Configuring Single Sign On (SSO) from NetIQ Access Manager and LiveTime ITSM

Background

LiveTime Service Manager is a complete IT service management solution that can be used for 11 ITIL processes from Service Request Management through to Change and Release Management. It provides various end-user roles (customers, Supervisors, Technician, Partner, etc) who can access the web based portal & manage service requests.

LiveTime Service Manager includes support for SAML based Single Sign-On (SSO). With this addition of SAML support LiveTime can streamline end user’s experience without forcing the user to re-authenticate at application. Access Manager is a product which facilitates secure access to LiveTime & can leverage the SAML based SSO support in Service Manager to provide seamless experience to end users.

Service Manager allows SSO from Open Source solutions such as Shibboleth, JOSSO, OpenSSO etc as well as commercial vendors like NetIQ Access Manager, CA Siteminder, Oracle Identity Manager etc. In this article we will focus on configuration for SAML based SSO from NetIQ Access Manager to LiveTime Service Manager.

Glossary of Terms

SAML – Secure Assertion Markup Language
SSO – Single Sign On
NAM – NetIQ Access Manager
NAM-IDP – NAM Identity Provider
NAM-AG – NAM Access Gateway

Understanding SSO Configuration

Service Manager manages HTTP session headers from the provider (web access gateway) to enable seamless access for user to application. The Login session is managed by Identity Provider (IdP) and the access to resource is managed by Service Provider (SP). This session information & associated user data is then filtered down to the protected application which uses the given data for granting access to user & bypass authentication.

For the above scenario in this document, Identity Provider is NAM-IDP, Service Provider is NAM-AG & the protected application is LiveTime Service Manager. Configuration for SSO in LiveTime is located at (Setup > Authentication > SSO) as shown in Figure-1. There are three configurations to enable SSO, all of which are mandatory (as explained in following table):

Parameter Description
Session ID This is the name of HTTP header passed to NSD which contains Session ID for the logged in user.
Username Name of the HTTP header which contain login name of the user attempting to access NSD
Email Name of the HTTP header which contain email of the user attempting to access NSD. This email value is used to validate the username.

Preparations for Configuration

SSO Setup Screen with SAML2

Figure 1:SSO Setup Screen with SAML2

This document specifically focuses on SAML based SSO related configuration, so it is assumed that other parts of setup are already available & few key configurations are already done before we proceed. These are few per-requisites before we proceed with further configuration:

  • LiveTime Service Manager is installed & configured with appropriate user store.
  • NetIQ Access Manager is installed & configured with appropriate user store.
  • Both LiveTime & NAM share the same user store OR the user credentials/data is synced among the both user stores.
  • Basic reverse proxy service is configured on NAM for LiveTime (LiveTIme is added as path based OR domain based protected resource).

Configuring NAM for SAML based SSO

As discussed above it is assumed that LiveTime has been configured as protected resource (path based OR domain based). The next step is to configure an Identity Injection policy which injects appropriate headers into the HTTP requests to LiveTime as required for SAML based SSO. Following are the steps to configure the Identity Injection policy for LiveTime.

Steps to Configure Identity Injection Policy for LiveTime

  1. Go to iManager (Access Manager > Policies) & add a new Policy of type – “Access Gateway: Identity Injection”
  2. On the “Edit Rule” page provide description for your policy (Optional)
  3. Create “New” action & select – “Inject Into Custom Header”. In the details select value as “Credential Profile”, then select “SAML Credentials” > “SAML Assertion” (as shown in Figure-2).

    NAM Identity Injection SAML

    Figure 2: NAM Identity Injection Policy – SAML Assertion

  4. Create “New” action & select – “Inject Into Custom Header”. In the details select value as “Credential Profile”, then select “LDAP Credentials” > “LDAP User Name” (as shown in Figure-3).

    NAM Identity Injection LDAP

    Figure 3: NAM Identity Injection Policy – LDAP User Name

  5. Create “New” action & select – “Inject Into Custom Header”. In the details select value as “LDAP Attribute”, then select “mail” (as shown in Figure-4).

    NAM Identity Injection email

    Figure 4: NAM Identity Injection Policy – User eMail

  6. Once all the above configuration are done the identity injection policy will look as shown in Figure-5.

    NAM Identity Injection SSO

    Figure 5: NAM Identity Injection Policy for SAML SSO to NSD

  7. Enable this Identity Injection policy for the protected resource configured for LiveTime.

Configuring LiveTime for SSO

Once we are done with NAM configuration now the setup is ready for enabling LiveTime configuration. It is recommended (not mandatory) that Identity Injection to LiveTime is already enabled & the administrator can verify the HTTP headers received by LiveTime while configuring SSO.

Following are steps to configure SSO on LiveTime:

  1. Login to LiveTime as Administrator & open SSO configuration at (Setup > Authentication > SSO)
  2. Edit the configuration & Select “On” for ‘Active’ field.
  3. If you have login to LiveTime through NAM with Identity Injection policy enabled – Click on the icon to review HTTP headers passed through Access Gateway (NAM).
  4. Configure HTTP header name for SAML Assertion as ‘Session ID’ (e.g. ‘samlsession’ as shown in Figure-5)
  5. Configure HTTP header name for current logged in user as ‘Username’ (e.g. ‘username’ as shown in Figure-5)
  6. Configure HTTP header name for user email as ‘Email’ (e.g. ‘useremail’ as shown in Figure-5)
  7. Once all the above configuration are done the identity injection policy will look as shown in Figure-6.
  8. Save the configuration & validate SSO through NAM.

    SAML SSO NAM HTTP Headers

    Figure 6: LiveTime Configuration for SAML SSO with injected NAM HTTP Headers

Configuration for Simultaneous Logout

In this scenario ‘Simultaneous Logout’ is the ability to logoff from NAM session whenever user clicks Logout on LiveTime portal. LiveTime Service Manager does not have specific configuration to enable Simultaneous Logout with web access gateways (for example this configuration is available for applications like GroupWise, Vibe etc). So in order to enable simultaneous logout for LiveTime one must configure Form Fill policy as follows.

  1. Create a new FormFill policy for LiveTime simultaneous logout.
  2. On the “Edit Policy” page provide description for your policy (Optional)
  3. Create ‘New’ action & select – Form Login Failure
  4. In “Page Matching Criteria” field configure following text from LiveTime logout page – “Your session has ended. Please use the button below to login again.”
  5. In “Redirect to URL” field configure the Logout URL for your setup e.g. https://mynam.com/AGLogout
  6. Once all the above configuration are done the Form Fill policy will look as shown in Figure-7.

    NAM Fill Policy

    Figure 7: NAM Form Fill Policy for Simultaneous Logout from LiveTime-NAM

  7. Enable this Form Fill policy for the protected resource configured for LiveTime.

Conclusion

This article demonstrates that it is possible to leverage SAML based SSO support on LiveTime Service Manager to allow SSO configuration using NetIQ Access Manager.

December 9th, 2011 in News | tags: , , , , ,