Novell ACCESS MANAGER 3.1 SP2 - IDENTITY SERVER GUIDE 2010 Manual


AUTHORIZED DOCUMENTATION
Identity Server Guide
Novell® Access Manager 3.1 SP2
June 29, 2010
www.novell.com
Novell Access Manager 3.1 SP2 Identity Server Guide


Summary of Contents for Novell ACCESS MANAGER 3.1 SP2 - IDENTITY SERVER GUIDE 2010

  • Page 1 AUTHORIZED DOCUMENTATION Identity Server Guide Novell® Access Manager 3.1 SP2 June 29, 2010 www.novell.com
  • Page 2: Legal Notices

    Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
  • Page 3 Novell Trademarks For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html). Third-Party Materials All third-party trademarks are the property of their respective owners.
  • Page 5: Table Of Contents

    Contents About This Guide 1 Configuring an Identity Server Managing a Cluster Configuration 15 1.1.1 Creating a Cluster Configuration
  • Page 6 Creating the bcsLogin Configuration File 168
  • Page 7 5.3.5 Verifying the Kerberos Configuration 169 Configuring the Clients
  • Page 8 Managing WS Federation Providers 268
  • Page 9 10.3.1 Creating an Identity Provider for WS Federation 268 10.3.2 Creating a Service Provider for WS Federation 269 10.4 Modifying a WS Federation Identity Provider
  • Page 10 Duplicate Set-Cookie Headers 360 15.4 Problems Reading Keystores after Identity Server Re-installation 360
  • Page 11 A About Liberty B Understanding How Access Manager Uses SAML Attribute Mapping with Liberty 363 Trusted Provider Reference Metadata
  • Page 13: About This Guide

    This guide is intended to help you understand and configure all of the features provided by the Identity Server. It is recommended that you first become familiar with the information in the Novell Access Manager 3.1 SP2 Setup Guide, which helps you understand how to perform a basic Identity Server configuration, set up a resource protected by an Access Gateway, and configure SSL.
  • Page 14: Additional Documentation

    Novell Access Manager 3.1 SP2 Policy Guide; Novell Access Manager 3.1 SP2 J2EE Agent Guide; Novell Access Manager 3.1 SP2 SSL VPN Server Guide; Novell Access Manager 3.1 SP2 Event Codes
  • Page 15: Configuring An Identity Server

    Configuring an Identity Server After you log in to the Administration Console, click Devices > Identity Servers. The system displays the Identity Servers that can be managed from this Administration Console. A newly installed Identity Server is in an unconfigured state and is halted. It remains in this state and cannot function until you create a cluster configuration and assign the Identity Server to the new configuration.
  • Page 16: Creating A Cluster Configuration

    CardSpace or WS Federation protocols. These topics are not described in this section. In an Identity Server configuration, you specify the following information: The DNS name for the Identity Server or clustered server site. Certificates for the Identity Server.
  • Page 17 Organizational and contact information for the server, which is published in the metadata of the Liberty and SAML protocols. The LDAP directories (user stores) used to authenticate users, and the trusted root for secure communication between the Identity Server and the user store. To create an Identity Server configuration: 1 In the Administration Console, click Devices >...
  • Page 18 6 To configure session limits, fill in the following fields: LDAP Access: Specify the maximum number of LDAP connections the Identity Server can create to access the configuration store. You can adjust this amount for system performance.
  • Page 19 Default Timeout: Specify the session timeout you want assigned as a default value when you create a contract. This value is also assigned to a session when the Identity Server cannot associate a contract with the authenticated session. During federation, if the authentication request uses a type rather than a contract, the Identity Server cannot always associate a contract with the request.
  • Page 20 10 Click Next to configure the user store. You must reference your own user store and auto-import the SSL certificate. See Section 3.1, “Configuring Identity User Stores,” on page 104 for information about this procedure.
  • Page 21: Assigning An Identity Server To A Cluster Configuration

    11 After you configure the user store, the system displays the new configuration on the Servers page. The status icons for the configuration and the Identity Server should turn green. It might take several seconds for the Identity Server to start and for the system to display a green icon. If it does not, it is likely that the Identity Server is not communicating with the user store you set up.
  • Page 22: Configuring Session Failover

    Identity Server can be used for authentication. However, it doesn’t provide session failover. If a user has authenticated to the failed Identity Server, that user is prompted to authenticate and the session information is lost.
  • Page 23 When you enable session failover and an Identity Server goes down, the user’s session information is preserved. Another peer server in the cluster re-creates the authoritative session information in the background. The user is not required to log in again and experiences no interruption of services. “Prerequisites”...
  • Page 24: Editing Cluster Details

    However, firewalls must allow the ports specified here plus one to pass through. You need to open two ports for each cluster, for example, 7801 and 7802. Encrypt: Encrypts the content of the messages that are sent between cluster members.
  • Page 25: Removing A Server From A Cluster Configuration

    Level Four Switch Port Translation: Configure the L4 switch to translate the port of the incoming request to a new port when the request is sent to a cluster member. Because the cluster members communicate with each other over the same IP address/port as the L4 switch, the cluster implementation needs to know what that port is.
  • Page 26: Modifying The Base Url

    URL, you must send them the new metadata and have them re-import it. For information about setting up SSL and changing an Identity Server from HTTP to HTTPS, see “Enabling SSL Communication” in the Novell Access Manager 3.1 SP2 Setup Guide.
  • Page 27: Enabling Role-Based Access Control

    For a complete discussion on creating and configuring role policies, see “Creating Role Policies” in Novell Access Manager 3.1 SP2 Policy Guide. In order for a role to be assigned to users at authentication, you must enable it for the Identity Server configuration.
  • Page 28: Viewing The Services That Use The Signing Key Pair

    The SOAP back channel is the channel that the protocols use to communicate directly with a provider. The SOAP back channel is used for artifact resolutions and attribute queries for the Identity Web Services Framework.
  • Page 29: Viewing Services That Use The Encryption Key Pair

    To view your current configuration for the SOAP back channel: 1 In the Administration Console, click Devices > Identity Servers > Edit. 2 Select the protocol (Liberty, SAML 1.1, or SAML 2.0), then click the name of an identity provider or service provider. 3 Click Access.
  • Page 30 Identity Server when it is acting as an identity consumer (service provider). For example, when you click the Provider keystore, the following page appears:
  • Page 31 2b To replace a certificate, click Replace, browse to locate the certificate, then click OK. 2c If prompted to restart Tomcat, click OK. Otherwise, update the Identity Server. 3 To manage trust stores associated with the Identity Server: 3a Click either of the following links on the Security page: NIDP Trust Store: This Identity Server trust store contains the trusted root certificates of all the providers that it trusts.
  • Page 32: Security Considerations

    If both providers support artifacts, you should select this method because it is more secure. For more details, see the Response protocol binding option in Section 7.8, “Configuring an Authentication Request for an Identity Provider,” on page 207.
  • Page 33: Authentication Contracts

    1 At a command prompt, change to the Tomcat configuration directory: Linux: /var/opt/novell/tomcat5/conf Windows Server 2003: \Program Files\Novell\Tomcat\conf Windows Server 2008: \Program Files (x86)\Novell\Tomcat\conf 2 To the server.xml file, add the cipher suites you want to support. For 128-bit encryption, add the following line: ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA"...
  • Page 34: Securing The Identity Server Cookie

    <Context useHttpOnly="true"> </Context> 4 Save the file, then restart Tomcat: Linux: Enter the following command: /etc/init.d/novell-tomcat5 restart Windows: Enter the following commands: net stop Tomcat5 net start Tomcat5
  • Page 35: Configuring The Encryption Method For The Saml Assertion

    1 Open the web.xml file. Linux: /var/opt/novell/tomcat5/webapps/nidp/WEB-INF/ Windows Server 2003: \Program Files\Novell\Tomcat\webapps\nidp\WEB-INF/ Windows Server 2008: \Program Files (x86)\Novell\Tomcat\webapps\nidp\WEB-INF/ 2 Add the following lines to the file: <context-param> <param-name>EncryptionMethod</param-name> <param-value>TDES</param-value> </context-param> You can set the <param-value> element to TDES, AES128, or AES256. Because AES128 is...
  • Page 36: Blocking Access To Identity Server

    3 In a terminal window, open the server.xml file. Windows Server 2003: \Program Files\Novell\Tomcat\conf Windows Server 2008: \Program Files (x86)\Novell\Tomcat\conf 4 Change the ports from 8080 and 8443 to 80 and 443. 5 Restart the Tomcat service.
  • Page 37: Changing The Port On A Linux Identity Server

    These sections describe two solutions out of many possibilities. For more information about iptables, see the following: “Iptable Tutorial 1.2.2” (http://iptables-tutorial.frozentux.net/iptables-tutorial.html) and “NAM Filters for iptables Commands” (http://www.novell.com/communities/node/4029/nam-filters-iptables-commands). A Simple Redirect Script This simple solution works only if you are not using iptables to translate ports of other applications or Access Manager components.
  • Page 38 # Default-Stop: 0 1 6 # Description: Redirect 8443 to 443 for Novell IDP ### END INIT INFO # # Environment-specific variables. IPT_BIN=/usr/sbin/iptables INTF=eth0 ADDR=10.10.0.1 . /etc/rc.status # First reset status of this service rc_reset case "$1" in start) echo -n "Starting IP Port redirection"...
  • Page 39 # Environment-specific variables. IPT_BIN=/usr/sbin/iptables INTF=eth0 ADDR=10.10.0.1 6 To ensure that the iptables rule is active after rebooting, start YaST, click System > System Services (Runlevel), select Expert Mode, select the file you created, enable runlevels boot, 3 and 5 for the file, then start the service. 7 To verify that your script is running, enter the following command: ls /etc/init.d/rc3.d | grep -i AM_IDP_Redirect 8 Reboot the Identity Server machine.
  • Page 40 2 Add the following lines to the fw_custom_before_denyall section: iptables -A $chain -j ACCEPT -s 10.8.0.0/22 iptables -A $chain -j ACCEPT -d 10.8.0.0/22 The file should look similar to the following:
  • Page 41: Using Nethsm For The Signing Key Pair

    fw_custom_before_masq() { iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -j SNAT --to 10.1.1.1 true fw_custom_before_denyall() { for chain in input_ext input_dmz input_int forward_int forward_ext forward_dmz; do iptables -A $chain -j ACCEPT -s 10.8.0.0/22 iptables -A $chain -j ACCEPT -d 10.8.0.0/22 done true 3 Save the file.
  • Page 42: Server

    The SOAP back channel is used for artifact resolutions and attribute queries for the Identity Web Services Framework. To view your current configuration for the SOAP back channel: 1 In the Administration Console, click Devices > Identity Servers > Edit.
  • Page 43 2 Select the protocol (Liberty, SAML 1.1, or SAML 2.0), then click the name of an identity provider or service provider. 3 Click Access. 4 View the Security section. If the Message Signing option is selected, signing is enabled for the SOAP back channel.
  • Page 44: Configuring The Identity Server For Nethsm

