Identity Server Guide
Novell®
Access Manager
novdocx (en) 19 February 2010
AUTHORIZED DOCUMENTATION
3.1 SP1
March 17, 2010
www.novell.com
Novell Access Manager 3.1 SP1 Identity Server Guide
Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and
specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time,
without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims
any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc.,
reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to
notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the
trade laws of other countries. You agree to comply with all export control regulations and to obtain any required
licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on
the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws.
You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the
Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on
exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export
approvals.
novdocx (en) 19 February 2010
Copyright © 2006-2010 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied,
stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see
the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/
trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
novdocx (en) 19 February 2010
novdocx (en) 19 February 2010
4 Novell Access Manager 3.1 SP1 Identity Server Guide
Contents
About This Guide 11
1 Configuring an Identity Server 13
1.1 Managing a Cluster Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.1.1 Creating a Cluster Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.1.2 Assigning an Identity Server to a Cluster Configuration . . . . . . . . . . . . . . . . . . . . . . 19
1.1.3 Configuring Session Failover. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
1.1.4 Removing a Server from a Cluster Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
1.1.5 Managing a Cluster with Multiple Identity Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
1.1.6 Enabling and Disabling Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
1.1.7 Modifying the Base URL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
1.2 Customizing Identity Server Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
1.2.1 Customizing Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
1.2.2 Customizing the Branding of the Error Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
1.2.3 Customizing Tooltip Text for Authentication Contracts . . . . . . . . . . . . . . . . . . . . . . . 29
1.3 Customizing the Identity Server Login Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
1.3.1 Selecting the Login Page and Modifying It . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
1.3.2 Configuring the Identity Server to Use Custom Login Pages . . . . . . . . . . . . . . . . . . 42
1.3.3 Troubleshooting Tips for Custom Login Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
1.4 Customizing the Identity Server Logout Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
1.4.1 Rebranding the Logout Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
1.4.2 Replacing the Logout Page with a Custom Page . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
1.5 Enabling Role-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
1.6 Using netHSM for the Signing Key Pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
1.6.1 Understanding How Access Manager Uses Signing and Interacts with the netHSM
Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
1.6.2 Configuring the Identity Server for netHSM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
1.7 Configuring Secure Communication on the Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
1.7.1 Viewing the Services That Use the Signing Key Pair . . . . . . . . . . . . . . . . . . . . . . . . 67
1.7.2 Viewing Services That Use the Encryption Key Pair . . . . . . . . . . . . . . . . . . . . . . . . . 68
1.7.3 Managing the Keys, Certificates, and Trust Stores . . . . . . . . . . . . . . . . . . . . . . . . . . 68
1.8 Security Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
1.8.1 Federation Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
1.8.2 Authentication Contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
1.8.3 Forcing 128-Bit Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
novdocx (en) 19 February 2010
2 Configuring Local Authentication 75
2.1 Configuring Identity User Stores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
2.1.1 Using More Than One LDAP User Store. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
2.1.2 Configuring the User Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
2.1.3 Configuring an Admin User for the User Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
2.1.4 Configuring a User Store for Secrets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
2.2 Creating Authentication Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
2.2.1 Creating Basic or Form-Based Authentication Classes . . . . . . . . . . . . . . . . . . . . . . . 88
2.2.2 Specifying Common Class Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
2.3 Configuring Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
2.4 Configuring Authentication Contracts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
2.5 Using a Password Expiration Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
2.5.1 URL Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Contents 5
2.5.2 Forcing Authentication after the Password Has Changed . . . . . . . . . . . . . . . . . . . . . 97
2.5.3 Grace Logins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
2.5.4 Federated Accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
2.6 Specifying Authentication Defaults. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
2.7 Managing Direct Access to the Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
2.7.1 Logging In to the User Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
2.7.2 Specifying a Target . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
2.7.3 Blocking Access to the WSDL Services Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
3 Configuring Advanced Local Authentication Procedures 105
3.1 Configuring for RADIUS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
3.2 Configuring Mutual SSL (X.509) Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
3.2.1 Setting Up Mutual SSL Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
3.3 Creating an ORed Credential Class. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
3.4 Configuring for Kerberos Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
3.4.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
3.4.2 Configuring Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
3.4.3 Configuring the Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
3.4.4 Configuring the Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
3.4.5 Configuring the Access Gateway for Kerberos Authentication . . . . . . . . . . . . . . . . 124
3.4.6 Upgrading from Access Manager 3.0 SP4 or 3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . 124
3.5 Configuring Access Manager for NESCM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
3.5.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
3.5.2 Creating a User Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
3.5.3 Creating a Contract for the Smart Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
3.5.4 Assigning the NESCM Contract to a Protected Resource . . . . . . . . . . . . . . . . . . . . 131
3.5.5 Verifying the User’s Experience. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
3.5.6 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
novdocx (en) 19 February 2010
4 Defining Shared Settings 133
4.1 Configuring Attribute Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
4.2 Editing Attribute Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
4.3 Configuring User Matching Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
4.4 Adding Custom Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
4.4.1 Creating Shared Secret Names. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
4.4.2 Creating LDAP Attribute Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
4.5 Adding Authentication Card Images. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
5 Configuring SAML and Liberty Trusted Providers 141
5.1 Understanding the Trust Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
5.1.1 Identity Providers and Consumers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
5.1.2 Embedded Service Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
5.1.3 High-Level Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
5.2 Configuring General Provider Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
5.2.1 Configuring the General Identity Provider Options . . . . . . . . . . . . . . . . . . . . . . . . . 144
5.2.2 Configuring the General Identity Consumer Options . . . . . . . . . . . . . . . . . . . . . . . . 145
5.3 Creating a Trusted Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
5.4 Modifying a Trusted Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
5.4.1 Configuring Communication Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
5.4.2 Using the Intersite Transfer Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
5.4.3 Selecting Attributes for a Trusted Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
5.4.4 Managing Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
5.4.5 Configuring an Authentication Request for an Identity Provider . . . . . . . . . . . . . . . 159
6 Novell Access Manager 3.1 SP1 Identity Server Guide
5.4.6 Configuring an Authentication Response for a Service Provider . . . . . . . . . . . . . . . 162
5.4.7 Managing the Authentication Card of an Identity Provider . . . . . . . . . . . . . . . . . . . 165
6 Configuring CardSpace 167
6.1 Overview of the CardSpace Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
6.2 Prerequisites for CardSpace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
6.2.1 Enabling High Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
6.2.2 Configuring the Client Machines for CardSpace . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
6.3 Authenticating with a Personal Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
6.4 Authenticating with a Managed Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
6.4.1 Prerequisite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
6.4.2 Configuring a CardSpace Identity Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
6.4.3 Creating and Installing a Managed Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
6.4.4 Configuring the Relying Party to Trust an Identity Provider. . . . . . . . . . . . . . . . . . . 176
6.4.5 Logging In with the Managed Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
6.5 Authenticating with a Managed Card Backed by a Personal Card. . . . . . . . . . . . . . . . . . . . . 178
6.6 Configuring the Identity Server as a Relying Party . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
6.6.1 Defining an Authentication Card and Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
6.6.2 Defining a Trusted Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
6.6.3 Cleaning Up Identities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
6.6.4 Defederating after User Portal Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
6.7 Configuring the Identity Server as an Identity Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
6.7.1 Replacing the Signing Certificate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
6.7.2 Configuring STS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
6.7.3 Creating a Managed Card Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
