Novell ACCESS MANAGER 3.1 SP1 - IDENTITY SERVER Manual
AUTHORIZED DOCUMENTATION
Identity Server Guide
Novell
®
Access Manager
3.1 SP1
March 17, 2010
www.novell.com
Novell Access Manager 3.1 SP1 Identity Server Guide
Summary of Contents for Novell ACCESS MANAGER 3.1 SP1 - IDENTITY SERVER

  • Page 2: Legal Notices

    Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
  • Page 3 Novell Trademarks For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html). Third-Party Materials All third-party trademarks are the property of their respective owners.
  • Page 5: Table Of Contents

    Contents About This Guide 1 Configuring an Identity Server Managing a Cluster Configuration ... 13 1.1.1 Creating a Cluster Configuration ...
  • Page 6 Managing Metadata ... 156 5.4.5 Configuring an Authentication Request for an Identity Provider ... 159
  • Page 7 5.4.6 Configuring an Authentication Response for a Service Provider ....162 5.4.7 Managing the Authentication Card of an Identity Provider ....165 6 Configuring CardSpace Overview of the CardSpace Authentication Process .
  • Page 8 WSF (Web Services Framework) ... 266
  • Page 9 11.6.9 Clustering ... 268 11.6.10 LDAP ...
  • Page 10 Writing Data Model Extension XML ... 322
  • Page 11: About This Guide

    This guide is intended to help you understand and configure all of the features provided by the Identity Server, and includes advanced topics. It is recommended that you first become familiar with the information in the Novell Access Manager 3.1 SP1 Setup Guide, which helps you understand how to perform a basic Identity Server configuration, set up a resource protected by an Access Gateway, and configure SSL.
  • Page 12: Additional Documentation

    Novell Access Manager 3.1 SP1 SSL VPN Server Guide Novell Access Manager 3.1 SP1 Event Codes Documentation Conventions In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
  • Page 13: Configuring An Identity Server

    Configuring an Identity Server After you log in to the Administration Console, click Devices > Identity Servers. The system displays the newly installed server. A newly installed Identity Server is in an unconfigured state and is halted. It remains in this state and cannot function until you create an Identity Server configuration and assign the Identity Server to the new configuration.
  • Page 14: Creating A Cluster Configuration

    Certificates for the Identity Server, identity provider, and identity consumer. Authentication settings, such as whether the identity provider requires signed authentications from service providers. The service domains used for publishing and discovering authentications.
  • Page 15 Organizational and contact information for the server, which is published in the metadata of the Liberty and SAML protocols. The LDAP directories (user stores) used to authenticate users, and the trusted root for secure communication between the Identity Server and the user store. To create an Identity Server configuration: 1 In the Administration Console, click Devices >...
  • Page 16 Session Timeout: Specify the session inactivity time allowed before timing out. This is a global setting that applies to any resource that authenticates to this Identity Server or Identity Server cluster. The default setting is 60 minutes.
  • Page 17 This is a security setting: Lower it if you want idle sessions to time out with a smaller window of opportunity for someone to take over a session of a user who takes a break, leaving an active session unattended. Increase it if you want to allow idle users to have a longer time period before they are forced to log in again.
  • Page 18 10 Click Next to configure the user store. You must reference your own user store and auto-import the SSL certificate. See Section 2.1.2, “Configuring the User Store,” on page 77 for information about this procedure.
  • Page 19: Assigning An Identity Server To A Cluster Configuration

    11 After you configure the user store, the system displays the new configuration on the Servers page. The status icons for the configuration and the Identity Server should turn green. It might take several seconds for the Identity Server to start and for the system to display a green light. If it does not, it is likely that the Identity Server is not communicating with the user store you set up.
  • Page 20: Removing A Server From A Cluster Configuration

    Removing an Identity Server from a configuration disassociates the Identity Server from the cluster configuration. The configuration, however, remains intact and can be reassigned later or assigned to another server. 1 In the Administration Console, click Devices > Identity Servers.
  • Page 21: Managing A Cluster With Multiple Identity Servers

    (hash/sticky bit), defined at the Real server level. For configuration tips, see “Configuration Tips for the L4 Switch” in the Novell Access Manager 3.1 SP1 Setup Guide. Persistence (sticky) sessions enabled on the L4 switch. Normally you define this at the virtual server level.
  • Page 22 Setup 1 Install the additional Identity Servers. During installation, choose option 2, Install Novell Identity Server. You run the installation for each new Identity Server you want to add. Specify the IP address and administration credentials of each additional Identity Server. If you are installing on a machine without the Administration Console, the installation asks you for the Administration Console’s IP address.
  • Page 23 The system displays the Cluster Details page, which lets you manage the configuration’s cluster details, health, alerts, and statistics. 4 Click Edit. 5 Fill in the following fields as required: Cluster Communication Backchannel: Specify a communications channel over which the cluster members maintain the integrity of the cluster.
  • Page 24: Enabling And Disabling Protocols

    2 Change the protocol, domain, port, and application settings, as necessary. 3 Click OK. 4 On the Identity Servers page, click Update. This re-creates the trusted Identity Server configuration to use the new Base URL and metadata.
  • Page 25: Customizing Identity Server Messages

    For information about setting up SSL and changing an Identity Server from HTTP to HTTPS, see “Enabling SSL Communication” in the Novell Access Manager 3.1 SP1 Setup Guide. 1.2 Customizing Identity Server Messages Section 1.2.1, “Customizing Messages,” on page 25 Section 1.2.2, “Customizing the Branding of the Error Page,”...
  • Page 26 For example: \u5c71 9 Save the file. 10 Copy the custom properties file to the following directory on all Identity Servers in the cluster: Linux: /var/opt/novell/tomcat5/webapps/nidp/WEB-INF/classes Windows: C:\Program Files\Novell\Tomcat\webapps\nidp\WEB-INF\classes
  • Page 27: Customizing The Branding Of The Error Page

    <Error Description>, Attempting to load Custom Properties Files! To create custom error pages for the Access Gateway, see “Customizing Error Pages on the Gateway Appliance” in the Novell Access Manager 3.1 SP1 Access Gateway Guide. 1.2.2 Customizing the Branding of the Error Page The following page (err.jsp) is returned when the Identity Server encounters an error:...
  • Page 28 You can customize the following items: The window title and the display title. See “Customizing the Titles” on page The header image and the Novell logo. See “Customizing the Images” on page Background colors. See “Customizing the Colors” on page Customizing the Titles The window title appears in the browser title bar.
  • Page 29: Customizing Tooltip Text For Authentication Contracts

    Replace the value of the attribute with the path and filename of the image you want to use. To replace the Novell logo image, locate the following text in the body of the file. <div id="logo"><img src="/nesp/images/AccessMan31_Nlogo.png"></div> Replace the value of the attribute with the path and filename of the image you want to use.
  • Page 30: Customizing The Identity Server Login Page

    For information on customizing these messages and pages, see the following: “Customizing Identity Server Messages” on page 25 “Customizing Error Pages on the Gateway Appliance” in the Novell Access Manager 3.1 SP1 Access Gateway Guide
  • Page 31: Selecting The Login Page And Modifying It

    The upgrade process overrides any custom changes made to JSP files that use the same filename as those included with the product. During an upgrade, you can select to restore custom login pages, but Novell still recommends that you have your own backup of any customized files.
  • Page 32 2d Click OK. 3 Update the Identity Server. 4 Copy the login.jsp file and rename it. The JSP files are located on the Identity Server in the following directory: Linux: /var/opt/novell/tomcat5/webapps/nidp/jsp Windows: C:\Program Files\Novell\Tomcat\webapps\nidp\jsp
  • Page 33 WEB-INF/classes Server in the cluster. 7e Restart Tomcat on each Identity Server. Linux Identity Server: Enter the following command: /etc/init.d/novell-tomcat5 restart Windows Identity Server: Enter the following commands: net stop Tomcat5 net start Tomcat5 8 To view a sample custom page with these modifications, see Section A.1, “Modified login.jsp...
  • Page 34 Linux: /var/opt/novell/tomcat5/webapps/nidp/jsp Windows: C:\Program Files\Novell\Tomcat\webapps\nidp\jsp 2 Replace the header title that appears in the top frame (“Novell Access Manager” in Figure 1-3): 2a Locate the following string at the top of the file. String hdrTitle = handler.getResource(JSPResDesc.PRODUCT); 2b Replace the value with the title you want to appear. For example: String hdrTitle = "My Company"...
  • Page 35 /custom_images images string would have a value similar to the following: String hdrImage = "/custom_images/myapp.png" 5 Replace the Novell logo on the right of the header (see Figure 1-3): 5a Locate the following string: String hdrLogo = "AMHeader_logo.png"; 5b Replace the value of the...
  • Page 36 %EMail_Address% custom login page. For more information on how to use this property, see “Query Property” on page 1f In the Properties section, click New, then specify the following values:
  • Page 37 Linux: /var/opt/novell/tomcat5/webapps/nidp/jsp Windows: C:\Program Files\Novell\Tomcat\webapps\nidp\jsp 4 (Conditional) If you modified the %Ecom_User_ID% variable, find the string in the file and replace it with your variable. 5 (Conditional) If you need to support only one language, modify the prompt in the login.jsp...
  • Page 38 If you need a login page that doesn’t use iframes, you can use the 3.0 login page as the starting file for your custom login page. Figure 1-4 illustrates the default look and feel of this page.
  • Page 39 Access Manager 3.0 Default Login Page Figure 1-4 You can change the Novell branding and modify the credential prompts. “Modifying the Branding in the 3.0 Login Page” on page 39 “Modifying the Credentials in the 3.0 Login Page” on page 40 Modifying the Branding in the 3.0 Login Page...
  • Page 40 “Query Property” on page 1f Click OK. 1g Create a contract that uses this method. For information on configuring a contract, see Section 2.4, “Configuring Authentication Contracts,” on page 1h Update the Identity Server.
  • Page 41 3e Copy the custom login page to the JSP directory of each Identity Server in the cluster. 3f Restart Tomcat on each Identity Server. Linux Identity Server: Enter the following command: /etc/init.d/novell-tomcat5 restart Windows Identity Server: Enter the following commands: net stop Tomcat5 net start Tomcat5 4 (Optional) To view a customized 3.0 login page, see...
  • Page 42: Configuring The Identity Server To Use Custom Login

    This property (custom1) determines which login page is displayed when this method is used. The filename cannot contain nidp as part of its name.
  • Page 43 For more information about setting property values, see Section 2.2.2, “Specifying Common Class Properties,” on page 1f (Conditional) If you created multiple custom login pages, repeat Step 1b through Step 1e for each page. 2 For each method that you modified for a custom login page, create a contract: 2a Click Contracts, then click New.
  • Page 44 1c In the Properties section, add a Query property if the page uses custom credentials. For example, to add an email address to the login prompts, add the following property: Property Name: Query Property Value: (&(objectclass=person)(mail=%Ecom_User_ID%))
  • Page 45 Linux: /var/opt/novell/tomcat5/webapps/nidp/jsp Windows: C:\Program Files\Novell\Tomcat\webapps\nidp\jsp 3b Near the top of the file, add the following line: String strContractURI = hand.getContractURI(); This sets the strContractURI variable to the value of the contract URI that is being used for authentication. These lines should look similar to the following:...
  • Page 46 ContentHandler hand = new ContentHandler(request,response); String strContractURI = hand.getContractURI(); // Is there a JSP defined on a class definition // or a method definition that should be displayed // as the main jsp here? if (hand.contractDefinesMainJSP())
  • Page 47: Troubleshooting Tips For Custom Login