    Windows. It creates an nfast user and group. Check your netHSM documentation for the specific steps. 2 (Conditional) If your Identity Server cluster configuration contains more than one Identity Server, install the netHSM client software on the other Identity Servers in the cluster.
  • Page 45 Windows Server 2003: \Program Files\Novell\Tomcat\webapps\roma\WEB-INF\conf Windows Server 2008: \Program Files (x86)\Novell\Tomcat\webapps\roma\WEB-INF\conf 6b Change the ports from 9000 and 9001 to another value, such as 9010 and 9011. The lines should look similar to the following: <stringParam name="ExecutorPort" value="9010" />...
  • Page 46 CSR. nCipher also uses a unique keystore of type nCipher.sworld. nCipher supports both a Windows and a Linux netHSM client. If you have a Windows netHSM client, the command is located in the following directory: c:\Program Files\Java\jdk1.5.0_14\jre\bin\java
  • Page 47 If you have a Linux netHSM client, the command is located in the following directory: /opt/novell/java/bin/java To create a new key pair for nCipher: 1 On a netHSM client, add the nCipher provider to the provider list of the java.security file:...
  • Page 48 A name that helps you identify the certificate request. In this sample configuration, the name is od93. -file: The name to be given to the certificate signing request file. In this sample configuration, the name is cert.csr
  • Page 49 Parameter Description -keypass: The password for the key. In this sample configuration, the password is mypwd. -keystore: A name for the keystore. In this sample configuration, the name is AMstore.jks. -storepass: The password for the keystore. In this sample configuration, the password is mypwd. -storetype: The type of keystore.
  • Page 50 CA you used, and the public certificate of the CA should be there as the owner and the issuer. 11 Copy the keystore to the directory on the Identity Server. Linux: /opt/novell/devman/jcc/certs/idp
  • Page 51 Windows Server 2003: \Program Files\Novell\devman\jcc\certs\idp Windows Server 2008: \Program Files (x86)\Novell\devman\jcc\certs\idp The keystore is found on the netHSM client in the directory specified by the -keystore parameter when you created the keystore. See Step 12 Synchronize the Identity Server with the remote file system server.
  • Page 52 /var/opt/novell/tomcat5/webapps/nidp/WEB-INF/classes directory. If you specified a different location for this file in Step 4, use that location. 5b Add the following lines: com.novell.nidp.extern.signing.providerClass=com.ncipher.provider.km.nCipherKM com.novell.nidp.extern.signing.providerName=nCipherKM com.novell.nidp.extern.signing.keystoreType=nCipher.sworld com.novell.nidp.extern.signing.keystoreName=/opt/novell/devman/jcc/certs/idp/AMstore.jks com.novell.nidp.extern.signing.keystorePwd=mypwd com.novell.nidp.extern.signing.alias=od93 com.novell.nidp.extern.signing.keyPwd=mypwd
  • Page 53 Windows Server 2003: \Program Files\Novell\Tomcat\bin Windows Server 2008: \Program Files (x86)\Novell\Tomcat\bin 2b Click the Java tab. 2c In the Java Classpath text box add the following to the end of the path: ";C:\nfast\java\classes\jcetools.jar;C:\nfast\java\classes\jutils.jar;C:\nfast\java\classes\keysafe.jar;C:\nfast\java\classes\kmcsp.jar;C:\nfast\java\classes\kmjava.jar;C:\nfast\java\classes\nfjava.jar;C:\nf...
  • Page 54 <keystore_type>: The type of keystore. For nCipher, this must be set to nCipher.sworld. <keystore_name>: The name you specified when you created the keystore. In this sample configuration, the name is AMstore.jks
  • Page 55 Variable Value <keystore_pwd>: When using module-protected keys, the keystore password must be null. For example: com.novell.nidp.extern.signing.keystorePwd= <key_alias>: The alias you created for the key when you created the key. In this sample configuration, the name is od93. When using module-protected keys, the key password must be null.
  • Page 56 Continue with Step 3b Stop Tomcat with the following command: /etc/init.d/novell-tomcat5 stop 3c Stop nfast with the following command: /opt/nfast/sbin/init.d-nfast stop
  • Page 57 /etc/init.d/novell-tomcat5 restart 4f To tail the catalina.out file, enter the following command: tail -f /var/opt/novell/tomcat5/logs/catalina.out 4g Search for a list of providers. When nCipher is working, the file contains entries similar to the following nCipher entries: Security Providers: SUN: 1.42 SUN (DSA key/parameter generation;...
  • Page 58 /var/opt/novell/tomcat5/conf following line: JAVA_OPTS="${JAVA_OPTS} -DJCECSP_DEBUG=255 -DJCECSP_DEBUGFILE=/var/opt/novell/tomcat5/logs/nCipher_jcecsp.debug" 5b Restart Tomcat by entering the following command: /etc/init.d/novell-tomcat5 restart 5c Look for clues in the nCipher_jcecsp.debug file.
  • Page 59: Customizing Login Pages, Logout Pages, And Messages

    Server. There are a multitude of reasons for customizing the login page. You might want to remove the Novell branding and replace it with your company’s brands. You might need to authenticate users with non-default attributes (such as an e-mail address rather than a username). You also might be fronting several protected resources with an Access Gateway, and you need to create a unique login page for each resource.
  • Page 60: Selecting The Login Page And Modifying It

    The upgrade process overrides any custom changes made to JSP files that use the same filename as those included with the product. During an upgrade, you can select to restore custom login pages, but Novell still recommends that you have your own backup of any customized files.
  • Page 61 Customizing the Default Login Page to Prompt for Different Credentials This section explains how to prompt the users for an identifier other than the user’s name. Figure 2-1 displays the default login page with the username prompt. Figure 2-1 login.jsp Modifying the Credential Prompts This section explains how to modify the content of the...
  • Page 62 7 (Conditional) If you need to localize the prompt for multiple languages, create a custom message properties file for the login prompt. (For more information on how to create a custom message properties file, see Section 2.3.1, “Customizing Messages,” on page 80.)
  • Page 63 WEB-INF/classes Server in the cluster. 7e Restart Tomcat on each Identity Server. Linux Identity Server: Enter the following command: /etc/init.d/novell-tomcat5 restart Windows Identity Server: Enter the following commands: net stop Tomcat5 net start Tomcat5 8 To view a sample custom page with these modifications, see Section 2.4.1, “Modified login.jsp...
  • Page 64 Windows Server 2003: \Program Files\Novell\Tomcat\webapps\nidp\jsp Windows Server 2008: \Program Files (x86)\Novell\Tomcat\webapps\nidp\jsp 2 Replace the header title that appears in the top frame (“Novell Access Manager” in Figure 2-2): 2a Locate the following string at the top of the file. String hdrTitle = handler.getResource(JSPResDesc.PRODUCT);...
  • Page 65 /custom_images images, the hdrImage string would have a value similar to the following: String hdrImage = "/custom_images/myapp.png" 5 Replace the Novell logo on the right of the header (see Figure 2-2): 5a Locate the following string: String hdrLogo = "AMHeader_logo.png"; 5b Replace the value of the...
  • Page 66 1a In the Administration Console, click Devices > Identity Servers > Edit > Local > Methods. 1b Click New, then specify a Display Name. 1c In the drop-down menu for classes, select a class that is a username/password class.
  • Page 67 Linux: /var/opt/novell/tomcat5/webapps/nidp/jsp Windows Server 2003: \Program Files\Novell\Tomcat\webapps\nidp\jsp Windows Server 2008: \Program Files (x86)\Novell\Tomcat\webapps\nidp\jsp 4 (Conditional) If you modified the variable, find the %Ecom_User_ID% string in the file and replace it with your variable.
  • Page 68 1 Copy the login.jsp file and rename it. The JSP files are located on the Identity Server in the following directory: Linux: /var/opt/novell/tomcat5/webapps/nidp/jsp Windows Server 2003: \Program Files\Novell\Tomcat\webapps\nidp\jsp Windows Server 2008: \Program Files (x86)\Novell\Tomcat\webapps\nidp\jsp
  • Page 69 Figure 2-3 Access Manager 3.0 Default Login Page You can change the Novell branding and modify the credential prompts. “Modifying the Branding in the 3.0 Login Page” on page 69 “Modifying the Credentials in the 3.0 Login Page”...
  • Page 70 1c In the drop-down menu for classes, select a class that is a username/password class. 1d Leave the Identifies User option enabled, and configure the user store option according to your needs. 1e In the Properties section, click New, then specify the following values:
  • Page 71 3e Copy the custom login page to the JSP directory of each Identity Server in the cluster. 3f Restart Tomcat on each Identity Server. Linux Identity Server: Enter the following command: /etc/init.d/novell-tomcat5 restart
  • Page 72: Configuring The Identity Server To Use Custom Login

    Property names and values are case sensitive. 1d Click OK. 1e (Conditional) If the Properties section does not contain a JSP property, click New, specify the following: Property Name:
  • Page 73 Property Value: custom1 The property value for the JSP property is the name of the custom login file without the extension. Replace custom1 with the name of your custom login file. This property determines which login page is displayed when this method is used. The filename cannot contain as part of its name.
  • Page 74 Class: Select a name/password class. Configure the other fields to match your requirements. 1c In the Properties section, add a Query property if the page uses custom credentials.
  • Page 75 The main.jsp file is located in the following directory: Linux: /var/opt/novell/tomcat5/webapps/nidp/jsp Windows Server 2003: \Program Files\Novell\Tomcat\webapps\nidp\jsp Windows Server 2008: \Program Files (x86)\Novell\Tomcat\webapps\nidp\jsp 3b Near the top of the file, add the following line: String strContractURI = hand.getContractURI();
  • Page 76 <%@ page import="com.novell.nidp.ui.*" %> <%@ page import="com.novell.nidp.common.util.*" %> <%@ page import="com.novell.nidp.liberty.wsf.idsis.apservice.schema.*" %> <% ContentHandler hand = new ContentHandler(request,response); String strContractURI = hand.getContractURI(); // Is there a JSP defined on a class definition
  • Page 77: Troubleshooting Tips For Custom Login

    // or a method definition that should be displayed // as the main jsp here? if (hand.contractDefinesMainJSP()) %> <%@ include file="mainRedirect.jsp" %> <% else if(strContractURI != null && strContractURI.equals("login1/custom1")) %> <%@ include file="custom1.jsp" %> <% else if(strContractURI != null && strContractURI.equals("login2/custom2")) %>...
  • Page 78: Customizing The Identity Server Logout

    You can create your own logout page and configure the Identity Server to use it. To do this, you need to modify the logoutSuccess.jsp file on the Identity Server. It is located in the following directory: Linux: /var/opt/novell/tomcat5/webapps/nidp/jsp
  • Page 79: Configuring For Local Rather Than Global Logout

    Windows Server 2003: \Program Files\Novell\Tomcat\webapps\nidp\jsp Windows Server 2008: \Program Files (x86)\Novell\Tomcat\webapps\nidp\jsp The logoutSuccess.jsp file is called in a frame from the nidp.jsp file. You can modify the file to display what you want or you can modify it to redirect the user to your custom page. One way to provide redirection is to replace the information in the <body>...
  • Page 80: Customizing Identity Server Messages

    4 Unzip the nidp.jar file in your working directory. 5 In your working directory, locate the .properties files in the following directories: com/novell/nidp/resource/strings com/novell/nidp/resource/logging com/novell/nidp/resource/jsp com/novell/nidp/resource/jcc com/novell/nidp/resource/noxlate com/novell/nidp/liberty/wsf/idsis/ppservice/model com/novell/nidp/liberty/wsf/idsis/epservice/model com/novell/nidp/liberty/wsf/idsis/opservice/model com/novell/nidp/liberty/wsf/idsis/apservice/model com/novell/nidp/liberty/wsf/interaction
  • Page 81 Windows Server 2003: \Program Files\Novell\Tomcat\webapps\nidp\WEB-INF\classes Windows Server 2008: \Program Files (x86)\Novell\Tomcat\webapps\nidp\WEB-INF\classes 11 (Optional) To enable messages about the loading of the custom properties files, enable debug logging: 11a In the Administration Console, click Devices > Identity Servers > Edit > Logging.
  • Page 82: Customizing The Branding Of The Error Page

    Appliance” in the Novell Access Manager 3.1 SP2 Access Gateway Guide. 2.3.2 Customizing the Branding of the Error Page The following page (err.jsp) is returned when the Identity Server encounters an error:
  • Page 83 Replace the value of the attribute with the path and filename of the image you want to use. To replace the Novell logo image, locate the following text in the body of the file. <div id="logo"><img src="/nesp/images/AccessMan31_Nlogo.png"></div> Replace the value of the attribute with the path and filename of the image you want to use.
  • Page 84: Customizing Tooltip Text For Authentication Contracts

    For example: CUSTOM_NamePwdFormToolTip=Forma de Nombre/Clave 7d Repeat Step 7c for each supported language file. 8 Restart Tomcat. Linux Identity Server: Enter the following command: /etc/init.d/novell-tomcat5 restart
  • Page 85: Sample Custom Login

    Windows Identity Server: Enter the following commands: net stop Tomcat5 net start Tomcat5 2.4 Sample Custom Login Pages Section 2.4.1, “Modified login.jsp File for Credential Prompts,” on page 85 Section 2.4.2, “Custom nidp.jsp File with Custom Credentials,” on page 88 ...
  • Page 86 (String) request.getAttribute("url") %>" AUTOCOMPLETE="off"> <input type="hidden" name="option" value="credential"> <% if (target != null) { %> <input type="hidden" name="target" value="<%=target%>"> <% } %> <table border=0 style="margin-top: 1em" width="100%" cellspacing="0" cellpadding="0"> <tr> <td style="padding: 0px">
  • Page 87 <table border=0> <tr> <td align=left> <label><%=handler.getResource(JSPResDesc.USERNAME)%></label> </td> <td align=left> <input type="text" class="smalltext" name="Ecom_User_ID" size="30"> </td> </tr> <tr> <td align=left> <label>Email Address:</label> </td> <td align=left> <input type="text" class="smalltext" name="Ecom_User_Mail" size="30"> </td> </tr> <tr> <td align=left> <label><%=handler.getResource(JSPResDesc.PASSWORD)%></label> </td> <td align=left> <input type="password" class="smalltext" name="Ecom_Password" size="30">...
  • Page 88: Custom Nidp.jsp File With Custom Credentials