6.8 Using CardSpace Cards for Authentication to Access Gateway Protected Resources . . . . . 186
novdocx (en) 19 February 2010
7 Configuring WS Federation 187
7.1 Using the Identity Server as an Identity Provider for ADFS . . . . . . . . . . . . . . . . . . . . . . . . . . 187
7.1.1 Configuring the Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
7.1.2 Configuring the ADFS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
7.1.3 Logging In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
7.1.4 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
7.2 Using the ADFS Server as an Identity Provider for an Access Manager Protected Resource197
7.2.1 Configuring the Identity Server as a Service Provider . . . . . . . . . . . . . . . . . . . . . . . 198
7.2.2 Configuring the ADFS Server to Be an Identity Provider. . . . . . . . . . . . . . . . . . . . . 201
7.2.3 Logging In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
7.2.4 Additional WS Federation Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . 203
7.3 Modifying a WS Federation Identity Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
7.3.1 Renaming the Identity Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
7.3.2 Configuring the Attributes Obtained at Authentication . . . . . . . . . . . . . . . . . . . . . . . 203
7.3.3 Modifying the User Identification Method. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
7.3.4 Managing the Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
7.3.5 Modifying the Authentication Card. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
7.4 Modifying a WS Federation Service Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
7.4.1 Renaming the Service Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
7.4.2 Configuring the Attributes Sent with Authentication. . . . . . . . . . . . . . . . . . . . . . . . . 206
7.4.3 Modifying the Authentication Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
7.4.4 Managing the Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
8 Configuring User Identification Methods for Federation 209
8.1 Selecting a User Identification Method for Liberty or SAML 2.0. . . . . . . . . . . . . . . . . . . . . . . 209
8.2 Selecting a User Identification Method for SAML 1.1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Contents 7
8.3 Configuring the Attribute Matching Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
8.4 Defining the User Provisioning Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
8.5 User Provisioning Error Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
9 Configuring Communication Profiles 219
9.1 Configuring a Liberty Profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
9.2 Configuring a SAML 1.1 Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
9.3 Configuring a SAML 2.0 Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
10 Configuring Liberty Web Services 223
10.1 Configuring the Web Services Framework. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
10.2 Enabling Web Services and Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
10.3 Editing Web Service Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
10.4 Configuring Credential Profile Security and Display Settings. . . . . . . . . . . . . . . . . . . . . . . . . 226
10.5 Configuring Service and Profile Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
10.6 Customizing Attribute Names. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
10.7 Editing Web Service Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
10.8 Configuring the Web Service Consumer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
10.9 Mapping LDAP and Liberty Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
10.9.1 Configuring One-to-One Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
10.9.2 Configuring Employee Type Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
10.9.3 Configuring Employee Status Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
10.9.4 Configuring Postal Address Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
10.9.5 Configuring Contact Method Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
10.9.6 Configuring Gender Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
10.9.7 Configuring Marital Status Attribute Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
novdocx (en) 19 February 2010
11 Maintaining an Identity Server 247
11.1 Managing an Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
11.1.1 Updating an Identity Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
11.1.2 Restarting the Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
11.2 Editing Server Details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
11.3 Configuring Component Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
11.3.1 Enabling Component Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
11.3.2 Managing Log File Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
11.4 Configuring Session-Based Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
11.4.1 Creating the Administrator Class, Method, and Contract . . . . . . . . . . . . . . . . . . . . 253
11.4.2 Creating the Logging Session Class, Method, and Contract . . . . . . . . . . . . . . . . . . 255
11.4.3 Enabling Basic Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
11.4.4 Responding to an Incident . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
11.5 Monitoring the Health of an Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
11.5.1 Health States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
11.5.2 Viewing the Health Details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
11.6 Monitoring Identity Server Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
11.6.1 Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
11.6.2 Authentications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
11.6.3 Incoming HTTP Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
11.6.4 Outgoing HTTP Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
11.6.5 Liberty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
11.6.6 SAML 1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
11.6.7 SAML 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
11.6.8 WSF (Web Services Framework) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
8 Novell Access Manager 3.1 SP1 Identity Server Guide
11.6.9 Clustering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
11.6.10 LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
11.7 Enabling Identity Server Audit Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
11.8 Monitoring Identity Server Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
11.9 Viewing the Command Status of the Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
12 Troubleshooting the Identity Server and Authentication 275
12.1 Useful Networking Tools for the Linux Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
12.2 Troubleshooting 100101043 and 100101044 Liberty Metadata Load Errors. . . . . . . . . . . . . 275
12.2.1 The Metadata. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
12.2.2 DNS Name Resolution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
12.2.3 Certificate Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
12.2.4 Certificates in the Required Trust Stores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
12.2.5 Certificates in the Correct Certificate Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
12.2.6 Enabling Debug Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
12.2.7 Testing Whether the Provider Can Access the Metadata . . . . . . . . . . . . . . . . . . . . 283
12.2.8 Manually Creating Any Auto-Generated Certificates . . . . . . . . . . . . . . . . . . . . . . . 283
12.3 Authentication Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
12.3.1 Authentication Classes and Duplicate Common Names . . . . . . . . . . . . . . . . . . . . . 284
12.3.2 General Authentication Troubleshooting Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
12.3.3 Slow Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
12.3.4 Basic Authentication Fails with an eDirectory User Store . . . . . . . . . . . . . . . . . . . . 285
12.3.5 Federation Errors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
12.3.6 Mutual Authentication Troubleshooting Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
12.3.7 Browser Hangs in an Authentication Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
12.4 Translating the Identity Server Configuration Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
12.4.1 A Simple Redirect Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
12.4.2 Configuring iptables for Multiple Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
12.5 Problems Reading Keystores after Identity Server Re-installation. . . . . . . . . . . . . . . . . . . . . 291
novdocx (en) 19 February 2010
A Sample Custom Login Pages 293
A.1 Modified login.jsp File for Credential Prompts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
A.2 Custom nidp.jsp File with Custom Credentials. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
A.2.1 The Modified nidp.jsp File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
A.2.2 The Modified main.jsp File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
A.2.3 The Method and the Contract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
A.3 Custom 3.1 login.jsp File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
A.3.1 The Modified login.jsp File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
A.3.2 The Method and the Contract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
A.4 Custom 3.0 login.jsp File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
A.4.1 Modifying the File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
A.4.2 The Method and the Contract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
B About Liberty 311
C Understanding How Access Manager Uses SAML 313
C.1 Attribute Mapping with Liberty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
C.2 Trusted Provider Reference Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
C.3 Identity Federation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
C.4 Authorization Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
C.5 What's New in SAML 2.0? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
C.6 Identity Provider Process Flow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Contents 9
C.7 SAML Service Provider Process Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
D Data Model Extension XML 319
D.1 Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
D.2 Writing Data Model Extension XML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
novdocx (en) 19 February 2010
10 Novell Access Manager 3.1 SP1 Identity Server Guide
About This Guide
This guide describes the following features of the Access Manager Identity Server:
Chapter 1, “Configuring an Identity Server,” on page 13
Chapter 2, “Configuring Local Authentication,” on page 75
Chapter 3, “Configuring Advanced Local Authentication Procedures,” on page 105
Chapter 4, “Defining Shared Settings,” on page 133
Chapter 5, “Configuring SAML and Liberty Trusted Providers,” on page 141
Chapter 6, “Configuring CardSpace,” on page 167
Chapter 7, “Configuring WS Federation,” on page 187
Chapter 8, “Configuring User Identification Methods for Federation,” on page 209
Chapter 9, “Configuring Communication Profiles,” on page 219
Chapter 10, “Configuring Liberty Web Services,” on page 223
Chapter 11, “Maintaining an Identity Server,” on page 247
novdocx (en) 19 February 2010
Chapter 12, “Troubleshooting the Identity Server and Authentication,” on page 275
This guide is intended to help you understand and configure all of the features provided by the
Identity Server, and includes advanced topics.
