NetIQ Access Manager 5.0 Administration Guide

    Configuring Access Manager
      Configuring Administration Console
        Configuring the Default View
          Changing the View
          Setting a Permanent Default View
        Managing Administration Console Session Timeout
        Managing Administrators
          Creating Multiple Admin Accounts
          Managing Policy View Administrators
          Managing Delegated Administrators
            Access Gateway Administrators
            Policy Container Administrators
              Adding Policy Container Administrators
              Removing Policy Container Administrators
            Delegated Administrators of Identity Servers
            Creating Users
          Changing Administrator’s Password
            Changing the Password of Administration Console Administrator
            Changing the Administration Password of the User Store Administrator
        Changing the IP Address of Access Manager Devices
          Changing the IP Address of Administration Console
          Changing the IP Address of Identity Server
          Changing the IP Address of Access Gateway Appliance
          Changing the IP Address of Access Gateway Service
          Changing the IP Address of Audit Server
        Mapping the Private IP Address to Public IP Address
          Creating a New NAT IP Address Mapping
          Removing a NAT IP Address Mapping
          Viewing the NAT IP Address Mapping
          Editing a NAT IP Address Mapping
      Setting Up a Basic Access Manager Configuration
        Prerequisites for a Basic Access Manager Setup
        Configuring Identity User Stores
          Using More Than One LDAP User Store
          Configuring the User Store
          Configuring an Admin User for the User Store
          Configuring a User Store for Secrets
            Configuring the Configuration Datastore to Store Secrets
            Configuring an LDAP Directory to Store the Secrets
            Configuring an eDirectory User Store to Use SecretStore
            Troubleshooting Secrets Storage
        Configuring Identity Servers Clusters
          Configuration Notes
            Services of the Real Server
            A Note about Service Configuration
            A Note about Radware Alteon Switches
          Prerequisites for Configuring an Identity Servers Cluster
          Managing a Cluster of Identity Servers
            Creating a Cluster Configuration
            Assigning an Identity Server to a Cluster Configuration
            Configuring a Cluster with Multiple Identity Servers
            Configuring Session Failover
            Editing Cluster Details
            Removing a Server from a Cluster Configuration
            Enabling and Disabling Protocols
            Modifying the Base URL
            Identity Server Authentication APIs
            Configuring Identity Server Global Options
        Configuring Identity Server Shared Settings
          Configuring Attribute Sets
          Editing Attribute Sets
          Adding Custom Attributes
            Creating Shared Secret Names
            Creating LDAP Attribute Names
          User Attribute Retrieval and Transformation
            How User Attribute Retrieval and Transformation Helps
            Managing a Data Source
              Creating a Data Source
              Editing a Data Source
            Managing an Attribute Source
              Creating an Attribute Source
              Editing an Attribute Source
            Managing a Virtual Attribute
              Creating a Virtual Attribute
              Editing a Virtual Attribute
            Retrieving Attributes from a REST Web Service
              Example for Using Input Parameter
              Response Parsing Functions
            Sample JavaScripts with Examples
            Troubleshooting User Attribute Retrieval and Transformation
            User Attribute Retrieval and Transformation Limitations
          Adding Authentication Card Images
          Creating an Image Set
          Metadata Repositories
            Creating Metadata Repositories
            Reimporting Metadata Repositories
          Configuring User Matching Expressions
          Configuring the Advanced Authentication Server
          Configuring Self Service Password Reset Server Details in Identity Server
        Configuring Access Gateway
          Configuring a Reverse Proxy
          Configuring a Public Protected Resource
          Configuring Access Gateway for Authentication
            Verifying Time Synchronization
            Enabling Trusted Authentication
          Setting Up Policies
        Access Gateways Clusters
          Prerequisites for Configuring an Access Gateways Cluster
          Designing the Membership Type for a Cluster
          Configuring a Cluster
          Managing Access Gateway Cluster Configuration
            Creating a New Cluster
            Managing Access Gateway Servers in the Cluster
            Managing Cluster Details
            Editing Cluster Details
            Changing the Primary Cluster Server
            Applying Changes to Access Gateway Cluster Members
              Reverting to a Previous Configuration
              Modifications Requiring an Update All
        Protecting Web Resources Through Access Gateway
          Configuration Options
          WebSocket Support
            Scaling WebSocket
            Accessing WebSocket Resources
            Verifying a WebSocket Connection
          Managing Reverse Proxies and Authentication
            Creating a Proxy Service
            Configuring a Proxy Service
            Modifying the DNS Setting for a Proxy Service
            Configuring ESP Global Options
          Configuring Web Servers of a Proxy Service
          Configuring Protected Resources
            Setting Up a Protected Resource
              Workaround If URL Rewriting Fails
              Understanding URL Path Matching
              Using a Query String in the URL Path
            Configuring an Authentication Procedure for Non-Redirected Login
            Assigning an Authorization Policy to a Protected Resource
            Assigning an Identity Injection Policy to a Protected Resource
            Assigning a Form Fill Policy to a Protected Resource
            Assigning a Timeout Per Protected Resource
            Assigning a Policy to Multiple Protected Resources
          Configuring HTML Rewriting
            Understanding the Rewriting Process
            Specifying DNS Names to Rewrite
              Determining Whether You Need to Specify Additional DNS Names
              Determining Whether You Need to Exclude DNS Names from Rewriting
            Defining the Requirements for the Rewriter Profile
              Types of Rewriter Profiles
              Page Matching Criteria for Rewriter Profiles
              Possible Actions for Rewriter Profiles
              String Replacement Rules for Word Profiles
              String Tokens
              String Replacement Rules for Character Profiles
              Using $path to Rewrite Paths in JavaScript Methods or Variables
            Configuring the HTML Rewriter and Profile
            Creating or Modifying a Rewriter Profile
            Disabling the Rewriter
              Disabling per Proxy Service
              Disabling per URL
              Disabling with Page Modifications
          Configuring Connection and Session Limits
            Configuring TCP Listen Options for Clients
            Configuring TCP Connect Options for Web Servers
            Configuring Connection and Session Persistence
            Configuring Web Servers
          Protecting Multiple Resources
            Using Multi-Homing to Access Multiple Resources
              Domain-Based Multi-Homing
              Path-Based Multi-Homing
              Virtual Multi-Homing
              Creating a Second Proxy Service
              Configuring a Path-Based Multi-Homing Proxy Service
            Setting Up a Group of Web Servers
              Configuring Web Servers at Cluster Level
              Configuring Web Servers at Member Level
            Managing Multiple Reverse Proxies
              Managing Entries in the Reverse Proxy List
              Changing the Authentication Proxy Service
        Configuring Trusted Providers for Single Sign-On
          Understanding the Trust Model
            Identity Providers and Consumers
            Embedded Service Providers
            Configuration Overview
          Configuring General Provider Settings
            Configuring the General Identity Provider Settings
            Configuring the General Identity Consumer Settings
            Configuring the Introductions Class
            Configuring IDP Select Class
            Configuring the Trust Levels Class
          Managing Trusted Providers
            Creating a Trusted Identity Provider
            Creating a Trusted Service Provider
          Modifying a Trusted Provider
          Communication Security
          Selecting Attributes for a Trusted Provider
            Configuring the Attributes Obtained at Authentication
            Configuring the Attributes Sent with Authentication
            Sending Attributes to the Embedded Service Provider
          Managing Metadata
            Viewing and Reimporting a Trusted Provider’s Metadata
            Viewing Trusted Provider Certificates
            Editing a SAML 2.0 Service Provider’s Metadata
            Editing a SAML 1.1 Identity Provider’s Metadata
            Editing a SAML 1.1 Service Provider’s Metadata
          Configuring User Identification Methods for Federation
            Defining User Identification for Liberty and SAML 2.0
              Selecting a User Identification Method for Liberty or SAML 2.0
              Configuring the Attribute Matching Method for Liberty or SAML 2.0
            Defining User Identification for SAML 1.1
              Selecting a User Identification Method for SAML 1.1
              Configuring the Attribute Matching Method for SAML 1.1
            Defining the User Provisioning Method
            User Provisioning Error Messages
          Configuring an Authentication Response for a Service Provider
          Routing to an External Identity Provider Automatically
          Using the Intersite Transfer Service
            Understanding the Intersite Transfer Service URL
            Specifying the Intersite Transfer Service URL for the Login URL Option
            Using Intersite Transfer Service Links on Web Pages
            Configuring an Intersite Transfer Service Target for a Service Provider
            Configuring Whitelist of Target URLs
            Validating Incoming Authentication Request for Assertion Consumer Service URL
            Federation Entries Management
            Step up Authentication Example for an Identity Provider Initiated Single Sign-On Request
            URL Query String Parameters
        Configuring Single Sign-On to Specific Applications
          Configuring SSO to SharePoint Server
            Configuring WS Federation Claims-based Authentication between Access Manager and SharePoint Server
              Exporting the Certificates
              Configuring SharePoint Server as a Service Provider
              Configuring SharePoint Server for Claims-based Authentication
            Configuring SharePoint Server as a Protected Resource
            Enabling Advanced Options for the Proxy Service
            Enabling Global Advanced Options
            Modifying the WS Federation Assertion Validity Time
            Configuring the Trusted Site in Internet Explorer
            Configuring Logout
          Configuring a Protected Resource for Outlook Web Access
            Configuring a Protected Resource for Outlook Web Access