    “The Method and the Contract” on page 95 The Modified nidp.jsp File The background, menu, and border colors are set to black. These colors are specified in the following lines in the sample file:
  • Page 89 Header Image Figure 2-7 Figure 2-8 illustrates the image (hhbimages.jpeg) that this custom page uses to replace the Novell company logo on the right of the header frame. Company Logo Figure 2-8 The following lines define what appears as the title for the browser window: <title>HHB WORLD</title>...
  • Page 90 { position: absolute; font-size: 1.2em; color: white; top: 18px; left: 85px; } #subtitle { position: relative; font-size: .9em; color: black; white-space: nowrap; top: 0px; left: 0px; text-align: right; } #mcontent { position: relative; padding: 5px; background-color:
  • Page 91 <%=bgcolor%>; } #content { width: 100%; border: 0; margin: 0; padding: 0; overflow: none; height: 376px; background-color: <%=bgcolor%>;} #logoutbut { position: absolute; top: 25px; right: 35px; #helpbutlogin { position: absolute; color: yellow; top: 25px; right: 10px; #loggingbut { position: absolute; color: blue; top: 25px; right: 65px; .NLtab .tab1s { background-color: <%=menucolor%>;...
  • Page 92 (g_curSubtab.id == "loginsubtab") helpURL = "<%=handler.getHelp("userlogin.html")%>"; else if (g_curSubtab.id == "newcardsubtab") helpURL = "<%=handler.getHelp("newcard.html")%>"; else if (g_curSubtab.id == "logTicketsubtab") helpURL = "<%=handler.getHelp("logticket.html")%>"; var w; w = window.open(helpURL, "nidsPopupHelp", "toolbar=no,location=no,directories=no,menubar=no,scrollbars=yes,resizable=yes,width=500,height=500");
  • Page 93 if (w != null) w.focus(); </script> </head> <body onload="onloadhandler()"> <table width=100% border=0 cellpadding=0 cellspacing=0 bgcolor=<%=bgcolor%> > <tr> <td> <table cellspacing=0 width=100% border=0> <tr> <td width=100%> <div id="header"><img src="<%=handler.getImage(hdrImage,false)%>"></div> <div id="logo"><img src="<%=handler.getImage(hdrLogo,false)%>"></div> <div id="title"><%=hdrTitle%></div> </td> </tr> </table> </td> </tr> <tr> <td> <table cellspacing=5 width=100%>...
  • Page 94 <%@ include file="mainRedirect.jsp" %> <% else if(strContractURI != null && strContractURI.equals("login/custom")) %> <%@ include file="custom.jsp" %> <% // This is the jsp used by default else %> <%@ include file="nidp.jsp" %> <% %>
  • Page 95: Custom 3.1 Login.jsp File

    The Method and the Contract After modifying the two files, you still need to create a method and a contract. The method needs to use a name/password class and have the following properties defined: Query property values: Property Name: Query; Property Value: (&(objectclass=person)(mail=%Ecom_User_Mail%))
  • Page 96 (i == 0) i = 1; document.IDPLogin.submit(); return false; </script> </head> <body text="lightcyan" style="background-color:Black" marginwidth="300" marginheight="100" leftmargin="350" topmargin="0" rightmargin="0" onLoad="document.IDPLogin.Ecom_User_ID.focus();" > <br> <h1><u> IT’S A NEW WORLD</u></h1> <form name="IDPLogin" enctype="application/x-www-form-urlencoded"
  • Page 97 method="POST" action="<%= (String) request.getAttribute("url") %>" AUTOCOMPLETE="off"> <input type="hidden" name="option" value="credential"> <% if (target != null) { %> <input type="hidden" name="target" value="<%=target%>"> <% } %> <table border=0 style="margin-top: 1em" width="20" cellspacing="0" cellpadding="0"> <tr> <div id="headimage"><img src="<%=handler.getImage(hdrImage,false)%>" alt="" height="80" width="150" border="0"></div> </tr> <tr>...
  • Page 98: Custom 3.0 Login.jsp File

    Guide. Figure 2-10 illustrates a page that has been modified to remove the Novell branding and logo. It has also been modified to prompt the user for an e-mail address in addition to a username and password.
  • Page 99 The bold lines in the following sample file are the lines that have been modified to change the branding and the login prompts. <%@ page language="java" %> <%@ page pageEncoding="UTF-8" contentType="text/html; charset=UTF-8"%> <%@ page import="com.novell.nidp.common.provider.*" %> <%@ page import="java.util.*" %> <%@ page import="com.novell.nidp.ui.*" %> <%@ page import="com.novell.nidp.*" %>...
  • Page 100 String err = (String) request.getAttribute(NIDPConstants.ATTR_LOGIN_ERROR); if (err != null) %> <div><label><%=err%></label></div> <% // Determine if this login page is being used for account identification // purposes %> <span id="login2" style="display: block;">
  • Page 101 <table> <tr> <td nowrap="nowrap"> <div> <label style="width: 100px"><%=handler.getResource(JSPResDesc.USERNAME)%></label> </div> </td> <td width="100%" nowrap="nowrap"> <div> <input type="text" class="smalltext" name="Ecom_User_ID" size="30"> </div> </td> </tr> <tr> <td nowrap="nowrap"> <div> <label style="width: 100px">Email Address:</label> </div> </td> <td width="100%" nowrap="nowrap"> <div> <input type="text" class="smalltext" name="Ecom_User_Mail" size="30">...
  • Page 102 MainJSP property values: Property Name: MainJSP; Property Value: true You then need to create a contract that uses this method and assign it to a protected resource.
  • Page 103: Configuring Local Authentication

    Configuring Local Authentication To guard against unauthorized access, Access Manager supports a number of ways for users to authenticate. These include name/password, RADIUS token-based authentication, and X.509 digital certificates. You configure authentication at the Identity Server by creating authentication contracts that the components of Access Manager (such as an Access Gateway) can use to protect a resource.
  • Page 104: Configuring Identity User Stores

    You can configure the Identity Server to search more than one user store during authentication. Figure 3-2 illustrates this type of configuration. Figure 3-2 Multiple LDAP Directories
  • Page 105: Configuring The User Store

    Ensure that you also delete those objects from the configuration store. See “Orphaned Objects in the Trust/Configuration Store” in the Novell Access Manager 3.1 SP2 Administration Console Guide. If you add a secondary Administration Console and you have added replicas to the user store of the primary Administration Console, ensure that you also add the replicas to the secondary Administration Console.
  • Page 106 Each directory type uses a slightly different format for the DN: eDirectory: cn=admin,ou=users,o=novell; Active Directory: cn=Administrator,cn=users,dc=domeh,dc=test,dc=com or cn=john smith,cn=users,dc=domeh,dc=test,dc=com; Sun ONE: cn=admin,cn=users,dc=novell,dc=com Admin Password and Confirm Password: Specify the password for the admin user and confirm it.
  • Page 107 LDAP server in a production environment. If you use port 389, usernames and passwords are sent in clear text on the wire. This option must be enabled if you use this user store as a Novell SecretStore User Store Reference in the Credential Profile details. (See Section 13.3, “Configuring Credential Profile...
  • Page 108 Subtree. This setting can cause serious performance problems. It is recommended that you set multiple search contexts, one for each top-level organizational unit. 14 Click Finish. 15 If prompted to restart Tomcat, click OK. Otherwise, update the Identity Server.
  • Page 109: Configuring An Admin User For The User Store

    3.1.3 Configuring an Admin User for the User Store The Identity Server must log in to each configured user store. It searches for users, and when a user is found, it reads the user’s attribute values. When you configure a user store, you must supply the distinguished name of the user you want the Identity Server to use for logging in.
  • Page 110 “Configuring an eDirectory User Store to Use SecretStore” on page 113. If your user store is eDirectory and you have installed Novell SecretStore, you can select to use the SecretStore on your eDirectory server to store the secrets. For some troubleshooting tips, see “Troubleshooting the Storing of Secrets”...
  • Page 111 6 To use the secret store to store policy secrets, see “Creating and Managing Shared Secrets” in Novell Access Manager 3.1 SP2 Policy Guide. Configuring an LDAP Directory to Store the Secrets When you use an LDAP directory to store the secrets, you need to enable the user store for the secrets.
  • Page 112 DES: Data Encryption Standard (DES) is a widely used method of data encryption that uses a private key. Like other private key cryptographic methods, both the sender and the receiver must know and use the same private key.
  • Page 113 The eDirectory server must have Novell SecretStore installed. When you configure a user store to use Novell SecretStore, the admin user that you have configured for the user store must have sufficient rights to extend the schema on the eDirectory server, to install the SAML NMAS method, and set up the required certificates and objects.
  • Page 114 5 Click Credential Profile. 6 Scroll to the Remote Storage of Secrets section. 7 Click New under Novell Secret Store User Store References. This adds a reference to a user store where SecretStore has been installed. 8 Click the user store that you configured for SecretStore.
  • Page 115 115. Determining a Strategy for Unlocking the SecretStore When an administrator resets a user's password, secrets written to the Novell SecretStore with an enhanced security flag become locked. The Identity Server does not write the secrets that it creates with this flag, but other applications might: If Access Manager is not sharing secrets with other applications, the secrets it is using are never ...
  • Page 116 Secrets Aren’t Stored in Novell SecretStore When you use Novell SecretStore to store the secrets, the schema on the eDirectory server must be extended, and specific SAML objects and certificates must be created. To verify that the schema was extended and the objects were created on the eDirectory server: 1 Open an LDAP browser and connect to the eDirectory server.
  • Page 117: Creating Authentication Classes

    (Linux) Verify that you have installed the required packages. See “Administration Console Requirements” in the Novell Access Manager 3.1 SP2 Installation Guide. If the objects exist, check for time synchronization problems. For more information, see “Users Are Receiving Invalid Credential Messages” on page 117.
  • Page 118 “Configuring for OpenID Authentication” on page 147 “Configuring Password Retrieval” on page 148 “Configuring Access Manager for NESCM” on page 149 “Configuring for Kerberos Authentication” on page 159
  • Page 119: Creating Basic Or Form-Based Authentication Classes

    Authentication,” on page 159 for configuration steps. NMASAuthClass: The authentication class used for Novell Modular Authentication Services (NMAS), which uses fingerprint and other technology as a means to authenticate a user. For instructions on using the NMAS NESCM method, see Section 4.6,...
  • Page 120: Specifying Common Class Properties

    PasswordClass ProtectedBasicClass ProtectedPasswordClass For example, to query for the user’s UID attribute to use for the username, you would specify the following query: Property Name: Query; Property Value: (&(objectclass=person)(uid=%Ecom_User_ID%))
  • Page 121 The values are case sensitive. The name of the property must be Query with an initial capital. The %Ecom_User_ID% variable is used in the default login.jsp for the username in the four classes that support the Query property. The variable is replaced with the value the user enters for his or her username, and the LDAP query is sent to the user store to see if the user’s attribute value matches the entered value.
  • Page 122: Configuring Authentication Methods

    2 To delete a method, select the method, then click Delete. A method cannot be deleted if a contract is using it. 3 To modify an authentication method, click its name, or to create one, click New.
  • Page 123 4 Fill in the following fields: Display Name: The name to be used to refer to the new method. Class: The authentication class to use for this method. See Section 3.2, “Creating Authentication Classes,” on page 117. Identifies User: Specifies whether this authentication method should be used to identify the user.
  • Page 124: Configuring Authentication Contracts

    2 To delete a contract, select the contract, then click Delete. You cannot delete a contract if it is in use by an Access Gateway or J2EE agent. 3 To create a new contract, click New.
  • Page 125 4 Fill in the following fields: Display name: Specifies the name of the authentication contract. URI: Specifies a value that uniquely identifies the contract from all other contracts. It is used to identify this contract for external providers and is a unique path value that you create. No spaces can exist in the URI field.
  • Page 126 When you choose a secure method, such as Secure Name/Password, ensure that you have enabled security for the Identity Server configuration by setting the protocol to HTTPS. See “Configuring Secure Communication on the Identity Server” in the Novell Access Manager 3.1 SP2 Setup Guide.
  • Page 127: Using A Password Expiration Service

    You can configure a protected resource to use it. See “Configuring Protected Resources” in the Novell Access Manager 3.1 SP2 Access Gateway Guide. 3.4.1 Using a Password Expiration Service Access Manager works with any password management service that works with your user store. For...
  • Page 128 If you specify a password service and do not specify a value for the number of grace logins in eDirectory, the contract redirects to the password management service only when the grace login count has reached 0 and the password has expired.
  • Page 129: Using Activity Realms

    If restricting grace logins is not important to your security model, enable grace logins and set the maximum to 9999 (the equivalent of infinite in most environments). For more information, see TID 3465171 (http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=3465171&sliceId=2&docTypeID=DT_TID_1_1&dialogID=131458644&stateId=0%200%20131454892).
  • Page 130: Specifying Authentication Defaults

    These contracts are executed when a request for a specific authentication type comes from a service provider. 1 In the Administration Console, click Devices > Identity Servers > Edit > Local > Defaults.
  • Page 131: Specifying Authentication Types

    Gateway configuration if it has protected resources configured to use Any Contract. See “Configuring Protected Resources” in the Novell Access Manager 3.1 SP2 Access Gateway Guide. Authentication Type: Specifies the default authentication contracts to be used for each authentication type. When a service provider requests a specific authentication type, rather than a contract, the identity provider uses the authentication contract specified here for the requested authentication type.
  • Page 132: Creating A Contract For A Specific Authentication Type

    5 Configure an authentication card for the contract. For information about these fields, see Section 3.4, “Configuring Authentication Contracts,” on page 124. 6 Click Finish, then OK. 7 Update the Identity Server.
  • Page 133: Managing Direct Access To The Identity Server

    Users can log directly in to the Identity Server when they enter the Base URL of the Identity Server in their browsers. For example, if your base URL is http://doc.provo.novell.com:8080/nidp users can log in directly to the Identity Server by entering the following URL: http://doc.provo.novell.com:8080/nidp/app...
  • Page 134: Specifying A Target

    <domain.com> is the DNS name of your Identity Server. In this example, the users would see the Novell Web site after logging in. Specify a Hidden Target on your Form: If you have your own login form to collect ...
  • Page 135: Blocking Access To The User Portal Page

