Authors:
Alan Weber – Integrys Energy Group, Inc.
Neil Cashell – Novell Technical Services
Introduction:
The goal of Identity Federation is to enable users of one trusted business partner to securely and seamlessly access the resources and systems of another business partner, according to the business and technical agreements between them. Identity Federation enables Single Sign-On, Access Control and Single Sign-Off provisioning for users, and links users' identities across the partners.
This document helps the user configure a Novell Access Manager 3.1 SAML 1.1 Identity Provider so that it integrates seamlessly with a Vertex SAML 1.1 Service Provider using the Intersite Transfer URL. Vertex is a business partner that we work with on a specific energy-related application. Like most SAML 1.1 Service Providers, it consumes a SAML assertion generated by a trusted Identity Provider (Novell Access Manager) to single sign on and authorize users.
Although the approach is similar to the solution described for Access Manager 3.0 in the SAML / NAM / Concur Integration document, the newer version of Access Manager simplifies the configuration, especially when it comes to sending the user's NameIdentifier in the Authentication Response.
Configuration of SAML 1.1 Implementation at Integrys
To configure SAML 1.1, you must first log into Access Manager. The admin server URL is https://dob-amap1:8443/nps/. Log in with your Access Manager credentials.
Once logged in, click the link for Identity Servers, and select the pool. In this example, the pool is named PIDSCL1.
Name your Service Provider.
When integrating with Vertex, you must select "Metadata Text", since they do not use Access Manager and cannot provide a Metadata URL.
The Metadata provided is unique to the environment you’re connecting to and must contain a few required components.
Enter the Metadata and click Next.
*See Appendix 1 for Vertex’s Metadata.
Add the trusted root certificate of the SP's signing certificate to the NIDP-Truststore. This is required for the Vertex SAML 1.1 Service Provider to load correctly on the Identity Server.
Once you’ve created the Service Provider, you must now choose which attributes you want to send with the SAML assertion. Click the Service Provider you just created.
Click the Attributes link, and select Attribute Set.
If the one you need doesn’t exist, click <New Attribute Set>.
Click New and select the attributes you’d like to map.
For Vertex, we map the following attributes:
- WPSRTWAECISnumber
- WPSRTWARole
- cn
NOTE: If the attribute mappings are not showing up, go to Identity Servers > Shared Settings and create mappings. See Novell Documentation for more info.
Once you’ve created your attribute set, select it and choose the attributes you’d like to send with authentication.
Next, click Authentication Response and set the
- NameIdentifier format to unspecified, with the value set to the LDAP cn
- Assertion Validity period to 7200. This allows SAML sessions to be valid for 2 hours on the Vertex SP.
These settings were requested by Vertex.
You may choose to set up an Intersite Transfer Service to simplify your SAML Assertion link. We can’t use it in our environment, but to do this, enter an ID and the target URL from the Metadata (hint: look for Location=).
Click OK and update your Identity Servers and Access Gateways (if required).
You should now be done.
To use your new SAML 1.1 implementation, use the following links:
With Intersite Transfer Service:
This uses the ID you created for the Intersite Transfer Service. You cannot add any attributes to the end of this URL, which is why we cannot use it.
https://ids.integrysgroup.com:8443/nidp/saml/idpsend?id=Vertex
Using Intersite Transfer URL without the identifier:
When no identifier is passed to the idpsend service, we need to pass the PID and Target instead. The PID is simply the 'entityID' string from the SP metadata that we imported into the Identity Server SAML setup, and the Target is the destination URL that we want to go to.
PID = entityID
Target = Location
You can also add attributes to the end of these links. Note how Integrys adds "site=mer" or "site=mgu" to the end of our target URL. This allows the SP to do some additional processing based on the parameter passed to it.
Appendix 1 – Vertex Metadata
Vertex Metadata. Copy into Notepad for proper formatting. Note that the Certificate entry is not really required, as we are using the intersite transfer URL approach and the SP never generates a SAML authentication request to the Identity Server that could be signed with this certificate.
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://twa.utilitiesbp.com/SAML2">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:0.1:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>twa.utilitiesbp.com</ds:KeyName>
        <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
MIIE9DCCA9ygAwIBAgIETBpFwzANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UE
BhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5l
bnRydXN0Lm5ldC9ycGEgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEf
MB0GA1UECxMWKGMpIDIwMDkgRW50cnVzdCwgSW5jLjEuMCwGA1UEAxMlRW50
cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxQzAeFw0xMTA1MDIx
ODU5MjhaFw0xMzA3MDMwNDI3NTdaMIGaMQswCQYDVQQGEwJVUzEOMAwGA1UE
CBMFVGV4YXMxEzARBgNVBAcTClJpY2hhcmRzb24xITAfBgNVBAoTGFZlcnRl
eCBCdXNpbmVzcyBTZXJ2aWNlczElMCMGA1UECxMcSW5mb3JtYXRpb24gU3lz
dGVtcyBTZWN1cml0eTEcMBoGA1UEAxMTdHdhLnV0aWxpdGllc2JwLmNvbTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKZm5U/YrxCEePLvi+nD
q2n1pavsOmLnkxjgr0yqo1xCzrvCNMVCPcAzzPBfakWCpay7qcr/XLV5rJEG
eq29T8Gz8XoFB9/wdq3ZKxK/prV4oW+T8fel9Hlnme4XeEN2nh9mLh8TlLPt
KFWObI0k6vQ2Kpy6ezrXXaRx6SMItmCz3CYoSEq9OA79IfIzar9CrC7GoQNs
MnnEXlah1pA+4Mcz1H+h7NUVPzP27IBbdoGD5YkLragzU0r7J5VUdh70+VwB
/rX9pGXogZp20zOSMw0UnujOdgnPhC4LTLf+wRuqEJmetrbOxUj/x4LV3RUw
v3fWeSVDAZ2gMxe50VH2O5ECAwEAAaOCAScwggEjMAsGA1UdDwQEAwIFoDAd
BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMwYDVR0fBCwwKjAooCag
JIYiaHR0cDovL2NybC5lbnRydXN0Lm5ldC9sZXZlbDFjLmNybDAzBggrBgEF
BQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLmVudHJ1c3QubmV0
MEAGA1UdIAQ5MDcwNQYJKoZIhvZ9B0sCMCgwJgYIKwYBBQUHAgEWGmh0dHA6
Ly93d3cuZW50cnVzdC5uZXQvcnBhMB8GA1UdIwQYMBaAFB7xq4kG+EkPATN3
7hR67hl8kyhNMB0GA1UdDgQWBBT/5wcC3TAejp+3OmYv/7QjS29GgjAJBgNV
HRMEAjAAMA0GCSqGSIb3DQEBBQUAA4IBAQB2neGhzzgOgv7novQfZkDxk0U7
1jJ7HZFgZgEx/0U34IXjOM4x2IeaRIRpQidRmEvlTSTVUlamm5IEtT4FIZom
VtSZGbh7gCqMLC76iDPGqc3ZoM1VpvkQWpbehtvI5vxlwtg4x/j2oFe7j/rK
DdH/9Mex+h0snCGk23WSDrjZ9Z6B3+2RGZ33ek7cGbrinLOGvIi/k5e44Kif
Q/qzsCAMqCHG6OfeAJr/NU0yck8DjQ99/NX8kZ7mvuufCS/BH0jastdC8h5N
0VIqcigiqz2VeoaBH7VD77QMvXrb6wsyUyiNqlRIlFwXtBJ179lLLdy8THHa
sLIX+T39S+OEMawL
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://twa.utilitiesbp.com/saml.do" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
Appendix 2 – Sample Assertion based on our configuration
- Note the Authentication Statement includes the user's CN (AWEBER) in the Subject NameIdentifier section with the unspecified format (as defined in the Authentication Response UI field above).
- Note the Attribute Statement includes the three attributes configured in the 'send with authentication' Attribute UI field above and required by the SP.
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                IssueInstant="2011-08-22T16:27:06Z" MajorVersion="1" MinorVersion="1"
                Recipient="https://twa.utilitiesbp.com/SAML2"
                ResponseID="idBd5V6Z6streMSo7VtTAbd02TyC4">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <CanonicalizationMethod xmlns="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#idBd5V6Z6streMSo7VtTAbd02TyC4">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">7odfnLwMKVNff1LvN1OdSMogPeQ=</DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <SignatureValue xmlns="http://www.w3.org/2000/09/xmldsig#">
JzDlcLfqXEBX749BS7imw4d98PgU2J7RgFFQ+XT3Wpr+7rE+pdN074pi9DREfwQ7todPvBmPaQ6f
IdgT+3sni540nIWLzfJoCF1aO9GVUrtov93GAQkno4lMEH4BM5L5dG44dn3In1qfz651LgdOJmHd
KQlGgLCtQ5wp622QoG/fGTdK2EzXaUeljweVnOggiKI2Qc85AChLkW4gp8oMnNFojjhlIkwP4DBF
+TchGXIcIPdytzHQgAC50uhKiqc32sI3weHtUMweiYF7Fip5SaDRoDwR6RvfwY6XUJqHOZgC1kQa
shHa8E6lat6Cyi7PK29lk5ZvbUbnJ9n3PR1C2Q==
    </SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
MIIFKTCCBBGgAwIBAgIkAhwR/6UpfOR12tND14KglLl6lwmgZUJPabz1NSLpAgICMXqOMA0GCSqG
SIb3DQEBBQUAMDUxGjAYBgNVBAsTEU9yZ2FuaXphdGlvbmFsIENBMRcwFQYDVQQKFA5ET0JfQU1B
UDFfdHJlZTAeFw0xMDA3MjExOTQzMDZaFw0xMjA3MjExOTQzMDZaMEAxFTATBgNVBAMTDHRlc3Qt
c2lnbmluZzEWMBQGA1UECxMNYWNjZXNzTWFuYWdlcjEPMA0GA1UEChMGbm92ZWxsMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyzXZM9iq4TovAODD38DPcWWi6WnjpSWfMPuAhPGovqeB
d943+4Mtl5sumVlBiZ5gduf6lje1gdofaeEGUHfxB85NnRWwGSlU9YcJcDUk1U7pEd+lcAmv8ax+
ajY5dnrfV5ShdVnTpNwZTE6Rb4TQ5sowYZbZvTebZjjBIVjlhJ9mKlYbomkPC4qroKLUWY+B0zPY
k9RD5PRRCVF6Dg93Td5ZBNzOZ5PqVYIuy5A24dQtpRCRN7m/JUn1pAuqIdDWvpAFOyWZoeJhtBrG
5TABLpKRU8MQI0izb7KdmT5t7ocECXmdt+8CCLLOapg0rjYyuzYzx67kuTWt06r5N3w9iQIDAQAB
o4ICFDCCAhAwHQYDVR0OBBYEFJxc+5vVttmxai1REoIOaeaD6KtSMB8GA1UdIwQYMBaAFJA2K98X
gUno3HU172FdovqJM6/8MIIBzAYLYIZIAYb4NwEJBAEEggG7MIIBtwQCAQABAf8THU5vdmVsbCBT
ZWN1cml0eSBBdHRyaWJ1dGUodG0pFkNodHRwOi8vZGV2ZWxvcGVyLm5vdmVsbC5jb20vcmVwb3Np
dG9yeS9hdHRyaWJ1dGVzL2NlcnRhdHRyc192MTAuaHRtMIIBSKAaAQEAMAgwBgIBAQIBRjAIMAYC
AQECAQoCAWmhGgEBADAIMAYCAQECAQAwCDAGAgEBAgEAAgEAogYCARcBAf+jggEEoFgCAQICAgD/
AgEAAw0AgAAAAAAAAAAAAAAAAwkAgAAAAAAAAAAwGDAQAgEAAgh//////////wEBAAIEBvDfSDAY
MBACAQACCH//////////AQEAAgQG8N9IoVgCAQICAgD/AgEAAw0AQAAAAAAAAAAAAAAAAwkAQAAA
AAAAAAAwGDAQAgEAAgh//////////wEBAAIEEf+lKTAYMBACAQACCH//////////AQEAAgQR/6Up
ok4wTAIBAgIBAAICAP8DDQCAAAAAAAAAAAAAAAADCQCAAAAAAAAAADASMBACAQACCH//////////
AQEAMBIwEAIBAAIIf/////////8BAQAwDQYJKoZIhvcNAQEFBQADggEBABxNc7zqYirc/zxWHeT8
LZvxFzu0uMAWfY8HLpjvb61ekS4NnDc/dx2ZtOQOJJGJPZvP85YU6yj71ecEnGqzjVlHqlV+4iC8
/YPlFA+wIKLe0aKxhSDnMwN7gqVlab/gxxWNgRzfiY9I+XmwzVy6JpfWaGM9XcqSGkIY9ddc1f9e
kbDn3MH6iVl+UsKreifJ0qlG/ERvVFVXOWz3P0x3JBfnt9rxmy8O5uu0SPKgyzHBwcylECWw5WYv
0TfUTMdXdKjSj6POyvpPQZ9kUX10qxlm2wK6bZCQGdpYJwvHDhIn/Z2QLwf5fbZF6FcXQ7yezhPK
DHDphwGwajkO0q+CWv8=
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="samlp:Success"/>
  </samlp:Status>
  <saml:Assertion AssertionID="id8WpvY1BeYhq5FY7GnY-aHWeWA3Y" IssueInstant="2011-08-22T16:27:06Z"
                  Issuer="https://ids.integrysgroup.com/nidp/saml/metadata" MajorVersion="1" MinorVersion="1">
    <saml:Conditions NotBefore="2011-08-22T14:27:06Z" NotOnOrAfter="2011-08-22T18:27:06Z"/>
    <saml:AuthenticationStatement AuthenticationInstant="2011-08-22T16:27:06Z"
                                  AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
      <saml:Subject>
        <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">AWEBER</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
    <saml:AttributeStatement>
      <saml:Subject>
        <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">AWEBER</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Attribute AttributeName="UserID" AttributeNamespace="alliance:attributes">
        <saml:AttributeValue>AWEBER</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute AttributeName="EISnumber" AttributeNamespace="alliance:attributes">
        <saml:AttributeValue>CEI</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute AttributeName="Role" AttributeNamespace="alliance:attributes">
        <saml:AttributeValue>BROKER</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <CanonicalizationMethod xmlns="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#id8WpvY1BeYhq5FY7GnY-aHWeWA3Y">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue xmlns="http://www.w3.org/2000/09/xmldsig#">KCX1ESSgB5xcYFfciPzG0rYaMko=</DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <SignatureValue xmlns="http://www.w3.org/2000/09/xmldsig#">
XwTW1S/Gmx8c6W42l6wplc99RX0tVottWl/T09MIqL68ii6+UoBmxTAs8Z+euOqtrGFgSAdTc+P7
twZPPUT0o8sQc9Ejrs72yNfvYOdSJwQXCW0wwUkbIzp+G4vWaGGqbmwhyLabfsNKb4QmJE46HHO4
zGv3n/d55nG+hYgAWClqOYAtJfBra/OL9WfI/pE9LyAdI1VTIOcRtG28Te9YRO5ixywzYjPrmZ5t
HmLnTOt4hnvTk8/MYXWlVi8SaMaTqva9QqTkmi4kYNo8fAD34OSqKFVDLzjT6B53Pc4cCjGMdgMy
rm87QanG/iWsfYUPRMNaTaN+nx2JD8YF/lwWKg==
      </SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
MIIFKTCCBBGgAwIBAgIkAhwR/6UpfOR12tND14KglLl6lwmgZUJPabz1NSLpAgICMXqOMA0GCSqG
SIb3DQEBBQUAMDUxGjAYBgNVBAsTEU9yZ2FuaXphdGlvbmFsIENBMRcwFQYDVQQKFA5ET0JfQU1B
UDFfdHJlZTAeFw0xMDA3MjExOTQzMDZaFw0xMjA3MjExOTQzMDZaMEAxFTATBgNVBAMTDHRlc3Qt
c2lnbmluZzEWMBQGA1UECxMNYWNjZXNzTWFuYWdlcjEPMA0GA1UEChMGbm92ZWxsMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyzXZM9iq4TovAODD38DPcWWi6WnjpSWfMPuAhPGovqeB
d943+4Mtl5sumVlBiZ5gduf6lje1gdofaeEGUHfxB85NnRWwGSlU9YcJcDUk1U7pEd+lcAmv8ax+
ajY5dnrfV5ShdVnTpNwZTE6Rb4TQ5sowYZbZvTebZjjBIVjlhJ9mKlYbomkPC4qroKLUWY+B0zPY
k9RD5PRRCVF6Dg93Td5ZBNzOZ5PqVYIuy5A24dQtpRCRN7m/JUn1pAuqIdDWvpAFOyWZoeJhtBrG
5TABLpKRU8MQI0izb7KdmT5t7ocECXmdt+8CCLLOapg0rjYyuzYzx67kuTWt06r5N3w9iQIDAQAB
o4ICFDCCAhAwHQYDVR0OBBYEFJxc+5vVttmxai1REoIOaeaD6KtSMB8GA1UdIwQYMBaAFJA2K98X
gUno3HU172FdovqJM6/8MIIBzAYLYIZIAYb4NwEJBAEEggG7MIIBtwQCAQABAf8THU5vdmVsbCBT
ZWN1cml0eSBBdHRyaWJ1dGUodG0pFkNodHRwOi8vZGV2ZWxvcGVyLm5vdmVsbC5jb20vcmVwb3Np
dG9yeS9hdHRyaWJ1dGVzL2NlcnRhdHRyc192MTAuaHRtMIIBSKAaAQEAMAgwBgIBAQIBRjAIMAYC
AQECAQoCAWmhGgEBADAIMAYCAQECAQAwCDAGAgEBAgEAAgEAogYCARcBAf+jggEEoFgCAQICAgD/
AgEAAw0AgAAAAAAAAAAAAAAAAwkAgAAAAAAAAAAwGDAQAgEAAgh//////////wEBAAIEBvDfSDAY
MBACAQACCH//////////AQEAAgQG8N9IoVgCAQICAgD/AgEAAw0AQAAAAAAAAAAAAAAAAwkAQAAA
AAAAAAAwGDAQAgEAAgh//////////wEBAAIEEf+lKTAYMBACAQACCH//////////AQEAAgQR/6Up
ok4wTAIBAgIBAAICAP8DDQCAAAAAAAAAAAAAAAADCQCAAAAAAAAAADASMBACAQACCH//////////
AQEAMBIwEAIBAAIIf/////////8BAQAwDQYJKoZIhvcNAQEFBQADggEBABxNc7zqYirc/zxWHeT8
LZvxFzu0uMAWfY8HLpjvb61ekS4NnDc/dx2ZtOQOJJGJPZvP85YU6yj71ecEnGqzjVlHqlV+4iC8
/YPlFA+wIKLe0aKxhSDnMwN7gqVlab/gxxWNgRzfiY9I+XmwzVy6JpfWaGM9XcqSGkIY9ddc1f9e
kbDn3MH6iVl+UsKreifJ0qlG/ERvVFVXOWz3P0x3JBfnt9rxmy8O5uu0SPKgyzHBwcylECWw5WYv
0TfUTMdXdKjSj6POyvpPQZ9kUX10qxlm2wK6bZCQGdpYJwvHDhIn/Z2QLwf5fbZF6FcXQ7yezhPK
DHDphwGwajkO0q+CWv8=
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>
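As an added example (not part of the original article, and not Access Manager or Vertex code), the checks a SAML 1.1 Service Provider makes on a Response shaped like the one above before trusting it: Recipient, status, Issuer, the Conditions window that the 7200-second validity setting produces, the unspecified NameIdentifier format, and the three attributes. SAMPLE is a constructed copy of the Appendix 2 response with both ds:Signature elements removed; signature verification against the IdP certificate is assumed to have already passed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SAML 1.1 namespaces used by the Appendix 2 response.
NS = {"samlp": "urn:oasis:names:tc:SAML:1.0:protocol", "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample: the Appendix 2 response with both ds:Signature elements
# removed (signature verification is assumed to happen before these checks).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" IssueInstant="2011-08-22T16:27:06Z"
  MajorVersion="1" MinorVersion="1" Recipient="https://twa.utilitiesbp.com/SAML2">
 <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
 <saml:Assertion Issuer="https://ids.integrysgroup.com/nidp/saml/metadata" MajorVersion="1" MinorVersion="1">
  <saml:Conditions NotBefore="2011-08-22T14:27:06Z" NotOnOrAfter="2011-08-22T18:27:06Z"/>
  <saml:AuthenticationStatement><saml:Subject><saml:NameIdentifier
   Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">AWEBER</saml:NameIdentifier>
  </saml:Subject></saml:AuthenticationStatement>
  <saml:AttributeStatement>
   <saml:Attribute AttributeName="UserID"><saml:AttributeValue>AWEBER</saml:AttributeValue></saml:Attribute>
   <saml:Attribute AttributeName="EISnumber"><saml:AttributeValue>CEI</saml:AttributeValue></saml:Attribute>
   <saml:Attribute AttributeName="Role"><saml:AttributeValue>BROKER</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def ts(s):  # SAML 1.1 UTC 'Z' timestamps -> timezone-aware datetime
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, expected_recipient, trusted_issuer, now):
    """Return (ok, reason, name_identifier, attributes) for an SP-side acceptance decision."""
    root = ET.fromstring(xml_text)
    if root.get("Recipient") != expected_recipient:      # addressed to this SP?
        return False, "recipient mismatch", None, {}
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "samlp:Success":
        return False, "status not success", None, {}
    a = root.find("saml:Assertion", NS)
    if a is None or a.get("Issuer") != trusted_issuer:   # only the trusted IdP
        return False, "untrusted issuer", None, {}
    c = a.find("saml:Conditions", NS)                    # the configured validity window
    if not (ts(c.get("NotBefore")) <= now < ts(c.get("NotOnOrAfter"))):
        return False, "outside validity window", None, {}
    nid = a.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if nid is None or nid.get("Format") != UNSPECIFIED:  # the format Vertex requested
        return False, "unexpected NameIdentifier format", None, {}
    attrs = {att.get("AttributeName"): att.findtext("saml:AttributeValue", namespaces=NS)
             for att in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    return True, "ok", nid.text, attrs
```

Note that NotOnOrAfter is treated as exclusive, as its name says, so an assertion presented exactly at 18:27:06Z is rejected.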