Cloud Identity Manager 3.5 Integration...
Transcript of Cloud Identity Manager 3.5 Integration...
Integration Guide
McAfee Cloud Identity Managerversion 3.5
2 McAfee Cloud Identity Manager 3.5 Integration Guide
COPYRIGHTCopyright © 2013 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONSMcAfee®, the McAfee logo, Avert, ePO, ePolicy Orchestrator, Foundstone, GroupShield, IntruShield, LinuxShield, MAX (McAfee SecurityAlliance Exchange), NetShield, PortalShield, Preventsys, SecureOS, SecurityAlliance, SiteAdvisor, SmartFilter, Total Protection, TrustedSource, Type Enforcement, VirusScan, and WebShield are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries.
LICENSE INFORMATION
License AgreementNOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANTOR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
Contents
1.0 Introduction to McAfee Cloud Identity Manager ........................................................ 51.1 Supported environments...................................................................................... 61.2 Supported browsers ............................................................................................ 6
1.2.1 Application portal..................................................................................... 61.2.2 Management Console ............................................................................... 6
1.3 Available documentation...................................................................................... 71.4 Technical support ............................................................................................... 7
2.0 Integrating .NET Web Applications with Cloud Identity Manager .............................. 92.1 SSO and SLO for .NET Web Applications ...............................................................102.2 How to Integrate .NET Web Applications ...............................................................11
2.2.1 The .NET Web Application Integration Toolkit..............................................112.3 Customizing your Authentication Module ...............................................................11
2.3.1 Set Up Files ...........................................................................................112.3.2 Modifying the web.config File....................................................................122.3.3 .NET Web Application Parameters .............................................................14
2.4 Configuring your .NET Web Application .................................................................16
3.0 Integrating Java-based Web Applications with Cloud Identity Manager ...................173.1 Java Integration Toolkit ......................................................................................173.2 Java Integration SDK .........................................................................................183.3 Java Servlet Filter ..............................................................................................18
3.3.1 Sample web.xml File Configuration............................................................183.3.2 Java Servlet Filter Parameters ..................................................................20
McAfee Cloud Identity Manager 3.5 Integration Guide 3
4 McAfee Cloud Identity Manager 3.5 Integration Guide
1.0 Introduction to McAfee Cloud Identity Manager
McAfee® Cloud Identity Manager (Cloud Identity Manager, formerly Intel® Expressway Cloud Access 360-SSO) simplifies the management and secures the use of cloud, Software as a Service (SaaS), and web applications for companies and large organizations. Service and application providers can also use Cloud Identity Manager to simplify and improve the authentication process for their customers.
Cloud Identity Manager provides support for the following features:• Extensible framework• Web single sign on (SSO)• Multiple authentication methods• Credential mapping and user provisioning• Authorization policies and access control enforcement• Event auditing and monitoring• Connectors for popular cloud services and applications• Web-based Management Console
Cloud Identity Manager runs as a stand-alone server and is configured by an administrator using a web-based Management Console accessible from a web browser. For information about installing Cloud Identity Manager as a standalone server or as a cluster of servers, see McAfee Cloud Identity Manager Installation Guide. For information about configuring Cloud Identity Manager in the Management Console, see McAfee Cloud Identity Manager Product Guide.
Cloud Identity Manager provides connectors for many popular cloud services and applications, including Google Apps and Salesforce.com. These connectors are built in to Cloud Identity Manager and simplify the deployment of the cloud service or application in an organization. Web SSO requires configuration in the Management Console and in the cloud application’s user interface. Instructions for configuring SSO on the cloud application side are included in the documentation set.
For customers who have Java-based or .NET web applications that do not support SAML2 authentication, Cloud Identity Manager provides a custom connector. For information about integrating Java-based and .NET web applications with Cloud Identity Manager, see this guide.