    1 Open the main.jsp file for editing. This file is located in the following directory: Linux: /var/opt/novell/tomcat5/webapps/nidp/jsp Windows Server 2003: \Program Files\Novell\Tomcat\webapps\nidp\jsp Windows Server 2008: \Program Files (x86)\Novell\Tomcat\webapps\nidp\jsp 2 Locate the following line: ContentHandler hand = new ContentHandler(request,response);
  • Page 136: Blocking Access To The Wsdl Services Page

    Users can access the WSDL services page when they enter the base URL of the Identity Server in their browsers with the path to the Services page. For example, if your base URL is http://bfrei.provo.novell.com:8080/nidp, the users can access the services page with the following URL:
  • Page 137 Linux: /opt/novell/nids/lib/webapp/WEB-INF Windows Server 2003: \Program Files\Novell\Tomcat\webapps\nidp\WEB-INF Windows Server 2008: \Program Files (x86)\Novell\Tomcat\webapps\nidp\WEB-INF 3 Near the top of the file, in the context initialization parameters section, add the following lines: <context-param> <param-name>wsfServicesList</param-name> <param-value>full</param-value> </context-param> When wsfServicesList has a value of full, users can access the Services page.
  • Page 138 , and users have access to the page. full 4 Restart Tomcat for your modifications to take effect: Linux: Enter the following command: /etc/init.d/novell-tomcat5 restart Windows: Enter the following commands: net stop Tomcat5 net start Tomcat5
  • Page 139: Configuring Advanced Local Authentication Procedures

    4.1 Configuring for RADIUS Authentication RADIUS enables communication between remote access servers and a central server. Secure token authentication through RADIUS is possible because Access Manager works with Novell Modular Authentication Service (NMAS) RADIUS software that can run on an existing NetWare server.
  • Page 140: Configuring Mutual Ssl (X.509) Authentication

    The Identity Server must trust the Certificate authority that created the user certificates. 3 To create the X.509 authentication class, click Devices > Identity Servers > Edit > Local > Classes.
  • Page 141 4 Click New. 5 Specify a display name, then select X509Class from the drop-down menu. 6 Click Next. 7 Configure the validation options: Validations: The validation type. Trust validation occurs if the certificate chain is verified in the NIDP Trust Store. In addition to usual certificate validations, the Identity Server supports CRL (certificate revocation list) and OCSP (Online Certificate Status Protocol) validations for each authentication request.
  • Page 142: Configuring Attribute Mappings

    1 Step 3 of the wizard or click Devices > Identity Servers > Edit > Local > Classes > [Name of X.509 class] > Properties > Attributes. 2 Configure attribute mappings.
  • Page 143 Show certificate errors: Displays an error page when a certificate error occurs. This option is disabled by default. Auto Provision X509: Enables using X.509 authentication for automatic provisioning of users. This option allows you to activate X.509 for increased security, while using a less secure way of authentication, such as username/password.
  • Page 144 For more information about this class and method, see Section 4.5, “Configuring Password Retrieval,” on page 148. 6 Update the Identity Server.
  • Page 145: Setting Up Mutual Ssl Authentication

    1 Set up Access Manager certificates for security, and import them into the Access Manager system. (See “Creating Certificates” in the Novell Access Manager 3.1 SP2 Administration Console Guide.) 2 Create an X.509 authentication class. (See Section 4.2, “Configuring Mutual SSL (X.509) Authentication,”...
  • Page 146 122 Section 3.4, “Configuring Authentication Contracts,” on page 124. If the contract allows the user to select from the three types of credentials, the login page looks similar to the following:
  • Page 147: Configuring For Openid Authentication

    The Radius class prompts the user for a token instead of a password. The user can use the drop-down menu to select between the password and the token. If the user selects to send a certificate, the username and password/token options become unavailable. 4.4 Configuring for OpenID Authentication OpenID is an open, decentralized method for identifying users which allows users to use the same digital identity for logging in to multiple services.
  • Page 148: Configuring Password Retrieval

    IMPORTANT: The PasswordFetchClass only works with eDirectory user stores. 1 In the Administration Console, click Devices > Identity Servers > Edit > Local > Classes. 2 Click New, then fill in the following fields:
  • Page 149: Configuring Access Manager For Nescm

    To use a smart card with Access Manager, you need to configure Access Manager to use the eDirectory server where you have installed the Novell Enhanced Smart Card Login Method for NMAS (NESCM). You then need to create a contract that knows how to prompt the user for the smart card credentials.
  • Page 150: Prerequisites

    “Configuring the Server” (http://www.novell.com/documentation/iasclient30x/nescm_install/data/b7tf2gi.html) in the Novell Enhanced Smart Card Method Installation and Administration Guide (http://www.novell.com/documentation/iasclient30x/nescm_install/data/bookinfo.html). Provision your smart card according to your company policy. Make sure you have a basic Access Gateway configuration with a protected resource that you ...
  • Page 151 2 On the Create User Store page, fill the following fields: Name: A display name for the eDirectory replica (for example, nescm_replica). Admin Name: The distinguished name of the admin user of the directory. Administrator-level rights are required for setting up a user store. Admin Password and Confirm Password: The password for the admin user and the confirmation for the password.
  • Page 152: Creating A Contract For The Smart Card

    2 Specify a display name for the class (for example, Class-NMAS-NESCM). 3 For the Java class, select NMASAuthClass from the selection list. 4 Click Next. 5 On the Specify Properties page, click New.
  • Page 153 6 Specify the following values for the property: Property Name: Specify NMAS_LOGIN_SEQUENCE Property Value: Specify Enhanced Smart Card The Property Value matches the method name as displayed in the NMAS task > NMAS Login Methods. 7 Click OK, then click Finish. 8 Continue with “Creating a Method to Use the NMAS Class”...
  • Page 154 Creating an Authentication Contract to Use the Method Contracts are the element you assign to protect a resource. 1 On the Local page for the Identity Server, click Contracts > New.
  • Page 155 2 Specify a Display name (for example, Contract-NMAS-NESCM-UserStore1). 3 Enter a URI (for example, nescm/test/uri). The URI is used to identify this contract for external providers and is a unique path value that you create. 4 In the Available methods list, select the method created in “Creating a Method to Use the NMAS Class”...
  • Page 156: Assigning The Nescm Contract To A Protected Resource

    If the Smart Card contains a certificate that meets the defined criteria (in this example, a matching Subject name and trusted signing CA), the user is now successfully authenticated to the IDP and is connected through the Access Gateway to the protected resource.
  • Page 157: Troubleshooting

    4.6.6 Troubleshooting Error: Authentication fails without prompting the user for the token. Resolution: Verify that you have configured the class and method correctly. See “Creating an NMAS Class for NESCM” on page 152 and “Creating a Method to Use the NMAS Class” on page 153.
  • Page 159: Configuring For Kerberos Authentication

    Configuring for Kerberos Authentication Kerberos is an authentication method that allows users to log in to an Active Directory domain. This authentication method provides them with a token, which an Identity Server can be configured to use as a contract. This provides single sign-on for the user between Active Directory and the Identity Server.
  • Page 160: Prerequisites

    Explorer 6. To make Kerberos work with Internet Explorer 6, you need to enable integrated Windows authentication. For information on how to enable this feature, see “Authentication Uses NTLM instead of Kerberos” (http://technet.microsoft.com/en-us/library/cc779070.aspx). Windows Vista with the latest version of Internet Explorer.
  • Page 161: Configuring Active Directory

    Section 5.2.3, “Configuring the Keytab File,” on page 163. For more information on these issues, see TID 7006036 (http://www.novell.com/support/viewContent.do?externalId=7006036&sliceId=1). Active Directory must be configured to contain entries for both the users and their machines. Active Directory must be running on Windows Server 2003 Enterprise SP2 or Windows Server 2008 SP2 or higher.
  • Page 162: Creating And Configuring The User Account For The Identity Server

    7 (Optional) Verify that the user has the required servicePrincipalName attribute with a valid value. Enter the following command: setspn -L <userName> For this configuration example, you would enter the following command: setspn -L amser
  • Page 163: Configuring The Keytab File

    For this configuration example, you would enter the following command to create a keytab file named nidpkey: ktpass /out nidpkey.keytab /princ HTTP/amser.provo.novell.com@AD.NOVELL.COM /mapuser amser@AD.NOVELL.COM /pass novell 2 Copy the keytab file to the Identity Server. Copy the file to the default location on the Identity Server:...
  • Page 164: Configuring The Identity Server

    4 For a new user store, fill in the following fields. For an existing Active Directory user store, verify the values. Name: Specify a name of the user store for reference.
  • Page 165: Creating The Authentication Class, Method, And Contract

    Admin name: Specify the name of the administrator of the Active Directory server. Administrator-level rights are required for setting up a user store. This ensures read/write access to all objects used by Access Manager. Admin password and Confirm password: Specify the password for the administrator of the Active Directory server and confirm the password.
  • Page 166 7 On the Local page, click Methods > New. 8 Fill in the following fields: Display name: Specify a name that you can use to identify this method. Class: Select the class that you created for Kerberos.
  • Page 167 User stores: Move the Active Directory user store to the list of User stores. If you have only one installed user store, <Default User Store> can be used. If you have multiple user stores, the Active Directory user store must be in this list (or if it is configured to be the default user store, <Default User Store>...
  • Page 168: Creating The Bcslogin Configuration File

    Windows Server 2008: The path in the keyTab line should be C:\\Program Files (x86)\\Novell\\jre\\lib\\security\\nidpkey.keytab The path in the ticketCache line should be C:\\Program Files (x86)\\Novell\\jre\\lib\\security\\spnegoTicket.cache 3 Save this file with a name of bcsLogin.conf
  • Page 169: Verifying The Kerberos Configuration

    For the configuration example, the lines look similar to the following: principal's key obtained from the keytab principal is HTTP/amser.provo.novell.com@AD.NOVELL.COM Added server's key Kerberos Principal HTTP/amser.provo.novell.com@AD.NOVELL.COM Key Version 3 key EncryptionKey: keyType=3 keyBytes (hex dump)=0000: CB 0E 91 FB 7A 4C 64 FE [Krb5LoginModule] added Krb5Principal HTTP/amser.provo.novell.com@AD.NOVELL.COM to Subject Commit Succeeded 5 If the file does not contain any lines similar to these, verify that you have enabled logging.
  • Page 170 Kerberos Configuration” on page 169. If you make any modifications to the configuration, either in the Administration Console or to the bcsLogin file, restart Tomcat on the Identity Server.
  • Page 171: Configuring The Access Gateway For Kerberos Authentication

    Kerberos contract for the authentication procedure. For instructions, see “Configuring Protected Resources” in the Novell Access Manager 3.1 SP2 Access Gateway Guide. When using Kerberos for authentication, the LDAP credentials are not available. If you need LDAP credentials to provide single sign-on to some resources, see Section 4.5, “Configuring Password...
  • Page 173: Defining Shared Settings

    Defining Shared Settings You can define shared settings so that they can be reused and are available in any Identity Server cluster configuration. The settings include: Attribute sets: Sets of attributes that are exchangeable between identity and service providers. ...
  • Page 174 Constant: Specify a value that is constant for all users of this attribute set. The name of the attribute that is associated with this value is specified in the Remote Attribute field.
  • Page 175 Remote Attribute: Specify the name of the attribute defined at the external provider. The text for this field is case sensitive. A value is optional if you are mapping a local attribute. If you leave this field blank, the system sends an internal value that is recognized between Identity Servers.
  • Page 176: Editing Attribute Sets

    The user matching expression defines the logic of the query. You must know the LDAP attributes that are used to name the users in the user store in order to create the user’s distinguished name and uniquely identify the users.
  • Page 177 For example, if the service provider user store uses the email attribute to identify users, the identity provider should be configured to send the email attribute. The service provider would use this attribute in a user matching expression to find the user in the user store. If a match is found, the user is granted access.
  • Page 178: Adding Custom Attributes

    Shared secret names can be created either on the Custom Attributes page or in the associated policy that consumes them. 1 In the Administration Console, click Devices > Identity Servers > Shared Settings > Custom Attributes. 2 To create shared secret names, click New.
  • Page 179: Creating Ldap Attribute Names

    3 Enter a new shared secret name and, optionally, a secret entry name. 4 Click OK. 5 (Optional) To create additional entries for the secret, click the name of the secret, click New, specify an entry name, then click OK. WARNING: The Identity Server currently has no mechanism to determine whether a secret is being used by a policy.
  • Page 180: Adding Authentication Card Images

    2 Click New. 3 Fill in the following fields. Name: Specify a name for the image. Description: Describe the image and its purpose. File: Click Browse, locate the image file, then click Open.
  • Page 181: Creating An Image Set

    Locale: From the drop-down menu, select the language for the card or select All Locales if the card can be used with all languages. 4 Click OK. 5 If you did not specify All Locales for the Locale, continue with Section 6.6, “Creating an Image Set,”...
  • Page 183: Configuring Saml And Liberty Trusted Providers

    Configuring SAML and Liberty Trusted Providers This section discusses configuring trust so that two user accounts can be associated with each other without the sites exchanging user data. It explains how to use the Liberty, SAML 1.1, and SAML 2.0 protocols to set up the trust with internal and external identity providers, service providers, and Embedded Service Providers (ESPs).
  • Page 184: Embedded Service Providers

