NetIQ Access Manager Appliance 5.0 Administration Guide
- Configuring Access Manager
- Configuring Administration Console
- Configuring the Default View
- Changing the View
- Setting a Permanent Default View
- Managing Administration Console Session Timeout
- Managing Administrators
- Creating Multiple Admin Accounts
- Managing Policy View Administrators
- Managing Delegated Administrators
- Access Gateway Administrators
- Policy Container Administrators
- Delegated Administrators of Identity Servers
- Creating Users
- Changing Administrator’s Password
- Changing the Password of Administration Console Administrator
- Changing the Administration Password of the User Store Administrator
- Changing the IP Address of Access Manager Appliance
- Changing the IP Address of Administration Console
- Changing the DNS Name of Access Manager Appliance
- Setting Up a Basic Access Manager Appliance Configuration
- Prerequisites for a Basic Access Manager Setup
- Configuring Identity User Stores
- Using More Than One LDAP User Store
- Configuring the User Store
- Configuring an Admin User for the User Store
- Configuring a User Store for Secrets
- Configuring the Configuration Datastore to Store Secrets
- Configuring an LDAP Directory to Store the Secrets
- Configuring an eDirectory User Store to Use SecretStore
- Troubleshooting Secrets Storage
- Configuring Identity Servers Clusters
- Managing a Cluster of Identity Servers
- Editing a Cluster Configuration
- Configuring a Cluster with Multiple Identity Servers
- Configuring Session Failover
- Editing Cluster Details
- Enabling and Disabling Protocols
- Identity Server Authentication APIs
- Configuring Identity Server Global Options
- Configuring Identity Server Shared Settings
- Configuring Attribute Sets
- Editing Attribute Sets
- Adding Custom Attributes
- Creating Shared Secret Names
- Creating LDAP Attribute Names
- User Attribute Retrieval and Transformation
- How User Attribute Retrieval and Transformation Helps
- Managing a Data Source
- Managing an Attribute Source
- Managing a Virtual Attribute
- Retrieving Attributes from a REST Web Service
- Sample JavaScripts with Examples
- Troubleshooting User Attribute Retrieval and Transformation
- User Attribute Retrieval and Transformation Limitations
- Adding Authentication Card Images
- Creating an Image Set
- Metadata Repositories
- Creating Metadata Repositories
- Reimporting Metadata Repositories
- Configuring User Matching Expressions
- Configuring the Advanced Authentication Server
- Configuring Self Service Password Reset Server Details in Identity Server
- Configuring Access Gateway
- Configuring a Reverse Proxy
- Configuring a Public Protected Resource
- Setting Up Policies
- Access Gateways Clusters
- Managing Access Gateway Cluster Configuration
- Managing Cluster Details
- Editing Cluster Details
- Applying Changes to Access Gateway Cluster Members
- Protecting Web Resources Through Access Gateway
- Configuration Options
- WebSocket Support
- Scaling WebSocket
- Accessing WebSocket Resources
- Verifying a WebSocket Connection
- Managing Reverse Proxies and Authentication
- Creating a Proxy Service
- Configuring a Proxy Service
- Modifying the DNS Setting for a Proxy Service
- Configuring ESP Global Options
- Configuring Web Servers of a Proxy Service
- Configuring Protected Resources
- Setting Up a Protected Resource
- Configuring an Authentication Procedure for Non-Redirected Login
- Assigning an Authorization Policy to a Protected Resource
- Assigning an Identity Injection Policy to a Protected Resource
- Assigning a Form Fill Policy to a Protected Resource
- Assigning a Timeout Per Protected Resource
- Assigning a Policy to Multiple Protected Resources
- Configuring HTML Rewriting
- Understanding the Rewriting Process
- Specifying DNS Names to Rewrite
- Defining the Requirements for the Rewriter Profile
- Configuring the HTML Rewriter and Profile
- Creating or Modifying a Rewriter Profile
- Disabling the Rewriter
- Configuring Connection and Session Limits
- Configuring TCP Listen Options for Clients
- Configuring TCP Connect Options for Web Servers
- Configuring Connection and Session Persistence
- Configuring Web Servers
- Protecting Multiple Resources
- Using Multi-Homing to Access Multiple Resources
- Setting Up a Group of Web Servers
- Managing Multiple Reverse Proxies
- Configuring Trusted Providers for Single Sign-On
- Understanding the Trust Model
- Identity Providers and Consumers
- Embedded Service Providers
- Configuration Overview
- Configuring General Provider Settings
- Configuring the General Identity Provider Settings
- Configuring the General Identity Consumer Settings
- Configuring the Introductions Class
- Configuring IDP Select Class
- Configuring the Trust Levels Class
- Managing Trusted Providers
- Creating a Trusted Identity Provider
- Creating a Trusted Service Provider
- Modifying a Trusted Provider
- Communication Security
- Selecting Attributes for a Trusted Provider
- Configuring the Attributes Obtained at Authentication
- Configuring the Attributes Set with Authentication
- Sending Attributes to the Embedded Service Provider
- Managing Metadata
- Viewing and Reimporting a Trusted Provider’s Metadata
- Viewing Trusted Provider Certificates
- Editing a SAML 2.0 Service Provider’s Metadata
- Editing a SAML 1.1 Identity Provider’s Metadata
- Editing a SAML 1.1 Service Provider’s Metadata
- Configuring User Identification Methods for Federation
- Defining User Identification for Liberty and SAML 2.0
- Defining User Identification for SAML 1.1
- Defining the User Provisioning Method
- User Provisioning Error Messages
- Configuring an Authentication Response for a Service Provider
- Routing to an External Identity Provider Automatically
- Configuring Options for Trusted Service Providers
- Using the Intersite Transfer Service
- Understanding the Intersite Transfer Service URL
- Specifying the Intersite Transfer Service URL for the Login URL Option
- Using Intersite Transfer Service Links on Web Pages
- Configuring an Intersite Transfer Service Target for a Service Provider
- Configuring Whitelist of Target URLs
- Validating Incoming Authentication Request for Assertion Consumer Service URL
- Federation Entries Management
- Step-up Authentication Example for an Identity Provider Initiated Single Sign-On Request
- URL Query String Parameters
- Configuring Single Sign-On to Specific Applications
- Configuring SSO to SharePoint Server
- Configuring WS Federation Claims-based Authentication between Access Manager and SharePoint Server
- Configuring SharePoint Server as a Protected Resource
- Enabling Advanced Options for the Proxy Service
- Enabling Global Advanced Options
- Modifying the WS Federation Assertion Validity Time
- Configuring the Trusted Site in Internet Explorer
- Configuring Logout
- Configuring a Protected Resource for Outlook Web Access
- Configuring a Protected Resource for Outlook Web Access
- Configuring an Authentication Procedure
- Configuring a Rewriter Profile
- Configuring Identity Injection
- Configuring Form Fill
- Configuring a Protected Resource for a Novell Vibe 3.3 Server
- Configuring the Novell Vibe Server to Trust Access Gateway
- Configuring a Domain-Based Multi-Homing Service for Novell Vibe
- Creating a Pin List
- Configuring Access to the Filr Site through Access Manager
- Setting Up an Advanced Access Manager Configuration
