Access Everywhere Access Manager Interoperability
Access Anywhere! Access Manager™ Interoperability
Gaurav Vaidya, Specialist, Novell, [email protected]
2 © 2011 NetIQ Corporation. All rights reserved.
About Speaker
PAST: 10+ years in the IT industry (with Novell® for the past 8.5 years).
PRESENT: Specialist with the Corporate Interoperability Team (3+ years).
PUBLICATION: Have published 30+ technical articles in print media (Indian IT magazines).
TALKS: Have presented papers / tutorials at 3 international conferences.
Objectives of Session
• Overview of the different integration points of Access Manager™
• Learn how NAM can be integrated with self-service Password Management
• Learn how applications like GroupWise® and Vibe can be deployed with Access Manager
• How to use SecretStore for Shared Secrets and SSO
• Basically, learn interoperability configurations for Access Manager through a variety of use cases.
Beyond The Scope of This Session
• Interoperability of Access Manager™ is a vast topic; the following popular Access Manager interoperability use cases will not be discussed in this session:
‒ Integration with other Identity Providers (federation-related use cases)
‒ Interoperability with non-Novell® products like SharePoint, Citrix etc.
‒ Kerberos authentication or other custom authentication classes.
Access Manager™ Interoperability Overview
Access Manager™ Integration Points: Features for Interoperability
[Diagram: integration points 1 to 7 between Browser, Access Gateway, Web Server / Web page, Identity Provider and LDAP Directory]
• Identity Provider: Password Servlet Config, Config for Federation, Shared Secrets
• Access Gateway: Configure Rewriter, Configure Protected Resources, Identity Injection
Integration with Password Management
Self Service Password Management: About
Self-service password management solutions reduce helpdesk cost and provide convenience for end users. Access Manager™ provides capabilities to integrate with self-service password management solutions.
Novell®/NetIQ has two self-service password management solutions to offer:
‒ IDM Role Based Provisioning Module (User Application)
‒ Self Service Password Reset (SSPR)
Password Management Use Cases
• Following are probable Self Service Password Management use cases with Access Manager™:
‒ User wants to proactively change the password.
‒ User has forgotten the password, OR the password is expired with NO grace logins remaining.
‒ User password is expired with grace logins remaining.
Configure SSPR with Access Manager™ – 1 of 5
Configuring Password Expiration Servlet: Password expiration options can be configured for a Contract in the IDP configuration (Identity Server – Edit > Local > Contracts > [Contract Name] > Password Expiration Servlet).
Example URL for password expiration (for SSPR): https://intranet.company.com/pwm/private/ChangePassword?passwordExpiration=true&forceAuth=TRUE&logoutURL=<RETURN_URL>
Options:
‒ Force Password Servlet to change password
‒ Force users to Re-Authenticate on returning to IDP
‒ IDP URL Parameters: USERID, STOREID, RETURN_URL
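The hand-off described on this slide has one detail that is easy to get wrong: the return URL placed into logoutURL carries its own query string, so it has to be percent-encoded or the servlet will split it into separate parameters. The following is an added example, not code from the deck or from SSPR/Access Manager; the servlet URL template is the one shown above, while the Identity Server URL, user id, store id, function names and the exact way the IDP appends USERID/STOREID/RETURN_URL are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Added example of the Identity Server -> Password Expiration Servlet hand-off.
# The servlet URL template is the one on the slide; the IDP URL, user id, store
# id and function names are constructed for illustration. The exact way the
# Identity Server appends USERID/STOREID/RETURN_URL is an assumption.
SERVLET_URL_TEMPLATE = (
    "https://intranet.company.com/pwm/private/ChangePassword"
    "?passwordExpiration=true&forceAuth=TRUE&logoutURL=<RETURN_URL>"
)


def build_expiration_redirect(template, userid, storeid, return_url):
    """Fill in <RETURN_URL> and append the IDP parameters listed on the slide.

    The return URL is percent-encoded before it is placed into logoutURL: it
    carries its own query string, and a raw '&' inside it would otherwise be
    read by the servlet as the start of another parameter.
    """
    base, _, _ = template.partition("logoutURL=<RETURN_URL>")
    logout = urlencode({"logoutURL": return_url})
    idp_params = urlencode({"USERID": userid, "STOREID": storeid, "RETURN_URL": return_url})
    return f"{base}{logout}&{idp_params}"


def naive_substitution(template, return_url):
    """The mistake this example guards against: pasting the URL in unencoded."""
    return template.replace("<RETURN_URL>", return_url)


def query_params(url):
    """Parse the query string the way the servlet would (first value per key)."""
    return {key: values[0] for key, values in parse_qs(urlsplit(url).query).items()}


def return_target_ok(params, idp_host):
    """Check that logoutURL and RETURN_URL both point back at the Identity
    Server host, so the post-change redirect only ever lands on the IDP."""
    hosts = {urlsplit(params.get(name, "")).hostname for name in ("logoutURL", "RETURN_URL")}
    return hosts == {idp_host}


if __name__ == "__main__":
    idp_return = "https://idp.company.com/nidp/app?sid=0&target=portal"  # constructed
    url = build_expiration_redirect(SERVLET_URL_TEMPLATE, "gvaidya", "corp-edir", idp_return)
    print(url)
    print(query_params(url))
    print(query_params(naive_substitution(SERVLET_URL_TEMPLATE, idp_return)))
```

Running the module prints the encoded URL, the parameters the servlet recovers from it (logoutURL intact, with sid and target still inside it), and the parameters recovered from the unencoded version, where target has become a stray top-level parameter and logoutURL has been cut short.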
Configure SSPR with Access Manager™ – 2 of 5
Configuring user interaction option: The option “Allow User Interaction” can be enabled on the page (Identity Server – Edit > Local > Contracts > [Contract Name] > Allow User Interaction [Checkbox]).
Configure SSPR with Access Manager™ – 3 of 5
Overview of SSPR Flow
Configure SSPR with Access Manager™ – 4 of 5
Configuring Options on SSPR
Configuration                                      Value
User Interface > Password Change Success Message   Custom message to notify users to re-login to their portal after the password change.
General > Forward URL                              URL like "/pwm" to which the user is redirected after any operation except password change.
General > Logout URL                               NAM logout URL like intranet.company.com/AGLogout
General > Logout After Password Change             TRUE (recommended to keep this default setting to avoid the issues mentioned in the above TIP)
Configure SSPR with Access Manager™ – 5 of 5
Access Gateway configuration for SSPR
• Create a multi-homing resource for SSPR with Path “/pwm”
• Configure protected resources as follows:
URL Path          Protected Resource - Security Level
/pwm/*            Public - Authentication is None
/pwm/private/*    Restricted - Authentication Configured
/pwm/config/*     Restricted - Authentication Configured (Optional Access Policy)
/pwm/admin/*      Restricted - Authentication Configured (Optional Access Policy)
• Create an Identity Injection policy with Basic Auth headers for SSPR
GroupWise® with Access Manager™
Integrating GroupWise® Overview
[Diagram: GroupWise Client and Vibe Integration; GroupWise Calendar Publishing; GroupWise® WebAccess]
GroupWise® With Access Manager™ - 1 of 5: Configure GroupWise for Access Manager
• Configure GroupWise to trust the Access Gateway by adding the IP of the Access Gateway in (GroupWise Domain Object → GroupWise WebAccess Object → Application → Security → Single Sign On).
• Configure simultaneous logout with Access Manager by configuring the path “/AGLogout” under the section “Logout URL”.
• Restart WebAccess on GroupWise.
GroupWise® With Access Manager™ - 2 of 5: GroupWise Calendar Publishing and Access Manager
Calendar Publishing
1) The GroupWise system is enabled to publish calendars from ConsoleOne.
2) The user creates and publishes a calendar from the GroupWise Client.
3) Anyone can access http(s)://host/gwcal/calendar
Access Manager User Actions
(1) User accesses the webcal URL and authenticates to Access Manager (basic auth).
(2) User gets the Access Manager calendar page with Download and Subscribe links (webcal://<PublishedHost>/...).
(3) Clicking the Subscribe link opens the GroupWise Client (8.0.0.5+).
GroupWise® With Access Manager™ - 3 of 5: Configure Access Manager Proxy Server for GroupWise
Access Manager Proxy Service
(1) Multi-homing Path List → /gw & /gwcal
(2) TCP Connect Option > Data Read Timeout → 360 sec
Rewriter Config
For /gwcal: Character type rewriter profile with all default settings except one Search/Replace:
Search = webcal://<internal Web Server Host Name>
Replace = webcal://<Published DNS Name>
GroupWise® With Access Manager™ - 4 of 5: Configure Access Manager Protected Resources
URL Path                         Protected Resource - Security Level
/gw/webacc/* & /gw/webacc?       Contract → Secure Name Password Form
                                 Policy → Simple Identity Injection (LDAP / Password)
/gw/com/* & /gw/webaccess/*      Contract → None (Public)
/gw/webacc?User.context*         Contract → Secure Name Password Form
                                 Non-Redirected Login → Enabled
                                 Realm → Gwise
                                 Redirect to Identity Server.... → Disabled
                                 Policy → Simple Identity Injection (LDAP / Password)
/gwcal/*                         Contract → Secure Name Password Form
                                 Non-Redirected Login → Enabled
                                 Realm → Gwise
                                 Redirect to Identity Server.... → Disabled
                                 Policy → None
GroupWise® With Access Manager™ - 5 of 5: GroupWise-Vibe Integration and Access Manager
Configure GroupWise: The URL configured for the GroupWise client connection to Vibe in ConsoleOne must be set to the published DNS name of the configured Vibe Proxy Service (GroupWise domain object → Tools → GroupWise Utilities → Client Options → Environment → Teaming tab).
Configure Vibe: Teaming generates URLs based on the <schema> and <hostname> configured during initial configuration. These must match the schema and hostname of the configured Access Manager Proxy Service (details in the Vibe section).
Configure Access Manager: The Access Manager configuration is the same as discussed in the Vibe section, except for an additional protected resource for path /ssf/ws/TeamingServiceV1*. This is the path of the Teaming Web Service used by the GroupWise Client.
Vibe (Teaming) with Access Manager™
Integrating Vibe Overview
Vibe URLs
• Typical browser URL is http(s)://<DNS>/teaming.
• HTML content is located under path /ssf, while WebDAV content is under /ssfs.
Integration Considerations
• Various applications access Vibe data (files, docs etc.):
(1) Office applications through WebDAV
(2) Web Folders through WebDAV
(3) Integration with GroupWise Client
Vibe With Access Manager - 1 of 3: Configure Vibe settings
• While installing or “Reconfiguring Settings” in Teaming, the following must be configured:
‒ Access Gateway IP for allowing Identity Injection and access (this may be a single IP, a comma-separated list or a wildcard IP address).
‒ Access Gateway logout URL to enable simultaneous logout with the Access Gateway.
Vibe With Access Manager - 2 of 3: Configure Access Manager Proxy Service
Access Manager Proxy Service
(1) Multi-homing Path List → /ssf, /ssfs & /teaming
(2) TCP Connect Option > Data Read Timeout → 1200 sec
Rewriter Config
(1) Configure additional content type “application/rss+xml”
(2) Add “value” to the “Variable or Attribute Name to Search for is” list.
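Both rewriter slides (the /gwcal Search/Replace pair for GroupWise and the extra content type and attribute for Vibe) come down to the same two questions: which responses does the rewriter touch at all, and where inside them does it look for the internal host name. The following is an added example that models those two settings; it is a simplification for illustration, not Access Manager code. The default content-type and attribute lists, the internal and published host names and the sample response bodies are all assumptions.

```python
import re

# Added model of the character-type rewriter settings on the GroupWise (/gwcal
# Search/Replace pair) and Vibe (extra content type, extra attribute) slides. It is
# a simplification for illustration, not Access Manager code: the default content
# types and attribute names, the host names and the sample response bodies are
# all assumptions.
DEFAULT_CONTENT_TYPES = ("text/html", "text/xml", "text/css", "text/javascript")
DEFAULT_ATTRIBUTES = ("href", "src", "action")


class RewriterProfile:
    def __init__(self, internal_host, published_host, search_replace=(),
                 extra_content_types=(), extra_attributes=()):
        self.published_host = published_host
        self.search_replace = list(search_replace)
        self.content_types = set(DEFAULT_CONTENT_TYPES) | set(extra_content_types)
        attrs = "|".join(DEFAULT_ATTRIBUTES + tuple(extra_attributes))
        # Internal host name inside one of the listed attributes: attr="[http(s)://]host
        self._attr_re = re.compile(
            r'\b(?P<attr>%s)=(?P<q>["\'])(?P<scheme>https?://)?%s'
            % (attrs, re.escape(internal_host)))

    def applies_to(self, content_type):
        """Keyed on the media type only; parameters such as charset are ignored."""
        return content_type.split(";")[0].strip().lower() in self.content_types

    def rewrite(self, content_type, body):
        """Return (rewritten body, replacement count). A body whose content type is
        not in the profile passes through untouched, which is the case the Vibe
        slide fixes by adding application/rss+xml."""
        if not self.applies_to(content_type):
            return body, 0
        body, count = self._attr_re.subn(
            lambda m: f'{m.group("attr")}={m.group("q")}{m.group("scheme") or ""}{self.published_host}',
            body)
        # Explicit Search/Replace pairs run afterwards; they catch references the
        # attribute scan does not, such as the webcal:// links on the GroupWise slide.
        for search, replace in self.search_replace:
            count += body.count(search)
            body = body.replace(search, replace)
        return body, count


# GroupWise /gwcal: defaults plus the single Search/Replace pair from the slide.
GWCAL_PROFILE = RewriterProfile(
    "gw-internal.company.local", "calendar.company.com",
    search_replace=[("webcal://gw-internal.company.local", "webcal://calendar.company.com")])

# Vibe: defaults plus the additional content type and the "value" attribute.
VIBE_PROFILE = RewriterProfile(
    "vibe-internal.company.local", "teaming.company.com",
    extra_content_types=["application/rss+xml"], extra_attributes=["value"])

# The same Vibe hosts with default settings only, to show what gets missed.
VIBE_DEFAULTS_ONLY = RewriterProfile("vibe-internal.company.local", "teaming.company.com")

# Constructed sample response bodies.
GWCAL_PAGE = '<a href="webcal://gw-internal.company.local/gwcal/ical/user1">Subscribe</a>'
VIBE_FORM = ('<form action="http://vibe-internal.company.local/ssf/a/do">'
             '<input type="hidden" name="returnUrl" '
             'value="http://vibe-internal.company.local/ssf/a/do?p=1"></form>')
VIBE_RSS = '<atom:link href="http://vibe-internal.company.local/ssf/rss/feed" rel="self"/>'
```

With the default settings alone, the form's action is rewritten but the hidden input's value still names the internal host, and the RSS body is not inspected at all; VIBE_PROFILE fixes both, and GWCAL_PROFILE needs its explicit pair because a webcal:// link is not something the attribute scan recognises as a host reference.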
Vibe With Access Manager - 3 of 3: Protected Resource Configuration
URL Path                                   Protected Resource - Security Level
/ssf/* & /teaming/*                        Contract → Secure Name Password Form
                                           Policy → Identity Injection (LDAP Name / Password)
/ssf/ws/*                                  Contract → Name Password - Basic
                                           Non-Redirected Login → Enabled
                                           Realm → Teaming
                                           Redirect to Identity Server.... → Disabled
                                           Policy → Identity Injection (LDAP Name / Password)
/ssfs/* (WebDAV), /ssf/rss/* (RSS reader), Contract → Secure Name Password Form
/ssf/atom/* (atom), /ssf/ical/* (ical)     Non-Redirected Login → Enabled
                                           Realm → Teaming
                                           Redirect to Identity Server.... → Disabled
                                           Policy → Simple Identity Injection (LDAP / Password)
/ssf/css/*, /ssf/ext/*, /ssf/help/*,       Contract → None (Public)
/ssf/help_doc/*, /ssf/i/*, /ssf/images/*,  Policy → None
/ssf/js/*, /ssf/themes/*
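The protected-resource tables for SSPR, GroupWise and Vibe all follow one pattern: a request is matched against the configured URL paths, the contract decides whether the user is redirected to the Identity Server or challenged in place (Non-Redirected Login with a Realm), and the Identity Injection policy adds credentials to the request forwarded to the web server. The following is an added example that works through the Vibe table, plus the header-injection use case from the Shared Secrets section later in the deck; it is an illustration, not Access Manager code. It assumes that only '*' is a wildcard, that the matching resource with the longest literal prefix wins, that a URL matching no resource is denied, that Identity Injection of the LDAP name/password means an HTTP Basic Authorization header, and that the user, password and secret values are constructed.

```python
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Added model of how the Access Gateway applies the protected-resource tables from
# the SSPR, GroupWise and Vibe slides, plus the shared-secret header injection from
# the Secret Store section. It is an illustration, not Access Manager code, and it
# assumes: only '*' is a wildcard, the matching resource with the longest literal
# prefix wins, a URL matching no resource is denied, Identity Injection of the
# LDAP name/password means an HTTP Basic Authorization header, and the user,
# password and secret values below are constructed.


@dataclass(frozen=True)
class ProtectedResource:
    path: str                     # URL path pattern exactly as written on the slides
    contract: Optional[str]       # None means Public (no authentication)
    inject: tuple = ()            # ((header, source), ...): source 'basic' or 'secret:<name>'
    non_redirected: bool = False  # Non-Redirected Login: challenge in place, no IDP redirect
    realm: str = ""               # Realm sent in the Basic challenge

    def matches(self, url):
        regex = "^" + re.escape(self.path).replace(r"\*", ".*") + "$"
        return re.match(regex, url) is not None

    @property
    def specificity(self):
        return len(self.path.split("*", 1)[0])


def select_resource(resources, url):
    """Longest literal prefix wins, so /ssf/ws/* beats /ssf/* for web-service calls."""
    hits = [r for r in resources if r.matches(url)]
    return max(hits, key=lambda r: r.specificity, default=None)


def injected_headers(resource, session):
    """Headers the Identity Injection policy adds to the request to the web server."""
    headers = {}
    for header, source in resource.inject:
        if source == "basic":
            token = base64.b64encode(f"{session['user']}:{session['password']}".encode()).decode()
            headers[header] = f"Basic {token}"
        elif source.startswith("secret:"):
            headers[header] = session["secrets"][source[len("secret:"):]]
    return headers


def decide(resources, url, session=None):
    """Gateway decision for one request; session is None until the user authenticates."""
    res = select_resource(resources, url)
    if res is None:
        return {"action": "deny"}
    if res.contract is None:
        return {"action": "forward", "headers": {}}
    if session is None:
        if res.non_redirected:
            return {"action": "challenge",
                    "headers": {"WWW-Authenticate": f'Basic realm="{res.realm}"'}}
        return {"action": "redirect_to_idp", "contract": res.contract}
    return {"action": "forward", "headers": injected_headers(res, session)}


FORM = "Secure Name Password Form"
BASIC = ("Authorization", "basic")

# The Vibe protected-resource table from the slide.
VIBE_RESOURCES = (
    [ProtectedResource(p, FORM, (BASIC,)) for p in ("/ssf/*", "/teaming/*")]
    + [ProtectedResource("/ssf/ws/*", "Name Password - Basic", (BASIC,), True, "Teaming")]
    + [ProtectedResource(p, FORM, (BASIC,), True, "Teaming")
       for p in ("/ssfs/*", "/ssf/rss/*", "/ssf/atom/*", "/ssf/ical/*")]
    + [ProtectedResource(p, None)
       for p in ("/ssf/css/*", "/ssf/ext/*", "/ssf/help/*", "/ssf/help_doc/*",
                 "/ssf/i/*", "/ssf/images/*", "/ssf/js/*", "/ssf/themes/*")]
)

# Constructed resource for the shared-secret use case: a web server that wants an
# extra name/value pair in a header besides the Basic credentials.
CUSTOM_APP = [ProtectedResource("/app/*", FORM, (BASIC, ("X-Employee-ID", "secret:EmployeeID")))]

# Constructed authenticated session: LDAP credentials plus one shared secret.
SESSION = {"user": "alice", "password": "secret", "secrets": {"EmployeeID": "E12345"}}
```

The specificity rule is the part worth checking in a real configuration: a web-service call such as /ssf/ws/TeamingServiceV1 from the GroupWise client must land on the /ssf/ws/* resource and get a Basic challenge, not on /ssf/* with a form redirect that a non-browser client cannot follow, while the static paths stay public and carry no injected credentials.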
Access Manager™, Vibe and e-Mails: Vibe URLs in mail notifications through Access Manager™
• There are 3 different options to generate mail through Vibe which require attention during Access Manager™ integration:
‒ "Send E-Mail" - from the "E-mail Contributors..." link on the entry view
‒ "Share this Folder..." or "Share this Workspace..."
‒ e-Mail Notification - this can be set up on a folder or on individual entries via subscription
Integrating with Secret Store and NSL
Use Cases For Shared Secret
• Following are probable use cases for configuring Shared Secrets with Access Manager™:
‒ If an HTML form has fields apart from username and password.
‒ If a Web Server requires some name/value pair to be injected in a header.
‒ If there is a need to share SSO credentials between NSL and Access Manager.
Access Manager™ Shared Secrets
• Access Manager supports creating and using secrets:
‒ In the local configuration store
‒ In eDirectory™ user stores that are running SecretStore
‒ In a user store that has been configured with a custom attribute for secrets
Configuring Shared Secrets: Configuring Access Manager to use Shared Secrets
• Enable the user store with the “Use SSL” option.
• Go to “Devices → Identity Server → Edit → Liberty → Web Service Providers” and click “Credential Profile”.
• Depending on where the secret is to be stored, configure the “Extended Schema” or “Secret Store” User Store References.
• Create a new shared secret entry: specify the entry name and the shared secret name.
Notes:
‒ In the case of SecretStore, the secret name should match an already configured name/value pair.
Access Manager™ and Data Synchronizer
Data Synchronizer and Access Manager™ Overview
[Diagram: Mobile Device (ActiveSync) and Browser on the Internet, NAM Access Gateway, Data Sync Web Admin, Data Sync Engine, Mobility Connector]
REQUEST FROM BROWSER: https://www.mynam.com/datasync/
REQUEST TO WEB ADMIN: https://<webadmin.ip.addr>:8120/
REQUEST TO MOBILITY CONNECTOR: https://<mobility.ip.addr>/Microsoft-Active-Sync?..
REQUEST FROM MOBILE DEVICE: https://www.mynam.com/Microsoft-Active-Sync?..
Configuring Access Manager™ for Data Synchronizer
Configure ActiveSync: Configure a basic path-based multi-homing service with path /Microsoft-Server-ActiveSync
Configure Web Admin: Web Admin uses 5 different paths in its web application: /login, /admin, /post, /style, /common. A custom rewriter profile is required with (1) an additional content type “text/x-js” and (2) replace /post & /admin with $path.
Configure Protected Resources:
(1) Secure /login, /admin, /post with a secure contract
(2) Keep /common & /style public
Summary and Recap
Summary/Recap
• Three basic configurations for integrating applications
‒ Multi-homing host and Rewriter
‒ Single Sign On
‒ Simultaneous Logout and Session Timeout
• Integrating Password Management
‒ Expired password Servlet
‒ Action after password change
• Shared Secrets
‒ Additional Attributes
‒ Share SSO credential with NSL
Thank you.
Questions and Answers
+1 713.548.1700 (Worldwide), 888.323.6768 (Toll-free), [email protected]
Worldwide Headquarters: 1233 West Loop South, Suite 810, Houston, TX 77027, USA
http://community.netiq.com
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.
Copyright © 2011 NetIQ Corporation. All rights reserved.
ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States.