            Configuring an Authentication Procedure
            Configuring a Rewriter Profile
            Configuring Identity Injection
            Configuring Form Fill
          Configuring a Protected Resource for a Novell Vibe 3.3 Server
            Configuring the Novell Vibe Server to Trust Access Gateway
            Configuring a Domain-Based Multi-Homing Service for Novell Vibe
              Configuring the Domain-Based Proxy Service
              Configuring Protected Resources
              Configuring a Rewriter Profile
            Creating a Pin List
          Configuring Access to the Filr Site through Access Manager
        Configuring a Protected Identity Server Through Access Gateways
      Setting Up an Advanced Access Manager Configuration
        Identity Server Advanced Configuration
          Managing an Identity Server
            Updating Identity Server Configuration
            Restarting Identity Server
          Editing Server Details
          Configuring the Custom Response Header for an Identity Server Cluster
        Customizing User Portal
          Getting Started
            Understanding JSP Files
            Types of JSP Files
            Detecting the Correct Mode for Java and JavaScript
            Enabling Impersonation in the Login Page
          Customizing the Identity Server Login Page
            Customizing the User Portal Page Title
            Customizing the Default Login Page to Prompt for Different Credentials
            Modifying the login.jsp File
            Customizing JSP Files
            Customizing the nidp_latest.jsp file
              Authentication Method (Cards) to be Displayed
              The URL to be Used for Populating the Content Area
              The Message to be Displayed
            Configuring Identity Server to Use Custom Login Pages
              Using Properties to Specify the Login Page
              Adding Logic to the main.jsp File
            Troubleshooting Tips for Custom Login Pages
          Customizing the Identity Server Logout Page
            Rebranding the Logout Page
            Replacing the Logout Page with a Custom Page
            Configuring for Local Rather Than Global Logout
            Customizing Logout Pages to Redirect Based on Parameters
          Customizing Identity Server Messages
            To Customize Identity Server Messages
            Customizing the Branding of the Error Page
              Customizing the Titles
              Customizing the Images
              Customizing the Colors
            Customizing Tooltip Text for Authentication Contracts
          Maintaining Customized Identity Server
          Examples for Customizing the User Portal Page Using Configuration Files
            Example 1
            Example 2
            Example 3
            Example 4
        Access Gateway Server Advanced Configuration
          Configuration Overview
          Saving, Applying, or Canceling Configuration Changes
          Managing Access Gateways Settings
            Viewing and Modifying Gateway Settings
            Status Options
            Impact of Configuration Changes
              Devices > Access Gateways
              Devices > Access Gateways > <your gateway/cluster> Services
              System Settings
              Monitoring
              Network Settings
              Security Settings
              Content Settings
            Scheduling a Command
          Managing General Details of Access Gateway
            Changing the Name of Access Gateway and Modifying Other Server Details
            Exporting and Importing an Access Gateway Configuration
              Exporting the Configuration
              Importing the Configuration
              Cleaning Up and Verifying the Configuration
          Setting Up a Tunnel
          Setting the Date and Time
          Configuring Network Settings
            Viewing and Modifying Adapter Settings
            (Access Gateway Appliance) Viewing and Modifying Gateway Settings
            (Access Gateway Appliance) Viewing and Modifying DNS Settings
            (Access Gateway Appliance) Configuring Hosts
            Adding a New IP Address to Access Gateway
            Adding New Network Interfaces to Access Gateway Appliance
          Enabling Access Gateway to Display Post-Authentication Message
        Customizing Access Gateway
          Maintaining a Customized Access Gateway
          Customizing Error Messages and Error Pages on Access Gateway
            Customizing and Localizing Access Gateway Error Messages
            Customizing the Error Pages
          Customizing Logout Requests
            Customizing Applications to Use Access Gateway Logout Page
            Customizing Access Gateway Logout Page
            Configuring the Logout Disconnect Interval
        Access Gateway Content Settings
          Configuring Cache Options
          Controlling Browser Caching
          Configuring a Pin List
          Configuring a Purge List
          Purging Cached Content
          Apache htcacheclean Tool
        Access Gateway Advanced Options
          Configuring Global Advanced Options
          Configuring Advanced Options for a Domain-Based and Path-Based Multi-Homing Proxy Service
        Cookie Mangling
        Configuring the HTTP/2 Protocol
        URL Attribute Filter
        Analytics Server Configuration
          Managing Analytics Server
          Managing General Details of Analytics Server
            Changing the Name of Analytics Server and Modifying Other Server Details
            Changing the IP Address and Applying Changes
          Managing Details of a Cluster
          Configuring Analytics Server
          Importing Analytics Server
        Email Server Configuration
        Managing User Portal
          Logging in to the Default User Portal
          Logging in with the Legacy Customized Portal
          Logging in to User Portal from a Web Application
          Managing Authentication Cards
          Specifying a Target
          Blocking Access to the Legacy User Portal Page
          Blocking Access to the WSDL Services Page
      Advanced File Configurator
        Managing Files: Older Approach versus Using Advanced File Configurator
        Managing Configuration Files
          Adding Configurations to a Cluster
          Exporting and Importing Configurations
            Exporting Configurations from a Cluster
            Importing Configurations
          Comparing Configuration Files
          Modifying Configurations
          Applying Configurations to Devices
          Downloading Files from a Server
          Untracking Configurations
          Removing Configurations
          Post-Upgrade Considerations
        Access Manager Configuration Files and Folders
        Example Configuration: Modifying web.xml to Manage Administration Console Session Timeout
        Example: Modifying server.xml to Configure the Encryption Level
      Configuring Authentication
        Authentication Framework
          Creating Authentication Classes
          Creating Custom Authentication Class to Obtain Unstored Transitional Data
          Configuring Authentication Methods
          Configuring Authentication Contracts
            Configuring Options for an Authentication Contract
            Using a Password Expiration Service
            Using Login Redirect URL Parameters
            Using Activity Realms
          Specifying Authentication Defaults
            Specifying Authentication Types
            Creating a Contract for a Specific Authentication Type
        Basic or Form-Based Authentication
          Configuring Basic or Form-Based Authentication
          Specifying Common Class Properties
            Query Property
            JSP Property
            MainJSP Property
            Enabling reCAPTCHA
              Prerequisites for reCAPTCHA
              Configuring Intrusion Detection for Failed Logins
              Setting Up a reCAPTCHA Account
              Configuring reCAPTCHA
        Kerberos Authentication
          Kerberos Privileged Attribute Certificate
          Prerequisites for Configuring Kerberos Authentication
          Configuring Active Directory
            Creating and Configuring the User Account for Identity Server
            Configuring the Keytab File
            Adding Identity Server to the Forward Lookup Zone
          Configuring Identity Server
            Enabling Logging for Kerberos Transactions
            Configuring Identity Server for Active Directory
            Creating the Authentication Class, Method, and Contract
            Creating the bcsLogin Configuration File
            Verifying the Kerberos Configuration
            (Optional) Excluding Kerberos Authentication for Specific IP Addresses
            (Optional) Configuring the Fall Back Authentication Class
            (Optional) Modifying the LDAP Query Parameter of the Kerberos Method
          Configuring the Clients
          Configuring Access Gateway for Kerberos Authentication
        RADIUS Authentication
        Mutual SSL (X.509) Authentication
          Configuring X.509 Authentication
          Configuring Attribute Mappings
          Restricting the X.509 Authentication to a Specific Certificate Authority
          Regular Expression for Extracting the Partial String from DN
          Setting Up Mutual SSL Authentication
            Customizing Certificate Errors
          Configuring X.509 Authentication to Display the Access Manager Error Message
            Configuring a Dual Connector Setup in a Single-Node Identity Server Environment
            Configuring a Dual Connector Setup in a Multi-Node Identity Server Environment
        Passwordless Authentication
        Social Authentication
          Why and When to Use Social Authentication
          Prerequisites for Social Authentication
          Configuring the Social Authentication Class
          How Social Authentication Works With Access Manager
          Adding Images for Social Authentication Providers
          Changing the Default Icons of Social Authentication Providers
          Configuring Supported Social Authentication Providers for API Keys and API Secrets
            Integrating Access Manager with Facebook
            Integrating Access Manager with LinkedIn
            Integrating Access Manager with Twitter
            Integrating Access Manager with Google+
            Integrating Access Manager with Itsme
        Risk-based Authentication
          Introduction to Risk-Based Authentication
            Why Risk-based Authentication
            Features of Risk-based Authentication
            Risk-Based Authentication Key Terms
            How Risk-based Authentication Works
            Understanding Risk Score Calculation
          Setting Up Localhost for Risk Service
          Configuring Risk-based Authentication
            Configuring a Risk Policy
            Configuring a Method for an Authentication Class
            Configuring a Contract for an Authentication Class
            Configuring Rules
          Configuring User History
            Configuring an External Database to Store User History
              Configuring MySQL Database
              Configuring Oracle Database
              Configuring Microsoft SQL Server
              Configuring File-based H2 Database
              Enabling c3p0 Connection Pooling for Database
              Deleting Risk-based Authentication and Device Fingerprint Entries from the Database
            Enabling User History
          Configuring Geolocation Profiling
          Configuring Behavioral Analytics
          Configuring NAT Settings
          Configuring an Authorization Policy to Protect a Resource