    %> <%@ include file="mainRedirect.jsp" %> <% else if(strContractURI != null && strContractURI.equals("login1/custom1")) %> <%@ include file="custom1.jsp" %> <% else if(strContractURI != null && strContractURI.equals("login2/custom2")) %> <%@ include file="custom2.jsp" %> <% else if(strContractURI != null && strContractURI.equals("login3/custom3")) %> <%@ include file="custom3.jsp" %> <% // This is the jsp used by default else...
  • Page 48: Customizing The Identity Server Logout Page

    <body> element of the file with something similar to the following: <body> <script language="JavaScript"> top.location.href='http://<hostname/path>'; </script> </body> Replace the <hostname/path> string with the location of your customized logout page.
  • Page 49: Enabling Role-Based Access Control

    For a complete discussion on creating and configuring role policies, see “Creating Role Policies” in Novell Access Manager 3.1 SP1 Policy Management Guide. In order for a role to be assigned to users at authentication, you must enable it for the Identity Server configuration.
  • Page 50: Server

    The SOAP back channel is used for artifact resolutions and attribute queries for the Identity Web Services Framework. To view your current configuration for the SOAP back channel: 1 In the Administration Console, click Devices > Identity Servers > Edit.
  • Page 51 2 Select the protocol (Liberty, SAML 1.1, or SAML 2.0), then click the name of an identity provider or service provider. 3 Click Access. 4 View the Security section. If the Message Signing option is selected, signing is enabled for the SOAP back channel.
  • Page 52: Configuring The Identity Server For netHSM

    Server, install the netHSM client software on the other Identity Servers in the cluster. 3 At the netHSM server, configure the server to allow the Identity Server to be a client. Check your netHSM documentation for the specific steps.
  • Page 53 Linux: /opt/novell/devman/share/conf Windows: C:\Program Files\Novell\Tomcat\webapps\roma\WEB-INF\conf 6b Change the ports from 9000 and 9001 to another value, such as 9010 and 9011. The lines should look similar to the following: <stringParam name="ExecutorPort" value="9010" /> <stringParam name="SchedulerPort" value="9011" />...
  • Page 54 If you have a Windows netHSM client, the command is located in the following directory: c:\Program Files\Java\jdk1.5.0_14\jre\bin\java If you have a Linux netHSM client, the command is located in the following directory: /opt/novell/java/bin/java
  • Page 55 To create a new key pair for nCipher: 1 On a netHSM client, add the nCipher provider to the provider list of the java.security file: 1a In a text editor, open the C:\Program Files\Java\jdk1.5.0_14\jre\lib\security\java.security file. 1b Add the following lines to the top of the list of providers: security.provider.1=com.ncipher.fixup.provider.nCipherRSAPrivateEncry security.provider.2=com.ncipher.provider.km.nCipherKM The provider section should look similar to the following:...
  • Page 56 -file: The name to be given to the certificate signing request file. In this sample configuration, the name is cert.csr. -keypass: The password for the key. In this sample configuration, the password is mypwd.
  • Page 57 Parameter Description -keystore: A name for the keystore. In this sample configuration, the name is AMstore.jks. -storepass: The password for the keystore. In this sample configuration, the password is mypwd. -storetype: The type of keystore. For nCipher, this must be set to nCipher.sworld. -provider...
  • Page 58 Identity Server. Linux: /opt/novell/devman/jcc/certs/idp Windows: C:\Program Files\Novell\devman\jcc\certs\idp The keystore is found on the netHSM client in the directory specified by the -keystore parameter when you created the keystore. See Step
  • Page 59 13a Copy the keystore to the cluster member. Copy it to the following directory: Linux: /opt/novell/devman/jcc/certs/idp Windows: C:\Program Files\Novell\devman\jcc\certs\idp 13b Make sure the novlwww user has at least read rights. 13c Use the netHSM client to synchronize the cluster member with the remote file system server.
  • Page 60 /var/opt/novell/tomcat5/webapps/nidp/WEB-INF/classes directory. If you specified a different location for this file in Step 4, use that location. 5b Add the following lines: com.novell.nidp.extern.signing.providerClass=com.ncipher.provider.km.nCipherKM com.novell.nidp.extern.signing.providerName=nCipherKM com.novell.nidp.extern.signing.keystoreType=nCipher.sworld com.novell.nidp.extern.signing.keystoreName=/opt/novell/devman/jcc/certs/idp/AMstore.jks com.novell.nidp.extern.signing.keystorePwd=mypwd com.novell.nidp.extern.signing.alias=od93 com.novell.nidp.extern.signing.keyPwd=mypwd
  • Page 61 When using module-protected keys, the key password must be null. For example: com.novell.nidp.extern.signing.keyPwd= 6 To restart Tomcat, enter the following command: /etc/init.d/novell-tomcat5 restart 7 Continue with “Verifying the Use of the nCipher Key Pair” on page Configuring a Windows Identity Server for the Certificate 1 At the Identity Server, log in as the Windows administrator.
  • Page 62 When using module-protected keys, the keystore password must be null. For example: com.novell.nidp.extern.signing.keystorePwd= <key_alias>: The alias you created for the key when you created the key. In this sample configuration, the name is od93.
  • Page 63 Variable Value <key_pwd>: When using module-protected keys, the key password must be null. For example: com.novell.nidp.extern.signing.keyPwd= 5 To restart Tomcat, enter the following commands: net stop Tomcat5 net start Tomcat5 6 Continue with “Verifying the Use of the nCipher Key Pair” on page...
  • Page 64 Continue with Step 3b Stop Tomcat with the following command: /etc/init.d/novell-tomcat5 stop 3c Stop nfast with the following command: /opt/nfast/sbin/init.d-nfast stop
  • Page 65 /etc/init.d/novell-tomcat5 restart 4f To tail the catalina.out file, enter the following command: tail -f /var/opt/novell/tomcat5/logs/catalina.out 4g Search for a list of providers. When nCipher is working, the file contains entries similar to the following and nCipher entries: Security Providers: SUN: 1.42 SUN (DSA key/parameter generation;...
  • Page 66: Configuring Secure Communication On The Identity Server

    Section 1.7.2, “Viewing Services That Use the Encryption Key Pair,” on page To force the browser connections to the Identity Server to support a specific level of encryption, see Section 1.8.3, “Forcing 128-Bit Encryption,” on page
  • Page 67: Viewing The Services That Use The Signing Key Pair

    If you are going to use introductions in your federation configuration, you need to set up the following key pairs: Identity provider: The test-provider key pair is used when you configure your Identity Server to use introductions with other identity providers and have set up a common domain name for this purpose.
  • Page 68: Viewing Services That Use The Encryption Key Pair

    1 In the Administration Console, click Devices > Identity Servers > Edit > Security.
  • Page 69 2 To view or manage keys and certificates: 2a Click any of the following links: Encryption: Displays the NIDP-encryption certificate keystore. The encryption certificate is used to encrypt specific fields or data in the assertions. Click Replace to replace the encryption certificate. Signing: Displays the NIDP-signing certificate keystore.
  • Page 70 OCSP server certificate needs to be added to this trust store. The OCSP server certificate itself is added to the trust store, not the CA certificate. For example, if you click the NIDP Trust Store, the following page appears:
  • Page 71: Security Considerations

    For additional information about managing certificates, see “Security and Certificate Management” in the Novell Access Manager 3.1 SP1 Administration Console Guide. 1.8 Security Considerations By default, all Access Manager components (Identity Server, Access Gateway, SSL VPN, and J2EE* Agents) trust the certificates signed by the local CA. We recommend that you configure the Identity Server to use an SSL certificate signed externally, and that you configure the trusted store of the service provider for each component to trust this new CA.
  • Page 72: Authentication Contracts

    1 At a command prompt, change to the Tomcat configuration directory: Linux: /var/opt/novell/tomcat5/conf Windows: C:\Program Files\Novell\Tomcat\conf 2 To the server.xml file, add the cipher suites you want to support. For 128-bit encryption, add the following line:
  • Page 73 Provider (http://java.sun.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider). 3 To activate the cipher list, restart Tomcat. Linux: Enter the following command: /etc/init.d/novell-tomcat5 restart Windows: Enter the following commands: net stop Tomcat5 net start Tomcat5 4 (Conditional) If you have multiple Identity Servers in your cluster configuration, repeat these steps on each Identity Server.
  • Page 75: Configuring Local Authentication

    Configuring Local Authentication To guard against unauthorized access, Access Manager supports a number of ways for users to authenticate. These include name/password, RADIUS token-based authentication, and X.509 digital certificates. You configure authentication at the Identity Server by creating authentication contracts that the components of Access Manager (such as an Access Gateway) can use to protect a resource.
  • Page 76: Configuring Identity User Stores

    If you add a secondary Administration Console and you have added replicas to the user store of the primary Administration Console, ensure that you also add the replicas to the secondary Administration Console.
  • Page 77: Configuring The User Store

    This ensures read/write access to all objects used by Access Manager. For more information about this user, see Section 2.1.3, “Configuring an Admin User for the User Store,” on page Each directory type uses a slightly different format for the DN: eDirectory: cn=admin,ou=users,o=novell Configuring Local Authentication...
  • Page 78 NMAS method. This method converts the Identity Server credentials to a form understood by eDirectory. This method is required if you have installed Novell SecretStore on the eDirectory server and you are going to use that SecretStore for Access Manager secrets.
  • Page 79 This option must be enabled if you use this user store as a Novell SecretStore User Store Reference in the Credential Profile details. (See Section 10.4, “Configuring Credential Profile Security and Display Settings,” on page 226.) If you have specified that this user store is a SecretStore User Store Reference, this option is enabled but not editable.
  • Page 80: Configuring An Admin User For The User Store

    “Configuring an LDAP Directory to Store the Secrets” on page If you are willing to extend the schema and add an attribute to your user object on the LDAP directory, you can store the secrets in your LDAP directory.
  • Page 81 “Configuring an eDirectory User Store to Use SecretStore” on page If your user store is eDirectory and you have installed Novell SecretStore, you can select to use the SecretStore on your eDirectory server to store the secrets. Configuring the Configuration Datastore to Store the Secrets When you use the configuration datastore of the Administration Console as the secret store, the nidswsfss attribute of the nidsLibertyUserProfile object is used to store the secrets.
  • Page 82 Port is 636 and that Use SSL is enabled. If they aren’t, click the name of the replica and reconfigure it. To configure the LDAP directory: 1 In the Administration Console, click Devices > Identity Servers > Servers > Edit > Liberty > Web Service Providers. 2 Click Credential Profile.
  • Page 83 3 Scroll to the Local Storage of Secrets section and configure the following options: Encryption Password Hash Key: (Required) Specifies the password that you want to use as a seed to create the encryption algorithm. To increase the security of the secrets, we recommend that you change the default password to a unique alphanumeric value.
  • Page 84 “Troubleshooting the Storing of Secrets” on page Configuring an eDirectory User Store to Use SecretStore For Access Manager to use Novell SecretStore, the user store must be eDirectory and Novell SecretStore must be installed there. When configuring this user store for secrets, Access Manager extends the eDirectory schema for an NMAS method.
  • Page 85 3 Scroll to the Remote Storage of Secrets section. 4 Click New under Novell Secret Store User Store References. This adds a reference to a user store where SecretStore has been installed. 5 Click the user store that you configured for SecretStore.
  • Page 86 “Secrets Aren’t Stored in the LDAP Directory” on page 88 Secrets Aren’t Stored in Novell SecretStore When you use Novell SecretStore to store the secrets, the schema on the eDirectory server must be extended, and specific SAML objects and certificates must be created.
  • Page 87 2 Browse to the Security container. 3 Look for objects similar to the following: eDirectory Tree Security AuthorizedLogin Methods <AffiliateObjectName> Trusted Root SAML Assertion Certificates <SAML_Affiliate_Object> authsamlCertContainerDN authsamlTrustedCertDN authsamlValidAfter authsamlValidBefore If the schema has been extended correctly, you can find a SAML Assertion object in the Authorized Login Methods container.
  • Page 88: Creating Authentication Classes