It is recommended that you first become familiar with the information in the Novell Access Manager
3.1 SP1 Setup Guide, which helps you understand how to perform a basic Identity Server
configuration, set up a resource protected by an Access Gateway, and configure SSL.
The setup guide and this guide are designed to work together, and important information and setup
steps are not always repeated in both places.
Audience
This guide is intended for Access Manager administrators. It is assumed that you have knowledge of
evolving Internet protocols, such as:
Extensible Markup Language (XML)
Simple Object Access Protocol (SOAP)
Security Assertion Markup Language (SAML)
Public Key Infrastructure (PKI) digital signature concepts and Internet security
Secure Socket Layer/Transport Layer Security (SSL/TSL)
Hypertext Transfer Protocol (HTTP and HTTPS)
Uniform Resource Identifiers (URIs)
Domain Name System (DNS)
Web Services Description Language (WSDL)
About This Guide 11
Feedback
We want to hear your comments and suggestions about this guide and the other documentation
included with this product. Please use the User Comments feature at the bottom of each page of the
online documentation, or go to Documentation Feedback (http://www.novell.com/documentation/
feedback.html) at www.novell.com/documentation/feedback.html and enter your comments there.
Documentation Updates
For the most recent version of the Access Manager Identity Server Guide, visit the Novell Access
Manager Documentation Web site (http://www.novell.com/documentation/novellaccessmanager31/
).
Additional Documentation
Before proceeding, you should be familiar with the Novell Access Manager 3.1 SP1 Installation
Guide and the Novell Access Manager 3.1 SP1 Setup Guide, which provides information about
setting up the Access Manager system.
If you are unfamiliar with SAML 1.1, see “SAML Overview” (http://www.novell.com/
documentation/saml/saml/data/ag8qdk7.html) on the Documentation Web site (http://
www.novell.com/documentation/a-z.html).
novdocx (en) 19 February 2010
For conceptual information about Liberty, and to learn about what is new for SAML 2.0, see
Appendix B, “About Liberty,” on page 311 and Appendix C, “Understanding How Access Manager
Uses SAML,” on page 313.
For information about the other Access Manager devices and features, see the following:
Novell Access Manager 3.1 SP1 Administration Console Guide
Novell Access Manager 3.1 SP1 Access Gateway Guide
Novell Access Manager 3.1 SP1 Policy Management Guide
Novell Access Manager 3.1 SP1 Agent Guide
Novell Access Manager 3.1 SP1 SSL VPN Server Guide
Novell Access Manager 3.1 SP1 Event Codes
Documentation Conventions
In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and
items in a cross-reference path.
A trademark symbol (®, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party
trademark.
When a single pathname can be written with a backslash for some platforms or a forward slash for
other platforms, the pathname is presented with a backslash. Users of platforms that require a
forward slash, such as Linux* or UNIX*, should use forward slashes as required by your software.
12 Novell Access Manager 3.1 SP1 Identity Server Guide
1
Configuring an Identity Server
After you log in to the Administration Console, click Devices > Identity Servers. The system
displays the newly installed server.
A newly installed Identity Server is in an unconfigured state and is halted. It remains in this state and
cannot function until you create an Identity Server configuration and assign the Identity Server to
the new configuration. The configuration defines how the Identity Server functions in an Access
Manager configuration. In an Identity Server cluster, multiple servers use the same configuration
and provide failover and load balancing services.
novdocx (en) 19 February 2010
1
Section 1.1, “Managing a Cluster Configuration,” on page 13
Section 1.2, “Customizing Identity Server Messages,” on page 25
Section 1.3, “Customizing the Identity Server Login Page,” on page 30
Section 1.4, “Customizing the Identity Server Logout Page,” on page 48
Section 1.5, “Enabling Role-Based Access Control,” on page 49
Section 1.6, “Using netHSM for the Signing Key Pair,” on page 49
Section 1.7, “Configuring Secure Communication on the Identity Server,” on page 66
Section 1.8, “Security Considerations,” on page 71
For information on configuring local authentication options, see the following:
Chapter 2, “Configuring Local Authentication,” on page 75
Chapter 3, “Configuring Advanced Local Authentication Procedures,” on page 105
Chapter 4, “Defining Shared Settings,” on page 133
Chapter 10, “Configuring Liberty Web Services,” on page 223
1.1 Managing a Cluster Configuration
After you install an Identity Server, you must create a cluster configuration in order to configure the
Identity Server. Even if you have only one Identity Server, you must assign it to a cluster
configuration to configure it. If you have multiple Identity Servers, you can create multiple
configurations and assign different Identity Servers to them as shown in Figure 1-1.
Configuring an Identity Server
13
Figure 1-1 Identity Server Configurations
novdocx (en) 19 February 2010
Configuration A
Identity Server 1
Identity Server 2
Configuration A Configuration B
Identity Server 1
Identity Server 2
When you assign multiple Identity Servers to the same configuration, you need to install a load
balancer that supports either Layer 4 or Layer 7. This device is referred to as an L4 switch in this
manual. The L4 switch allows the work load to be balanced among the machines.