    Access Manager and is embedded in the Access Gateways, the J2EE agents, and a version of the SSL VPN server. The ESP facilitates authentication between the Identity Server and the resource protected by the device, as shown in Figure 7-2.
  • Page 185: Configuration Overview

    Section 1.1.1, “Creating a Cluster Configuration,” on page 16. (You should already be familiar with the Novell Access Manager 3.1 SP2 Installation Guide.) 2. Administrators at each company must import the trusted root certificate of the other Identity Server into the NIDP trust store.
  • Page 186: Configuring General Provider Options

    You must manually configure this setting. “Specifying the Intersite Transfer Service URL for the Login URL Option” on page 219. NOTE: For a tutorial that explains all the steps for setting up federation between two Novell Identity Servers, see “Setting Up Federation”...
  • Page 187: Configuring The General Identity Consumer Options

    user. The service provider determines whether any of these identity providers can authenticate a user without credentials. The service domain must resolve to the same IP address as the base URL domain. For example, if an agreed-upon common domain is xyz.com, the service provider can specify a service domain of sp.xyz.com, and the identity provider can specify a service domain of idp.xyz.com.
  • Page 188: Configuring The Introductions Class

    1 In the Administration Console, click Devices > Identity Server > Servers > Edit > Local > Classes > Introductions. 2 Click Properties > New, then specify the following values. Property Name: Specify ShowUser Property Value: Specify true 3 Click OK.
  • Page 189: Configuring The Trust Levels Class

    7.3 Managing Trusted Providers The procedure for establishing trust between providers begins with obtaining metadata for the trusted provider. If you are using the Novell Identity Server, protocol-specific metadata is available via a URL. 1 In the Administration Console, click Devices > Identity Servers > Servers > Edit > [Protocol].
  • Page 190: Creating A Trusted Provider For Liberty Or Saml 2.0

    Enabled Protocols section has been enabled. Procedure 1 In the Administration Console, click Devices > Identity Servers > Edit > [Protocol]. For the protocol, click Liberty or SAML 2.0.
  • Page 191 \Program Files\Novell\jre\lib\security Windows Server 2008: \Program Files (x86)\Novell\jre\lib\security If you do not want to use HTTP and you do not want to import a certificate into the Administration Console, you can use the Metadata Text option. In a browser, enter the HTTP URL of the metadata.
  • Page 192: Creating A Trusted Service Provider For Saml 1.1

    Obtained the metadata URL from the service provider, an XML file with the metadata, or the information required for manual entry. For more information about the manual entry option, see Section 7.7.4, “Editing a SAML 1.1 Service Provider’s Metadata,” on page 205.
  • Page 193 \Program Files\Novell\jre\lib\security Windows Server 2008: \Program Files (x86)\Novell\jre\lib\security If you do not want to use HTTP and you do not want to import a certificate into the Administration Console, you can use the Metadata Text option. In a browser, enter the HTTP URL of the metadata.
  • Page 194: Creating A Trusted Identity Provider For Saml 1.1

    URL. If you copy metadata text from a Web browser, you must copy the text from the page source.
  • Page 195: Modifying A Trusted Provider

    Text: Specify the text that is displayed on the card to the user. Login URL: Specify an Intersite Transfer Service URL. The URL has the following format, where idp.sitea.novell.com is the DNS name of the identity provider and idp.siteb.novell.com is the name of the service provider: https://idp.sitea.novell.com:8443/nidp/saml/idpsend?PID=https://...
  • Page 196: Configuring Communication Security

    Section 7.5.1, “Configuring Communication Security for Liberty and SAML 1.1,” on page 197 Section 7.5.2, “Configuring Communication Security for a SAML 2.0 Identity Provider,” on page 197 Section 7.5.3, “Configuring Communication Security for a SAML 2.0 Service Provider,” on page 199
  • Page 197: Configuring Communication Security For Liberty And Saml 1.1

    7.5.1 Configuring Communication Security for Liberty and SAML 1.1 Liberty and SAML 1.1 have the same security options for the SOAP back channel for both identity and service providers. You cannot configure the trust relationship of the SOAP back channel for the Identity Server and its Embedded Service Providers.
  • Page 198 SOAP back-channel requests, which means that the name and password must be agreed upon. Verify: The name and password used to verify data that the trusted provider sends.
  • Page 199: Configuring Communication Security For A Saml 2.0 Service Provider

    4 Click OK twice. 5 Update the Identity Server. 7.5.3 Configuring Communication Security for a SAML 2.0 Service Provider The security settings control the direct communication between the Identity Server and the service provider across the SOAP back channel. 1 In the Administration Console, click Devices > Identity Servers > Edit > SAML 2.0. 2 Click the name of a service provider.
  • Page 200: Configuring The Attributes Obtained At Authentication

    For more information on this process, see Section 6.1, “Configuring Attribute Sets,” on page 173. 2f To add other attributes to the set, repeat Step 2b through Step 2g Click Finish.
  • Page 201: Configuring The Attributes Sent With Authentication

    3 Select an attribute set. 4 Select attributes from the Available list, and move them to the left side of the page. The attributes that you move to the left side of the page are the attributes you want to be obtained during authentication.
  • Page 202: Sending Attributes To The Embedded Service Provider

    9 For the attribute set, select the set you created for the Embedded Service Provider. 10 Select attributes from the Available list, then move them to the left side of the page. 11 Click OK, then update the Identity Server.
  • Page 203: Managing Metadata

    7.7 Managing Metadata The Liberty, SAML 1.1, and SAML 2.0 protocols contain pages for viewing and reimporting the metadata of the trusted providers. Only the SAML 1.1 protocol allows you to edit the metadata. Section 7.7.1, “Viewing and Reimporting a Trusted Provider’s Metadata,” on page 203 ...
  • Page 204: Editing A Saml 1.1 Identity Provider's Metadata

    Provider ID: (Required) The SAML 1.1 metadata unique identifier for the provider. For example, https://<dns>:8443/nidp/saml/metadata. Replace <dns> with the DNS name of the provider. In the metadata, this is the entityID value.
  • Page 205: Editing A Saml 1.1 Service Provider's Metadata

    Source ID: The SAML Source ID for the trusted provider. The Source ID is a 20-byte value that is used as part of the Browser/Artifact profile. It allows the receiving site to determine the source of received SAML artifacts. If none is specified, the Source ID is auto-generated by using a SHA-1 hash of the site provider ID.
  • Page 206 In the metadata, this URL value is found in the AssertionConsumerService section of the metadata. Service Provider: Specifies the public key certificate used to sign SAML data. You can browse to locate the service provider certificate. 5 Click Finish.
  • Page 207: Configuring An Authentication Request For An Identity Provider

    7.8 Configuring an Authentication Request for an Identity Provider When you are configuring the Identity Server to trust an identity provider and to use that identity provider for authentication, you can specify the conditions under which the Identity Server accepts the authentication credentials of the identity provider.
  • Page 208 This option should be enabled only when you know the identity provider is available 99.999% of the time or when the service provider is dependent upon this identity provider for authentication. 5 Click OK twice, then update the Identity Server.
  • Page 209: Configuring A Saml 2.0 Authentication Request

    7.8.2 Configuring a SAML 2.0 Authentication Request You can configure how an authentication request is federated. When users authenticate to a service provider, they can be given the option to federate their account identities with the preferred identity provider. This process creates an account association between the identity provider and service provider that enables single sign-on and single log-out.
  • Page 210 If the server is down and does not respond to the authentication request, the user gets a page-cannot-be-displayed error. Local authentication is disabled because the browser is never redirected to the login page.
  • Page 211 authentication statement. If the identity provider is a Novell Identity Server, the Identity Server first finds the specified class or type and its assigned authentication level. It then uses this information to find a contract that matches the conditions. For example, if the authentication level is set to 1 for the class or type, the identity provider looks for a contract with an authentication level that is higher than 1.
  • Page 212: Configuring An Authentication Response For A Service Provider

    1 In the Administration Console, click Devices > Identity Servers > Edit > Liberty > [Service Provider] > Authentication Response. 2 Select the binding method.
  • Page 213: Configuring The Saml 2.0 Authentication Response

    If the request from the service provider does not specify a response binding, you need to specify a binding method to use in the response. Select Artifact to provide an increased level of security by using a back-channel means of communication between the two servers. Select Post to use HTTP redirection for the communication channel between the two servers.
  • Page 214 To view the identity provider configuration, see “Defining User Identification for Liberty and SAML 2.0” on page 277. 5 Specify the value for the name identifier.
  • Page 215: Configuring The Saml 1.1 Authentication Response

    The persistent and transient formats are generated automatically. For the others, you can select an attribute. The available attributes depend upon the attributes that you have selected to send with authentication (see Section 7.6.1, “Configuring the Attributes Obtained at Authentication,” on page 200).
  • Page 216: Managing The Authentication Card Of An Identity Provider

    When you create an identity provider, you must also configure an authentication card. After it is created, you can modify it. 1 In the Administration Console, click Devices > Identity Servers > Edit > SAML 1.1 > [Identity Provider] > Authentication Card.
  • Page 217: Using The Intersite Transfer Service

    “Specifying the Intersite Transfer Service URL for the Login URL Option” on page 219. If your identity provider is a Novell Identity Server and you know the ID specified for the target, you can use the following simplified format for the Login URL: <URL for site a>?id=<ID of target>...
  • Page 218 <entityID> must match what is configured for the <identity_consumer_URL>. For SAML 1.1 and SAML 2.0, search the metadata for its entityID value. For Liberty, search the metadata for its providerID value. Novell Identity Servers acting as service providers have the following types of values: SAML 1.1:...
  • Page 219: Specifying The Intersite Transfer Service Url For The Login Url Option

    [Figure: Site A has an Identity Server (Identity Provider: A, Service Provider: 1, DNS: idp.sitea.novell.com); Site B has an Identity Server (Identity Provider: B, Service Provider: 2, DNS: idp.siteb.novell.com); an Access Gateway (DNS: eng.provo.novell.com) fronts a Web Server with URL https://eng.provo.novell.com/myapp.] If you want a card to appear that allows the user to log in to Site A (as shown in...
  • Page 220: Using Intersite Transfer Service Links On Web

    <a href="https://idp.sitea.novell.com:8443/nidp/saml/idpsend?PID=https://idp.siteb.novell.com:8443/nidp/saml/metadata&TARGET=https://eng.provo.novell.com/saml1/myapp">SAML1 example</a> SAML 2.0: <a href="https://idp.sitea.novell.com:8443/nidp/saml2/idpsend?PID=https://idp.siteb.novell.com:8443/nidp/saml2/metadata&TARGET=https://eng.provo.novell.com/saml2/myapp">SAML2 example</a> Liberty: <a href="https://idp.sitea.cit.novell.com:8443/nidp/idff/idpsend?PID=https://idp.siteb.novell.com:8443/nidp/idff/metadata&TARGET=https://eng.provo.novell.com/liberty/myapp">Liberty example</a> Figure 7-5 illustrates a network configuration that could use these sample links.
  • Page 221: Configuring An Intersite Transfer Service Target For A Service Provider

    Figure 7-5 Using the Intersite Transfer Service URL [Figure: Site A has an Identity Server (Identity Provider: A, Service Provider: 1, DNS: idp.sitea.novell.com); Site B has an Identity Server (Identity Provider: B, Service Provider: 2, DNS: idp.siteb.novell.com); an Access Gateway (DNS: eng.provo.novell.com) fronts a Web Server with URL https://eng.provo.novell.com/myapp; Site Z is a Third-Party Server.] In this example, Site Z places links on its Web page, using the Intersite Transfer Service URL of Site A.
  • Page 222 Intersite Transfer URL. If this option is not selected, the target value in the Intersite Transfer URL is ignored and the user is sent to the URL specified in the Target option. 3 Click OK twice. 4 Update the Identity Server.
  • Page 223: Configuring Cardspace

    CardSpace puts the users in control of managing the cards that they want to use for identity information and credentials. With a CardSpace client, the users can create managed cards and personal cards for authentication to the Novell Identity Server. Figure 8-1 illustrates this process.
  • Page 224 2. The relying party returns the security token requirements, which include the issuer ID, the required attributes, and the token type to CardSpace. 3. The CardSpace client software highlights the cards that meet the requirements, and the user selects the card to use.
  • Page 225: Prerequisites For Cardspace

    5. The CardSpace client software presents the token to the relying party, and if it matches the requirements, the user is granted access. The Novell Identity Server can be configured to act as relying party or as an identity provider. It can be configured to accept the following types of cards for authentication: personal cards, managed cards, and managed cards backed by personal cards.
  • Page 226: Configuring The Client Machines For Cardspace

    2f Select Place all certificates in the following store, then click Browse. 2g Select to Show physical stores, scroll to the Trusted Root Certification Authorities, open it, select Local Computer, then click OK.
  • Page 227 2h Click Next > Finish > OK. 2i Close the browser. 2j To verify that the correct certificate was installed, open the browser, then enter the base URL of the Identity Server. The certificate error should not appear in the URL line. Configuring Linux Clients for CardSpace The following instructions are for Linux clients running SUSE Linux Enterprise Server (SLES) 10.
  • Page 228: Cardspace Configuration Scenarios