    Section 3.5, “Configuring Access Manager for NESCM,” on page 125 2.2.1 Creating Basic or Form-Based Authentication Classes 1 In the Administration Console, click Devices > Identity Server > Servers > Edit > Local > Classes.
  • Page 89 RADIUS Authentication,” on page 105 for configuration steps. NMASAuthClass: The authentication class used for Novell Modular Authentication Services (NMAS), which uses fingerprint and other technology as a means to authenticate a user. For instructions on using the NMAS NESCM method, see Section 3.5, “Configuring Access...
  • Page 90: Specifying Common Class Properties

    Query property. This property determines the username value for authentication. The default Query string prompts the users for the value of the CN attribute. You can modify this by requesting a different attribute in the LDAP query.
  • Page 91 The Query property can be used by the following classes or methods derived from these classes: BasicClass PasswordClass ProtectedBasicClass ProtectedPasswordClass When you specify a Query property, you must also modify the login page to prompt the user for the correct information. If you want users to enter their email address instead of the username, you need to modify the login form to prompt the user for an email address.
  • Page 92: Configuring Authentication Methods

    (name/value pairs) that override those of the authentication class. To configure a method for an authentication class: 1 In the Administration Console, click Devices > Identity Servers > Servers > Edit > Local > Methods.
  • Page 93 2 Click one of the predefined authentication methods, or click New to create one. 3 Fill in the following fields: Display Name: The name to be used to refer to the new method. Class: The authentication class to use for this method. See Section 2.2, “Creating Authentication Classes,”...
  • Page 94: Configuring Authentication Contracts

    A single contract can be specified for local logins. 1 In the Administration Console, click Devices > Identity Servers > Servers > Edit > Local > Contracts 2 Click New.
  • Page 95 3 Fill in the following fields: Display name: Specifies the name of the authentication contract. URI: Specifies a value that uniquely identifies the contract from all other contracts. For example, as an identity provider, you might want to publish the details of a contract. In this case, you can use a URL so that the link resolves to a page.
  • Page 96: Using A Password Expiration Service

    Section 2.5.1, “URL Parameters,” on page 97 Section 2.5.2, “Forcing Authentication after the Password Has Changed,” on page 97 Section 2.5.3, “Grace Logins,” on page 98 Section 2.5.4, “Federated Accounts,” on page 98
  • Page 97: Url Parameters

    This eliminates the possibility of an old password being used in an Identity Injection policy. The following example sends this parameter with https://testnidp.novell.com:8443 as the base URL of the Identity Server. <form id="externalForm" action='https://testnidp.novell.com:8443/nidp/idff/sso?sid=0&id=117&forceAuth=TRUE' method="post">
  • Page 98: Grace Logins

    These contracts are executed when a request for a specific authentication type comes from a service provider. 1 In the Administration Console, click Devices > Identity Servers > Servers > Edit > Local > Defaults
  • Page 99: Managing Direct Access To The Identity Server

    Gateway configuration if it has protected resources configured to use Any Contract. See “Configuring Protected Resources” in the Novell Access Manager 3.1 SP1 Access Gateway Guide. Authentication Type: Specifies the default authentication contracts to be used for each authentication type. When a service provider requests a specific authentication type, rather than a contract, the identity provider uses the authentication contract specified here for the requested authentication type.
  • Page 100: Logging In To The User Portal

    Users can log directly in to the Identity Server when they enter the Base URL of the Identity Server in their browsers. For example, if your base URL is http://doc.provo.novell.com:8080/nidp, entering this URL prompts the user to authenticate with the credentials required for the default contract.
  • Page 101: Specifying A Target

    Users can access the WSDL services page when they enter the base URL of the Identity Server in their browsers with the path to the Services page. For example, if your base URL is http://bfrei.provo.novell.com:8080/nidp, the users can access the services page with the following URL: http://bfrei.provo.novell.com:8080/nidp/services...
  • Page 102 Near the top of the file, in the context initialization parameters section, add the following lines: <context-param> <param-name>wsfServicesList</param-name> <param-value>full</param-value> </context-param> When <param-value> has a value of full, users can access the Services page. To modify this behavior, replace full with one of the following values:
  • Page 103 full, and users have access to the page. You need to restart Tomcat for your modifications to take effect: Linux: Enter the following command: /etc/init.d/novell-tomcat5 restart Windows: Enter the following commands: net stop Tomcat5 net start Tomcat5
  • Page 105: Configuring Advanced Local Authentication Procedures

    3.1 Configuring for RADIUS Authentication RADIUS enables communication between remote access servers and a central server. Secure token authentication through RADIUS is possible because Access Manager works with Novell® Modular Authentication Service (NMAS) RADIUS software that can run on an existing NetWare server.
  • Page 106: Configuring Mutual Ssl (X.509) Authentication

    The Identity Server must trust the certificate authority that created the user certificates. 3 To create the X.509 authentication class, click Devices > Identity Servers > Edit > Local > Classes. 4 Click New.
  • Page 107 5 Specify a display name, then select X509Class from the drop-down menu. 6 Click Next. 7 Configure the validation options: Validations: The validation type. Trust validation occurs if the certificate chain is verified in the NIDP Trust Store. In addition to usual certificate validations, the Identity Server supports CRL (certificate revocation list) and OCSP (Online Certificate Status Protocol) validations for each authentication request.
  • Page 108 SSL session is still active. If another user has access to the machine, that user can use the existing session. To prevent this from happening, enable the Force browser restart on logout option. 10 Click Next. 11 Configure attribute mappings.
  • Page 109 Use this page to specify attribute mappings for the X.509 authentication class. Subject name is the default map. Show certificate errors: Displays an error page when a certificate error occurs. This option is disabled by default. Auto Provision X509: Enables using X.509 authentication for automatic provisioning of users.
  • Page 110 Subject name of the client certificate. The sasAllowableSubjectNames attribute must contain values that are comma-delimited, with a space after the comma. (For example, O=CURLY, OU=Organization CA or OU=Organization CA, O=CURLY.) 12 Click Finish.
  • Page 111: Setting Up Mutual Ssl Authentication

    94.) 5 Update any associated Access Gateways to read the new authentication contract. (See “Configuring Protected Resources” in the Novell Access Manager 3.1 SP1 Access Gateway Guide.) 6 Update the Identity Server cluster configuration. (See Section 11.1.1, “Updating an Identity Server Configuration,”...
  • Page 112 Section 2.4, “Configuring Authentication Contracts,” on page 92. If the contract allows the user to select from the three types of credentials, the login page looks similar to the following:
  • Page 113: Configuring For Kerberos Authentication

    The Radius class prompts the user for a token instead of a password. The user can use the drop-down menu to select between the password and the token. If the user selects to send a certificate, the username and password/token options become unavailable. 3.4 Configuring for Kerberos Authentication Kerberos* is an authentication method that allows users to log in to an Active Directory domain.
  • Page 114: Prerequisites

    Explorer 6. To make Kerberos work with Internet Explorer 6, you need to enable integrated Windows authentication. For information on how to enable this feature, see “Authentication Uses NTLM instead of Kerberos” (http://technet.microsoft.com/en-us/library/cc779070.aspx). Windows Vista* with the latest version of Internet Explorer.
  • Page 115: Configuring Active Directory

    HTTP/<Identity_Server_Base_URL>. For this example configuration, your Identity Server has a base URL of amser.provo.novell.com, and you would specify the following for the User Logon Name: HTTP/amser.provo.novell.com The realm is displayed next to the User logon name.
  • Page 116 Active Directory domain name in all capitals. The Kerberos realm value is case sensitive. /mapuser <identityServerUser>@<AD_DOMAIN>: Specify the username of the Identity Server user and the Active Directory domain to which the user belongs.
  • Page 117: Configuring The Identity Server

    Identity Server cluster configuration. If you have not, see the Novell Access Manager 3.1 SP1 Installation Guide and the Novell Access Manager 3.1 SP1 Setup Guide. This section covers the following tasks: “Enabling Logging for Kerberos Transactions” on page 118 “Configuring the Identity Server for Active Directory”...
  • Page 118 Identity Server to use when communicating with the Active Directory server. 5b Configure the other fields to fit your security model. 5c Click OK. 6 (Optional) Specify values for the other configuration options.
  • Page 119 Service Principal Name (SPN): Specify the value of the servicePrincipalName attribute of the Identity Server user. For this example configuration, this is HTTP/amser.provo.novell.com Kerberos Realm: Specify the name of the Kerberos realm. The default value for this realm is the domain name of the Active Directory server, entered in all capitals. The value in this field is case sensitive.
  • Page 120 Active Directory user store configured as the default user store. See Step You do not need to configure properties for this method. 9 Click Finish. 10 In the Local page, click Contracts > New.
  • Page 121 11 Fill in the following fields: Display name: Specify a name that you can use to identify this method. URI: Specify a value that uniquely identifies the contract from all other contracts. The URI cannot begin with a slash, and it must uniquely identify the contract. For example: kerberos/contract Methods: From the list of Available methods, move your Kerberos method to the Methods list.
  • Page 122 Tomcat. 7 If the cluster contains multiple Identity Servers, copy the bcsLogin.conf file to each member of the cluster, then restart Tomcat on that member.
  • Page 123: Configuring The Clients

    For the configuration example, the lines look similar to the following: principal's key obtained from the keytab principal is HTTP/amser.provo.novell.com@AD.NOVELL.COM Added server's key Kerberos Principal HTTP/amser.provo.novell.com@AD.NOVELL.COM Key Version 3 key EncryptionKey: keyType=3 keyBytes (hex dump)=0000: CB 0E 91 FB 7A 4C 64 FE [Krb5LoginModule] added Krb5Principal HTTP/amser.provo.novell.com@AD.NOVELL.COM to Subject Commit Succeeded 5 If the file does not contain any lines similar to these, verify that you have enabled logging.
  • Page 124: Configuring The Access Gateway For Kerberos Authentication

    When using Kerberos for authentication, the LDAP credentials are not available. If you need LDAP credentials to provide single sign-on to some resources, see Access Management Authentication Class Extension to Retrieve Password for Single Sign-on (http://www.novell.com/communities/node/4556) for a possible solution.
  • Page 125: Configuring Access Manager For Nescm

    To use a smart card with Access Manager, you need to configure Access Manager to use the eDirectory server where you have installed the Novell Enhanced Smart Card Login Method for NMAS (NESCM). You then need to create a contract that knows how to prompt the user for the smart card credentials.
  • Page 126 8 Specify an alias, then click OK. An alias is a name you use to identify the certificate used by Access Manager. 9 Click Close, then click OK. 10 Under Server Replicas, verify the Validation Status.
  • Page 127: Creating A Contract For The Smart Card

