CA Nimsoft Service Desk Single Sign-On Configuration Guide 6.2.6
This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is for your informational purposes only and is subject to change or withdrawal by CA at any time. This Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy. The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION AS IS WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE. The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice. The manufacturer of this Documentation is CA. 
Provided with Restricted Rights. Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors. Copyright 2013 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.
Contact CA Technologies

Contact CA Support

For your convenience, CA Technologies provides one site where you can access the information that you need for your Home Office, Small Business, and Enterprise CA Technologies products. At http://ca.com/support, you can access the following resources:
- Online and telephone contact information for technical assistance and customer services
- Information about user communities and forums
- Product and documentation downloads
- CA Support policies and guidelines
- Other helpful resources appropriate for your product

Providing Feedback About Product Documentation

If you have comments or questions about CA Technologies product documentation, you can send a message to techpubs@ca.com. To provide feedback about CA Technologies product documentation, complete our short customer survey, which is available on the CA Support website at http://ca.com/docs.
Contents

Chapter 1: Introduction
  SAML 2.0 Single Sign-On
  Prerequisites
Chapter 2: Enabling Single Sign-On
  Export Identity Provider Certificate
    Active Directory Federation Service 2.0: Export Token Signing Certificate
    Novell Access Manager: Exporting Signing Certificate
  Configure SAML Single Sign-On in Nimsoft Service Desk
  Add Nimsoft Service Desk as Trusted Service Provider in the Identity Provider
    Active Directory Federation Service 2.0: Add Relying Party Trust
    Novell Access Manager: Manage Trusted Provider
  Configure Identity Provider to send User Identifier as Name ID
    Active Directory Federation Service: Add Claim Rules
    Novell Access Manager: Create Attribute Set for Trusted Provider
Chapter 1: Introduction

This document describes the configuration needed to enable SAML-based authentication between Nimsoft Service Desk and either Microsoft Active Directory Federation Services (AD FS 2.0) or Novell Access Manager as the Identity Provider. It also describes how to exchange metadata between the Identity Provider and Nimsoft Service Desk to establish the federation between the two parties and enable Single Sign-On.

The Nimsoft Service Desk Single Sign-On tool supports the SAML 2.0 authentication standard for authenticating Nimsoft Service Desk users against an identity provider. Once Single Sign-On (SSO) is configured, users log in to the application seamlessly without being prompted for an application user name and password.

This section contains the following topics:
- SAML 2.0 Single Sign-On
- Prerequisites

SAML 2.0 Single Sign-On

SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass user information between an identity provider and Nimsoft Service Desk. For the login exchange, the Identity Provider and Nimsoft Service Desk do not connect to each other directly; they communicate through the client browser, which carries the authentication request to the Identity Provider and the signed response back to Nimsoft Service Desk.
The following diagram shows the sequence of events in authenticating a user through SAML-based Single Sign-On.

Where federation is used to enable Single Sign-On, Nimsoft Service Desk receives a SAML assertion in an HTTP POST request from the user's browser (the SAML HTTP-POST binding). The assertion has a limited validity period, carries a unique identifier, and is digitally signed by the identity provider. The user is granted access only if all of the following hold: the assertion is presented within its validity period; it has not been used before (its unique identifier has not already been consumed to create a session for that user); and its signature verifies as coming from the identity provider. On success the user is redirected to the Home Page or to the originally requested page (for example a Service Feedback form, My Outstanding Approvals, or a Ticket form). If any of these checks fails, the user is informed that the credentials are invalid; the failure cause is not reported to the user.

Prerequisites

For SAML 2.0 Single Sign-On, configuration is needed on both Nimsoft Service Desk and the Identity Provider server. The following conditions must be met before you begin configuring SAML 2.0 Single Sign-On:
- The Identity Provider server is configured and running.
- The Token Signing Certificate is available.
- HTTPS/SSL is enabled on the Identity Provider's IIS server (AD FS 2.0).
- Nimsoft Service Desk is installed on a server that is HTTPS/SSL enabled.
Before commencing, ensure that the Identity Provider (either Microsoft Active Directory Federation Services or Novell Access Manager) is already configured and running and that the Token Signing Certificate is available.

You must enable HTTPS/SSL on the Nimsoft Service Desk application server and database server before starting the Single Sign-On configuration. Contact Nimsoft Support for assistance and instructions on how to do this.

Important! Do not modify any parameters on the application server or database server without assistance from Nimsoft Support.
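The acceptance checks described in the SAML 2.0 Single Sign-On section above (validity period, one-time use of the unique identifier, valid signature from the identity provider), written out as an added example in Python; this is not Nimsoft Service Desk code. It adds the issuer and audience checks every SAML service provider also makes, allows a small clock skew, and returns the Subject Name ID that Chapter 2 maps to the Nimsoft Service Desk user name. The issuer value, the entity ID, the sample response and the signature_ok callback are assumptions made for the example: the XML-Signature verification itself has to be done with an XML-DSig library (for example xmlsec) against the exported token-signing certificate, which the Python standard library cannot do on its own.

```python
"""Acceptance checks for a SAML 2.0 assertion received by a service provider.

Added example, not Nimsoft Service Desk code. The XML-Signature verification is
delegated to a callback (signature_ok); everything else is implemented here.
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed values for the example; a deployment takes them from its configuration.
IDP_ISSUER = "http://adfs.example.com/adfs/services/trust"   # AD FS 2.0 issuer format, hypothetical host
SP_ENTITY_ID = "urn:example:nimsoft-service-desk"            # hypothetical service-provider entity ID


class AssertionRejected(Exception):
    """Raised when the assertion must not be used to create a session."""


def utc(year, month, day, hour=0, minute=0, second=0):
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def _saml_time(value):
    if value is None:
        raise AssertionRejected("Conditions lacks NotBefore/NotOnOrAfter")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def accept_saml_response(saml_response_b64, signature_ok, seen_ids, now,
                         issuer=IDP_ISSUER, audience=SP_ENTITY_ID,
                         clock_skew=timedelta(minutes=2)):
    """Validate the SAMLResponse form field of an HTTP POST and return the NameID.

    signature_ok: callable(assertion_element) -> bool, the XML-DSig check.
    seen_ids:     mutable set of assertion IDs already used to create a session.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise AssertionRejected("Response carries no Assertion")

    # 1. The assertion must be signed by the identity provider's signing key.
    if not signature_ok(assertion):
        raise AssertionRejected("signature does not verify")

    # 2. It must come from the configured identity provider and be meant for us.
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != issuer:
        raise AssertionRejected("unexpected Issuer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionRejected("Assertion has no Conditions")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise AssertionRejected("AudienceRestriction does not name this service provider")

    # 3. Limited validity period, with a small tolerance for clock skew.
    not_before = _saml_time(cond.get("NotBefore"))
    not_on_or_after = _saml_time(cond.get("NotOnOrAfter"))
    if now + clock_skew < not_before or now - clock_skew >= not_on_or_after:
        raise AssertionRejected("assertion presented outside its validity period")

    # 4. One-time use: the unique ID must not have been consumed before.
    assertion_id = assertion.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        raise AssertionRejected("assertion ID missing or already used (replay)")
    seen_ids.add(assertion_id)

    # Subject/NameID is the user identifier the service provider maps to a user name.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if not name_id:
        raise AssertionRejected("Subject has no NameID")
    return name_id


def outcome(*args, **kwargs):
    """Wrap accept_saml_response: ('ok', name_id) or ('rejected', reason)."""
    try:
        return "ok", accept_saml_response(*args, **kwargs)
    except AssertionRejected as exc:
        return "rejected", str(exc)


# Constructed sample response (not captured from a real identity provider). The
# ds:Signature element is omitted because signature_ok stands in for its check.
SAMPLE_RESPONSE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-06-01T10:00:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2013-06-01T10:00:00Z" NotOnOrAfter="2013-06-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>urn:example:nimsoft-service-desk</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""").decode()

if __name__ == "__main__":
    seen = set()
    print(outcome(SAMPLE_RESPONSE, lambda a: True, seen, utc(2013, 6, 1, 10, 1)))    # accepted
    print(outcome(SAMPLE_RESPONSE, lambda a: True, seen, utc(2013, 6, 1, 10, 1)))    # replay
    print(outcome(SAMPLE_RESPONSE, lambda a: True, set(), utc(2013, 6, 1, 11, 0)))   # expired
    print(outcome(SAMPLE_RESPONSE, lambda a: False, set(), utc(2013, 6, 1, 10, 1)))  # bad signature
```

Running the module prints an accepted login, then the same response rejected as a replay, as expired, and with a failed signature. The replay cache (seen_ids) has to be shared by all application nodes and kept at least until the latest NotOnOrAfter it holds has passed; a per-process set, as here, is only enough for a single node. The signature is checked before anything else in the assertion is trusted, which is the order a service provider must keep.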
Chapter 2: Enabling Single Sign-On

For Nimsoft Service Desk and the Identity Provider to recognize each other's assertions and requests as valid, a federation has to be established between the two systems. To build a federation between an Identity Provider (such as Microsoft Active Directory Federation Services (AD FS 2.0) or Novell Access Manager) and Nimsoft Service Desk, trust is established by exchanging metadata: the Identity Provider's signing certificate in one direction and the Nimsoft Service Desk service-provider metadata in the other.
To establish the federated trust and enable Single Sign-On, you need to complete the following actions:
1. Export the Token Signing Certificate from the Identity Provider into a supported file format.
2. Configure Single Sign-On in Nimsoft Service Desk, then download the metadata from Nimsoft Service Desk and save it as Domainname.XML.
3. Add Nimsoft Service Desk as a Trusted Service Provider in the Identity Provider.
4. Configure the Identity Provider to send the User Identifier as Name ID.

The following sections give detailed instructions for the exchange of metadata between the Identity Provider and Nimsoft Service Desk and for the other configuration needed to enable Single Sign-On.

Note: Where configuration is needed on the Identity Provider, the document has sub-sections for Microsoft Active Directory Federation Services (AD FS) 2.0 and for Novell Access Manager. Browse to the sub-section for the Identity Provider you are using.

This section contains the following topics:
- Export Identity Provider Certificate
- Configure SAML Single Sign-On in Nimsoft Service Desk
- Add Nimsoft Service Desk as Trusted Service Provider in the Identity Provider
- Configure Identity Provider to send User Identifier as Name ID

Export Identity Provider Certificate

Federation servers use a public/private key pair to digitally sign every security token they issue. The relying party (here Nimsoft Service Desk) uses the public key to verify that a received token was really signed by the Identity Provider and has not been altered in transit. Only the public key portion of the signing certificate is exported from the Identity Provider and saved in an appropriate location; the private key never leaves the Identity Provider.
Once the signing certificate is saved in a location accessible from the system on which you configure Nimsoft Service Desk, its contents are pasted into the Single Sign-On configuration in Nimsoft Service Desk.
The signing certificate has to be stored in a Base64 encoded file for AD FS 2.0 and in a PEM file for Novell Access Manager. Both are the same text format: the DER certificate, Base64 encoded, between BEGIN CERTIFICATE and END CERTIFICATE lines. Steps for exporting the signing certificate from Microsoft Active Directory Federation Services (AD FS) 2.0 and from Novell Access Manager are given below in the respective sections.

Active Directory Federation Service 2.0: Export Token Signing Certificate

The Token Signing Certificate can be exported from the Service node of the AD FS 2.0 Management snap-in. Follow these steps:
1. Log into the Identity Provider server and click Administrative Tools > AD FS 2.0 Management. The AD FS 2.0 window is displayed.
2. Click Service to open the Service node. The available service settings are displayed.
3. Click Certificates under Service. The Certificates pane is displayed with the available certificates.
4. Select the certificate listed under Token-Signing in the Certificates pane and open it. The Certificate window is displayed.
5. Click Copy to File on the Details tab of the Certificate window. The Certificate Export Wizard is launched.
6. Click Next on the Welcome to the Certificate Export Wizard page. The Export Private Key page is displayed.
7. Select No, do not export the private key. This ensures that only the public key is exported; the private key stays on the Identity Provider.
8. Click Next. You are prompted to choose the file format in which the certificate is to be exported.
9. Select Base-64 encoded X.509 (.CER) and click Next. You are prompted to select the location where the file is to be saved.
10. Select a location where the token signing certificate is to be saved. You now need to specify a file name to identify the token signing certificate being exported.
11. Specify an appropriate file name, verify that the file type is Base-64 encoded (.cer), and click Save. The Certificate Export Wizard window displays the file name and location specified. Verify the file path.
12. Click Next to export the Token Signing Certificate. The certificate is exported to the specified location and the wizard displays the message "The export was successful."
13. Click OK and then Finish to exit the Certificate Export Wizard.

Export of the Token Signing Certificate is now complete. You can validate the export by browsing to the file at the location you specified and opening it in any text editor such as Notepad: a correct Base-64 export is readable text beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----. If the file shows binary content, the DER option was chosen in step 9 and the export has to be repeated. This certificate can now be used for configuring SAML Single Sign-On in Nimsoft Service Desk.

Novell Access Manager: Exporting Signing Certificate

You can export the signing certificate from the Certificates pane under Access Manager in Novell iManager. Follow these steps:
1. Log in to the Novell iManager Administration Console and, under the Access Manager option, select Certificates. A list of all certificates configured in Novell Access Manager is displayed.
2. Select the Signing certificate from the available options. The signing certificate is displayed in the pane. Review the certificate details, including the validity period (Valid from and Valid to). You need to export this certificate to a location that can be accessed from the system on which you configure Nimsoft Service Desk.
3. Click the drop-down in the Export Public Certificate option on the Certificate pane. The file options are displayed.
4. Select PEM File as the file option. The File Download screen is displayed, prompting you to Open or Save the file.
5. Click Save to save the signing certificate as a PEM file. A prompt is displayed for you to choose the file name and file format; you can also browse to the location where you wish to save the file.
6. Specify a file name and browse to the location where you wish to save the file. Note: Make sure that the file format is PEM.
7. Click Save.

The export of the signing certificate is now complete. You can validate the export by browsing to the file at the location you specified and opening it in any text editor such as Notepad; a PEM file is readable text between BEGIN CERTIFICATE and END CERTIFICATE lines. This certificate can now be used for configuring SAML Single Sign-On in Nimsoft Service Desk.
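Opening the exported file in Notepad only shows that it is readable text. The following added example (Python, standard library only; not part of this guide or of AD FS or Novell Access Manager) checks an export the way a practitioner would before pasting it into the Identity Provider Certificate field later on: it requires the BEGIN/END CERTIFICATE framing that both the AD FS Base-64 .cer and the Novell PEM exports produce, decodes the payload, walks enough of the DER structure to read the validity period, computes the SHA-1 thumbprint so it can be compared with the one shown in the AD FS or iManager console, and returns a normalised copy for pasting. A binary DER or PKCS#7 export is rejected with an explanation. The sample certificate, host name and dates are constructed for the example and carry a placeholder key and signature; nothing here verifies a signature.

```python
"""Verify an exported token-signing certificate before pasting it into Nimsoft Service Desk.

Added example, not part of this guide. Standard library only; the sample
certificate built by sample_export() is constructed and is not a real certificate.
"""
import base64
import hashlib
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def _tlv(buf, pos):
    """Decode one DER tag/length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value bytes) for each element inside a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, buf[vs:ve]
        pos = ve


def _asn1_time(tag, raw):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def inspect_certificate(pem_text, now):
    """Return thumbprint, validity and a normalised PEM ready to paste, or raise ValueError."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("not a Base64/PEM certificate: BEGIN/END CERTIFICATE lines missing "
                         "(binary DER or PKCS#7 export?)")
    b64 = "".join(m.group(1).split())                  # tolerate CRLF and stray whitespace
    der = base64.b64decode(b64, validate=True)
    tag, start, end = _tlv(der, 0)                     # Certificate ::= SEQUENCE
    if tag != 0x30 or end != len(der):
        raise ValueError("payload is not a single DER SEQUENCE")
    tbs_tag, tbs_start, tbs_end = _tlv(der, start)     # tbsCertificate
    if tbs_tag != 0x30:
        raise ValueError("payload is not an X.509 certificate (PKCS#7 bundle?)")
    fields = _children(der, tbs_start, tbs_end)
    tag, _ = next(fields)                              # [0] version (optional) or serialNumber
    if tag == 0xA0:
        next(fields)                                   # serialNumber
    next(fields)                                       # signature AlgorithmIdentifier
    next(fields)                                       # issuer Name
    tag, validity = next(fields)                       # validity SEQUENCE { notBefore, notAfter }
    if tag != 0x30:
        raise ValueError("malformed tbsCertificate")
    (nb_tag, nb), (na_tag, na) = list(_children(validity, 0, len(validity)))
    not_before, not_after = _asn1_time(nb_tag, nb), _asn1_time(na_tag, na)
    return {
        "sha1_thumbprint": hashlib.sha1(der).hexdigest(),
        "not_before": not_before,
        "not_after": not_after,
        "valid_now": not_before <= now < not_after,
        "pem": "-----BEGIN CERTIFICATE-----\n" + "\n".join(
            b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n",
    }


def _der(tag, content):
    """Encode one DER element (used only to build the constructed sample)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def sample_export():
    """Constructed AD FS-style Base-64 .cer export (CRLF line endings); not a real certificate."""
    utctime = lambda s: _der(0x17, s.encode())
    rsa_sha1 = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010105")) + _der(0x05, b""))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) +
                                         _der(0x13, b"ADFS Signing - adfs.example.com"))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + rsa_sha1 + name +
               _der(0x30, utctime("130101000000Z") + utctime("150101000000Z")) + name +
               _der(0x30, b""))                        # subjectPublicKeyInfo placeholder
    cert = _der(0x30, tbs + rsa_sha1 + _der(0x03, b"\x00" * 17))   # placeholder signature
    b64 = base64.b64encode(cert).decode()
    body = "\r\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\r\n" + body + "\r\n-----END CERTIFICATE-----\r\n"


if __name__ == "__main__":
    info = inspect_certificate(sample_export(), utc(2014, 6, 1))
    print(info["sha1_thumbprint"], info["not_before"], info["not_after"], info["valid_now"])
```

The "pem" value is what to paste into Nimsoft Service Desk: the same certificate with LF line endings and 64-column lines, framing included. Keep the not_after date: Nimsoft Service Desk trusts exactly the certificate pasted into it, so the export has to be repeated when the Identity Provider renews its signing certificate.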
Configure SAML Single Sign-On in Nimsoft Service Desk

To enable Single Sign-On, Nimsoft Service Desk has to be configured to trust assertions sent by the Identity Provider. This is done by pasting the Identity Provider's signing certificate into the Identity Provider Certificate field in the Nimsoft Service Desk application. You need the following information to configure Single Sign-On in Nimsoft Service Desk.

Authorization Domain: Nimsoft Service Desk uses this value to determine which customer the user belongs to. You can enter any valid domain name; it is recommended that you use your email domain name. Important! The Authorization Domain name has to be unique within each instance of Nimsoft Service Desk; no two companies using Nimsoft Service Desk in SaaS mode can have the same Authorization Domain name. The value also becomes part of the metadata and response URLs of your instance.

Identity Provider Login URL: the URL to which Nimsoft Service Desk sends SAML authentication requests. The usual endpoints are:
- Active Directory Federation Services: https://servername.domain/adfs/ls/
- Novell Access Manager: https://servername.domain/nidp/saml2/sso

Identity Provider Logout URL: the URL to which the user is directed when logging out of Nimsoft Service Desk or when the session times out. This should be a page on your own server that asks the user to log out fully or to log in to Nimsoft Service Desk again. This field is optional and can be left blank.

Identity Provider Certificate: the signing certificate exported from the Identity Provider, that is, the Token-Signing Certificate you exported to a file before starting the Nimsoft Service Desk configuration. Copy the certificate in its entirety and paste it into this field. The certificate is saved as a Base64 encoded (.cer) file from Active Directory Federation Services 2.0 or as a PEM file from Novell Access Manager. Nimsoft Service Desk trusts exactly this certificate, so when the Identity Provider's signing certificate is renewed the new certificate must be exported and pasted here again.
You can configure SAML 2.0 Single Sign-On in Nimsoft Service Desk from the Manage Configuration form in Application Setup. Follow these steps:
1. Log in to the Nimsoft Service Desk application using Administrator credentials.
2. Click Application Setup > Manage Configurations in the navigation menu. The Manage Configurations form is displayed.
3. Click the Single Sign On tab in the Manage Configuration form. The Single Sign-On form is displayed.
4. Check the Enable SAML Single Sign On checkbox. Important! Ensure that you check this checkbox; otherwise the other settings are not recognized by the application.
5. Specify a valid domain name in the Authorization Domain field, for example testdomain.com.
6. Specify the URL of your Identity Provider's SAML endpoint in the Identity Provider Login URL field. This is where Nimsoft Service Desk sends SAML requests.
7. (Optional) Specify the URL to redirect to on logout in the Identity Provider Logout URL field.
8. Open the Identity Provider Certificate file that you exported from the Identity Provider in any standard text editor. Copy the certificate in its entirety, including the BEGIN CERTIFICATE and END CERTIFICATE lines, and paste it into the Identity Provider Certificate field.
9. Click Apply Changes to save the settings.

SAML Single Sign-On configuration in Nimsoft Service Desk is now complete.
Once Single Sign-On is configured in Nimsoft Service Desk, the service-provider metadata becomes available at the following location, where domainname is the Authorization Domain you configured:
https://nsd.nimsoftondemand.com/servicedesk/sso/metadata/domainname
You can download the metadata from this location and save it as an XML file in an appropriate location (as shown below). The XML file can be opened in any editor such as Notepad to copy the details for adding Nimsoft Service Desk as a Trusted Partner in the Identity Provider.

Add Nimsoft Service Desk as Trusted Service Provider in the Identity Provider

To complete the exchange of metadata between Nimsoft Service Desk and the Identity Provider, the metadata from Nimsoft Service Desk has to be added to the Identity Provider to build the federated trust. This enables the Identity Provider to recognize SAML requests coming from Nimsoft Service Desk as valid and to authenticate the login request. To configure this portion of the trust, you must have the metadata downloaded from Nimsoft Service Desk after configuring SAML Single Sign-On. Instructions for adding Nimsoft Service Desk as a trusted partner in Active Directory Federation Services (AD FS) 2.0 and in Novell Access Manager are given in the following sections.
Active Directory Federation Service 2.0: Add Relying Party Trust

You can add Nimsoft Service Desk as a trusted service provider in Active Directory Federation Services 2.0 by adding a Relying Party Trust. Follow these steps:
1. Log into the Identity Provider server and click Administrative Tools > AD FS 2.0 Management. The AD FS 2.0 window is displayed.
2. Right-click Relying Party Trusts in the AD FS 2.0 window and select Add Relying Party Trust. The Add Relying Party Trust Wizard is displayed. You can review the introduction before proceeding.
3. Click Start. The Select Data Source page is displayed. You can import the relying party data online or from a file.
4. Select the import mode and the location of the metadata:
   - To import by host name or URL, select "Import data about the relying party published online or on a local network" and enter the following in Federation metadata address (host name or URL): https://hostname:port/servicedesk/sso/metadata/domainname
   - To import from a file, select "Import data about the relying party from a file", click Browse, go to the location where the metadata from Nimsoft Service Desk is saved, and select the XML file containing the metadata from the Single Sign-On configuration in Nimsoft Service Desk.
5. Click Next. The Specify Display Name page is displayed.
6. Specify an appropriate display name for the relying party, for example Nimsoft Service Desk.
7. (Optional) Provide any relevant information in the Notes field to distinguish this relying party.
8. Click Next. The Choose Issuance Authorization Rules page is displayed.
9. Select Permit all users to access this relying party and click Next. The Ready to Add Trust page is displayed. Check the following settings for the Relying Party Trust before proceeding:
   - Click the Endpoints tab to review the endpoint settings. If the XML file has been read correctly, there is an entry for Nimsoft Service Desk on the Endpoints tab. This is the endpoint to which the SAML response is posted once the user has been authenticated by the Identity Provider. Note: Make sure that the endpoint shows https://hostname:port/servicedesk/sso/response/authorizationdomainname.
   - Click the Advanced tab to review the secure hash algorithm used for the relying party trust. Ensure that the Secure hash algorithm value is SHA-1. Note: If it is not SHA-1, select SHA-1 from the drop-down (if the wizard does not allow the change, open the trust's Properties > Advanced after the wizard finishes). AD FS 2.0 creates new trusts with SHA-256 by default; the value set here is the algorithm AD FS uses to sign tokens for this trust, and it has to be one this release of Nimsoft Service Desk can validate, otherwise every login fails the signature check and the user is told that the credentials are invalid.
10. Click Next. The Finish page is displayed. The Relying Party Trust has now been configured and Nimsoft Service Desk has been added as a trusted service provider in Active Directory Federation Services 2.0.
11. Check the "Open the Edit Claim Rules dialog for this relying party trust when the wizard closes" checkbox. This displays the dialog needed to set the attribute used to identify a user.
12. Click Close. The Add Relying Party Trust wizard closes and the Edit Claim Rules dialog is displayed. You can now add the attribute that will be used to identify the user and complete the configuration.
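One way to check the downloaded metadata before importing it into either Identity Provider, as an added example (Python; not AD FS, Novell Access Manager or Nimsoft Service Desk code): it parses SAML 2.0 service-provider metadata, whether fetched from .../servicedesk/sso/metadata/domainname or read from the saved Domainname.XML, and verifies what the Endpoints tab check in step 9 is looking for, an HTTP-POST AssertionConsumerService at https://hostname:port/servicedesk/sso/response/authorizationdomainname over HTTPS. The sample metadata, the host nsd.example.com and the domain example.com are constructed for the example; the real document served by Nimsoft Service Desk will differ in detail, and the WantAssertionsSigned check reflects what a relying party should advertise rather than a documented property of that file.

```python
"""Check Nimsoft Service Desk service-provider metadata before importing it.

Added example, not code from this guide or from either identity provider.
"""
import urllib.request
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def expected_acs_url(hostname, authorization_domain):
    """Endpoint the identity provider must POST the SAML response to (hostname may include :port)."""
    return "https://%s/servicedesk/sso/response/%s" % (hostname, authorization_domain)


def fetch_metadata(url):
    """Download the metadata document (online path; the offline run below uses the sample)."""
    with urllib.request.urlopen(url) as resp:
        return resp.read()


def check_sp_metadata(xml_bytes, hostname, authorization_domain):
    """Return a list of problems; an empty list means the metadata is as expected."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % MD:
        return ["root element is %s, not md:EntityDescriptor" % root.tag]
    sp = root.find("{%s}SPSSODescriptor" % MD)
    if sp is None:
        return ["no SPSSODescriptor: this is not service-provider metadata"]

    problems = []
    if not root.get("entityID"):
        problems.append("EntityDescriptor has no entityID")
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        problems.append("WantAssertionsSigned is not true")

    endpoints = sp.findall("{%s}AssertionConsumerService" % MD)
    if not endpoints:
        problems.append("no AssertionConsumerService endpoint")
    want = expected_acs_url(hostname, authorization_domain)
    for ep in endpoints:
        location = ep.get("Location", "")
        if ep.get("Binding") != HTTP_POST:
            problems.append("%s does not use the HTTP-POST binding" % location)
        if not location.startswith("https://"):
            problems.append("%s is not an HTTPS endpoint" % location)
        if location != want:
            problems.append("%s does not match the expected %s" % (location, want))
    return problems


# Constructed sample, standing in for the metadata downloaded from Nimsoft Service Desk.
SAMPLE_METADATA = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://nsd.example.com/servicedesk/sso/metadata/example.com">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://nsd.example.com/servicedesk/sso/response/example.com"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(check_sp_metadata(SAMPLE_METADATA, "nsd.example.com", "example.com"))   # []
    print(check_sp_metadata(SAMPLE_METADATA, "nsd.example.com", "other.com"))     # endpoint mismatch
```

Run it against the file you are about to import, with the host name and Authorization Domain you configured; an empty list means the Endpoints tab in AD FS, or the Trusted Provider in Novell Access Manager, will show the expected response endpoint. A mismatch usually means the Authorization Domain in Nimsoft Service Desk was changed after the metadata was downloaded.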
Novell Access Manager: Manage Trusted Provider

You can add Nimsoft Service Desk as a trusted service provider in Novell Access Manager by adding it to the Trusted Providers list. Follow these steps:
1. Log in to the Novell iManager Administration Console and, under the Access Manager option, select Identity Servers. The Servers tab displays a list of Identity Server clusters.
2. Click Edit to edit the cluster entry. The cluster configuration is displayed.
3. In the cluster configuration, select the SAML 2.0 tab. The SAML 2.0 tab displays the existing Trusted Providers. You add Nimsoft Service Desk as a Trusted Provider to this list.
4. Click New and, from the options displayed (Identity Provider/Service Provider), select Service Provider. The Create Trusted Service Provider screen is displayed. Provide the following information:
   Name: a name that logically identifies the Nimsoft Service Desk instance you are configuring as a Service Provider, for example Nimsoft Service Desk - Production.
   Source: how the metadata is provided. Choose from the drop-down list: Metadata URL or Metadata Text. Choose Metadata URL if the Nimsoft Service Desk instance is directly accessible from the Identity Provider server; the Nimsoft Service Desk metadata is available at https://nsd.nimsoftondemand.com/servicedesk/sso/metadata/domainname (domainname being the Authorization Domain). Choose Metadata Text if you wish to paste the metadata text.
   Text: the metadata from the XML file that you saved after configuring Single Sign-On in Nimsoft Service Desk. Using any text editor, copy the XML completely and paste it into this field.
5. Click Next. The configuration details are displayed; review them to confirm all details.
6. Click Finish to complete adding Nimsoft Service Desk as a Trusted Service Provider. You are returned to the SAML 2.0 tab and Nimsoft Service Desk appears in the Service Providers section of the Trusted Providers list. For the changes to take effect on the Identity Provider server, you have to update the Identity Server.
7. Click Identity Servers under Access Manager to return to the Identity Server screen and click Update All to apply the configuration.

Nimsoft Service Desk is now recognized as a Trusted Service Provider by the Novell Access Manager Identity Provider. You can now add the attribute that will be used to identify the user and complete the configuration.
Configure Identity Provider to send User Identifier as Name ID

After configuring the Identity Provider and Nimsoft Service Desk to trust each other's assertions and requests, the next step is to establish the part of the SAML assertion that identifies the user (the Subject's Name ID, and any attribute statement). This requires setting up an attribute that is used to identify the user. Different applications use different attributes to identify a user. For the Identity Provider to know which user is trying to access Nimsoft Service Desk, and for Nimsoft Service Desk to know which user has been authenticated, the user identifier attribute has to be mapped on both Nimsoft Service Desk and the Identity Provider. Choose an identifier that is unique to each user, such as the User Principal Name or the email address.

Note: If you have used Contact Synchronization to synchronize user data from your directory server to Nimsoft Service Desk, the Name Identifier is typically the field that has been mapped to the user name in Nimsoft Service Desk. Whatever attribute you choose, the value sent as Name ID must match the Nimsoft Service Desk user name exactly, and it should be an attribute the user cannot edit, since whoever controls that value is logged in as that Nimsoft Service Desk user.

Instructions for configuring the Identity Provider to send the User Identifier for Microsoft Active Directory Federation Services (AD FS) 2.0 and for Novell Access Manager are given below in the respective sections.

Active Directory Federation Service: Add Claim Rules

When you exit the Add Relying Party Trust wizard with the "Open the Edit Claim Rules dialog for this relying party trust when the wizard closes" checkbox checked, the Edit Claim Rules form is displayed. In this form you configure Active Directory Federation Services to send the User Principal Name as Name ID. Follow these steps:
1. Click Add Rule on the Issuance Transform Rules tab. The Add Transform Claim Rule wizard is displayed and prompts you to select a rule template.
2. Choose a rule template from the Claim rule template drop-down. It is recommended that you use Send LDAP Attributes as Claims.
3. Click Next. The Configure Rule page is displayed.
4. Configure the claim rule by providing the following information:
   Claim rule name: the name that identifies the claim rule, for example Send UPN as Name ID.
   Attribute store: the location of the attribute store, chosen from the drop-down list, for example Active Directory.
   Mapping of LDAP attributes to outgoing claim types: select the LDAP attribute and the corresponding outgoing claim type from the drop-down lists, for example LDAP Attribute User-Principal-Name and Outgoing Claim Type Name ID.
5. Click Finish. The transform claim rule is configured and the Edit Claim Rules window is displayed; the rule you configured is listed on the Issuance Transform Rules tab.
6. Click Apply and then OK to complete the setup.

This completes the configuration of Single Sign-On for Nimsoft Service Desk with Active Directory Federation Services (AD FS) 2.0 as the Identity Provider.
Novell Access Manager: Create Attribute Set for Trusted Provider

You have to create an Attribute Set in Novell Access Manager to send identity attributes to Nimsoft Service Desk as part of the SAML assertion. You configure the Attribute Set from the Shared Settings of the Identity Server. Follow these steps:
1. Log in to the Novell iManager Administration Console and, under the Access Manager option, select Identity Servers.
2. Click the Shared Settings tab. Any attribute set previously created is displayed. You can create a new Attribute Set from this form.
3. Click New. The Create Attribute Set screen is displayed.
4. Specify the following information in the Create Attribute Set screen:
   Set Name: the name that identifies which service provider the attribute set is used for, for example NSD Attribute.
   Select set to use as template: choose a template from the drop-down. Default: None.
   This document uses mapping the email address (the mail attribute) as the Name ID in the SAML response as its example.
5. Click Next. You are prompted to define attributes.
6. Click New. The Add Attribute Mapping lookup is displayed.
7. Choose the Local Attribute option and select LDAP Attribute: mail [LDAP Attribute Profile] from the drop-down list.
8. (Optional) Specify a Remote Attribute.
9. Select the Remote namespace and Remote format. You can leave Remote namespace as None and Remote format as Unspecified.
10. Click OK. The settings are saved.
11. Click Finish.
You can now associate the attribute set with Nimsoft Service Desk in Novell Access Manager and configure it so that the attributes are sent to Nimsoft Service Desk in the SAML assertions. Open the Nimsoft Service Desk entry you created under Trusted Providers.
12. Click Attributes on the Configuration tab. Here you choose which of the available attributes are sent with authentication.
13. Click the Attribute set drop-down list and select the attribute set you defined earlier (for example NSD Attribute). The LDAP Attribute: mail [LDAP Attribute Profile] that you selected when configuring the Attribute Set is displayed in the Available list.
14. Select the attribute and use the blue arrow to move it to the Send with authentication list. The attribute is now listed under Send with authentication.
15. Click Apply. The attribute to be sent has now been set.
16. Click the Authentication Response tab in the configuration form. You need to set the correct binding in this form.
17. Click the drop-down in the Binding field and select Post. Nimsoft Service Desk expects the SAML response in an HTTP POST, as described in the Introduction. Now you can set the Name Identifier Format default value.
18. Select the Default radio button for Unspecified and select LdapAttribute:mail [LDAP Attribute Profile] from the drop-down menu.
19. Click Apply. The screen displays the attributes mapped between Nimsoft Service Desk and Novell Access Manager.
For the changes to take effect, you need to update the Identity Server.
20. Click Identity Servers in the Administration Console and select Update All to apply the configuration.

Configuration of Single Sign-On for Nimsoft Service Desk with Novell Access Manager as the Identity Provider is now complete.