Novell ACCESS MANAGER 3.1 SP1 - IDENTITY SERVER User manual
Novell®
www.novell.com
novdocx (en) 19 February 2010
AUTHORIZED DOCUMENTATION
Novell Access Manager 3.1 SP1 Identity Server Guide
Access Manager
3.1 SP1
March 17, 2010
Identity Server Guide
novdocx (en) 19 February 2010
Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and
specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time,
without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims
any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc.,
reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to
notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the
trade laws of other countries. You agree to comply with all export control regulations and to obtain any required
licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on
the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws.
You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the
Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on
exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export
approvals.
Copyright © 2006-2010 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied,
stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see
the Novell Documentation Web page (http://www.novell.com/documentation).
novdocx (en) 19 February 2010
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/
trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
4Novell Access Manager 3.1 SP1 Identity Server Guide
novdocx (en) 19 February 2010
Contents 5
Contents
novdocx (en) 19 February 2010
About This Guide 11
1 Configuring an Identity Server 13
1.1 Managing a Cluster Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.1.1 Creating a Cluster Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.1.2 Assigning an Identity Server to a Cluster Configuration . . . . . . . . . . . . . . . . . . . . . . 19
1.1.3 Configuring Session Failover. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
1.1.4 Removing a Server from a Cluster Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
1.1.5 Managing a Cluster with Multiple Identity Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . 21
1.1.6 Enabling and Disabling Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
1.1.7 Modifying the Base URL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
1.2 Customizing Identity Server Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
1.2.1 Customizing Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
1.2.2 Customizing the Branding of the Error Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
1.2.3 Customizing Tooltip Text for Authentication Contracts . . . . . . . . . . . . . . . . . . . . . . . 29
1.3 Customizing the Identity Server Login Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
1.3.1 Selecting the Login Page and Modifying It . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
1.3.2 Configuring the Identity Server to Use Custom Login Pages . . . . . . . . . . . . . . . . . . 42
1.3.3 Troubleshooting Tips for Custom Login Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
1.4 Customizing the Identity Server Logout Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
1.4.1 Rebranding the Logout Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
1.4.2 Replacing the Logout Page with a Custom Page . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
1.5 Enabling Role-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
1.6 Using netHSM for the Signing Key Pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
1.6.1 Understanding How Access Manager Uses Signing and Interacts with the netHSM
Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
1.6.2 Configuring the Identity Server for netHSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
1.7 Configuring Secure Communication on the Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
1.7.1 Viewing the Services That Use the Signing Key Pair . . . . . . . . . . . . . . . . . . . . . . . . 67
1.7.2 Viewing Services That Use the Encryption Key Pair . . . . . . . . . . . . . . . . . . . . . . . . . 68
1.7.3 Managing the Keys, Certificates, and Trust Stores . . . . . . . . . . . . . . . . . . . . . . . . . . 68
1.8 Security Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
1.8.1 Federation Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
1.8.2 Authentication Contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
1.8.3 Forcing 128-Bit Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
2 Configuring Local Authentication 75
2.1 Configuring Identity User Stores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
2.1.1 Using More Than One LDAP User Store. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
2.1.2 Configuring the User Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
2.1.3 Configuring an Admin User for the User Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
2.1.4 Configuring a User Store for Secrets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
2.2 Creating Authentication Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
2.2.1 Creating Basic or Form-Based Authentication Classes . . . . . . . . . . . . . . . . . . . . . . . 88
2.2.2 Specifying Common Class Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
2.3 Configuring Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
2.4 Configuring Authentication Contracts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
2.5 Using a Password Expiration Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
2.5.1 URL Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
6Novell Access Manager 3.1 SP1 Identity Server Guide
novdocx (en) 19 February 2010
2.5.2 Forcing Authentication after the Password Has Changed . . . . . . . . . . . . . . . . . . . . . 97
2.5.3 Grace Logins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
2.5.4 Federated Accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
2.6 Specifying Authentication Defaults. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
2.7 Managing Direct Access to the Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
2.7.1 Logging In to the User Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
2.7.2 Specifying a Target . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
2.7.3 Blocking Access to the WSDL Services Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
3 Configuring Advanced Local Authentication Procedures 105
3.1 Configuring for RADIUS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
3.2 Configuring Mutual SSL (X.509) Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
3.2.1 Setting Up Mutual SSL Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