    The system displays a green check mark if the connection is valid. 11 (Optional) Set up a search context. 12 Click Finish to save the information. 13 Continue with Section 3.5.3, “Creating a Contract for the Smart Card,” on page 127 3.5.3 Creating a Contract for the Smart Card You need to create a contract that uses the NESCM method.
  • Page 128 For a smart card method, you need to ensure that the user store or stores specified for the method have NESCM installed. 1 On the Local page for the Identity Server, click Methods > New.
  • Page 129 2 Specify a Display name (for example, Method-NMAS-NESCM). 3 From the Class selection list, select the class created in “Creating an NMAS Class for NESCM” on page 127. 4 In the Available user stores list, select the user store created in Section 3.5.2, “Creating a User Store,”...
  • Page 130 6 Click Finish, then click OK. 7 Update the Identity Server. 8 Update the Access Gateway. 9 Continue with Section 3.5.4, “Assigning the NESCM Contract to a Protected Resource,” on page 131
  • Page 131: Assigning The Nescm Contract To A Protected Resource

    NESCM contract to an existing protected resource. If you have not created a protected resource, see the Novell Access Manager 3.1 SP1 Setup Guide. 1 In the Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy].
  • Page 132: Troubleshooting

    Method to Use the NMAS Class” on page 128 Certificate validation fails Verify that a trusted root object created for the signing CA of the certificate on the smart card exists in the eDirectory trusted root container
  • Page 133: Defining Shared Settings

    Defining Shared Settings You can define shared settings so that they can be reused and are available in any Identity Server cluster configuration. The settings include: Attribute sets: Sets of attributes that are exchangeable between identity and service providers. User matching expressions: The logic of the query to the user store for identification when an assertion is received from an identity provider.
  • Page 134 An attribute set with a constant is usually set up when the Identity Server is acting as an identity provider for a SAML or Liberty service provider. The name must match the attribute name that the service provider is using.
  • Page 135: Editing Attribute Sets

    Remote namespace: Specify the namespace defined for the attribute by the remote system: If you are defining an attribute set for LDAP, select none. If you want a service provider to accept any namespace specified by an identity provider, select none. If you want an identity provider to use a default namespace, select none.
  • Page 136: Configuring User Matching Expressions

    Name: The name of the user lookup expression. 3 Click the Add Attributes icon (plus sign), then select attributes to add to the logic group. (Use the Shift key to select several attributes.) 4 Click OK.
  • Page 137: Adding Custom Attributes

    For more information on how to use shared secrets with policies, see “Creating and Managing Shared Secrets” in the Novell Access Manager 3.1 SP1 Policy Management Guide. Shared secret names can be created either on this page or in the associated policy that consumes them.
  • Page 138: Creating Ldap Attribute Names

    The X.500 commonName attribute, which contains a name of an object. If the object corresponds to a person, it is typically the person’s full name. departmentNumber: Identifies a department within an organization.
  • Page 139 displayName: The preferred name of a person to be used when displaying entries. Identifies a name to be used. When displaying an entry, especially within a one-line summary list, it is useful to use this value. Because other attribute types such as cn are multivalued, an additional attribute type is needed.
  • Page 140: Adding Authentication Card Images

    File: Click Browse, locate the image file, then click Open. Locale: From the drop-down menu, select the language for the card or select All Locales if the card can be used with all languages. 3 Click OK.
  • Page 141: Configuring Saml And Liberty Trusted Providers

    Configuring SAML and Liberty Trusted Providers This section discusses configuring trust so that two user accounts can be associated with each other without the sites exchanging data. It explains how to use the Liberty, SAML 1.1, and SAML 2.0 protocols to set up the trust with internal and external identity providers, service providers, and Embedded Service Providers (ESPs).
  • Page 142: Embedded Service Providers

    [Figure: Payroll, Identity Server (IDP), Trusted ESP, Protected Application, Access Gateway] The components in this example reside in the same trust store and represent a typical Access Manager configuration used within an enterprise.
  • Page 143: High-Level Steps

    You must manually configure this setting. “Specifying the Intersite Transfer Service URL for the Login URL Option” on page 151. NOTE: For a tutorial that explains all the steps for setting up federation between two Novell Identity Servers, see “Setting Up Federation”...
  • Page 144: Configuring General Provider Options

    The Identity Server comes with a test-provider certificate that you must replace for your production environment. This certificate is used for identity provider introductions. You can replace the test certificate now or after you have configured the Identity Server. If you create
  • Page 145: Configuring The General Identity Consumer Options

    5.3 Creating a Trusted Provider The procedure for establishing trust between providers begins with obtaining metadata for the trusted provider. If you are using the Novell Identity Server, protocol-specific metadata is available via a URL. Examples of metadata URLs for server 10.1.1.1 would be: Liberty: http://10.1.1.1:8080/nidp/idff/metadata...
  • Page 146 URL. If you copy metadata text from a Web browser, you must copy the text from the page source.
  • Page 147 Login URL: (Conditional) If you are configuring an authentication card for SAML 1.1, specify an Intersite Transfer Service URL. The URL has the following format, where idp.sitea.novell.com is the DNS name of the identity provider and idp.siteb.novell.com is the name of the service provider: https://idp.sitea.novell.com:8443/nidp/saml/idpsend?PID=https://...
  • Page 148: Modifying A Trusted Provider

    1 In the Administration Console, click Devices > Identity Servers > Edit > [Protocol]. For the protocol, select Liberty, SAML 1.1, or SAML 2.0. 2 Click the name of a provider.
  • Page 149 3 On the Trust page, fill in the following fields: Name: Specify the display name for this trusted provider. The default name is the name you entered when creating the trusted provider. The Security section specifies how to validate messages received from trusted providers over the SOAP back channel.
  • Page 150: Using The Intersite Transfer Service

    The URLs for accessing the Intersite Transfer Service are different for each supported protocol (Liberty, SAML 1.1, and SAML 2.0). The Novell Access Manager identity and service provider components use the following format of the Intersite Transfer Service URL: SAML 1.1: <identity_provider_base_URL>/saml/idpsend?
  • Page 151 The Intersite Transfer Service URLs of third-party identity and service provider implementations are different than those shown above for the Novell providers. Check the third party documentation for the URL information. Specifying the Intersite Transfer Service URL for the Login URL Option Liberty and SAML 2.0 support a single sign-on URL.
  • Page 152 Administration Console, you need to specify a value here. If you do not assign a value, the Identity Server creates one for its internal use. Text: Specify the text that is displayed on the card to the user.
  • Page 153 Login URL: Specify an Intersite Transfer Service URL. The URL has the following format, where idp.sitea.novell.com is the DNS name of the identity provider and idp.siteb.novell.com is the name of the service provider: https://idp.sitea.novell.com:8443/nidp/saml/idpsend?PID=https://idp.siteb.novell.com:8443/nidp/saml/metadata&TARGET=https://idp.siteb.novell.com:8443/nidp/app Image: Specify the image to be displayed on the card. Select the image from the drop-down list.
  • Page 154 Intersite Transfer URL. If this option is not selected, the target value in the Intersite Transfer URL is ignored and the user is sent to the URL specified in the Target option. 3 Click OK twice. 4 Update the Identity Server.
  • Page 155: Selecting Attributes For A Trusted Provider

    5.4.3 Selecting Attributes for a Trusted Provider You can select attributes that an identity provider sends and a service provider receives in an authentication. You can also create attribute sets or select attribute sets that you created globally in Section 4.1, “Configuring Attribute Sets,” on page 133.
  • Page 156: Managing Metadata

    Provider] > Metadata. You can reimport the metadata (see Step 2) or edit it (see Step 2 To reimport the metadata from a URL or text, click Reimport on the View page.
  • Page 157 The system displays the Create Trusted Identity Provider Wizard that lets you obtain the metadata. Follow the on-screen instructions to complete the steps in the wizard. 3 Select either Metadata URL or Metadata Text, then fill in the field for the metadata on the page. 4 To edit the metadata manually, click Edit.
  • Page 158 Provider ID: (Required) Specifies the SAML 1.1 metadata unique identifier for the provider. For example, https://<dns>:8443/nidp/saml/metadata. Replace <dns> with the DNS name of the provider. Metadata expiration: Specifies the date upon which the metadata is no longer valid.
  • Page 159: Configuring An Authentication Request For An Identity Provider

    Want assertion to be signed: Specifies that authentication assertions from the trusted provider must be signed. Artifact consumer URL: Specifies where the partner receives incoming SAML artifacts. For example, https://<dns>:8443/nidp/saml/spassertion_consumer. Replace <dns> with the DNS name of the provider. Post consumer URL: Specifies where the partner receives incoming SAML POST data. For example, https://<dns>:8443/nidp/saml/spassertion_consumer.
  • Page 160 This process creates an account association between the identity provider and service provider that enables single sign-on and single log-out.
  • Page 161 Allow Federation: Determines whether federation is allowed. The federation options that control when and how federation occurs can only be configured if the identity provider has been configured to allow federation. After authentication: Specifies that the federation request can be sent after the user has authenticated (logged in) to the service provider.
  • Page 162: Configuring An Authentication Response For A Service Provider

    3 Specify the identity formats that the Identity Server can send in its response. Select the Use box to choose one or more of the following: Persistent Identifier Format: Specifies that a persistent identifier, which is written to the directory and remains intact between sessions, can be sent.
  • Page 163 Transient Identifier Format: Specifies that a transient identifier, which expires between sessions, can be sent. If the request from the service provider requests a format that is not enabled, the user cannot authenticate. 4 Use the Default button to specify whether a persistent or transient identifier is sent when the request from the service provider does not specify a format.
  • Page 164 Persistent: Specifies that a persistent identifier, which is written to the directory and remains intact between sessions, can be sent. Transient: Specifies that a transient identifier, which expires between sessions, can be sent.
  • Page 165: Managing The Authentication Card Of An Identity Provider

    Login URL: (Conditional) If you are configuring an authentication card for SAML 1.1, specify an Intersite Transfer Service URL. The URL has the following format, where idp.sitea.novell.com is the DNS name of the identity provider, idp.siteb.novell.com is the name of the service provider, and idp.siteb.novell.com:8443/nidp/app specifies the URL that you want users to access after a successful login: https://idp.sitea.novell.com:8443/nidp/saml/idpsend?PID=https://...
  • Page 166 If this option is not selected, the card is only used when a service provider makes a request for the card. 3 Click OK twice, then update the Identity Server.
  • Page 167: Configuring Cardspace

    CardSpace puts the user in control of managing cards that they can use to provide identity information and credentials. Using a CardSpace client, the users can create managed cards and personal cards for authentication to the Novell® Identity Server. Figure 6-1 illustrates this process.
  • Page 168: Prerequisites For Cardspace

    4. The CardSpace client software presents the token to the relying party, and if it matches the requirements, the user is granted access. The Novell Identity Server can be configured to act as relying party or as an identity provider. 6.2 Prerequisites for CardSpace Your Identity Server cluster configuration must be configured for HTTPS.
  • Page 169: Enabling High Encryption

    JRE. They should replace the existing files: Linux Identity Server: /opt/novell/java/jre/lib/security Windows Identity Server: C:\Program Files\Novell\jre\lib\security 4 Restart Tomcat. Linux Identity Server: Enter the following command: /etc/init.d/novell-tomcat5 restart Windows Identity Server: Enter the following commands: net stop Tomcat5...
  • Page 170 Identity Server. 1 Verify that you have updated Firefox to 2.x. DigitalMe does not work with Firefox 1.5.x. 2 In Firefox, access the Bandit Card site by entering the following URL: http://cards.bandit-project.org
  • Page 171: Authenticating With A Personal Card

