This guide provides step-by-step instructions for configuring a basic identity federation deployment between Microsoft Active Directory Federation Services 2.0 (AD FS 2.0) and Novell Access Manager (NAM) by using the Security Assertion Markup Language (SAML) 2.0 (http://go.microsoft.com/fwlink/?LinkId=193996) protocol, specifically its Web Browser SSO Profile and HTTP POST binding.
In this deployment, you have the option to configure one or both of the following two scenarios:
- AD FS 2.0 as Claims Provider and NAM as Relying Party
- NAM as Claims or Identity Provider and AD FS 2.0 as Relying Party or Service Provider
Note: You can download the evaluation version of NAM from Novell's download portal (http://download.novell.com).
Linux Environment
NAM Environment: NAM 3.1 SP4 or 3.2; SLES 11 SP1 64 bit. Note: NAM supports both Windows and Linux. In this guide, we discuss the identity federation deployment in the Linux environment.
Configuring NAM as Claims or Identity Provider and AD FS 2.0 as Relying Party or Service Provider
This section explains how to configure a setup in which a user (using NAM) gets federated access to the WIF sample application through AD FS 2.0. This setup uses the SAML 2.0 POST profile. This section includes: Configuring NAM; Configuring AD FS 2.0
Configuring NAM
This section includes: Adding a new service provider connection using metadata; Exporting Identity Provider metadata to a file
Note: To deploy this identity federation for NAM 3.1 SP3 and above, create a new contract with URI "urn:oasis:names:tc:SAML:2.0:ac:classes:Password" and the name/password form method.
3. Specify a name by which you want to refer to the provider in the Name field.
4. Select Metadata Text from the Source list.
5. Paste the copied AD FS metadata (the trimmed one) in the Text field.
6. Click Next > Finish.
7. Update Identity Server.
10. Click New.
11. Select ldapattribute cn from the Local attribute list.
12. Specify name in the Remote attribute field.
13. Select http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ from the Remote namespace list.
14. Click OK.
15. Update Identity Server.
5. Click Attributes.
6. Select adfs-attributes from the Attribute set list.
7. Select the required attributes to be sent with authentication, from right to left (for example, the mail and cn attributes).
8. Click OK.
9. Update Identity Server.
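A way to check that an assertion NAM issues actually reflects the settings above (the Password contract from the note, the attribute mapping in steps 10-15, and the attributes selected in steps 5-9). This is an added example, not code from the guide or from NAM: Test-NamAssertion is a hypothetical helper, the assertion is constructed for the example, and mapping mail to the emailaddress claim type is an assumption.

```powershell
# Added example (not from the guide): check a SAML 2.0 assertion against the NAM
# settings above. Test-NamAssertion is a hypothetical helper; the assertion is constructed.
$samlNs  = 'urn:oasis:names:tc:SAML:2.0:assertion'
$claimNs = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/'

function Test-NamAssertion {
    param([xml]$Assertion)
    $nsm = New-Object System.Xml.XmlNamespaceManager($Assertion.NameTable)
    $nsm.AddNamespace('saml', $samlNs)
    $problems = @()
    # The contract created in the note must surface as the Password class reference.
    $ctx = $Assertion.SelectSingleNode('//saml:AuthnContextClassRef', $nsm)
    if ($null -eq $ctx -or $ctx.InnerText -ne 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password') {
        $problems += 'AuthnContextClassRef is not the Password class'
    }
    # The Name ID format must be the one the AD FS pass-through rule expects (Unspecified).
    $nameId = $Assertion.SelectSingleNode('//saml:Subject/saml:NameID', $nsm)
    if ($null -eq $nameId -or $nameId.GetAttribute('Format') -ne 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified') {
        $problems += 'NameID format is not unspecified'
    }
    # Attributes mapped in NAM (cn -> name, mail) must use the identity-claims namespace
    # chosen in step 13, or the AD FS rules keyed on those claim types will not match.
    foreach ($attr in $Assertion.SelectNodes('//saml:AttributeStatement/saml:Attribute', $nsm)) {
        $name = $attr.GetAttribute('Name')
        if (-not $name.StartsWith($claimNs)) { $problems += "Attribute '$name' is outside $claimNs" }
    }
    foreach ($required in @('name', 'emailaddress')) {   # emailaddress for mail is an assumption
        if ($null -eq $Assertion.SelectSingleNode("//saml:Attribute[@Name='$claimNs$required']", $nsm)) {
            $problems += "Required attribute $required is missing"
        }
    }
    return $problems
}

# Constructed sample of what NAM should issue after the steps above (signature omitted).
[xml]$sample = @"
<saml:Assertion xmlns:saml="$samlNs" ID="_example" Version="2.0">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">john@example.com</saml:NameID></saml:Subject>
  <saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="${claimNs}name"><saml:AttributeValue>John Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="${claimNs}emailaddress"><saml:AttributeValue>john@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"@
Test-NamAssertion $sample   # no output means the assertion matches the configuration
```

To check a real assertion, decode the SAMLResponse form field from a captured POST (base64) and pass the Assertion element instead of the constructed sample.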
Configuring AD FS 2.0
This section includes: Adding a claims provider using metadata; Editing claim rules for the claims provider trust; Editing claim rules for the WIF Sample Application; Changing the AD FS 2.0 Signature Algorithm
Select the Pass through all claim values option and click Finish. Click Add Rule. In the Select Rule Template page, select the Pass Through or Filter an Incoming Claim option. Click Next.
10. In the Configure Claim Rule page, in Claim rule name, use the following values:
Name   Value
11. Leave the Pass through all claim values option selected and click Finish.
12. To acknowledge the security warning, click Yes.
13. Click OK.
Leave the Pass through all claim values option selected, and then click Finish. In the Issuance Transform Rules tab, click Add Rule. In the Select Rule Template page, click Pass Through or Filter an Incoming Claim. Click Next.
10. In the Configure Claim Rule page, enter the following values:
Claim rule name: Pass Name ID Rule
Incoming claim type: Name ID
Incoming Name ID format: Unspecified
11. Leave the Pass through all claim values option selected, and then click Finish.
12. Click OK.
Note: If you configured the optional Step 6: Change Authorization Rules when you were testing the original AD FS 2.0 with WIF Step-by-Step Guide deployment, ensure that you add back the Permit All Users issuance authorization rule for the WIF sample application before testing this scenario. Alternatively, add a new Permit or Deny Users Based on an Incoming Claim rule allowing the incoming Name ID john@example.com to access the application.
In AD FS 2.0:
1. Click Start > Administrative Tools > Windows PowerShell Modules.
2. Enter the following command in the PowerShell command prompt:
   Set-ADFSClaimsProviderTrust -TargetName "NAM Example" -SigningCertificateRevocationCheck None
Note: You can make many configuration changes to AD FS 2.0 using the Windows PowerShell command-line and scripting environment. For more information, see the AD FS 2.0 Windows PowerShell Administration section of the AD FS 2.0 Operations Guide (http://go.microsoft.com/fwlink/?LinkId=194005) and the AD FS 2.0 Cmdlets Reference (http://go.microsoft.com/fwlink/?LinkId=177389).
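The claim rules this section builds in the console (the Name ID pass-through, the Permit or Deny Users Based on an Incoming Claim alternative from the note, and the revocation-check setting) can be written with the same AD FS 2.0 cmdlets. This is an added example, not code from the guide: the claims provider trust name "NAM Example" comes from the PowerShell step above, while the relying party name "WIF Sample App" is assumed.

```powershell
# Added example (not from the guide): script the rules this section creates in the
# AD FS 2.0 console. Assumed trust display names: "NAM Example" (claims provider, as in
# the guide's PowerShell step) and "WIF Sample App" (relying party, hypothetical).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$nameIdType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$permitType = 'http://schemas.microsoft.com/authorization/claims/permit'

# "Pass Through or Filter an Incoming Claim" with "Pass through all claim values":
# the Name ID issued by NAM is accepted unchanged.
$passNameId = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Name ID Rule"
c:[Type == "$nameIdType"]
 => issue(claim = c);
"@
Set-ADFSClaimsProviderTrust -TargetName 'NAM Example' -AcceptanceTransformRules $passNameId

# Same pass-through on the relying party's Issuance Transform Rules tab.
Set-ADFSRelyingPartyTrust -TargetName 'WIF Sample App' -IssuanceTransformRules $passNameId

# The alternative from the note: permit only the incoming Name ID john@example.com.
# Replacing the Permit All Users rule this way is the least-privilege option.
$permitJohn = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit john@example.com"
c:[Type == "$nameIdType", Value == "john@example.com"]
 => issue(Type = "$permitType", Value = "true");
"@
Set-ADFSRelyingPartyTrust -TargetName 'WIF Sample App' -IssuanceAuthorizationRules $permitJohn

# The guide turns off revocation checking of NAM's signing certificate. Suitable for a
# lab; in production keep the default and make NAM's CRL/OCSP endpoint reachable from
# AD FS so a revoked signing key is rejected.
Set-ADFSClaimsProviderTrust -TargetName 'NAM Example' -SigningCertificateRevocationCheck None

# Read back what was written.
(Get-ADFSClaimsProviderTrust -Name 'NAM Example').AcceptanceTransformRules
(Get-ADFSRelyingPartyTrust -Name 'WIF Sample App').IssuanceAuthorizationRules
```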
Configuring AD FS 2.0 as Claims or Identity Provider and NAM as Relying Party or Service Provider
This section explains how to configure a setup in which a user authenticated by AD FS 2.0 gets federated access to an application protected by Novell Access Manager (NAM). The setup uses the SAML 2.0 POST profile.
Configuring NAM
This section discusses how to add a new Identity Provider connection using metadata.
10. Specify the image to be displayed on the card in the Image field.
11. Update Identity Server.
Configuring AD FS 2.0
This section discusses: Adding a Relying Party using metadata; Editing Claim Rules for the Relying Party Trust
10. In the Configure Claim Rule page, use the following values:
Name: Claim rule name; Incoming Name ID format; Mail
Value: Transient Name ID Mapping Rule; Transient Identifier; E-Mail Address
11. Click Finish.
For more information about signing/encryption certificates, see Certification Authority-Issued Signing/Encryption Certificates.
Debugging AD FS 2.0
16. In Event Viewer, click Applications > AD FS.
17. You can access the troubleshooting help here:
18. http://technet.microsoft.com/en-us/library/adfs2-troubleshooting-certificate-problems%28WS.10%29.aspx
19. http://64.4.11.252/fr-fr/library/adfs2-troubleshooting-certificate-problems%28WS.10%29.aspx