL/TLS between NAM and the Webapplication.

--
Cheers,
Edward
DICGC

Re: NetIQ AM SSO for web application


Edward van der Maas;268289 Wrote:
> DICGC wrote:
>
>
> > is the userid goes to application in encrypted form. I want to know
> > the whole process about how this userid will get accepted by
> > application team so i will explain them to skip their login page and
> > directly to show their home page.

>
> NAM itself doesn't encrypt any values that it sends to the backend
> application. It just relies on the fact that the administrator enables
> SSL/TLS between NAM and the Webapplication.
>
> --
> Cheers,
> Edward




Hi Edward,

I am using an Identity Injection policy to achieve SSO with the web
application. I am injecting the user name into a header and now the web
application has to change its code to accept this header value.

So what does the application team have to change in their code so they will
accept this header? I mean, how does NAM send the header to the web application?

Thanks
Sarita Khamkar


--
DICGC
------------------------------------------------------------------------
DICGC's Profile: https://forums.netiq.com/member.php?userid=11372
View this thread: https://forums.netiq.com/showthread.php?t=55691

Knowledge Partner

Re: NetIQ AM SSO for web application

DICGC;2430219 wrote:
Edward van der Maas;268289 Wrote:
> DICGC wrote:
>
>
> > is the userid goes to application in encrypted form. I want to know
> > the whole process about how this userid will get accepted by
> > application team so i will explain them to skip their login page and
> > directly to show their home page.

>
> NAM itself doesn't encrypt any values that it sends to the backend
> application. It just relies on the fact that the administrator enables
> SSL/TLS between NAM and the Webapplication.
>
> --
> Cheers,
> Edward




Hi Edward,

I am using an Identity Injection policy to achieve SSO with the web
application. I am injecting the user name into a header and now the web
application has to change its code to accept this header value.

So what does the application team have to change in their code so they will
accept this header? I mean, how does NAM send the header to the web application?

Thanks
Sarita Khamkar


--
DICGC
------------------------------------------------------------------------
DICGC's Profile: https://forums.netiq.com/member.php?userid=11372
View this thread: https://forums.netiq.com/showthread.php?t=55691


If you setup your NAM II policy to send the data in the header, then that's all the web application team should need to know.

AFAIK, "it's in the header" is standard and understood (at least the several times we've worked with outside vendors and our internal web application development team).

Wireshark, or Firefox plugin: livehttpheaders can easily show what's being sent.
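As an added example (not code from this thread, from NetIQ, or from the application being discussed), this is the backend side of the handoff Kevin and Edward describe: the application reads the username that the Identity Injection policy placed in a header, but trusts it only when the request actually arrived from the Access Gateway over TLS, because NAM sends the value in clear text and any client that can reach the web server directly could otherwise add the same header. The header name X-Remote-User, the gateway address range and the WSGI framing are assumptions.

```python
"""Consuming a NAM identity-injected username header on the backend.

Added example, not code from the thread or from NetIQ. Assumptions: the
"Inject into custom header" policy puts the LDAP username in a header named
X-Remote-User, the Access Gateway reaches the web server over TLS from a
known address range, and the application is a WSGI app.
"""
import ipaddress
import re

# Header name chosen in the Identity Injection policy (assumed).
INJECTED_HEADER = "X-Remote-User"
# WSGI exposes request headers as HTTP_<NAME> with dashes turned into underscores.
WSGI_KEY = "HTTP_" + INJECTED_HEADER.upper().replace("-", "_")

# Addresses the Access Gateway connects from (constructed sample range).
# Only these peers are allowed to assert a user identity.
GATEWAY_NETWORKS = [ipaddress.ip_network("10.28.2.0/24")]

# Usernames the application is willing to accept: one token, no whitespace,
# no control characters, bounded length.
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


class IdentityError(Exception):
    """Raised when an identity header cannot be trusted."""


def request_is_from_gateway(environ):
    """True only if the peer is a gateway address and the hop used TLS.

    The thread's point is that NAM does not encrypt the injected value; the
    administrator is expected to enable SSL/TLS between NAM and the web
    application, so a plaintext connection must not carry an identity.
    """
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    if environ.get("wsgi.url_scheme") != "https":
        return False
    return any(peer in net for net in GATEWAY_NETWORKS)


def resolve_identity(environ):
    """Return the username asserted by the gateway, or None if absent.

    Raises IdentityError when the header arrives from a peer that is not the
    gateway (a header supplied by the client itself) or is malformed.
    """
    raw = environ.get(WSGI_KEY)
    if raw is None:
        return None
    if not request_is_from_gateway(environ):
        raise IdentityError("identity header from untrusted peer")
    username = raw.strip()
    if not USERNAME_RE.fullmatch(username):
        raise IdentityError("malformed identity header")
    return username


def handle(environ):
    """Minimal request handler: returns (status, body) so it is easy to test."""
    try:
        user = resolve_identity(environ)
    except IdentityError as exc:
        return "403 Forbidden", f"rejected: {exc}"
    if user is None:
        # No gateway identity: the application's own login page belongs here.
        return "401 Unauthorized", "no identity asserted by gateway"
    # Identity accepted: skip the login form and render the home page directly.
    return "200 OK", f"home page for {user}"


def make_environ(remote_addr, scheme, username=None):
    """Build a constructed WSGI environ for a sample request."""
    environ = {"REMOTE_ADDR": remote_addr, "wsgi.url_scheme": scheme,
               "REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if username is not None:
        environ[WSGI_KEY] = username
    return environ


if __name__ == "__main__":
    # Constructed sample requests (addresses and username are made up).
    print(handle(make_environ("10.28.2.5", "https", "DSCSL-12")))   # accepted
    print(handle(make_environ("10.28.2.5", "https")))               # anonymous
    print(handle(make_environ("192.0.2.9", "https", "DSCSL-12")))   # not the gateway
    print(handle(make_environ("10.28.2.5", "http", "DSCSL-12")))    # plaintext hop
```

The peer check is a backstop, not a substitute for network controls: the web server should also be firewalled so that only the Access Gateway can reach it, otherwise the injected header is only as trustworthy as whoever can open a connection.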
DICGC

Re: NetIQ AM SSO for web application


kjhurni;268316 Wrote:
> DICGC;2430219 Wrote:
> > Edward van der Maas;268289 Wrote:
> > > DICGC wrote:
> > >
> > >
> > > > is the userid goes to application in encrypted form. I want to know
> > > > the whole process about how this userid will get accepted by
> > > > application team so i will explain them to skip their login page and
> > > > directly to show their home page.
> > >
> > > NAM itself doesn't encrypt any values that it sends to the backend
> > > application. It just relies on the fact that the administrator enables
> > > SSL/TLS between NAM and the Webapplication.
> > >
> > > --
> > > Cheers,
> > > Edward

> >
> >
> >
> > Hi Edward,
> >
> > I am using Identity Injection policy to achieve SSO with web
> > application. I am injecting user name in to header and now web
> > application has to change the code to accept this header value.
> >
> > So what application team has to change in their code so they will
> > accept
> > this header. Means how NAM send the header to web application.
> >
> > Thanks
> > Sarita Khamkar
> >
> >
> > --
> > DICGC
> >
> > ------------------------------------------------------------------------
> > DICGC's Profile: https://forums.netiq.com/member.php?userid=11372
> > View this thread: https://forums.netiq.com/showthread.php?t=55691

>
> If you setup your NAM II policy to send the data in the header, then
> that's all the web application team should need to know.
>
> AFAIK, "it's in the header" is standard and understood (at least the
> several times we've worked with outside vendors and our internal web
> application development team).
>
> Wireshark, or Firefox plugin: livehttpheaders can easily show what's
> being sent.
>
>
> --
> The opinions expressed are my own.
> Check out my OES2 Guides:
> Installing OES2 SP2:
> http://tinyurl.com/6pezrv7
> Upgrading to OES2 with ID Transfer:
> http://tinyurl.com/82a8ufn
> GroupWise Migration with OES2 ID Transfer:
> http://tinyurl.com/6oj94q8
> ------------------------------------------------------------------------
> kjhurni's Profile: https://forums.novell.com/member.php?userid=734
> View this thread: https://forums.novell.com/showthread.php?t=497799



Hi Edward,

Thanks for the information. I have already shared the query string that I found
in my Fiddler app.

The URL is like this:
option=credential&target=http%3A%2F%2Fcore.rbi1.rbi.org.in%2FDICGC%2F&Ecom_User_ID=DSCSL-12&Ecom_Password=Newuser%40123

I want to know: in my Identity Injection policy I have added only the
username as a header, but here in the query string it is passing the password as
well. I have checked all the possibilities but I didn't find why the password is
also getting passed in the session.

Thanks
Sarita


--
DICGC
------------------------------------------------------------------------
DICGC's Profile: https://forums.netiq.com/member.php?userid=11372
View this thread: https://forums.netiq.com/showthread.php?t=55691

Anonymous_User

Re: NetIQ AM SSO for web application

DICGC wrote:


> I want to know in my Identity Injection policy I have added only
> username as header but here in query string it is passing password as
> well. I have check all the possibility but i didnt find why password
> is also getting passed in session.


Are you sure you have the right type of policy? You should be using
'Inject into custom header'.

Give the header a name and then select the value. If you for example
want to inject the username from the authentication you can select
'Credential Profile | LDAP Credentials: LDAP Username'.

Hopefully this helps.



--
Cheers,
Edward