- Identity Server Advanced Configuration
- Managing an Identity Server
- Updating Identity Server Configuration
- Restarting Identity Server
- Editing Server Details
- Configuring the Custom Response Header for an Identity Server Cluster
- Customizing User Portal
- Getting Started
- Understanding JSP Files
- Types of JSP Files
- Detecting the Correct Mode for Java and JavaScript
- Enabling Impersonation in the Login Page
- Customizing the Identity Server Login Page
- Customizing the User Portal Page Title
- Customizing the Default Login Page to Prompt for Different Credentials
- Modifying the login.jsp File
- Customizing JSP Files
- Customizing the nidp_latest.jsp file
- Configuring Identity Server to Use Custom Login Pages
- Troubleshooting Tips for Custom Login Pages
- Customizing the Identity Server Logout Page
- Rebranding the Logout Page
- Replacing the Logout Page with a Custom Page
- Configuring for Local Rather Than Global Logout
- Customizing Logout Pages to Redirect Based on Parameters
- Customizing Identity Server Messages
- To Customize Identity Server Messages
- Customizing the Branding of the Error Page
- Customizing Tooltip Text for Authentication Contracts
- Maintaining Customized Identity Server
- Examples for Customizing the User Portal Page Using Configuration Files
- Example 1
- Example 2
- Example 3
- Example 4
- Access Gateway Server Advanced Configuration
- Configuration Overview
- Saving, Applying, or Canceling Configuration Changes
- Managing Access Gateways Settings
- Viewing and Modifying Gateway Settings
- Status Options
- Scheduling a Command
- Managing General Details of Access Gateway
- Changing the Name of Access Gateway and Modifying Other Server Details
- Exporting and Importing an Access Gateway Configuration
- Setting Up a Tunnel
- Setting the Date and Time
- Configuring Network Settings
- Viewing and Modifying Adapter Settings
- (Access Gateway Appliance) Viewing and Modifying Gateway Settings
- (Access Gateway Appliance) Viewing and Modifying DNS Settings
- (Access Gateway Appliance) Configuring Hosts
- Adding a New IP Address to Access Gateway
- Enabling Access Gateway to Display Post-Authentication Message
- Customizing Access Gateway
- Maintaining a Customized Access Gateway
- Customizing Error Messages and Error Pages on Access Gateway
- Customizing and Localizing Access Gateway Error Messages
- Customizing the Error Pages
- Customizing Logout Requests
- Customizing Applications to Use Access Gateway Logout Page
- Customizing Access Gateway Logout Page
- Configuring the Logout Disconnect Interval
- Access Gateway Content Settings
- Configuring Cache Options
- Controlling Browser Caching
- Configuring a Pin List
- Configuring a Purge List
- Purging Cached Content
- Apache htcacheclean Tool
- Access Gateway Advanced Options
- Configuring Global Advanced Options
- Configuring Advanced Options for a Domain-Based and Path-Based Multi-Homing Proxy Service
- Cookie Mangling
- Configuring the HTTP/2 Protocol
- URL Attribute Filter
- Analytics Server Configuration
- Managing Analytics Server
- Managing General Details of Analytics Server
- Changing the Name of Analytics Server and Modifying Other Server Details
- Changing the IP Address and Applying Changes
- Managing Details of a Cluster
- Configuring Analytics Server
- Importing Analytics Server
- Email Server Configuration
- Managing User Portal
- Logging in to the Default User Portal
- Logging in with the Legacy Customized Portal
- Logging in to User Portal from a Web Application
- Managing Authentication Cards
- Specifying a Target
- Blocking Access to the Legacy User Portal Page
- Blocking Access to the WSDL Services Page
- Advanced File Configurator
- Managing Files: Older Approach versus Using Advanced File Configurator
- Managing Configuration Files
- Adding Configurations to a Cluster
- Exporting and Importing Configurations
- Exporting Configurations from a Cluster
- Importing Configurations
- Comparing Configuration Files
- Modifying Configurations
- Applying Configurations to Devices
- Downloading Files from a Server
- Untracking Configurations
- Removing Configurations
- Post-Upgrade Considerations
- Access Manager Configuration Files and Folders
- Example Configuration: Modifying web.xml to Manage Administration Console Session Timeout
- Example: Modifying server.xml to Configure the Encryption Level
- Configuring Authentication
- Authentication Framework
- Creating Authentication Classes
- Creating Custom Authentication Class to Obtain Unstored Transitional Data
- Configuring Authentication Methods
- Configuring Authentication Contracts
- Configuring Options for an Authentication Contract
- Using a Password Expiration Service
- Using Login Redirect URL Parameters
- Using Activity Realms
- Specifying Authentication Defaults
- Specifying Authentication Types
- Creating a Contract for a Specific Authentication Type
- Basic or Form-Based Authentication
- Configuring Basic or Form-Based Authentication
- Specifying Common Class Properties
- Query Property
- JSP Property
- MainJSP Property
- Enabling reCAPTCHA
- Kerberos Authentication
- Kerberos Privileged Attribute Certificate
- Prerequisites for Configuring Kerberos Authentication
- Configuring Active Directory
- Creating and Configuring the User Account for Identity Server
- Configuring the Keytab File
- Adding Identity Server to the Forward Lookup Zone
- Configuring Identity Server
- Enabling Logging for Kerberos Transactions
- Configuring Identity Server for Active Directory
- Creating the Authentication Class, Method, and Contract
- Creating the bcsLogin Configuration File
- Verifying the Kerberos Configuration
- (Optional) Excluding Kerberos Authentication for Specific IP Addresses
- (Optional) Configuring the Fall Back Authentication Class
- (Optional) Modifying the LDAP Query Parameter of the Kerberos Method
- Configuring the Clients
- Configuring Access Gateway for Kerberos Authentication
- RADIUS Authentication
- Mutual SSL (X.509) Authentication
- Configuring X.509 Authentication
- Configuring Attribute Mappings
- Restricting the X.509 Authentication to a Specific Certificate Authority
- Regular Expression for Extracting the Partial String from DN
- Setting Up Mutual SSL Authentication
- Customizing Certificate Errors
- Configuring X.509 Authentication to Display the Access Manager Error Message
- Configuring a Dual Connector Setup in a Single-Node Identity Server Environment
- Configuring a Dual Connector Setup in a Multi-Node Identity Server Environment
- Passwordless Authentication
- Social Authentication
- Why and When to Use Social Authentication
- Prerequisites for Social Authentication
- Configuring the Social Authentication Class
- How Social Authentication Works With Access Manager
- Adding Images for Social Authentication Providers
- Changing the Default Icons of Social Authentication Providers
- Configuring Supported Social Authentication Providers for API Keys and API Secrets
- Integrating Access Manager with Facebook
- Integrating Access Manager with LinkedIn
- Integrating Access Manager with Twitter
- Integrating Access Manager with Google+
- Integrating Access Manager with Itsme
- Risk-based Authentication
- Introduction to Risk-Based Authentication
- Why Risk-based Authentication
- Features of Risk-based Authentication
- Risk-Based Authentication Key Terms
- How Risk-based Authentication Works
- Understanding Risk Score Calculation
