2.4.9 Configuring the Advanced Authentication Server

To integrate NetIQ Advanced Authentication with Access Manager, you must configure the Advanced Authentication server details in Access Manager.

For step-by-step details for integrating Access Manager with Advanced Authentication, see Multi-Factor Authentication Using Advanced Authentication.

Perform the following steps to configure Advanced Authentication server:

  1. Click Devices > Identity Servers > Shared Settings > Advanced Authentication.

  2. Specify the following details:

    Field

    Description

    Server Domain

    Specify the scheme, domain name or IP address, and port of the Advanced Authentication server.

    Tenant Name

    Specify the name of the tenant that you want to use.

    This field populates the TOP tenant of Advanced Authentication by default. You can specify another tenant name that you want to use.

    NOTE:When using the Plug-in-based methods, skip to Step 5.

  3. (Required only for OAuth-based approach) Select Integrate using OAuth under OAuth Event Configuration.

  4. (Required only for OAuth-based approach) Specify the following details:

    Field

    Description

    Event Name

    Specify an event name. This event name must be identical to the event name specified in the Advanced Authentication administration portal.

    Client ID

    Specify the client ID that was generated while creating the OAuth 2.0 event in the Advanced Authentication administration portal.

    Client Secret

    Specify the client secret that was generated while creating the OAuth 2.0 event in the Advanced Authentication administration portal.

    Webauth Domain

    To use the Virtual Smartcard method, select Use the Advanced Authentication Virtual Smartcard. This populates the Webauth Domain URL.

    For example, if aaserver.domain.com is the DNS name of your web server then webauth.domain.com is populated in the Webauth Domain field.

    When you enable this option, all the requests from Identity Server to OSP are redirected to webauth.domain.com instead of aaserver.domain.com.

    NOTE:The Virtual Smartcard method must be configured in the Advanced Authentication server.

    Access Manager uses the endpoint links to retrieve token and user details from the Advanced Authentication server. These are default endpoint links. If the values of the URIs change because of modification of the Advanced Authentication authorization server, then you can change the values here.

    Field

    Default Value

    Description

    Authorization URL

    /osp/a/TOP/auth/oauth2/grant

    Access Manager uses this URL to retrieve the authorization code from the Advanced Authentication server.

    Token URL

    /osp/a/TOP/auth/oauth2/authcoderesolve

    Access Manager uses this URL to exchange the authorization code with the access token.

    User Info URL

    /osp/a/TOP/auth/oauth2/getattributes

    Access Manager sends the access token to this URL to get the user details from the Advanced Authentication server.

    The fields under Integration URLs are auto-populated after you specify the server domain address.

    IMPORTANT:If the values are not auto-populated then specify the default values as mentioned in the following table.

    Field

    Default Value

    Description

    Enrollment Page URL

    /account/basic

    If a user is not enrolled in Advanced Authentication server, Access Manager uses this URL to redirect the user to the enrollment page.

    Sign Data URL

    /osp/a/TOP/auth/oauth2/sign

    Access Manager uses this URL to retrieve the signed data from Advanced Authentication.

  5. Click Apply.

  6. Proceed with Advanced Authentication to create Advanced Authentication classes.