    3 Click Download a selector, then select to download the selector for OpenSuse 10.2 and SUSE Linux Enterprise Desktop (SLED) 10. 4 Scroll to the bottom of the page, and install the Firefox add-on. 4a Click Download DigitalMe add-on for Firefox (All Platforms). 4b If you haven’t enabled the Bandit site to install plug-ins, click Edit Options, then enable the site and install the add-on.
  • Page 172 Text: Specify the text that is displayed on the card to the user for this profile, such as Personal Card. Issuer: From the drop-down list, select Personal Card. Token Type: SAML 1.1 is displayed as the token type for the assertion.
  • Page 173 5 Click Next, then specify the attributes for the personal card. Attribute set: Select the CardSpace attribute set. Required attributes: From the Available attribute list, move the attributes that you want the card to return to the Required attribute list. For this scenario, move Common First Name and Personal Private Identifier to the Required attribute list.
  • Page 174: Authenticating With A Managed Card

    Description: Specify the text to be displayed on the card. This can contain information about how the card can be used or the type of resource that can be accessed with the card.
  • Page 175: Creating And Installing A Managed Card

    Image: Specify the image to be displayed on the card. Select the image from the drop-down list. To add an image to the list, click Select local image. The default image is the Novell Card. Require Identification of Relying Party in Security Token: Select this option to require the relying party to provide identification when it requests a security token.
  • Page 176: Configuring The Relying Party To Trust An Identity Provider

    Provider ID: Specify the issuer ID of the trusted provider. For an Identity Server cluster configuration, the issuer ID is the base URL of the Identity Server plus the following path: /sts/services/Trust For example, if the base URL is https://test.lab.novell.com:8443/nidp, the Provider ID is the following value: https://test.lab.novell.com:8443/nidp/sts/services/Trust Identity Provider: Click Browse to browse for and find the certificate that you exported for the identity provider.
  • Page 177: Logging In With The Managed Card

    Text: Specify the text that is displayed on the card to the user for this profile. If the user knows about the identity provider, this should help the user identify the provider. Issuer: From the drop-down list, select the name of the trusted provider. Token Type: SAML 1.1 is displayed as the token type for the assertion.
  • Page 178: Authenticating With A Managed Card Backed By A Personal Card

    The managed card backed by a personal card is installed. 9 Log out and close the browser. 10 In the browser, enter the base URL of the Identity Server acting as the relying party. 11 Select the CardSpace card.
  • Page 179: Configuring The Identity Server As A Relying Party

    12 In your card selector, select the managed card that is backed by a personal card, then click Send. 13 When prompted, enter the username and password, and log in. 14 Click the Federation tab. It displays the name of the card that you used to log in with and allows you to break the federation with the personal card.
  • Page 180 Select one of the following methods: Do nothing: Select this option to allow the user to authenticate without creating an association with a user account. This option cannot be used when federation is enabled.
  • Page 181: Defining A Trusted Provider

    Authenticate: Select this option when you want to use login credentials. This option prompts the user to log in to the service provider. Allow ‘Provisioning’: Select this option to allow users to create an account when they have no account on the service provider. This option requires that you specify a user provisioning method, which defines the required attributes for setting up a user account.
  • Page 182 For example, if the base URL is https://test.lab.novell.com:8443/nidp, the Provider ID is the following value: https://test.lab.novell.com:8443/nidp/sts/services/Trust This section explains the following: “Creating a Trusted Provider Configuration” on page 182 “Managing the Trusted Provider Configuration” on page 182 Creating a Trusted Provider Configuration 1 In the Administration Console, click Devices >...
  • Page 183: Cleaning Up Identities

    6.6.3 Cleaning Up Identities When acting as a relying party, you can set limits for how long an identity can remain unused before the identity is automatically defederated. The default value is 90 days. You can specify a value from 0 to 365 days.
  • Page 184: Configuring Sts

    If no attributes are listed for the value type, you need to set up an attribute set. See Step None: Indicates that the SAML assertion does not contain a name identifier.
  • Page 185: Creating A Managed Card Template

    Unspecified: Specifies that the SAML assertion contains an unspecified name identifier. For the value, select the attribute that the relying party and the identity provider have agreed to use. E-mail: Specifies that the SAML assertion contains the user’s e-mail address for the name identifier.
  • Page 186: Using Cardspace Cards For Authentication To Access Gateway Protected Resources

    7 Click OK twice, then update the Identity Server. 8 (Optional) Verify the configuration by requesting access to a protected resource configured to use the contract you have enabled for CardSpace.
  • Page 187: Configuring Ws Federation

    Configuring WS Federation The first two topics in this section describe two different methods for setting up federation with a SharePoint server. The next two topics describe how you can modify this basic configuration and customize it for your network. Section 7.1, “Using the Identity Server as an Identity Provider for ADFS,”...
  • Page 188: Configuring The Identity Server

    XP client as described in the ADFS guide from Microsoft. See Step-by-Step Guide for Active Directory Federation Services (http://go.microsoft.com/fwlink/ ?linkid=49531). You have set up the Novell Access Manager 3.1 system with a site configuration that is using SSL in the Identity Server's base URL. See “Enabling SSL Communication” in the Novell Access Manager 3.1 SP1 Setup...
  • Page 189 To create a new authentication contract: 1 Log in to the Administration Console. 2 Click Devices > Identity Servers > Edit > Local > Contracts. 3 Click New, and fill in the following fields: Display name: Specify a name, for example WS-Fed Contract. URI: Specify a URI, for example https://idp-50.amlab.net:8443/nidp/name/password/uri.
  • Page 190 Trey Research is the default name for the ADFS resource server. If you have used another name, substitute it when following these instructions. To create a service provider, you need to know the following about the ADFS resource server.
  • Page 191 This is the value that the identity provider redirects the user to after login. Although it is listed as optional, and is optional between two Novell Identity Servers, the ADFS server doesn't send this value to the identity provider. It is required when setting up a trusted relationship between an ADFS server and a Novell Identity Server.
  • Page 192 Importing the ADFS Signing Certificate into the NIDP-Truststore The Novell Identity Provider (NIDP) must have the trusted root of the ADFS signing certificate (or the certificate itself) listed in its Trust Store, as well as specified in the relationship. This is because most ADFS signing certificates are part of a certificate chain, and the certificate that goes into the metadata is not the same as the trusted root of that certificate.
  • Page 193: Configuring The Adfs Server

    7.1.2 Configuring the ADFS Server The following tasks must be completed on the Trey Research server (adfsresource.treyresearch.net) to establish trust with the Novell® Identity Server. “Enabling E-mail as a Claim Type” on page 193 “Creating an Account Partners Configuration” on page 194 “Enabling ClaimApp and TokenApp Claims”...
  • Page 194 Add the suffix that you will be using for your e-mail address. You need to have the e-mail end in what the ADFS server is expecting, such as @novell.com, which grants access to any user with that e-mail suffix. 4 Enable this account partner.
  • Page 195: Logging In

    2 Select the IDP from the drop-down list of home realms and submit. If you are not prompted for the realm, clear all cookies in the browser and try again. 3 Log in with a user at the Novell Identity Provider.
  • Page 196: Troubleshooting

    [ERROR] Saml contains an unknown NameIdentifierFormat: Issuer=https://idp-51.amlab.net:8443/nidp/wsfed/; Format=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified Cause: the name identifier format is set to unspecified, but it needs to be E-mail. [ERROR] Saml contains an unknown Claim name/namespace: Issuer=https://idp-51.amlab.net:8443/nidp/wsfed/; Namespace=urn:oasis:names:tc:SAML:1.0:assertion; Name=emailaddress
  • Page 197: Using The Adfs Server As An Identity Provider For An Access Manager Protected Resource

    Cause: the emailAddress attribute is not in the correct namespace for WSFed. CRL Errors 2008-08-01T19:56:55 [WARNING] VerifyCertChain: Cert chain did not verify - error code was 0x80092012 2008-08-01T19:56:55 [ERROR] KeyInfo processing failed because the trusted certificate does not have a a valid certificate chain. Thumbprint = 09667EB26101A98F44034A3EBAAF9A3A09A0F327 2008-08-01T19:56:55 [WARNING] Failing signature verification because the KeyInfo section failed to produce a key.
  • Page 198: Configuring The Identity Server As A Service Provider

    XP client as described in the ADFS guide from Microsoft. See Step-by-Step Guide for Active Directory Federation Services (http://go.microsoft.com/fwlink/ ?linkid=49531). You have set up the Novell Access Manager 3.1 system with a site configuration that is using SSL in the Identity Server's base URL. See “Enabling SSL Communication” in the Novell Access Manager 3.1 SP1 Setup...
  • Page 199 The default value is https://adfsresource.treyresearch.net/adfs/ls/. The ADFS server makes no distinction between the login and logout URL. Access Manager has separate URLs for login and logout, but from a Novell Identity Server to an ADFS server, they are the same.
  • Page 200 Importing the ADFS Signing Certificate into the NIDP-Truststore The Novell Identity Provider (NIDP) must have the trusted root of the ADFS signing certificate (or the certificate itself) listed in its trust store, as well as specified in the relationship. This is because most ADFS signing certificates have a chain, and the certificate that goes into the metadata is not the same as the trusted root of that certificate.
  • Page 201: Configuring The Adfs Server To Be An Identity Provider

    2 Click Add. 3 Next to the Trusted Root(s) field, click the Select Trusted Root(s) icon. This adds the trusted root of the ADFS signing certificate to the Trust Store. 4 On the Select Trusted Roots page, select the trusted root or certificate that you want to import, then click Add Trusted Roots to Trust Stores.
  • Page 202: Logging In

    Adatum domain. If you are using the client that is joined to the Adatum domain, the card uses a Kerberos ticket to authenticate to the ADFS identity provider (resource partner).
  • Page 203: Additional Ws Federation Configuration Options

    4 When you are directed back to the Identity Server for Federation User Identification, log in to the Identity Server with a username and password that is valid for the Identity Server (the service provider). 5 Verify that you are authenticated. 6 Close the browser.
  • Page 204: Modifying The User Identification Method

    Authenticate: Allows the user to authenticate using a local account. Allow ‘Provisioning’: Provides a button that the user can click to create an account when the authentication credentials do not match an existing account.
  • Page 205: Managing The Metadata

    Provision account: Allows a new account to be created for the user when the authenticating credentials do not match an existing user. When federation is enabled, the new account is associated with the user and used with subsequent logins. When federation is not enabled, a new account is created every time the user logs in.
  • Page 206: Modifying The Authentication Card

    The response needs to contain the attributes that the service provider requires. If you do not own the service provider, you need to contact the administrator of the service provider and negotiate
  • Page 207: Modifying The Authentication Response

    which attributes you need to send in the response. The service provider can then use these attributes to identify the user, to create policies, to match user accounts, or, if it allows provisioning, to create user accounts on the service provider. 1 In the Administration Console, click Devices >...
  • Page 208: Managing The Metadata

    4 If you need to import a new signing certificate, click the Browse button and follow the prompts. 5 To view information about the signing certificate, click Certificates. 6 Click OK twice, then update the Identity Server.
  • Page 209: Configuring User Identification Methods For Federation