- Setting Up Localhost for Risk Service
- Configuring Risk-based Authentication
- Configuring a Risk Policy
- Configuring a Method for an Authentication Class
- Configuring a Contract for an Authentication Class
- Configuring Rules
- Configuring User History
- Configuring an External Database to Store User History
- Enabling User History
- Configuring Geolocation Profiling
- Configuring Behavioral Analytics
- Configuring NAT Settings
- Configuring an Authorization Policy to Protect a Resource
- Understanding Risk-based Authentication through Scenarios
- Scenario: Calculating Risk Based on the Device Type
- Scenario: Calculating Risk Based on the Location from Where an Access Request Originates
- Scenario: Calculating Risk Based on the HTTP Header Value
- Scenario: Evaluating the Grant Permissions using the Historical Access Data
- Scenario: Calculating Risk Using Device Fingerprinting
- Scenario: Determining an Improbable Travel Event
- Risk-Based Authentication: Sample Configuration
- Troubleshooting Risk-based Authentication
- Enabling Logging for Risk-based Authentication
- Enabling Auditing for Risk-Based Authentication Events
- Troubleshooting Risk Rule Configuration
- Audit Events Supported for Behavioral Analytics
- Device Fingerprinting
- How It Works
- Understanding Device Fingerprint Parameters
- Configuring a Device Fingerprint Rule
- Configuring an Example Device Fingerprint Policy
- Advanced Authentication
- Prerequisites
- Configuring Advanced Authentication
- SAML 2.0
- Understanding How Access Manager Uses SAML
- Attribute Mapping with Liberty
- Trusted Provider Reference Metadata
- Authorization Services
- Identity Provider Process Flow
- SAML Service Provider Process Flow
- Configuring a SAML 2.0 Profile
- Managing a SAML 2.0 Service Provider
- Creating a SAML 2.0 Service Provider
- Configuring Multiple Instances of a SAML 2.0 Service Provider in an Identity Server Cluster
- Minimizing Service Interruption of SAML 2.0 Service Providers
- Contracts Assigned to a SAML 2.0 Service Provider
- Configuring a SAML 2.0 Authentication Response
- Executing an Authorization-based Role Policy During SAML 2.0 Service Provider Initiated Request
- Editing a SAML 2.0 Service Provider’s Metadata
- Configuring Communication Security for a SAML 2.0 Service Provider
- Managing a SAML 2.0 Identity Provider
- Creating a SAML 2.0 Identity Provider
- Configuring a SAML 2.0 Authentication Request
- Configuring Communication Security for a SAML 2.0 Identity Provider
- Defining Session Synchronization for A-Select SAML 2.0 Identity Provider
- Defining Options for SAML 2.0
- Defining Options for a SAML 2.0 Identity Provider
- Defining Options for a SAML 2.0 Service Provider
- Configuring Liberty or SAML 2.0 Session Timeout
- OIOSAML 3 Compliance
- OIOSAML 3 Metadata Samples
- Enabling OIOSAML Compliance
- Modifying an Authentication Card for Liberty or SAML 2.0
- Configuring Multiple SAML 2.0 Service Providers on the Same Host for a Single SAML Identity Provider
- Configuring Active Directory Federation Services with SAML 2.0 for Single Sign-On
- Prerequisites for Configuring AD FS with SAML 2.0
- Configuring Access Manager as a Claims or Identity Provider and AD FS 2.0 as a Relying Party or Service Provider
- Configuring AD FS 2.0 as the Claims or Identity Provider and Access Manager as the Relying Party or Service Provider
- AD FS 2.0 Basics
- Debugging AD FS 2.0
- WS Federation
- Using Identity Server as an Identity Provider for ADFS
- Configuring Identity Server as an Identity Provider for ADFS
- Configuring the ADFS Server
- Logging In
- Troubleshooting
- Using the ADFS Server as an Identity Provider for an Access Manager Protected Resource
- Configuring Identity Server as a Service Provider
- Configuring the ADFS Server as an Identity Provider
- Logging In
- Additional WS Federation Configuration Options
- Managing WS Federation Providers
- Creating an Identity Provider for WS Federation
- Creating a Service Provider for WS Federation
- Contracts Assigned to a WS Federation Service Provider
- Modifying a WS Federation Identity Provider
- Renaming the Trusted Provider
- Configuring the Attributes Obtained at Authentication
- Modifying the User Identification Method
- Viewing the WS Identity Provider Metadata
- Editing the WS Identity Provider Metadata
- Modifying the Authentication Card
- Assertion Validity Window
- Defining Options for WS Federation Service Provider
- Modifying a WS Federation Service Provider
- Renaming the Service Provider
- Configuring the Attributes Sent with Authentication
- Modifying the Authentication Response
- Viewing the WS Federation Service Provider Metadata
- Editing the WS Federation Service Provider Metadata
- Configuring STS Attribute Sets
- Configuring STS Authentication Methods
- Configuring STS Authentication Request
- WS-Trust Security Token Service
- Basic Scenarios Supported by WS-Trust STS
- Web Service Client Communicating with Token Protected Web Service Provider
- Web Single Sign-On and STS
- Identity Delegation and Impersonation
- Renewing a Token
- Authentication by Using SAML Tokens
- Configuring WS-Trust STS
- Enabling WS-Trust
- Configuring Access Manager for WS-Trust STS
- Viewing STS Service Details
- Configuring Service Providers
- Adding a Domain and Assigning WS-Trust Operations
- Adding Web Service Providers
- Managing Service Provider Domains
- Managing Service Providers
- Modifying Service Providers
- A Sample WS-Policy for Web Service Providers
- Configuring Web Service Clients
- Configuring Apache CXF-based Web Service Clients
- Configuring Metro-based Web Service Clients
- Renew Token - Sample Request and Response
- Renew Token - Sample Request
- Renew Token - Sample Response
- OAuth and OpenID Connect
- How OAuth and OpenID Connect Helps
- OAuth Keywords and Their Usage in Access Manager
- Implementing OAuth in Access Manager
- OIDC Front-Channel Logout
- Configuring OAuth and OpenID Connect
- Enabling OAuth and OpenID Connect
- Extending a User Store for OAuth 2.0 Authorization Grant Information
- Defining Global Settings
- Configuring a Resource Server
- Defining Scopes for a Resource Server
- Managing OAuth Client Applications
- Using Access Gateway in the OAuth Flow
- Configuring Access Gateway for OAuth
- Enabling OAuth in Access Gateway
- Configuring an Authorization Policy based on OAuth Scopes
- Configuring an Identity Injection Policy for OAuth Claims
- Configuring an Identity Injection Policy for User Passwords
- Configuring Access Gateway to Inject OAuth Tokens
- OAuth Scenarios
- Web applications (Resource Server) validate an access token before allowing a client application to access resources
- Access Gateway validates the Access token on behalf of web applications
- Access Gateway injects the Access token on behalf of web applications
- Mobile Authentication
- Exchanging SAML 2.0 Assertions with Access Token
- Configuring Assertion Issuers
- Encrypting Access Token
- Encrypting the Token with the Access Manager Key
- Encrypting the Token with the Resource Server Key
- Configuring Multi-Factor Authentication for Resource Owner Credentials Grant
- Viewing Endpoint Details
- OAuth and OpenID Connect Audit Events
- Enabling Logging for OAuth and OpenID Connect
- Managing Client Applications by Using REST API
- Managing OAuth 2.0 Resource Server and Scope by Using REST API
- Revoking Refresh Tokens and the Associated Access Tokens