Whether you have one machine or multiple machines in a cluster, the Access Manager software
configuration process is the same. This section describes the following cluster management tasks:
Section 1.1.1, “Creating a Cluster Configuration,” on page 14
Section 1.1.2, “Assigning an Identity Server to a Cluster Configuration,” on page 19
Section 1.1.3, “Configuring Session Failover,” on page 19
Section 1.1.4, “Removing a Server from a Cluster Configuration,” on page 20
Section 1.1.5, “Managing a Cluster with Multiple Identity Servers,” on page 21
Section 1.1.6, “Enabling and Disabling Protocols,” on page 24
Section 1.1.7, “Modifying the Base URL,” on page 24
1.1.1 Creating a Cluster Configuration
This section discusses the settings available for an Identity Server configuration, such as importing
SSL certificates, enabling introductions, and configuring identity consumer settings. You should be
familiar with “Creating a Basic Identity Server Configuration” in the Novell Access Manager 3.1
SP1 Setup Guide before proceeding.
An Identity Server always operates as an identity provider and can optionally be configured to run as
an identity consumer (also known as a service provider), using Liberty, SAML 1.1, SAML 2.0,
CardSpace or WS Federation protocols. In an Identity Server cluster, multiple servers use the same
configuration.
In an Identity Server configuration, you specify the following information:
The base URL for the server or clustered server site.
Certificates for the Identity Server, identity provider, and identity consumer.
Authentication settings, such as whether the identity provider requires signed authentications
from service providers.
The service domains used for publishing and discovering authentications.
14 Novell Access Manager 3.1 SP1 Identity Server Guide
Organizational and contact information for the server, which is published in the metadata of the
Liberty and SAML protocols.
The LDAP directories (user stores) used to authenticate users, and the trusted root for secure
communication between the Identity Server and the user store.
To create an Identity Server configuration:
1 In the Administration Console, click Devices > Identity Servers.
2 Select the Identity Server’s check box, then click New Cluster.
Selecting the server is one way to assign it to the cluster configuration.
3 In the New Cluster dialog box, specify a name for the cluster configuration.
If you did not select the server in the previous step, you can now select the server or servers that
you want to assign to this configuration.
For more information about assigning servers to a configuration, see Section 1.1.2, “Assigning
an Identity Server to a Cluster Configuration,” on page 19.
4 Click OK.
novdocx (en) 19 February 2010
5 Fill in the following fields to specify the Base URL for your Identity Server configuration:
Configuring an Identity Server 15
Name: Specify a name by which you want to refer to the configuration. This field is populated
with the name you provided in the New Cluster dialog box. You can change this name here, if
necessary.
IMPORTANT: Carefully determine your settings for the base URL, protocol, and domain.
After you have configured trust relationships between providers, changing these settings
invalidates the trust model and requires a reimport of the provider’s metadata.
Modifying the base URL also invalidates the trust between the Embedded Service Provider of
Access Manager devices. To re-establish the trust after modifying the base URL, you must
restart the Embedded Service Provider on each device.
Base URL: Specify the application path for the Identity Server. The Identity Server protocols
rely on this base URL to generate URL endpoints for each protocol.
Protocol: Select the communication protocol. Specify HTTPS in order to run securely (in
SSL mode) and for provisioning. Use HTTP only if you do not require security.
Domain: Specify the DNS name assigned to the Identity Server. When you are using an
L4 switch, this DNS name should resolve to the virtual IP address set up on the L4 switch
for the Identity Servers. Using an IP address is not recommended.
Port: Specify the port value for the protocol. Default ports are 8080 for HTTP or 8443 for
HTTPS. If you want to use port 80 or 433, specify the port here.
novdocx (en) 19 February 2010
If you are configuring a Linux Identity Server, you must also configure the operating
system to translate the port. See Section 12.4, “Translating the Identity Server
Configuration Port,” on page 286.
If you are configuring a Windows Identity Server, you must also modify the Tomcat
server.xml
file located in the
\Program Files\Novell\Tomcat\conf
directory.
Change the ports from 8080 and 8443 to 80 and 443, then restart the Tomcat service.
Application: Specify the Identity Server application. Leave the default value nidp.
SSL Certificate: Displays the currently assigned SSL certificate.
The Identity Server comes with a test-connector certificate that you must replace to use SSL in
your production environment. You can replace the test certificate now or after you configure
the Identity Server. If you create the certificate and replace the test-connector now, you can
save some time by restarting Tomcat only once. Tomcat must be restarted whenever you assign
an Identity Server to a configuration and whenever you update a certificate key store. See
Section 1.7.3, “Managing the Keys, Certificates, and Trust Stores,” on page 68.
For information on how to replace the test-connector certificate, see “Enabling SSL
Communication” in the Novell Access Manager 3.1 SP1 Setup Guide.
6 To configure session limits, fill in the following fields:
LDAP Access: Specify the maximum number of LDAP connections the Identity Server can
create to access the configuration store. You can adjust this amount for system performance.
Session Timeout: Specify the session inactivity time allowed before timing out. This is a
global setting that applies to any resource that authenticates to this Identity Server or Identity
Server cluster. The default setting is 60 minutes.
16 Novell Access Manager 3.1 SP1 Identity Server Guide
This is a security setting:
Lower it if you want idle sessions to time out with a smaller window of opportunity for
someone to take over a session of a user who takes a break, leaving an active session
unattended.
Increase it if you want to allow idle users to have a longer time period before they are
forced to log in again.
If the resource is configured to use Basic authentication, the session times out, but the browser
must be closed to terminate the session.
Limit User Sessions: Specify whether user sessions are limited. If selected, you can specify
the maximum number of concurrent sessions a user is allowed to authenticate.
If you decide to limit user sessions, you should also give close consideration to the session
timeout value (the default is 60 minutes). If the user closes the browser without logging out (or
an error causes the browser to close), the session is not cleared until the session timeout
expires. If the user session limit is reached and those sessions have not been cleared with a
logout, the user cannot log in again until the session timeout expires for one of the sessions.
When enabled, this option affects performance in a cluster with multiple Identity Servers.
When a user is limited to a specific number of sessions, the Identity Servers must check with
the other servers before establishing a new session.
novdocx (en) 19 February 2010
Allow multiple browser session logout: Specify whether a user with more than one session to
the server is presented with an option to log out of all sessions. If you do not select this option,
only the current session can be logged out. Deselect this option in instances where multiple
users log in as guests. Then, when one user logs out, none of the other guests are logged out.
When you enable this option, you must also restart any Embedded Service Providers that use
this Identity Server configuration.