3.3 Creating an ORed Credential Class. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
3.4 Configuring for Kerberos Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
3.4.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
3.4.2 Configuring Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
3.4.3 Configuring the Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
3.4.4 Configuring the Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
3.4.5 Configuring the Access Gateway for Kerberos Authentication . . . . . . . . . . . . . . . . 124
3.4.6 Upgrading from Access Manager 3.0 SP4 or 3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . 124
3.5 Configuring Access Manager for NESCM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
3.5.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
3.5.2 Creating a User Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
3.5.3 Creating a Contract for the Smart Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
3.5.4 Assigning the NESCM Contract to a Protected Resource . . . . . . . . . . . . . . . . . . . . 131
3.5.5 Verifying the User’s Experience. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
3.5.6 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
4 Defining Shared Settings 133
4.1 Configuring Attribute Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
4.2 Editing Attribute Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
4.3 Configuring User Matching Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
4.4 Adding Custom Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
4.4.1 Creating Shared Secret Names. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
4.4.2 Creating LDAP Attribute Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
4.5 Adding Authentication Card Images. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
5 Configuring SAML and Liberty Trusted Providers 141
5.1 Understanding the Trust Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
5.1.1 Identity Providers and Consumers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
5.1.2 Embedded Service Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
5.1.3 High-Level Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
5.2 Configuring General Provider Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
5.2.1 Configuring the General Identity Provider Options . . . . . . . . . . . . . . . . . . . . . . . . . 144
5.2.2 Configuring the General Identity Consumer Options . . . . . . . . . . . . . . . . . . . . . . . . 145
5.3 Creating a Trusted Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
5.4 Modifying a Trusted Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
5.4.1 Configuring Communication Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
5.4.2 Using the Intersite Transfer Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
5.4.3 Selecting Attributes for a Trusted Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
5.4.4 Managing Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
5.4.5 Configuring an Authentication Request for an Identity Provider . . . . . . . . . . . . . . . 159
Contents 7
novdocx (en) 19 February 2010
5.4.6 Configuring an Authentication Response for a Service Provider. . . . . . . . . . . . . . . 162
5.4.7 Managing the Authentication Card of an Identity Provider . . . . . . . . . . . . . . . . . . . 165
6 Configuring CardSpace 167
6.1 Overview of the CardSpace Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
6.2 Prerequisites for CardSpace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
6.2.1 Enabling High Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
6.2.2 Configuring the Client Machines for CardSpace . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
6.3 Authenticating with a Personal Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
6.4 Authenticating with a Managed Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
6.4.1 Prerequisite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
6.4.2 Configuring a CardSpace Identity Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
6.4.3 Creating and Installing a Managed Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
6.4.4 Configuring the Relying Party to Trust an Identity Provider. . . . . . . . . . . . . . . . . . . 176
6.4.5 Logging In with the Managed Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
6.5 Authenticating with a Managed Card Backed by a Personal Card. . . . . . . . . . . . . . . . . . . . . 178
6.6 Configuring the Identity Server as a Relying Party . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
6.6.1 Defining an Authentication Card and Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
6.6.2 Defining a Trusted Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
6.6.3 Cleaning Up Identities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
6.6.4 Defederating after User Portal Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
6.7 Configuring the Identity Server as an Identity Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
6.7.1 Replacing the Signing Certificate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
6.7.2 Configuring STS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
6.7.3 Creating a Managed Card Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
6.8 Using CardSpace Cards for Authentication to Access Gateway Protected Resources . . . . . 186
7 Configuring WS Federation 187
7.1 Using the Identity Server as an Identity Provider for ADFS . . . . . . . . . . . . . . . . . . . . . . . . . . 187
7.1.1 Configuring the Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
7.1.2 Configuring the ADFS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
7.1.3 Logging In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
7.1.4 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
7.2 Using the ADFS Server as an Identity Provider for an Access Manager Protected Resource197
7.2.1 Configuring the Identity Server as a Service Provider . . . . . . . . . . . . . . . . . . . . . . . 198
7.2.2 Configuring the ADFS Server to Be an Identity Provider. . . . . . . . . . . . . . . . . . . . . 201
7.2.3 Logging In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
7.2.4 Additional WS Federation Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . 203
7.3 Modifying a WS Federation Identity Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
7.3.1 Renaming the Identity Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
7.3.2 Configuring the Attributes Obtained at Authentication . . . . . . . . . . . . . . . . . . . . . . . 203
7.3.3 Modifying the User Identification Method. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