- Configuring the Demo OAuth Application
- Federated Authentication for Specific Providers
- Setting Up Google Applications
- Integrating Amazon Web Services with Access Manager
- Enabling Web Single Sign-On in the AWS Console
- Configuring AWS as a Service Provider in Access Manager
- Integrating Amazon CloudTrail with Access Manager
- Configuring Single Sign-On for Office 365 Services
- Passive and Active Authentication
- Configuring Active and Passive Authentication through WS-Trust and WS-Federation
- Configuring Federation with Office 365 Services for Multiple Domains
- Configuring an Office 365 Domain That Supports Passive Federation by using SAML 2.0
- Troubleshooting Scenarios
- Sample Tokens
- Integrating Salesforce With Access Manager By Using SAML 2.0
- Integrating Shibboleth Identity Provider With Access Manager
- Other Authentication Types
- Persistent Authentication
- Frequent Re-authentication Using Password
- Persistence Auth Class Properties
- Customizing the Login Page For Persistent Authentication
- Configuring the Persistent Authenticator Class
- Logging Out of the Persistent Sessions
- Limitations of Using Persistent Authentication Class
- ORed Credential Class
- OpenID Authentication
- Password Retrieval
- Smart Card Authentication with NMAS
- Prerequisites for Configuring Smart Card Authentication with NMAS
- Creating a User Store for the NESCM Method
- Creating a Contract for the Smart Card
- Assigning the NESCM Contract to a Protected Resource
- Verifying the User’s Experience
- Troubleshooting
- Two-Factor Authentication Using Time-Based One-Time Password
- Why Two-Factor Authentication
- Prerequisites for TOTP
- Configuring TOTP Class, Method, and Contract
- Registering with TOTP
- Verifying the TOTP Configuration
- Service Provider Brokering
- SP Brokering Functionalities
- Brokering Flow
- SP Brokering Deployment Scenarios
- Configuring a Brokering for Authorization of Service Providers
- Creating and Viewing Brokering Groups
- Generating the Brokering URLs by Using an ID and Target in the Intersite Transfer Service
- Transient Federation within SAML 2.0
- Assigning the Roles for the Origin IDP users in SP Broker Using the Transient Federation Attributes
- Assigning the Local Roles Based on Remote Roles and Attributes
- SP Brokering Example
- Configuring SAML 1.1
- Configuring a SAML 1.1 Profile
- Creating a SAML 1.1 Service Provider
- Creating a SAML 1.1 Identity Provider
- Configuring Communication Security for SAML 1.1
- Editing a SAML 1.1 Identity Provider’s Metadata
- Editing a SAML 1.1 Service Provider’s Metadata
- Configuring the SAML 1.1 Authentication Response
- Defining Options for SAML 1.1 Service Provider
- Modifying the Authentication Card for SAML 1.1
- Configuring Liberty
- Configuring a Liberty Profile
- Creating a Liberty Service Provider
- Creating a Liberty Identity Provider
- Configuring Communication Security for Liberty
- Configuring a Liberty Authentication Request
- Configuring the Liberty Authentication Response
- Defining Options for Liberty Service Provider
- Defining Options for Liberty Identity Provider
- Configuring the Session Timeout
- Modifying the Authentication Card
- Configuring Liberty Web Services
- Web Services Framework
- Managing Web Services and Profiles
- Configuring Credential Profile Security and Display Settings
- Customizing Attribute Names
- Configuring the Web Service Consumer
- Mapping LDAP and Liberty Attributes
- Access Manager Policies
- Understanding Policies
- Selecting a Policy Type
- Tuning the Policy Performance
- Managing Policies
- Creating Policies
- Sorting Policies
- Deleting Policies
- Renaming or Copying a Policy
- Importing and Exporting Policies
- Refreshing Policy Assignments
- Viewing Policy Information
- Managing Policy Containers
- Managing a Rule List
- Rule Evaluation for Role Policies
- Rule Evaluation for Authorization Policies
- Rule Evaluation for Identity Injection and Form Fill Policies
- Viewing Rules
- Adding Policy Extensions
- Installing the Extension on Administration Console
- Distributing a Policy Extension
- Managing a Policy Extension Configuration
- Viewing Extension Details
- Enabling Policy Logging
- Role Policies
- Understanding RBAC in Access Manager
- Assigning All Authenticated Users to a Role
- Using a Role to Create an Authorization
- Using Prioritized Rules in an Authorization Policy
- Enabling Role-Based Access Control
- Creating Roles
- Selecting Conditions
- Using Multiple Conditions
- Selecting an Action
- Example Role Policies
- Creating an Employee Role
- Creating a Manager Role
- Creating a Rule for a Contract with ORed Credentials
- Creating Access Manager Roles in an Existing Role-Based Policy System
- Activating Roles from External Sources
- Using Conditions to Assign Roles
- Mapping Roles between Trusted Providers
- Prerequisites for Mapping Roles between Trusted Providers
- To Map Roles between Trusted Providers
- Enabling and Disabling Role Policies
- Importing and Exporting Role Policies
- Authorization Policies
- Designing an Authorization Policy
- Controlling Access with a Deny Rule and a Negative Condition
- Configuring the Result on Condition Error Option
- Many Rules or Many Conditions
- Using Multiple Conditions
- Controlling Access with Multiple Conditions
- Using Permit Rules with a Deny Rule
- Using Deny Rules with a General Permit Rule
- Public Policies
- General Design Principles
- Using the Refresh Data Option
- Assigning Policies to Resources
- Creating Access Gateway Authorization Policies
- Sample Access Gateway Authorization Policies
- Sample Policies Based on Organizational Rules
- Sample Workflow Policy
- Conditions
- Authentication Contract Condition
- Client IP Condition
- Credential Profile Condition
- Current Date Condition
- Day of Week Condition
- Current Day of Month Condition
- Current Time of Day Condition
- HTTP Request Method Condition
- LDAP Attribute Condition
- LDAP OU Condition
- Liberty User Profile Condition
- Roles Condition
- Risk Score
- OAuth Scopes
- URL Condition
- URL Scheme Condition
- URL Host Condition
- URL Path Condition
- URL File Name Condition
- URL File Extension Condition
- Virtual Attribute Condition
- X-Forwarded-For IP Condition
- Condition Extension
- Data Extension
- Using the URL Dredge Option
- Edit Button
- Importing and Exporting Authorization Policies
- Identity Injection Policies
- Designing an Identity Injection Policy
- Using the Refresh Data Option
- Configuring an Identity Injection Policy
- Configuring an Authentication Header Policy
- Configuring a Custom Header Policy
- Configuring a Custom Header with Tags
- Specifying a Query String for Injection
- Injecting into the Cookie Header
- Configuring an Inject Kerberos Ticket Policy
- Configuring an OAuth Token Inject Policy
- Importing and Exporting Identity Injection Policies
- Form Fill Policies
- Understanding an HTML Form
- Implementing Form Fill Policies
- Designing a Form Fill Policy
- Creating a Form Fill Policy
- Creating a Login Failure Policy
- Creating an Inject JavaScript Policy
- Troubleshooting a Form Fill Policy
- Creating and Managing Shared Secrets
- Naming Conventions for Shared Secrets
- Creating a Shared Secret Independent of a Policy
- Modifying and Deleting a Shared Secret
- Importing and Exporting Form Fill Policies
- Configuring a Form Fill Policy for Forms With Scripts
- Why Does Form Fill Fail with the Default Policy?