For software developers who want to write their own cloud service connectors or authentication modules, Cloud Identity Manager provides an SDK. For more information about the SDK, see McAfee Cloud Identity Manager Developer’s Guide.
McAfee Cloud Identity Manager 3.5 Integration Guide 5
1.1 Supported environmentsCloud Identity Manager supports these environments.
1.2 Supported browsersCloud Identity Manager supports different browsers for the application portal and the Management Console.
1.2.1 Application portal
For end users who seek access to SaaS and web applications through a portal using Cloud Identity Manager identity services, Cloud Identity Manager supports the following desktop and mobile web browsers. Note that Cloud Identity Manager services are running in the background and are not visible to the end user.
• Desktop browsers— Google Chrome 16— Mozilla Firefox 9— Microsoft Internet Explorer 7, 8, and 9— Safari 5.1.2
• Mobile browsers— Android 2.0 devices and WebKit browser— iOS devices and Safari browser
1.2.2 Management Console
The Cloud Identity Manager Management Console is a web-based user interface that provides administrators with a single, central point of management and control through a web browser on a local computer. For Management Console administrators, Cloud Identity Manager supports the following desktop and mobile web browsers.
• Desktop browsers— Firefox 9— Internet Explorer 7, 8, and 9
• Mobile browsers — None are currently supported.
Version Architecture
IA-32 Intel® 64
Linux Operating System
Red Hat Enterprise Linux Serverand Advanced Platform 5.0
Yes Yes
Windows Operating System
Windows Server 2003 Standard Edition Yes Yes
Windows Server 2003 DataCenter Edition Yes Yes
Windows Server 2003 Enterprise Edition Yes Yes
Windows Server 2008 Yes Yes
6 McAfee Cloud Identity Manager 3.5 Integration Guide
1.3 Available documentationThe Cloud Identity Manager documentation set includes the following guides:
• McAfee Cloud Identity Manager Product Guide — A complete guide to the Management Console and the configuration tasks needed to administer Cloud Identity Manager
• McAfee Cloud Identity Manager Developer’s Guide — Provides information for software developers who want to write custom Java code that extends Cloud Identity Manager functionality
• McAfee Cloud Identity Manager Installation Guide — Includes the tasks and procedures that you need to install and remove Cloud Identity Manager as a standalone server on Microsoft Windows and Linux operating system platforms
• this guide — Provides instructions on how to integrate Java-based and .NET web applications that do not support SAML2 authentication with Cloud Identity Manager
Note: In addition to these guides, there are separate guides that document how to configure the different Cloud Connectors. For more information, see the McAfee Cloud Identity Manager Product Guide.
1.4 Technical supportFor technical assistance, contact McAfee support by one of the following options:
Support portal: https://mysupport.mcafee.com
Phone number: 1-800-937-2237
McAfee Cloud Identity Manager 3.5 Integration Guide 7
8 McAfee Cloud Identity Manager 3.5 Integration Guide
2.0 Integrating .NET Web Applications with Cloud Identity Manager
McAfee® Cloud Identity Manager (Cloud Identity Manager) allows you to configure SSO and Single Logout SLO for both SaaS applications, such as Google Apps and Salesforce.com, and for web applications running on a cloud computing platform, such as Amazon Web Services (AWS). Some applications require a custom connector to integrate with Cloud Identity Manager. For these Service Providers, Cloud Identity Manager provides a custom security token and authentication service that replaces SAML2.
Note: The Cloud Identity Manager custom security token and authentication service are also referred to as the ICE token and authentication service.
McAfee Cloud Identity Manager 3.5 Integration Guide 9
2.1 SSO and SLO for .NET Web ApplicationsThe following section illustrates how Cloud Identity Manager federates SSO and SLO across web services using the custom security token and authentication service.
