
Validate NAM Session??


I have an internal site that would like to utilize NAM for
authentication, however they don't want to utilize the reverse proxy. I
was thinking of just setting up a RP for them to redirect users to when
authentication is needed. The question is how can they check the user
has a valid session? I'm assuming there's some information in the
cookie or headers they could use, but how would they be able to confirm
its validity and that it came from NAM? I don't work with NAM
extensively, so this may be something really simple and I'm just
overlooking or overthinking it.

Any insight would be greatly appreciated!!


JK


--
jkinney
------------------------------------------------------------------------
jkinney's Profile: https://forums.netiq.com/member.php?userid=296
View this thread: https://forums.netiq.com/showthread.php?t=47751


Re: Validate NAM Session??


jkinney;229501 Wrote:
> I have an internal site that would like to utilize NAM for
> authentication, however they don't want to utilize the reverse proxy. I
> was thinking of just setting up a RP for them to redirect users to when
> authentication is needed. The question is how can they check the user
> has a valid session? I'm assuming there's some information in the
> cookie or headers they could use, but how would they be able to confirm
> its validity and that it came from NAM? I don't work with NAM
> extensively, so this may be something really simple and I'm just
> overlooking or overthinking it.
>
> Any insight would be greatly appreciated!!
>
>
> JK


The one way I know of is to use SAML. Have the NAM IDP be an IDP and
the origin web server configured to function as a SAML SP that trusts
the NAM IDP. Then no reverse proxy needed for the origin web server.

At least that's the only way I've ever done it.


--
kjhurni
------------------------------------------------------------------------
kjhurni's Profile: https://forums.netiq.com/member.php?userid=322

Re: Validate NAM Session??


The problem is most of these internal apps are home grown and don't have
SAML support. It's something they could potentially add at a later
time, but the immediate need is to provide valid session authentication
and a way for their app to know whether the user is authenticated via
NAM & if so, if the session is valid. I would assume there's something
in the cookie or header they could use to validate.

Thanks for the feedback!!


JK


--
jkinney

Re: Validate NAM Session??


jkinney;229574 Wrote:
> The problem is most of these internal apps are home grown and don't have
> SAML support. It's something they could potentially add at a later
> time, but the immediate need is to provide valid session authentication
> and a way for their app to know whether the user is authenticated via
> NAM & if so, if the session is valid. I would assume there's something
> in the cookie or header they could use to validate.
>
> Thanks for the feedback!!
>
>
> JK


There is a NAM cookie, but to my knowledge, the only time I've ever used
it is when:
a) You have a product that's capable of reading/interpreting the NAM
cookie (the NetIQ IDM UserApp is the only thing I'm aware of currently
other than NAM itself)
b) You still have to reverse proxy the IDM UserApp with the NAM AG
because you have to create an Identity Injection Policy that injects the
cookie into the header to send to the origin web server.

Someone else may know if it's possible without using the AG at all, but
other than SAML, I'm not aware of how to do that.


--
kjhurni

Re: Validate NAM Session??


jkinney;229574 Wrote:
> The problem is most of these internal apps are home grown and don't have
> SAML support. It's something they could potentially add at a later
> time, but the immediate need is to provide valid session authentication
> and a way for their app to know whether the user is authenticated via
> NAM & if so, if the session is valid. I would assume there's something
> in the cookie or header they could use to validate.
>
> Thanks for the feedback!!
>
>
> JK


As mentioned, your best bet is to use SAML--that's what it's designed
for. Trying to base authentication on a cookie like that is not safe.
If you don't want to retrofit your applications, and cannot use the
native NAM Agent, then I'd suggest installing a third-party SP package
like Shibboleth SP, which just speaks SAML. Access Manager can
interface with that, and all your applications have to do is read the
Shibboleth-Session-ID environment variable to ensure you have a valid
session.


--
adamdn01
------------------------------------------------------------------------
adamdn01's Profile: https://forums.netiq.com/member.php?userid=2226
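
The session check described in the reply above, as an added example (not part of the original post, and not NetIQ or Shibboleth project code). It assumes a Python WSGI app behind Apache with Shibboleth SP exporting session data as request environment variables under Shibboleth's documented name `Shib-Session-ID`, and an SP configured to populate `REMOTE_USER`; the function names and sample values are hypothetical.

```python
# Added example: WSGI guard for a home-grown app behind Shibboleth SP.
# Assumption: the SP sets "Shib-Session-ID" and REMOTE_USER in the request
# environment. A header sent by the browser would instead show up with an
# HTTP_ prefix (e.g. HTTP_SHIB_SESSION_ID) and is deliberately never read.

SESSION_VAR = "Shib-Session-ID"

def shib_session(environ):
    """Return (session_id, user) if the SP vouches for the request, else None."""
    sid = environ.get(SESSION_VAR, "")
    user = environ.get("REMOTE_USER", "")
    if not sid or not user:
        return None
    return sid, user

def require_shib(app):
    """Middleware: refuse requests the SP did not mark as authenticated."""
    def guarded(environ, start_response):
        session = shib_session(environ)
        if session is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"No SP session\n"]
        environ["app.user"] = session[1]   # identity comes from the SP only
        return app(environ, start_response)
    return guarded

def hello(environ, start_response):
    """Stand-in for the internal application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("Hello " + environ["app.user"] + "\n").encode()]

def call(app, environ):
    """Run a WSGI app once and return (status, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"] = status
    body = b"".join(app(environ, start_response))
    return seen["status"], body

# Constructed sample requests (not real session data).
FROM_SP = {"Shib-Session-ID": "_constructed_session_id", "REMOTE_USER": "jdoe"}
HEADER_ONLY = {"HTTP_SHIB_SESSION_ID": "_constructed", "HTTP_REMOTE_USER": "admin"}

if __name__ == "__main__":
    print(call(require_shib(hello), dict(FROM_SP)))
    print(call(require_shib(hello), dict(HEADER_ONLY)))
```

The guard only holds if the SP module is the sole path to the application; an app port reachable directly would see no SP-set variables at all and every request would be refused rather than trusted.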