- Understanding How a Form Is Submitted
- Creating a Form Fill Policy for Autosubmission
- Configuring the Advanced Options for Autosubmission
- External Attribute Source Policies
- Enabling External Attributes Policy
- Creating an External Attribute Source Policy
- External Attribute Source Policy Examples
- Scenario 1
- Scenario 2
- Risk-based Policies
- Integrating Access Manager with Microsoft Azure
- Automatic Hybrid Azure AD Join for Windows Devices
- How Automatic Hybrid Azure AD Join Works
- Setting Up Automatic Hybrid Azure AD Join for Windows Devices
- Prerequisites for Automatic Hybrid Azure AD Join
- Preparing Azure AD for Automatic Hybrid Azure AD Join
- Configuring Access Manager for Automatic Hybrid Azure AD Join
- Validating Hybrid Azure AD Join
- Verifying Device Registration Status
- Automatic Hybrid Azure AD Join for Windows Downlevel Devices
- How SSO to Microsoft Azure Applications Works
- Troubleshooting Automatic Hybrid Azure AD Join
- Azure Active Directory Conditional Access with Access Manager
- Registering Devices to Microsoft Intune Mobile Device Management
- Enabling Access Manager with Microsoft Windows Autopilot
- Appmarks
- Creating an Appmark
- Creating Multiple Appmarks for an Application
- Managing Icons
- Enabling Mobile Access
- Requirements for the MobileAccess App
- Configuring the MobileAccess App
- Helping Users Register Their Mobile Devices
- Registering iOS Devices
- Registering Android Devices
- Manual
- HTML Page with Anchor Link
- Installing MobileAccess on a Mobile Device
- Understanding the MobileAccess PIN
- Managing Mobile Devices
- Deregistering Mobile Devices as an Administrator
- Deregistering a Mobile Device as a User
- Deleting and Reinstalling the MobileAccess App on a Device
- Branding of the User Portal Page
- To Customize the Title of the User Portal
- High Availability and Fault Tolerance
- Installing Secondary Access Manager Appliance
- Prerequisites for Installing Secondary Access Manager Appliance
- Configuration Notes
- Installing Secondary Access Manager Appliance
- Understanding How Consoles Interact with Each Other and with Access Manager Devices
- Tasks Requiring the Primary Console
- Tasks Available from the Secondary Console
- Configuration Tips for the L4 Switch
- Sticky Bit
- Network Configuration Requirements
- Health Checks
- Health Checks for Identity Server
- Health Checks for Access Gateway
- Real Server Settings Example
- Virtual Server Settings Example
- Setting up L4 Switch for IPv6 Support
- Web SSO Over IPv6
- Federated SSO over IPv6
- Federated SSO over IPv6 Using Artifact Binding
- Federated SSO over IPv6 using Post Binding
- Limitations
- Using a Software Load Balancer
- Security And Certificates
- Securing Access Manager
- Securing Administration Console
- Protecting the Configuration Store
- Security Considerations for Certificates
- Configuring Secure Communication on Identity Server
- Viewing the Services That Use the Signing
- Protocols
- SOAP Back Channel
- Profiles
- Viewing Services That Use the Encryption
- Enabling Secure Cookies
- Securing the ESP Session Cookie on Access Gateway
- Securing the Proxy Session Cookie
- Setting an Authentication Cookie with a Secure Keyword for HTTP
- Preventing Cross-Site Scripting Vulnerabilities
- Preventing Cross-site Scripting Attacks
- Option 1: HTML Escaping
- Option 2: Filtering
- Option 3: Understanding Relaxed Query Parameters
- Setting Up Advanced Session Assurance
- Understanding Access Manager Certificates
- Process Flow
- Creating Certificates
- Creating a Locally Signed Certificate
- Editing the Subject Name
- Assigning Alternate Subject Names
- Generating a Certificate Signing Request
- Importing a Signed Certificate
- Managing Certificates and Keystores
- Viewing Certificate Details
- Renewing a Certificate
- Exporting a Private/Public Key Pair
- Exporting a Public Certificate
- Importing a Private/Public Key Pair
- Using Multiple External Signing Certificates
- Assigning Certificates to Access Manager Appliance
- Managing Trusted Roots and Trust Stores
- Managing Trusted Roots
- Importing Public Key Certificates (Trusted Roots)
- Auto-Importing Certificates from Servers
- Exporting a Public Certificate of a Trusted Root
- Viewing Trusted Root Details
- Viewing External Trusted Roots
- Enabling SSL Communication
- Enabling SSL Communication
- Using Access Manager Certificates
- Configuring Access Gateway for SSL
- Using Externally Signed Certificates
- Obtaining Externally Signed Certificates
- Configuring Access Gateway to Use an Externally Signed Certificate
- SSL Renegotiation
- Using SSL on Access Manager Appliance Communication Channels
- Prerequisites for SSL
- Prerequisites for SSL Communication between Identity Server and Access Manager Appliance
- Prerequisites for SSL Communication between Access Gateway and Web Servers
- Configuring SSL Communication with Browsers and Access Gateway
- Configuring SSL between the Proxy Service and the Web Servers
- Configuring the SSL Communication
- Maintaining Access Manager
- Analytics Dashboard
- Advantages of Using Analytics Dashboard
- Architecture of Analytics Dashboard
- Who Can Access Analytics Dashboard
- Getting Started with Analytics Dashboard
- Prerequisites for Viewing Graphs on Analytics Dashboard
- Enabling Events for Each Graph
- Viewing Data in Analytics Dashboard
- Real-time Data
- Historic Data
- Types of Graphs
- Unique Users Logged In
- Active Users
- Access Gateway Active Users
- Geolocation of Users Logged In
- Geo-Maps
- Risky Logins
- Identity Server Accessed Applications
- Most Accessed Access Gateway Applications
- Most Used Browsers
- Most Used Endpoint Devices
- Most Active Users
- Client IP Addresses
- Authentication Methods Used
- Failed Authentications
- Logins
- Access Gateway Logins
- Access Gateway Uptime
- Access Gateway Requests
- Access Gateway Cache Utilization
- Identity Server Devices
- Access Gateway Devices
- Accessing Analytics Dashboard
- Managing Analytics Dashboard
- Managing Layout of a Dashboard
- Exporting and Importing a Customized Dashboard
- Exporting a Customized Dashboard
- Importing a Customized Dashboard
- Filtering Data to View Required Details
- Adding or Modifying Refresh Time for the Real-time Dashboard
- Creating Visualization
- Creating a Custom Dashboard
- Customizing the Views of Graphs
- Use Case: Customizing Unique Users Logged In Graph
- Use Case: Customizing View for Client IP Address Graph
- Discovering Data
- Viewing Index Pattern
- Viewing and Sharing Reports
- Logging Analytics Server Events
- Snapshot and Restore
- What is a Snapshot?
- Setting up a Snapshot Policy
- Executing the Snapshot Policy Manually
- Getting Status of the Snapshot Policy
- Deleting a Snapshot Policy
- Deleting Individual Snapshot Policy
- Restoring the Snapshot
- Sample Queries for Analytics Dashboard
- Sample Analytics Dashboard Snapshot and Restore
- Auditing
- Setting Up Logging Server and Console Events
- Important Points to Consider When Using Syslog
- Limitations of Syslog
- Caching Audit Events
- Debugging Syslog
- Configuring Syslog for Auditing over UDP and TLS
- Auditing using UDP
- Auditing using TLS over TCP
- Configuring Administration Console as a Remote Audit Server
- Enabling Identity Server Audit Events
- Enabling Access Gateway Audit Events
- Logging
- Understanding the Types of Logging
- Component Logging for Troubleshooting Configuration or Network Problems
- HTTP Transaction Logging for Proxy Services
- Understanding the Log Format
- Understanding the Correlation Tags in the Log Files
- Sample Scenario
- Identity Server Logging
- Configuring Logging for Identity Server
- Enabling Component Logging
- Managing Log File Size
- Configuring Session-Based Logging
- Creating Administrator Class, Method, and Contract
- Creating Logging Session Class, Method, and Contract
- Enabling Basic Logging
- Responding to an Incident
- Capturing Stack Traces of Exceptions
- Access Gateway Logging
- Managing Access Gateway Logs
- Configuring the Log Level
- Configuring the Log File
- Configuring Logging for a Proxy Service
- Determining Logging Requirements
- Calculating Rollover Requirements
- Enabling Logging
- Configuring Common Log Options
- Configuring Extended Log Options