Figure 1. SSO and SLO Federation Across Web Services
The following steps detail how the custom security token and authentication service federate SSO across web applications for one enterprise user:1. The user requests access to a web application (Premier Service 1).2. Service 1 redirects the user’s request to Cloud Identity Manager.3. Cloud Identity Manager presents a login page to the user, collects the user’s credentials, and
authenticates the user’s credentials against the identity store. Cloud Identity Manager then issues a custom security token and redirects the user back to Service 1.
4. Service 1 locates the custom security token, determines that it is valid, retrieves the authenticated user information from the token, grants the user access, and establishes an authenticated session with the user’s browser.
5. The user requests access to a second web application (Premier Service 2).6. Service 2 locates the custom security token cookie, determines that the user’s session is
authenticated, and grants the user access to the service without repeating the authentication step.
Cloud Identity Manager also federates SLO across web applications:1. The user requests to log off a web application.2. The Service terminates the authenticated session and redirects the request to Cloud Identity
Manager.3. Cloud Identity Manager manages the user’s sessions and the SLO process.
10 McAfee Cloud Identity Manager 3.5 Integration Guide
2.2 How to Integrate .NET Web ApplicationsIntegrating Cloud Identity Manager with your .NET web application consists of the following steps:
• Configuring SSO and SLO Federation in Cloud Identity Manager• Customizing your Authentication Module• Configuring your .NET web application
Note: Integrating Cloud Identity Manager with your .NET web application requires .NET Framework 2.0. For detailed information about how to configure federated SSO and SLO on the Cloud Identity Manager side, see the McAfee Cloud Identity Manager Product Guide.
2.2.1 The .NET Web Application Integration Toolkit
To help you integrate your .NET web application, Cloud Identity Manager provides a toolkit. The toolkit, which is available after Cloud Identity Manager is installed on a Windows platform, includes two DLL files and API documentation. The DLL files and API documentation are located in the following directory:
${ICE_INSTALL_DIR}/current/clientlib/DotNet/
• DLL Files — The DLL files implement the custom security token interfaces and SSO/SLO protocols. You need these to develop your Authentication Module. They are located in the DotNet folder:DotNetICEClient.dll
Newtonsoft.Json.Net20.dll
• API Documentation — The API documentation (SDK) is available in Compiled HTML Help format. The file is located in the DotNet folder and has the following name:DotNetICEClientSDK.CHM
2.3 Customizing your Authentication ModuleTo integrate your .NET web application with Cloud Identity Manager, customize your Authentication Module. Customizing the Authentication Module consists of the following steps:1. Setting up folders2. Modifying the web.config file
2.3.1 Set Up Files
You need to make two .dll files in the DotNet folder available to the .NET application on the web. The DotNet folder, which contains the .dll files and the .NET Integration SDK, is located here: $INSTALL_DIR/current/clientlib/DotNet/
Copy the following two .dll files from the DotNet folder to $WEB_APP_PATH/bin:DotNetIceClient.dll
Newtonsoft.Json.Net20.dll
$WEB_APP_PATHSpecifies the location of the .NET application on the web.
McAfee Cloud Identity Manager 3.5 Integration Guide 11
2.3.2 Modifying the web.config File
To integrate a .NET web application with Cloud Identity Manager, you can customize the web.config XML file which contains all the configuration information for the .NET application. Modifying the web.config file for Cloud Identity Manager involves three steps:1. To configure IIS and ASP.NET to expect the Authentication Module, add a custom <httpModules>
section named “IceAuthenticationModule” to the <system.web> section of the web.config file.2. To configure a custom .NET interface, add a custom <configSections> section named
“spClientConfig” to the web.config file.3. To specify the details of the custom .NET interface, add the custom <spClientConfig> section to the
web.config file.
Note: For more information about the parameters in the <spClientConfig> section, see section 2.3.3 .NET Web Application Parameters.
2.3.2.1 Add a Custom <httpModules> Section
To configure IIS and ASP.NET to expect a Authentication Module, add a custom <httpModules> section named “IceAuthenticationModule” to the <system.web> section of the web.config file.