          Understanding Risk-based Authentication through Scenarios
            Scenario: Calculating Risk Based on the Device Type
            Scenario: Calculating Risk Based on the Location from Where an Access Request Originates
            Scenario: Calculating Risk Based on the HTTP Header Value
            Scenario: Evaluating the Grant Permissions using the Historical Access Data
            Scenario: Calculating Risk Using Device Fingerprinting
            Scenario: Determining an Improbable Travel Event
          Risk-Based Authentication: Sample Configuration
          Troubleshooting Risk-based Authentication
            Enabling Logging for Risk-based Authentication
            Enabling Auditing for Risk-Based Authentication Events
            Troubleshooting Risk Rule Configuration
            Audit Events Supported for Behavioral Analytics
        Device Fingerprinting
          How It Works
          Understanding Device Fingerprint Parameters
          Configuring a Device Fingerprint Rule
          Configuring an Example Device Fingerprint Policy
        Advanced Authentication
          Prerequisites
          Configuring Advanced Authentication
        SAML 2.0
          Understanding How Access Manager Uses SAML
            Attribute Mapping with Liberty
            Trusted Provider Reference Metadata
            Authorization Services
            Identity Provider Process Flow
            SAML Service Provider Process Flow
          Configuring a SAML 2.0 Profile
          Managing a SAML 2.0 Service Provider
            Creating a SAML 2.0 Service Provider
            Configuring Multiple Instances of a SAML 2.0 Service Provider in an Identity Server Cluster
            Minimizing Service Interruption of SAML 2.0 Service Providers
              Include an Additional Signing Certificate
              Update Settings of a Trusted Service Provider
            Contracts Assigned to a SAML 2.0 Service Provider
            Configuring a SAML 2.0 Authentication Response
            Executing an Authorization-based Role Policy During SAML 2.0 Service Provider Initiated Request
            Editing a SAML 2.0 Service Provider’s Metadata
            Configuring Communication Security for a SAML 2.0 Service Provider
          Managing a SAML 2.0 Identity Provider
            Creating a SAML 2.0 Identity Provider
            Configuring a SAML 2.0 Authentication Request
            Configuring Communication Security for a SAML 2.0 Identity Provider
            Defining Session Synchronization for A-Select SAML 2.0 Identity Provider
          Defining Options for SAML 2.0
            Defining Options for a SAML 2.0 Identity Provider
            Defining Options for a SAML 2.0 Service Provider
          Configuring Liberty or SAML 2.0 Session Timeout
          OIOSAML 3 Compliance
            OIOSAML 3 Metadata Samples
              Identity Provider’s Metadata
              Service Provider’s Metadata
              OIOSAML 3 Request and Response when Access Manager acts as an Identity Provider
            Enabling OIOSAML Compliance
          Modifying An Authentication Card for Liberty or SAML 2.0
          Configuring Multiple SAML 2.0 Service Providers on the Same Host for a Single SAML Identity Provider
          Configuring Active Directory Federation Services with SAML 2.0 for Single Sign-On
            Prerequisites for Configuring AD FS with SAML 2.0
              Environment
              IP Connectivity
              Name Resolution
              Clock Synchronization
            Configuring Access Manager as a Claims or Identity Provider and AD FS 2.0 as a Relying Party or Service Provider
              Configuring Access Manager
              Configuring AD FS 2.0
              Example Scenario: Access Manager as the Claims Provider and AD FS 2.0 as the Relying Party
            Configuring AD FS 2.0 as the Claims or Identity Provider and Access Manager as the Relying Party or Service Provider
              Configuring Access Manager
              Configuring AD FS 2.0
            AD FS 2.0 Basics
              Configuring the Token-Decrypting Certificate
              Adding CA Certificates to AD FS 2.0
            Debugging AD FS 2.0
        WS Federation
          Using Identity Server as an Identity Provider for ADFS
            Configuring Identity Server as an Identity Provider for ADFS
              Prerequisites for Configuring an Identity Provider for ADFS
              Creating a New Authentication Contract
              Setting the WS-Fed Contract as the Default Contract
              Enabling the WS Federation Protocol
              Creating an Attribute Set for WS Federation
              Enabling the Attribute Set
              Creating a WS Federation Service Provider
              Configuring the Name Identifier Format
              Setting Up Roles for ClaimApp and TokenApp Claims
              Importing the ADFS Signing Certificate into the NIDP-Truststore
            Configuring the ADFS Server
              Enabling Email as a Claim Type
              Creating an Account Partners Configuration
              Enabling ClaimApp and TokenApp Claims
              Disabling CRL Checking
            Logging In
            Troubleshooting
              Enabling Logging on the ADFS Server
              Common Errors
          Using the ADFS Server as an Identity Provider for an Access Manager Protected Resource
            Configuring Identity Server as a Service Provider
              Prerequisites for Configuring Identity Server as Service provider
              Enabling the WS Federation Protocol
              Creating a WS Federation Identity Provider
              Modifying the User Identification Specification
              Importing the ADFS Signing Certificate into the NIDP-Truststore
            Configuring the ADFS Server as an Identity Provider
              Enabling a Claim Type for a Resource Partner
              Creating a Resource Partner
            Logging In
            Additional WS Federation Configuration Options
          Managing WS Federation Providers
            Creating an Identity Provider for WS Federation
            Creating a Service Provider for WS Federation
            Contracts Assigned to a WS Federation Service Provider
          Modifying a WS Federation Identity Provider
            Renaming the Trusted Provider
            Configuring the Attributes Obtained at Authentication
            Modifying the User Identification Method
            Viewing the WS Identity Provider Metadata
            Editing the WS Identity Provider Metadata
            Modifying the Authentication Card
            Assertion Validity Window
          Defining Options for WS Federation Service Provider
          Modifying a WS Federation Service Provider
            Renaming the Service Provider
            Configuring the Attributes Sent with Authentication
            Modifying the Authentication Response
            Viewing the WS Federation Service Provider Metadata
            Editing the WS Federation Service Provider Metadata
          Configuring STS Attribute Sets
          Configuring STS Authentication Methods
          Configuring STS Authentication Request
        WS-Trust Security Token Service
          Basic Scenarios Supported by WS-Trust STS
            Web Service Client Communicating with Token Protected Web Service Provider
            Web Single Sign-On and STS
            Identity Delegation and Impersonation
            Renewing a Token
            Authentication by Using SAML Tokens
          Configuring WS-Trust STS
            Enabling WS-Trust
            Configuring Access Manager for WS-Trust STS
            Viewing STS Service Details
          Configuring Service Providers
            Adding a Domain and Assigning WS-Trust Operations
            Adding Web Service Providers
              Enabling Delegation and Impersonation
              Configuring ActAs to Lookup Multiple User Stores
              Adding Policy for ActAs and OnBehalfOf
            Managing Service Provider Domains
            Managing Service Providers
            Modifying Service Providers
            A Sample WS-Policy for Web Service Providers
          Configuring Web Service Clients
            Configuring Apache CXF-based Web Service Clients
            Configuring Metro-based Web Service Clients
          Renew Token - Sample Request and Response
            Renew Token - Sample Request
            Renew Token - Sample Response
        OAuth and OpenID Connect
          How OAuth and OpenID Connect Helps
          OAuth Keywords and Their Usage in Access Manager
          Implementing OAuth in Access Manager
          OIDC Front-Channel Logout
          Configuring OAuth and OpenID Connect
            Enabling OAuth and OpenID Connect
            Extending a User Store for OAuth 2.0 Authorization Grant Information
            Defining Global Settings
            Configuring a Resource Server
              Adding a Resource Server
              Restricting the Number of Requests
            Defining Scopes for a Resource Server
              Configuring User Claims or Permission in Scope
              Managing Scopes of a Resource Server
              Modifying Claims and Attributes
            Managing OAuth Client Applications
              Registering OAuth Client Applications
              Modifying Registered Client Applications
          Using Access Gateway in the OAuth Flow
          Configuring Access Gateway for OAuth
            Enabling OAuth in Access Gateway
            Configuring an Authorization Policy based on OAuth Scopes
            Configuring an Identity Injection Policy for OAuth Claims
            Configuring an Identity Injection Policy for User Passwords
            Configuring Access Gateway to Inject OAuth Tokens
          OAuth Scenarios
            Web applications (Resource Server) validate an access token before allowing a client application to access resources
            Access Gateway validates the Access token on behalf of web applications
            Access Gateway injects the Access token on behalf of web applications
          Mobile Authentication
          Exchanging SAML 2.0 Assertions with Access Token
            Configuring Assertion Issuers
          Encrypting Access Token
            Encrypting the Token with the Access Manager Key
            Encrypting the Token with the Resource Server Key
          Configuring Multi-Factor Authentication for Resource Owner Credentials Grant
          Viewing Endpoint Details
          OAuth and OpenID Connect Audit Events
          Enabling Logging for OAuth and OpenID Connect
          Managing Client Applications by Using REST API
          Managing OAuth 2.0 Resource Server and Scope by Using REST API
          Revoking Refresh Tokens and the Associated Access Tokens
          Configuring the Demo OAuth Application
        Federated Authentication for Specific Providers
          Setting Up Google Applications
          Integrating Amazon Web Services with Access Manager
            Enabling Web Single Sign-On in the AWS Console
            Configuring AWS as a Service Provider in Access Manager
              Re-Mapping Attribute Sets
              Re-Importing the Metadata
            Integrating Amazon CloudTrail with Access Manager
          Configuring Single Sign-On for Office 365 Services
            Passive and Active Authentication
            Configuring Active and Passive Authentication through WS-Trust and WS-Federation
              Prerequisite
              Configuring an Office 365 Domain By Using WS-Trust Protocol
              Configuring an Office 365 Domain to Federate with Access Manager
              Configuring objectSid as the Immutable ID
