2.3 Configuring Identity Servers Clusters

1. Go to cfg > slb > adv > direct.

2. Specify e to enable direct access mode.

1. Click Devices > Identity Servers .

2. Under the Servers tab, select Identity Server, and then click New Cluster.

3. Specify a name for the cluster configuration.

   If you did not select the server in the previous step, you can now select required servers. For information about assigning servers to a configuration, see Assigning an Identity Server to a Cluster Configuration.

4. Click OK.

5. Specify the following details:

   Field	Description
   Name	Specify a name for the cluster. This field is populated with the name you provided in the New Cluster dialog box. You can change this name here, if necessary. IMPORTANT:Determine your settings for the base URL, protocol, and domain. After you configure trust relationships between providers, changing these settings invalidates the trust model and requires a reimport of the provider’s metadata. Modifying the base URL also invalidates the trust between Embedded Service Provider (ESP) of Access Manager devices. To re-establish the trust after modifying the base URL, you must restart ESP on each device.
   Base URL	Specify the application path for Identity Server. Identity Server protocols rely on this base URL to generate URL endpoints for each protocol. Protocol: Select the communication protocol. Specify HTTPS to run securely (in the SSL mode) and for provisioning. Use HTTP only if you do not require security or have installed an SSL terminator in front of Identity Server. Domain: Specify the DNS name assigned to Identity Server. When you are using an L4 switch, this DNS name must resolve to the virtual IP address set up on the L4 switch for Identity Servers. Using an IP address is not recommended. Port: Default ports are 8080 for HTTP or 8443 for HTTPS. If you want to use port 80 or 443, specify the port here. Configure the operating system to translate the port. See Translating Identity Server Configuration Port in the NetIQ Access Manager 5.0 Installation and Upgrade Guide. Application: Specify Identity Server application. Leave the default value nidp.
   SSL Certificate	Displays the currently assigned SSL certificate. Identity Server comes with a test-connector certificate that you must replace to use SSL in your production environment. You can replace the test certificate now or after you configure Identity Server. You must restart Tomcat whenever you assign an Identity Server to a configuration and whenever you update a certificate key store. See Managing the Keys, Certificates, and Trust Stores. For information about how to replace the test-connector certificate, see Section 20.0, Enabling SSL Communication.

6. To configure session limits, specify the following details:

   Field	Description
   LDAP Access	Specify the maximum number of LDAP connections Identity Server can create to access the configuration store. You can adjust this value for system performance.
   Default Timeout	Specify the session timeout you want assigned as a default value when you create a contract. This value is also assigned to a session when Identity Server cannot associate a contract with the authenticated session. During federation, if the authentication request uses a type rather than a contract, Identity Server cannot always associate a contract with the request.
   Limit User Sessions	Specify whether user sessions are limited. If selected, you can specify the maximum number of concurrent sessions a user is allowed to authenticate. To limit user sessions, consider the session timeout value (the default is 60 minutes). If the user closes the browser without logging out (or an error causes the browser to close), the session is not cleared until the session timeout expires. If the user session limit is reached and those sessions have not been cleared with a logout, the user cannot log in again until the session timeout expires for one of the sessions. When you enable this option, it affects performance in a cluster with multiple Identity Servers. When a user is limited to a specific number of sessions, Identity Servers must check with the other servers before establishing a new session.
   Deleting Previous User Sessions	You can configure Identity Server to delete the previous user sessions if the number of open sessions reaches the maximum limit of allowed sessions that you have specified in Limit User Sessions. Set the DELETE OLD SESSIONS OF USER option to true and restart Identity Server. For information about configuring this option, see Configuring Identity Server Global Options. Previous sessions are cleared across Identity Server clusters only when a fresh authentication request comes in. When Identity Server deletes previous user sessions, it sends a logout request to the service provider through the SOAP back channel. For example, a user is accessing a protected resource from a machine and wants to access the same protected resource from another device. Identity Server will not give access to the user if the Limit User Sessions has reached a maximum limit. Identity Server must terminate the old session of the user so that the user can access the new session seamlessly.
   Allow multiple browser session logout	Specify whether a user with more than one session to the server is presented with an option to log out of all sessions. If you do not select this option, only the current session can be logged out. Deselect this option in instances where multiple users log in as guests. Then, when one user logs out, none of the other guests are logged out. When you enable this option, restart all ESP that use this Identity Server configuration.