- Configuring the Size of the Log Partition
- Downloading Log Files
- Administration Console Logs
- Identity Server Logs
- Access Gateway Logs
- Turning on Logging for Policy Evaluation
- Monitoring Component Statistics
- Identity Server Statistics
- Monitoring Identity Server Statistics
- Application
- Authentications
- Incoming HTTP Requests
- Outgoing HTTP Requests
- Liberty
- SAML 1.1
- SAML 2
- WSF (Web Services Framework)
- Clustering
- LDAP
- SP Brokering
- Risk-Based Authentication
- OAuth
- Monitoring Identity Server Cluster Statistics
- Access Gateway Statistics
- Monitoring Access Gateway Statistics
- Server Activity Statistics
- Server Benefits Statistics
- Service Provider Activity Statistics
- Monitoring Access Gateway Cluster Statistics
- Component Statistics Through REST APIs
- Monitoring API for Identity Server Statistics
- Endpoints of the REST API
- Supported Commands and Their Outputs
- Monitoring API for Access Gateway Statistics
- Access Manager Licensing
- How Licensing Works
- Viewing License Details
- Applying License
- Renewing a Subscription License
- Access Manager Licensing API
- Monitoring Component Command Status
- Viewing the Command Status of Identity Server
- Viewing the Status of Current Commands
- Viewing Detailed Command Information
- Viewing the Command Status of Access Gateway
- Viewing the Status of Current Commands
- Viewing Detailed Command Information
- Viewing the Command Status of the Analytics Server
- Viewing the Status of Current Commands
- Viewing Detailed Command Information
- Reviewing the Command Status for Certificates
- Monitoring Server Health
- Health States
- Monitoring Health by Using the Hardware IP Address
- Monitoring Health of Identity Servers
- Monitoring the Health of an Identity Server
- Monitoring the Health of a Cluster
- Monitoring the Health of Access Gateways
- Monitoring the Health of an Access Gateway
- Service Categories of Access Gateway Service
- Monitoring the Health of an Access Gateway Cluster
- Monitoring Health of Analytics Server
- Monitoring Health of Analytics Server
- Monitoring the Health of Analytics Server Cluster
- Monitoring the Health of Services
- Monitoring Alerts
- Monitoring Identity Server Alerts
- Monitoring Access Gateway Alerts
- Viewing Access Gateway Alerts
- Viewing Access Gateway Cluster Alerts
- Managing Access Gateway Alert Profiles
- Configuring an Alert Profile
- SNMP Profile
- Configuring a Log Profile
- Configuring an Email Profile
- Configuring a Syslog Profile
- Monitoring Analytics Server Alerts
- Viewing Analytics Server Alerts
- Viewing Analytics Server Cluster Alerts
- Monitoring Access Manager By Using Simple Network Management Protocol
- SNMP Architecture in Access Manager
- Features of Monitoring Using SNMP
- Using the Default MIB File with External SNMP Systems
- Querying For SNMP Attributes
- Enabling Monitoring for Access Manager Components
- Impersonation
- Impersonation Terminology
- Prerequisites for Creating an Impersonated Session
- Enabling Impersonation
- Impersonation Flow
- Implementing Impersonation in Custom Portal Pages
- Understanding the Impersonation-Specific JSP Files
- Determining When to Show the Specific JSP Files
- Audit Event for Impersonation
- Troubleshooting
- Back Up and Restore
- How The Backup and Restore Process Works
- Default Parameters
- The Process
- Backing Up the Access Manager Configuration
- Restoring the Access Manager Configuration
- Restoring the Configuration on the Same Appliance for Which Backup Was Taken
- Restoring the Configuration on a Freshly Installed Appliance with Same IP Address and DNS Settings
- Code Promotion
- How Code Promotion Helps
- Sequence of Promoting the Configuration Data
- Prerequisites for Performing Code Promotion
- Viewing Configuration Files Paths
- Exporting the Configuration Data
- Importing the Configuration Data
- Uploading the Configuration File to Import
- Selecting a Component to Import the Configuration Data
- Importing the Identity Server Configuration Data
- Importing Identity Server Clusters
- Importing the Access Gateway Configuration Data
- Selecting Proxy Services and Protected Resources to Import
- Verifying the Component-Specific Configuration Changes
- Updating Identity Server User Store References
- Setting Up New Proxy Services in the Target System after the Import
- Post-Import Configuration Tasks
- Troubleshooting Code Promotion
- Code Promotion Limitations
- Troubleshooting
- Troubleshooting Administration Console
- Global Troubleshooting Options
- Checking for Potential Configuration Problems
- Checking for Version Conflicts
- Checking and Terminating User Sessions
- Checking for Invalid Policies
- Viewing System Alerts
- Diagnostic Configuration Export Utility
- Restoring a Failed Secondary Console
- Converting a Secondary Access Manager Appliance into a Primary Appliance
- Shutting Down Primary Access Manager Appliance
- Changing the Master Replica
- Restoring CA Certificates
- Verifying the vcdn.conf File
- Deleting Objects from the eDirectory Configuration Store
- Performing Component-Specific Procedures
- Repairing the Configuration Datastore
- Session Conflicts
- Unable to Log In to Administration Console
- Exception Processing IdentityService_ServerPage.JSP
- Backup and Restore Fail Because of Special Characters in Passwords
- Unable to Install the NMAS SAML Method
- Incorrect Audit Configuration
- Unable to Update Access Gateway Listening IP Address in Administration Console Reverse Proxy
- During Access Manager Appliance Installation Any Error Message Should Not Display Successful Status
- Incorrect Health Is Reported on Access Gateway
- Administration Console Does Not Refresh the Command Status Automatically
- SSL Communication with Weak Ciphers Fails
- Error: Tomcat did not stop in time. PID file was not removed
- An IP Address for the Other Known Device Manager List Is Missing in the Troubleshooting Page
- Administration Console Shows Malformed Request Error
- Troubleshooting Access Gateway
- Useful Troubleshooting Files
- Apache Logging Options for Gateway Service
- Access Gateway Service Log Files
- Verifying That All Services Are Running
- Troubleshooting SSL Connection Issues
- Enabling Debug Mode and Core Dumps
- Starting Apache in the Debug Mode
- Examining the Debug Information
- Disabling the Debug Mode
- Enabling the Core Dumps in RHEL
- Useful Troubleshooting Tools for Access Gateway Service
- Solving Apache Restart Issues
- Removing an Advanced Configuration Setting
- Viewing the Logged Apache Errors
- Viewing the Errors as Apache Generates Them
- The ActiveMQ Module Fails to Start
- Understanding the Authentication Process of Access Gateway Service
- Issue While Accelerating the Ajax Applications
- Accessing Lotus-iNotes through Access Gateway Asks for Authentication
- Configuration Issues
- Cannot Inject a Photo into HTTP Headers
- Access Gateway Caching Issues
- Issues while Changing the Management IP Address in Access Gateway Appliance
- Issue While Adding Access Gateway in a Cluster
- Troubleshooting Identity Server and Authentication
- Useful Networking Tools for Identity Server
- Troubleshooting 100101043 and 100101044 Liberty Metadata Load Errors
- Metadata
- DNS Name Resolution
- Certificates in the Required Trust Stores
- Enabling Debug Logging
- Testing Whether the Provider Can Access the Metadata
- Manually Creating Any Auto-Generated Certificates
- Authentication Issues
- Authentication Classes and Duplicate Common Names
- General Authentication Troubleshooting Tips
- Slow Authentication
- Federation Errors
- Mutual Authentication Troubleshooting Tips
- Browser Hangs in an Authentication Redirect
- Identity Server Does Not Convert Passwords Containing Accents over Letters (åäö) Correctly
- After Setting Up the User Store to Use SecretStore, Users Report 500 Errors
- When Multiple Browser Logout Option Is Enabled, the User Does Not Get Logged Out from Different Sessions
- After Consuming a SAML Response, the Browser Is Redirected to an Incorrect URL
- Configuring SAML 1.1 Identity Provider Without Specifying Port in the Login URL Field
- Attributes Are Not Available Through Form Fill When OIOSAML Is Enabled
- Issue in Importing Metadata While Configuring Identity Provider or Service Provider Using Metadata URL