Example:<system.web>
<!-- other sections for system.web
…
…
-->
<httpModules>
<add name="IceAuthenticationModule" type="DotNetIceClient.IceAuthenticationModule, DotNetIceClient"/>
</httpModules>
</system.web>
2.3.2.2 Add a Custom <configSections> Section
To configure a custom .NET interface, add a custom <configSections> section named “spClientConfig” to the web.config file.
Example:<configSections>
<!-- other possible customized configSections
…
…
-->
<section name="spClientConfig" type="DotNetIceClient.Configuration.IceClientConfiguration"/>
</configSections>
12 McAfee Cloud Identity Manager 3.5 Integration Guide
2.3.2.3 Add the Custom <spClientConfig> Section
To specify the details of the custom .NET interface, add the custom <spClientConfig> section to the web.config file. For each parameter in this section, specify a value by substituting the value for the “XXXX” string. For more information about the parameters, see section 2.3.3 .NET Web Application Parameters.
Example:<spClientConfig
iceServerSSOUrl="XXXX"
iceServerSLOUrl="XXXX"
serviceUrl="XXXX"
authenticationFailedUrl="XXXX"
varNameForSLO="XXXX"
certificatePathForIceToken="XXXX"
issuerForIceToken="XXXX"
audienceForIceToken="XXXX"
lifeTimeForServerToken="XXXX""
clockSkewForServerToken="XXXX"
udfCookieName="XXXX"
bTokenAsCookie="XXXX"
passwordForTokenEncryptKey="XXXX"
udfCookieDomain="XXXX"
udfCookiePath="XXXX"
udfCookieSecure="XXXX"
tokenManager="XXXX"
/>
McAfee Cloud Identity Manager 3.5 Integration Guide 13
2.3.3 .NET Web Application Parameters
The following list contains detailed information about how to customize each parameter in the <spClientConfig> section of the web.config file.
iceServerSSOUrlSpecifies the URL of the Cloud Identity Manager SSO Service.Note: This parameter is configured when Cloud Identity Manager is deployed.Required: yes
iceServerSLOUrlSpecifies the URL of the Cloud Identity Manager SLO Service.Note: This parameter is configured when Cloud Identity Manager is deployed.Required: yes
serviceURLSpecifies the URL of the .NET web application.Required: yes
authenticationFailedUrlSpecifies the URL of the webpage where users are redirected when an authentication failure error takes place.Required: yes
varNameForSLOSpecifies the name of an HTTP request parameter whose value is a string that indicates whether the current HTTP request is an SLO request. A value of TRUE indicates that the HTTP request is an SLO request. Any other value indicates that the HTTP request is not an SLO request.Required: yesDefault Value: logoutRequest
certificatePathForIceTokenSpecifies the location of the X.509 certificate file used to verify the custom security token.Required: yes
issuerForIceTokenSpecifies a string value for the custom security token issuer.Required: noDefault Value: “”
audienceForIceTokenSpecifies a string value for the custom security token audience.Required: noDefault Value: “”
14 McAfee Cloud Identity Manager 3.5 Integration Guide
lifeTimeForServerTokenSpecifies a maximum lifetime to allow the custom session token.Required: yesDefault value: 600Units: secondsNote: The effective_time of the custom session token is equal to the creation_time minus the time value specified by the clockSkewForServerToken parameter. The expiration_time is set to the effective_time plus the value of the lifeTimeForServerToken. Subtracting the clockSkewForServerToken value from the creation_time extends the range of valid values for the effective_time and reduces the likelihood that the effective_time is too early by another computer’s clock.
clockSkewForServerTokenSpecifies a value to use when calculating the lifetime of the custom session token. This value is designed to offset small differences between clocks on different computer systems.Required: yesDefault Value: 10Units: seconds
udfCookieNameSpecifies the name of the user-defined cookie which is used by the web browser to identify and maintain the custom security token.Required: yesDefault value: IceCookie
bTokenAsCookieSpecifies whether the entire custom security token is used as the cookie value by the web browser and can have one of two values:— TRUE — The custom security token is stored and maintained by the web browser.