    Configuring User Identification Methods for Federation Configuring authentication involves determining how the service provider interacts with the identity provider during user authentication and federation. Three methods exist for you to identify users from a trusted identity provider: you can identify users by matching their authentication credentials; you can match selected attributes and then prompt for a password to verify the match; or you can use just the attributes for the match.
  • Page 210 If you have not created one, continue with Section 8.4, “Defining the User Provisioning Method,” on page 214. If you selected the Authenticate option with the Allow Provisioning option, select a method, then click OK.
  • Page 211: Selecting A User Identification Method For Saml 1.1

    If you have not created one, continue with Section 8.4, “Defining the User Provisioning Method,” on page 214. If you selected the Authenticate option without the Allow Provisioning option, click OK. 4 Click OK, then update the Identity Server. 8.2 Selecting a User Identification Method for SAML 1.1 Two methods exist for identifying users from an identity provider when using the SAML 1.1 protocol.
  • Page 212 Select User Stores to search: Select and order the user stores you want to use in the search. User Matching Expression: Select a matching expression, or click New User Matching Expression to create one.
  • Page 213: Configuring The Attribute Matching Method

    A user matching expression is a set of logic groups with attributes that uniquely identify a user. User matching expressions enable you to map the Liberty attributes to the correct LDAP attributes during searches. You must know the LDAP attributes that can be used to identify unique users in the user store.
  • Page 214: Defining The User Provisioning Method

    If you have selected Provision account as the user identification method, or have created an attribute matching setting that allows for provisioning when no match is found, you need to create a provisioning method. 2 Click the Provisioning settings icon.
  • Page 215 3 Select the required attributes from the Available Attributes list and move them to the Attributes list. Required attributes are those used in the creation of a user name, or that are required when creating the account. 4 Click Next. 5 Select optional attributes from the Available Attributes list and move them to the Attributes list.
  • Page 216 If no attributes are provided, or the lengths for them are 0, and this option is selected, the system creates a unique name. 8 Click Next. 9 Specify password settings.
  • Page 217: User Provisioning Error Messages

    Use this page to specify whether to prompt the user for a password or to create a password automatically. Min. password length: The minimum length of the password. Max. password length: The maximum length of the password. Prompt for password: Prompts the user for a password. Automatically create password: Specifies whether to automatically create passwords.
  • Page 218 636, and that the user’s password conforms to the complexity policy. If you encounter this error, you must reset the password on the Windows machine.
  • Page 219: Configuring Communication Profiles

    Configuring Communication Profiles You can configure the methods of communication that are available at the server for requests and responses sent between providers. These settings affect the metadata for the server and should be determined prior to publishing to other sites. Section 9.1, “Configuring a Liberty Profile,”...
  • Page 220: Configuring A Saml 1.1 Profile

    You also use this when the responder requires user interaction in order to fulfill the request, such as when the user must authenticate to it. 4 Specify the communication methods for Single Logout and for Name Management.
  • Page 221 The Single Logout channel is used when the user logs out. The Name Management channel is used to share the common identifiers for a user between identity and service providers. When an identity provider has exchanged a persistent identifier for the user with a service provider, the providers share the common identifier for a length of time.
  • Page 223: Configuring Liberty Web Services

    Configuring Liberty Web Services A Web service uses Internet protocols to provide a service. It is an XML-based protocol transported over SOAP, or a service whose instances and data objects are addressable via URIs. Access Manager consists of several elements that comprise Web services: Web Service Framework: Manages all Web services.
  • Page 224: Configuring The Web Services Framework

    A company address book that provides names, phones, office locations, and so on, is an example of an employee profile. LDAP Profile: Allows you to use LDAP attributes for authorization and general use.
  • Page 225: Editing Web Service Descriptions

    Personal Profile: Allows you to manage personal information and to determine how to share that information with others. A shopping portal that manages the user’s account number is an example of a personal profile. User Interaction: Allows you to set up a trusted user interaction service, used for identity services that must interact with the resource owner to get information or permission to share data with another Web service consumer.
  • Page 226: Configuring Credential Profile Security And Display Settings

    Novell Access Manager 3.1 SP1 Policy Management Guide. To configure the Credential Profile: 1 In the Administration Console, click Devices > Identity Servers > Edit > Liberty > Web Service Providers. 2 Click Credential Profile.
  • Page 227 3 On the Credential Profile Details page, fill in the following fields as necessary: Display name: The name you want to display for the Web service. Have Discovery Encrypt This Service’s Resource Ids: Specify whether the Discovery Service encrypts resource IDs. A resource ID is an identifier used by Web services to identify a user.
  • Page 228: Configuring Service And Profile Details

    This attribute should be a single-valued case ignore string that you have defined and assigned to the user object in the schema. To use Novell SecretStore to remotely store secrets, click New under Novell Secret Store User Store References. Click the user store that you have configured for SecretStore.
  • Page 229 Display Name: The Web service name. This specifies how the profile is displayed in the Administration Console. Have Discovery Encrypt This Service’s Resource Ids: Specifies whether the Discovery Service encrypts resource IDs. A resource ID is an identifier used by Web services to identify a user.
  • Page 230 Appendix D, “Data Model Extension XML,” on page 319 for more information. 7 Click OK, then click OK on the Web Service Provider page. 8 Update the Identity Server configuration on the Servers page.
  • Page 231: Customizing Attribute Names

    10.6 Customizing Attribute Names You can change the display names of the attributes for the Credential, Custom, Employee, and Personal profiles. The customized names are displayed on the My Profile page in the User Portal. The users see the custom names applicable to their language. Custom Attributes are displayed on the My Profile page in the User Portal in place of the corresponding English attribute name when the language in the drop-down list is the accepted language of the browser.
  • Page 232 Query Policy: Allows the service provider to query for the data on a particular attribute. This is similar to read access to a particular piece of data.
  • Page 233 Modify Policy: Allows the service provider to modify a particular attribute. This is similar to write access to a particular piece of data. Query and Modify: Allows you to set both options at once. 5 To edit child attributes of the parent, click the policy. In the following example, child attributes are inheriting Ask Me permission from the parent Entire Personal Identity attribute.
  • Page 234: Configuring The Web Service Consumer

    4 Under Security Settings, fill in the following fields: WSS Security Token Type: Instructs the Web service consumer/requestor how to place the token in the security header as outlined in the Liberty ID-WSF Security Mechanisms.
  • Page 235: Mapping Ldap And Liberty Attributes

    Signature Algorithm: The signature algorithm to use for signing the payload. 5 Click OK, then update the Identity Server configuration as prompted. 10.9 Mapping LDAP and Liberty Attributes You can create an LDAP attribute map or edit an existing one. Attribute mapping involves specifying how single-value and multi-value data items map to single-value and multi-value LDAP attributes.
  • Page 236: Configuring One-To-One Attribute Maps

    Mapping Personal Profile Single-Value Data Items to LDAP Attributes The data items displayed are single-value Liberty Personal Profile attributes that you can map to the single-valued LDAP attributes that you have defined for your directory.
  • Page 237 Mapping Personal Profile Multiple-Value Data Items to LDAP Attributes Use the fields on this page to map multiple-value attributes from the Liberty Personal Profile to the multiple-value LDAP attributes you have defined for your directory. For example, you can map the Liberty attribute Alternate Every Day Name (AltCN) to the LDAP attribute you have defined for this purpose in your directory.
  • Page 238: Configuring Employee Type Attribute Maps

    Contractor Part Time, Contractor Full Time, Full Time Regular, and so on. 1 In the Administration Console, click Devices > Identity Servers > Edit > Liberty > LDAP Attribute Mapping > New > Employee Type.
  • Page 239: Configuring Employee Status Attribute Maps

    2 Specify a name and description for the map. 3 Choose the type of access rights you want. Select Read/Write for any attributes used in user provisioning. 4 In the LDAP Attribute Name field, type the LDAP attribute name that you want to map to the Liberty Employee Type attribute.
  • Page 240: Configuring Postal Address Attribute Maps

    This is a Personal Profile attribute. 1 In the Administration Console, click Devices > Identity Servers > Edit > Liberty > LDAP Attribute Mapping > New > Postal Address.
  • Page 241 2 Specify a name and description for the map. 3 Choose the type of access rights you want. Select Read/Write for any attributes used in user provisioning. 4 In the Mode drop-down menu, select either Multiple LDAP Attributes or Single Delimited LDAP Attributes.
  • Page 242: Configuring Contact Method Attribute Maps

    4 Under Contact Method to LDAP Attributes, fill in the following fields to map to the Liberty Contact Method attribute: Provider LDAP Attribute: Maps to the Liberty attribute MsgProvider, which is the service provider or domain that provides the messaging service.
  • Page 243: Configuring Gender Attribute Maps

    Account LDAP Attribute: Maps to the Liberty attribute MsgAccount, which is the account or address information within the messaging provider. SubAccount LDAP Attribute: Maps to the Liberty MsgSubaccount, which is the subaccount within a messaging account, such as the voice mail box associated with a phone number. 5 Under Contact Method Template Data, specify the settings for the Liberty attribute values of: Nickname: Maps to the Liberty attribute Nick, which is an informal name for the contact.
  • Page 244: Configuring Marital Status Attribute Maps

    4 In the LDAP Attribute Name field, type the LDAP attribute name that you want to map to the Liberty element Marital Status (MaritalStatus). 5 In the LDAP Attribute Value fields, type your predefined LDAP attribute values that you want to map to the MaritalStatus values.
  • Page 245 These are the values that you want to store in the LDAP attribute for each given Liberty attribute value. The LDAP attribute map then maps the actual Liberty URI value, back and forth, to this supplied value. 6 Click Finish. 7 On the LDAP Attribute Mapping page, click OK.
  • Page 247: Maintaining An Identity Server

    Maintaining an Identity Server Server maintenance involves tasks that you perform after you have configured the server. Maintenance includes monitoring the server and its statistics, configuring Identity Server logging, replacing certificates, and so on. Section 11.1, “Managing an Identity Server,” on page 247 Section 11.2, “Editing Server Details,”...
  • Page 248: Updating An Identity Server Configuration

    Whenever you change an Identity Server configuration, the system prompts you to update the configuration. An Update Servers status is displayed under the Status column on the Servers page. You must click Update Servers to update the configuration so that your changes take effect.
  • Page 249: Restarting The Identity Server

    When it is clicked, this link sends a reconfigure command to all servers that use the configuration. The servers then begin the reconfiguration process. This process occurs without interruption of service to users who are currently logged in. When you update a configuration, the system blocks inbound requests until the update is complete. The server checks for any current requests being processed.
  • Page 250: Editing Server Details

    1 In the Administration Console, click Devices > Identity Servers > Edit > Logging.
  • Page 251 Enabled: Enables file logging for this server and its associated Embedded Service Providers. Echo To Console: Copies the Identity Server XML log file to /var/opt/novell/tomcat5/logs/catalina.out. You can download the file from Auditing > General Logging. If you want to view Identity Server logs mixed with logs from other application devices, you use catalina.out...
  • Page 252: Managing Log File Size

    If you want to modify this behavior, see the following files in the /etc/logrotate.d directory: novell-tomcat5 and novell-devman. For information about the parameters in these files, see the documentation for the logrotate daemon.
  • Page 253: Configuring Session-Based Logging

    2. The help desk operator questions the users and concludes that the problem is caused by either a Novell Identity Server or an Embedded Service Provider. 3. The operator has been granted the rights to create logging tickets, and uses the User Portal to create a logging ticket for the user.
  • Page 254 Image: Select an image from the list, such as the IDP Administrator image that was created for this type of contract. Show Card: Deselect this option. 4d Click Finish. 5 Continue with “Creating the Logging Session Class, Method, and Contract” on page 255.
  • Page 255: Creating The Logging Session Class, Method, And Contract