7.3.4 Managing the Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
7.3.5 Modifying the Authentication Card. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
7.4 Modifying a WS Federation Service Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
7.4.1 Renaming the Service Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
7.4.2 Configuring the Attributes Sent with Authentication. . . . . . . . . . . . . . . . . . . . . . . . . 206
7.4.3 Modifying the Authentication Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
7.4.4 Managing the Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
8 Configuring User Identification Methods for Federation 209
8.1 Selecting a User Identification Method for Liberty or SAML 2.0. . . . . . . . . . . . . . . . . . . . . . . 209
8.2 Selecting a User Identification Method for SAML 1.1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
8Novell Access Manager 3.1 SP1 Identity Server Guide
novdocx (en) 19 February 2010
8.3 Configuring the Attribute Matching Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
8.4 Defining the User Provisioning Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
8.5 User Provisioning Error Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
9 Configuring Communication Profiles 219
9.1 Configuring a Liberty Profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
9.2 Configuring a SAML 1.1 Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
9.3 Configuring a SAML 2.0 Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
10 Configuring Liberty Web Services 223
10.1 Configuring the Web Services Framework. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
10.2 Enabling Web Services and Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
10.3 Editing Web Service Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
10.4 Configuring Credential Profile Security and Display Settings. . . . . . . . . . . . . . . . . . . . . . . . . 226
10.5 Configuring Service and Profile Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
10.6 Customizing Attribute Names. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
10.7 Editing Web Service Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
10.8 Configuring the Web Service Consumer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
10.9 Mapping LDAP and Liberty Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
10.9.1 Configuring One-to-One Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
10.9.2 Configuring Employee Type Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
10.9.3 Configuring Employee Status Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
10.9.4 Configuring Postal Address Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
10.9.5 Configuring Contact Method Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
10.9.6 Configuring Gender Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
10.9.7 Configuring Marital Status Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
11 Maintaining an Identity Server 247
11.1 Managing an Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
11.1.1 Updating an Identity Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
11.1.2 Restarting the Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
11.2 Editing Server Details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
11.3 Configuring Component Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
11.3.1 Enabling Component Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
11.3.2 Managing Log File Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
11.4 Configuring Session-Based Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
11.4.1 Creating the Administrator Class, Method, and Contract . . . . . . . . . . . . . . . . . . . . 253
11.4.2 Creating the Logging Session Class, Method, and Contract . . . . . . . . . . . . . . . . . . 255
11.4.3 Enabling Basic Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
11.4.4 Responding to an Incident . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
11.5 Monitoring the Health of an Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
11.5.1 Health States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
11.5.2 Viewing the Health Details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
11.6 Monitoring Identity Server Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
11.6.1 Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
11.6.2 Authentications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
11.6.3 Incoming HTTP Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
11.6.4 Outgoing HTTP Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
11.6.5 Liberty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
11.6.6 SAML 1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
11.6.7 SAML 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
11.6.8 WSF (Web Services Framework) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Contents 9
novdocx (en) 19 February 2010
11.6.9 Clustering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
11.6.10 LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
11.7 Enabling Identity Server Audit Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
11.8 Monitoring Identity Server Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
11.9 Viewing the Command Status of the Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
12 Troubleshooting the Identity Server and Authentication 275
12.1 Useful Networking Tools for the Linux Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
12.2 Troubleshooting 100101043 and 100101044 Liberty Metadata Load Errors . . . . . . . . . . . . . 275
12.2.1 The Metadata. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
12.2.2 DNS Name Resolution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
12.2.3 Certificate Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
12.2.4 Certificates in the Required Trust Stores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
12.2.5 Certificates in the Correct Certificate Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
12.2.6 Enabling Debug Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
12.2.7 Testing Whether the Provider Can Access the Metadata . . . . . . . . . . . . . . . . . . . . 283
12.2.8 Manually Creating Any Auto-Generated Certificates . . . . . . . . . . . . . . . . . . . . . . . 283
12.3 Authentication Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
12.3.1 Authentication Classes and Duplicate Common Names . . . . . . . . . . . . . . . . . . . . . 284
12.3.2 General Authentication Troubleshooting Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
12.3.3 Slow Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
