10.3 Using SAML Authentications from Access Manager to Provide Single Sign-On to Identity Governance through the OSP

If you are using OSP with Identity Governance and you have Access Manager installed and configured to provide SAML authentications to other applications, you can use those SAML authentications from Access Manager to provide single sign-on to Identity Governance through OSP.

  1. Obtain the SAML 2.0 metadata from the Access Manager server by accessing the following default URL:

    https://identity-server-dns-name:port/nidp/saml2/metadata
  2. Configure the SAML 2.0 settings on the OSP server.

    1. Ensure that Apache Tomcat is running on the OSP server.

    2. Launch the Identity Governance Configuration Update utility from the OSP server. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.

    3. Click the Authentication tab.

    4. Click Show Advanced Options.

    5. Under Authentication Method > Method select SAML 2.0.

    6. Use the following information to configure OSP to use SAML 2.0:

      Mapping Attribute

      Specify the attribute that OSP uses to map user accounts to the accounts authenticated by Access Manager. The default value is mail.

      Landing Page

      Select whether the landing page for your users is internal or external, or select None if there is no landing page. The default value is None.

      Metadata source

      Select URL to use the Access Manager metadata.

      Metadata URL

      Specify the Access Manager metadata URL in this field, for example:

      https://identity-server-dns-name:port/nidp/saml2/metadata
      Load on save

      Select this option to load the metadata from the URL when you save the configuration.

      Configure Access Manager on exit

      Select this option to automatically configure Access Manager when you exit the Identity Governance Configuration Update utility.

    7. Under the Identity Governance Bootstrap Administrator heading, ensure that you are using an LDAP-based bootstrap administrator account. For more information, see Section 4.1.1, Using the Bootstrap Administrator.

    8. Click OK to save the changes.

    9. Click Yes to accept the certificate.

    10. When the Access Manager Auto-Configuration appears, restart Apache Tomcat on the OSP server. For more information, see Section 3.5.3, Starting and Stopping Apache Tomcat.

  3. Automatically configure the SAML 2.0 settings in Access Manager for OSP.

    1. Access the Administration Console for Access Manager using the full DNS name. For example:

      https://mybusiness.com:8443
    2. In Access Manager Administrator Credentials, specify the user name (as an LDAP distinguished name) and password of the Access Manager administrator. For example, cn=admin,o=mybusiness.

    3. Ensure that the Unique Display Name is automatically created as IDM-NAM Trust.

    4. In Authentication Server Administrator Credentials, specify the user name and password of the Identity Governance configuration administrator.

    5. Click OK to save the configuration information.

    6. In the pop-up window, click Yes to update the Access Manager configuration.

    7. Read the Access Manager SAML 2 configuration summary when it appears, then click OK.

  4. Restart Apache Tomcat on the OSP server. For more information, see Section 3.5.3, Starting and Stopping Apache Tomcat.

  5. (Conditional) If you configured OSP to use multiple keypairs, you might have to import the OSP encryption certificate into the NIDP Trust Store in Access Manager.

    1. Obtain a copy of the OSP encryption certificate from:

      https://osp-server:port/osp/s/idm/encryptionCertificate
    2. Add the encryption certificate to the NIDP Trust Store in Access Manager. For more information, see Managing Trusted Roots and Trust Stores in the NetIQ Access Manager 5.0 Administration Guide.