7. To configure TCP timeouts, specify the following details:

   Field	Description
   LDAP	Specify the duration that an LDAP request to the user store can take before timing out.
   Proxy	Specify the duration that a request to another cluster member can take before timing out. When a member of a cluster receives a request from a user who has authenticated with another cluster member, the member sends a request to the authenticating member for information about the user.
   Request	Specify the duration that an HTTP request to an application can take before timing out.

8. Select the required protocols.

   IMPORTANT:Enable only the required protocols. If you are using Access Gateway, enable Liberty. Else, the trusted relationship of Access Gateway and Embedded Service Provider with Identity Server is disabled, and authentication fails.

   • Liberty: Uses a structured version of SAML to exchange authentication and data between trusted identity providers and service providers and provides the framework for user federation.

   • SAML 1.1: Uses XML for exchanging authentication and data between trusted identity providers and service providers.

   • SAML 2.0: Uses XML for exchanging encrypted authentication and data between trusted identity providers and service providers and provides the framework for user federation.

   • WS Federation: Allows disparate security mechanisms to exchange information about identities, attributes, and authentication.

   • WS-Trust: Allows secure communication and integration between services by using security tokens.

   • OAuth & OpenID Connect: Allows Identity Server to act as an authorization server to issue access token to a client application based on user’s grant.

9. Click Next.

10. Specify the following details:

    • Name: The name of the organization.

    • Display Name: The display name for the organization.

    • URL: The organization’s URL for contact purposes.

    Company, First Name, Last Name, Email, Telephone, and Contact Type are optional fields.

    IMPORTANT:The information you specify on this page is published in the metadata for Liberty 1.2 and SAML. The metadata is traded with federation partners and supplies various information regarding contact and organization information located at Identity Server.

11. Click Next to configure the user store.

    You must reference your own user store and auto-import the SSL certificate. See Section 2.2, Configuring Identity User Stores for information about this procedure.

    After you configure a user store, the system displays the new configuration on the Servers page.

1. Click Devices > Identity Servers.

2. On the Servers page, select the server’s check box.

3. Click Actions > Assign to Cluster.

4. Select the configuration’s check box, then click Assign.

   Restart Tomcat. The status icon for Identity Server must turn green. It might take several seconds for Identity Server to start and for the system to display the green icon.

1. Click Devices > Identity Servers > [Identity Server cluster].

2. Click IDP Failover Peer Server Count, then select the number of failover peers for each Identity Server.

   • To disable this feature, select 0.

   • To enable this feature, select one or two less than the number of servers in your cluster. For example, if you have four servers in your clusters and you want to allow for one server being down for maintenance, select 3 (4-1=3). If you want to allow for the possibility of two servers being down, select 2 (4-2=2).

     If you have eight or more servers in your cluster, the formula 8-2=6 gives each server 6 peers. In a larger cluster, you must limit the number of peers to 2 or 3. If you select too many peers, your machines require more memory to hold the session data and slow down your network with the additional traffic for the session information.

3. Click OK.

1. Click Devices > Identity Servers > [name of the cluster configuration].

   The Cluster Details page contains the following tabs:

   • Details: To modify the cluster name or its settings, click Edit, then continue with Step 2.

   • Health: Click to view the health of the cluster.

   • Alerts: Click to view the alerts generated by members of the cluster.

   • Statistics: Click to view the statistics of the cluster members.

2. Modify the following details as required:

   Field	Description
   Cluster Communication Backchannel	Specify a communications channel over which the cluster members maintain the integrity of the cluster. For example, this TCP channel is used to detect new cluster members as they join the cluster, and to detect members that leave the cluster. A small percentage of this TCP traffic is used to help cluster members determine which cluster member can handle a request more efficiently. This back channel must not be confused with the IP address/port over which cluster members provide proxy requests to peer cluster members. Port: Specify the TCP port of the cluster back channel on all Identity Servers in the cluster. 7801 is the default TCP port. Encrypt: Encrypts the content of the messages that are sent between cluster members.
   Level Four Switch Port Translation	Configure the L4 switch to translate the port of the incoming request to a new port when the request is sent to a cluster member. Because the cluster members communicate with each other over the same IP address/port as the L4 switch, the cluster implementation needs to know what that port is. The translated port is the port on the cluster members where other cluster members can contact it. This is the IP address and port where cluster members provide proxy requests to other cluster members. Port translation is enabled on switch: Specify whether the port of the L4 switch is different from the port of the cluster member. For example, enable this option when the L4 switch is using port 443 and Identity Server is using port 8443. Cluster member translated port: Specify the port of the cluster member.
   IDP Failover Peer Server Count	For configuration information, see Configuring Session Failover.