- Metadata Mentions Triple Des As Encryption Method
- Issue in Accessing Protected Resources with External Identity Provider When Both Providers Use Same Cookie Domain
- SAML Intersite Transfer URL Setup Does Not Work for Non-brokered Setups after Enabling SP Brokering
- Orphaned Identity Objects
- Users Cannot Log In to Identity Server When They Access Protected Resources with Any Contract Assigned
- An Attribute Query from OIOSAML.SP Java Service Provider Fails with Null Pointer
- Disabling the Certificate Revocation List Checking
- Step Up Authentication for Identity Server Initiated SSO to External Provider Does Not Work Unless It Contains a Matching Local Contract
- Metadata Cannot be Retrieved from the URL
- Authentication Request to a Service Provider Fails
- SAML 2.0 POST Compression Failure Does Not Throw a Specific Error Code
- SAML 1.1 Service Provider Re-requests for Authentication
- Identity Server Statistics Logs Do Not Get Written In Less Than One Minute
- No Error Message Is Written in the Log File When an Expired Certificate Is Used for the X509 Authentication
- Terminating an Existing Authenticated User from Identity Server
- X.509 Authentication Lists the Entire List of Certificates Imported to the Browser
- Clustered Nodes Looping Due to JGroup Issues
- Authentication With Aliases Fails
- nidp/app Does Not Redirect to nidp/portal after Authentication
- Login to Office 365 Fails when WS-Trust MEX Metadata Is Larger than 65 KB
- Unsafe Server Certificate Change in SSL/TLS Renegotiations Is Not Allowed
- Viewing Request and Response Headers of All Protocols in a Log File
- Provisioning of LDAP Attribute for Social Authentication User Failed
- User Authentication Fails When the Advanced Authentication Generic Class Is Used
- Cannot Create an Authentication Class with Advanced Authentication Generic Class - Recreating the Endpoints with Advanced Authentication or Advanced Authentication SaaS
- CORS Request to the Token Introspection Endpoint Fails
- The User Portal Page Does Not Display the Branding
- The SAML Authentication Fails When an Unsigned Request Contains an ACS URL
- Unable to Perform Single Sign-on When Azure Active Directory Is the Identity Provider
- Debug Logs Suppression for WS-Trust Authentication Failure
- Troubleshooting Analytics Server
- Launching Access Manager Dashboard Displays a Blank Page
- Graphs Do Not Display Any Data When You Launch Access Manager Dashboard
- Clearing the Existing Realtime Data to View the Imminent Data on Graphs
- Cannot Launch Access Manager Dashboard After Reimporting Analytics server
- The Analytics Server Health Is Not Reported to Administration Console
- Access Manager Dashboard Does Not Display Graphs, but Displays the Health Status of Devices
- Troubleshooting Certificate Issues
- Resolving the JCC Communication between Devices and Administration Console
- Resolving Certificate Import Issues
- Importing an External Certificate Key Pair
- Resolving a -1226 PKI Error
- When the Full Certificate Chain Is Not Returned During an Automatic Import of the Trusted Root
- Using Internet Explorer to Add a Trusted Root Chain
- Mutual SSL with X.509 Produces Untrusted Chain Messages
- Certificate Command Failure
- A Device Reports Certificate Errors
- Renewing the Expired eDirectory Certificates
- Certificate Trust Store Objects of the Identity Server Clusters Are Deleted Randomly
- Secondary Administration Console Does Not Reflect the Replaced Certificate
- Troubleshooting Access Manager Policies
- Turning on Logging for Policy Evaluation
- Common Configuration Problems That Prevent a Policy from Being Applied as Expected
- Enabling Roles for Authorization Policies
- LDAP Attribute Condition
- Result on Condition Error Value
- An External Secret Store and Form Fill
- The Policy Is Using Old User Data
- Form Fill and Identity Injection Silently Fail
- Checking for Corrupted Policies
- Policy Page Timeout
- Policy Creation and Storage
- Policy Distribution
- Policy Evaluation: Access Gateway Devices
- Successful Policy Configuration Example
- No Policy Defined Configuration Example
- Deny Access Configuration/Evaluation Example
- Troubleshooting MobileAccess
- Using the Same Mobile Device for Different Users Causes the Expired Session Error
- Simple Authentication with a Pop-up Browser Window Does Not Work for MobileAccess
- Users Fail to Authenticate to MobileAccess when Appmarks Are Launched in the Chrome Browser
- Changes to MobileAccess Do Not Appear in Administration Console
- Facebook Basic SSO Connector Does Not Work from MobileAccess
- Troubleshooting Code Promotion
- Troubleshooting Identity Server Code Promotion
- Exporting Identity Server Configuration Data Fails
- Importing Identity Server Configuration Data Fails
- Troubleshooting Access Gateway Code Promotion
- Exporting Access Gateway Configuration Data Fails
- Importing Access Gateway Configuration Data Fails
- Policy Configuration Is Locked
- Access Gateway Configuration Is Locked
- Access Gateway Cluster Is Not Associated with any Identity Server
- Proxy Service Type Does Not Match
- Policy Type Does Not Match
- Cannot Import a Virtual Proxy Service to SSL enabled Master Proxy
- Cookie Domain and Published DNS Name Do Not Match
- SSL Enabled Web Server Configuration Is Imported to a Non-SSL Proxy Service
- Names of Master Proxy Service Are Different
- Reverse Proxy and Master Proxy Service Do Not Exist
- Proxy Service Does Not Exist in the Target Setup
- DNS Name Is Not Unique
- Revert Process Fails for Access Gateway
- Troubleshooting Device Customization Code Promotion
- Custom Files Are Not Imported
- Troubleshooting the Device Fingerprint Rule
- Enabling the Debug Option for the Device Fingerprint Rule
- Using Logs to Understand How the Device Fingerprint Rule Is Evaluated
- A Fingerprint Does Not Exist
- Fingerprint Matches
- Fingerprint Does Not Match
- When Fingerprint Matches though Some Parameters in the Group Do Not Match
- When Fingerprint Does Not Match as the Evaluation of Group Parameters Fails
- Troubleshooting Advanced Session Assurance
- Troubleshooting Using the Log Files
- Using Logs
- Using debug Logs
- Important Error Messages
- Cookie mismatch. The session might have been hijacked. Logging out session <sessionID>
- Nonce has been used already. Possible replay attack. Logging out the session <sessionID>
- Fingerprint evaluation failed. The session might have been hijacked. Logging out the session <sessionID>
- Checking Session Assurance Configuration Details
- The Advanced Session Assurance Page Does Not Display the Access Gateway Cluster
- Troubleshooting OAuth and OpenID Connect
- The Token Endpoint Returns an Invalid Code Error Message
- OAuth Tokens Are in Binary Format Instead of JWT Format
- Users Cannot Register a Client Application
- Token Exchanges Show Redirect URI Invalid Error
- Users Cannot Register or Modify a Client Application with Specific Options
- A Specific Claim Does Not Come to the UserInfo Endpoint during Claims Request
- Access Gateway OAuth Fails
- After Allowing Consent, 500 Internal Server Error Occurs
- The Access Token Does Not Get Exchanged with Authorization Code When Using a Multi-Node Identity Server Cluster
- No Error Message When a Token Request Contains Repetitive Parameters
- OAuth Token Encryption/Signing Key Is Compromised or Corrupted
- Tracing OAuth Requests
- OAuth Client Registration Fails If a Role Policy Contains a Condition Other than LDAP Attribute, LDAP Group, or LDAP OU
- The Identity Injection Policy Does Not Inject Passwords
- OAuth Apps Fail After Upgrading Access Manager
- Authorization Server Responds with the Service Unavailable Message for a Revocation Request
- Unable to Delete Scopes That Contain Special Characters
- OAuth Client Application Returns an Error Message
- Troubleshooting User Attribute Retrieval and Transformation
- No Value Is Fetched from Attribute Source in Identity Server
- Error Message While Testing a Database Connection
- Regex Replace Error Message
- Troubleshooting Impersonation
- Internet Explorer Caching Error
- Troubleshooting Branding
- Changes to Branding Do Not Appear in Administration Console
- Troubleshooting Licensing