12.3.4 Basic Authentication Fails with an eDirectory User Store . . . . . . . . . . . . . . . . . . . . 285
12.3.5 Federation Errors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
12.3.6 Mutual Authentication Troubleshooting Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
12.3.7 Browser Hangs in an Authentication Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
12.4 Translating the Identity Server Configuration Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
12.4.1 A Simple Redirect Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
12.4.2 Configuring iptables for Multiple Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
12.5 Problems Reading Keystores after Identity Server Re-installation. . . . . . . . . . . . . . . . . . . . . 291
A Sample Custom Login Pages 293
A.1 Modified login.jsp File for Credential Prompts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
A.2 Custom nidp.jsp File with Custom Credentials. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
A.2.1 The Modified nidp.jsp File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
A.2.2 The Modified main.jsp File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
A.2.3 The Method and the Contract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
A.3 Custom 3.1 login.jsp File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
A.3.1 The Modified login.jsp File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
A.3.2 The Method and the Contract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
A.4 Custom 3.0 login.jsp File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
A.4.1 Modifying the File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
A.4.2 The Method and the Contract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
B About Liberty 311
C Understanding How Access Manager Uses SAML 313
C.1 Attribute Mapping with Liberty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
C.2 Trusted Provider Reference Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
C.3 Identity Federation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
C.4 Authorization Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
C.5 What's New in SAML 2.0? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
C.6 Identity Provider Process Flow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
10 Novell Access Manager 3.1 SP1 Identity Server Guide
novdocx (en) 19 February 2010
C.7 SAML Service Provider Process Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
D Data Model Extension XML 319
D.1 Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
D.2 Writing Data Model Extension XML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
About This Guide 11
novdocx (en) 19 February 2010
About This Guide
This guide describes the following features of the Access Manager Identity Server:
Chapter 1, “Configuring an Identity Server,” on page 13
Chapter 2, “Configuring Local Authentication,” on page 75
Chapter 3, “Configuring Advanced Local Authentication Procedures,” on page 105
Chapter 4, “Defining Shared Settings,” on page 133
Chapter 5, “Configuring SAML and Liberty Trusted Providers,” on page 141
Chapter 6, “Configuring CardSpace,” on page 167
Chapter 7, “Configuring WS Federation,” on page 187
Chapter 8, “Configuring User Identification Methods for Federation,” on page 209
Chapter 9, “Configuring Communication Profiles,” on page 219
Chapter 10, “Configuring Liberty Web Services,” on page 223
Chapter 11, “Maintaining an Identity Server,” on page 247
Chapter 12, “Troubleshooting the Identity Server and Authentication,” on page 275
This guide is intended to help you understand and configure all of the features provided by the
Identity Server, and includes advanced topics.
It is recommended that you first become familiar with the information in the Novell Access Manager
3.1 SP1 Setup Guide, which helps you understand how to perform a basic Identity Server
configuration, set up a resource protected by an Access Gateway, and configure SSL.
The setup guide and this guide are designed to work together, and important information and setup
steps are not always repeated in both places.
Audience
This guide is intended for Access Manager administrators. It is assumed that you have knowledge of
evolving Internet protocols, such as:
Extensible Markup Language (XML)
Simple Object Access Protocol (SOAP)
Security Assertion Markup Language (SAML)
Public Key Infrastructure (PKI) digital signature concepts and Internet security
Secure Socket Layer/Transport Layer Security (SSL/TSL)
Hypertext Transfer Protocol (HTTP and HTTPS)
Uniform Resource Identifiers (URIs)
Domain Name System (DNS)
Web Services Description Language (WSDL)
12 Novell Access Manager 3.1 SP1 Identity Server Guide
novdocx (en) 19 February 2010
Feedback
We want to hear your comments and suggestions about this guide and the other documentation
included with this product. Please use the User Comments feature at the bottom of each page of the
online documentation, or go to Documentation Feedback (http://www.novell.com/documentation/
feedback.html) at www.novell.com/documentation/feedback.html and enter your comments there.
Documentation Updates
For the most recent version of the Access Manager Identity Server Guide, visit the Novell Access
Manager Documentation Web site (http://www.novell.com/documentation/novellaccessmanager31/
).
Additional Documentation
Before proceeding, you should be familiar with the Novell Access Manager 3.1 SP1 Installation
Guide and the Novell Access Manager 3.1 SP1 Setup Guide, which provides information about
setting up the Access Manager system.
If you are unfamiliar with SAML 1.1, see “SAML Overview” (http://www.novell.com/
documentation/saml/saml/data/ag8qdk7.html) on the Documentation Web site (http://
www.novell.com/documentation/a-z.html).
For conceptual information about Liberty, and to learn about what is new for SAML 2.0, see
Appendix B, “About Liberty,” on page 311 and Appendix C, “Understanding How Access Manager
Uses SAML,” on page 313.
For information about the other Access Manager devices and features, see the following:
Novell Access Manager 3.1 SP1 Administration Console Guide
Novell Access Manager 3.1 SP1 Access Gateway Guide
Novell Access Manager 3.1 SP1 Policy Management Guide
Novell Access Manager 3.1 SP1 Agent Guide
Novell Access Manager 3.1 SP1 SSL VPN Server Guide
Novell Access Manager 3.1 SP1 Event Codes
Documentation Conventions
In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and
items in a cross-reference path.
A trademark symbol (®, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party
trademark.