            Configuring Federation with Office 365 Services for Multiple Domains
              Creating Multiple Domains in Office 365 and Establishing Federation with Access Manager
              Configuring Federation for Multiple Domains
            Configuring an Office 365 Domain That Supports Passive Federation by using SAML 2.0
              Prerequisite
              Configuring an Office 365 Domain to Federate with Access Manager
            Troubleshooting Scenarios
              WS-Trust and WS-Federation Scenarios
              SAML 2.0 Scenarios
              Office 365 Domain Scenarios
              Single Sign-on Fails in Skype for Business 2016
            Sample Tokens
              Sample SAML Token
              Sample WS-Trust Token
              Sample WS-Federation Token
          Integrating Salesforce With Access Manager By Using SAML 2.0
          Integrating Shibboleth Identity Provider With Access Manager
        Other Authentication Types
          Persistent Authentication
            Frequent Re-authentication Using Password
            Persistence Auth Class Properties
            Customizing the Login Page For Persistent Authentication
            Configuring the Persistent Authenticator Class
            Logging Out of the Persistent Sessions
            Limitations of Using Persistent Authentication Class
          ORed Credential Class
          OpenID Authentication
          Password Retrieval
          Smart Card Authentication with NMAS
            Prerequisites for Configuring Smart Card Authentication with NMAS
            Creating a User Store for the NESCM Method
            Creating a Contract for the Smart Card
              Creating an NMAS Class for NESCM
              Creating a Method to Use the NMAS Class
              Creating an Authentication Contract to Use the Method
            Assigning the NESCM Contract to a Protected Resource
            Verifying the User’s Experience
            Troubleshooting
          Two-Factor Authentication Using Time-Based One-Time Password
            Why Two-Factor Authentication
            Prerequisites for TOTP
            Configuring TOTP Class, Method, and Contract
            Registering with TOTP
            Verifying the TOTP Configuration
          Service Provider Brokering
            Configuring a SP Broker
            Configuring a Brokering for Authorization of Service Providers
            Creating and Viewing Brokering Groups
              Creating a Brokering Group
              Configuring Trusted Identity Providers and Service Providers
              Configuring Brokering Rules
              Constructing Brokering URLs
              Validating Brokering Rules
            Generating the Brokering URLs by Using an ID and Target in the Intersite Transfer Service
            Assigning the Local Roles Based on Remote Roles and Attributes
            SP Brokering Example
          Configuring SAML 1.1
            Configuring a SAML 1.1 Profile
            Creating a SAML 1.1 Service Provider
            Creating a SAML 1.1 Identity Provider
            Configuring Communication Security for SAML 1.1
            Editing a SAML 1.1 Identity Provider’s Metadata
            Editing a SAML 1.1 Service Provider’s Metadata
            Configuring the SAML 1.1 Authentication Response
            Defining Options for SAML 1.1 Service Provider
            Modifying the Authentication Card for SAML 1.1
          Configuring Liberty
            Configuring a Liberty Profile
            Creating a Liberty Service Provider
            Creating a Liberty Identity Provider
            Configuring Communication Security for Liberty
            Configuring a Liberty Authentication Request
            Configuring the Liberty Authentication Response
            Defining Options for Liberty Service Provider
              To Define Options for Liberty Service Provider
            Defining Options for Liberty Identity Provider
            Configuring the Session Timeout
            Modifying the Authentication Card
          Configuring Liberty Web Services
            Web Services Framework
            Managing Web Services and Profiles
              Modifying Service and Profile Details for Employee, Custom, and Personal Profiles
              Modifying Details for Authentication, Discovery, LDAP, and User Interaction Profiles
              Editing Web Service Descriptions
              Editing Web Service Policies
              Create Web Service Type
            Configuring Credential Profile Security and Display Settings
            Customizing Attribute Names
            Configuring the Web Service Consumer
            Mapping LDAP and Liberty Attributes
              Configuring One-to-One Attribute Maps
              Configuring Employee Type Attribute Maps
              Configuring Employee Status Attribute Maps
              Configuring Postal Address Attribute Maps
              Configuring Contact Method Attribute Maps
              Configuring Gender Attribute Maps
              Configuring Marital Status Attribute Maps
      Access Manager Policies
        Understanding Policies
          Selecting a Policy Type
          Tuning the Policy Performance
          Managing Policies
            Creating Policies
            Sorting Policies
            Deleting Policies
            Renaming or Copying a Policy
            Importing and Exporting Policies
            Refreshing Policy Assignments
            Viewing Policy Information
          Managing Policy Containers
          Managing a Rule List
            Rule Evaluation for Role Policies
            Rule Evaluation for Authorization Policies
            Rule Evaluation for Identity Injection and Form Fill Policies
            Viewing Rules
          Adding Policy Extensions
            Installing the Extension on Administration Console
              Uploading and Configuring a JAR File
              Importing a ZIP File
            Distributing a Policy Extension
            Managing a Policy Extension Configuration
            Viewing Extension Details
          Enabling Policy Logging
        Role Policies
          Understanding RBAC in Access Manager
            Assigning All Authenticated Users to a Role
            Using a Role to Create an Authorization
            Using Prioritized Rules in an Authorization Policy
          Enabling Role-Based Access Control
          Creating Roles
            Selecting Conditions
              Authenticating IDP Condition
              Authentication Contract Condition
              Authentication Method Condition
              Authentication Type Condition
              Credential Profile Condition
              LDAP Group Condition
              LDAP OU Condition
              LDAP Attribute Condition
              Liberty User Profile Condition
              Roles from Identity Provider Condition
              User Store Condition
              Virtual Attribute Condition
              Condition Extension
              Data Extension
            Using Multiple Conditions
              AND Conditions, OR groups
              OR Conditions, AND groups
              Using the Not Options
              Adding Multiple Conditions
              Adding New Condition Groups
              Disabling Conditions and Condition Groups
            Selecting an Action
              Activate Role
              Activate Selected Role
          Example Role Policies
            Creating an Employee Role
            Creating a Manager Role
            Creating a Rule for a Contract with ORed Credentials
          Creating Access Manager Roles in an Existing Role-Based Policy System
            Activating Roles from External Sources
            Using Conditions to Assign Roles
              Creating a Role by Using an LDAP Attribute
              Creating a Role by Using the Location of the User Objects
              Creating a Role by Using a Group Membership Attribute
          Mapping Roles between Trusted Providers
            Prerequisites for Mapping Roles between Trusted Providers
            To Map Roles between Trusted Providers
          Enabling and Disabling Role Policies
          Importing and Exporting Role Policies
        Authorization Policies
          Designing an Authorization Policy
            Controlling Access with a Deny Rule and a Negative Condition
            Configuring the Result on Condition Error Option
            Many Rules or Many Conditions
            Using Multiple Conditions
            Controlling Access with Multiple Conditions
            Using Permit Rules with a Deny Rule
            Using Deny Rules with a General Permit Rule
            Public Policies
            General Design Principles
            Using the Refresh Data Option
            Assigning Policies to Resources
          Creating Access Gateway Authorization Policies
          Sample Access Gateway Authorization Policies
            Sample Policies Based on Organizational Rules
              LDAP Context Policies
              Role Policies with Authorization Policies
            Sample Workflow Policy
          Conditions
            Authentication Contract Condition
            Client IP Condition
            Credential Profile Condition
            Current Date Condition
            Day of Week Condition
            Current Day of Month Condition
            Current Time of Day Condition
            HTTP Request Method Condition
            LDAP Attribute Condition
            LDAP OU Condition
            Liberty User Profile Condition
            Roles Condition
            Risk Score
            OAuth Scopes
            URL Condition
            URL Scheme Condition
            URL Host Condition
            URL Path Condition
            URL File Name Condition
            URL File Extension Condition
            Virtual Attribute Condition
            X-Forwarded-For IP Condition
            Condition Extension
            Data Extension
            Using the URL Dredge Option
            Edit Button
          Importing and Exporting Authorization Policies
        Identity Injection Policies
          Designing an Identity Injection Policy
            Using the Refresh Data Option
          Configuring an Identity Injection Policy
          Configuring an Authentication Header Policy
          Configuring a Custom Header Policy
          Configuring a Custom Header with Tags
          Specifying a Query String for Injection
          Injecting into the Cookie Header
          Configuring an Inject Kerberos Ticket Policy
          Configuring an OAuth Token Inject Policy
          Importing and Exporting Identity Injection Policies
        Form Fill Policies
          Understanding an HTML Form
          Implementing Form Fill Policies
            Designing a Form Fill Policy
              Verifying the Content or Page Type of the Form
              Creating a Form Matching Rule
              Including JavaScript in a Form Fill Policy
              Form Fill Character Sets (UTF-8)
            Creating a Form Fill Policy
            Creating a Login Failure Policy
            Creating an Inject JavaScript Policy
              Sample Inject JavaScript Policy
            Troubleshooting a Form Fill Policy
              Valid HTML Structure
              The Option Element Does Not Contain a Value Attribute
              The Form Element Does Not Contain a Method Attribute
          Creating and Managing Shared Secrets
            Naming Conventions for Shared Secrets
            Creating a Shared Secret Independent of a Policy
            Modifying and Deleting a Shared Secret
          Importing and Exporting Form Fill Policies
          Configuring a Form Fill Policy for Forms With Scripts
            Why Does Form Fill Fail with the Default Policy?
