MyTechReference - Technical Notes

by IDAMGroup

NetIQ Access Manager SAML2.0 SSO with Concur

Novell/NetIQ SAML 2.0 SSO with Concur application.

I am going to show you how the Concur application is integrated with Novell Access Manager using the SAML 2.0 federation protocol. In this setup Novell Access Manager is configured as the Identity Provider and Concur is the Service Provider.

The Concur integration is IdP-initiated web SSO: the user accesses the IdP-initiated URL and is prompted for authentication. Once authentication succeeds, the user is redirected to the Concur home page.

  • NAM Version: 3.2 IR1
  • OS: SLES 1 SP2 64-bit

IdP Initiated SSO Flow

  1. The user accesses the IdP-initiated URL.
  2. The Identity Provider prompts for authentication.
  3. The user enters the credentials.
  4. On successful authentication the Identity Provider sends a SAML Response with an Assertion containing the user's email address to the Service Provider (Concur).
  5. Concur validates the SAML Assertion against its user store.
  6. Once validation succeeds, Concur redirects the user to the Concur home page.

What to get from the Service Provider

  • Concur application Provider ID
  • Concur post Consumer URL
  • Concur application trusted root
  • Concur landing/target page

What to give

  • NAM Metadata (
  • NAM trusted root (Export the trusted root of )

Below are the steps required to configure SAML 2.0 federation with the Concur application.

  1. Configure the shared attribute
  2. Create the SAML 2.0 Service Provider
    • Select the attributes to send along with authentication
    • Select the authentication response
    • Configure the Intersite Transfer URL

Configure Shared Attribute

  • Create the attribute set that will be shared with the Service Provider

Identity Servers -> Shared Settings

  • Click New and create the “mail” attribute that will be shared with the Concur application

Name: Concur

Select the local attribute “mail”
Remote attribute to be mapped: “saml:NameIdentifier” (here I am sending the mail attribute to Concur so that it can be mapped to the Concur application's Name Identifier)




  • Click OK and update the Identity Server

Create Service Provider

  • Identity Servers -> Edit -> SAML2.0 -> Trusted Providers -> Service Provider

  • Concur does not provide a metadata file, so select Manual Entry to create the metadata

The Provider ID and POST Consumer URL will be provided by the Concur application team.

Name: Concur
Provider ID: <provider ID>
POST Consumer URL:

  • Import the Concur server signing certificate, click Next and finish the configuration.


  • Now select the newly created Service Provider (Concur)
  • Click the Attributes tab, select the attribute set “Concur” and move the mail attribute to “Send with authentication”

  • Click the Authentication Response tab, select the Binding “POST”, then select the Unspecified name identifier format and make it the default value.

  • Click the Intersite Transfer Service tab and provide the following details

ID: Concur
Target:

  • Click OK and update the Identity Server

Now access the IdP-initiated URL as

NetIQ Access Manager prompts you for the password and, once authentication succeeds, redirects you to the Intersite Transfer Service URL.
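As an added example (not part of the original post, and not NAM or Concur code), the following Python script decodes the SAMLResponse that the browser POSTs to the Service Provider under this configuration and checks the fields that have to agree with what Concur supplied: the Audience against the Provider ID, Recipient and Destination against the POST Consumer URL, and the NameID carrying the mail attribute in the unspecified format. The sample response, its hostnames and the provider ID are constructed placeholders; XML signature verification is left out.

```python
import base64
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
TS = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample of an IdP-initiated response with the "Concur" attribute set
# (mail -> NameID) and POST binding; no InResponseTo, since the SP sent no request.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2012-06-01T10:00:00Z" Destination="https://sp.example/saml/post">
 <saml:Issuer>https://idp.example/nidp/saml2/metadata</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2012-06-01T10:00:00Z">
  <saml:Issuer>https://idp.example/nidp/saml2/metadata</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2012-06-01T10:05:00Z" Recipient="https://sp.example/saml/post"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotOnOrAfter="2012-06-01T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>PLACEHOLDER-PROVIDER-ID</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""
# The browser POSTs this base64-encoded in the SAMLResponse form field.
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def check_response(saml_response_b64, provider_id, consumer_url, now):
    """Decode a posted SAMLResponse and check it against the Provider ID and POST
    Consumer URL Concur supplied; 'now' is a UTC timestamp string (signature not checked)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    a = root.find("saml:Assertion", NS)
    nameid = a.find("saml:Subject/saml:NameID", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    cond = a.find("saml:Conditions", NS)
    return {
        "status_success": root.find("samlp:Status/samlp:StatusCode", NS).get("Value") == "urn:oasis:names:tc:SAML:2.0:status:Success",
        "audience_is_provider_id": cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) == provider_id,
        "recipient_is_consumer_url": scd.get("Recipient") == consumer_url == root.get("Destination"),
        "nameid_format_unspecified": nameid.get("Format") == UNSPECIFIED,
        "nameid_is_email": "@" in (nameid.text or ""),
        "not_expired": datetime.strptime(now, TS) < datetime.strptime(cond.get("NotOnOrAfter"), TS),
        "nameid": nameid.text,
    }
```

Run it against a real SAMLResponse captured from the browser POST to confirm the Audience and Recipient match the values Concur gave you before asking the Concur team to look at their side.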


Disclaimer: Content posted here worked for me and may not guarantee success, should be used as reference only and please use it cautiously.