7 To configure TCP timeouts, fill in the following fields:
LDAP: Specify how long an LDAP request to the user store can take before timing out.
Proxy: Specify how long a request to another cluster member can take before timing out.
When a member of a cluster receives a request from a user who has authenticated with another
cluster member, the member sends a request to the authenticating member for information
about the user.
Request: Specify how long an HTTP request to another device can take before timing out.
8 To control which protocols can be used for authentication, select one or more of the following
protocols:
Liberty: Uses a structured version of SAML to exchange authentication and authorization data
between trusted identity providers and service providers and provides the framework for user
federation.
IMPORTANT: If you are using other Access Manager devices such as the Access Gateway,
SSL VPN, or the J2EE Agents, you need to enable the Liberty protocol. The Access Manager
devices use an Embedded Service Provider. If you disable the Liberty protocol, you disable the
trusted relationships these devices have with the Identity Server, and authentication fails.
SAML 1.1: Uses XML for exchanging authentication and authorization data between trusted
identity providers and service providers.
SAML 2.0: Uses XML for exchanging encrypted authentication and authorization data
between trusted identity providers and service providers and provides the framework for user
federation.
Configuring an Identity Server 17
STS: A security token service that creates digital identities from claims, which can then be
used as a card or a token for authentication.
CardSpace: Uses Microsoft* client software that stores a user’s information in a digital
identity or information card, which can then be presented and used as authentication
credentials.
WS Federation: Allows disparate security mechanisms to exchange information about
identities, attributes, and authentication.
9 To continue creating the Identity Server configuration, click Next.
The system displays the Organization page.
novdocx (en) 19 February 2010
Use this page to specify organization information for the Identity Server configuration. The
information you specify on this page is published in the metadata for the Liberty 1.2 and
SAML protocols. The metadata is traded with federation partners and supplies various
information regarding contact and organization information located at the Identity Server.
The following fields require information:
Name: The name of the organization.
Display Name: The display name for the organization.
URL: The organization’s URL for contact purposes.
Optional fields include Company, First Name, Last Name, Email, Telephone, and Contact
Type .
10 Click Next to configure the user store.
You must reference your own user store and auto-import the SSL certificate. See Section 2.1.2,
“Configuring the User Store,” on page 77 for information about this procedure.
18 Novell Access Manager 3.1 SP1 Identity Server Guide
11 After you configure the user store, the system displays the new configuration on the Servers
page.
The status icons for the configuration and the Identity Server should turn green. It might take several
seconds for the Identity Server to start and for the system to display a green light. If it does not, it is
likely that the Identity Server is not communicating with the user store you set up. Ensure that you
have entered the user store information correctly, and that you imported the SSL certificate to the
user store. (Edit > Local > [User Store Name].)
1.1.2 Assigning an Identity Server to a Cluster Configuration
novdocx (en) 19 February 2010
After you create a configuration, you must assign an Identity Server to it. For clustering, you can
assign more than one Identity Server to the configuration (see Section 1.1.5, “Managing a Cluster
with Multiple Identity Servers,” on page 21 for the steps to set up a cluster). A configuration uses
any shared settings you have specified, such as attribute sets, user matching expressions, and custom
attributes that are defined for the server.
1 In the Administration Console, click Devices > Identity Servers.
2 On the Servers page, select the server’s check box, then choose Actions > Assign to Cluster.
You can select all displayed servers by selecting the top-level Server check box.
3 Select the configuration’s check box, then click Assign.
You are prompted to restart Tomcat. The status icon for the Identity Server should turn green. It
might take several seconds for the Identity Server to start and for the system to display the
green light.
1.1.3 Configuring Session Failover
When you set up an Identity Server cluster and add more than one Identity Server to the cluster, you
have set up fault tolerance. This ensures that if one of the Identity Servers goes down, users still
have access to your site because the remaining Identity Server can be used for authentication.
However, it doesn’t provide session failover. If a user has authenticated to the failed Identity Server,
that user is prompted to authenticate and the session information is lost.
When you enable session failover and an Identity Server goes down, the user’s session information
is preserved. Another peer server in the cluster re-creates the authoritative session information in the
background. The user is not required to log in again and experiences no interruption of services.
“Prerequisites” on page 20
“Configuring Session Failover” on page 20
“How Fallover Peers Are Selected” on page 20
Configuring an Identity Server 19
Prerequisites
An Identity Server cluster with two or more Identity Servers.
Sufficient memory on the Identity Servers to store additional authentication information. When
an Identity Server is selected to be a failover peer, the Identity Server stores about 1 K of
session information for each user authenticated on the other machine.
Sufficient network bandwidth for the increased login traffic. The Identity Server sends the
session information to all the Identity Servers that have been selected to be its failover peers.
All trusted Embedded Services Providers need to be configured to send the attributes used in
Form Fill and Identity Injection policies at authentication. If you use any attributes other than
the standard credential attributes in your contracts, you need to send these attributes also. To
configure the attributes to send, click Devices > Identity Servers > Edit > Liberty > [Name of
Service Provider] > Attributes.
Configuring Session Failover
1 In the Administration Console, click Devices > Identity Servers.
novdocx (en) 19 February 2010
2 In the list of clusters and Identity Servers, click the name of an Identity Server cluster.
3 Click the IDP Failover Peer Server Count, then select the number of failover peers you want
each Identity Server to have.
To disable this feature, select 0.
To enable this feature, select one or two less than the number of servers in your cluster.
For example, if you have 4 servers in your clusters and you want to allow for one server
being down for maintenance, select 3 (4-1=3). If you want to allow for the possibility of
having two down, select 2 (4-2=2).
If you have eight or more servers in your cluster, the formula 8-2=6 gives each server 6
peers. This is probably more peers than you need for session failover. In a larger cluster,
you should probably limit the number of peers to 2 or 3. If you select too many peers, your
machines might require more memory to hold the session data and you might slow down
your network with the additional traffic for session information.
4 Click OK.
How Fallover Peers Are Selected
The failover peers for an Identity Server are selected according to their proximity. Access Manager
sorts the members of the cluster by their IP addresses and ranks them according to how close their IP
addresses are to the server who needs to be assigned failover peers. It selects the closest peers for the
assignment. For example, if a cluster member exists on the same subnet, that member is selected to
be a failover peer before a peer that exist on a different subnet.
1.1.4 Removing a Server from a Cluster Configuration
Removing an Identity Server from a configuration disassociates the Identity Server from the cluster
configuration. The configuration, however, remains intact and can be reassigned later or assigned to
another server.