            Understanding How a Form Is Submitted
            Creating a Form Fill Policy for Autosubmission
            Configuring the Advanced Options for Autosubmission
        External Attribute Source Policies
          Enabling External Attributes Policy
          Creating an External Attribute Source Policy
          External Attribute Source Policy Examples
            Scenario 1
            Scenario 2
        Risk-based Policies
      Integrating Access Manager with Microsoft Azure
        Automatic Hybrid Azure AD Join for Windows Devices
          How Automatic Hybrid Azure AD Join Works
          Setting Up Automatic Hybrid Azure AD Join for Windows Devices
            Prerequisites for Automatic Hybrid Azure AD Join
            Preparing Azure AD for Automatic Hybrid Azure AD Join
            Configuring Access Manager for Automatic Hybrid Azure AD Join
            Validating Hybrid Azure AD Join
            Verifying Device Registration Status
          Automatic Hybrid Azure AD Join for Windows Downlevel Devices
          How SSO to Microsoft Azure Applications Works
          Troubleshooting Automatic Hybrid Azure AD Join
        Azure Active Directory Conditional Access with Access Manager
        Registering Devices to Microsoft Intune Mobile Device Management
        Enabling Access Manager with Microsoft Windows Autopilot
      Appmarks
        Creating an Appmark
        Creating Multiple Appmarks for an Application
        Managing Icons
      Enabling Mobile Access
        Requirements for the MobileAccess App
        Configuring the MobileAccess App
        Helping Users Register Their Mobile Devices
          Registering iOS Devices
          Registering Android Devices
            Manual
            HTML Page with Anchor Link
        Installing MobileAccess on a Mobile Device
        Understanding the MobileAccess PIN
        Managing Mobile Devices
          Deregistering Mobile Devices as an Administrator
          Deregistering a Mobile Device as a User
          Deleting and Reinstalling the MobileAccess App on a Device
      Branding of the User Portal Page
        To Customize the Title of the User Portal
      High Availability and Fault Tolerance
        Installing Secondary Administration Console
          Prerequisites for Installing Secondary Administration Console
            Managing Administration Consoles Installed with Clustered Identity Servers
          Installing Second Console
          Understanding How Consoles Interact with Each Other and with Access Manager Devices
            Tasks Requiring the Primary Console
            Tasks Available from the Secondary Console
        Configuration Tips for the L4 Switch
          Sticky Bit
          Network Configuration Requirements
          Health Checks
            Health Checks for Identity Server
            Health Checks for Access Gateway
          Real Server Settings Example
          Virtual Server Settings Example
        Setting up L4 Switch for IPv6 Support
          Web SSO Over IPv6
          Federated SSO over IPv6
            Federated SSO over IPv6 Using Artifact Binding
              Configuration
              How It Works?
            Federated SSO over IPv6 using Post Binding
              Configuration
              How It Works
          Limitations
        Using a Software Load Balancer
      Sample Configuration for Protecting an Application Through Access Manager
        Installation Overview and Prerequisites
          Installation Architecture
          Deployment Overview
            Prerequisite Tasks
            Deployment Tasks
        Setting Up the Web Server
          Installing the Apache Web Server and PHP Components
          Installing Digital Airlines Components
          Configuring Name Resolution
        Configuring Public Access to Digital Airlines
        Implementing Access Restrictions
          Enabling an Authentication Procedure
            Common Authentication Problems
          Configuring a Role-Based Policy
            Adding an LDAP Attribute to Your Configuration
            Creating a Sales Role
            Creating a New User with a Sales Role
            Creating the Identity Injection Policy for a Custom Header
          Assigning an Authorization Policy to Protect a Resource
          Configuring an Identity Injection Policy for Basic Authentication
            Configuring the Web Server for Basic Authentication
              Enabling LDAP Clear-Text Passwords
              Enabling Basic Authentication
            Creating an Identity Injection Policy for Basic Authentication
    Security And Certificates
      Securing Access Manager
        Securing Administration Console
        Protecting the Configuration Store
        Security Considerations for Certificates
        Configuring Secure Communication on Identity Server
          Configuring Enhanced Security for Service Provider Communications
          Viewing the Services That Use the Signing Key Pair
            Protocols
            SOAP Back Channel
            Profiles
          Viewing Services That Use the Encryption Key Pair
          Managing the Keys, Certificates, and Trust Stores
        Security Considerations for Identity Server
          Federation Options
          Authentication Contracts
          Forcing 128-Bit Encryption
          Configuring the Encryption Method for the SAML Assertion
          Blocking Access to Identity Server Pages
          Using netHSM for the Signing Key Pair
            How Access Manager Uses Signing and Interacts with the netHSM Server
            Configuring Identity Server for netHSM
        Enabling Secure Cookies
          Securing the ESP Session Cookie on Access Gateway
          Securing the Proxy Session Cookie
            Setting an Authentication Cookie with a Secure Keyword for HTTP
            Preventing Cross-Site Scripting Vulnerabilities
        Preventing Cross-site Scripting Attacks
          Option 1: HTML Escaping
          Option 2: Filtering
          Option 3: Understanding Relaxed Query Parameters
      Setting Up Advanced Session Assurance
      Understanding Access Manager Certificates
        Process Flow
        Access Manager Trust Stores
        Access Manager Keystores
          Identity Server Keystores
          Access Gateway Keystores
          Keystores When Multiple Devices Are Installed on Administration Console
      Creating Certificates
        Creating a Locally Signed Certificate
        Editing the Subject Name
        Assigning Alternate Subject Names
        Generating a Certificate Signing Request
        Importing a Signed Certificate
      Managing Certificates and Keystores
        Viewing Certificate Details
        Adding a Certificate to a Keystore
        Renewing a Certificate
        Exporting a Private/Public Key Pair
        Exporting a Public Certificate
        Importing a Private/Public Key Pair
        Managing Certificates in a Keystore
        Using Multiple External Signing Certificates
      Assigning Certificates to Access Manager Devices
        Importing a Trusted Root to the LDAP User Store
        Managing Identity Server Certificates
        Assigning Certificates to an Access Gateway
          Managing Embedded Service Provider Certificates
          Managing Reverse Proxy and Web Server Certificates
        Changing a Non-Secure (HTTP) Environment to a Secure (HTTPS) Environment
      Managing Trusted Roots and Trust Stores
        Managing Trusted Roots and Trust Stores
          Importing Public Key Certificates (Trusted Roots)
          Adding Trusted Roots to Trust Stores
          Auto-Importing Certificates from Servers
          Exporting a Public Certificate of a Trusted Root
          Viewing Trust Store Details
          Viewing Trusted Root Details
        Viewing External Trusted Roots
      Enabling SSL Communication
        Enabling SSL Communication
          Identifying the SSL Communication Channels
          Using Access Manager Certificates
            Configuring Secure Communication on Identity Server
            Configuring Access Gateway for SSL
          Using Externally Signed Certificates
            Obtaining Externally Signed Certificates
            Configuring Identity Server to Use an Externally Signed Certificate
            Configuring Access Gateway to Use an Externally Signed Certificate
          Using an SSL Terminator
            Required Setup
            Configuring the SSL Terminator
            Configuring Access Gateway
          SSL Renegotiation
        Using SSL on Access Gateway Communication Channels
        Configuring SSL for Authentication between Identity Server and Access Manager Components
        Prerequisites for SSL
          Prerequisites for SSL Communication between Identity Server and Access Gateway
          Prerequisites for SSL Communication between Access Gateway and Web Servers
        Configuring SSL Communication with Browsers and Access Gateway
        Configuring SSL between the Proxy Service and the Web Servers
        Configuring the SSL Communication
    Maintaining Access Manager
      Analytics Dashboard
        Advantages of Using Analytics Dashboard
        Architecture of Analytics Dashboard
        Who Can Access Analytics Dashboard
        Getting Started with Analytics Dashboard
        Prerequisites for Viewing Graphs on Analytics Dashboard
        Enabling Events for Each Graph
        Viewing Data in Analytics Dashboard
          Real-time Data
          Historic Data
        Types of Graphs
          Unique Users Logged In
          Active Users
          Access Gateway Active Users
          Geolocation of Users Logged In
          Geo-Maps
          Risky Logins
          Identity Server Accessed Applications
          Most Accessed Access Gateway Applications
          Most Used Browsers
          Most Used Endpoint Devices
          Most Active Users
          Client IP Addresses
          Authentication Methods Used
          Failed Authentications
          Logins
          Access Gateway Logins
          Access Gateway Uptime
          Access Gateway Requests
          Access Gateway Cache Utilization
          Identity Server Devices
          Access Gateway Devices
        Accessing Analytics Dashboard
        Managing Analytics Dashboard
          Managing Layout of a Dashboard
          Exporting and Importing a Customized Dashboard
            Exporting a Customized Dashboard
            Importing a Customized Dashboard
          Filtering Data to View Required Details
          Adding or Modifying Refresh Time for the Real-time Dashboard
          Creating Visualization
          Creating a Custom Dashboard
          Customizing the Views of Graphs
            Use Case: Customizing Unique Users Logged In Graph
            Use Case: Customizing View for Client IP Address Graph
          Discovering Data
            Viewing Index Pattern
            Viewing and Sharing Reports
          Logging Analytics Server Events
        Snapshot and Restore
          What is a Snapshot?
