
Novell Liberty Identity Provider for Novell eDirectory
www.novell.com
Legal Notices
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside. This product may require export authorization from the U.S. Department of Commerce prior to exporting from the U.S. or Canada.
Copyright © 2003 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Patents Pending.
Novell, Inc. 1800 South Novell Place Provo, UT 84606 U.S.A.
www.novell.com
Liberty Identity Provider for Novell eDirectory
April 2003
Online Documentation: To access the online documentation for this and other Novell products, and to get updates, see www.novell.com/documentation.
Novell Trademarks
eDirectory is a trademark of Novell, Inc.
Novell is a registered trademark of Novell, Inc. in the United States and other countries.
Third-Party Trademarks
All third-party trademarks are the property of their respective owners.
Contents

About This Guide 3
  Introduction 3
  Documentation Conventions 3
  Documentation Updates 3
1 Overview 5
  Understanding the Liberty Alliance 5
  Liberty Alliance Architecture 5
  Understanding the Value of the Novell Liberty Identity Provider 5
  Benefits of the Liberty Identity Provider for Novell eDirectory 6
    Define a Liberty Alliance Identity Provider 6
    Easily Create and Maintain User Identities 6
    Define Liberty Identity and Service Provider Relationships 6
    Securely Authenticate Users 6
    Give Users Control to Federate and Defederate Their Identity Information 7
  Service Provider Sample Code 7
2 Installing the Liberty Identity Provider 9
  Product Components 9
  System Requirements 9
    Liberty Identity Provider Requirements 9
    Liberty Server Requirements 9
  Installing Liberty Identity Provider Software 10
    Installing Liberty Identity Provider Software 10
    Installing the Liberty Administration Plug-ins When iManager is Already Installed on Your eDirectory Server 19
  Uninstalling the Liberty Identity Provider Software 19
3 Creating a Liberty IDP Site 21
  Creating a Liberty IDP Site 21
    1. Set Up a Liberty IDP Site 21
    2. Define Site Properties 24
    3. Define Service Providers 25
    4. Set Up Your Liberty Identity Server 27
    5. Manage Your Federations 27
4 Configuring Your Liberty Identity Provider to Run in SSL Mode 29
  Converting to Secure Mode 29
  Creating Certificates for Apache 30
  Customizing Your Liberty IDP User Interface 30
A Installing and Configuring a Sample Service Provider 33
  Installing the Sample Service Provider Software 33
  Configuring Your Service Provider 37
    Adding Additional Users 38
  Customizing Your Liberty SP User Interface 38
B Modifying Apache 39
  Modifying the Apache Configuration Files 39
  Importing Trusted Roots 42
C Troubleshooting Your Liberty IDP Installation and Configuration 43
  Troubleshooting Installation Issues 43
    Reviewing Log Files Created During Installation 43
  Troubleshooting Post-Installation Issues 44
    Reviewing Log Files Created After Installation 44
    Enabling Advanced Logging 46
  Basic Troubleshooting Tips 47
    Troubleshooting Apache 47
    Troubleshooting Tomcat 48
    Troubleshooting iManager 48

About This Guide

Introduction

The purpose of this documentation is to help you install, configure, and administer the Liberty identity provider for Novell® eDirectory™ infrastructure.
The audience for this documentation is network administrators.
This guide is divided into the following sections.
Chapter 1, “Overview,” on page 5 — An explanation of the benefits of the Liberty identity provider and an overview of the components that make up the Liberty product.
Chapter 2, “Installing the Liberty Identity Provider,” on page 9 — Instructions for how to install Liberty, including system requirements and software installation instructions.
Chapter 3, “Creating a Liberty IDP Site,” on page 21 — An explanation of the tasks you need to complete in order to set up a basic Liberty infrastructure.
Chapter 4, “Configuring Your Liberty Identity Provider to Run in SSL Mode,” on page 29 — Instructions for how to convert your Liberty identity provider to secure mode (SSL).
Appendix A, “Installing and Configuring a Sample Service Provider,” on page 33 — A guide for how to set up your service provider, including instructions for installing a sample service provider.
Appendix B, “Modifying Apache,” on page 39 — Information on how to modify your Apache configuration, including configuration examples and information on how to import trusted roots.
Appendix C, “Troubleshooting Your Liberty IDP Installation and Configuration,” on page 43 — Tips and tricks for troubleshooting your IDP installation and configuration issues.

Documentation Conventions

In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.

Documentation Updates

For the latest Liberty identity provider for Novell eDirectory documentation, including updates to this administration guide, see the online documentation at the Novell documentation Web site
(http://www.novell.com/documentation).

1 Overview

This section covers the following topics:
Understanding the Liberty Alliance
Liberty Alliance Architecture
Understanding the Value of the Novell Liberty Identity Provider
Benefits of the Liberty Identity Provider for Novell eDirectory
Service Provider Sample Code

Understanding the Liberty Alliance

The Liberty Alliance is a consortium of business leaders with a vision to enable a networked world in which individuals and businesses can more easily conduct transactions while protecting the privacy and security of vital identity information.
To accomplish its vision, the Liberty Alliance established an open standard for federated network identity through open technical specifications.
In essence, this open standard builds on the Security Assertion Markup Language, commonly referred to as SAML, extending it with federation and single sign-on profiles, with the goal of accelerating the deployment of standards-based single sign-on technology.

Liberty Alliance Architecture

The Liberty Alliance 1.1 specification has two main components: the Liberty identity provider (Liberty IDP) and the identity consumer, referred to as a Liberty service provider (SP).
A Liberty IDP is the central credential store for a user's identity information, and it is the heart of the user’s identity federations, or account linkage information. The Liberty IDP also serves as the authentication authority, which is viewed as a trusted identity store by the Liberty SPs.
Liberty SPs are the Web sites that the user wants to connect to.
A "circle of trust" is formed between Liberty IDPs and SPs to provide the user a secure infrastructure for controlling his or her identity information, and to facilitate Web single sign-on.

Understanding the Value of the Novell Liberty Identity Provider

When a user authenticates to a Liberty SP, he or she is given the option to federate his or her identity with his or her preferred Liberty IDP. This process creates a unique link between the Liberty IDP and SP identities.
The result of this link is realized on the user's next authentication to the Liberty SP. If the user already holds an authenticated session with his or her Liberty IDP, the IDP vouches for the user and the Liberty SP signs him or her in with no user interaction.
It is important to realize that it is the user who controls his or her identity federation. Thus, the user is responsible for federation (linking) and defederation (unlinking) of his or her identity information.

Benefits of the Liberty Identity Provider for Novell eDirectory

Novell® eDirectory™ is the most secure, high-performing, scalable directory service on the market today; security, performance, and scalability are the key requirements of a Liberty IDP identity store.
Using Liberty identity provider for Novell eDirectory software, you can accomplish the following:
Define a Liberty Alliance Identity Provider
Easily Create and Maintain User Identities
Define Liberty Identity and Service Provider Relationships
Securely Authenticate Users
Give Users Control to Federate and Defederate Their Identity Information

Define a Liberty Alliance Identity Provider

The Liberty identity provider for Novell eDirectory software delivers the technology to deploy a Liberty Alliance 1.1 Identity Provider.
“Liberty Server Requirements” on page 9 details the supported server platforms for the Novell Liberty IDP. Once you have a supported server and have installed Novell eDirectory 8.7, you are ready to install and configure the Liberty IDP technology.

Easily Create and Maintain User Identities

Novell's Web-based configuration tools allow the administrator to quickly define and maintain user identities.
eDirectory 8.7 also gives the administrator the option to import users from standard LDAP (LDIF) files, or to synchronize with an external user database by adding Novell DirXML technology.

Define Liberty Identity and Service Provider Relationships

Novell has designed the Liberty IDP and SP configuration screens so that the administrator can quickly enter the information needed to define Liberty identity and service providers.
Liberty SPs are also able to provide configuration information that can be imported directly into the Liberty IDP service.

Securely Authenticate Users

Having a secure identity store is worthless if you allow users to authenticate in an insecure manner. The Liberty Identity Provider for Novell eDirectory software lets administrators run the IDP in SSL mode (see Chapter 4, “Configuring Your Liberty Identity Provider to Run in SSL Mode,” on page 29), so that the login form and the credentials the user submits travel over an encrypted channel instead of in clear text.
Authentication is performed using a login form, which the user completes and submits to the Liberty IDP. If the user’s credentials (username and password) are verified against the eDirectory identity store, the user is authenticated and is able to federate his or her identities with chosen service providers.

Give Users Control to Federate and Defederate Their Identity Information

A user has the option to federate his or her identity whenever he or she connects to a Liberty SP that is within the circle of trust with that user’s Liberty IDP.
The user is also able to view all of his or her federations, and can remove or defederate his or her identity with any Liberty SP at any time.
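The federate, single sign-on and defederate behaviour described in this section and under “Understanding the Value of the Novell Liberty Identity Provider” is modelled in the following Python script. It is an added example, not Novell's code and not the Liberty sample code mentioned in the next section: the usernames, passwords and provider names are constructed, and the opaque per-provider handle stands in for the name identifier that the real Liberty protocol carries inside its SAML assertions. The point it shows beyond the text is that the IDP issues a different opaque handle to every SP, so two SPs cannot correlate a user by comparing what the IDP sent them, and that after defederation neither side can complete single sign-on with the retired handle.

```python
"""Model of the Liberty federate / single sign-on / defederate flow.

Added example, not Novell's code. The IDP holds the credential store
and the federation (account-linkage) table; each SP keeps its own
local accounts and a map from IDP-issued handles to those accounts.
Handles are opaque and distinct per (user, SP) pair, as Liberty ID-FF
name identifiers are, so two SPs cannot correlate a user by comparing them.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class IdentityProvider:
    users: dict                                      # username -> password (constructed store)
    sessions: dict = field(default_factory=dict)     # session token -> username
    federations: dict = field(default_factory=dict)  # (username, sp_id) -> opaque handle

    def login(self, username, password):
        """Check the submitted login form; return a session token or None."""
        if self.users.get(username) != password:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token

    def authn_response(self, token, sp_id, federate=False):
        """Answer an SP's authentication request for the user behind `token`.

        Returns the user's handle for sp_id when a federation exists, or when
        the user chose to federate now; None means the SP must treat the
        visitor as unknown and run its own login.
        """
        username = self.sessions.get(token)
        if username is None:
            return None
        key = (username, sp_id)
        if key not in self.federations:
            if not federate:
                return None
            self.federations[key] = secrets.token_urlsafe(24)  # fresh opaque per-SP handle
        return self.federations[key]

    def list_federations(self, token):
        """SPs the user behind `token` is federated with (what the user can review)."""
        username = self.sessions[token]
        return sorted(sp for (user, sp) in self.federations if user == username)

    def defederate(self, token, sp_id):
        """Remove the link; return the retired handle so the SP can be notified."""
        return self.federations.pop((self.sessions[token], sp_id), None)


@dataclass
class ServiceProvider:
    sp_id: str
    handle_to_account: dict = field(default_factory=dict)  # IDP handle -> local account

    def federate(self, local_account, handle):
        """Link an IDP handle to the account the user just logged into locally."""
        self.handle_to_account[handle] = local_account

    def sso_login(self, handle):
        """Local account for a handle the IDP vouched for; None if not linked."""
        return self.handle_to_account.get(handle)

    def on_defederation(self, handle):
        """Drop the link when the IDP reports that the user defederated."""
        self.handle_to_account.pop(handle, None)


def run_scenario():
    """Walk one user through federation, SSO and defederation; return what happened."""
    idp = IdentityProvider(users={"alice": "correct horse battery"})  # constructed credentials
    travel, bank, shop = (ServiceProvider(s) for s in ("travel.example", "bank.example", "shop.example"))
    result = {"bad_password": idp.login("alice", "wrong")}

    token = idp.login("alice", "correct horse battery")
    # First visit to two SPs: the user logs in locally at each and opts to federate.
    h_travel = idp.authn_response(token, travel.sp_id, federate=True)
    travel.federate("alice-travel", h_travel)
    h_bank = idp.authn_response(token, bank.sp_id, federate=True)
    bank.federate("alice-bank", h_bank)
    result["distinct_handles"] = h_travel != h_bank
    result["federations_before"] = idp.list_federations(token)

    # Next visit while still signed in at the IDP: no user interaction needed.
    result["sso_account"] = travel.sso_login(idp.authn_response(token, travel.sp_id))
    # An SP the user never federated with gets nothing and must run its own login.
    result["unfederated"] = idp.authn_response(token, shop.sp_id)

    # The user defederates from the travel site; the IDP tells the SP.
    retired = idp.defederate(token, travel.sp_id)
    travel.on_defederation(retired)
    result["federations_after"] = idp.list_federations(token)
    result["after_defederation_idp"] = idp.authn_response(token, travel.sp_id)
    result["after_defederation_sp"] = travel.sso_login(retired)
    return result


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The handle is generated with a CSPRNG and never derived from the username, which is what makes it unlinkable across providers; a real IDP would also sign the assertion that carries it, which this model omits.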

Service Provider Sample Code

Although the Liberty identity provider for Novell eDirectory software does not provide an actual Liberty SP, Novell provides sample code to accelerate the deployment of a Liberty SP. This code is in the form of sample Web pages, JSPs and other Java code that allows users to federate and display their federation information.

2 Installing the Liberty Identity Provider

This chapter provides instructions for installing Liberty identity provider for Novell® eDirectoryTM software and contains the following topics:
Product Components
System Requirements
Installing Liberty Identity Provider Software
Uninstalling the Liberty Identity Provider Software

Product Components

Your Liberty identity provider (Liberty IDP) installation includes the following components and specific version numbers:
Novell iManager 1.5.1
JVM* 1.4
Apache* 2
Tomcat* 4.1.18
WARNING: You must not have any of these components already installed on the machine where you will be installing your Liberty identity provider. If any of these components are already installed, your Liberty identity provider will not install successfully.

System Requirements

Review the following system requirements to ensure that your server and client environments meet installation prerequisites:
“Liberty Identity Provider Requirements” on page 9
“Liberty Server Requirements” on page 9

Liberty Identity Provider Requirements

The Liberty IDP is a self-contained installation and does not require licensed hardware to run.

Liberty Server Requirements

You must have Novell eDirectory version 8.7 installed in your Liberty environment prior to installing the Liberty identity provider. We recommend that you do not have eDirectory installed on the same machine where you will be installing the Liberty IDP. Ideally, you should run your Liberty IDP, service provider, and LDAP server on separate machines.
The Novell-supported platform for installing the Liberty IDP is a Windows* 2000 server or workstation.
To run the Liberty IDP, you must have:
a static IP address
an iManager-compatible browser: Internet Explorer 5.5 or above, or Netscape* 6.2 or above
For additional information and full system requirements for Novell eDirectory 8.7, refer to the Novell eDirectory 8.7 Quick Start, available at the Novell Documentation site (http://www.novell.com/documentation/lg/edir87/index.html).
You can download Novell eDirectory at Novell Software Downloads (http://download.novell.com).
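Before running the installer, a practitioner would verify the two conditions the chapter states: none of the bundled components (Apache 2, Tomcat 4.1, JVM 1.4, iManager) already present on the target machine, and the eDirectory 8.7 LDAP server reachable on a separate machine. The following preflight script is an added example, not part of the Novell installer, written in a current Python for clarity. The listener ports it probes (Apache on 80, Tomcat on 8080, 8005 and 8009, LDAP on 389) and the registry keys it looks for are assumptions drawn from those products' usual defaults, not values given in this guide, and edir.example.com is a placeholder host name.

```python
"""Preflight check for a Liberty IDP host.

Added example, not part of the Novell installer. It checks that the bundled
components are not already present (a listener on their default ports or a
vendor registry key) and that eDirectory's LDAP service answers on a host
other than this one. Port numbers and registry key names are assumptions
based on the products' usual defaults, not values from the guide.
"""
import socket
import sys

# Assumed default listeners of the bundled components.
COMPONENT_PORTS = {
    80: "Apache 2 (HTTP)",
    8080: "Tomcat 4.1 (HTTP connector)",
    8005: "Tomcat 4.1 (shutdown port)",
    8009: "Tomcat 4.1 (AJP connector)",
}

# Assumed HKLM keys the vendors' Windows installers create.
COMPONENT_REGISTRY_KEYS = [
    r"SOFTWARE\Apache Group\Apache",
    r"SOFTWARE\Apache Software Foundation\Tomcat\4.1",
    r"SOFTWARE\JavaSoft\Java Runtime Environment\1.4",
    r"SOFTWARE\Novell\iManager",
]


def port_open(host, port, timeout=1.0):
    """True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ports_in_use(ports, host="127.0.0.1"):
    """Subset of `ports` on which a listener already answers."""
    return [p for p in ports if port_open(host, p)]


def registry_keys_present(keys):
    """Keys under HKLM that exist; always empty on non-Windows hosts."""
    if sys.platform != "win32":
        return []
    import winreg
    found = []
    for key in keys:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key))
            found.append(key)
        except OSError:
            pass
    return found


def preflight(ldap_host, ldap_port=389, local_host="127.0.0.1"):
    """Return a list of problems; an empty list means the host is ready to install."""
    problems = []
    for p in ports_in_use(COMPONENT_PORTS, local_host):
        problems.append(f"port {p} already in use: {COMPONENT_PORTS[p]} seems to be installed")
    for key in registry_keys_present(COMPONENT_REGISTRY_KEYS):
        problems.append(f"registry key HKLM\\{key} exists: component already installed")
    if ldap_host in ("127.0.0.1", "localhost", socket.gethostname()):
        problems.append("eDirectory should run on a separate machine from the Liberty IDP")
    if not port_open(ldap_host, ldap_port, timeout=3.0):
        problems.append(f"eDirectory LDAP not reachable at {ldap_host}:{ldap_port}")
    return problems


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "edir.example.com"  # placeholder host name
    issues = preflight(host)
    for issue in issues:
        print("PROBLEM:", issue)
    print("ready to install" if not issues else f"{len(issues)} problem(s) found")
    sys.exit(1 if issues else 0)
```

Run it as `python preflight.py <edirectory-host>` on the machine that will host the IDP; a non-zero exit means the installer warning above would apply or the directory is not where the IDP expects it. The registry check is deliberately a second signal next to the port probe, because a stopped Apache or Tomcat service still counts as installed.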

Installing Liberty Identity Provider Software

To install a basic Liberty IDP infrastructure, complete the following procedures:
“Installing Liberty Identity Provider Software” on page 10
“Installing the Liberty Administration Plug-ins When iManager is Already Installed on Your eDirectory Server” on page 19

Installing Liberty Identity Provider Software

The Liberty IDP software should only be installed on compatible hardware (see “Liberty Identity Provider Requirements” on page 9). The installation is divided into four sections: an installation introduction, a pre-installation summary, the Liberty IDP installation, and a completion record. At any given point of the installation process, you can follow the progress of your installation by referring to the left-hand side of the install dialog. (See Figure 1.)
To install the Liberty IDP:
1 At the Web download site, click the Web download link to automatically download the Liberty IDP executable.
2 Run the executable.
InstallAnywhere* will guide you through the installation process.
3 After you have read the introductory screen, click Next.
Figure 1 Liberty Identity Provider Introduction
4 If you accept the License Agreement, select the accept button, then click Next.
Figure 2 License Agreement
5 The Liberty IDP created by the installation is configured to run in non-SSL mode by default. This mode is sufficient for testing purposes only. Do not use non-SSL mode in a production environment, because the username and password a user submits to the login form would cross the network unencrypted. For information on how to convert to SSL mode, see Chapter 4, “Configuring Your Liberty Identity Provider to Run in SSL Mode,” on page 29.
Click Next if you accept the SSL warning.
Figure 3 SSL Warning
6 The Liberty IDP requires Novell iManager to be installed. Even if you already have iManager installed on your machine, click Next to proceed with the installation.
Figure 4 Install iManager
The iManager installation is a wizard that consists of several screens that run on top of your Liberty IDP installation wizard. InstallAnywhere will guide you through the iManager installation.
6a Select the language you want (English is the default), then click OK.