MyTechReference - Technical Notes


by IDAMGroup

NetIQ Access Manager SAML2.0 SSO with Concur

Novell/NetIQ SAML 2.0 SSO with the Concur application.

This note shows how to integrate the Concur application with Novell Access Manager (NAM) using the SAML 2.0 federation protocol. Access Manager is configured as the Identity Provider (IdP) and Concur is the Service Provider (SP).

The Concur integration uses IdP-initiated web SSO: the user opens the IdP-initiated URL https://login.mytechreference.com/nidp/saml2/idpsend?id=Concur, is prompted to authenticate, and on successful authentication is redirected to the Concur home page.

  • NAM version: 3.2 IR1
  • OS: SLES 11 SP2 64-bit

IdP Initiated SSO Flow

[Diagram: Concor_SSO_Flow]

  1. The user accesses the IdP-initiated URL https://login.mytechreference.com/nidp/saml2/idpsend?id=Concur.
  2. The Identity Provider prompts for authentication.
  3. The user enters their credentials.
  4. On successful authentication the Identity Provider sends a SAML Response, containing an Assertion whose NameID is the user's email address, to the Service Provider (Concur) by HTTP POST to the Concur POST consumer URL.
  5. Concur validates the SAML Assertion (signature against the NAM trusted root, issuer, audience and validity period) and looks up the email address in its user store.
  6. Once validation succeeds, Concur redirects the user to the Concur home page.
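The exchange in steps 4 and 5, as an added example that is not part of the original article and is not NAM's or Concur's code. It constructs the SAML 2.0 Response an IdP would post to the Concur POST consumer URL after idpsend?id=Concur, using the Provider ID, POST consumer URL and NameID format configured later in this article, and then runs the checks a service provider has to make before it trusts the NameID: destination, status, issuer, audience (Provider ID), validity window, and one-time use of the assertion ID. The clock value, user address and tampered variants are constructed for the demo, and the `<provider ID>` placeholder is kept literally, which also shows why values must be XML-escaped.

```python
"""Constructed illustration of the flow above (not NAM's or Concur's code):
build_response() is the SAML 2.0 Response the IdP posts to Concur after idpsend?id=Concur,
validate_response() is what the SP must check before trusting the NameID. Signature
verification is left out (see the note after the block); the rest is plain SAML 2.0."""
import datetime as dt
import uuid
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
TS = "%Y-%m-%dT%H:%M:%SZ"
# Values from this article's configuration; <provider ID> is Concur's placeholder.
IDP_ENTITY_ID = "https://login.mytechreference.com/nidp/saml2/metadata"
SP_ENTITY_ID = "https://implementation.concursolutions.com?entity=<provider ID>"
ACS_URL = "https://implementation.concursolutions.com/SAMLRedirector/ClientSAMLLogin.aspx"
T0 = dt.datetime(2024, 5, 1, 12, 0, 0)  # constructed UTC clock for the demo

class SamlError(Exception): pass

def build_response(mail, issued_at, lifetime_s=300):
    """Step 4: a Response carrying one bearer Assertion whose NameID is the mail attribute."""
    nb, na = issued_at.strftime(TS), (issued_at + dt.timedelta(seconds=lifetime_s)).strftime(TS)
    rid, aid = "_" + uuid.uuid4().hex, "_" + uuid.uuid4().hex
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="{rid}" Version="2.0" IssueInstant="{nb}" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="{aid}" Version="2.0" IssueInstant="{nb}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{NAMEID_UNSPECIFIED}">{escape(mail)}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="{na}" Recipient="{ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">
      <saml:AudienceRestriction><saml:Audience>{escape(SP_ENTITY_ID)}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="{nb}"><saml:AuthnContext><saml:AuthnContextClassRef>{PASSWORD_CTX}</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

def validate_response(xml_text, now, seen_ids, skew_s=60):
    """Step 5: accept only what our IdP issued, for us, now, and once; return the mail."""
    root = ET.fromstring(xml_text)  # production SP code should use a hardened parser (defusedxml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlError("not a samlp:Response")
    if root.get("Destination") != ACS_URL:
        raise SamlError("Destination is not this SP's POST consumer URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlError("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise SamlError("no assertion, or assertion issuer is not the trusted IdP")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise SamlError("assertion is not addressed to this Provider ID")
    cond = assertion.find("saml:Conditions", NS)
    nb, na = (dt.datetime.strptime(cond.get(k), TS) for k in ("NotBefore", "NotOnOrAfter"))
    skew = dt.timedelta(seconds=skew_s)
    if now + skew < nb or now - skew >= na:
        raise SamlError("assertion outside its validity window")
    aid = assertion.get("ID")
    if aid in seen_ids:
        raise SamlError("assertion ID already consumed (replay)")
    seen_ids.add(aid)
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise SamlError("no NameID: check the mail -> saml:NameIdentifier attribute mapping")
    return name_id

def check(xml_text, now, seen_ids):
    """Fold validate_response() into an (outcome, detail) pair."""
    try:
        return ("accepted", validate_response(xml_text, now, seen_ids))
    except SamlError as e:
        return ("rejected", str(e))

def demo():
    """The good case plus the failure modes an SP must catch (inputs are constructed)."""
    good = build_response("jane.doe@mytechreference.com", T0)
    seen = set()
    return {
        "valid": check(good, T0 + dt.timedelta(seconds=30), seen),
        "replayed": check(good, T0 + dt.timedelta(seconds=31), seen),
        "expired": check(good, T0 + dt.timedelta(seconds=600), set()),
        "wrong_audience": check(good.replace(escape(SP_ENTITY_ID), "https://other-sp.example"), T0, set()),
        "wrong_destination": check(good.replace(ACS_URL, "https://evil.example/acs", 1), T0, set()),
    }

if __name__ == "__main__":
    for name, (outcome, detail) in demo().items():
        print(f"{name:18s} {outcome}: {detail}")
```

Two things this deliberately does not model: the XML-DSig signature that NAM puts on the response, which Concur must verify against the NAM trusted root before any of the other checks mean anything, and the RelayState/target handling that takes the user to portal.asp afterwards. The "no NameID" branch is the failure you see when the attribute set mapping of mail to saml:NameIdentifier is missing: the assertion is otherwise well-formed, but Concur has nothing to match against its user store.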

What to get from the Service Provider

  • Concur application Provider ID
  • Concur POST consumer URL
  • Concur application trusted root (signing certificate chain)
  • Concur landing/target page

What to give to the Service Provider

  • NAM metadata (https://login.mytechreference.com/nidp/saml2/metadata)
  • NAM trusted root (export the trusted root certificate of https://login.mytechreference.com)

Below are the steps required to configure SAML 2.0 federation with the Concur application.

  1. Configure the shared attribute
  2. Create the SAML 2.0 Service Provider
    • Select the attributes to send along with authentication
    • Select the authentication response
    • Configure the Intersite Transfer Service URL

Configure Shared Attribute

  • Create an attribute set that will be shared with the Service Provider

Identity Servers–>Shared Settings

[Screenshot: concur_SAML_1]

  • Click New and create the attribute set that will carry the “mail” attribute to the Concur application

Name: Concur

[Screenshot: concur_SAML_2]

Local attribute: “mail”
Remote attribute to be mapped: “saml:NameIdentifier” (the mail attribute is sent to Concur mapped to the SAML Name Identifier, which is the value Concur matches against its user store)

[Screenshots: concur_SAML_3, concur_SAML_4, concur_SAML_5]

  • Click OK and update the Identity Server

Create Service Provider

  • Identity Servers–>Edit–>SAML 2.0–>Trusted Providers–>Service Provider

[Screenshot: concur_SAML_6]

  • Concur does not publish a metadata file, so select Manual Entry and enter the metadata values by hand

The Provider ID and POST consumer URL are supplied by the Concur application team.

Name : Concur
Provider ID : https://implementation.concursolutions.com?entity=<provider ID>
POST Consumer URL: https://implementation.concursolutions.com/SAMLRedirector/ClientSAMLLogin.aspx

  • Import the Concur server signing certificate, click Next and finish the configuration.
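The three Manual Entry values above are exactly the fields a SAML 2.0 service-provider metadata document carries, so it helps to see the mapping written out: Provider ID becomes entityID, the POST consumer URL becomes an AssertionConsumerService with the HTTP-POST binding, and the imported signing certificate becomes a KeyDescriptor with use="signing". The following is an added example, not NetIQ's or Concur's code: it generates that document from the values in this article and parses it back into the same fields, which is useful for reviewing what the Concur team sent in one place (the trusted-provider dialog in NAM also accepts pasted metadata text as an alternative to Manual Entry). The certificate body is a constructed placeholder, not a real certificate, and `<provider ID>` is Concur's placeholder kept literally.

```python
"""Constructed example (not NetIQ's or Concur's code): the SAML 2.0 SP metadata
that the Manual Entry fields stand for, plus a parser that reads the fields back.
The certificate below is a placeholder string, not a real X.509 certificate."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ATTR = {'"': "&quot;"}  # extra entity so escape() is also safe inside attribute values

# Manual Entry values from this article; <provider ID> is Concur's placeholder.
PROVIDER_ID = "https://implementation.concursolutions.com?entity=<provider ID>"
POST_CONSUMER_URL = "https://implementation.concursolutions.com/SAMLRedirector/ClientSAMLLogin.aspx"
# Constructed stand-in for the Concur signing certificate (not a real certificate).
SIGNING_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIConstructedPlaceholderNotARealCertificate
-----END CERTIFICATE-----"""

def pem_to_b64(pem):
    """Metadata carries the bare base64 DER body, without PEM armour or line breaks."""
    return "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))

def sp_metadata(provider_id, post_consumer_url, signing_cert_pem):
    """Build the SP EntityDescriptor equivalent to NAM's Manual Entry fields."""
    return f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="{escape(provider_id, ATTR)}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="false" WantAssertionsSigned="true">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{pem_to_b64(signing_cert_pem)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{NAMEID_UNSPECIFIED}</md:NameIDFormat>
    <md:AssertionConsumerService Binding="{HTTP_POST}" index="0" isDefault="true"
        Location="{escape(post_consumer_url, ATTR)}"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def read_sp_metadata(xml_text):
    """Parse SP metadata back into the fields NAM asks for under Manual Entry."""
    ns = {"md": MD, "ds": DS}
    root = ET.fromstring(xml_text)  # hardened parser (defusedxml) for metadata from outside
    sp = root.find("md:SPSSODescriptor", ns)
    acs = sp.find("md:AssertionConsumerService", ns)
    return {
        "provider_id": root.get("entityID"),
        "post_consumer_url": acs.get("Location"),
        "binding": acs.get("Binding"),
        "name_id_format": sp.findtext("md:NameIDFormat", namespaces=ns),
        "signing_cert_b64": sp.findtext(
            "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=ns),
    }

if __name__ == "__main__":
    print(sp_metadata(PROVIDER_ID, POST_CONSUMER_URL, SIGNING_CERT_PEM))
```

The NameIDFormat line corresponds to the “Unspecified” default chosen on the Authentication Response tab later in this procedure; if Concur ever asked for the email NameID format instead, that is the one line (and the one NAM setting) that would change.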

[Screenshot: concur_SAML_7]

  • Now select the newly created Service Provider (Concur)
  • Click the Attributes tab, select the attribute set “Concur” and move the mail attribute to “Send with authentication”

[Screenshot: concur_SAML_8]

  • Click the Authentication Response tab, select “POST” as the binding, then select the “Unspecified” name identifier format and make it the default

[Screenshot: concur_SAML_9]

  • Click the Intersite Transfer Service tab and provide the following details

ID : Concur
Target : https://implementation.concursolutions.com/portal.asp

[Screenshot: concur_SAML_10]

  • Click OK and update the Identity Server

Now access the IdP-initiated URL https://login.mytechreference.com/nidp/saml2/idpsend?id=Concur

NetIQ Access Manager prompts you for your credentials; once authentication succeeds it posts the assertion to Concur, which redirects you to the Intersite Transfer Service target https://implementation.concursolutions.com/portal.asp

---------------------------------------------------------------------------------------------------------------------------------------------

Disclaimer: The content posted here worked for me; it does not guarantee success, should be used as a reference only, and should be applied cautiously.