3. Click OK and then update Identity Server when prompted.

1. Click Devices > Identity Servers.

2. Select the server, then click Stop. Wait for the Health indicator to turn red.

3. Select the server and then choose Actions > Remove from Cluster.

1. Click Devices > Identity Servers > Edit.

2. In the Enabled Protocols section, select the required protocols to enable.

3. To disable a protocol, deselect it.

4. Click OK.

5. (Conditional) If you have enabled a protocol, update Identity Server.

6. (Conditional) If you have disabled a protocol, stop and start Identity Server.

   1. Select Identity Server and click Stop.

   2. When the health turns red, select Identity Server, and click Start.

   3. Repeat the process for each Identity Server in the cluster.

1. Click Devices > Identity Servers > Edit.

2. Change the protocol, domain, port, and application settings, as necessary.

3. Click OK.

4. On the Identity Servers page, click Update.

   This re-creates the trusted Identity Server configuration to use the new base URL and metadata.

5. Restart Tomcat on each Identity Server in the configuration:

   Specify one of the following commands:

   /etc/init.d/novell-idp restart

   systemctl restart -idp

   For the Docker deployment, perform the following steps:

   1. Run the kubectl get pods command to view the Access Manager pods.

   2. Go to the Identity Server pod by running the kubectl exec --namespace <name-of-the-namespace> -it pod/<name-of-the-identity-server-pod> -- sh command.

   3. Run the /etc/init.d/novell-idp restart or systemctl restart -idp command.

6. For each Access Manager device configured to trust the configuration of this modified base URL, you must update the device so that the Embedded Service Provider trusts the new Identity Server configuration:

   Click Access Gateways, then click Update for any servers with a Status of Update.

7. For each service provider you have configured to trust the configuration of this modified base URL, you must send them the new metadata and have them re-import it.

Perform the following steps to configure user attributes:

1. Click Devices > Identity Servers > Edit > Authentication API.

2. In Attribute Set, select the required attribute set.

   For information about attribute set, see Configuring Attribute Sets.