Note: When the custom token is stored and maintained by the web browser, the user must ensure that the length of the HTTP request header, including the cookie field, does not exceed the 4K byte limit.
— FALSE — The custom security token is stored and maintained by a TokenManager in a CookieValue-to-ICEToken mapping table on the web server. In this case, CookieValue is used to retrieve the custom token.
Required: yesDefault value: FALSE
passwordForTokenEncryptKeyWhen bTokenAsCookie is TRUE, passwordForTokenEncryptKey specifies a string value that defines whether CookieValue is encrypted. The string can have one of two values:— Empty string — Specifies that CookieValue is not encrypted.— Non-empty string — Specifies that CookieValue is encrypted and provides the password that is
used to encrypt and decrypt CookieValue.Required: noDefault value: Udf@Pass#PhraseNote: When bTokenAsCookie is FALSE, passwordForTokenEncryptKey is invalid.
McAfee Cloud Identity Manager 3.5 Integration Guide 15
udfCookieDomainSpecifies the Domain field in the user-defined cookie.Required: noDefault value: “”
udfCookiePathSpecifies the Path field in the user-defined cookie.Required: noDefault value: /
udfCookieSecureSpecifies the Secure field in the user-defined cookie.Required: noDefault value: FALSE
tokenManagerWhen bTokenAsCookie is FALSE, the web server uses the TokenManager to maintain a CookieValue-to-ICEToken mapping table. CacheTokenManager is an implementation of TokenManager that uses the ASP.NET caching model for the custom token storage locally on the web server.Required: noDefault value: CacheTokenManagerNote: Specifying an empty string is the same as specifying CacheTokenManager.
2.4 Configuring your .NET Web ApplicationConfiguring the .NET web application for SSO and SLO includes the following steps:1. Create a webpage to handle authentication failure errors. The URL of this page has the same value
as the authenticationFailedUrl parameter that is specified in the <spClientConfig> section of the web.config file.
2. Add a logout button to the webpages. When the logout button is clicked, update the value of the varNameForSLO parameter to TRUE. The varNameForSLO parameter is specified in the <spClientConfig> section of the web.config file.
3. Start the web application and test the configuration of the SSO and SLO features.
Note: Before you can test the configuration of your .NET web application, you must configure the custom security token and authentication service in the Cloud Identity Manager Management Console. For more information, see the Cloud Identity Manager Administrator’s Guide.
16 McAfee Cloud Identity Manager 3.5 Integration Guide
3.0 Integrating Java-based Web Applications with Cloud Identity Manager
To configure SSO and SLO for a Java-based web application, you first integrate the application with Cloud Identity Manager. After integration is complete, you can configure SSO and SLO on the Cloud Identity Manager side in the Management Console. For more information, see the McAfee Cloud Identity Manager Product Guide.
There are two ways to integrate a Java-based web application with Cloud Identity Manager:• Java Integration SDK — Using the Java Integration SDK provided with Cloud Identity Manager, you
can write custom integration code.• Java Servlet Filter — You can deploy and configure the default Java Servlet filter provided with
Cloud Identity Manager. This approach does not require writing integration code. However, it does require that the Java-based web application is running on a Java Servlet container.
Note: The Cloud Identity Manager custom security token and authentication service are also referred to as the ICE token and authentication service.
3.1 Java Integration ToolkitTo help you integrate your Java-based web application, Cloud Identity Manager provides a toolkit. The toolkit, available after Cloud Identity Manager is installed on your platform, includes an SDK and API documentation which are located in the following directory:
<install_dir>/current/clientlib/Java/
<install_dir>Specifies the directory where Cloud Identity Manager is installed.