    2a Click Classes. 2b Click New, then specify the following values: Display name: Logging Session Java class: Other Java class path: com.novell.nidp.authentication.local.LogTicketClass 2c Click Next, then click Finish. 3 To create the method: 3a Click Methods. 3b Click New, then specify the following values:...
  • Page 256: Enabling Basic Logging

    Ticket: Specify a name for the ticket. You must share this name with the user who reported the problem. Ticket Good For: Select a time limit for the ticket, from one minute through one year.
  • Page 257 When selecting a time limit, consider the following: When a ticket expires, logging is automatically stopped. If you know that the user is experiencing a problem that prevents the user from logging out, you might want to create a ticket with a short time limit. If the user does not log out (just closes the browser window or the problem closes it), the session remains in the list of logged sessions.
  • Page 258 After 10 minutes of inactivity, the session is closed and the lock on the logging file is cleared. As long as the file is locked, no other application can read the file.
  • Page 259: Monitoring The Health Of An Identity Server

    Tomcat log directory on the device: Linux: /var/opt/novell/tomcat5/webapps/nesp/WEB-INF/logs Windows: C:\Program Files\Novell\Tomcat\webapps\nesp\WEB-INF\logs 4 Open the file with the same user identifier and session ID. 5 After solving the problem, delete the file from each Identity Server in the cluster and each Access Gateway in the cluster.
  • Page 260 This can take a few minutes. 3 Examine the Services Detail section that displays the status of each service. For an Identity Server, this includes information such as the following:
  • Page 261 If you want to convert a secondary console to your primary console, see “Converting a Secondary Console into a Primary Console” in Novell Access Manager 3.1 SP1 Administration Console Guide. User Datastores: Indicates whether the Identity Server can communicate with the user stores. Ensure that the user store is operating and configured correctly.
  • Page 262: Monitoring Identity Server Statistics

    You can specify the intervals for the refresh rate and, where allowed, view graphic representations of the activity. 1 In the Administration Console, choose Devices > Identity Servers. 2 In the Statistics column, click View. 3 Click either of the following options:
  • Page 263: Application

    Statistics: Select this option to view the statistics as currently gathered. The page is static and the statistics are not updated until you click Live Statistics Monitoring. Live Statistics Monitoring: Select this option to view the statistics as currently gathered and to have them refreshed at the rate specified in the Refresh Rate field.
  • Page 264: Incoming Http Requests

    The age of the oldest currently active incoming HTTP request (Milliseconds). Last Interval Maximum Request Duration (Milliseconds): The age of the longest incoming HTTP request that was processed during the last 60-second interval.
  • Page 265: Outgoing Http Requests

    Last Interval Mean Request Duration (Milliseconds): The mean age of all incoming HTTP requests that were processed during the last 60-second interval. Historical Maximum Request Duration (Milliseconds): The age of the longest incoming HTTP request that was processed since the Identity Server was started.
  • Page 266: Saml 1.1

    Modifies: The number of Liberty IDSIS Employee Profile Web Service modifies performed since the Identity Server was started. Custom Profile Service Queries: The number of Novell Custom Profile Web Service queries performed since the Identity Server was started. Custom Profile Service...
  • Page 267 Service Modifies: The number of Novell Authentication Profile Web Service modifies performed since the Identity Server was started. LDAP Profile Service Queries: The number of Novell LDAP Profile Web Service queries performed since the Identity Server was started. LDAP Profile Service...
  • Page 268: Clustering

    Obtained from Cookie: The total number of authoritative servers identified using the HTTP cookie since the Identity Server was started. Payload Examinations: The total number of attempted payload examinations to identify the authoritative server since the Identity Server was started.
  • Page 269: Ldap

    Successful Payload Examinations: The total number of successful payload examinations to identify the authoritative server since the Identity Server was started. Identity ID Broadcasts: The total number of attempted Identity ID Broadcasts to identify the authoritative server since the Identity Server was started. Successful Identity ID Broadcasts: The total number of successful Identity ID Broadcasts to identify the...
  • Page 270: Enabling Identity Server Audit Events

    11.7 Enabling Identity Server Audit Events All user and administrator actions can be logged to Novell Audit. You can generate a Novell Audit logging event to indicate whether authentications are successful or unsuccessful. The following steps assume that you have already set up Novell Audit on your network. For more information, see “Enabling...
  • Page 271 Logged for all component messages with a level of Severe. Component Log Warning Messages: Logged for all component messages with a level of Warning. 4 Click Apply, then OK. 5 Click Servers > Update Servers. Restart the Novell Audit server.
  • Page 272: Monitoring Identity Server Alerts

    Lists the Identity Server name. Status: Lists the status of each server. Type: Displays the type of command issued to the server. Admin: Displays the credentials of the administrator who performed the command.
  • Page 273 Date & Time: The date and time that the command was issued. Date and time entries are specified in the local time.
  • Page 275: Troubleshooting The Identity Server And Authentication

    Troubleshooting the Identity Server and Authentication This section discusses the following topics: Section 12.1, “Useful Networking Tools for the Linux Identity Server,” on page 275 Section 12.2, “Troubleshooting 100101043 and 100101044 Liberty Metadata Load Errors,” on page 275 Section 12.3, “Authentication Issues,” on page 283 Section 12.4, “Translating the Identity Server Configuration Port,”...
  • Page 276: The Metadata

    1 In the Administration Console, click Devices > Access Gateways > Edit > Reverse Proxies/ Authentication. 2 Select None for the Identity Server Cluster option, click OK twice, then update the Access Gateway.
  • Page 277: Dns Name Resolution

    URL configuration of the Identity Server. The base URL in the Identity Server configuration is used to build all the metadata end points. To view the metadata of the Identity Server with a DNS name of idpcluster.lab.novell.com, enter the following URL: https://idpcluster.lab.novell.com:8443/nidp/idff/metadata...
  • Page 278: Certificate Names

    To verify the certificate name of the Identity Server certificate: 1 In the Administration Console, click Devices > Identity Servers > Edit. 2 Click the SSL Certificate icon. The NIDP-connector keystore is displayed.
  • Page 279: Certificates In The Required Trust Stores

    For information on how to create an Access Gateway certificate, see “Configuring the Access Gateway for SSL” in the Novell Access Manager 3.1 SP1 Access Gateway Guide. To view sample log entries that are logged to the catalina.out file when the certificate has an...
  • Page 280: Certificates In The Correct Certificate Store

    Identity Server certificate must be added to the NIDP-connector store, and the Embedded Service Provider certificate must be added to the Proxy Key Store.
    1 In the Administration Console, click Security > Certificates.
    2 Click NIDP-connector.
  • Page 281: Enabling Debug Logging

    When the Embedded Service Provider cannot resolve the DNS name of the Identity Server, the metadata cannot be loaded and a hostname error is logged. In the following entries, the Embedded Service Provider cannot resolve the idpcluster.lab.novell.com name of the Identity Server. <amLogEntry> 2007-08-06T16:24:56Z INFO NIDS Application: AM#500105024:...
  • Page 282 AMDEVICEID#esp-09C720981EEE4EB4: AMAUTHID#D983B08C28D35221D139D33E5324F98F: ESP is requesting metadata from IDP https://idpcluster.lab.novell.com/nidp/idff/metadata </amLogEntry>
    <amLogEntry> 2007-07-05T16:07:53Z SEVERE NIDS IDFF: AM#100106001: AMDEVICEID#esp-09C720981EEE4EB4: Unable to load metadata for Embedded Service Provider: https://idpcluster.lab.novell.com/nidp/idff/metadata, error: Received fatal alert: handshake_failure </amLogEntry>
  • Page 283: Testing Whether The Provider Can Access The Metadata

    12.2.7 Testing Whether the Provider Can Access the Metadata To test whether the metadata is available for download, enter the metadata URL of the identity provider and service provider. If the DNS name of the identity provider is idpcluster.lab.novell.com, open a browser and enter the following URL: https://idpcluster.lab.novell.com:8443/nidp/idff/metadata...
  • Page 284: Authentication Classes And Duplicate Common Names

    Enable authentication logging options (click Identity Servers > Edit > Logging). Ensure that the authentication contract matches the base URL scheme. For example, check to see if SSL is used across all components.
  • Page 285: Slow Authentication

    Access Manager components, see “Setting Up Firewalls” in the Novell Access Manager 3.1 SP1 Setup Guide.
    12.3.4 Basic Authentication Fails with an eDirectory User Store You are not required to specify a search context with eDirectory.
  • Page 286: Browser Hangs In An Authentication Redirect

    If you have configured the SLES 10 firewall or have installed other Access Manager components on the Identity Server, you need to use a custom rule script that allows for multiple port translations. See Section 12.4.2, “Configuring iptables for Multiple Components,” on page 289.
  • Page 287: A Simple Redirect Script

    #
    ### BEGIN INIT INFO
    # Provides: idp_8443_redirect
    # Required-Start:
    # Required-Stop:
    # Default-Start: 2 3 5
    # Default-Stop: 0 1 6
    # Description: Redirect 8443 to 443 for Novell IDP
    ### END INIT INFO
    #
    # Environment-specific variables.
    IPT_BIN=/usr/sbin/iptables
    INTF=eth0
    ADDR=10.10.0.1 .
  • Page 288 This entry states that eth0 is routing TCP port 443 to IP address 10.10.0.1.
    10 (Conditional) If your Identity Server cluster configuration contains more than one Identity Server, repeat these steps on each server in the cluster.
  • Page 289: Configuring Iptables For Multiple Components

    12.4.2 Configuring iptables for Multiple Components If you need to use iptables for multiple components (the host machine, the Identity Server, or the SSL VPN server), you need to centralize the commands into one manageable location. The following sections explain how to use the SuSEFirewall2 option in YaST to centralize the commands.
  • Page 290 You should see information similar to the following if the filters have been registered correctly:
    Chain POSTROUTING (policy ACCEPT 20987 packets, 1266K bytes)
     pkts bytes target prot opt in source destination
                SNAT                     10.8.0.0/16 0.0.0.0/0 to:10.1.1.1
  • Page 291: Problems Reading Keystores After Identity Server Re-Installation

    This can occur if you replace a hard drive and incorrectly reinstall the Identity Server. See “Reinstalling an Identity Server to a New Hard Drive” in the Novell Access Manager 3.1 SP1 Installation Guide for the correct procedure. Troubleshooting the Identity Server and Authentication 291...
  • Page 293: A Sample Custom Login Pages

    Sample Custom Login Pages Section A.1, “Modified login.jsp File for Credential Prompts,” on page 293 Section A.2, “Custom nidp.jsp File with Custom Credentials,” on page 296 Section A.3, “Custom 3.1 login.jsp File,” on page 303 Section A.4, “Custom 3.0 login.jsp File,” on page 306 A.1 Modified login.jsp File for Credential Prompts The following code is a modified version of the 3.1...
  • Page 294
    (String) request.getAttribute("url") %>" AUTOCOMPLETE="off">
    <input type="hidden" name="option" value="credential">
    <% if (target != null) { %>
    <input type="hidden" name="target" value="<%=target%>">
    <% } %>
    <table border=0 style="margin-top: 1em" width="100%" cellspacing="0" cellpadding="0">
    <tr>
    <td style="padding: 0px">
  • Page 295
    <table border=0>
    <tr>
    <td align=left>
    <label><%=handler.getResource(JSPResDesc.USERNAME)%></label>
    </td>
    <td align=left>
    <input type="text" class="smalltext" name="Ecom_User_ID" size="30">
    </td>
    </tr>
    <tr>
    <td align=left>
    <label>Email Address:</label>
    </td>
    <td align=left>
    <input type="text" class="smalltext" name="Ecom_User_Mail" size="30">
    </td>
    </tr>
    <tr>
    <td align=left>
    <label><%=handler.getResource(JSPResDesc.PASSWORD)%></label>
    </td>
    <td align=left>
    <input type="password" class="smalltext" name="Ecom_Password" size="30">...
  • Page 296: Custom Nidp.jsp File With Custom Credentials

