Jeff.Krug: Created page with "This page discusses some of the configuration issues with NetIQ Access Manager. == AuthnContextDeclRef == NetIQ Access Manager does not use this field correctly. In general..."

2019-01-22T18:14:20Z

Created page with "This page discusses some of the configuration issues with NetIQ Access Manager. == AuthnContextDeclRef == NetIQ Access Manager does not use this field correctly. In general..."

New page

This page discusses some of the configuration issues with NetIQ Access Manager.

== AuthnContextDeclRef ==

NetIQ Access Manager does not use this field correctly. In general Authn Context Declarations would be used in replace of Authn Context Classes for special interoperability cases. NetIQ Access Manager uses both Context Classes and includes a Context Declaration Reference. This is a bit strange as one would presumably supersede the other. Additionally, a context declaration reference is specifically a URL where the Authentication Context Declaration can be found, but NetIQ Access Manager populates it with just a string by default. This may have meaning internal to NetIQ Access Manager but it does not have meaning to any other product, and it is not the correct SAML usage.

== Use of SHA-256==
This page documents some NetIQ settings related to SAML: [[https://www.netiq.com/documentation/netiqaccessmanager4_appliance/identityserverhelp/data/b13ucle3.html NetIQ Docs]]. It includes a property '''SAML_SIGN_METHODDIGEST_SHA256''' that can be set to force the device to use SHA256.

== Use of Metadata ==
Thus far in our testing (2014 Feb 12) NetIQ Access Manager does not seem to be able to import SAML 2 Metadata with much success. Based on that, here is some guidance on how to extract relevant configuration details for SAML 2.0.

=== Extracting Certificates ===
Using an text editor, typically one that includes column numbers in some fashion. You want to open a new file and paste in the following:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Then open the metadata file and find the certificate in base64. If you are creating a certificate for a service provider you want to locate the section in the metadata with this tag '''<SPSSODescriptor ...>'''. Then locate the certificate within this section, it will be enclosed within these tags '''<X509Certificate>'''. If there are multiple certificates, you will need to create multiple files and then review them for which is the most appropriate to use.

Copy the base64 text between the opening tag '''<X509Certificate>''' and the closing '''</X509Certificate>'''. Paste this text in between the two lines above in the certificate file.

If the file you are copying from included the certificate on a single line, you need to add carriage returns so that each line is 63 characters long (this is why a text editor with column numbers is useful). The final resulting file should look like this:

-----BEGIN CERTIFICATE-----
MIIF8TCCA9mgAwIBAgIBKjANBgkqhkiG9w0BAQsFADCBqjELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAkdBMRAwDgYDVQQHEwdBdGxhbnRhMQ0wCwYDVQQKEwRHVFJJMRMw
EQYDVQQLEwpJQ0wgLSBJRUFEMTkwNwYDVQQDEzBHRklQTSBSZWZlcmVuY2UgRmVk
ZXJhdGlvbiBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHTAbBgkqhkiG9w0BCQEWDmhl
bHBAZ2ZpcG0ubmV0MB4XDTEyMDMxNTE1MzIyNFoXDTE3MDMxNTE1MzIyNFowbzEd
MBsGA1UEAxMUcmhlbHNwLnJlZi5nZmlwbS5uZXQxCzAJBgNVBAgTAkdBMQswCQYD
VQQGEwJVUzEVMBMGA1UEChMMR2VvcmdpYSBUZWNoMR0wGwYDVQQLExRHVFJJIC0g
R0ZJUE0gUHJvamVjdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANHD
S+kyIFdINFXFACq8sTn6/v59ngqh76ZKSl+Ad5ICeTbto5P+qAIt5t+5++IhjyL5
YYuiQ+IUcZu4nDE++XC3+O7TmTGwxEZ0eHe4mTVbEXzdxJECi9OPbAv+CCHd/O33
+95x5+JKLpwUOIbnHQNrXXGkbZlsl9RchQsv2Grbt9JkImTs5b/DjA9wiT2i42Kh
CK3J78D+QCkxR+T5TT0CXe4BljZXvEy2TRtQb8M6A8I6Uo249RuFLpGyDr45Mqre
3MWplhGUaJ49f/U1fFq38b2gOyDUVua0KyVYuHJ+HIleO2BI26Pz1oweD6Wuyl8J
PStTLp9pNChZ9336BFhLYoY32FDlTBqo3PrcJ78dOl04rgaX7E1167YiEAsMcov8
Go1IdqFMeE9aN2CbxesKMgdwoP+EOzf0XkErn59L2Dnq1hOPOG/LQwnmJTfrHjqe
Bnvv/67L7j7w8lQbiVbgSPT1MrAC0nUNVNOY3JtQHuYWkxkDJaD3ytQuyKUkbPXU
d9eilY4INgzVtFSU4fU+IPg0jt3DGqUK2BI7G8nMALXlJEEnNQvUUCyrqKbO5ULg
CumyjTeD+ZtFvL1QG2Cm0ZGxoDUhps3bBs/EpmH7tyT2vtdlapV1dl4cXQxdrS+6
2gwIflUkEB/PYqjxL5oAtLOon4IeTHAXw0yI/Y0HAgMBAAGjXDBaMAkGA1UdEwQC
MAAwEQYJYIZIAYb4QgEBBAQDAgZAMDoGCWCGSAGG+EIBBAQtFitodHRwOi8vcmVm
LmdmaXBtLm5ldC9jZXJ0cy9yZWYtZ2ZpcG0tY2EuY3JsMA0GCSqGSIb3DQEBCwUA
A4ICAQA4M9QC5UpwJc+k0yglhhi9R9f81MUh+esCY+31lXKDt94tgLci/KXMQLnG
fdM3Aee12G6fYv4G1ATotBIHIBevP7LYxTImubBdm2xDuzxgr9rPNwlk32fFwqbc
mDDgWm7UmYwOoPAf0va3XeSD86Q6VjXeoaa8uAOItkqmmzSe5qIJfX0qznL44GCI
33XLgKwzNZB2TbPb1d3EQohfkcZwQXLHokXIFipSbYPz73v6AFs5S/EcqRT6ldIE
DCKJND4Rip0VvmIqI7QUkwMnpcohIiU2kRurUp8zOTrtEf+8tORxDUSjgEVmcvgi
rKdt2pnBpYokyLs6wsmPggJL9+/5AEuE23CES3ruZ1aiIBWOpAtCZSAgLK+c8c+Q
HCTSuzSaPekiugjaKWmDCe83d7yZQ7dIHYlO/AqYpjWi901NQYPJQGCOP8Ar7hKs
oA+2SVOUG+tGa6cIBmWvpNO9xTPfE0y9X9FI/TK3l2/IO7z6IMu5iv7MCXAr6N3G
aehxtz96m0wgRAQdlKzRNf4T4KV7092pDe50IDRcOUR43JML18IjE85GW4adMNGn
1q6RGRai/Ux0w/SdqcrR7sOWNizIMBMtDd6MMm16aBVfMVdiLDpPl+uV40r6virM
TL3JOaisSS3lw8aDc0vVslsm+SjrfPfP0Rwvbtyflm0ZLxGmBw==
-----END CERTIFICATE-----

Save the file with a crt or pem file extension. To insure that errors were introduced when the file was created open the file either by double clicking in Windows or in other operating systems use your Internet browser. You can review the text contents of the file this way to validate it's correct.

== Attribute Names ==
When configuring GFIPM Attributes in NetIQ Access Manager, do not specify a namespace, set the remote attribute name to the full formal name for the GFIPM Attribute, and specify the attribute NameFormat as URI (it seems to default to Unspecified).

NetIQ Access Manager - Revision history

Jeff.Krug: Created page with "This page discusses some of the configuration issues with NetIQ Access Manager. == AuthnContextDeclRef == NetIQ Access Manager does not use this field correctly. In general..."