When a single pathname can be written with a backslash for some platforms or a forward slash for
other platforms, the pathname is presented with a backslash. Users of platforms that require a
forward slash, such as Linux* or UNIX*, should use forward slashes as required by your software.
Configuring an Identity Server
1
13
novdocx (en) 19 February 2010
1
Configuring an Identity Server
After you log in to the Administration Console, click Devices > Identity Servers. The system
displays the newly installed server.
A newly installed Identity Server is in an unconfigured state and is halted. It remains in this state and
cannot function until you create an Identity Server configuration and assign the Identity Server to
the new configuration. The configuration defines how the Identity Server functions in an Access
Manager configuration. In an Identity Server cluster, multiple servers use the same configuration
and provide failover and load balancing services.
Section 1.1, “Managing a Cluster Configuration,” on page 13
Section 1.2, “Customizing Identity Server Messages,” on page 25
Section 1.3, “Customizing the Identity Server Login Page,” on page 30
Section 1.4, “Customizing the Identity Server Logout Page,” on page 48
Section 1.5, “Enabling Role-Based Access Control,” on page 49
Section 1.6, “Using netHSM for the Signing Key Pair,” on page 49
Section 1.7, “Configuring Secure Communication on the Identity Server,” on page 66
Section 1.8, “Security Considerations,” on page 71
For information on configuring local authentication options, see the following:
Chapter 2, “Configuring Local Authentication,” on page 75
Chapter 3, “Configuring Advanced Local Authentication Procedures,” on page 105
Chapter 4, “Defining Shared Settings,” on page 133
Chapter 10, “Configuring Liberty Web Services,” on page 223
1.1 Managing a Cluster Configuration
After you install an Identity Server, you must create a cluster configuration in order to configure the
Identity Server. Even if you have only one Identity Server, you must assign it to a cluster
configuration to configure it. If you have multiple Identity Servers, you can create multiple
configurations and assign different Identity Servers to them as shown in Figure 1-1.
14 Novell Access Manager 3.1 SP1 Identity Server Guide
novdocx (en) 19 February 2010
Figure 1-1 Identity Server Configurations
When you assign multiple Identity Servers to the same configuration, you need to install a load
balancer that supports either Layer 4 or Layer 7. This device is referred to as an L4 switch in this
manual. The L4 switch allows the work load to be balanced among the machines.
Whether you have one machine or multiple machines in a cluster, the Access Manager software
configuration process is the same. This section describes the following cluster management tasks:
Section 1.1.1, “Creating a Cluster Configuration,” on page 14
Section 1.1.2, “Assigning an Identity Server to a Cluster Configuration,” on page 19
Section 1.1.3, “Configuring Session Failover,” on page 19
Section 1.1.4, “Removing a Server from a Cluster Configuration,” on page 20
Section 1.1.5, “Managing a Cluster with Multiple Identity Servers,” on page 21
Section 1.1.6, “Enabling and Disabling Protocols,” on page 24
Section 1.1.7, “Modifying the Base URL,” on page 24
1.1.1 Creating a Cluster Configuration
This section discusses the settings available for an Identity Server configuration, such as importing
SSL certificates, enabling introductions, and configuring identity consumer settings. You should be
familiar with “Creating a Basic Identity Server Configuration” in the Novell Access Manager 3.1
SP1 Setup Guide before proceeding.
An Identity Server always operates as an identity provider and can optionally be configured to run as
an identity consumer (also known as a service provider), using Liberty, SAML 1.1, SAML 2.0,
CardSpace or WS Federation protocols. In an Identity Server cluster, multiple servers use the same
configuration.
In an Identity Server configuration, you specify the following information:
The base URL for the server or clustered server site.
Certificates for the Identity Server, identity provider, and identity consumer.
Authentication settings, such as whether the identity provider requires signed authentications
from service providers.
The service domains used for publishing and discovering authentications.
Identity Server 1
Configuration A
Identity Server 2
Configuration A Configuration B
Identity Server 1
Identity Server 2
Configuring an Identity Server 15
novdocx (en) 19 February 2010
Organizational and contact information for the server, which is published in the metadata of the
Liberty and SAML protocols.
The LDAP directories (user stores) used to authenticate users, and the trusted root for secure
communication between the Identity Server and the user store.
To create an Identity Server configuration:
1In the Administration Console, click Devices > Identity Servers.
2Select the Identity Server’s check box, then click New Cluster.
Selecting the server is one way to assign it to the cluster configuration.
3In the New Cluster dialog box, specify a name for the cluster configuration.
If you did not select the server in the previous step, you can now select the server or servers that
you want to assign to this configuration.
