fp_idmworks Super Contributor.

3.5 -- IG configuration with Access Manager

Where is the metadata URL for IG?
I'm needing a Destination URL, EntityID, Logout response URL and Logout URL when I attempt to create a new SAML application within Access Manager 4.4.4 appliance.


A customer is already implementing Identity Application with Access Manager

We are installing IG 3.5 into their environment. My thoughts are to configure OSP with SAML so that it would be somewhat similar to their Identity Application configuration.
I may be missing the mark completely on this. Can someone point me in the right direction?
Knowledge Partner

Re: 3.5 -- IG configuration with Access Manager

On 3/13/2019 1:04 PM, fp IDMWORKS wrote:
>
> Where is the metadata URL for IG?
> I'm needing a Destination URL, EntityID, Logout response URL and Logout
> URL when I attempt to create a new SAML application within Access
> Manager 4.4.4 appliance.
>
>
> A customer is already implementing Identity Application with Access
> Manager
>
> We are installing IG 3.5 into their environment. My thoughts are to
> configure OSP with SAML so that it would be somewhat similar to their
> Identity Application configuration.
> I may be missing the mark completely on this. Can someone point me in
> the right direction?


Yes. OSP is the SAML endpoint for IDG.

In theory you could configure NAM to provide OAuth services to IDG. But
the supported out of the box model is IDG does OAuth to OSP. OSP does
logins via Name/Password, file, SAML, or Kerb direct.


fp_idmworks Super Contributor.

Re: 3.5 -- IG configuration with Access Manager

The documentation for 3.5 states:

Understanding Authentication with Single Sign-On
Identity Governance allows the following authentication service configurations to achieve single sign-on in your environment:
 OSP
 Access Manager
 Access Manager connecting to OSP with SAML


So I'm assuming that a metadata URL or XML would be available for IG.
Micro Focus Expert

Re: 3.5 -- IG configuration with Access Manager

On 3/13/19 1:44 PM, fp IDMWORKS wrote:
>
> The documentation for 3.5 states:
>
> Understanding Authentication with Single Sign-On
> Identity Governance allows the following authentication service
> configurations to achieve single sign-on in your environment:
>  OSP
>  Access Manager
>  Access Manager connecting to OSP with SAML
>
>
> So I'm assuming that a metadata URL or XML would be available for IG.
>
>

Greetings,
No. I answered something similar here in the forums. With ID Gov
3.5 and ID Reporting 6.5 one can have

client --> OSP ==OAUTH==> ID Gov/ ID reporting

client --> NAM ==SAML==> OSP ==OAUTH==> ID Gov/ ID reporting

client --> NAM ==OAUTH==> ID Gov/ ID reporting


In the case where NAM provides the OAUTH you do not install OSP. If you
did install OSP then there are steps that one can do via configupdate
post install so that OSP will not be utilized.

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
Knowledge Partner

Re: 3.5 -- IG configuration with Access Manager

>>  Access Manager
>
>    No.  I answered something similar here in the forums.  With ID Gov
> 3.5 and ID Reporting 6.5 one can have
>
> client --> NAM ==OAUTH==> ID Gov/ ID reporting

Oh goodie, I did not know that was officially supported now. Great.

> In the case where NAM provides the OAUTH you do not install OSP.  If you
> did install OSP then there are steps that one can do via configupdate
> post install so that OSP will not be utilized.
>

Micro Focus Expert

Re: 3.5 -- IG configuration with Access Manager

On 3/13/19 2:30 PM, Geoffrey Carman wrote:
>>>  Access Manager
>
>>     No.  I answered something similar here in the forums.  With ID Gov
>> 3.5 and ID Reporting 6.5 one can have
>
>>
>> client --> NAM ==OAUTH==> ID Gov/ ID reporting
>
> Oh goodie, I did not know that was officially supported now. Great.
>
>
>> In the case where NAM provides the OAUTH you do not install OSP.  If
>> you did install OSP then there are steps that one can do via
>> configupdate post install so that OSP will not be utilized.
>>
>

Greetings,
Keep in mind that the

client --> NAM ==OAUTH==> ID Gov/ ID Reporting

cannot be used if you want to SSO into the ID Apps. The current
versions (4.6.x and 4.7.x) do not support this yet. So you would have
to stay with

client --> NAM ==SAML==> OSP ==OAUTH==> ID Gov/ ID reporting



--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
Knowledge Partner

Re: 3.5 -- IG configuration with Access Manager

On 3/13/2019 3:55 PM, Steven Williams wrote:
> On 3/13/19 2:30 PM, Geoffrey Carman wrote:
>>>>  Access Manager
>>
>>>     No.  I answered something similar here in the forums.  With ID
>>> Gov 3.5 and ID Reporting 6.5 one can have
>>
>>>
>>> client --> NAM ==OAUTH==> ID Gov/ ID reporting
>>
>> Oh goodie, I did not know that was officially supported now. Great.
>>
>>
>>> In the case where NAM provides the OAUTH you do not install OSP.  If
>>> you did install OSP then there are steps that one can do via
>>> configupdate post install so that OSP will not be utilized.
>>>
>>
> Greetings,
>    Keep in mind that the
>
> client --> NAM ==OAUTH==> ID Gov/ ID Reporting
>
> cannot be used if you want to SSO into the ID Apps.  The current
> versions (4.6.x and 4.7.x) do not support this yet.  So you would have
> to stay with
>
> client --> NAM ==SAML==> OSP ==OAUTH==> ID Gov/ ID reporting


Is that an Identity Apps side issue or an OSP side issue? Even as I ask
that, since the goal is to remove OSP, it must be Identity Apps side.

Thus the question is, do the apps require changes to use the OAuth as
offered by NAM vs OSP?

Can NAM be configured to make it work?

Put another way, what is the issue, perhaps it is fixable on the NAM
OAuth provider side?

Micro Focus Expert

Re: 3.5 -- IG configuration with Access Manager

On 3/13/19 4:59 PM, Geoffrey Carman wrote:
> On 3/13/2019 3:55 PM, Steven Williams wrote:
>> On 3/13/19 2:30 PM, Geoffrey Carman wrote:
>>>>>  Access Manager
>>>
>>>>     No.  I answered something similar here in the forums.  With ID
>>>> Gov 3.5 and ID Reporting 6.5 one can have
>>>
>>>>
>>>> client --> NAM ==OAUTH==> ID Gov/ ID reporting
>>>
>>> Oh goodie, I did not know that was officially supported now. Great.
>>>
>>>
>>>> In the case where NAM provides the OAUTH you do not install OSP.  If
>>>> you did install OSP then there are steps that one can do via
>>>> configupdate post install so that OSP will not be utilized.
>>>>
>>>
>> Greetings,
>>     Keep in mind that the
>>
>> client --> NAM ==OAUTH==> ID Gov/ ID Reporting
>>
>> cannot be used if you want to SSO into the ID Apps.  The current
>> versions (4.6.x and 4.7.x) do not support this yet.  So you would have
>> to stay with
>>
>> client --> NAM ==SAML==> OSP ==OAUTH==> ID Gov/ ID reporting
>
> Is that an Identity Apps side issue or an OSP side issue?  Even as I ask
> that, since the goal is to remove OSP, it must be Identity Apps side.
>
> Thus the question is, do the apps require changes to use the OAuth as
> offered by NAM vs OSP?
>
> Can NAM be configured to make it work?
>
> Put another way, what is the issue, perhaps it is fixable on the NAM
> OAuth provider side?
>

Greetings,

1) Changes are required within the ID Apps to support/work with OAuth
from NAM

2) NAM cannot be configured to "work around it" in this situation.

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
Micro Focus Expert

Re: 3.5 -- IG configuration with Access Manager

On 3/13/19 1:04 PM, fp IDMWORKS wrote:
>
> Where is the metadata URL for IG?
> I'm needing a Destination URL, EntityID, Logout response URL and Logout
> URL when I attempt to create a new SAML application within Access
> Manager 4.4.4 appliance.
>
>
> A customer is already implementing Identity Application with Access
> Manager
>
> We are installing IG 3.5 into their environment. My thoughts are to
> configure OSP with SAML so that it would be somewhat similar to their
> Identity Application configuration.
> I may be missing the mark completely on this. Can someone point me in
> the right direction?
>
>

Greetings,
If you run configupdate, from the ID Gov set-up it will create the
necessary within NAM for the SAML integration.

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
fp_idmworks Super Contributor.

Re: 3.5 -- IG configuration with Access Manager

So when running the configupdate.sh, I choose to use Access Manager as the Authentication source and I put in the data to have it configure and it came back with an exception:

Caused by: java.security.cert.CertificateException: No name matching am4.example.com

I made sure that nslookup is showing the DNS return right on the IG server. The certificate associated looks right as well on the AM server. I tried rebooting my DNS server and other servers just in case, but still have the same error.

The certificate looks right, as the CN value shows am4.example.com as well.

What is the best way to turn this checking off on the IG server? Not recommended, but just wanting to get it up and working in my lab.

I'm assuming if I needed a certificate imported from the AM server to the IG server's cacerts or other keystore, it would have given a different error.

thanks,
Fred
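The exception above comes from Java's hostname verifier (sun.security.util.HostnameChecker), which compares only dNSName SAN entries when the certificate has any and consults the subject CN only when it has none; the two failures carry different messages, so "No name matching <host> found" means the certificate Java actually received had no dNSName SAN and its CN did not match. The script below is an added example, not from the thread or from Micro Focus: it fetches the certificate as presented on the wire and applies the same rule, so the names Java saw can be compared with the ones shown in the admin console. Host, port and CA-file values are assumptions.

```python
"""Added example: apply Java's HostnameChecker rule to a server certificate.
Java matches only dNSName SAN entries when any exist and falls back to the
subject CN only when there are none; the message text differs per branch.
Host, port and CA file are assumptions, not values from the thread."""
import socket
import ssl
from typing import List, Optional, Tuple


def _name_match(presented: str, host: str) -> bool:
    """Case-insensitive match; '*' may replace only the whole left-most label."""
    p, h = presented.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in p:
        return p == h
    pl, hl = p.split("."), h.split(".")
    return len(pl) == len(hl) >= 3 and pl[0] == "*" and pl[1:] == hl[1:]


def java_hostname_verdict(host: str, san_dns: List[str], cn: Optional[str]) -> Optional[str]:
    """None when the name is accepted, else the message Java would raise."""
    if san_dns:                       # SAN present: the CN is never consulted
        if any(_name_match(n, host) for n in san_dns):
            return None
        return f"No subject alternative DNS name matching {host} found."
    if cn is not None and _name_match(cn, host):
        return None
    return f"No name matching {host} found"


def names_from_peercert(cert: dict) -> Tuple[List[str], Optional[str]]:
    """Extract dNSName SANs and the CN from ssl.SSLSocket.getpeercert() output."""
    san_dns = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn
               if k == "commonName"), None)
    return san_dns, cn


def check_server(host: str, port: int = 443, cafile: Optional[str] = None) -> dict:
    """Fetch the certificate presented for `host` (sent as SNI), validate the
    chain against cafile or the system store, and report names plus verdict.
    A missing trust anchor raises ssl.SSLCertVerificationError before any name
    is compared, the analogue of Java's separate PKIX path error."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False        # the rule is applied explicitly above
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            san_dns, cn = names_from_peercert(tls.getpeercert())
    return {"san_dns": san_dns, "cn": cn,
            "verdict": java_hostname_verdict(host, san_dns, cn)}


if __name__ == "__main__":
    import sys  # usage: python cert_names.py am4.example.com 8443 [lab-ca.pem]
    a = sys.argv[1:]
    print(check_server(a[0], int(a[1]) if len(a) > 1 else 443,
                       a[2] if len(a) > 2 else None))
```

If the reported cn and san_dns differ from the certificate seen in the Access Manager console, the listener the IG server connects to is presenting a different certificate, and adding the expected host as a dNSName SAN on that certificate resolves the check without disabling verification.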
fp_idmworks Super Contributor.

Re: 3.5 -- IG configuration with Access Manager

Trying to work through this document: https://www.netiq.com/documentation/identity-manager-47/identity_apps_admin/data/saml-authentication-for-single-sign-on.html

It appears to make the most sense so far. I'm assuming it can be used in conjunction with the OSP version that comes with IG. Anything that should be considered differently?
Micro Focus Expert

Re: 3.5 -- IG configuration with Access Manager

On 3/15/19 2:04 PM, fp IDMWORKS wrote:
>
> Trying to work through this document:
> https://www.netiq.com/documentation/identity-manager-47/identity_apps_admin/data/saml-authentication-for-single-sign-on.html
>
> It appears to make the most sense so far. I'm assuming it can be used in
> conjunction with the OSP version that comes with IG. Anything that should
> be considered differently?
>
>

Greetings,
The version of configupdate that comes with ID Gov 3.5 has more
functionality. You can follow those steps for the configuration of
"auto" SAML set-up in NAM. I was pretty sure they were in the ID Gov
doc as well. Will have to review the public doc again.

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
fp_idmworks Super Contributor.

Re: 3.5 -- IG configuration with Access Manager

As an update for anybody following this, see the forum post: https://forums.novell.com/showthread.php/511804-IG-3-5-authenctiction-to-to-NAM-4-4-4-using-OATH

Documentation will be coming. I will try to remember to post here the link when it is available. I have an open ticket on it as well.