1 In the Administration Console, click Devices > Identity Servers.
20 Novell Access Manager 3.1 SP1 Identity Server Guide
2 Select the server, then click Stop. Wait for the Health indicator to turn red.
3 Select the server, then choose Actions > Remove from Cluster.
For information about deleting an Identity Server, see Section 11.1, “Managing an Identity Server,”
on page 247.
1.1.5 Managing a Cluster with Multiple Identity Servers
To add capacity and to enable system failover, you can cluster a group of Identity Servers and
configure them in a cluster configuration to act as a single server. However, a cluster is not intended
for login failover because all authentication data for a user is stored in memory on the cluster
member or authenticating server that originally handled the user's authentication. If this server
malfunctions, all users whose authentication data resides on the authenticating server must
reauthenticate unless you also configure session failover (see Section 1.1.3, “Configuring Session
Failover,” on page 19).
All requests that require user authentication information must be processed on the user’s
authenticating server. For example, if an HTTP request is received by a cluster server other than the
authenticating server, then the HTTP request is forwarded to the authenticating server in the cluster.
This server processes the HTTP request and routes it back through the forwarding cluster member
and then to the original requester.
novdocx (en) 19 February 2010
A cluster of Identity Servers should reside behind an L4 switch. Clients access the virtual IP (VIP)
address of the cluster presented on the L4 switch, and the L4 switch alleviates server load by
balancing traffic across the cluster. Whenever a user accesses the virtual IP address assigned to the
L4 switch, the system routes the user to one of the Identity Servers in the cluster, as traffic
necessitates.
“Prerequisites” on page 21
“Setup” on page 22
Prerequisites
An L4 switch installed. You can use the same switch for Identity Server clustering and Access
Gateway clustering, provided that you use different virtual IPs. The LB algorithm can be
anything (hash/sticky bit), defined at the Real server level. For configuration tips, see
“Configuration Tips for the L4 Switch ” in the Novell Access Manager 3.1 SP1 Setup Guide.
Persistence (sticky) sessions enabled on the L4 switch. Normally you define this at the virtual
server level.
An Identity Server configuration created for the cluster. You assign all the Identity Servers to
this configuration. See Section 1.1.1, “Creating a Cluster Configuration,” on page 14 for
information about creating an Identity Server configuration. See Section 1.1.2, “Assigning an
Identity Server to a Cluster Configuration,” on page 19 for information about assigning identity
servers to configurations.
The base URL DNS name of this configuration must resolve via DNS to the IP address of the
L4 virtual IP address. The L4 switch balances the load between the Identity Servers in the
cluster.
Ensure that the L4 administration server using port 8080 has the following TCP ports open:
8443 (secure Administration Console)
Configuring an Identity Server 21
7801 + 1 (for back-channel communication with cluster members. You need to open two
consecutive ports such as 7801 and 7802.)
636 (for secure LDAP)
389 (for clear LDAP)
524 (network control protocol on the L4 switch for server communication)
The identity provider ports must also be open:
8080 (non-secure login)
8443 (secure login)
1443 (server communication)
If you are using introductions (see Section 1.1.1, “Creating a Cluster Configuration,” on
page 14), you must configure the L4 switch to load balance on ports 8445 (identity provider)
and 8446 (identity consumer).
Setup
1 Install the additional Identity Servers.
novdocx (en) 19 February 2010
During installation, choose option 2, Install Novell Identity Server. You run the installation for
each new Identity Server you want to add. Specify the IP address and administration credentials
of each additional Identity Server. If you are installing on a machine without the Administration
Console, the installation asks you for the Administration Console’s IP address. After you install
the Identity Servers, the servers are displayed on the Servers page in Identity Servers.
2 Assign the Identity Servers to the same cluster configuration (see Section 1.1.2, “Assigning an
Identity Server to a Cluster Configuration,” on page 19).
3 Click the name of the cluster configuration.
22 Novell Access Manager 3.1 SP1 Identity Server Guide
The system displays the Cluster Details page, which lets you manage the configuration’s
cluster details, health, alerts, and statistics.
4 Click Edit.
5 Fill in the following fields as required:
novdocx (en) 19 February 2010
Cluster Communication Backchannel: Specify a communications channel over which the
cluster members maintain the integrity of the cluster. For example, this TCP channel is used to
detect new cluster members as they join the cluster, and to detect members that leave the
cluster. A small percentage of this TCP traffic is used to help cluster members determine which
cluster member would best handle a given request. This back channel should not be confused
with the IP address/port over which cluster members provide proxy requests to peer cluster
members.
Port: Specify the TCP port of the cluster back channel on all of the Identity Servers in the
cluster. 7801 is the default TCP port.
Because the cluster back channel uses TCP, you can have cluster members on different
networks. However, firewalls must allow the ports specified here plus one to pass through.
You need to open two ports for each cluster, for example, 7801 and 7802.
Encrypt: Encrypts the content of the messages that are sent between cluster members.
Level Four Switch Port Translation: Configure the L4 switch to translate the port of the
incoming request to a new port when the request is sent to a cluster member. Because the
cluster members communicate with each other over the same IP address/port as the L4 switch,
the cluster implementation needs to know what that port is. The translated port is the port on
the cluster members where other cluster members can contact it. This is the IP address and port
where cluster members provide proxy requests to other cluster members.
Port translation is enabled on switch: Specify whether the port of the L4 switch is
different from the port of the cluster member. For example, enable this option when the L4
switch is using port 443 and the Identity Server is using port 8443.
Cluster member translated port: Specify the port of the cluster member.
IDP Failover Peer Server Count: For configuration information, see Section 1.1.3,
“Configuring Session Failover,” on page 19.
6 Click OK, then update the Identity Server as prompted.
Configuring an Identity Server 23
1.1.6 Enabling and Disabling Protocols
You can control which protocols can be used for authenticating with an Identity Server
configuration. A protocol must be enabled and configured before users can use the protocol for
authentication. For tight security, consider disabling the protocols that you are not going to use for
authentication.
When disabling a protocol, updating the Identity Server configuration is not enough. You must stop
and start the Identity Server.
1 In the Administration Console, click Devices > Identity Servers > Edit.
2 In the Enabled Protocols section, select the protocols to enable
3 To disable a protocol, deselect it.
4 Click OK.
5 (Conditional) If you have enabled a protocol, update the Identity Server.
6 (Conditional) If you have disabled a protocol, updating the Identity Server is not enough.
6a Select the Identity Server, then click Stop.
6b When the health turns red, select the Identity Server, then click Start.
novdocx (en) 19 February 2010
6c Repeat the process for each Identity Server in the cluster.
1.1.7 Modifying the Base URL
When configuring an Identity Server, you must carefully determine your settings for the base URL,
protocol, and domain. Changing the base URL invalidates the trust model and requires a reimport of
the provider’s metadata, and a restart of the affected Embedded Service Providers. It also changes
the ID of the provider and the URLs that others use for access.