    2. The user selects an authentication card that requires a personal card. 3. From the available cards in CardSpace, the user selects the card that meets the security requirements, and the CardSpace client software sends it to the Identity Server.
  • Page 229 To configure this scenario: 1 In the Administration Console, click Devices > Identity Servers > Edit. 2 In the Enabled Protocols section, enable STS and CardSpace. 3 Click CardSpace > Authentication Card, then fill in the following fields: ID: (Optional) Leave this field blank. Text: Specify the text that is displayed on the card to the user, for example, CardSpace Image: Select the image from the drop-down list.
  • Page 230: Authenticating With A Managed Card

    DNS name of the Identity Server as the subject name. 1 In the Administration Console, click Devices > Identity Servers > Edit > Security. 2 In the Keys and Certificate section, click Signing. 3 Click Replace.
  • Page 231 Image: Specify the image to be displayed on the card. Select the image from the drop-down list. To add an image to the list, click Select local image. The default image is the Novell Card. Require Identification of Relying Party in Security Token: Select this option to require the relying party to provide identification when it requests a security token.
  • Page 232 ID is the base URL of the Identity Server plus the following path: /sts/services/Trust For example, if the base URL is https://test.lab.novell.com:8443/nidp, the Provider ID is the following value:
  • Page 233 Identity Provider: Click Browse to browse for and select the certificate that you exported for the identity provider. 2d Click Next > Finish. 3 To create a profile that allows this trusted provider to be an issuer of security tokens, click Authentication Card.
  • Page 234: Authenticating With A Managed Card Backed By A Personal Card

    3 Click New Card, then click the Managed Card Template. 4 Specify a name for the card, then enable the Use Personal Card For Authentication option. 5 When CardSpace opens, select a personal card, then click Send.
  • Page 235: Configuring The Identity Server As A Relying Party

    6 On the New Card page, click Create Card. 7 Click Open. CardSpace opens. 8 Click Install and Exit. The managed card backed by a personal card is installed. 9 Log out and close the browser. 10 In the browser, enter the base URL of the Identity Server acting as the relying party. 11 Select the CardSpace card.
  • Page 236 Satisfied contract list. Allow federation: Allows the CardSpace card to be linked with a user account. If you do not select this option, the user is always prompted for credentials.
  • Page 237: Defining A Trusted Provider

    User Identification Methods: If you enable federation, the user identification method determines how the card is linked to a user account and allows the association to be saved. If you do not enable federation, a user identification method allows the card to be linked with an account, but the association is not saved.
  • Page 238 2 On the Trusted Providers page, click the name of a trusted provider. 3 To change the name of the trusted provider, specify a new name on the Configuration page, then click Apply. 4 To view or edit the metadata, click Metadata.
  • Page 239: Cleaning Up Identities

    5 To modify the Provider ID or to import a new signing certificate, click Edit. 5a (Optional) To change the Provider ID, enter a new value or modify the current value. 5b (Optional) To import a new signing certificate, click Browse, find the certificate file, click Open to import it, then click Apply.
  • Page 240: Replacing The Signing Certificate

    For information on creating a custom authentication class, see Novell Access Manager Developer Tools and Examples (http://developer.novell.com/wiki/index.php/Novell_Access_Manager_Developer_Tools_and_Examples). 5 Click Apply, then click Authentication Request.
  • Page 241: Creating A Managed Card Template

    The options displayed allow you to select the format for the name identifier that is returned in the SAML assertion. The selected attribute sets (Identity Servers > Edit > STS > Attribute Sets) determine the values that are available for the formats. 6 Select a format and value.
  • Page 242: Using Cardspace Cards For Authentication To Access Gateway Protected Resources

    New: Launches the Create Trusted Identity Provider Wizard. See Section 8.7.1, “CardSpace Identity Provider Wizard,” on page 243 for more information. Delete: Allows you to delete the selected identity provider. Enable: Enables the selected identity provider.
  • Page 243: Cardspace Identity Provider Wizard

    ID is the base URL of the Identity Server plus the following path: /sts/services/Trust For example, if the base URL is https://test.lab.novell.com:8443/nidp, the Provider ID is the following value: https://test.lab.novell.com:8443/nidp/sts/services/Trust Identity Provider: Specify the signing certificate of the Identity Server. You need to export the public key certificate to a file and make it available so that you can browse to the location of the file.
  • Page 244: Managing Card Templates

    Require Identification of Relying Party in Security Token: Select this option to require the relying party to provide identification when it requests a security token for the user that is using the card to establish authentication credentials.
  • Page 245: Template Attributes

    Allow Users to Back a Managed Card Using a Personal Card: When this option is selected, the user is presented with the option to back the managed card with a personal card. When this option is not selected, the option to back the managed card with a personal card is removed from the user interface.
  • Page 246: Configuring The General Details Of A Card Profile

    If you are creating a profile, click Next. Continue with Section 8.9.2, “Configuring Attribute Claims,” on page 247. If you have finished modifying the profile, click OK twice, then update the Identity Server.
  • Page 247: Configuring Attribute Claims

    To modify the profile attributes, click Attributes. Continue with Section 8.9.2, “Configuring Attribute Claims,” on page 247. To modify the user identification methods, click User Identification. Continue with Section 8.9.3, “Configuring User Identification,” on page 247. 8.9.2 Configuring Attribute Claims Use the Attributes page to specify the attributes (claims) that must have values.
  • Page 248: Cleaning Up Identities

    When this limit is reached, the managed card is deleted. The default limit is 90 days. Specify a value from 0 to 365 days. 3 Click OK, then update the Identity Server if you have changed the configuration.
  • Page 249: Configuring Sts

    Configuring STS The STS (Security Token Service) is used to process authentication requests received at the Identity Server for both the CardSpace and the WS Federation protocols. Section 9.1, “Configuring STS Attribute Sets,” on page 249 Section 9.2, “Configuring Authentication Methods,” on page 249 Section 9.3, “Configuring the Authentication Request,”...
  • Page 250: Configuring The Authentication Request

    X509: Specifies that the SAML assertion contains an X.509 certificate for the name identifier. For the value, select an X.509 attribute. 3 Click OK, then update the Identity Server if you have changed the configuration.
  • Page 251: Configuring Ws Federation

    Configuring WS Federation The first two topics in this section describe two different methods for setting up federation with a SharePoint server. The next sections describe how you can manage and modify WS Federation providers. Section 10.1, “Using the Identity Server as an Identity Provider for ADFS,” on page 251 ...
  • Page 252: Configuring The Identity Server

    “Step-by-Step Guide for Active Directory Federation Services” (http://go.microsoft.com/fwlink/?linkid=49531). You have set up the Novell Access Manager 3.1 system with a site configuration that is using SSL in the Identity Server's base URL. See “Enabling SSL Communication” in the Novell Access Manager 3.1 SP2 Setup...
  • Page 253 If the DNS name of your Identity Server is idp-50.amlab.net, the URI would have the following format: https://idp-50.amlab.net:8443/nidp/name/password/uri This URL doesn't resolve to anything because the Identity Server interprets it as a contract URI and not a URL. To create a new authentication contract: 1 In the Administration Console, click Devices >...
  • Page 254 Because the WS Federation protocol uses STS, you must enable the attribute set for STS in order to use it in a WS Federation relationship. 1 On the Identity Servers page, click Servers > Edit > STS.
  • Page 255 This is the value that the identity provider redirects the user to after login. Although it is listed as optional, and is optional between two Novell Identity Servers, the ADFS server doesn't send this value to the identity provider. It is required when setting up a trusted relationship between an ADFS server and a Novell Identity Server.
  • Page 256 7 In the text box, specify TokenApp. 8 Click OK twice, then click Apply Changes. 9 Click Close. 10 On the Roles page, select the role policy you just created, then click Enable.
  • Page 257: Configuring The Adfs Server

    Importing the ADFS Signing Certificate into the NIDP-Truststore The Novell Identity Provider (NIDP) must have the trusted root of the ADFS signing certificate (or the certificate itself) listed in its Trust Store, as well as specified in the relationship. This is because most ADFS signing certificates are part of a certificate chain, and the certificate that goes into the metadata is not the same as the trusted root of that certificate.
  • Page 258 Administration Console. This is the trusted root for the test-signing certificate. Select Federated Web SSO. The Identity Server is outside of any forest, so do not select Forest Trust. Select the E-mail claim.
  • Page 259 Add the suffix that you will be using for your e-mail address. You need to have the e-mail end in a suffix that the ADFS server is expecting, such as @novell.com, which grants access to any user with that e-mail suffix. 4 Enable this account partner.
  • Page 260: Logging In

    2 Select the IDP from the drop-down list of home realm, then submit the request. If you are not prompted for the realm, clear all cookies in the browser and try again. 3 Log in with a user at the Novell Identity Provider. 4 Verify that you can access the SharePoint server.
  • Page 261 Cause: This is because the contract has the wrong format for its URI. The URI must start with http:// and not urn:. Change the contract and try again. [ERROR] Saml contains an unknown NameIdentifierFormat: Issuer=https://idp-51.amlab.net:8443/nidp/wsfed/; Format=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified Cause: The name identifier format is set to unspecified, and it needs to be set to E-mail. [ERROR] Saml contains an unknown Claim name/namespace: Issuer=https://idp-51.amlab.net:8443/nidp/wsfed/;...
  • Page 262: Configuring The Identity Server As A Service Provider

    1. The user requests access to a resource protected by an Access Gateway. 2. The resource sends an authentication request to the Novell Identity Server. 3. The Identity Server is configured to trust an Active Directory Federation Services server and gives the user the option of logging in at the Active Directory Federation Services server.
  • Page 263 ADFS guide from Microsoft. See the “Step-by-Step Guide for Active Directory Federation Services” (http://go.microsoft.com/fwlink/?linkid=49531). You have set up the Novell Access Manager 3.1 system with a site configuration that is using SSL in the Identity Server's base URL. See “Enabling SSL Communication”...
  • Page 264 Default Value: https://adfsresource.treyresearch.net/adfs/ls/ The ADFS server makes no distinction between the login and logout URL. Access Manager has separate URLs for login and logout, but from a Novell Identity Server to an ADFS server, they are the same. Signing Certificate This is the certificate that the ADFS server uses for signing.
  • Page 265 on the Access Gateway is satisfied with this identification. If a contract is not specified, the Access Gateway resources must be configured to use the Any Contract option, which is not a typical configuration. 1 On the WS Federation page, click the name of the Adatum identity provider configuration. 2 Click User Identification.
  • Page 266: Configuring The Adfs Server To Be An Identity Provider

    2 Right-click the Partner Organizations, then click New > Resource Partner. 3 Supply the following information in the wizard: You do not have a resource partner policy file to import.
  • Page 267: Logging In

    For the display name, specify the DNS name of the Identity Server. For the Federation Services URI, enter the following: https://<DNS_Name>:8443/nidp/wsfed/ Replace <DNS_Name> with the name of your Identity Server. This is the base URL of your Identity Server with the addition of /wsfed/ at the end.
  • Page 268: Managing Ws Federation Providers

    ID: Leave this field blank. Text: Specify a description that is available to the user when the user mouses over the card. Image: Select an image, such as Customizable, or any other image.
  • Page 269: Creating A Service Provider For Ws Federation

    Show Card: Enable this option so that the card can be presented to the user as a login option. 5 Click Finish. For information about additional configuration steps required to use this identity provider, see Section 10.2, “Using the ADFS Server as an Identity Provider for an Access Manager Protected Resource,”...
  • Page 270: Configuring The Attributes Obtained At Authentication

    WS Federation expects the URI name of the contract to look like a URL, so it rejects all default Access Manager contracts. You must create a contract with a URI that conforms to WS Federation requirements.
  • Page 271: Viewing The Ws Identity Provider Metadata

    For more information on how to create this contract, see “Creating a New Authentication Contract” on page 252. 3 Specify whether the user can associate (federate) an account at the identity provider (the ADFS server) with an account at the Identity Server. Fill in the following field: Allow federation: Indicates whether account federation is allowed.
  • Page 272: Editing The Ws Identity Provider Metadata

    1 In the Administration Console, click Devices > Identity Servers > Edit > WS Federation > [Identity Provider] > Authentication Card. 2 Modify the values in one or more of the following fields:
  • Page 273: Modifying A Ws Federation Service Provider

    ID: If you need to reference this card outside of the Administration Console, specify an alphanumeric value here. If you do not assign a value, the Identity Server creates one for its internal use. The internal value is not persistent. Whenever the Identity Server is rebooted, the value can change.
  • Page 274: Modifying The Authentication Response

    4 To specify that this Identity Server must authenticate the user, disable the Use proxied requests option. When the option is disabled and the Identity Server cannot authenticate the user, the user is denied access.
  • Page 275: Viewing The Ws Service Provider Metadata

    When this option is enabled, the Identity Server checks to see if other identity providers can satisfy the request. If one or more can, the user is allowed to select which identity provider performs the authentication. If a proxied identity provider performs the authentication, it sends the response to the Identity Server.
  • Page 276 3 If you need to import a new signing certificate, click the Browse button and follow the prompts. 4 To view information about the signing certificate, click Certificates. 5 Click OK twice, then update the Identity Server.
  • Page 277: Configuring User Identification Methods For Federation