The SDK includes the following .jar files:• JavaE360Client.jar
• commons-lang-2.6.jar
• json_simple-1.1.jar
• bcprov-ext-jdk15-1.40.jar
The API documentation is available in the following .zip file:• JavaE360ClientSDK.zip
Note: The Java integration toolkit is available for all platforms supported by Cloud Identity Manager.
McAfee Cloud Identity Manager 3.5 Integration Guide 17
3.2 Java Integration SDKThe Java integration SDK includes the following three methods:
• redirectToSingleSignOnUrl — Redirects the current request to the Cloud Identity Manager SSO service URL with a service callback URL.
• redirectToServiceAfterSSO — Redirects the browser back to the original service after the Cloud Identity Manager SSO service completes.
• redirectToSingleLogoutUrl — Redirects the current request to the Cloud Identity Manager SLO service URL.
The Java integration SDK also includes utilities that check authentication response status and verify custom security tokens. For more information, see the API documentation.
3.3 Java Servlet FilterYou can use the Java Servlet filter provided with Cloud Identity Manager to integrate a Java-based web application that is running on a Java Servlet container. This approach requires the following steps:1. Copy all Java SDK libraries provided with Cloud Identity Manager to your web application’s library
folder:<web_app_resource_directory>/WEB-INF/lib
<web_app_resource_directory>Specifies the name of your web application’s resource directory.
2. Configure the web.xml file to enable the Java Servlet filter provided with Cloud Identity Manager. For more information, see the following sections:— 3.3.1 Sample web.xml File Configuration — Provides a sample web.xml file showing how to
enable the Java Servlet filter provided with Cloud Identity Manager.— 3.3.2 Java Servlet Filter Parameters — Provides a list of parameters to use when configuring the
web.xml file.
3.3.1 Sample web.xml File Configuration
The following code sample shows how to configure the web.xml file for the Java Servlet filter provided with Cloud Identity Manager.<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<display-name>SSO TestApp 1</display-name>
<filter>
<filter-name>ICE Client Filter</filter-name>
<filter-class> com.intel.e360.identityservice.E360AuthenticationFilter</filter-class>
18 McAfee Cloud Identity Manager 3.5 Integration Guide
<init-param>
<param-name>logLevel</param-name>
<param-value>FINEST</param-value>
</init-param>
<init-param>
<param-name>iceServerSSOUrl</param-name>
<param-value>https://127.0.0.1:8443/splat/identityservice/package/idpDEMO/iceauth/SSO?SpEntity=ICEAuth</param-value>
</init-param>
<init-param>
<param-name>iceServerSLOUrl</param-name>
<param-value>https://127.0.0.1:8443/splat/identityservice/package/idpDEMO/SLO?SpEntity=ICEAuth</param-value>
</init-param>
<init-param>
<param-name>authenticationFailedUrl</param-name>
<param-value>http://127.0.0.1:8080/TestApp1/LoginFailed</param-value>
</init-param>
<init-param>
<param-name>serviceLogoutRequestUrl</param-name>
<param-value>http://127.0.0.1:8080/TestApp1/logout.jsp</param-value>
</init-param>
<init-param>
<param-name>issuerForIceToken</param-name>
<param-value>https://127.0.0.1:8443/splat/identityservice</param-value>
</init-param>
<init-param>
<param-name>webAppAlias</param-name>
<param-value>TestApp1</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>ICE Client Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
McAfee Cloud Identity Manager 3.5 Integration Guide 19
3.3.2 Java Servlet Filter Parameters
Use the parameters in the following list to customize the web.xml file that enables the Java Servlet filter provided with Cloud Identity Manager.