When you change the base URL of the Identity Server, you invalidate the following trusted
relationships:
The trusted relationships that the Identity Server has established with each Access Manager
device that has been configured to use the Identity Server for authentication
The trusted relationship that each Access Manager device has established with the Identity
Server when the Identity Server configuration was selected.
The trusted relationships that the Identity Server has established with other service providers.
The sessions of any logged in users are destroyed and no user can log in and access protected
resources until the trust relationships are reestablished.
To modify the base URL and re-establish trust relationships:
1 In the Administration Console, click Devices > Identity Servers > Edit.
2 Change the protocol, domain, port, and application settings, as necessary.
3 Click OK.
4 On the Identity Servers page, click Update.
This re-creates the trusted Identity Server configuration to use the new Base URL and
metadata.
24 Novell Access Manager 3.1 SP1 Identity Server Guide
5 Restart Tomcat on each Identity Server in the configuration:
Linux Identity Server: Enter the following command:
/etc/init.d/novell-tomcat5 restart
Windows Identity Server: Enter the following commands:
net stop Tomcat5
net start Tomcat5
6 For each Access Manager device configured to trust the configuration of this modified base
URL, you must update the device so that the Embedded Service Provider trusts the new
Identity Server configuration:
Click Access Gateways, then click Update for any servers with a Status of Update.
Click SSL VPNs, then click Update for any servers with a Status of Update.
Click J2EE Agents, then click Update for any agents with a Status of Update.
7 For each service provider you have configured to trust the configuration of this modified base
URL, you must send them the new metadata and have them re-import it.
For information about setting up SSL and changing an Identity Server from HTTP to HTTPS, see
“Enabling SSL Communication” in the Novell Access Manager 3.1 SP1 Setup Guide.
novdocx (en) 19 February 2010
1.2 Customizing Identity Server Messages
Section 1.2.1, “Customizing Messages,” on page 25
Section 1.2.2, “Customizing the Branding of the Error Page,” on page 27
Section 1.2.3, “Customizing Tooltip Text for Authentication Contracts,” on page 29
1.2.1 Customizing Messages
1 To customize the error pages, determine whether you need one custom file or multiple files:
If you do not need to support multiple languages, you can create one custom file for all
your customized messages.
If you need to support multiple languages, you need to create a custom file for each
language you want to customize.
2 Create the custom properties file and name it:
To support one language, name the file
To support multiple languages, create a
nidp_custom_resources.properties
nidp_custom_resources.<le_cy>.properties
file for each supported language. Replace <le_cy> with the standard convention for Java
Resource Bundles for the language or the language and country. For example:
nidp_custom_resources_en_US.properties
nidp_custom_resources_fr.properties
nidp_custom_resources_es.properties
If you want to support a custom messages for a language and a country and for just the
language, you must create two files. For example:
nidp_custom_resources_es_VE.properties
nidp_custom_resources_es.properties
3 Copy the
nidp.jar
file to a working area. This file is located in the following directory:
.
Configuring an Identity Server 25
novdocx (en) 19 February 2010
Linux:
Windows:
4 Unzipthe
5 In the working directory, locate the
com/novell/nidp/resource/strings
com/novell/nidp/resource/logging
com/novell/nidp/resource/jsp
com/novell/nidp/resource/jcc
com/novell/nidp/resource/noxlate
com/novell/nidp/liberty/wsf/idsis/ppservice/model
com/novell/nidp/liberty/wsf/idsis/epservice/model
com/novell/nidp/liberty/wsf/idsis/opservice/model
com/novell/nidp/liberty/wsf/idsis/apservice/model
com/novell/nidp/liberty/wsf/interaction
com/novell/nidp/liberty/wsf/idsis/ssservice/model
com/novell/nidp/servlets/handler/identityeditor
com/novell/nidp/servlets/handler/identityaccesseditor
com/novell/nidp/liberty/wsf/idsis/model
com/novell/nidp/liberty/wsf/idsis/authority/ldap/attribute/plugins/
resources
com/novell/nidp/liberty/wsf/idsis/ldapservice/model
/var/opt/novell/tomcat5/webapps/nidp/WEB-INF/lib
C:\Program Files\Novell\Tomcat\webapps\nidp\WEB-INF\lib
nidp.jar
file to the working directory.
.properties
files in the following directories:
The properties files that have been localized contain the messages that end users might see. The
properties files that have not been localized contain messages that the end users should not see.
6 Locate the messages you want to customize and copy them to your custom file.
All the messages you want to customize are placed in this file, even though they come from
different properties files. Your file should look similar to the following if you selected to
customize messages from the
SSModelResources_en_US.properties
NIDPMAIN.100=An Identity Provider response was received that failed to
authenticate this session.
NIDPMAIN.101=A request for identity federation could not be completed.
NIDPMAIN.102=A request for identity federation termination could not be
completed.
SS.WKSLdapCreds = LDAP Credentials
SS.WKSELdapCredsUserName = LDAP User Name
SS.WKSELdapCredsUserDN = LDAP User DN
SS.WKSELdapCredsUserPassword = LDAP Password
SS.WKSX509Creds = X509 Credentials
nidp_resources_en_US.properties
file. For example:
file and the
7 (Conditional) If you are supporting multiple languages, copy the messages to each custom
language file.
8 Replace the messages in the file with your custom messages.
Replace the string after the equals (=) sign with your translated or customized message.
If you are using double-byte characters, the characters need to be in Unicode, hexadecimal
format with a
prefix. For example:
\u5c71
.
\u
9 Save the file.
10 Copy the custom properties file to the following directory on all Identity Servers in the cluster:
Linux:
Windows:
/var/opt/novell/tomcat5/webapps/nidp/WEB-INF/classes
C:\Program Files\Novell\Tomcat\webapps\nidp\WEB-INF\classes
26 Novell Access Manager 3.1 SP1 Identity Server Guide
11 (Optional) To enable messages about the loading of the custom properties files, enable debug
logging:
11a In the Administration Console, click Devices > Identity Servers > Edit > Logging.
11b In the Component File Logger Levels section, select Debug level for Application.
11c Click OK, then update the Identity Server.
12 Restart Tomcat.
Linux Identity Server: Enter the following command:
/etc/init.d/novell-tomcat5 restart
Windows Identity Server: Enter the following commands:
net stop Tomcat5
net start Tomcat5
13 (Optional) To verify the loading of the custom properties files:
13a View the log file by clicking Auditing > General Logging.