    Configuring User Identification Methods for Federation Configuring authentication involves determining how the service provider interacts with the identity provider during user authentication and federation. Three methods exist for you to identify users from a trusted identity provider: You can identify users by matching their authentication credentials ...
  • Page 278 Section 11.3, “Defining the User Provisioning Method,” on page 282. If you selected the Authenticate option without the Allow Provisioning option, click OK. 4 Click OK, then update the Identity Server.
  • Page 279: Configuring The Attribute Matching Method For Liberty Or Saml 2.0

    11.1.2 Configuring the Attribute Matching Method for Liberty or SAML 2.0 If you enabled the Attribute matching option when selecting a user identification method, you must configure a matching method. The Liberty Personal Profile is enabled by default. If you have disabled it, you need to enable it. See Section 13.2, “Managing Web Services and Profiles,”...
  • Page 280: Defining User Identification For Saml 1.1

    Do nothing: Specifies that an identity provider account is not matched with a service provider account. This option allows the user to authenticate the session without identifying a user account on the service provider.
  • Page 281: Configuring The Attribute Matching Method For Saml 1.1

    Attribute matching: Authenticates a user by matching a user account on the identity provider with an account on the service provider. This option requires that you set up the match method. Prompt for password on successful match: Specifies whether to prompt the user ...
  • Page 282: Defining The User Provisioning Method

    Data Location Settings (specified in Liberty > Web Service Provider) and writes the attribute in either LDAP or the configuration store. In order for the...
  • Page 283 LDAP write to succeed, each attribute must be properly mapped as an LDAP Attribute. Additionally, you must enable the read/write permissions for each attribute in the Liberty/LDAP attribute maps. See Section 13.6, “Mapping LDAP and Liberty Attributes,” on page 304. To configure user provisioning: 1 In the Administration Console, click Devices >...
  • Page 284 Segment 2: The required attribute to use as the second segment for the user name. The values displayed in this drop-down menu correspond to the required attributes you selected. For example, you might select Common Last Name to use for Segment 2.
  • Page 285 Length: The length of the second attribute segment. For example, if you selected Common Last Name for the Segment 2 value, you might set the length to All, so that the full last name is displayed. However, the system does not allow more than 20 characters for the length of segment 2.
  • Page 286: User Provisioning Error Messages

    636, and that the user’s password conforms to the complexity policy. If you encounter this error, you must reset the password on the Windows machine.
  • Page 287: Configuring Communication Profiles

    Configuring Communication Profiles You can configure the methods of communication that are available at the server for requests and responses sent between providers. These settings affect the metadata for the server and should be determined prior to publishing to other sites. ...
  • Page 288: Configuring A Saml 1.1 Profile

    1 In the Administration Console, click Devices > Identity Servers > Edit > SAML 2.0 > Profiles. 2 Configure the following fields for identity providers and identity consumers (service providers): Artifact Resolution: Specify whether to enable artifact resolution for the identity provider and identity consumer.
  • Page 289 The assertion consumer service at the service provider performs a back-channel exchange with the artifact resolution service at the identity provider. Artifacts are small data objects pointing to larger SAML protocol messages. They are designed to be embedded in URLs and conveyed in HTTP messages.
  • Page 290
  • Page 291: Configuring Liberty Web Services

    Configuring Liberty Web Services A Web service uses Internet protocols to provide a service. It is an XML-based protocol transported over SOAP, or a service whose instances and data objects are addressable via URIs. Access Manager consists of several elements that comprise Web services: Web Service Framework: Manages all Web services.
  • Page 292: Managing Web Services And Profiles

    Credential Profile: Allows users to define information to keep secret. It uses encryption to store the data in the directory the user profile resides in. Custom Profile: Used to create custom attributes for general use.
  • Page 293: Modifying Service And Profile Details For Employee, Custom, And Personal

    Discovery: Allows requesters to discover where the resources they need are located. Entities can place resource offerings in a discovery resource, allowing other entities to discover them. Resources might be a personal profile, a calendar, travel preferences, and so on. Employee Profile: Allows you to manage employment-related information and how the information is shared with others.
  • Page 294 Attributes should always be the last item in this list. Available Read Locations: The list of available locations from which the system can read attributes containing profile data. Locations in this list are currently not being used.
  • Page 295: Modifying Details For Authentication, Discovery, Ldap, And User Interaction

    Selected Write Locations: The list of selected locations to write attribute data to. If you add multiple entries to this list, the system searches attributes in each location in the order you specify. When a match is found for an attribute, the other locations are not searched. Use the up/down and left/right arrows to control which locations are selected and the order in which they are selected.
  • Page 296: Editing Web Service Descriptions

    Bearer: Based on the presence of the security header of a message. In this case, the bearer token is verified for authenticity rather than proving the authenticity of the message. 6 Under Select Service Access Method, select either Brief Service Access Method or WSDL Service Access Method.
  • Page 297: Editing Web Service Policies

    Brief Service Access Method: Provides the information necessary to invoke basic SOAP-over-HTTP-based service instances without using WSDL. EndPoint URL: This is the SOAP endpoint location at the service provider to which Liberty SOAP messages are sent. An example of this for the Employee Profile is [BASEURL]/services/IDSISEmployeeProfile.
  • Page 298 In the following example, child attributes are inheriting Ask Me permission from the parent Entire Personal Identity attribute. The Postal Address attribute, however, is modified to never allow permission for sharing.
  • Page 299 If you click the Postal Address attribute, you can see that all of its child attributes have inherited the Never Allow setting. You can specify different permission attributes for Address Type (for example), but the inherited policy still overrides changes made at the child level, as shown below.
  • Page 300: Create Web Service Type

    You can store and access secrets locally, on remote eDirectory servers that are running Novell SecretStore, or on a user store that has been configured with a custom attribute for secrets.
  • Page 301 3 On the Credential Profile Details page, fill in the following fields as necessary: Display name: The name you want to display for the Web service. Have Discovery Encrypt This Service’s Resource Ids: Specify whether the Discovery Service encrypts resource IDs. A resource ID is an identifier used by Web services to identify a user.
  • Page 302: Customizing Attribute Names

    This attribute should be a single-valued case ignore string that you have defined and assigned to the user object in the schema. To use Novell SecretStore to remotely store secrets, click New under Novell SecretStore User Store References.
  • Page 303: Configuring The Web Service Consumer

    2 Click the data item name to view the customized attribute names. 3 Click New to create a new custom name. 4 Type the name and select a language. 5 Click OK. 6 On the Custom Attribute Names page, click OK. 7 On the Web Service Provider page, click OK.
  • Page 304: Mapping Ldap And Liberty Attributes

    Section 13.6.4, “Configuring Postal Address Attribute Maps,” on page 311. Contact Method: Maps the Contact Method attribute to multiple LDAP attributes. See Section 13.6.5, “Configuring Contact Method Attribute Maps,” on page 312.
  • Page 305: Configuring One-To-One Attribute Maps

    Gender: Maps the Gender attribute to an LDAP attribute, then maps the possible Liberty values to LDAP values. See Section 13.6.6, “Configuring Gender Attribute Maps,” on page 314. Marital Status: Maps the Marital Status attribute to an LDAP attribute, then maps the ...
  • Page 306 LDAP attributes you have defined for your directory. For example, you can map the Liberty attribute Alternate Every Day Name (AltCN) to the LDAP attribute you have defined for this purpose in your directory.
  • Page 307 Mapping Employee Profile Single-Value Data Items to LDAP Attributes Map the Liberty Employee Profile single-value attributes to the LDAP attributes you have defined in your directory for entries such as ID, Date of Hire, Job Start Date, Department, and so on. Mapping Employee Profile Multiple-Value Data Items to LDAP Attributes Map the Liberty Employee Profile multiple-value attributes to the LDAP attributes you have defined in your directory.
  • Page 308: Configuring Employee Type Attribute Maps

    Contractor Part Time, Contractor Full Time, Full Time Regular, and so on. 1 In the Administration Console, click Devices > Identity Servers > Edit > Liberty > LDAP Attribute Mapping > New > Employee Type.
  • Page 309: Configuring Employee Status Attribute Maps

    2 Configure the following fields: Name: The name you want to give the map. Description: A description of the map. Access Rights: A drop-down menu that provides the broadest control for the page. If you set this to Read/Write, you can specify rights for individual data items. In order for user provisioning to succeed, you must select Read/Write from the Access Rights drop-down menu for any maps that use an attribute during user provisioning.
  • Page 310 The LDAP attribute map then maps the actual Liberty URI value, back and forth, to this supplied value. 5 Click Finish. 6 On the LDAP Attribute Mapping page, click OK. 7 Update the Identity Server.
  • Page 311: Configuring Postal Address Attribute Maps

    13.6.4 Configuring Postal Address Attribute Maps You can map the LDAP attribute name and values to the Liberty profile values for Postal Address. The PostalAddress element refers to the local address, including street or block with a house number, and so on. This is a Personal Profile attribute. 1 In the Administration Console, click Devices >...
  • Page 312: Configuring Contact Method Attribute Maps

    You can map the LDAP attribute you have defined for contact methods to the Liberty attribute Contact Method (MsgContact). 1 In the Administration Console, click Devices > Identity Servers > Edit > Liberty > LDAP Attribute Mapping > New > Contact Method.
  • Page 313 2 Configure the following fields: Name: The name you want to give the map. Description: A description of the map. Access Rights: A drop-down menu that provides the broadest control for the page. If you set this to Read/Write, you can specify rights for individual data items. In order for user provisioning to succeed, you must select Read/Write from the Access Rights drop-down menu for any maps that use an attribute during user provisioning.
  • Page 314: Configuring Gender Attribute Maps

    These are the values that you want to store in the LDAP attribute for each given Liberty attribute value. The LDAP attribute map then maps the actual Liberty URI value, back and forth, to this supplied value.
  • Page 315: Configuring Marital Status Attribute Maps

    5 Click Finish. 6 On the LDAP Attribute Mapping page, click OK. 7 Update the Identity Server. 13.6.7 Configuring Marital Status Attribute Maps You can map the LDAP marital status attribute to the Liberty attribute. The Liberty Marital Status (MaritalStatus) element includes appended values such as single, married, divorced, and so on. For example, .
  • Page 316 The LDAP attribute map then maps the actual Liberty URI value, back and forth, to this supplied value. 5 Click Finish. 6 On the LDAP Attribute Mapping page, click OK. 7 Update the Identity Server.
  • Page 317: Maintaining An Identity Server

    Maintaining an Identity Server Server maintenance involves tasks that you perform after you have configured the server. Maintenance includes monitoring the health of the servers, configuring logging, replacing certificates, monitoring statistics, and so on. Section 14.1, “Managing an Identity Server,” on page 317 ...
  • Page 318: Updating An Identity Server Configuration

    Whenever you change an Identity Server configuration, the system prompts you to update the configuration. An Update Servers status is displayed under the Status column on the Servers page. You must click Update Servers to update the configuration so that your changes take effect.
  • Page 319: Restarting The Identity Server

    When you click this link, it sends a reconfigure command to all servers that use the configuration. The servers then begin the reconfiguration process. This process occurs without interruption of service to users who are currently logged in. When you update a configuration, the system blocks inbound requests until the update is complete. The server checks for any current requests being processed.
  • Page 320: Editing Server Details

    1 In the Administration Console, click Devices > Identity Servers > Edit > Logging.
  • Page 321 tomcat5/logs/catalina.out (Linux), to /Program Files/Novell/Tomcat/logs/stdout.log (Windows Server 2003), or to /Program Files (x86)/Novell/Tomcat/logs/stdout.log (Windows Server 2008). You can download the file from Auditing > General Logging. For the Embedded Service Providers, the log file location depends upon the device: ...
  • Page 322: Managing Log File Size

    4a In the Statistics Logging section, select Enabled. 4b In the Log Interval field, specify the time interval in seconds that statistics are logged. 5 For information on configuring Novell Audit Logging, see Section 14.7, “Enabling Identity Server Audit Events,” on page 341.
  • Page 323: Configuring Session-Based Logging

    2. The help desk operator questions the users and concludes that the problem is caused by either a Novell Identity Server or an Embedded Service Provider. 3. The operator has been granted the rights to create logging tickets, and uses the User Portal to create a logging ticket for the user.
  • Page 324 Image: Select an image from the list, such as the IDP Administrator image that was created for this type of contract. Show Card: Deselect this option. 4d Click Finish. 5 Continue with “Creating the Logging Session Class, Method, and Contract” on page 325.
  • Page 325: Creating The Logging Session Class, Method, And Contract

    2b Click New, then specify the following values: Display name: Logging Session Java class: Other Java class path: com.novell.nidp.authentication.local.LogTicketClass 2c Click Next, then click Finish. 3 To create the method: 3a Click Methods. 3b Click New, then specify the following values:...
  • Page 326: Enabling Basic Logging

    Ticket: Specify a name for ticket. You must share this name with the user who reported the problem. Ticket Good For: Select a time limit for the ticket, from one minute through one year.
  • Page 327 When selecting a time limit, consider the following: When a ticket expires, logging is automatically stopped. If you know that the user is experiencing a problem that prevents the user from logging out, you might want to create a ticket with a short time limit. If the user does not log out (just closes the browser window or the problem closes it), ...
  • Page 328 Linux: /var/opt/novell/tomcat5/webapps/nidp/WEB-INF/logs Windows Server 2003: \Program Files\Novell\Tomcat\webapps\nidp\WEB-INF\logs Windows Server 2008: \Program Files (x86)\Novell\Tomcat\webapps\nidp\WEB-INF\logs 2 Open the file that begins with the user identifier to which a session ID is appended.
  • Page 329: Monitoring The Health Of An Identity Server