logLevelSpecifies how much information to log.The values from highest to lowest are:— SEVERE— WARNING— INFO— CONFIG— FINE— FINER— FINEST
Note: In addition, the log level can be set to OFF or ALL.Required: no
iceServerSSOUrlSpecifies the URL of the Cloud Identity Manager SSO service.Note: This parameter is configured when Cloud Identity Manager is deployed.Required: yes
iceServerSLOUrlSpecifies the URL of the Cloud Identity Manager SLO service.Note: This parameter is configured when Cloud Identity Manager is deployed.Required: yes
serviceURLSpecifies the URL of the .NET Web application.Required: yes
authenticationFailedUrlSpecifies the URL of the webpage where users are redirected when an authentication failure error takes place.Required: yes
varNameForSLOSpecifies the name of an HTTP request parameter whose value is a string that indicates whether the current HTTP request is an SLO request. A value of TRUE indicates that the HTTP request is an SLO request. Any other value indicates that the HTTP request is not an SLO request.Required: yesDefault Value: logoutRequest
certificatePathForIceTokenSpecifies the location of the X.509 certificate file used to verify the custom security token.Required: yes
20 McAfee Cloud Identity Manager 3.5 Integration Guide
issuerForIceTokenSpecifies a string value for the custom security token issuer.Required: noDefault Value: “”
audienceForIceTokenSpecifies a string value for the custom security token audience.Required: noDefault Value: “”
LifeTimeForServerTokenSpecifies a maximum lifetime allowed for the custom session token.Required: yesDefault value: 600Units: secondsNote: The effective_time of the custom session token is equal to the creation_time minus the time value specified by the clockSkewForServerToken parameter. The expiration_time is set to the effective_time plus the value of the lifeTimeForServerToken. Subtracting the clockSkewForServerToken value from the creation_time extends the range of valid values for the effective_time and reduces the likelihood that the effective_time is too early by another computer’s clock.
clockSkewForServerTokenSpecifies a value to use when calculating the lifetime of the custom session token. This value is designed to offset small differences between clocks on different computer systems.Required: yesDefault Value: 10Units: seconds
udfCookieNameSpecifies the name of the user-defined cookie which is used by the web browser to identify and maintain the custom security token.Required: yesDefault value: IceCookie
bTokenAsCookieSpecifies whether the entire custom security token is used as the cookie value by the web browser and can have one of two values:— TRUE — The custom security token is stored and maintained by the web browser.
Note: When the custom token is stored and maintained by the web browser, the user must ensure that the length of the HTTP request header, including the cookie field, does not exceed the 4K byte limit.
— FALSE — The custom security token is stored and maintained by a TokenManager in a CookieValue-to-ICEToken mapping table on the web server. In this case, CookieValue is used to retrieve the custom token.
Required: yesDefault value: FALSE
McAfee Cloud Identity Manager 3.5 Integration Guide 21
passwordForTokenEncryptKeyWhen bTokenAsCookie is TRUE, passwordForTokenEncryptKey specifies a string value that defines whether CookieValue is encrypted. The string can have one of two values:— Empty string — Specifies that CookieValue is not encrypted.— Non-empty string — Specifies that CookieValue is encrypted and provides the password that is
used to encrypt and decrypt CookieValue.Required: noDefault value: Udf@Pass#PhraseNote: When bTokenAsCookie is FALSE, passwordForTokenEncryptKey is invalid.
udfCookieDomainSpecifies the Domain field in the user-defined cookie.Required: noDefault value: “”
udfCookiePathSpecifies the Path field in the user-defined cookie.Required: noDefault value: /
udfCookieSecureSpecifies the Secure field in the user-defined cookie.Required: noDefault value: FALSE
tokenManagerWhen bTokenAsCookie is FALSE, the web server uses the TokenManager to maintain a CookieValue-to-ICEToken mapping table. CacheTokenManager is an implementation of TokenManager that uses the ASP.NET caching model for the custom token storage locally on the web server.Required: noDefault value: CacheTokenManagerNote: Specifying an empty string is the same as specifying CacheTokenManager.
22 McAfee Cloud Identity Manager 3.5 Integration Guide
Order Number: 324999-011US[Revision A]