For more information about assigning servers to a configuration, see Section 1.1.2, “Assigning
an Identity Server to a Cluster Configuration,” on page 19.
4Click OK.
5Fill in the following fields to specify the Base URL for your Identity Server configuration:
16 Novell Access Manager 3.1 SP1 Identity Server Guide
novdocx (en) 19 February 2010
Name: Specify a name by which you want to refer to the configuration. This field is populated
with the name you provided in the New Cluster dialog box. You can change this name here, if
necessary.
IMPORTANT: Carefully determine your settings for the base URL, protocol, and domain.
After you have configured trust relationships between providers, changing these settings
invalidates the trust model and requires a reimport of the provider’s metadata.
Modifying the base URL also invalidates the trust between the Embedded Service Provider of
Access Manager devices. To re-establish the trust after modifying the base URL, you must
restart the Embedded Service Provider on each device.
Base URL: Specify the application path for the Identity Server. The Identity Server protocols
rely on this base URL to generate URL endpoints for each protocol.
Protocol: Select the communication protocol. Specify HTTPS in order to run securely (in
SSL mode) and for provisioning. Use HTTP only if you do not require security.
Domain: Specify the DNS name assigned to the Identity Server. When you are using an
L4 switch, this DNS name should resolve to the virtual IP address set up on the L4 switch
for the Identity Servers. Using an IP address is not recommended.
Port: Specify the port value for the protocol. Default ports are 8080 for HTTP or 8443 for
HTTPS. If you want to use port 80 or 433, specify the port here.
If you are configuring a Linux Identity Server, you must also configure the operating
system to translate the port. See Section 12.4, “Translating the Identity Server
Configuration Port,” on page 286.
If you are configuring a Windows Identity Server, you must also modify the Tomcat
server.xml
file located in the
\Program Files\Novell\Tomcat\conf
directory.
Change the ports from 8080 and 8443 to 80 and 443, then restart the Tomcat service.
Application: Specify the Identity Server application. Leave the default value nidp.
SSL Certificate: Displays the currently assigned SSL certificate.
The Identity Server comes with a test-connector certificate that you must replace to use SSL in
your production environment. You can replace the test certificate now or after you configure
the Identity Server. If you create the certificate and replace the test-connector now, you can
save some time by restarting Tomcat only once. Tomcat must be restarted whenever you assign
an Identity Server to a configuration and whenever you update a certificate key store. See
Section 1.7.3, “Managing the Keys, Certificates, and Trust Stores,” on page 68.
For information on how to replace the test-connector certificate, see “Enabling SSL
Communication” in the Novell Access Manager 3.1 SP1 Setup Guide.
6To configure session limits, fill in the following fields:
LDAP Access: Specify the maximum number of LDAP connections the Identity Server can
create to access the configuration store. You can adjust this amount for system performance.
Session Timeout: Specify the session inactivity time allowed before timing out. This is a
global setting that applies to any resource that authenticates to this Identity Server or Identity
Server cluster. The default setting is 60 minutes.
Configuring an Identity Server 17
novdocx (en) 19 February 2010
This is a security setting:
Lower it if you want idle sessions to time out with a smaller window of opportunity for
someone to take over a session of a user who takes a break, leaving an active session
unattended.
Increase it if you want to allow idle users to have a longer time period before they are
forced to log in again.
If the resource is configured to use Basic authentication, the session times out, but the browser
must be closed to terminate the session.
Limit User Sessions: Specify whether user sessions are limited. If selected, you can specify
the maximum number of concurrent sessions a user is allowed to authenticate.
If you decide to limit user sessions, you should also give close consideration to the session
timeout value (the default is 60 minutes). If the user closes the browser without logging out (or
an error causes the browser to close), the session is not cleared until the session timeout
expires. If the user session limit is reached and those sessions have not been cleared with a
logout, the user cannot log in again until the session timeout expires for one of the sessions.
When enabled, this option affects performance in a cluster with multiple Identity Servers.
When a user is limited to a specific number of sessions, the Identity Servers must check with
the other servers before establishing a new session.
Allow multiple browser session logout: Specify whether a user with more than one session to
the server is presented with an option to log out of all sessions. If you do not select this option,
only the current session can be logged out. Deselect this option in instances where multiple
users log in as guests. Then, when one user logs out, none of the other guests are logged out.
When you enable this option, you must also restart any Embedded Service Providers that use
this Identity Server configuration.
7To configure TCP timeouts, fill in the following fields:
LDAP: Specify how long an LDAP request to the user store can take before timing out.