13b Search for messages similar to the following in the
The named Custom Properties File was loaded and will be used:
catalina.out or stdout.log
file:
novdocx (en) 19 February 2010
Custom Properties File successfully loaded! Name: <Custom Properties
FileName>
An error occurred loading a specific Custom Properties File. Loading
of other Custom Properties Files will continue.
<Error Description>, Attempting to load Custom Properties File! Name:
<Custom Properties FileName>
The locale specifier in the Custom Properties File filename could not
be successfully parsed into a valid locale. Loading of other Custom
Properties Files will continue.
Custom Properties File load failed. Could not determine correct
locale! Name: <Custom Properties FileName>
A general error occurred loading Custom Properties Files. Loading will
stop and all un-loaded Custom Properties Files will not be loaded.
<Error Description>, Attempting to load Custom Properties Files!
To create custom error pages for the Access Gateway, see “Customizing Error Pages on the Gateway
Appliance” in the Novell Access Manager 3.1 SP1 Access Gateway Guide.
1.2.2 Customizing the Branding of the Error Page
The following page (
err.jsp
) is returned when the Identity Server encounters an error:
Configuring an Identity Server 27
The file is located in the following directory.
novdocx (en) 19 February 2010
Linux:
Windows:
/var/opt/novell/tomcat5/webapps/nidp/jsp
\Program Files\Novell\Tomcat\webapps\nidp\jsp
IMPORTANT: After you have customized this page, you need to ensure you back up this page
before doing an upgrade. The upgrade process overrides any custom changes made to the
err.jsp
page.
For information on customizing the error message, see Section 1.2.1, “Customizing Messages,” on
page 25.
You can customize the following items:
The window title and the display title. See “Customizing the Titles” on page 28.
The header image and the Novell logo. See “Customizing the Images” on page 29.
Background colors. See “Customizing the Colors” on page 29.
Customizing the Titles
The window title appears in the browser title bar. To replace this text, open the
locate the following text that appears between the
<title><%=handler.getResource(JSPResDesc.TITLE)%></title>
Replace the content between the
<title>
and
<head></head>
</title>
tags with the title you want to appear. For
tags:
err.jsp
file and
example:
<title>My Company</title>
The display title is the title that appears in the top frame of the page. Locate the following text that
appears in the
<div id="title"><%=handler.getResource(JSPResDesc.PRODUCT)%></div>
<body>
of the page:
Replace the content between the
For example:
28 Novell Access Manager 3.1 SP1 Identity Server Guide
<div id="title">
and
</div>
with the title you want to appear.
<div id="title">My Company</div>
Customizing the Images
novdocx (en) 19 February 2010
To replace the header image, open the
err.jsp
file and locate the following text in the body of the
file.
<div><img src="/nesp/images/AccessMan_Login_Head.png"></div>
Replace the value of the
src
attribute with the path and filename of the image you want to use.
To replace the Novell logo image, locate the following text in the body of the file.
<div id="logo"><img src="/nesp/images/AccessMan31_Nlogo.png"></div>
Replace the value of the
src
attribute with the path and filename of the image you want to use.
Customizing the Colors
To change the background colors on the page, modify the color values in the
<head>
.
<style>
section of the
1.2.3 Customizing Tooltip Text for Authentication Contracts
The strings that users see when they mouse over the cards for authentication contracts can be
customized. If you need to support only one language, modify the text in the Administration
Console.
1 In the Administration Console, click Devices > Identity Servers > Edit > Local > Contracts.
2 Click the name of a contract, then click Authentication Card.
3 Replace the English text in the Tex t option with the required language, then click OK.
4 Repeat Step 2 and Step 3 for each contract in the list.
5 Click OK, then update the Identity Server.
If you need to support multiple languages, you need to localize the tooltips. The nidsCardText
attribute of the nidsAuthLocalContract object needs to be changed to a resource ID. The following
procedure explains how to do this in the Administration Console. You can also use an LDAP
browser.
1 In the Administration Console, click Devices > Identity Servers > Edit > Local > Contracts.
2 Click the name of a contract, then click Authentication Card.
3 Replace the text in the Tex t option with a resource ID.
For example, replace
Name/Password - Form
with
CUSTOM_NamePwdFormToolTip
.
4 Click OK.
5 Repeat Step 2 through Step 4 for each contract in the list.
6 Click OK, then update the Identity Server.
7 Use custom string resource files to define the localized strings.
7a Change to the
WEB-INF/classes
directory.
7b For each supported language, create a properties file. For example:
Configuring an Identity Server 29
nidp_custom_resources_fr.properties
nidp_custom_resources_es.properties
If you have already created these files for custom messages (see Section 1.2.1,
“Customizing Messages,” on page 25), use the existing files.
7c For each resource ID you have created, add an entry that contains the resource ID and the
text you want displayed for that language. For example:
CUSTOM_NamePwdFormToolTip=Forma de Nombre/Clave
7d Repeat Step 7c for each supported language file.
8 Restart Tomcat.
Linux Identity Server: Enter the following command:
/etc/init.d/novell-tomcat5 restart
Windows Identity Server: Enter the following commands:
net stop Tomcat5
net start Tomcat5
1.3 Customizing the Identity Server Login Page
novdocx (en) 19 February 2010
You can create custom login pages that are displayed when the user authenticates to the Identity
Server. You might want to rebrand the User Portal or authenticate users with non-default attributes
(such as the email address attribute rather than the cn attribute). You also might be fronting several
protected resources with an Access Gateway, and you need to create a unique login page for each
resource.
When you customize the login page, you need to decide on the type of page to use. See
Section 1.3.1, “Selecting the Login Page and Modifying It,” on page 31. After you have made that
decision, you need to configure the Identity Server to display the correct login page. See
Section 1.3.2, “Configuring the Identity Server to Use Custom Login Pages,” on page 42.
Using Custom Pages from Previous Releases: The process for customizing login pages has been
modified in Access Manager 3.1 SP1. This new process requires some modifications to login pages
that have been customized for either 3.1 or 3.0. If you need information on these modification
procedures, see the following sections in the Novell Access Manager 3.1 SP1 Installation Guide:
“Modifying 3.0 Login Pages for 3.1 SP1”
“Upgrading from Access Manager 3.1 to 3.1 SP1”
Modifying the Target of the User Portal: If you want to control the target when users log directly
into the Identity Server, see Section 2.7.2, “Specifying a Target,” on page 101.
Modifying Error Pages: Both the Identity Server and the Access Gateway return error pages to the
user. For information on customizing these messages and pages, see the following:
“Customizing Identity Server Messages” on page 25
“Customizing Error Pages on the Gateway Appliance” in the Novell Access Manager 3.1 SP1
Access Gateway Guide
30 Novell Access Manager 3.1 SP1 Identity Server Guide
Loading...