          Setting up a Snapshot Policy
          Executing the Snapshot Policy Manually
          Getting Status of the Snapshot Policy
          Deleting a Snapshot Policy
          Deleting Individual Snapshot Policy
          Restoring the Snapshot
        Sample Queries for Analytics Dashboard
        Sample Analytics Dashboard Snapshot and Restore
      Auditing
        Setting Up Logging Server and Console Events
        Important Points to Consider When Using Syslog
          Limitations of Syslog
          Caching Audit Events
          Debugging Syslog
        Configuring Syslog for Auditing over UDP and TLS
          Auditing using UDP
          Auditing using TLS over TCP
          Configuring Administration Console as a Remote Audit Server
        Enabling Identity Server Audit Events
        Enabling Access Gateway Audit Events
      Logging
        Understanding the Types of Logging
          Component Logging for Troubleshooting Configuration or Network Problems
          HTTP Transaction Logging for Proxy Services
        Understanding the Log Format
          Understanding the Correlation Tags in the Log Files
          Sample Scenario
        Identity Server Logging
          Configuring Logging for Identity Server
            Enabling Component Logging
            Managing Log File Size
          Configuring Session-Based Logging
            Creating Administrator Class, Method, and Contract
            Creating Logging Session Class, Method, and Contract
            Enabling Basic Logging
            Responding to an Incident
              Creating a Logging Ticket
              Enabling a Logging Session
              Viewing the Log File
          Capturing Stack Traces of Exceptions
        Access Gateway Logging
          Managing Access Gateway Logs
            Configuring the Log Level
            Configuring the Log File
          Configuring Logging of HTTP Headers
            Configuring Logging Headers in Request from Client to Proxy
            Configuring Logging Headers in Response from Proxy to Client
          Configuring Logging of SOAP Messages
          Configuring Logging for a Proxy Service
            Determining Logging Requirements
            Calculating Rollover Requirements
              Calculating diskfull_time
              Calculating max_roll_time
              Calculating max_log_roll_size
            Enabling Logging
            Configuring Common Log Options
            Configuring Extended Log Options
            Configuring the Size of the Log Partition
        Downloading Log Files
          Administration Console Logs
          Identity Server Logs
          Access Gateway Appliance and Access Gateway Service Logs
        Turning on Logging for Policy Evaluation
      Monitoring Component Statistics
        Identity Server Statistics
          Monitoring Identity Server Statistics
            Application
            Authentications
            Incoming HTTP Requests
            Outgoing HTTP Requests
            Liberty
            SAML 1.1
            SAML 2
            WSF (Web Services Framework)
            Clustering
            LDAP
            SP Brokering
            Risk-Based Authentication
            OAuth
          Monitoring Identity Server Cluster Statistics
        Access Gateway Statistics
          Monitoring Access Gateway Statistics
            Server Activity Statistics
              Server Activity
              Connections
              Bytes
              Requests
              Cache Freshness
            Server Benefits Statistics
            Service Provider Activity Statistics
              Application
              Authentications
              Incoming HTTP Requests
              Outgoing HTTP Requests
              Liberty
              Clustering
              SP Brokering
          Monitoring Access Gateway Cluster Statistics
        Component Statistics Through REST APIs
          Monitoring API for Identity Server Statistics
            Endpoints of the REST API
            Supported Commands and Their Outputs
              httpInRequests
              inUrlTypes
              httpOutRequests
              ldapServerConfig
              ldapConnections
              ldapConnectionWaits
              ldapReplicaStats
              ldapPerfOverview
              ldapFailOverview
              authPerf
          Monitoring API for Access Gateway Statistics
      Access Manager Licensing
        How Licensing Works
        Viewing License Details
        Applying License
        Renewing a Subscription License
        Access Manager Licensing API
      Monitoring Component Command Status
        Viewing the Command Status of Identity Server
          Viewing the Status of Current Commands
          Viewing Detailed Command Information
        Viewing the Command Status of Access Gateway
          Viewing the Status of Current Commands
          Viewing Detailed Command Information
        Viewing the Command Status of the Analytics Server
          Viewing the Status of Current Commands
          Viewing Detailed Command Information
        Reviewing the Command Status for Certificates
      Monitoring Server Health
        Health States
        Monitoring Health by Using the Hardware IP Address
        Monitoring Health of Identity Servers
          Monitoring the Health of an Identity Server
          Monitoring the Health of a Cluster
        Monitoring the Health of Access Gateways
          Monitoring the Health of an Access Gateway
            Service Categories of Access Gateway Appliance
            Service Categories of Access Gateway Service
          Monitoring the Health of an Access Gateway Cluster
        Monitoring Health of Analytics Server
          Monitoring Health of Analytics Server
          Monitoring the Health of Analytics Server Cluster
        Monitoring the Health of Services
      Monitoring Alerts
        Monitoring Identity Server Alerts
        Monitoring Access Gateway Alerts
          Viewing Access Gateway Alerts
          Viewing Access Gateway Cluster Alerts
          Managing Access Gateway Alert Profiles
          Configuring an Alert Profile
          SNMP Profile
          Configuring a Log Profile
          Configuring an Email Profile
          Configuring a Syslog Profile
        Monitoring Analytics Server Alerts
          Viewing Analytics Server Alerts
          Viewing Analytics Server Cluster Alerts
      Monitoring Access Manager By Using Simple Network Management Protocol
        SNMP Architecture in Access Manager
        Features of Monitoring Using SNMP
        Using the Default MIB File with External SNMP Systems
        Querying For SNMP Attributes
        Enabling Monitoring for Access Manager Components
      Impersonation
        Impersonation Terminology
        Prerequisites for Creating an Impersonated Session
        Enabling Impersonation
        Impersonation Flow
        Implementing Impersonation in Custom Portal Pages
          Understanding the Impersonation-Specific JSP Files
          Determining When to Show the Specific JSP Files
        Audit Event for Impersonation
        Troubleshooting
      Back Up and Restore
        How The Backup and Restore Process Works
          Default Parameters
          The Process
        Backing Up the Access Manager Configuration
        Restoring the Access Manager Configuration
          Restoring the Configuration on a Standalone Administration Console
          Restoring the Configuration with an Identity Server on the Same Machine
        Restoring an Identity Server
        Restoring an Access Gateway
          Clustered Access Gateway
          Single Access Gateway
      Code Promotion
        How Code Promotion Helps
        Sequence of Promoting the Configuration Data
        Prerequisites for Performing Code Promotion
        Viewing Configuration Files Paths
        Exporting the Configuration Data
        Importing the Configuration Data
          Uploading the Configuration File to Import
          Selecting a Component to Import the Configuration Data
          Importing the Identity Server Configuration Data
            Importing Identity Server Clusters
          Importing the Access Gateway Configuration Data
            Selecting Proxy Services and Protected Resources to Import
            Verifying the Component-Specific Configuration Changes
            Updating Identity Server User Store References
            Setting Up New Proxy Services in the Target System after the Import
          Post-Import Configuration Tasks
        Troubleshooting Code Promotion
        Code Promotion Limitations
      Troubleshooting
        Troubleshooting Administration Console
          Global Troubleshooting Options
            Checking for Potential Configuration Problems
            Checking for Version Conflicts
            Checking and Terminating User Sessions
            Checking for Invalid Policies
            Viewing System Alerts
          Diagnostic Configuration Export Utility
          Restoring a Failed Secondary Console
          Moving the Primary Administration Console to a New Hardware
          Converting a Secondary Administration Console into a Primary Console
            Shutting Down Primary Administration Console
            Changing the Master Replica
            Restoring CA Certificates
            Verifying the vcdn.conf File
            Deleting Objects from the eDirectory Configuration Store
            Performing Component-Specific Procedures
              Identity Server Installed with the Failed Primary Administration Console
              Third Administration Console
              Access Gateway Appliance
              Access Gateway Services
              Identity Server
              Old Primary Administration Console
          Repairing the Configuration Datastore
          Session Conflicts
          Unable to Log In to Administration Console
          Exception Processing IdentityService_ServerPage.JSP
          Backup and Restore Fail Because of Special Characters in Passwords
          Unable to Install the NMAS SAML Method
          Incorrect Audit Configuration
          Unable to Update Access Gateway Listening IP Address in Administration Console Reverse Proxy
          During Access Gateway Installation Any Error Message Should Not Display Successful Status
          Incorrect Health Is Reported on Access Gateway
          Administration Console Does Not Refresh the Command Status Automatically
          SSL Communication with Weak Ciphers Fails
          Error: Tomcat did not stop in time. PID file was not removed
          (Access Manager on Cloud) Metadata Under System Setup of SAML 2 Applications Is Displayed after a Delay of 5 to 10 Seconds
          Administration Console Shows Malformed Request Error
        Troubleshooting Access Gateway
          Useful Troubleshooting Files
            Apache Logging Options for Gateway Service
              Ignoring Some Standard Messages
              Modifying the Logging Level for Apache Logs
            Access Gateway Service Log Files
          Verifying That All Services Are Running
          Microsoft Office Documents Do Not Open When SharePoint Is Accelerated by Access Gateway Appliance