3. Select the required attributes from the Available Attributes list and move them to Selected Attributes.

4. Click Save > Close.

1. Click Devices > Identity Servers > Edit > Options > New.

2. Set the following properties based on your requirement:

   Property	Value
   ALLOW AUTH POLICY EXECUTION	Select false to disable Identity Server to execute authorization policies. The default value is true. For example, see Executing an Authorization-based Role Policy During SAML 2.0 Service Provider Initiated Request.
   ALLOW GRACE LOGIN FOR EXPIRING PASSWORD (Access Manager 5.0 Service Pack 1 and later)	When the value is set to true, users get grace logins when their password is about to expire. By default, the property is set to true on all Identity Server clusters. Select false if you do not want users to get a grace login for an expiring password. In case of Active Directory, this option works when the pwdlastset attribute has a zero value (pwdlastset=0) in the user store. This means users must change their password at the next login. If you set this option to false, the user will not be redirected to Password Management Servlet (if configured).
   CHECK ACTIVE CLUSTER MEMBERS FOR PROXY (Access Manager 5.0 Service Pack 1 and later)	Select true to enable verifying whether the incoming cluster cookie for Identity Server refers to an active node of the cluster. By default, this option is set to false.
   CLUSTER COOKIE DOMAIN	Set this property to change the domain attribute of Identity Server cluster cookie. For example, see Configuring X.509 Authentication to Display the Access Manager Error Message.
   CLUSTER COOKIE PATH	Set this property to change the Path attribute for Identity Server cluster cookie. The default value is /nidp. For example, see Configuring X.509 Authentication to Display the Access Manager Error Message.
   CRL REFRESH INTERVAL DAYS (Access Manager 5.0 Service Pack 1 and later)	Access Manager caches the Certificate Revocation Lists (CRL) used in X.509 Authentication. Specify the duration in days after that you want the CRL to be refreshed in the CRL cache.
   DECODE RELAY STATE PARAM	Select true to enable the relay state URL decoding. The default value is false.
   DELETE OLD SESSIONS OF USER	Select true to enable Identity Server to delete the previous user sessions if the number of open sessions reaches the maximum limit of allowed sessions that you have specified in Limit User Sessions. The default value is false.
   HTTP ONLY CLUSTER COOKIE	Select false to disable the HTTPOnly flags for Identity Server cluster cookies. The default value is true. For example, see Enabling Secure or HTTPOnly Flags for Cluster Cookies.
   HTTP POPULATE LOGINNAME FROM SAML AUTH REQUEST	Select true to auto-populate the email ID on the Identity Server login page for a SAML 2.0 authentication. The default value is false. For more information, see Auto-Populating the Username on the Identity Server Login Page.
   HTTP POPULATE PARSED LOGINNAME FROM SAML AUTH REQUEST	Select true to auto-populate the username instead of the entire email ID on the Identity Server login page for a SAML 2.0 authentication. For example, to populate steve.smith instead of steve.smith@example.com. The default value is false. For more information, see Auto-Populating the Username on the Identity Server Login Page.
   HTTP POPULATE LOGINNAME FROM WSFED AUTH REQUEST	Select true to auto-populate the email ID on the Identity Server login page for a WS-Fed authentication request. The default value is false.
   HTTP POPULATE PARSED LOGINNAME FROM WSFED AUTH REQUEST	Select true to auto-populate the username instead of the entire email ID on the Identity Server login page for a WS-Fed authentication. For example, to populate steve.smith instead of steve.smith@example.com. The default value is false.
   IS SAML2 POST INFLATE	Select true to enable Identity Server to receive deflated SAML 2.0 POST messages from its trusted providers. The default value is false. You can configure post binding to be sent as a compressed option by configuring this property. For example, see the note in Step 4.
   IS SAML2 POST SIGN RESPONSE	Select true to enable the identity provider to sign the entire SAML 2.0 response for all service providers.
   SAML2 ISSUER FORMAT	Select true to add the Format attribute in saml:Issuer element. Add /opt/novell/nids/lib/webapp/WEB-INF/classes/nidpconfig.properties file on each Identity Server in the cluster.
   SAML2 ISSUER NAME QUALIFIER	Select true to add the Name Qualifier attribute in saml:Issuer element.Add /opt/novell/nids/lib/webapp/WEB-INF/classes/nidpconfig.properties file on each Identity Server in the cluster.
   LOGIN CSRF CHECK	Select true to enable Cross-Site Request Forgery (CSRF) check for the Password Class and TOTP Class. This is applicable for Access Manager default pages. If you have modified any page, you must add the CSRF token to the page. To add the CSRF token, add the following: JAVA: <% String sid = request.getParameter("sid")!=null ? request.getParameter(NIDPConstants.SID) : (String)request.getAttribute(NIDPConstants.SID); NIDPSessionData sData = NIDPContext.getNIDPContext().getSession(request).getSessionData(sid); boolean csrfCheckRequired = NIDPEdirConfigUtil.isConfigured(NIDPConfigKeys.LOGIN_CSRF_CHECK.name()) ? NIDPEdirConfigUtil.getValueAsBoolean(NIDPConfigKeys.LOGIN_CSRF_CHECK.name()) : false; %> HTML: <% if (csrfCheckRequired) { %> <input type="hidden" name="AntiCSRFToken" value=" <%=sData.getAntiCSRFToken()%>"> <% } %>
