
Access Anywhere!

Access Manager Interoperability

Gaurav Vaidya
Specialist, Novell Inc. gvaidya@novell.com

About Speaker
PAST
10+ years in the IT industry (with Novell for the past 8.5 years)

PRESENT
Specialist with Corporate Interoperability Team (3+ years)

PUBLICATION
Have published 30+ technical articles in Print media (Indian

TALKS
Have presented papers / tutorials in 3 International

2011 NetIQ Corporation. All rights reserved.

Objectives of Session

Overview of different integration points of Access Manager

Learn how NAM can be integrated with self service Password Management

Learn how applications like GroupWise and Vibe can be deployed with Access Manager

How to use SecretStore for Shared Secrets and SSO

In short: learn interoperability configurations for Access Manager through a variety of use cases.

Beyond The Scope of This Session

Interoperability of Access Manager is a vast topic; the following popular Access Manager interoperability use cases will not be discussed in this session:

Integration with other Identity Provider (federation related use cases)

Interoperability with non-Novell products like SharePoint, Citrix etc.

Kerberos authentication or other custom authentication classes.

Access Manager Interoperability

Overview

Access Manager Integration Points

[Diagram: Browser to Access Gateway to Web Server (web page), with the Identity Provider backed by an LDAP Directory. The numbered request steps 1 to 7 of the original figure are not recoverable from the extracted text.]

Features for Interoperability (called out in the diagram):

Identity Provider: Password Servlet Config, Config for Federation, Shared Secrets

Access Gateway: Configure Rewriter, Configure Protected Resources, Identity Injection (towards the Web Server)

Integration with Password Management

Self Service Password Management


About

Self-service password management solutions reduce helpdesk cost and provide convenience for end users. Access Manager provides capabilities to integrate with self-service password management solutions.

Novell / NetIQ has two self-service password management solutions to offer:

IDM Role Based Provisioning Module (User Application )

Self Service Password Reset (SSPR)


Password Management Use Cases

The following are likely self-service password management use cases with Access Manager:

The user wants to proactively change the password.

The user has forgotten the password, or the password has expired with no grace logins remaining.

The user's password has expired with grace logins remaining.

Configure SSPR with Access Manager


1 of 5

Configuring Password Expiration Servlet: password expiration options can be configured per contract in the IDP configuration
(Identity Server > Edit > Local > Contracts > [Contract Name] > Password Expiration Servlet).

Example URL for password expiration (for SSPR):

https://intranet.company.com/pwm/private/ChangePassword?passwordExpiration=true&forceAuth=TRUE&logoutURL=<RETURN_URL>

Slide callouts on this URL:

Force users to re-authenticate on returning to the IDP (forceAuth=TRUE).

IDP URL parameters available for substitution: USERID, STOREID, RETURN_URL.

Force the password servlet to change the password (passwordExpiration=true).
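The example URL above embeds one URL (the IDP return URL) inside another, so the value of logoutURL has to be percent-encoded or the return URL's own query string is split into separate parameters. The following is an added example, not code from the slides or from NetIQ/SSPR; it builds the servlet URL with the three parameters shown, parses it back, and checks that the return URL survives intact. The servlet base is the one on the slide; SAMPLE_RETURN_URL is a constructed stand-in for whatever the IDP substitutes for <RETURN_URL>.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qs

# Servlet base from the slide; the return URL is a constructed stand-in for the
# value the IDP substitutes for <RETURN_URL>. It carries its own query string,
# which is exactly what makes the encoding matter.
SSPR_CHANGE_PASSWORD = "https://intranet.company.com/pwm/private/ChangePassword"
SAMPLE_RETURN_URL = "https://idp.example.test/nidp/app?sid=0&target=%2Fgw%2Fwebacc"


def build_expiration_url(servlet_base, return_url, force_auth=True):
    """Build the password expiration servlet URL with the parameters the slide
    shows. logoutURL is percent-encoded so the '&' and '=' characters inside the
    return URL remain part of that single value."""
    params = {
        "passwordExpiration": "true",                    # forced password change
        "forceAuth": "TRUE" if force_auth else "FALSE",  # re-authenticate the user
        "logoutURL": return_url,                         # where SSPR sends the user afterwards
    }
    scheme, netloc, path, _, _ = urlsplit(servlet_base)
    return urlunsplit((scheme, netloc, path, urlencode(params), ""))


def naive_expiration_url(servlet_base, return_url):
    """The string-concatenation version that leaves <RETURN_URL> unencoded."""
    return servlet_base + "?passwordExpiration=true&forceAuth=TRUE&logoutURL=" + return_url


def parse_servlet_params(url):
    """Return the query parameters of a servlet URL as a flat dict (first value wins)."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def check_expiration_url(url, expected_return_url):
    """Validate a configured servlet URL: the forced-change and re-auth flags must
    be present and the return URL must round-trip unchanged. Returns a list of
    problems; an empty list means the URL is sound."""
    params = parse_servlet_params(url)
    problems = []
    if params.get("passwordExpiration", "").lower() != "true":
        problems.append("passwordExpiration is not true")
    if params.get("forceAuth", "").upper() != "TRUE":
        problems.append("forceAuth is not TRUE")
    if params.get("logoutURL") != expected_return_url:
        problems.append("logoutURL was truncated or altered: %r" % params.get("logoutURL"))
    return problems


if __name__ == "__main__":
    good = build_expiration_url(SSPR_CHANGE_PASSWORD, SAMPLE_RETURN_URL)
    bad = naive_expiration_url(SSPR_CHANGE_PASSWORD, SAMPLE_RETURN_URL)
    print(good)
    print("encoded:", check_expiration_url(good, SAMPLE_RETURN_URL))
    print("naive:  ", check_expiration_url(bad, SAMPLE_RETURN_URL))
```

With the naive concatenation the parsed logoutURL stops at the first '&' of the return URL, so the user is sent to a truncated address after changing the password; the encoded form keeps the full value.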

Configure SSPR with Access Manager


2 of 5

Configuring the user interaction option: the option Allow User Interaction can be enabled on the page
(Identity Server > Edit > Local > Contracts > [Contract Name] > Allow User Interaction [checkbox]).

Configure SSPR with Access Manager


3 of 5

Overview of SSPR Flow


Configure SSPR with Access Manager


4 of 5

Configuring Options on SSPR

Configuration: User Interface > Password Change Success Message
Value: Custom message to notify users about re-login to their portal after password change.

Configuration: General > Forward URL
Value: URL like "/pwm" where the user will be redirected after any operation except password change.

Configuration: General > Logout URL
Value: NAM logout URL like intranet.company.com/AGLogout

Configuration: General > Logout After Password Change
Value: TRUE (recommended to keep this default setting to avoid the issues mentioned in the above TIP)

Configure SSPR with Access Manager


5 of 5

Access Gateway configuration for SSPR

Create a multi-homing resource for SSPR with path /pwm and configure the protected resources as follows:

URL Path: /pwm/*
Protected Resource - Security Level: Public (authentication is None)

URL Path: /pwm/private/*
Protected Resource - Security Level: Restricted (authentication configured)

URL Path: /pwm/config/*
Protected Resource - Security Level: Restricted (authentication configured, optional access policy)

URL Path: /pwm/admin/*
Protected Resource - Security Level: Restricted (authentication configured, optional access policy)

Create an Identity Injection policy with basic auth headers for SSPR.

GroupWise with Access Manager

Integrating GroupWise Overview

GroupWise Web Access

GroupWise Calendar Publishing

GroupWise Client and Vibe Integration


GroupWise With Access Manager -1of 5


Configure GroupWise for Access Manager

Configure GroupWise to trust the Access Gateway by adding the IP of the Access Gateway in (GroupWise Domain Object > GroupWiseWebAccess Object > Application > Security > Single Sign On).

Configure simultaneous logout with Access Manager by configuring the path /AGLogout under the Logout URL section. Restart WebAccess on GroupWise.

GroupWise With Access Manager -2 of 5


GroupWise Calendar Publishing and Access Manager

Calendar Publishing:

1) The GroupWise system is enabled to publish calendars from ConsoleOne.
2) The user creates and publishes a calendar from the GroupWise client.
3) Anyone can access http(s)://host/gwcal/calendar

Access Manager User Actions:

(1) The user accesses the webcal URL and authenticates to Access Manager with basic auth.
(2) The user gets the Access Manager calendar page with Download and Subscribe links (webcal://<PublishedHost>/...).
(3) Clicking the Subscribe link opens the GroupWise client (8.0.0.5+).

GroupWise With Access Manager -3 of 5


Configure Access Manager Proxy Server for GroupWise

Access Manager Proxy Service:

(1) Multi-homing Path List: /gw & /gwcal
(2) TCP Connect Option > Data Read Timeout: 360 sec

Rewriter Config:

For /gwcal: character-type rewriter profile with all default settings except one Search/Replace entry:
Search = webcal://<internal Web Server Host Name>
Replace = webcal://<Published DNS Name>

GroupWise With Access Manager - 4 of 5


Configure Access Manager Protected Resources

URL Path: /gw/webacc/* & /gw/webacc?
Protected Resource - Security Level: Contract: Secure Name Password Form; Policy: Simple Identity Injection (LDAP / Password)

URL Path: /gw/com/* & /gw/webaccess/*
Protected Resource - Security Level: Contract: None (Public)

URL Path: /gw/webacc?User.context*
Protected Resource - Security Level: Contract: Secure Name Password Form; Non-Redirected Login: Enabled; Realm: Gwise; Redirect to Identity Server: Disabled; Policy: Simple Identity Injection (LDAP / Password)

URL Path: /gwcal/*
Protected Resource - Security Level: Contract: Secure Name Password Form; Non-Redirected Login: Enabled; Realm: Gwise; Redirect to Identity Server: Disabled; Policy: None
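The protected-resource table above is easiest to reason about as a lookup: for a given request target, which pattern applies, and does that resource carry an Identity Injection policy (so the backend receives credentials) or not. The following is an added example, not code from the slides or from NetIQ; it transcribes the GroupWise rows and resolves sample request targets against them. The matching rule is an assumption: '*' matches any run of characters, everything else (including the trailing '?') is literal, and when several patterns match the one with the longest literal part wins. The slides do not state how the product itself matches or prioritises patterns, so treat the precedence as a model to check a configuration against, not as product behaviour.

```python
import re

# Protected resources transcribed from the GroupWise slide: URL path pattern and
# the security settings applied to it. None means "no contract / no policy".
PUBLIC = {"contract": None, "policy": None, "non_redirected_login": False, "realm": None}
FORM_WITH_INJECTION = {"contract": "Secure Name Password Form",
                       "policy": "Simple Identity Injection (LDAP / Password)",
                       "non_redirected_login": False, "realm": None}
GROUPWISE_RESOURCES = [
    ("/gw/webacc/*", FORM_WITH_INJECTION),
    ("/gw/webacc?", FORM_WITH_INJECTION),
    ("/gw/com/*", PUBLIC),
    ("/gw/webaccess/*", PUBLIC),
    ("/gw/webacc?User.context*", {**FORM_WITH_INJECTION,
                                  "non_redirected_login": True, "realm": "Gwise"}),
    ("/gwcal/*", {"contract": "Secure Name Password Form", "policy": None,
                  "non_redirected_login": True, "realm": "Gwise"}),
]


def pattern_to_regex(pattern):
    """'*' matches any run of characters; everything else ('?' and '.' included)
    is literal. Assumed matching rule, not a statement about the product."""
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")


def matching_patterns(target):
    """Every configured pattern that matches the request target (path plus query)."""
    return [p for p, _ in GROUPWISE_RESOURCES if pattern_to_regex(p).match(target)]


def resolve(target):
    """Settings for a request target. When several patterns match, the one with
    the longest literal part wins (assumed precedence). None if nothing matches."""
    matches = matching_patterns(target)
    if not matches:
        return None
    best = max(matches, key=lambda p: len(p.replace("*", "")))
    return {**dict(GROUPWISE_RESOURCES)[best], "pattern": best}


def injects_identity(target):
    """True when the matched resource carries an Identity Injection policy,
    i.e. the backend will receive credentials for this request."""
    settings = resolve(target)
    return bool(settings and settings["policy"])


def unmatched(targets):
    """Request targets no protected resource covers; worth reviewing, since the
    table gives them neither a contract nor a policy."""
    return [t for t in targets if resolve(t) is None]


if __name__ == "__main__":
    # Constructed sample request targets, one per row of the table plus a stray.
    for t in ["/gw/webacc/", "/gw/webacc?", "/gw/com/logo.gif", "/gw/webaccess/index.html",
              "/gw/webacc?User.context=abc123&action=Item.Read", "/gwcal/calendar", "/gw/other"]:
        print(t, "->", resolve(t))
```

Running it shows the split the table intends: the WebAccess pages and the User.context requests get credentials injected, the static /gw/com and /gw/webaccess content stays public, and /gwcal is authenticated (non-redirected, realm Gwise) but receives no injected identity.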

GroupWise With Access Manager -5 of 5


GroupWise-Vibe Integration and Access Manager

Configure GroupWise:

The URL configured for the GroupWise client connection to Vibe in ConsoleOne must be set to the published DNS name of the configured Vibe proxy service (GroupWise domain object > Tools > GroupWise Utilities > Client Options > Environment > Teaming tab).

Configure Vibe:

Teaming generates URLs based on the <scheme> and <hostname> configured during initial configuration. These must match the scheme and hostname of the configured Access Manager proxy service (details in the Vibe section).

Configure Access Manager:

The Access Manager configuration is the same as discussed in the Vibe section, except for an additional protected resource for the path /ssf/ws/TeamingServiceV1*. This is the path of the Teaming web service used by the GroupWise client.

Vibe (Teaming) with Access Manager

Integrating Vibe Overview

The typical browser URL is http(s)://<DNS>/teaming. Vibe HTML content is located under the path /ssf, while WebDAV content is under /ssfs.

Integration Considerations

Various applications access Vibe data (files, docs etc.):

(1) Office applications through WebDAV
(2) Web Folders through WebDAV
(3) Integration with the GroupWise client

Vibe With Access Manager - 1 of 3


Configure Vibe settings

While installing or reconfiguring settings in Teaming, the following must be configured:

Access Gateway IP, to allow Identity Injection and access (this may be a single IP, a comma-separated list or a wildcard IP address).

Access Gateway logout URL, to enable simultaneous logout with the Access Gateway.
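The "Access Gateway IP" setting above (and the equivalent GroupWise Single Sign On trust setting) is what stops an injected identity header from being honoured when it arrives from anywhere other than the gateway. The following is an added example, not code from the slides or from Vibe or NetIQ; it shows the check a backend needs before acting on an injected Authorization: Basic header, using the three forms the slide lists for the setting. The setting value, host addresses and credentials are constructed; wildcard entries are matched with fnmatch semantics, which is an assumption about the syntax rather than a description of how Vibe parses it.

```python
import base64
import binascii
from fnmatch import fnmatchcase

# Constructed sample value of the "Access Gateway IP" setting described on the
# slide: a single IP, a comma-separated list, or a wildcard address.
SAMPLE_TRUSTED_SETTING = "10.10.1.5, 10.10.2.*"


def parse_trusted_gateways(setting):
    """Split the setting into individual entries (exact IPs or '*' wildcards)."""
    return [entry.strip() for entry in setting.split(",") if entry.strip()]


def is_trusted_gateway(client_ip, trusted):
    """True when the connecting address matches one configured entry. Entries
    are compared as dotted strings; '*' matches any run of characters."""
    return any(fnmatchcase(client_ip, entry) for entry in trusted)


def accept_injected_identity(client_ip, headers, trusted):
    """Return the username carried in an injected 'Authorization: Basic' header,
    but only if the request came from a trusted Access Gateway. Requests from
    anywhere else get None, so the header cannot be used to impersonate users."""
    if not is_trusted_gateway(client_ip, trusted):
        return None
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, _password = decoded.partition(":")
    return username if sep and username else None


def basic_header(username, password):
    """The header an Identity Injection policy with basic auth headers sends
    (constructed here for the demonstration)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


if __name__ == "__main__":
    trusted = parse_trusted_gateways(SAMPLE_TRUSTED_SETTING)
    hdr = basic_header("jdoe", "constructed-password")
    print(accept_injected_identity("10.10.2.44", hdr, trusted))   # jdoe
    print(accept_injected_identity("192.0.2.9", hdr, trusted))    # None
```

The same request carrying the same header yields an identity from the gateway's address and nothing from any other address, which is the property the trust setting exists to enforce; a malformed or non-Basic header is likewise ignored rather than partially parsed.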

Vibe With Access Manager - 2 of 3


Configure Access Manager Proxy Service

Access Manager Proxy Service:

(1) Multi-homing Path List: /ssf, /ssfs & /teaming
(2) TCP Connect Option > Data Read Timeout: 1200 sec

Rewriter Config:

(1) Configure the additional content type application/rss+xml.
(2) Under Variable or Attribute Name to Search for, add the value List.
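Both rewriter instructions on this deck (the webcal:// Search/Replace for /gwcal, and adding application/rss+xml here) come down to one mechanism: the rewriter only touches response bodies whose content type is in the profile, and for those it substitutes internal references with published ones. The following is an added example, not code from the slides or from NetIQ; it models that behaviour so the effect of forgetting the content type is visible. The internal and published host names, the starting set of content types and the sample RSS and HTML bodies are constructed; the product's real default content-type list is not given on the slides.

```python
# Constructed rewriter profile. The content types a default profile processes are
# not listed on the slides, so this starts from a minimal set; the Vibe slide's
# instruction then adds application/rss+xml. Replacements mirror the slides: the
# /gwcal webcal:// entry plus the usual internal-to-published host substitution.
INTERNAL_HOST = "vibe-internal.company.local"   # constructed internal web server name
PUBLISHED_HOST = "vibe.company.com"             # constructed published DNS name


def make_profile(content_types, replacements):
    """A character-type rewriter profile: which media types to scan, and the
    ordered Search/Replace pairs to apply to them."""
    return {"content_types": set(content_types), "replacements": list(replacements)}


DEFAULT_REPLACEMENTS = [
    ("https://" + INTERNAL_HOST, "https://" + PUBLISHED_HOST),
    ("http://" + INTERNAL_HOST, "https://" + PUBLISHED_HOST),
    ("webcal://" + INTERNAL_HOST, "webcal://" + PUBLISHED_HOST),   # the /gwcal entry
]
PROFILE_WITHOUT_RSS = make_profile({"text/html", "text/css", "text/javascript"},
                                   DEFAULT_REPLACEMENTS)
PROFILE_WITH_RSS = make_profile(PROFILE_WITHOUT_RSS["content_types"] | {"application/rss+xml"},
                                DEFAULT_REPLACEMENTS)


def media_type(content_type_header):
    """'application/rss+xml; charset=UTF-8' -> 'application/rss+xml'."""
    return content_type_header.split(";", 1)[0].strip().lower()


def rewrite_response(body, content_type_header, profile):
    """Only bodies whose media type is in the profile are rewritten; for those,
    every search string is replaced with its published counterpart."""
    if media_type(content_type_header) not in profile["content_types"]:
        return body
    for search, replace in profile["replacements"]:
        body = body.replace(search, replace)
    return body


def leaked_internal_references(body):
    """Number of internal host references still present after rewriting; anything
    above zero means a client would be pointed at an unreachable internal name."""
    return body.count(INTERNAL_HOST)


# Constructed sample responses: an RSS feed and a calendar subscribe link.
SAMPLE_RSS = ("<rss><channel><item><link>https://" + INTERNAL_HOST +
              "/ssf/rss/feed?entry=42</link></item></channel></rss>")
SAMPLE_HTML = '<a href="webcal://' + INTERNAL_HOST + '/gwcal/calendar/user.ics">Subscribe</a>'

if __name__ == "__main__":
    ct = "application/rss+xml; charset=UTF-8"
    print("without rss type:", leaked_internal_references(rewrite_response(SAMPLE_RSS, ct, PROFILE_WITHOUT_RSS)))
    print("with rss type:   ", leaked_internal_references(rewrite_response(SAMPLE_RSS, ct, PROFILE_WITH_RSS)))
    print(rewrite_response(SAMPLE_HTML, "text/html", PROFILE_WITH_RSS))
```

The RSS body passes through untouched until application/rss+xml is part of the profile, which is why the slide calls for adding it; the webcal link in the HTML body is rewritten by the same pass, which is what the /gwcal Search/Replace entry achieves for GroupWise calendar publishing.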

Vibe With Access Manager - 3 of 3


Protected Resource Configuration

URL Path (groups as listed on the slide):

/ssf/* & /teaming/*
/ssf/ws/*
/ssfs/* (WebDAV)
/ssf/rss/* (RSS reader), /ssf/atom/* (atom), /ssf/ical/* (ical)
/ssf/css/*, /ssf/ext/*, /ssf/help/*, /ssf/help_doc/*, /ssf/i/*, /ssf/images/*, /ssf/js/*, /ssf/themes/*

Protected Resource - Security Level (as listed on the slide):

Contract: Secure Name Password Form; Policy: Identity Injection (LDAP Name / Password)
Contract: Name Password - Basic; Non-Redirected Login: Enabled; Realm: Teaming; Redirect to Identity Server: Disabled; Policy: Identity Injection (LDAP Name / Password)
Contract: Secure Name Password Form; Non-Redirected Login: Enabled; Realm: Teaming; Redirect to Identity Server: Disabled; Policy: Simple Identity Injection (LDAP / Password)
Contract: None (Public); Policy: None

Access Manager , Vibe and eMails

Vibe URL in mail notifications through Access Manager

There are three different options to generate mail through Vibe which require attention during Access Manager integration:

"Send E-Mail" from the "E-mail Contributors..." link on the entry view
"Share this Folder..." or "Share this Workspace..."
E-mail notification, which can be set up on a folder or on individual entries via subscription

Integrating with Secret Store and NSL

Use Cases For Shared Secret

The following are likely use cases for configuring Shared Secrets with Access Manager:

The HTML form has fields apart from username and password.

The web server requires some name/value pair to be injected in a header.

There is a need to share SSO credentials between NSL and Access Manager.

Access Manager Shared Secrets

Access Manager supports creating and using secrets through:

The local configuration store

eDirectory user stores that are running SecretStore

A user store that has been configured with a custom attribute for secrets

Configuring Shared Secrets


Configuring Access Manager to use Shared Secrets

(1) Enable the user store with the Use SSL option.
(2) Go to Devices > Identity Server > Edit > Liberty > Web Service Providers and click Credential Profile.
(3) Depending on where the secret is to be stored, configure Extended Schema or Secret Store User Store References.
(4) Create a new shared secret entry, specifying the entry name and the shared secret name.

Notes:

In the case of SecretStore, the secret name should match an already configured name/value pair.

Access Manager and Data Synchronizer

Data Synchronizer and Access Manager

Overview

[Diagram: request flows from the Internet through NAM (Access Gateway) to the Data Synchronizer components]

Request from browser to NAM: https://www.mynam.com/datasync/
Request from NAM to Data Sync Web Admin: https://<webadmin.ip.addr>:8120/
Request from mobile device (ActiveSync) to NAM: https://www.mynam.com/Microsoft-Active-Sync?..
Request from NAM to Mobility Connector: https://<mobility.ip.addr>/Microsoft-Active-Sync?..

Components: NAM Access Gateway, Data Sync Web Admin, Mobility Connector, Data Sync Engine.

Configuring Access Manager for Data Synchronizer

Configure ActiveSync:

Configure a basic path-based multi-homing service with path /Microsoft-Server-ActiveSync.

Configure Web Admin:

Web Admin uses 5 different paths in its web application: /login, /admin, /post, /style, /common. A custom rewriter profile is required with (1) the additional content type text/x-js and (2) replacing /post & /admin with $path.

Configure Protected Resource:

(1) Secure /login, /admin, /post with a secure contract.
(2) Keep /common & /style public.

Summary and Recap

Summary/Recap

Three basic configurations for integrating applications:

Multi-homing host and Rewriter
Single Sign On
Simultaneous Logout and Session Timeout

Integrating Password Management:

Expired password servlet
Action after password change

Shared Secrets:

Additional attributes
Share SSO credential with NSL

Questions and Answers

Thank you.


Worldwide Headquarters 1233 West Loop South Suite 810 Houston, TX 77027 USA

+1 713.548.1700 (Worldwide) 888.323.6768 (Toll-free) info@netiq.com NetIQ.com

http://community.netiq.com
