NetIQ Access Manager

From NIEF Wiki

This page discusses some of the configuration issues with NetIQ Access Manager.

AuthnContextDeclRef

NetIQ Access Manager does not use this field correctly. In general, an Authentication Context Declaration (or a reference to one) is used in place of an Authentication Context Class for special interoperability cases. NetIQ Access Manager emits an Authentication Context Class Reference and also includes an Authentication Context Declaration Reference. This is a bit strange, as one would presumably supersede the other. Additionally, a declaration reference is specifically a URI that identifies, and can be resolved to, the Authentication Context Declaration, but NetIQ Access Manager populates it with a bare string by default. That string may have meaning internal to NetIQ Access Manager, but it means nothing to any other product and is not correct SAML usage; a relying party that tries to act on it has nothing to resolve.

Use of SHA-256

The NetIQ documentation page [NetIQ Docs] lists SAML-related settings, including a property, SAML_SIGN_METHODDIGEST_SHA256, that can be set to force the device to use SHA-256 for the signature and digest methods instead of the default. Since SHA-1 is no longer acceptable for XML signatures, set this property and then confirm the SignatureMethod and DigestMethod algorithm URIs in a real assertion rather than trusting the setting alone.

Use of Metadata

Thus far in our testing (2014 Feb 12), NetIQ Access Manager does not seem to be able to import SAML 2.0 metadata with much success. Based on that, here is some guidance on how to extract the relevant configuration details from a SAML 2.0 metadata file by hand.

Extracting Certificates

Using a text editor, ideally one that shows column numbers in some fashion, open a new file and paste in the following:

 -----BEGIN CERTIFICATE-----
 -----END CERTIFICATE-----

Then open the metadata file and find the certificate, which appears as base64 text. If you are creating a certificate file for a service provider, locate the section of the metadata that begins with the tag <SPSSODescriptor ...> (for an identity provider, <IDPSSODescriptor ...>). Within that section the certificate is enclosed in <X509Certificate> tags inside a <KeyDescriptor>. If there are multiple certificates, the use attribute on the <KeyDescriptor> (signing or encryption; absent means both) tells you what each one is for. Create one file per certificate and then review them to determine which is the most appropriate to use.

Copy the base64 text between the opening tag <X509Certificate> and the closing tag </X509Certificate>, and paste it between the two lines in the certificate file.

If the file you are copying from has the certificate on a single line, you need to add line breaks so that each line is 64 characters long, the standard PEM line length (this is why a text editor with column numbers is useful); only the final line will be shorter. The final resulting file should look like this:

 -----BEGIN CERTIFICATE-----
 MIIF8TCCA9mgAwIBAgIBKjANBgkqhkiG9w0BAQsFADCBqjELMAkGA1UEBhMCVVMx
 CzAJBgNVBAgTAkdBMRAwDgYDVQQHEwdBdGxhbnRhMQ0wCwYDVQQKEwRHVFJJMRMw
 EQYDVQQLEwpJQ0wgLSBJRUFEMTkwNwYDVQQDEzBHRklQTSBSZWZlcmVuY2UgRmVk
 ZXJhdGlvbiBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHTAbBgkqhkiG9w0BCQEWDmhl
 bHBAZ2ZpcG0ubmV0MB4XDTEyMDMxNTE1MzIyNFoXDTE3MDMxNTE1MzIyNFowbzEd
 MBsGA1UEAxMUcmhlbHNwLnJlZi5nZmlwbS5uZXQxCzAJBgNVBAgTAkdBMQswCQYD
 VQQGEwJVUzEVMBMGA1UEChMMR2VvcmdpYSBUZWNoMR0wGwYDVQQLExRHVFJJIC0g
 R0ZJUE0gUHJvamVjdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANHD
 S+kyIFdINFXFACq8sTn6/v59ngqh76ZKSl+Ad5ICeTbto5P+qAIt5t+5++IhjyL5
 YYuiQ+IUcZu4nDE++XC3+O7TmTGwxEZ0eHe4mTVbEXzdxJECi9OPbAv+CCHd/O33
 +95x5+JKLpwUOIbnHQNrXXGkbZlsl9RchQsv2Grbt9JkImTs5b/DjA9wiT2i42Kh
 CK3J78D+QCkxR+T5TT0CXe4BljZXvEy2TRtQb8M6A8I6Uo249RuFLpGyDr45Mqre
 3MWplhGUaJ49f/U1fFq38b2gOyDUVua0KyVYuHJ+HIleO2BI26Pz1oweD6Wuyl8J
 PStTLp9pNChZ9336BFhLYoY32FDlTBqo3PrcJ78dOl04rgaX7E1167YiEAsMcov8
 Go1IdqFMeE9aN2CbxesKMgdwoP+EOzf0XkErn59L2Dnq1hOPOG/LQwnmJTfrHjqe
 Bnvv/67L7j7w8lQbiVbgSPT1MrAC0nUNVNOY3JtQHuYWkxkDJaD3ytQuyKUkbPXU
 d9eilY4INgzVtFSU4fU+IPg0jt3DGqUK2BI7G8nMALXlJEEnNQvUUCyrqKbO5ULg
 CumyjTeD+ZtFvL1QG2Cm0ZGxoDUhps3bBs/EpmH7tyT2vtdlapV1dl4cXQxdrS+6
 2gwIflUkEB/PYqjxL5oAtLOon4IeTHAXw0yI/Y0HAgMBAAGjXDBaMAkGA1UdEwQC
 MAAwEQYJYIZIAYb4QgEBBAQDAgZAMDoGCWCGSAGG+EIBBAQtFitodHRwOi8vcmVm
 LmdmaXBtLm5ldC9jZXJ0cy9yZWYtZ2ZpcG0tY2EuY3JsMA0GCSqGSIb3DQEBCwUA
 A4ICAQA4M9QC5UpwJc+k0yglhhi9R9f81MUh+esCY+31lXKDt94tgLci/KXMQLnG
 fdM3Aee12G6fYv4G1ATotBIHIBevP7LYxTImubBdm2xDuzxgr9rPNwlk32fFwqbc
 mDDgWm7UmYwOoPAf0va3XeSD86Q6VjXeoaa8uAOItkqmmzSe5qIJfX0qznL44GCI
 33XLgKwzNZB2TbPb1d3EQohfkcZwQXLHokXIFipSbYPz73v6AFs5S/EcqRT6ldIE
 DCKJND4Rip0VvmIqI7QUkwMnpcohIiU2kRurUp8zOTrtEf+8tORxDUSjgEVmcvgi
 rKdt2pnBpYokyLs6wsmPggJL9+/5AEuE23CES3ruZ1aiIBWOpAtCZSAgLK+c8c+Q
 HCTSuzSaPekiugjaKWmDCe83d7yZQ7dIHYlO/AqYpjWi901NQYPJQGCOP8Ar7hKs
 oA+2SVOUG+tGa6cIBmWvpNO9xTPfE0y9X9FI/TK3l2/IO7z6IMu5iv7MCXAr6N3G
 aehxtz96m0wgRAQdlKzRNf4T4KV7092pDe50IDRcOUR43JML18IjE85GW4adMNGn
 1q6RGRai/Ux0w/SdqcrR7sOWNizIMBMtDd6MMm16aBVfMVdiLDpPl+uV40r6virM
 TL3JOaisSS3lw8aDc0vVslsm+SjrfPfP0Rwvbtyflm0ZLxGmBw==
 -----END CERTIFICATE-----

Save the file with a .crt or .pem extension. To check that no errors were introduced when the file was created, open it by double-clicking it in Windows; on other operating systems use the system certificate viewer or run openssl x509 -in the-file.crt -noout -text. If the viewer can display the subject, issuer and validity dates, the file is intact; a truncated or mis-wrapped paste will fail to parse.
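The manual procedure above is error-prone (a missed character or a wrong line length produces a file that will not parse). The script below, added for this page and not part of NetIQ or the NIEF tooling, does the same extraction from SAML 2.0 metadata automatically: it finds every <X509Certificate> under the requested role descriptor, records the KeyDescriptor use attribute so you can tell signing from encryption certificates, normalises the base64 (whether it was on one line or spread over many), checks that the decoded bytes form one complete DER SEQUENCE, and writes standard 64-character PEM. The metadata and the DER blob inside it are constructed placeholders, not a real entity's certificate.

```python
"""Extract X509Certificate values from SAML 2.0 metadata and write them as
PEM files. Example code written for this page; SAMPLE_METADATA and FAKE_DER
are constructed placeholders, not a real entity's metadata or certificate."""
from __future__ import annotations

import base64
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"


def der_sequence_ok(der: bytes) -> bool:
    """Check that `der` is exactly one DER SEQUENCE (tag 0x30) whose encoded
    length matches the bytes present. This catches truncated or mis-pasted
    certificates before any X.509 parser sees them."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        length, header = first, 2
    else:                                 # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def to_pem(b64_text: str) -> str:
    """Normalise the base64 from <X509Certificate> (any whitespace, one line or
    many) into PEM with the standard 64-character body lines."""
    compact = re.sub(r"\s+", "", b64_text)
    der = base64.b64decode(compact, validate=True)
    if not der_sequence_ok(der):
        raise ValueError("X509Certificate content is not a complete DER SEQUENCE")
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def extract_certs(metadata_xml: str, role: str = "SPSSODescriptor") -> list[tuple[str, str]]:
    """Return (use, pem) pairs for every certificate under the given role
    element. `use` is "signing", "encryption", or "both" when the KeyDescriptor
    omits the attribute (SAML metadata treats an absent use as both)."""
    root = ET.fromstring(metadata_xml)
    out = []
    for role_el in root.iter(f"{{{MD}}}{role}"):
        for kd in role_el.iter(f"{{{MD}}}KeyDescriptor"):
            use = kd.get("use", "both")
            for cert in kd.iter(f"{{{DS}}}X509Certificate"):
                out.append((use, to_pem(cert.text or "")))
    return out


# Constructed placeholder: a 260-byte DER SEQUENCE of NULLs, long enough to
# need several PEM lines, but not a real certificate.
FAKE_DER = b"\x30\x82\x01\x00" + b"\x05\x00" * 128
FAKE_B64 = base64.b64encode(FAKE_DER).decode("ascii")

# Constructed metadata: one certificate on a single line, one split across
# lines with indentation, exactly the two layouts the text above warns about.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://sp.example.org/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {FAKE_B64[:100]}
        {FAKE_B64[100:]}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    for i, (use, pem) in enumerate(extract_certs(SAMPLE_METADATA), 1):
        path = f"sp-{use}-{i}.crt"
        with open(path, "w") as fh:
            fh.write(pem)
        print(f"wrote {path} ({use})")
```

On a real metadata file, replace SAMPLE_METADATA with the file contents and pass role="IDPSSODescriptor" when you are extracting an identity provider's certificates. The DER framing check is deliberately minimal; once the file is written, openssl x509 -in sp-signing-1.crt -noout -subject -dates is the authoritative test that it is a usable certificate.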

Attribute Names

When configuring GFIPM attributes in NetIQ Access Manager, do not specify a namespace, set the remote attribute name to the full formal name of the GFIPM attribute, and set the attribute NameFormat to URI (it appears to default to Unspecified). The NameFormat matters: relying parties commonly match an incoming attribute on both its Name and its NameFormat, so an attribute sent as Unspecified may be ignored even though its name is correct.
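The three assertion-level problems described on this page (a non-URI AuthnContextDeclRef alongside a class reference, SHA-1 signature and digest methods before SAML_SIGN_METHODDIGEST_SHA256 is set, and attributes sent with an Unspecified NameFormat) can all be checked on a captured assertion before a partner is told it is ready. The linter below is example code written for this page, not NetIQ's or NIEF's; the assertion it inspects is constructed, the DeclRef value "contract-name-placeholder" stands in for whatever NetIQ emits by default, and the attribute name gfipm:2.0:user:GivenName is assumed as an illustrative GFIPM name. The algorithm URIs are the XML Signature identifiers for RSA-SHA1, SHA-1, RSA-SHA256 and SHA-256.

```python
"""Lint a SAML 2.0 assertion for the three NetIQ Access Manager issues on this
page. Example code written for this page; the assertion is constructed and the
DeclRef value and GFIPM attribute name are placeholders, not NetIQ output."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# XML Signature algorithm identifiers; the SHA-1 pair is the legacy default.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
NAMEFORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
NAMEFORMAT_UNSPEC = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"


def is_absolute_uri(value: str) -> bool:
    """Loose syntax check: a declaration reference must at least carry a scheme
    (urn:..., https://...). A bare label such as a contract name does not."""
    parts = urlsplit(value.strip())
    return bool(parts.scheme) and bool(parts.netloc or parts.path)


def lint_assertion(xml_text: str) -> list[str]:
    """Return human-readable findings; an empty list means the assertion is clean."""
    root = ET.fromstring(xml_text)
    findings = []

    for ctx in root.iter(f"{{{SAML}}}AuthnContext"):
        class_ref = ctx.find(f"{{{SAML}}}AuthnContextClassRef")
        decl_ref = ctx.find(f"{{{SAML}}}AuthnContextDeclRef")
        if class_ref is not None and decl_ref is not None:
            findings.append("AuthnContext carries both a ClassRef and a DeclRef")
        if decl_ref is not None and not is_absolute_uri(decl_ref.text or ""):
            findings.append(f"AuthnContextDeclRef is not a URI: {decl_ref.text!r}")

    for el in root.iter(f"{{{DS}}}SignatureMethod"):
        if el.get("Algorithm") == RSA_SHA1:
            findings.append(f"SignatureMethod uses SHA-1; expected {RSA_SHA256}")
    for el in root.iter(f"{{{DS}}}DigestMethod"):
        if el.get("Algorithm") == SHA1:
            findings.append(f"DigestMethod uses SHA-1; expected {SHA256}")

    for attr in root.iter(f"{{{SAML}}}Attribute"):
        fmt = attr.get("NameFormat", NAMEFORMAT_UNSPEC)  # absent NameFormat means unspecified
        if fmt != NAMEFORMAT_URI:
            findings.append(f"Attribute {attr.get('Name')!r} has NameFormat {fmt}")
    return findings


# Constructed assertion skeleton; the signature and digest values are dummies.
ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="{saml}" xmlns:ds="{ds}"
    ID="_a1" Version="2.0" IssueInstant="2014-02-12T00:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="{sig_alg}"/>
      <ds:Reference URI="#_a1">
        <ds:DigestMethod Algorithm="{digest_alg}"/>
        <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
  </ds:Signature>
  <saml:AuthnStatement AuthnInstant="2014-02-12T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      {decl_ref}
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="gfipm:2.0:user:GivenName" NameFormat="{name_format}">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def build_assertion(sig_alg: str, digest_alg: str, decl_ref: str, name_format: str) -> str:
    return ASSERTION_TEMPLATE.format(saml=SAML, ds=DS, sig_alg=sig_alg,
                                     digest_alg=digest_alg, decl_ref=decl_ref,
                                     name_format=name_format)


# The shape this page describes: SHA-1, a bare-string DeclRef next to the
# ClassRef, and an Unspecified NameFormat ("contract-name-placeholder" is a
# stand-in, not NetIQ's real default value).
WEAK_ASSERTION = build_assertion(
    RSA_SHA1, SHA1,
    "<saml:AuthnContextDeclRef>contract-name-placeholder</saml:AuthnContextDeclRef>",
    NAMEFORMAT_UNSPEC)
# The shape a partner should see after the fixes on this page are applied.
CLEAN_ASSERTION = build_assertion(RSA_SHA256, SHA256, "", NAMEFORMAT_URI)

if __name__ == "__main__":
    for finding in lint_assertion(WEAK_ASSERTION):
        print("WEAK:", finding)
    print("clean:", lint_assertion(CLEAN_ASSERTION))
```

To use it on a real assertion, decode the SAMLResponse from a captured POST and pass the Assertion element's XML to lint_assertion. The URI check is intentionally syntactic; whether a well-formed DeclRef actually resolves is a separate question.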