   OAUTH TOKENS IN BINARY FORMAT	Select true to send tokens in the binary format. By default, the value is set to false and tokens are sent in the JWT format. It is recommended to not use this property unless you have an existing client application that cannot manage a token larger than the existing binary token. NOTE:: When set to true, few features, such as token encryption using resource server keys and token revocation, will not be available.
   RENAME SESSION ID	Select false to prevent changing the session ID automatically. The default value is true.
   SAML1X ATTRIBUTE MATCH BY NAME	Select true to perform a strict check on the name space of the attributes received in the assertion. For example, see SAML 1.1 Service Provider Re-requests for Authentication.
   SAML2 ATTRIBUTE CONSUMING INDEX	This option can be used to identify globally the value of AttributeConsumingServiceIndex of SAML 2 authentication requests. If SAML2 ATTRIBUTE CONSUMING INDEX is not configured in SAML 2.0 options, Access Manager considers the SAML2 ATTRIBUTE CONSUMING INDEX configuration in Identity Server global options. If you require to assign the property values for multiple entries, you can use comma (,) as separator. Provide the value in the format specified in the following example: For protected resource URL: https://www.example.com:446/test/Test/test.php->2 In this example, the “2” is assigned to AttributeConsumingServiceIndex of SAML 2 authentication request coming from the protected resource. For default value: default->10 If the SAML 2 authentication request comes from the protected resource that is not configured, the default value 10 is assigned to AttributeConsumingServiceIndex. For multiple protected resource URLs: https://www.example.com:446/test/Test/test.php->2,https://www.example.com:446/test/Test/view.php->3
   SECURE CLUSTER COOKIE	Select false to disable the secure flags for cluster cookies. The default value is true. For example, see Enabling Secure or HTTPOnly Flags for Cluster Cookies.
   STS CHANGE ISSUER	Specify the value in this format: SPentityID:UPNDomain -> new IssuerID. For example, urn:federation:MicrosoftOnline:support.namnetiq.in -> https://namnetiq.in/nidp/wsfed/ In case of multiple children domains, add each parent domain and child domain separated by a comma. For example, if namnetiq.in is the parent domain and support.namnetiq.in and engineering.namnetiq.in are children domains, specify the following entries: urn:federation:MicrosoftOnline:namnetiq.in -> https://namnetiq.in/nidp/wsfed/, urn:federation:MicrosoftOnline:support.namnetiq.in -> https://namnetiq.in/nidp/wsfed/, urn:federation:MicrosoftOnline:engineering.namnetiq.in -> https://namnetiq.com/nidp/wsfed/ For example, see Configuring Federation for Multiple Domains.
   STS OFFICE365 MULTI DOMAIN SUPPORT AUTO	Select true to enable users to access Office 365 services by using the Issuer URI specific to the domain they belong to. The default value is false. For example, see Creating Multiple Domains in Office 365 and Establishing Federation with Access Manager.
   USE DEVICE ID IN URN COOKIE (Access Manager 5.0 Service Pack 1 and later)	In an Access Manager environment with multiple Identity Servers and Access Gateways, a cluster cookie (UrnNovellNidpClusterMemberId) is automatically set for the serving node of the cluster. When requests come to Identity Server or Embedded Service Provider (ESP), this cookie is used by all nodes of the cluster to perform the proxying, if necessary. For higher security, enable this property to use hashing for the cookie value. false: The default setting. true: Enables this property for both Identity Server and ESP. IDP: Enables this property for Identity Server. To set up this property only for ESP, see USE_DEVICE_ID_IN_URN_COOKIE in Configuring ESP Global Options.
   WSF SERVICES LIST	Select full to enable users to access the Services page. Select 404 to return an HTTP 404 status code: Not Found. Select 403 to return an HTTP 403 status code: Forbidden. Select empty to return an empty services list. The default value is full. For example, see Blocking Access to the WSDL Services Page.
   WSFED ASSERTION VALIDITY	Specify the assertion validity time in second for WS Federation Provider (SP) to accommodate clock skew between the service provider and SAML identity provider. The default value is 1800 seconds. For example, see Assertion Validity Window. NOTE:You can set the WSFED assertion validity time for each WS-Federation Service Provider where the default is 300.
   WSTRUST AUTHORIZATION ALLOWED ACTAS VALUES	Specify the user names who can perform ActAs operations. Allowed user names are the user accounts that the intermediate web service provider uses to authenticate with STS when sending a request with ActAs elements. You can specify more than one user name separated by a comma. For example, see Adding Policy for ActAs and OnBehalfOf.
