liamr

SAML NMAS authentication for LDAP?


We are changing web SSO technologies, need to move some of our LDAP
backed web applications away from using GSSAPI-based authentication.
The apps in question are provided kerberos TGTs by our SSO, which the
applications then use to bind (as the user), accessing the LDAP backend
with the user's credentials.

We're using the Shibboleth Identity Provider (v3.x) - which provides
SAML2 based authentication. We do not use NAM in our environment.
I'm not sure how this would be feasible... but is it possible to use a
SAML authn response when binding over LDAP?

Liam


--
liamr
------------------------------------------------------------------------
liamr's Profile: https://forums.netiq.com/member.php?userid=1044
View this thread: https://forums.netiq.com/showthread.php?t=57358


Re: SAML NMAS authentication for LDAP?

eDirectory has a NMAS login method that supports SAML.
I'm not sure if it is SAML 2.0 or 1.0.

NetIQ's own products use it for LDAP binding with SAML, for example
Identity Manager User Application/One SSO Provider.

The nice thing is that they set up everything for you (certificates and
trusted roots).

If you use IDM, I'm sure you can figure out how it is used.

The latest SAML login method for eDirectory is available in the IDM
4.5.5 Engine Patch.


On 2017-02-13 19:57, liamr wrote:
>
> We are changing web SSO technologies, need to move some of our LDAP
> backed web applications away from using GSSAPI-based authentication.
> The apps in question are provided kerberos TGTs by our SSO, which the
> applications then use to bind (as the user), accessing the LDAP backend
> with the user's credentials.
>
> We're using the Shibboleth Identity Provider (v3.x) - which provides
> SAML2 based authentication. We do not use NAM in our environment.
> I'm not sure how this would be feasible... but is it possible to use a
> SAML authn response when binding over LDAP?
>
> Liam
>
>


Re: SAML NMAS authentication for LDAP?

On 2/15/2017 2:54 AM, alekz wrote:
> eDirectory has a NMAS login method that supports SAML.
> I'm not sure if it is SAML 2.0 or 1.0.
>
> NetIQ's own products use it for LDAP binding with SAML, for example
> Identity Manager User Application/One SSO Provider.
>
> The nice thing is that they set up everything for you (certificates and
> trusted roots).
>
> If you use IDM, I'm sure you can figure out how it is used.
>
> The latest SAML login method for eDirectory is available in the IDM
> 4.5.5 Engine Patch.


I was going to ask you how we know it makes an LDAP bind over SAML. I
know it uses SAML, but of course to what end, other than an LDAP bind...
since UA does all its queries over LDAP.

My guess is you need to specify an LDAP extension/control when binding
for it to work. Not sure how you pass the assertion, but clearly UA is
doing it.

liamr

Re: SAML NMAS authentication for LDAP?


Apparently Novell / NetIQ has implemented a SAML SASL mechanism.
I went poking around the UserApp war file at Geoff's suggestion, and
I found a samlsasl.jar in the userapp WEB-INF/lib directory.

2379591644:novell liamr$ ldapsearch -h localhost -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: NMAS_LOGIN
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: SAML

I knew there was an RFC for such a mechanism...

https://tools.ietf.org/html/draft-ietf-kitten-sasl-saml-09

...but never found any evidence that it had been implemented.

Our IDM 4.5 servers are the only ones advertising the "SAML" mechanism,
so I wonder if this is recent-ish?

Liam



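Before moving applications onto the SAML mechanism, a practitioner would want to confirm that every directory server the applications may bind to actually advertises it in its rootDSE, not just the IDM servers. The following is an added example, not code from the thread or from NetIQ: it parses the LDIF that the ldapsearch command above prints for each server (host names and outputs are constructed for this example) and reports which servers lack the mechanism, handling LDIF line folding and base64 values along the way.

```python
import base64

# Constructed rootDSE output per hypothetical host; only the IDM server lists SAML.
SAMPLE_ROOTDSE = {
    "idm-server": (
        "dn:\n"
        "supportedSASLMechanisms: NMAS_LOGIN\n"
        "supportedSASLMechanisms: GSSAPI\n"
        "supportedSASLMechanisms: SAML\n"
    ),
    "edir-replica-1": (
        "dn:\n"
        "supportedSASLMechanisms: NMAS_LOGIN\n"
        "supportedSASLMechanisms: GSSAPI\n"
    ),
    # LDIF folds long values onto a following line that starts with one
    # space, and '::' marks a base64 value; a parser must handle both.
    "edir-replica-2": (
        "dn:\n"
        "supportedSASLMechanisms: NMAS_\n"
        " LOGIN\n"
        "supportedSASLMechanisms:: R1NTQVBJ\n"  # base64 of "GSSAPI"
    ),
}

def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_sasl_mechanisms(ldif_text):
    """Return the set of supportedSASLMechanisms values in a rootDSE LDIF."""
    mechs = set()
    for line in unfold_ldif(ldif_text):
        if line.startswith("supportedSASLMechanisms:: "):
            mechs.add(base64.b64decode(line.split(":: ", 1)[1]).decode())
        elif line.startswith("supportedSASLMechanisms: "):
            mechs.add(line.split(": ", 1)[1].strip())
    return mechs

def servers_missing(mechanism, outputs=SAMPLE_ROOTDSE):
    """Hosts whose rootDSE does not advertise `mechanism`, sorted by name."""
    return sorted(host for host, text in outputs.items()
                  if mechanism not in parse_sasl_mechanisms(text))
```

In a real environment, feed `servers_missing` a dict of the ldapsearch output captured from each server an application's LDAP URL or load balancer can reach.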

Re: SAML NMAS authentication for LDAP?

liamr wrote:

> Our IDM 4.5 servers are the only ones advertising the "SAML" mechanism,
> so I wonder if this is recent-ish?


I'm pretty sure it was added when moving to OSP for UA authentication.

--
http://www.is4it.de/en/solution/identity-access-management/


Re: SAML NMAS authentication for LDAP?

On 2/16/2017 2:34 AM, Lothar Haeger wrote:
> liamr wrote:
>
>> Our IDM 4.5 servers are the only ones advertising the "SAML" mechanism,
>> so I wonder if this is recent-ish?

>
> I'm pretty sure it was added when moving to OSP for UA authentication.


I think it predates OSP, and started with the support in 3.7 or 4 for
Kerberos and SAP Logon tickets. Basically, any method where you do not
have the password in hand needs the NMAS SAML method to auth to eDir.
Absolutely OSP requires it, but it was there before.

The funny part is that NMAS modules are stored as binary streams in
attributes in the directory, so you actually need one per platform, and
there was a time when certain platforms were supported and this was an
issue.

