
Page 1: Access Everywhere Access Manager Interoperability

Access Anywhere! Access Manager™ Interoperability

Gaurav Vaidya, Specialist, Novell Inc.
[email protected]


© 2011 NetIQ Corporation. All rights reserved.

About Speaker

PAST: 10+ years in the IT industry (with Novell® for the past 8.5 years)

PRESENT: Specialist with the Corporate Interoperability Team (3+ years)

PUBLICATION: Has published 30+ technical articles in print media (Indian IT magazines)

TALKS: Has presented papers / tutorials at 3 international conferences.


Objectives of Session

• Overview of the different integration points of Access Manager™
• Learn how NAM can be integrated with self-service password management
• Learn how applications like GroupWise® and Vibe can be deployed behind Access Manager
• How to use SecretStore for shared secrets and SSO

Basically, learn interoperability configurations for Access Manager through a variety of use cases.


Beyond The Scope of This Session

• Interoperability of Access Manager™ is a vast topic; the following popular Access Manager interoperability use cases will not be discussed in this session:
‒ Integration with other Identity Providers (federation-related use cases)
‒ Interoperability with non-Novell® products like SharePoint, Citrix etc.
‒ Kerberos authentication or other custom authentication classes


Access Manager™ Interoperability Overview


Access Manager™ Integration Points: Features for Interoperability

(Diagram: request path Browser → Access Gateway → Web Server → Web page, with the Identity Provider and the LDAP Directory alongside; integration points 1 to 7 are marked along this path.)

Identity Provider:
* Password Servlet Config
* Config for Federation
* Shared Secrets

Access Gateway:
* Configure Rewriter
* Configure Protected Resources
* Identity Injection


Integration with Password Management


Self Service Password Management: About

Self-service password management solutions reduce helpdesk cost and provide convenience for end users. Access Manager™ provides capabilities to integrate with self-service password management solutions.

Novell®/NetIQ has two self-service password management solutions to offer:
• IDM Role Based Provisioning Module (User Application)
• Self Service Password Reset (SSPR)


Password Management Use Cases

• Following are probable self-service password management use cases with Access Manager™:
‒ User wants to pro-actively change the password.
‒ User has forgotten the password, OR the password is expired with NO grace logins remaining.
‒ User password is expired with grace logins remaining.


Configure SSPR with Access Manager™ – 1 of 5

Configuring the Password Expiration Servlet
Password expiration options can be configured per contract in the IDP configuration (Identity Server – Edit > Local > Contracts > [Contract Name] > Password Expiration Servlet).

Example URL for password expiration (for SSPR):
https://intranet.company.com/pwm/private/ChangePassword?passwordExpiration=true&forceAuth=TRUE&logoutURL=<RETURN_URL>

‒ passwordExpiration=true: force the password servlet to change the password
‒ forceAuth=TRUE: force users to re-authenticate
‒ logoutURL=<RETURN_URL>: where the user is sent on returning to the IDP

IDP URL parameters available to the servlet URL: USERID, STOREID, RETURN_URL
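The hand-off above can be exercised in code. The following Python is an added example, not code from the deck or from NetIQ: on the IDP side it expands the <USERID>, <STOREID> and <RETURN_URL> placeholders into the slide's example URL, and on the SSPR side it accepts logoutURL only when it points back to an allow-listed https host, so the parameter cannot be repurposed to send a user who has just changed their password to an arbitrary site. The allowed hosts, the user IDs and the /nidp/app return path are assumptions.

```python
"""Password-expiration servlet hand-off between the IDP and SSPR.
Added example; hosts, user IDs and the return path are assumptions."""
from urllib.parse import parse_qs, quote, urlsplit

# Template as shown on the slide; the IDP replaces <RETURN_URL> (and can also
# supply <USERID> and <STOREID>) before redirecting the browser to SSPR.
SERVLET_TEMPLATE = (
    "https://intranet.company.com/pwm/private/ChangePassword"
    "?passwordExpiration=true&forceAuth=TRUE&logoutURL=<RETURN_URL>"
)

# Assumed: the only hosts a post-change redirect may return the browser to.
ALLOWED_RETURN_HOSTS = {"intranet.company.com", "idp.company.com"}


def expand_template(template: str, userid: str, storeid: str, return_url: str) -> str:
    """IDP side: substitute the placeholders, percent-encoding every value.
    Encoding matters because the return URL carries its own '?', '&' and '=';
    left raw, they would split the servlet's own query string."""
    values = {"<USERID>": userid, "<STOREID>": storeid, "<RETURN_URL>": return_url}
    expanded = template
    for token, value in values.items():
        expanded = expanded.replace(token, quote(value, safe=""))
    return expanded


def safe_logout_url(request_url: str, fallback: str = "/pwm") -> tuple:
    """SSPR side: read logoutURL from the incoming request and accept it only if
    it is an absolute https URL whose host is allow-listed. Anything else (http,
    scheme-relative '//host', a lookalike host, userinfo tricks such as
    'https://good-host@evil') falls back to the local forward URL.
    Returns (url_to_redirect_to, accepted)."""
    query = parse_qs(urlsplit(request_url).query)
    candidate = query.get("logoutURL", [""])[0]
    parts = urlsplit(candidate)
    if parts.scheme == "https" and parts.hostname in ALLOWED_RETURN_HOSTS:
        return candidate, True
    return fallback, False


if __name__ == "__main__":
    url = expand_template(SERVLET_TEMPLATE, "gvaidya", "store1",
                          "https://idp.company.com/nidp/app?x=1&y=2")
    print(url)
    print(safe_logout_url(url))
    print(safe_logout_url(expand_template(
        SERVLET_TEMPLATE, "u", "s", "https://intranet.company.com@evil.example/")))
```

The fallback of "/pwm" mirrors the Forward URL setting used later in this deck; the check is deliberately an exact-host allow-list rather than a prefix match, so "intranet.company.com.evil.example" is rejected along with the userinfo variant.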


Configure SSPR with Access Manager™ – 2 of 5

Configuring the user interaction option
The option “Allow User Interaction” can be enabled on the page: (Identity Server – Edit > Local > Contracts > [Contract Name] > Allow User Interaction [checkbox]).


Configure SSPR with Access Manager™ – 3 of 5

Overview of SSPR Flow


Configure SSPR with Access Manager™ – 4 of 5

Configuring options on SSPR (Configuration → Value):

User Interface > Password Change Success Message → Custom message to notify users to re-login to their portal after a password change.

General > Forward URL → URL like "/pwm" to which the user is redirected after any operation except a password change.

General > Logout URL → NAM logout URL like intranet.company.com/AGLogout

General > Logout After Password Change → TRUE (recommended to keep this default setting to avoid the issues mentioned in the TIP above)


Configure SSPR with Access Manager™ – 5 of 5

Access Gateway configuration for SSPR
• Create a multi-homing resource for SSPR with the path “/pwm”
• Configure protected resources as follows (URL Path → Protected Resource Security Level):

/pwm/* → Public – Authentication: None
/pwm/private/* → Restricted – Authentication configured
/pwm/config/* → Restricted – Authentication configured (optional access policy)
/pwm/admin/* → Restricted – Authentication configured (optional access policy)

• Create an Identity Injection policy with Basic Auth headers for SSPR


GroupWise® with Access Manager™


Integrating GroupWise® Overview

(Diagram with three integration areas:)
• GroupWise® Web Access
• GroupWise Calendar Publishing
• GroupWise Client and Vibe Integration


GroupWise® With Access Manager™ – 1 of 5: Configure GroupWise for Access Manager

• Configure GroupWise to trust the Access Gateway by adding the IP of the Access Gateway in (GroupWise Domain Object → GroupWise WebAccess Object → Application → Security → Single Sign On)
• Configure simultaneous logout with Access Manager by configuring the path “/AGLogout” under the section “Logout URL”.
• Restart WebAccess on GroupWise.


GroupWise® With Access Manager™ – 2 of 5: GroupWise Calendar Publishing and Access Manager

Calendar Publishing:
1) The GroupWise system is enabled to publish calendars from ConsoleOne.
2) The user creates & publishes a calendar from the GroupWise client.
3) Anyone can access http(s)://host/gwcal/calendar

Access Manager – user actions:
(1) User accesses the webcal URL & authenticates to Access Manager (basic auth).
(2) User gets the Access Manager calendar page with Download & Subscribe links (webcal://<PublishedHost>/...).
(3) Clicking the Subscribe link opens the GroupWise client (8.0.0.5+).


GroupWise® With Access Manager™ – 3 of 5: Configure Access Manager Proxy Server for GroupWise

Access Manager Proxy Service:
(1) Multi-homing Path List → /gw & /gwcal
(2) TCP Connect Option > Data Read Timeout → 360 sec

Rewriter Config:
For /gwcal: character-type rewriter profile with all default settings except one Search/Replace:
Search = webcal://<internal Web Server Host Name>
Replace = webcal://<Published DNS Name>


GroupWise® With Access Manager™ – 4 of 5: Configure Access Manager Protected Resources

URL Path → Protected Resource Security Level

/gw/webacc/* & /gw/webacc?
Contract → Secure Name Password Form
Policy → Simple Identity Injection (LDAP / Password)

/gw/com/* & /gw/webaccess/*
Contract → None (Public)

/gw/webacc?User.context*
Contract → Secure Name Password Form
Non-Redirected Login → Enabled
Realm → Gwise
Redirect to Identity Server.... → Disabled
Policy → Simple Identity Injection (LDAP / Password)

/gwcal/*
Contract → Secure Name Password Form
Non-Redirected Login → Enabled
Realm → Gwise
Redirect to Identity Server.... → Disabled
Policy → None


GroupWise® With Access Manager™ – 5 of 5: GroupWise-Vibe Integration and Access Manager

Configure GroupWise:
The URL configured for the GroupWise client connection to Vibe in ConsoleOne must be set to the published DNS name of the configured Vibe proxy service. (GroupWise domain object → Tools → GroupWise Utilities → Client Options → Environment → Teaming tab)

Configure Vibe:
Teaming generates URLs based on the <schema> & <hostname> configured during initial configuration. These must match the scheme and hostname of the configured Access Manager proxy service. (Details in the Vibe section.)

Configure Access Manager:
The Access Manager configuration is the same as discussed in the Vibe section, except for an additional protected resource for the path /ssf/ws/TeamingServiceV1*. This is the path of the Teaming web service used by the GroupWise client.


Vibe (Teaming) with Access Manager™


Integrating Vibe Overview

Vibe URLs:
Typical browser URL is http(s)://<DNS>/teaming.
HTML content is located under the path /ssf, while WebDAV content is under /ssfs.

Integration considerations:
Various applications access Vibe data (files, docs etc.):
(1) Office applications through WebDAV
(2) Web Folders through WebDAV
(3) Integration with the GroupWise client


Vibe With Access Manager – 1 of 3: Configure Vibe settings

• While installing or “Reconfiguring Settings” in Teaming, the following must be configured:
‒ Access Gateway IP for allowing Identity Injection and access. (This may be a single IP, a comma-separated list or a wildcard IP address.)
‒ Access Gateway logout URL to enable simultaneous logout with the Access Gateway
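Both GroupWise WebAccess (slide 17) and Vibe (above) are told which Access Gateway addresses to trust for Identity Injection. The point of that setting is that injected credentials are only as trustworthy as the network path: a client that can reach the web server directly can send the same headers itself. The following Python is an added example, not code from the deck or from either product, of how a backend should consume such a setting: it parses the single-IP, comma-separated and wildcard forms the slide lists, and honours an injected Basic header only when the TCP peer is a trusted gateway. The addresses and credentials are constructed.

```python
"""Trusting Identity Injection only from the Access Gateway.
Added example; gateway addresses, users and passwords are constructed."""
import base64
import ipaddress
from typing import Optional


class TrustedGateways:
    """Parses the 'single IP, comma-separated list or wildcard IP' forms the
    slide describes, e.g. '10.0.0.5, 10.0.1.*', into exact and wildcard matchers."""

    def __init__(self, spec: str) -> None:
        self.exact = set()        # ipaddress objects for literal entries
        self.wildcards = []       # per-octet patterns, '*' matching any octet
        for item in (s.strip() for s in spec.split(",")):
            if not item:
                continue
            if "*" in item:
                octets = item.split(".")
                if len(octets) != 4 or any(o != "*" and not o.isdigit() for o in octets):
                    raise ValueError(f"bad wildcard address: {item!r}")
                self.wildcards.append(octets)
            else:
                self.exact.add(ipaddress.ip_address(item))  # rejects garbage early

    def contains(self, peer_ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(peer_ip)
        except ValueError:
            return False
        if addr in self.exact:
            return True
        if addr.version != 4:
            return False
        octets = str(addr).split(".")
        return any(all(p == "*" or p == o for p, o in zip(pattern, octets))
                   for pattern in self.wildcards)


def identity_from_request(trusted: TrustedGateways, peer_ip: str,
                          headers: dict) -> Optional[str]:
    """Backend side of Identity Injection: return the injected user name only
    when the request arrived from a trusted gateway. From any other peer the
    header is ignored entirely, so a direct client cannot spoof an identity."""
    if not trusted.contains(peer_ip):
        return None
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None


if __name__ == "__main__":
    gateways = TrustedGateways("10.0.0.5, 10.0.1.*")
    injected = {"Authorization": "Basic " + base64.b64encode(b"gvaidya:s3cret").decode()}
    print(identity_from_request(gateways, "10.0.0.5", injected))   # from the gateway
    print(identity_from_request(gateways, "192.0.2.9", injected))  # direct client
```

The peer address must be the real TCP source of the connection, not an X-Forwarded-For value, since that header is as spoofable as the injected one.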


Vibe With Access Manager – 2 of 3: Configure Access Manager Proxy Service

Access Manager Proxy Service:
(1) Multi-homing Path List → /ssf, /ssfs & /teaming
(2) TCP Connect Option > Data Read Timeout → 1200 sec

Rewriter Config:
(1) Configure the additional content type “application/rss+xml”
(2) Add the required value to the “Variable or Attribute Name to Search for is” list.
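The rewriter settings above (and the webcal:// Search/Replace on slide 19) exist because the gateway only rewrites response bodies whose content type it has been configured for: an RSS feed served as application/rss+xml would otherwise reach the client with the internal hostname still in it. The following Python is an added example, not the Access Gateway's rewriter: it applies literal Search/Replace pairs only to configured content types and reports whether any internal hostname survived, which is the check to run against a published feed before going live. The hostnames and the sample feed are constructed.

```python
"""Content-type gated rewriting with a leak check.
Added example; hostnames and the sample RSS body are constructed."""
import re


class Rewriter:
    def __init__(self, content_types, replacements):
        # Only bodies with one of these media types are touched; the slides add
        # application/rss+xml for Vibe precisely because a feed is not HTML.
        self.content_types = {c.strip().lower() for c in content_types}
        self.replacements = list(replacements)   # literal (search, replace) pairs

    def applies(self, content_type: str) -> bool:
        media_type = content_type.split(";", 1)[0].strip().lower()
        return media_type in self.content_types

    def rewrite(self, content_type: str, body: str):
        """Return (body, rewritten). Unconfigured types pass through untouched."""
        if not self.applies(content_type):
            return body, False
        out = body
        for search, replace in self.replacements:
            out = out.replace(search, replace)
        return out, out != body


def leaked_hosts(body: str, internal_hosts) -> list:
    """Internal hostnames still present in a response about to leave the gateway."""
    return sorted(h for h in internal_hosts
                  if re.search(r"\b" + re.escape(h) + r"\b", body))


# Constructed names standing in for <internal Web Server Host Name> and
# <Published DNS Name> from the GroupWise rewriter slide.
INTERNAL_HOST = "vibe-int.company.local"
PUBLISHED_HOST = "vibe.company.com"

# Constructed feed as Vibe might return it from /ssf/rss/*.
SAMPLE_RSS = (
    '<?xml version="1.0"?><rss><channel>'
    '<link>https://vibe-int.company.local/ssf/a/c/p_name/ss_forum</link>'
    '<item><link>https://vibe-int.company.local/ssf/rss/feed?x=1</link></item>'
    '</channel></rss>'
)


if __name__ == "__main__":
    pairs = [("https://" + INTERNAL_HOST, "https://" + PUBLISHED_HOST)]
    before = Rewriter(["text/html"], pairs)
    after = Rewriter(["text/html", "application/rss+xml"], pairs)
    for rw in (before, after):
        body, changed = rw.rewrite("application/rss+xml; charset=UTF-8", SAMPLE_RSS)
        print(changed, leaked_hosts(body, [INTERNAL_HOST]))
```

The same gate explains the Data Synchronizer slide later in the deck, where “text/x-js” has to be added before its URLs get rewritten.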


Vibe With Access Manager – 3 of 3: Protected Resource Configuration

URL Path → Protected Resource Security Level

/ssf/* & /teaming/*
Contract → Secure Name Password Form
Policy → Identity Injection (LDAP Name / Password)

/ssf/ws/*
Contract → Name Password - Basic
Non-Redirected Login → Enabled
Realm → Teaming
Redirect to Identity Server.... → Disabled
Policy → Identity Injection (LDAP Name / Password)

/ssfs/* (WebDAV), /ssf/rss/* (RSS reader), /ssf/atom/* (Atom), /ssf/ical/* (iCal)
Contract → Secure Name Password Form
Non-Redirected Login → Enabled
Realm → Teaming
Redirect to Identity Server.... → Disabled
Policy → Simple Identity Injection (LDAP / Password)

/ssf/css/*, /ssf/ext/*, /ssf/help/*, /ssf/help_doc/*, /ssf/i/*, /ssf/images/*, /ssf/js/*, /ssf/themes/*
Contract → None (Public)
Policy → None
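The three protected-resource tables in this deck (SSPR, GroupWise and Vibe) follow one pattern: a public default, a restricted pattern that must take precedence over it, and either a redirecting form login or a non-redirected Basic challenge for non-browser clients, with Identity Injection layered on top. The following Python is an added example, not Access Gateway code, that models that evaluation so a table can be sanity-checked before it is typed into the console: patterns use the slides' '*' wildcard, the most specific match wins (the precedence rule assumed here; NAM's actual matching is not reproduced), and a path that matches nothing is denied. Usernames and passwords are constructed.

```python
"""Evaluating NAM-style protected resources against request paths.
Added example; the precedence rule and the sample credentials are assumptions."""
import base64
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProtectedResource:
    pattern: str                   # URL path as on the slides; '*' matches any run of characters
    contract: Optional[str]        # None = public (no authentication)
    inject: bool = False           # Identity Injection as an Authorization: Basic header
    non_redirected: bool = False   # answer 401 + realm instead of redirecting to the IDP
    realm: str = ""

    def matches(self, path: str) -> bool:
        # Everything except '*' is literal, so the '?' in '/gw/webacc?User.context*'
        # matches a real query string rather than acting as a wildcard.
        regex = ".*".join(re.escape(part) for part in self.pattern.split("*"))
        return re.fullmatch(regex, path) is not None

    @property
    def specificity(self) -> int:
        # More literal text = more specific: /pwm/private/* beats /pwm/*
        return len(self.pattern.replace("*", ""))


def select_resource(resources, path: str) -> Optional[ProtectedResource]:
    hits = [r for r in resources if r.matches(path)]
    return max(hits, key=lambda r: r.specificity) if hits else None


def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decide(resources, path: str, session: Optional[dict] = None) -> dict:
    """Gateway action for one request: 'forward' (with any injected headers),
    'redirect_login', 'challenge_basic' (with the realm) or 'deny'."""
    res = select_resource(resources, path)
    if res is None:
        return {"action": "deny"}
    if res.contract is None:
        return {"action": "forward", "headers": {}}
    if session is None:
        if res.non_redirected:
            return {"action": "challenge_basic", "realm": res.realm}
        return {"action": "redirect_login", "contract": res.contract}
    headers = {}
    if res.inject:
        headers["Authorization"] = basic_header(session["user"], session["password"])
    return {"action": "forward", "headers": headers}


# Rows transcribed from the SSPR and GroupWise tables on the slides.
RESOURCES = [
    ProtectedResource("/pwm/*", None),
    ProtectedResource("/pwm/private/*", "Secure Name Password Form", inject=True),
    ProtectedResource("/gw/webacc/*", "Secure Name Password Form", inject=True),
    ProtectedResource("/gw/com/*", None),
    ProtectedResource("/gw/webacc?User.context*", "Secure Name Password Form",
                      inject=True, non_redirected=True, realm="Gwise"),
    ProtectedResource("/gwcal/*", "Secure Name Password Form",
                      non_redirected=True, realm="Gwise"),
]


if __name__ == "__main__":
    session = {"user": "gvaidya", "password": "s3cret"}   # constructed
    for path in ("/pwm/index.jsp", "/pwm/private/ChangePassword",
                 "/gw/webacc?User.context=abc", "/gwcal/calendar", "/other"):
        print(path, "->", decide(RESOURCES, path, session))
```

Running the unauthenticated cases is the useful part: a path that falls through to the public /pwm/* row when you expected /pwm/private/* to catch it shows up immediately as a 'forward' with no headers.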


Access Manager™, Vibe and e-mails: Vibe URLs in mail notifications through Access Manager™

• There are 3 different options for generating mail through Vibe which require attention during Access Manager™ integration:
‒ "Send E-Mail" – from the "E-mail Contributors..." link on the entry view
‒ "Share this Folder..." or "Share this Workspace..."
‒ E-mail notification – this can be set up on a folder or on individual entries via subscription


Integrating with Secret Store and NSL


Use Cases For Shared Secrets

• Following are probable use cases for configuring shared secrets with Access Manager™:
‒ The HTML form has fields apart from username and password.
‒ The web server requires some name/value pair to be injected in a header.
‒ There is a need to share SSO credentials between NSL and Access Manager.


Access Manager™ Shared Secrets

• Access Manager supports creating and using secrets:
‒ In the local configuration store
‒ In eDirectory™ user stores that are running SecretStore
‒ In a user store that has been configured with a custom attribute for secrets


Configuring Shared Secrets: Configuring Access Manager to use Shared Secrets

• Enable the user store with the “Use SSL” option.
• Go to “Devices → Identity Server → edit → Liberty → Web Service Providers” and click “Credential Profile”.
• Depending on where the secret is to be stored, configure the “Extended Schema” or “Secret Store” User Store References.
• Create a new shared secret entry – specify the entry name and the shared secret name.

Notes:
‒ In the case of SecretStore, the secret name should match an already configured name/value pair.


Access Manager™ and Data Synchronizer


Data Synchronizer and Access Manager™ Overview

(Diagram: Mobile Device (ActiveSync) and browser → Internet → NAM Access Gateway (AG) → Data Sync Web Admin, Data Sync Engine and Mobility Connector.)

Request from browser: https://www.mynam.com/datasync/
→ Request to Web Admin: https://<webadmin.ip.addr>:8120/

Request from mobile device: https://www.mynam.com/Microsoft-Server-ActiveSync?..
→ Request to Mobility Connector: https://<mobility.ip.addr>/Microsoft-Server-ActiveSync?..


Configuring Access Manager™ for Data Synchronizer

Configure ActiveSync:
Configure a basic path-based multi-homing service with the path /Microsoft-Server-ActiveSync

Configure Web Admin:
Web Admin uses 5 different paths in its web application: /login, /admin, /post, /style, /common. A custom rewriter profile is required with (1) the additional content type “text/x-js” and (2) replacement of /post & /admin with $path.

Configure Protected Resources:
(1) Secure /login, /admin, /post with a secure contract
(2) Keep /common & /style public


Summary and Recap


Summary/Recap

Three basic configurations for integrating applications
‒ Multi-homing host and Rewriter
‒ Single Sign On
‒ Simultaneous Logout and Session Timeout

Integrating Password Management
‒ Expired password servlet
‒ Action after password change

Shared Secrets
‒ Additional attributes
‒ Share SSO credentials with NSL


Thank you.


Questions and Answers


+1 713.548.1700 (Worldwide) | 888.323.6768 (Toll-free) | [email protected]

Worldwide Headquarters: 1233 West Loop South, Suite 810, Houston, TX 77027 USA

http://community.netiq.com


This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.

Copyright © 2011 NetIQ Corporation. All rights reserved.

ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States.