   WSTRUST AUTHORIZATION ALLOWED ONBEHALF VALUES	Specify the user names who can perform OnBehalfOf operations. Allowed user names are the user accounts that the intermediate web service provider uses to authenticate with STS when sending a request with OnBehalfOf elements. You can specify more than one user name separated by a comma. For example, see Adding Policy for ActAs and OnBehalfOf.
   WSTRUST AUTHORIZATION ALLOWED VALUES	Specify the user names who can perform both ActAs and OnBehalfOf operations. You can specify more than one user name separated by a comma. For example, see Adding Policy for ActAs and OnBehalfOf.
   SESSION ASSURANCE USER AGENT EXCLUDE LIST	Specify the user-agent string for that you want to disable the session validation. For example, see Disabling Advanced Session Assurance for Identity Server.
   SESSION ASSURANCE USER AGENT REGEX EXCLUDE LIST	Specify the user-agent REGEX for that you want to disable the session validation. For example, see Disabling Advanced Session Assurance for Identity Server.
   SESSION ASSURANCE URL EXCLUDE LIST	Specify the URL for that you want to disable the session validation. For example, see Disabling Advanced Session Assurance for Identity Server.
   SESSION ASSURANCE URL REGEX EXCLUDE LIST	Specify the URL REGEX for that you want to disable the session validation. For example, see Disabling Advanced Session Assurance for Identity Server.
   SESSION ASSURANCE IDC COOKIE GRACEPERIOD	Specify the time in second till which Identity Server will accept the old IDC cookie after issuing a new cookie. The default value is 15 second.
   OTHER	Specify Property Name and Property Value if you want to configure any other property.
   NAM_DFP_KEYS_ENFORCE_STRICT	Click OTHER to configure this property. When Advanced Session Assurance is enabled, specify true to send session keys only the first time when the device information is fetched. Specify false to send session keys each time the device information is fetched. The default value is false.
   ENCODE_TARGET_URL_QUERY	Click OTHER to configure this property. When this option is set to true, the target URL query (SAML Request) is URL encoded. This option is set to true by default. When you set this option to false, the following will happen after authentication: The target URL query is not URL encoded The user is not redirected to the service provider The following message is displayed: <amLogEntry> 2018-08-20T17:00:18Z WARNING NIDS Application: Error during Inflate. Exception message: "It should be divisible by four"
   NMAS_SAML_SIGN_METHODDIGEST_SHA256	Click OTHER to configure this property. Set this option to true while using the NMAS SAML method. When set to true, it uses SHA265 algorithm for SAML 2 assertion. If this property is not configured or the value is set to false, SHA1 algorithm is used. The default value is false.
   persist_caches_on_reconfigure	Click OTHER to configure this property. After you update a configuration or reconfigure it, the user session details and read attributes get deleted from the cache. Set this option to true to retain the details after a configuration update.
   OAUTH_CLAIMS_TO_USE_LDAP_ATTR_FORMAT	Click OTHER to configure this property. Set this option to true to configure the OAuth claims data type according to the schema data type of the LDAP attribute. If the LDAP attribute data type is single-valued, the claims data is returned as a string. If the LDAP attribute data type is multi-valued, the claims data is returned as a string array irrespective of the value count. For example, let us assume that a client application uses the Authorization Code flow and sends the access token to the userinfo endpoint. Then you can choose the format of the token's attribute data type that will be returned. The following is an example of attributes when this property is not configured or set to false: "family_name": "Lastname" The following is an example of attributes when this property is set to true: "family_name": [ "Lastname" ] This option is set to false by default.
   OAUTH_REDIRECT_URL_EXACT_MATCH	Click OTHER to configure this property. Set this option to true. When set to true, it validates query parameters in the redirect URI registered with the OAuth client applications.
   OAUTH_PARAMETERS_ENCODE_BASE64	Click OTHER to configure this property. Set this option to true. When set to true, and state parameter is passed with “&” and redirect URI as URL encoded values in the request, the state parameter parses the “&” and gets decoded state value.
   ENCODE_AUTHZ_STATE_PARAMETER	Click OTHER to configure this property. Set this option to true. When set to true, and state parameter is passed with JSON value as URL encoded values in the request, the same state encoded JSON state value is received in the response.
   OIDC_PROTOCOL_COMPLIANCE	Click OTHER to configure this property. Set this option to true. When set to true, the attribute values in the token is received as Boolean. The following is an example of attributes when this property is set to true: email_verifed : true

3. Click OK > Apply.