Proxy: Specify how long a request to another cluster member can take before timing out.
When a member of a cluster receives a request from a user who has authenticated with another
cluster member, the member sends a request to the authenticating member for information
about the user.
Request: Specify how long an HTTP request to another device can take before timing out.
8To control which protocols can be used for authentication, select one or more of the following
protocols:
Liberty: Uses a structured version of SAML to exchange authentication and authorization data
between trusted identity providers and service providers and provides the framework for user
federation.
IMPORTANT: If you are using other Access Manager devices such as the Access Gateway,
SSL VPN, or the J2EE Agents, you need to enable the Liberty protocol. The Access Manager
devices use an Embedded Service Provider. If you disable the Liberty protocol, you disable the
trusted relationships these devices have with the Identity Server, and authentication fails.
SAML 1.1: Uses XML for exchanging authentication and authorization data between trusted
identity providers and service providers.
SAML 2.0: Uses XML for exchanging encrypted authentication and authorization data
between trusted identity providers and service providers and provides the framework for user
federation.
18 Novell Access Manager 3.1 SP1 Identity Server Guide
novdocx (en) 19 February 2010
STS: A security token service that creates digital identities from claims, which can then be
used as a card or a token for authentication.
CardSpace: Uses Microsoft* client software that stores a user’s information in a digital
identity or information card, which can then be presented and used as authentication
credentials.
WS Federation: Allows disparate security mechanisms to exchange information about
identities, attributes, and authentication.
9To continue creating the Identity Server configuration, click Next.
The system displays the Organization page.
Use this page to specify organization information for the Identity Server configuration. The
information you specify on this page is published in the metadata for the Liberty 1.2 and
SAML protocols. The metadata is traded with federation partners and supplies various
information regarding contact and organization information located at the Identity Server.
The following fields require information:
Name: The name of the organization.
Display Name: The display name for the organization.
URL: The organization’s URL for contact purposes.
Optional fields include Company, First Name, Last Name, Email, Telephone, and Contact
Type.
10 Click Next to configure the user store.
You must reference your own user store and auto-import the SSL certificate. See Section 2.1.2,
“Configuring the User Store,” on page 77 for information about this procedure.
Configuring an Identity Server 19
novdocx (en) 19 February 2010
11 After you configure the user store, the system displays the new configuration on the Servers
page.
The status icons for the configuration and the Identity Server should turn green. It might take several
seconds for the Identity Server to start and for the system to display a green light. If it does not, it is
likely that the Identity Server is not communicating with the user store you set up. Ensure that you
have entered the user store information correctly, and that you imported the SSL certificate to the
user store. (Edit > Local > [User Store Name].)
1.1.2 Assigning an Identity Server to a Cluster Configuration
After you create a configuration, you must assign an Identity Server to it. For clustering, you can
assign more than one Identity Server to the configuration (see Section 1.1.5, “Managing a Cluster
with Multiple Identity Servers,” on page 21 for the steps to set up a cluster). A configuration uses
any shared settings you have specified, such as attribute sets, user matching expressions, and custom
attributes that are defined for the server.
1In the Administration Console, click Devices > Identity Servers.
2On the Servers page, select the server’s check box, then choose Actions > Assign to Cluster.
You can select all displayed servers by selecting the top-level Server check box.
3Select the configuration’s check box, then click Assign.
You are prompted to restart Tomcat. The status icon for the Identity Server should turn green. It
might take several seconds for the Identity Server to start and for the system to display the
green light.
1.1.3 Configuring Session Failover
When you set up an Identity Server cluster and add more than one Identity Server to the cluster, you
have set up fault tolerance. This ensures that if one of the Identity Servers goes down, users still
have access to your site because the remaining Identity Server can be used for authentication.
However, it doesn’t provide session failover. If a user has authenticated to the failed Identity Server,
that user is prompted to authenticate and the session information is lost.
When you enable session failover and an Identity Server goes down, the user’s session information
is preserved. Another peer server in the cluster re-creates the authoritative session information in the
background. The user is not required to log in again and experiences no interruption of services.
“Prerequisites” on page 20
“Configuring Session Failover” on page 20
“How Fallover Peers Are Selected” on page 20
20 Novell Access Manager 3.1 SP1 Identity Server Guide
novdocx (en) 19 February 2010
Prerequisites
An Identity Server cluster with two or more Identity Servers.
Sufficient memory on the Identity Servers to store additional authentication information. When
an Identity Server is selected to be a failover peer, the Identity Server stores about 1 K of
session information for each user authenticated on the other machine.
