Novell ACCESS MANAGER 3.1 SP1 - IDENTITY SERVER Manual page 192

Identity server guide
Configuring the Name Identifier Format
The Unspecified Name Identifier format is the default for a newly created WS Federation service
provider, but this name identifier format doesn't work with the ADFS federation server.
Additionally, some Group Claims (Adatum ClaimApp Claim and Adatum TokenApp Claim) must
be satisfied in order to gain access to the SharePoint server.
1 On the WS Federation page, click the name of the TreyResearch service provider.
2 Click Attributes, then fill in the following fields:
Attribute set: Select the WS Federation attribute set you created.
Send with authentication: Move the All Roles attribute to the Send with authentication list.
3 Click Apply, then click Authentication Response.
4 Select E-mail for the Name Identifier Format.
5 Select LDAP Attribute:mail [LDAP Attribute Profile] as the value for the E-mail identifier.
6 Click OK twice, then update the Identity Server.
7 Continue with "Setting Up Roles for ClaimApp and TokenApp Claims" on page 192.
Setting Up Roles for ClaimApp and TokenApp Claims
When users access resources on the ADFS server, they need to have two roles assigned: a ClaimApp
role and a TokenApp role. The following steps explain how to create these two roles so that they are
assigned to all users that log in to the Identity Server.
1 On the Identity Servers page, click Edit > Roles > Manage Policies.
2 Click New, specify a name for the policy, select Identity Server: Roles, then click OK.
3 On the Rule 1 page, leave Condition Group 1 blank.
With no conditions to match, this rule matches all authenticated users.
4 In the Actions section, click New > Activate Role.
5 In the text box, specify ClaimApp.
6 In the Actions section, click New > Activate Role.
7 In the text box, specify TokenApp.
8 Click OK twice, then click Apply Changes.
9 Click Close.
10 On the Roles page, select the role policy you just created, then click Enable.
11 Click OK, then update the Identity Server.
12 Continue with "Importing the ADFS Signing Certificate into the NIDP-Truststore" on page 192.
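The two procedures above decide what the Identity Server puts into the WS-Federation sign-in response: an e-mail format NameIdentifier and the ClaimApp/TokenApp roles. The following script is an added example, not code from the Novell manual or from ADFS; it parses a constructed, unsigned RequestSecurityTokenResponse carrying a SAML 1.1 assertion and checks those two requirements the way the relying party would. The mapping of the "All Roles" attribute to the ADFS 1.x group claim type (AttributeNamespace http://schemas.xmlsoap.org/claims, AttributeName Group), the issuer URL and the user values are assumptions of the example, and it deliberately does no signature verification, which a real relying party must do before trusting any claim.

```python
"""Relying-party style check of a WS-Federation sign-in response.

Added example (not from the Novell Access Manager manual). It checks the two
things the chapter configures on the Identity Server side:
  1. NameIdentifier uses the e-mail format ADFS accepts, and
  2. the ClaimApp and TokenApp roles arrive as group claims.
Assumptions: ADFS 1.x group claims are SAML 1.1 attributes with
AttributeNamespace http://schemas.xmlsoap.org/claims and AttributeName Group.
No XML signature is verified here; a real relying party must do that first.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"  # assumed ADFS 1.x group claim type
REQUIRED_ROLES = {"ClaimApp", "TokenApp"}


def make_rstr(name_format: str, name_id: str, groups: list) -> str:
    """Build a constructed, unsigned RSTR carrying one SAML 1.1 assertion."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return (
        '<wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">'
        "<wst:RequestedSecurityToken>"
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
        'AssertionID="_constructed" Issuer="https://idp.example.test/nidp/wsfed/">'  # assumed issuer
        "<saml:AttributeStatement>"
        f'<saml:Subject><saml:NameIdentifier Format="{name_format}">{name_id}</saml:NameIdentifier></saml:Subject>'
        '<saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">'
        f"{values}</saml:Attribute>"
        "</saml:AttributeStatement></saml:Assertion>"
        "</wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse>"
    )


# Constructed samples: one configured as the chapter describes, one with the
# default "Unspecified" format and no role policy (the failure case).
SAMPLE_GOOD = make_rstr(EMAIL_FORMAT, "alice@example.test", ["ClaimApp", "TokenApp"])
SAMPLE_BAD = make_rstr(UNSPECIFIED_FORMAT, "alice", ["Employee"])


def check_token(rstr_xml: str) -> dict:
    """Extract the NameIdentifier and group claims and report what is missing."""
    root = ET.fromstring(rstr_xml)
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "name_id": None, "format": None, "roles": [],
                "problems": ["no SAML assertion in response"]}

    name_id = assertion.find(".//saml:Subject/saml:NameIdentifier", NS)
    name_format = name_id.get("Format") if name_id is not None else None

    # SAML 1.1 claim type = AttributeNamespace + "/" + AttributeName
    roles = set()
    for attr in assertion.findall(".//saml:Attribute", NS):
        claim_type = attr.get("AttributeNamespace", "") + "/" + attr.get("AttributeName", "")
        if claim_type == GROUP_CLAIM:
            roles.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)

    problems = []
    if name_format != EMAIL_FORMAT:
        problems.append(f"NameIdentifier format is {name_format!r}; ADFS needs {EMAIL_FORMAT}")
    missing = REQUIRED_ROLES - roles
    if missing:
        problems.append("missing group claims: " + ", ".join(sorted(missing)))

    return {"ok": not problems,
            "name_id": name_id.text if name_id is not None else None,
            "format": name_format,
            "roles": sorted(roles),
            "problems": problems}


if __name__ == "__main__":
    for label, sample in (("configured", SAMPLE_GOOD), ("default", SAMPLE_BAD)):
        result = check_token(sample)
        print(label, "ok" if result["ok"] else "rejected", result["roles"], result["problems"])
```

Run it directly to see the configured token accepted and the default one rejected for both reasons; the "default" case is what a freshly created WS Federation service provider produces before steps 4 and 5 and the role policy are applied.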
Importing the ADFS Signing Certificate into the NIDP-Truststore
The Novell Identity Provider (NIDP) must have the trusted root of the ADFS signing certificate (or
the certificate itself) listed in its Trust Store, as well as specified in the relationship. This is because
most ADFS signing certificates are part of a certificate chain, and the certificate that goes into the
metadata is not the same as the trusted root of that chain. However, because the Active
Directory step-by-step guide uses self-signed certificates for signing, and a self-signed certificate is
its own root, the same certificate appears in both the Trust Store and in the relationship.