    Section A.2.3, “The Method and the Contract,” on page 303
    A.2.1 The Modified nidp.jsp File The background, menu, and border colors are set to black. These colors are specified in the following lines in the sample file:
  • Page 297 Figure A-4 Header Image. Figure A-5 illustrates the image (hhbimages.jpeg) that this custom page uses to replace the Novell company logo on the right of the header frame. Figure A-5 Company Logo. The following lines define what appears as the title for the browser window: <title>HHB WORLD</title>...
  • Page 298
    { position: absolute; font-size: 1.2em; color: white; top: 18px; left: 85px; }
    #subtitle { position: relative; font-size: .9em; color: black; white-space: nowrap; top: 0px; left: 0px; text-align: right; }
    #mcontent { position: relative; padding: 5px; background-color:
  • Page 299
    <%=bgcolor%>; }
    #content { width: 100%; border: 0; margin: 0; padding: 0; overflow: none; height: 376px; background-color: <%=bgcolor%>; }
    #logoutbut { position: absolute; top: 25px; right: 35px; }
    #helpbutlogin { position: absolute; color: yellow; top: 25px; right: 10px; }
    #loggingbut { position: absolute; color: blue; top: 25px; right: 65px; }
    .NLtab .tab1s { background-color: <%=menucolor%>;...
  • Page 300
    (g_curSubtab.id == "loginsubtab")
        helpURL = "<%=handler.getHelp("userlogin.html")%>";
    else if (g_curSubtab.id == "newcardsubtab")
        helpURL = "<%=handler.getHelp("newcard.html")%>";
    else if (g_curSubtab.id == "logTicketsubtab")
        helpURL = "<%=handler.getHelp("logticket.html")%>";
    var w;
    w = window.open(helpURL, "nidsPopupHelp", "toolbar=no,location=no,directories=no,menubar=no,scrollbars=yes,resizable=yes,width=500,height=500");
  • Page 301
    if (w != null) w.focus();
    </script>
    </head>
    <body onload="onloadhandler()">
    <table width=100% border=0 cellpadding=0 cellspacing=0 bgcolor=<%=bgcolor%> >
    <tr>
    <td>
    <table cellspacing=0 width=100% border=0>
    <tr>
    <td width=100%>
    <div id="header"><img src="<%=handler.getImage(hdrImage,false)%>"></div>
    <div id="logo"><img src="<%=handler.getImage(hdrLogo,false)%>"></div>
    <div id="title"><%=hdrTitle%></div>
    </td>
    </tr>
    </table>
    </td>
    </tr>
    <tr>
    <td>
    <table cellspacing=5 width=100%>...
  • Page 302: The Modified Main.jsp File

    <%@ include file="mainRedirect.jsp" %>
    <% } else if (strContractURI != null && strContractURI.equals("login/custom")) { %>
    <%@ include file="custom.jsp" %>
    <% }
       // This is the jsp used by default
       else { %>
    <%@ include file="nidp.jsp" %>
    <% } %>
  • Page 303: The Method And The Contract

    A.2.3 The Method and the Contract After modifying the two files, you still need to create a method and a contract. The method needs to use a name/password class and have the following properties defined:
    Query property values: Property Name: Query, Property Value: (&(objectclass=person)(mail=%Ecom_User_Mail%))
    JSP property values: Property Name: JSP...
  • Page 304
    (i == 0) i = 1;
    document.IDPLogin.submit();
    return false;
    </script>
    </head>
    <body text="lightcyan" style="background-color:Black" marginwidth="300" marginheight="100" leftmargin="350" topmargin="0" rightmargin="0" onLoad="document.IDPLogin.Ecom_User_ID.focus();" >
    <br>
    <h1><u> IT’S A NEW WORLD</u></h1>
    <form name="IDPLogin" enctype="application/x-www-form-urlencoded"
  • Page 305
    method="POST" action="<%= (String) request.getAttribute("url") %>" AUTOCOMPLETE="off">
    <input type="hidden" name="option" value="credential">
    <% if (target != null) { %>
    <input type="hidden" name="target" value="<%=target%>">
    <% } %>
    <table border=0 style="margin-top: 1em" width="20" cellspacing="0" cellpadding="0">
    <tr>
    <div id="headimage"><img src="<%=handler.getImage(hdrImage,false)%>" alt="" height="80" width="150" border="0"></div>
    </tr>
    <tr>...
  • Page 306: The Method And The Contract

    Novell Access Manager 3.1 SP1 Installation Guide. Figure A-7 illustrates such a page that has been modified to remove the Novell branding and logo. It has also been modified to prompt the user for an email address in addition to a username and password.
  • Page 307: Modifying The File

    The bold lines in the following sample file are the lines that have been modified to change the branding and the login prompts.
    <%@ page language="java" %>
    <%@ page pageEncoding="UTF-8" contentType="text/html; charset=UTF-8"%>
    <%@ page import="com.novell.nidp.common.provider.*" %>
    <%@ page import="java.util.*" %>
    <%@ page import="com.novell.nidp.ui.*" %>
    <%@ page import="com.novell.nidp.*" %>...
  • Page 308
    <td style="background-color: #efeee9; padding: 10px" colspan="2">
    <% String err = (String) request.getAttribute(NIDPConstants.ATTR_LOGIN_ERROR);
       if (err != null) { %>
    <div><label><%=err%></label></div>
    <% }
       // Determine if this login page is being used for account identification
       // purposes
    %>
  • Page 309
    <span id="login2" style="display: block;">
    <table>
    <tr>
    <td nowrap="nowrap">
    <div>
    <label style="width: 100px"><%=handler.getResource(JSPResDesc.USERNAME)%></label>
    </div>
    </td>
    <td width="100%" nowrap="nowrap">
    <div>
    <input type="text" class="smalltext" name="Ecom_User_ID" size="30">
    </div>
    </td>
    </tr>
    <tr>
    <td nowrap="nowrap">
    <div>
    <label style="width: 100px">Email Address:</label>
    </div>
    </td>
    <td width="100%" nowrap="nowrap">
    <div>
    <input type="text"...
  • Page 310: The Method And The Contract

    MainJSP property values: Property Name: MainJSP, Property Value: true
    You then need to create a contract that uses this method and assign it to a protected resource.
  • Page 311: B About Liberty

    About Liberty The Liberty Alliance is a consortium of business leaders with a vision to enable a networked world in which individuals and businesses can more easily conduct transactions while protecting the privacy and security of vital identity information. To accomplish its vision, the Liberty Alliance established an open standard for federated network identity through open technical specifications.
  • Page 313: C Understanding How Access Manager Uses Saml

    Understanding How Access Manager Uses SAML Security Assertions Markup Language (SAML) is an XML-based framework for communicating security assertions (user authentication, entitlement, and attribute information) between identity providers and trusted service providers. For example, an airline company can make assertions to authenticate a user to a partner company or another enterprise application, such as a car rental company or hotel.
  • Page 314: Trusted Provider Reference Metadata

    Policy Enforcement Point (PEP). The PEP checks for user access to the desired resource. The user is either granted or denied access to the resource. SAML is used as the communication mechanism between the PEP and a Policy Decision Point (PDP). In Novell® product terminology, a PEP could be...
  • Page 315: Identity Provider Process Flow

    Attribute profiles: Profiles simplify how you configure and deploy systems that exchange attribute data. They include:
    Basic attribute profile: Supports string attribute names and attribute values drawn from XML schema primitive type definitions.
    X.500/LDAP: Supports canonical X.500/LDAP attribute names and values.
    UUID attribute profile: Supports using UUIDs as attribute names.
  • Page 316: C.7 Saml Service Provider Process Flow

    SAML service provider (xyz.com) in order to begin an authentication session with an identity provider (such as abc.com). PP indicates a Personal Profile Service as defined by the Liberty specification.
  • Page 317 Figure C-2 SAML Consumer Process Flow (diagram; labels recovered from the figure: SAML Service Provider xyz.com, User/Browser, Liberty/LDAP, Local Attributes for Assertion PP: sn, PP: ph#, Target Resource, Mapped Attributes to SAML Service Provider PP: sn = lastname, PP: ph# = phonenumber, User Authentication, Web Service Personal Profile (PP), Identity Server abc.com, PP: sn = Jones...)
  • Page 318 Server, and the user is authenticated. 4. The user’s DN is returned to the Identity Server, and the user is authenticated. 5. The user is redirected to the target resource at xyz.com.
  • Page 319: D Data Model Extension Xml

    Data Model Extension XML The data model for some Web services is extensible. You can enter XML definitions of data model extensions in a custom profile (for more information, see Section 10.5, “Configuring Service and Profile Details,” on page 228). Data model extensions hook into the existing Web service data model at predefined locations.
  • Page 320 The resource ID of the description of the group. This resource ID is assumed to be a key in the resource bundle supplied by the resource description class file associated with the containing root.
  • Page 321 Extension Element name (required): The name of the data model extension. This name must be the name of the XML element that will be used in the data model. class (optional): The Java class name of the data model instance class. Because data model instance class files are assumed to reside in the root’s package, only the filename is needed.
  • Page 322: D.2 Writing Data Model Extension Xml

    D.2 Writing Data Model Extension XML Data model extension XML must be defined in the namespace novell:liberty:wsf:config:1:0:0 and that namespace must be defined on the SchemaExtensions element. Normally, the namespace prefix wsfc is used. An example of data model extension XML is: <wsfc:SchemaExtensions xmlns:wsfc="novell:liberty:wsf:config:1:0:0">...
  • Page 323
    <wsfc:Value resourceId="PP.EXT.DM.HC.Brown" value="urn:pp:dm:brown"/>
    <wsfc:Value resourceId="PP.EXT.DM.HC.Green" value="urn:pp:dm:green"/>
    <wsfc:Value resourceId="PP.EXT.DM.HC.Gray" value="urn:pp:dm:gray"/>
    <wsfc:Value resourceId="PP.EXT.DM.HC.Hazel" value="urn:pp:dm:hazel"/>
    </wsfc:ValueSet>
    </wsfc:Extension>
    </wsfc:Group>
    </wsfc:Root>
    <wsfc:Root parent="/pp:PP/pp:Extension" package="com.novell.nidp.liberty.wsf.idsis.ppservice.extensions" resourceClass="PPExtensionsResDesc">
    <wsfc:Group resourceId="PP.EXT.AU.GROUP" descriptionResourceId="PP.EXT.AU.GROUP.DESC">
    <wsfc:Extension name="Automobile" class="Automobile" syntax="Container" resourceId="PP.EXT.Automobile" min="0" max="UNBOUNDED" namingClass="AutomobileLicensePlate">
    <wsfc:Group resourceId="PP.EXT.AU.DETAILS.GROUP" descriptionResourceId="PP.EXT.AU.DETAILS.GROUP.DESC">
    <wsfc:Extension name="AutomobileModel" class="AutomobileModel" syntax="String" resourceId="PP.EXT.AU.Model" min="0"...