Sufficient network bandwidth for the increased login traffic. The Identity Server sends the
session information to all the Identity Servers that have been selected to be its failover peers.
All trusted Embedded Services Providers need to be configured to send the attributes used in
Form Fill and Identity Injection policies at authentication. If you use any attributes other than
the standard credential attributes in your contracts, you need to send these attributes also. To
configure the attributes to send, click Devices > Identity Servers > Edit > Liberty > [Name of
Service Provider] > Attributes.
Configuring Session Failover
1In the Administration Console, click Devices > Identity Servers.
2In the list of clusters and Identity Servers, click the name of an Identity Server cluster.
3Click the IDP Failover Peer Server Count, then select the number of failover peers you want
each Identity Server to have.
To disable this feature, select 0.
To enable this feature, select one or two less than the number of servers in your cluster.
For example, if you have 4 servers in your clusters and you want to allow for one server
being down for maintenance, select 3 (4-1=3). If you want to allow for the possibility of
having two down, select 2 (4-2=2).
If you have eight or more servers in your cluster, the formula 8-2=6 gives each server 6
peers. This is probably more peers than you need for session failover. In a larger cluster,
you should probably limit the number of peers to 2 or 3. If you select too many peers, your
machines might require more memory to hold the session data and you might slow down
your network with the additional traffic for session information.
4Click OK.
How Fallover Peers Are Selected
The failover peers for an Identity Server are selected according to their proximity. Access Manager
sorts the members of the cluster by their IP addresses and ranks them according to how close their IP
addresses are to the server who needs to be assigned failover peers. It selects the closest peers for the
assignment. For example, if a cluster member exists on the same subnet, that member is selected to
be a failover peer before a peer that exist on a different subnet.
1.1.4 Removing a Server from a Cluster Configuration
Removing an Identity Server from a configuration disassociates the Identity Server from the cluster
configuration. The configuration, however, remains intact and can be reassigned later or assigned to
another server.
1In the Administration Console, click Devices > Identity Servers.
This manual suits for next models
1
Table of contents
Other Novell Software manuals
Novell
Novell LINUX ENTERPRISE DESKTOP 11 - ADMINISTRATION GUIDE... User guide
Novell
Novell POLICY IN DESIGNER 3.5 - 09-18-2009 User manual
Novell
Novell IMANAGER 2.7.3 Instruction Manual
Novell
Novell CLIENT FOR LINUX 1.1 User manual
Novell
Novell LINUX ENTERPRISE DESKTOP 11 - ADMINISTRATION GUIDE... User manual
Novell
Novell GROUPWISE 8 - INTEROPERABILITY User manual
Novell
Novell CLIENT FOR LINUX 1.2 User manual
Novell
Novell BUSINESS CONTINUITY CLUSTERING 1.1 SP2 -... Instruction Manual
Novell
Novell LINUX ENTERPRISE SERVER 10 - ARCHITECTURE-SPECIFIC INFORMATION... Manual
Novell
Novell GROUPWISE 8 - MONITOR User manual
Novell
Novell QUICKBOOKS - INSTALL User manual
Novell
Novell ZENWORKS 10 CONFIGURATION MANAGEMENT SP3 - COMMAND LINE UTILITIES REFERENCE 10.3... User manual
Novell
Novell BUSINESS CONTINUITY CLUSTERING 1.2.1 -... Instruction Manual
Novell
Novell DATA SYNCHRONIZER - 07-2010 User manual
Novell
Novell GROUPWISE 7 - SECURITY POLICIES User manual
Novell
Novell iFOLDER 3.6 - READ ME 05-2008 User manual
Novell
Novell IDENTITY MANAGER 3.6.1 - PASSWORD MANAGEMENT User manual
Novell
Novell GROUPWISE 8 - LIBRARIES AND DOCUMENTS User manual
Novell
Novell LINUX ENTERPRISE SERVER 10 SP3 - STORAGE ADMINISTRATION GUIDE... Instruction Manual
Novell
Novell ZENWORKS APPLICATION VIRTUALIZATION - V8.0.3 INTEGRATION AND STREAMING... User manual
Popular Software manuals by other brands
Logitech
Logitech HD 200a Install instructions
American Megatrends
American Megatrends StorTrends User's guide user guide
BT
BT Voyager Digital Media Player Installation & user manual
Juniper
Juniper STRM 2008-2 - TECHNICAL NOTE CHANGING NETWORK SETTING... Upgrade guide
Altigen
Altigen AltiServ user guide
COMPRO
COMPRO COMPRODTV user guide