          Troubleshooting SSL Connection Issues
          Enabling Debug Mode and Core Dumps
            Starting Apache in the Debug Mode
            Examining the Debug Information
            Disabling the Debug Mode
            Enabling the Core Dumps in RHEL
          Useful Troubleshooting Tools for Access Gateway Service
          Solving Apache Restart Issues
            Removing an Advanced Configuration Settings
            Viewing the Logged Apache Errors
            Viewing the Errors as Apache Generates Them
            The ActiveMQ Module Fails to Start
          Understanding the Authentication Process of Access Gateway Service
          Issue While Accelerating the Ajax Applications
          Accessing Lotus-iNotes through Access Gateway Asks for Authentication
          Configuration Issues
          Embedded Service Provider Does not Start
          Cannot Inject a Photo into HTTP Headers
          Access Gateway Caching Issues
          Issues while Changing the Management IP Address in Access Gateway Appliance
          Issue While Adding Access Gateway in a Cluster
        Troubleshooting Identity Server and Authentication
          Useful Networking Tools for Identity Server
          Troubleshooting 100101043 and 100101044 Liberty Metadata Load Errors
            Metadata
              Embedded Service Provider Metadata
              Service Provider Metadata
            DNS Name Resolution
            Certificate Names
            Certificates in the Required Trust Stores
            Enabling Debug Logging
              ESP Cannot Resolve the Base URL of Identity Server
              Trusted Roots Are Not Imported into the Appropriate Trusted Root Containers
              The Server Certificate Has an Invalid Subject Name
            Testing Whether the Provider Can Access the Metadata
            Manually Creating Any Auto-Generated Certificates
          Authentication Issues
            Authentication Classes and Duplicate Common Names
            General Authentication Troubleshooting Tips
            Slow Authentication
            Federation Errors
            Mutual Authentication Troubleshooting Tips
            Browser Hangs in an Authentication Redirect
            Duplicate Set-Cookie Headers
            Identity Server Does Not Convert Passwords Containing Accents over Letters (åäö) Correctly
          Problems Reading Keystores after Identity Server Re-installation
          After Setting Up the User Store to Use SecretStore, Users Report 500 Errors
          When Multiple Browser Logout Option Is Enabled, the User Does Not Get Logged Out from Different Sessions
          After Consuming a SAML Response, the Browser Is Redirected to an Incorrect URL
          Configuring SAML 1.1 Identity Provider Without Specifying Port in the Login URL Field
          Attributes Are Not Available Through Form Fill When OIOSAML Is Enabled
          Issue in Importing Metadata While Configuring Identity Provider or Service Provider Using Metadata URL
          Enabling Secure or HTTPOnly Flags for Cluster Cookies
          Apache Portable Runtime Native Library Does Not Get Loaded in Tomcat
          Metadata Mentions Triple Des As Encryption Method
          Issue in Accessing Protected Resources with External Identity Provider When Both Providers Use Same Cookie Domain
          SAML Intersite Transfer URL Setup Does Not Work for Non-brokered Setups after Enabling SP Brokering
          Orphaned Identity Objects
          Users Cannot Log In to Identity Server When They Access Protected Resources with Any Contract Assigned
          An Attribute Query from OIOSAML.SP Java Service Provider Fails with Null Pointer
          Disabling the Certificate Revocation List Checking
          Step Up Authentication for Identity Server Initiated SSO to External Provider Does Not Work Unless It Contains a Matching Local Contract
          Metadata Cannot be Retrieved from the URL
          Authentication Request to a Service Provider Fails
          SAML 2.0 POST Compression Failure Does Not Throw a Specific Error Code
          SAML 1.1 Service Provider Re-requests for Authentication
          Identity Server Statistics Logs Do Not Get Written In Less Than One Minute
          No Error Message Is Written in the Log File When an Expired Certificate Is Used for the X509 Authentication
          Terminating an Existing Authenticated User from Identity Server
          Clustered Nodes Looping Due to JGroup Issues
          Authentication With Aliases Fails
          nidp/app Does Not Redirect to nidp/portal after Authentication
          Login to Office 365 Fails when WS-Trust MEX Metadata Is Larger than 65 KB
          Unsafe Server Certificate Change in SSL/TLS Renegotiations Is Not Allowed
          Viewing Request and Response Headers of All Protocols in a Log File
          Provisioning of LDAP Attribute for Social Authentication User Failed
          User Authentication Fails When the Advanced Authentication Generic Class Is Used
          Cannot Create an Authentication Class with Advanced Authentication Generic Class - Recreating the Endpoints with Advanced Authentication or Advanced Authentication SaaS
          CORS Request to the Token Introspection Endpoint Fails
          The User Portal Page Does Not Display the Branding
          The SAML Authentication Fails When an Unsigned Request Contains an ACS URL
          Unable to Perform Single Sign-on When Azure Active Directory Is the Identity Provider
          Debug Logs Suppression for WS-Trust Authentication Failure
        Troubleshooting Analytics Server
          Launching Access Manager Dashboard Displays a Blank Page
          Graphs Do Not Display Any Data When You Launch Access Manager Dashboard
          Clearing the Existing Realtime Data to View the Imminent Data on Graphs
          Cannot Launch Access Manager Dashboard After Reimporting Analytics server
          The Analytics Server Health Is Not Reported to Administration Console
          Access Manager Dashboard Does Not Display Graphs, but Displays the Health Status of Devices
        Troubleshooting Certificate Issues
          Resolving the JCC Communication between Devices and Administration Console
          Resolving Certificate Import Issues
            Importing an External Certificate Key Pair
            Resolving a -1226 PKI Error
            When the Full Certificate Chain Is Not Returned During an Automatic Import of the Trusted Root
            Using Internet Explorer to Add a Trusted Root Chain
          Mutual SSL with X.509 Produces Untrusted Chain Messages
          Certificate Command Failure
          Cannot Log In with Certificate Error Messages
          When a User Accesses a Resource, the Browser Displays Certificate Errors
          Canceling Certificates Modification Results in Errors
          A Device Reports Certificate Errors
          Renewing the expired eDirectory certificates
          Certificate Trust Store Objects of the Identity Server Clusters Are Deleted Randomly
          Secondary Administration Console Does Not Reflect the Replaced Certificate
        Troubleshooting Access Manager Policies
          Turning on Logging for Policy Evaluation
          Common Configuration Problems That Prevent a Policy from Being Applied as Expected
            Enabling Roles for Authorization Policies
            LDAP Attribute Condition
            Result on Condition Error Value
            An External Secret Store and Form Fill
          The Policy Is Using Old User Data
          Form Fill and Identity Injection Silently Fail
          Checking for Corrupted Policies
          Policy Page Timeout
          Policy Creation and Storage
          Policy Distribution
          Policy Evaluation: Access Gateway Devices
            Successful Policy Configuration Example
            No Policy Defined Configuration Example
            Deny Access Configuration/Evaluation Example
        Troubleshooting MobileAccess
          Using the Same Mobile Device for Different Users Causes the Expired Session Error
          Simple Authentication with a Pop-up Browser Window Does Not Work for MobileAccess
          Users Fail to Authenticate to MobileAccess when Appmarks Are Launched in the Chrome Browser
          Changes to MobileAccess Do Not Appear in Administration Console
          Facebook Basic SSO Connector Does Not Work from MobileAccess
        Troubleshooting Code Promotion
          Troubleshooting Identity Server Code Promotion
            Exporting Identity Server Configuration Data Fails
            Importing Identity Server Configuration Data Fails
          Troubleshooting Access Gateway Code Promotion
            Exporting Access Gateway Configuration Data Fails
            Importing Access Gateway Configuration Data Fails
            Policy Configuration Is Locked
            Access Gateway Configuration Is Locked
            Access Gateway Cluster Is Not Associated with any Identity Server
            Proxy Service Type Does Not Match
            Policy Type Does Not Match
            Cannot Import a Virtual Proxy Service to SSL enabled Master Proxy
            Cookie Domain and Published DNS Name Do Not Match
            SSL Enabled Web Server Configuration Is Imported to a Non-SSL Proxy Service
            Names of Master Proxy Service Are Different
            Reverse Proxy and Master Proxy Service Do Not Exist
            Proxy Service Does Not Exist in the Target Setup
            DNS Name Is Not Unique
            Revert Process Fails for Access Gateway
          Troubleshooting Device Customization Code Promotion
            Custom Files Are Not Imported
        Troubleshooting the Device Fingerprint Rule
          Enabling the Debug Option for the Device Fingerprint Rule
          Using Logs to Understand How the Device Fingerprint Rule Is Evaluated
            A Fingerprint Does Not Exist
            Fingerprint Matches
            Fingerprint Does Not Match
            When Fingerprint Matches though Some Parameters in the Group Do Not Match
            When Fingerprint Does Not Match as the Evaluation of Group Parameters Fails
        Troubleshooting Advanced Session Assurance
          Troubleshooting Using the Log Files
            Using Logs
            Using debug Logs
          Important Error Messages
            Cookie mismatch. The session might have been hijacked. Logging out session <sessionID>
            Nonce has been used already. Possible replay attack. Logging out the session <sessionID>
            Fingerprint evaluation failed. The session might have been hijacked. Logging out the session <sessionID>
          Checking Session Assurance Configuration Details
          The Advanced Session Assurance Page Does Not Display the Access Gateway Cluster
        Troubleshooting XML Validation Errors on Access Gateway Appliance
          Modifying a Configuration That References a Removed Object
          Configuration UI Writes Incorrect Information to the Local Configuration Store
        Troubleshooting OAuth and OpenID Connect
          The Token Endpoint Returns an Invalid Code Error Message
          OAuth Tokens Are in Binary Format Instead of JWT Format