- Access Manager Continues to Display the Old License Although a New License is Applied
- Using Log Files for Troubleshooting
- Sample Authentication Traces
- Direct Authentication Request to Identity Server
- Protected Resource Authentication Trace
- Understanding Policy Evaluation Traces
- Format
- Policy Result Values
- Role Assignment Traces
- Identity Injection Traces
- Authorization Traces
- Form Fill Traces
- Adding Hashed Cookies into Browsers
- Adding Hashed Identity Server Cookies into Browsers
- Adding Hashed Access Gateway Cookies into Browsers
- Adding Hashed ESP Cookies into Browsers
- Access Manager Audit Events and Data
- Event Codes
- Troubleshooting Social Authentication
- Cases of Alphabets in Consumer Key Fails to Update
- Troubleshooting Issuing of PRT Tokens
- Troubleshooting MessageAuthenticatorAttribute Issues in the Radius Authentication
- Access Manager Audit Events and Data
- JavaScript Object Notation (JSON) Event Format
- NIDS: Sent a Federate Request (002e0001)
- NIDS: Received a Federate Request (002e0002)
- NIDS: Sent a Defederate Request (002e0003)
- NIDS: Received a Defederate Request (002e0004)
- NIDS: Sent a Register Name Request (002e0005)
- NIDS: Received a Register Name Request (002e0006)
- NIDS: Logged Out an Authentication that Was Provided to a Remote Consumer (002e0007)
- NIDS: Logged out a Local Authentication (002e0008)
- NIDS: Provided an Authentication to a Remote Consumer (002e0009)
- NIDS: User Session Was Authenticated (002e000a)
- NIDS: Failed to Provide an Authentication to a Remote Consumer (002e000b)
- NIDS: User Session Authentication Failed (002e000c)
- NIDS: Received an Attribute Query Request (002e000d)
- NIDS: User Account Provisioned (002e000e)
- NIDS: Failed to Provision a User Account (002e000f)
- NIDS: Web Service Query (002e0010)
- NIDS: Web Service Modify (002e0011)
- NIDS: Connection to User Store Replica Lost (002e0012)
- NIDS: Connection to User Store Replica Reestablished (002e0013)
- NIDS: Server Started (002e0014)
- NIDS: Server Stopped (002e0015)
- NIDS: Server Refreshed (002e0016)
- NIDS: Intruder Lockout (002e0017)
- NIDS: Severe Component Log Entry (002e0018)
- NIDS: Warning Component Log Entry (002e0019)
- NIDS: Failed to Broker an Authentication from Identity Provider to Service Provider as Identity Provider and Service Provider Are not in Same Group (002E001A)
- NIDS: Failed to Broker an Authentication from Identity Provider to Service Provider Because a Policy Evaluated to Deny (002E001B)
- NIDS: Brokered an Authentication from Identity Provider to Service Provider (002E001C)
- NIDS: Web service Request was authenticated (002e001D)
- NIDS: Web service Request for authentication Failed (002e001E)
- NIDS: OAuth2 Authorization code issued (002e0028)
- NIDS: OAuth2 token issued (002e0029)
- NIDS: OAuth2 Authorization code issue failed (002e0030)
- NIDS: OpenID token issued (002e0031)
- NIDS: OAuth2 refresh token issued (002e0032)
- NIDS: OAuth2 token issue failed (002e0033)
- NIDS: OpenID token issue failed (002e0034)
- NIDS: OAuth2 refresh token issue failed (002e0035)
- NIDS: OAuth2 client has been registered successfully (002e0036)
- NIDS: OAuth2 client has been modified successfully (002e0037)
- NIDS: OAuth2 client has been deleted successfully (002e0038)
- NIDS: OAuth2 user has provided consent (002e0039)
- NIDS: OAuth2 user has revoked consent (002e0040)
- NIDS: OAuth2 token validation success (002e0041)
- NIDS: OAuth2 token validation failed (002e0042)
- NIDS: OAuth2 client registration failed (002e0043)
- NIDS: OAuth2 refresh token revoked success (002e0055)
- NIDS: OAuth2 refresh token revocation failed (002e0056)
- NIDS: OAuth2 Authorization none issued (002e0057)
- NIDS: OAuth2 OIDC Front-Channel Logout Success (002e0058)
- NIDS: OAuth2 AA Authorization Code Exchange (002e0071)
- NIDS: OAuth2 AA Access Token Exchange (002e0072)
- NIDS: Step-up authentication (002e0719)
- NIDS: Roles PEP Configured (002e0300)
- NIDS: Risk-Based Authentication Action for User (002e0045)
- NIDS: Risk-Based Authentication Action for User (002e0046)
- NIDS: Risk-Based Authentication Action for User (002e0047)
- NIDS: Token was Issued to Web Service (002E001F)
- NIDS: Issued a Federation Assertion (002E0102)
- NIDS: Received a Federation Assertion (002E0103)
- NIDS: Assertion Information (002E0104)
- NIDS: Sent a Federation Request (002E0105)
- Access Gateway: PEP Configured (002e0301)
- Roles Assignment Policy Evaluation (002e0320)
- Access Gateway: Authorization Policy Evaluation (002e0321)
- Access Gateway: Form Fill Policy Evaluation (002e0322)
- Access Gateway: Identity Injection Policy Evaluation (002e0323)
- Access Gateway: Access Denied (0x002e0505)
- Access Gateway: URL Not Found (0x002e0508)
- Access Gateway: System Started (0x002e0509)
- Access Gateway: System Shutdown (0x002e050a)
- Access Gateway: Identity Injection Parameters (0x002e050c)
- Access Gateway: Identity Injection Failed (0x002e050d)
- Access Gateway: Form Fill Authentication (0x002e050e)
- Access Gateway: Form Fill Authentication Failed (0x002e050f)
- Access Gateway: URL Accessed (0x002e0512)
- Access Gateway: IP Access Attempted (0x002e0513)
- Access Gateway: Webserver Down (0x002e0515)
- Access Gateway: All WebServers for a Service is Down (0x002e0516)
- Access Gateway: Application Accessed (002E0514)
- Access Gateway: Session Created (002E0525)
- Management Communication Channel: Health Change (0x002e0601)
- Management Communication Channel: Device Imported (0x002e0602)
- Management Communication Channel: Device Deleted (0x002e0603)
- Management Communication Channel: Device Configuration Changed (0x002e0604)
- Management Communication Channel: Device Alert (0x002e0605)
- Management Communication Channel: Statistics (002e0606)
- Risk-Based Authentication Successful (002e0025)
- Risk-Based Authentication Failed (002e0026)
- Risk-Based Authentication for User (002e0027)
- Impersonation Sign in (002E0048)
- Impersonation: Impersonator Logs Out (002E0049)
- Impersonation: Session Started (002E0050)
- Impersonation: Impersonatee Denies (002E0051)
- Impersonation: Impersonatee Approves (002E0052)
- Impersonation: Impersonator Cancels (002E0053)
- Impersonation: Authorization Policy Fails (002E0054)
- Event Codes
- Administration Console (009)
- Identity Server (001)
- Linux Access Gateway Appliance (045)
- Access Gateway Service (046)
- Policy Engine (008)
- SOAP Policy Enforcement Point (011)
- Backup and Restore (010)
- Modular Authentication Class (012)
- Appendix
- What Is Federated Authentication
- Understanding a Simple Federation Scenario
- Configuring Federation
- Prerequisites for Configuring Federation
- Establishing Trust between Providers
- Configuring Site A to Trust Site B as a Service Provider
- Configuring Site B to Trust Site A as an Identity Provider
- Verifying the Trust Relationship
- Configuring User Authentication
- Configuring SAML 1.1 for Account Federation
- Configuring User Account Matching
- Configuring the Default Contract for Single Sign-On
- Verifying the Trust Relationship with SAML 1.1
- Sharing Roles
- Configuring Role Sharing
- Defining a Shared Attribute Set
- Obtaining the Role Assignments
- Configuring Policies to Process Received Roles
- Verifying the Configuration
- Setting Up Federation with Third-Party Providers
- Understanding Liberty
- Data Model Extension XML
- Elements
- Writing Data Model Extension XML
- SOAP versus REST API
- OAuth versus Other Protocols
- OAuth Concepts
- OAuth Terminology
- Why OpenID Connect
- OAuth Authorization Grant
- Authorization Code Grant (Web Server)
- Implicit Grant
- Resource Owner Credential Grant
- Client Credential Grant
- Security Assertion Markup Language (SAML) 2.0 Bearer Grant
- Authentication Flows
- Authentication by Using the Authorization Code Flow
- Authentication by Using the Implicit Flow
- Authentication by Using Hybrid Flow
- End User Operations
- User Authorization
- Revoking Authorizations
- Access Manager Reports Samples
- Application Access Summary Report
- User Application Access Summary Report
- Application Specific User Access Report
- Federation Summary Report
- User Login Contract Summary Report
- User Login Failure Report
- Application Specific Risk based Authentication Report
- Legal Notice