    Windows Server 2003: \Program Files\Novell\Tomcat\webapps\nesp\WEB-INF\logs Windows Server 2008: \Program Files (x86)\Novell\Tomcat\webapps\nesp\WEB-INF\logs 4 Open the file with the same user identifier and session ID. 5 After solving the problem, delete the file from each Identity Server in the cluster and each Access Gateway in the cluster.
  • Page 330: Viewing The Health Details Of An Identity Server

    This can take a few minutes. 3 Examine the Services Detail section that displays the status of each service. For an Identity Server, this includes information such as the following:
  • Page 331 If you want to convert a secondary console to your primary console, see “Converting a Secondary Console into a Primary Console” in Novell Access Manager 3.1 SP2 Administration Console Guide. User Datastores: Indicates whether the Identity Server can communicate with the user stores. Ensure that the user store is operating and configured correctly.
  • Page 332: Viewing The Health Details Of A Cluster

    2 To ensure that the information is current, click Refresh to refresh the page with the latest health available from the Administration Console. 3 To view health details about a specific member of the cluster, click the server’s health icon.
  • Page 333: Monitoring Identity Server Statistics

    14.6 Monitoring Identity Server Statistics The Statistics page allows you to monitor the amount of data and the type of data the Identity Server is processing. You can specify the intervals for the refresh rate and, where allowed, view graphic representations of the activity.
  • Page 334: Application

    When failover occurs, a new session is created to represent the previous session. The ID of the previous session is called an “ancestral session ID,” and it is retained for subsequent failover operations.
  • Page 335: Incoming Http Requests

    Cached Subjects: The number of current cached subject objects. Conceptually, the cached subjects are identical to the cached principals. Cached Principals: The number of current cached principal objects. A principal can be thought of as a single directory user object. Multiple users can log in using a single directory user object, in which case multiple cached sessions would exist sharing a single cached principal.
  • Page 336: Liberty

    The number of Liberty protocol register names performed since the Identity Server was started. 14.6.6 SAML 1.1. SAML1.1 Attribute Queries: The number of SAML 1.1 protocol attribute queries performed since the Identity Server was started.
  • Page 337: Saml 2

    Service Modifies: The number of Novell Authentication Profile Web Service changes performed since the Identity Server was started. LDAP Profile Service Queries: The number of Novell LDAP Profile Web Service queries performed since the Identity Server was started. LDAP Profile Service...
  • Page 338 Web Service since the Identity Server was started. An External Service is where the same Web Service exists on an external Service Provider and a call can be made to request data from the service.
  • Page 339: Clustering

    14.6.9 Clustering An authoritative server is the cluster member that holds the authentication information for a given user session. For a request associated with a given session to be processed, it must be routed (“proxied”) to the authoritative cluster member. If an L4 switch causes a request to go to a non-authoritative cluster member, that cluster member proxies the request to the authoritative cluster member.
  • Page 340: Ldap

    “wait mode” to try again in one minute since the Identity Server was started. Currently Active Connection Waits: The current number of user threads waiting for an LDAP connection to become available.
  • Page 341: Enabling Identity Server Audit Events

    Available error. 14.7 Enabling Identity Server Audit Events All user and administrator actions can be logged to Novell Audit. You can generate a Novell Audit logging event to indicate whether authentications are successful or unsuccessful. The following steps assume that you have already set up Novell Audit on your network. For more information, see “Enabling...
  • Page 342 Logged for all component messages with level of Severe. Component Log Warning Messages: Logged for all component messages with level of Warning. 4 Click Apply, then OK. 5 Click Servers > Update Servers. Restart the Novell Audit server.
  • Page 343: Monitoring Identity Server Alerts

    14.8 Monitoring Identity Server Alerts The Alerts page allows you to view information about current Java alerts and to clear them. An alert is generated whenever the Identity Server detects a condition that prevents it from performing normal system services. 1 In the Administration Console, click Devices >...
  • Page 344: Viewing Detailed Command Information

    If possible, clustered Identity Servers should be plugged directly into the switch or segmented accordingly. It is also critical that...
  • Page 345 For tips on how to set up the L4 switch, see “Configuration Tips for the L4 Switch” in the Novell Access Manager 3.1 SP2 Setup Guide. Enabled Protocols: On the General Configuration page (click Devices > Identity Servers > Edit), you can select which protocols to enable.
  • Page 346 To discover whether profile objects might be causing a slowdown, open an LDAP browser (or in the Administration Console, select the View Objects task in the menu bar). Expand the following objects: novell > accessManagerContainer > nids > cluster. Expand the SCC objects, and look for objects stored in LibertyUserProfile objects.
  • Page 347 2 Open the Tomcat configuration utility. Windows Server 2003: /Program Files/Novell/Tomcat/bin/tomcat5w.exe Windows Server 2008: /Program Files (x86)/Novell/Tomcat/bin/tomcat5w.exe 3 Click the Java tab. 4 In the Java options section, find the following line: -Dnids.freemem.threshold=0 If the line does not exist, you need to add it.
  • Page 348 6 Change the Maximum memory pool size to 2048. This allows Java to use 2 GB of memory. 7 Save your changes, then restart Tomcat. 8 Repeat these steps for each Identity Server in your cluster.
  • Page 349: Troubleshooting The Identity Server And Authentication

    Troubleshooting the Identity Server and Authentication This section discusses the following topics: Section 15.1, “Useful Networking Tools for the Linux Identity Server,” on page 349 Section 15.2, “Troubleshooting 100101043 and 100101044 Liberty Metadata Load Errors,” on page 349 Section 15.3, “Authentication Issues,”...
  • Page 350: The Metadata

    1 In the Administration Console, click Devices > Access Gateways > Edit > Reverse Proxies/ Authentication. 2 Select None for the Identity Server Cluster option, click OK twice, then update the Access Gateway.
  • Page 351: Dns Name Resolution

    The Embedded Service Provider of the Access Gateway must be able to resolve the hostname of the Identity Server. To test that it is resolvable, send a ping command with the hostname of the Identity Server. For example, from the Access Gateway: ping idpcluster.lab.novell.com
  • Page 352: Certificate Names

    To verify the certificate name of the Identity Server certificate: 1 In the Administration Console, click Devices > Identity Servers > Edit. 2 Click the SSL Certificate icon. The SSL Connector keystore is displayed.
  • Page 353: Certificates In The Required Trust Stores

    For information on how to create a certificate for the Identity Server, see “Configuring Secure Communication on the Identity Server” in the Novell Access Manager 3.1 SP2 Setup Guide. To verify the certificate name of the Access Gateway certificate: 1 In the Administration Console, click Devices >...
  • Page 354: Enabling Debug Logging

    You can enable Identity Server logging to dump more verbose Liberty information to the catalina.out file on both the Identity Server and the Embedded Service Provider of the Access Gateway. 1 In the Administration Console, click Devices > Identity Servers > Edit > Logging.
  • Page 355 On Windows Server 2003, change to the /Program Files/Novell/Tomcat/logs directory. On Windows Server 2008, change to the /Program Files (x86)/Novell/Tomcat/logs directory. Below are a few typical entries illustrating the most common problems. They are from the catalina.out file of the Embedded Service Provider: ...
  • Page 356: Testing Whether The Provider Can Access The Metadata

    To test whether the metadata is available for download, enter the metadata URL of the identity provider and service provider. If the DNS name of the identity provider is idpcluster.lab.novell.com, open a browser at the Identity Server and enter the following URL: https://idpcluster.lab.novell.com:8443/nidp/idff/metadata
  • Page 357: Manually Creating Any Auto-Generated Certificates

    Access Gateway machine: curl -k https://idpcluster.lab.novell.com:8443/nidp/idff/metadata To test whether the Identity Server can access the metadata URL of the Access Gateway, open a browser on the Identity Server machine. If the published DNS name of the service provider is www.aleris.net, enter the following URL: ...
  • Page 358: General Authentication Troubleshooting Tips

    Novell Access Manager 3.1 SP2 Setup Guide. If your LDAP user store is large, make sure that the search contexts are as specific as possible to avoid searching the entire tree for a user.
  • Page 359: Federation Errors

    15.3.4 Federation Errors Most errors that occur during federation occur because of time synchronization problems between servers. Ensure that all of your servers involved with federation have their time synchronized within one minute. When the user denies consent to federate after clicking a Liberty link and logging in at the ...
  • Page 360: Problems Reading Keystores After Identity Server Re-Installation

    This can occur if you replace a hard drive and incorrectly reinstall the Identity Server. See “Reinstalling an Identity Server to a New Hard Drive” in the Novell Access Manager 3.1 SP2 Installation Guide for the correct procedure.
  • Page 361: A About Liberty

    About Liberty The Liberty Alliance is a consortium of business leaders with a vision to enable a networked world in which individuals and businesses can more easily conduct transactions while protecting the privacy and security of vital identity information. To accomplish its vision, the Liberty Alliance established an open standard for federated network identity through open technical specifications.
  • Page 362
  • Page 363: B Understanding How Access Manager Uses Saml

    Understanding How Access Manager Uses SAML Security Assertions Markup Language (SAML) is an XML-based framework for communicating security assertions (user authentication, entitlement, and attribute information) between trusted identity providers and trusted service providers. For example, an airline company can make assertions to authenticate a user to a partner company or another enterprise application, such as a car rental company or hotel.
  • Page 364: Trusted Provider Reference Metadata

    SAML is used as the communication mechanism between the PEP and a Policy Decision Point (PDP). In Novell product terminology, a PEP could be thought of as the Novell Access Gateway, and the PDP as the Novell Identity Server.
  • Page 365: Identity Provider Process Flow

    Attribute profiles: Profiles simplify how you configure and deploy systems that exchange attribute data. They include: Basic attribute profile: Supports string attribute names and attribute values drawn from XML schema primitive type definitions. X.500/LDAP: Supports canonical X.500/LDAP attribute names and values. ...
  • Page 366 The user now has an authenticated session at xyz.com. The xyz.com SAML server redirects the user’s browser to http://xyz.com/index.html, which was referenced in the original HREF in Step 1.
  • Page 367: SAML Service Provider Process Flow

    B.7 SAML Service Provider Process Flow The following illustration provides an example of the authentication process on the consumer side, when a user clicks a link at the SAML service provider (xyz.com) in order to begin an authentication session with an identity provider (such as abc.com). PP indicates a Personal Profile Service as defined by the Liberty specification.
  • Page 368 Server, and the user is authenticated.
    4. The user’s DN is returned to the Identity Server, and the user is authenticated.
    5. The user is redirected to the target resource at xyz.com.
  • Page 369: C Data Model Extension XML

    Data Model Extension XML The data model for some Web services is extensible. You can enter XML definitions of data model extensions in a custom profile (for more information, see Section 13.2.1, “Modifying Service and Profile Details for Employee, Custom, and Personal Profiles,” on page 293).
  • Page 370 The resource ID of the description of the group. This resource ID is assumed to be a key in the resource bundle supplied by the resource description class file associated with the containing root.
  • Page 371 Extension Element
    • name (required): The name of the data model extension. This name must be the name of the XML element that will be used in the data model.
    • class (optional): The Java class name of the data model instance class. Because data model instance class files are assumed to reside in the root’s package, only the filename is needed.
  • Page 372: Writing Data Model Extension Xml

    C.2 Writing Data Model Extension XML Data model extension XML must be defined in the namespace novell:liberty:wsf:config:1:0:0, and that namespace must be declared on the SchemaExtensions element. Normally, the namespace prefix wsfc is used. An example of data model extension XML is:
    <wsfc:SchemaExtensions xmlns:wsfc="novell:liberty:wsf:config:1:0:0">...
  • Page 373
            <wsfc:Value resourceId="PP.EXT.DM.HC.Brown" value="urn:pp:dm:brown"/>
            <wsfc:Value resourceId="PP.EXT.DM.HC.Green" value="urn:pp:dm:green"/>
            <wsfc:Value resourceId="PP.EXT.DM.HC.Gray" value="urn:pp:dm:gray"/>
            <wsfc:Value resourceId="PP.EXT.DM.HC.Hazel" value="urn:pp:dm:hazel"/>
          </wsfc:ValueSet>
        </wsfc:Extension>
      </wsfc:Group>
    </wsfc:Root>
    <wsfc:Root parent="/pp:PP/pp:Extension" package="com.novell.nidp.liberty.wsf.idsis.ppservice.extensions" resourceClass="PPExtensionsResDesc">
      <wsfc:Group resourceId="PP.EXT.AU.GROUP" descriptionResourceId="PP.EXT.AU.GROUP.DESC">
        <wsfc:Extension name="Automobile" class="Automobile" syntax="Container" resourceId="PP.EXT.Automobile" min="0" max="UNBOUNDED" namingClass="AutomobileLicensePlate">
          <wsfc:Group resourceId="PP.EXT.AU.DETAILS.GROUP" descriptionResourceId="PP.EXT.AU.DETAILS.GROUP.DESC">
            <wsfc:Extension name="AutomobileModel" class="AutomobileModel" syntax="String" resourceId="PP.EXT.AU.Model" min="0"...