          Users Cannot Register a Client Application
          Token Exchanges Show Redirect URI Invalid Error
          Users Cannot Register or Modify a Client Application with Specific Options
          A Specific Claim Does Not Come to the UserInfo Endpoint during Claims Request
          Access Gateway OAuth Fails
          After Allowing Consent, 500 Internal Server Error Occurs
          The Access Token Does Not Get Exchanged with Authorization Code When Using a Multi-Node Identity Server Cluster
          No Error Message When a Token Request Contains Repetitive Parameters
          OAuth Token Encryption/Signing Key Is Compromised or Corrupted
          Tracing OAuth Requests
          OAuth Client Registration Fails If a Role Policy Contains a Condition Other than LDAP Attribute, LDAP Group, or LDAP OU
          The Identity Injection Policy Does Not Inject Passwords
          OAuth Apps Fail After Upgrading Access Manager
          Authorization Server Responds with the Service Unavailable Message for a Revocation Request
          Unable to Delete Scopes That Contain Special Characters
          OAuth Client Application Returns an Error Message
        Troubleshooting User Attribute Retrieval and Transformation
          No Value Is Fetched from Attribute Source in Identity Server
          Error Message While Testing a Database Connection
          Regex Replace Error Message
        Troubleshooting Impersonation
          Internet Explorer Caching Error
        Troubleshooting Branding
          Changes to Branding Do Not Appear in Administration Console
        Troubleshooting Licensing
          Access Manager Continues to Display the Old License Although a New License is Applied
        Using Log Files for Troubleshooting
          Sample Authentication Traces
            Direct Authentication Request to Identity Server
            Protected Resource Authentication Trace
              Entries from an Identity Server Log
              Entries from an Access Gateway Log
              Correlating the Log Entries between Identity Server and Access Gateway
          Understanding Policy Evaluation Traces
            Format
              Rule List Evaluation Result
              Rule Evaluation Result
              Condition Set Evaluation Result
              Condition Evaluation Result
              Policy Action Initiation
              Policy Action Completion
            Policy Result Values
            Role Assignment Traces
              When the User Is Assigned Roles
              When the Role Policy Is Not Enabled
              When an Authorization Policy Uses a Role
            Identity Injection Traces
              When the User Has Authenticated
              When the User Has Not Authenticated
            Authorization Traces
              When the Protected Resource Requires Authentication
              When the Protected Resource Does Not Require Authentication
            Form Fill Traces
              Enabling Form Fill Logging
              Sample Form and Policy Used for the Trace
              Embedded Service Provider Trace
              Proxy Service Trace
          Adding Hashed Cookies into Browsers
            Adding Hashed Identity Server Cookies into Browsers
            Adding Hashed Access Gateway Cookies into Browsers
            Adding Hashed ESP Cookies into Browsers
        Access Manager Audit Events and Data
        Event Codes
        Troubleshooting Social Authentication
          Cases of Alphabets in Consumer Key Fails to Update
        Troubleshooting Issuing of PRT Tokens
      Access Manager Audit Events and Data
        JavaScript Object Notation (JSON) Event Format
        NIDS: Sent a Federate Request (002e0001)
        NIDS: Received a Federate Request (002e0002)
        NIDS: Sent a Defederate Request (002e0003)
        NIDS: Received a Defederate Request (002e0004)
        NIDS: Sent a Register Name Request (002e0005)
        NIDS: Received a Register Name Request (002e0006)
        NIDS: Logged Out an Authentication that Was Provided to a Remote Consumer (002e0007)
        NIDS: Logged out a Local Authentication (002e0008)
        NIDS: Provided an Authentication to a Remote Consumer (002e0009)
        NIDS: User Session Was Authenticated (002e000a)
        NIDS: Failed to Provide an Authentication to a Remote Consumer (002e000b)
        NIDS: User Session Authentication Failed (002e000c)
        NIDS: Received an Attribute Query Request (002e000d)
        NIDS: User Account Provisioned (002e000e)
        NIDS: Failed to Provision a User Account (002e000f)
        NIDS: Web Service Query (002e0010)
        NIDS: Web Service Modify (002e0011)
        NIDS: Connection to User Store Replica Lost (002e0012)
        NIDS: Connection to User Store Replica Reestablished (002e0013)
        NIDS: Server Started (002e0014)
        NIDS: Server Stopped (002e0015)
        NIDS: Server Refreshed (002e0016)
        NIDS: Intruder Lockout (002e0017)
        NIDS: Severe Component Log Entry (002e0018)
        NIDS: Warning Component Log Entry (002e0019)
        NIDS: Failed to Broker an Authentication from Identity Provider to Service Provider as Identity Provider and Service Provider Are not in Same Group (002E001A)
        NIDS: Failed to Broker an Authentication from Identity Provider to Service Provider Because a Policy Evaluated to Deny (002E001B)
        NIDS: Brokered an Authentication from Identity Provider to Service Provider (002E001C)
        NIDS: Web service Request was authenticated (002e001D)
        NIDS: Web service Request for authentication Failed (002e001E)
        NIDS: OAuth2 Authorization code issued (002e0028)
        NIDS: OAuth2 token issued (002e0029)
        NIDS: OAuth2 Authorization code issue failed (002e0030)
        NIDS: OpenID token issued (002e0031)
        NIDS: OAuth2 refresh token issued (002e0032)
        NIDS: OAuth2 token issue failed (002e0033)
        NIDS: OpenID token issue failed (002e0034)
        NIDS: OAuth2 refresh token issue failed (002e0035)
        NIDS: OAuth2 client has been registered successfully (002e0036)
        NIDS: OAuth2 client has been modified successfully (002e0037)
        NIDS: OAuth2 client has been deleted successfully (002e0038)
        NIDS: OAuth2 user has provided consent (002e0039)
        NIDS: OAuth2 user has revoked consent (002e0040)
        NIDS: OAuth2 token validation success (002e0041)
        NIDS: OAuth2 token validation failed (002e0042)
        NIDS: OAuth2 client registration failed (002e0043)
        NIDS: OAuth2 refresh token revoked success (002e0055)
        NIDS: OAuth2 refresh token revocation failed (002e0056)
        NIDS: OAuth2 Authorization none issued (002e0057)
        NIDS: OAuth2 OIDC Front-Channel Logout Success (002e0058)
        NIDS: OAuth2 AA Authorization Code Exchange (002e0071)
        NIDS: OAuth2 AA Access Token Exchange (002e0072)
        NIDS: Step-up authentication (002e0719)
        NIDS: Roles PEP Configured (002e0300)
        NIDS: Risk-Based Authentication Action for User (002e0045)
        NIDS: Risk-Based Authentication Action for User (002e0046)
        NIDS: Risk-Based Authentication Action for User (002e0047)
        NIDS: Token was Issued to Web Service (002E001F)
        NIDS: Issued a Federation Assertion (002E0102)
        NIDS: Received a Federation Assertion (002E0103)
        NIDS: Assertion Information (002E0104)
        NIDS: Sent a Federation Request (002E0105)
        Access Gateway: PEP Configured (002e0301)
        Roles Assignment Policy Evaluation (002e0320)
        Access Gateway: Authorization Policy Evaluation (002e0321)
        Access Gateway: Form Fill Policy Evaluation (002e0322)
        Access Gateway: Identity Injection Policy Evaluation (002e0323)
        Access Gateway: Access Denied (0x002e0505)
        Access Gateway: URL Not Found (0x002e0508)
        Access Gateway: System Started (0x002e0509)
        Access Gateway: System Shutdown (0x002e050a)
        Access Gateway: Identity Injection Parameters (0x002e050c)
        Access Gateway: Identity Injection Failed (0x002e050d)
        Access Gateway: Form Fill Authentication (0x002e050e)
        Access Gateway: Form Fill Authentication Failed (0x002e050f)
        Access Gateway: URL Accessed (0x002e0512)
        Access Gateway: IP Access Attempted (0x002e0513)
        Access Gateway: Webserver Down (0x002e0515)
        Access Gateway: All WebServers for a Service is Down (0x002e0516)
        Access Gateway: Application Accessed (002E0514)
        Access Gateway: Session Created (002E0525)
        Management Communication Channel: Health Change (0x002e0601)
        Management Communication Channel: Device Imported (0x002e0602)
        Management Communication Channel: Device Deleted (0x002e0603)
        Management Communication Channel: Device Configuration Changed (0x002e0604)
        Management Communication Channel: Device Alert (0x002e0605)
        Management Communication Channel: Statistics (002e0606)
        Risk-Based Authentication Successful (002e0025)
        Risk-Based Authentication Failed (002e0026)
        Risk-Based Authentication for User (002e0027)
        Impersonation Sign in (002E0048)
        Impersonation: Impersonator Logs Out (002E0049)
        Impersonation: Session Started (002E0050)
        Impersonation: Impersonatee Denies (002E0051)
        Impersonation: Impersonatee Approves (002E0052)
        Impersonation: Impersonator Cancels (002E0053)
        Impersonation: Authorization Policy Fails (002E0054)
      Event Codes
        Administration Console (009)
        Identity Server (001)
        Linux Access Gateway Appliance (045)
        Access Gateway Service (046)
        Server Communications (JCC) (007)
        Policy Engine (008)
        SOAP Policy Enforcement Point (011)
        Backup and Restore (010)
        Modular Authentication Class (012)
    Appendix
      What Is Federated Authentication
        Understanding a Simple Federation Scenario
        Configuring Federation
          Prerequisites for Configuring Federation
          Establishing Trust between Providers
            Configuring Site A to Trust Site B as a Service Provider
            Configuring Site B to Trust Site A as an Identity Provider
            Verifying the Trust Relationship
            Configuring User Authentication
          Configuring SAML 1.1 for Account Federation
            Configuring User Account Matching
            Configuring the Default Contract for Single Sign-On
            Verifying the Trust Relationship with SAML 1.1
        Sharing Roles
          Configuring Role Sharing
            Defining a Shared Attribute Set
            Obtaining the Role Assignments
            Configuring Policies to Process Received Roles
          Verifying the Configuration
        Setting Up Federation with Third-Party Providers
      Understanding Liberty
      Data Model Extension XML
        Elements
        Writing Data Model Extension XML
      SOAP versus REST API
      OAuth versus Other Protocols
      OAuth Concepts
        OAuth Terminology
        Why OpenID Connect
        OAuth Authorization Grant
          Authorization Code Grant (Web Server)
          Implicit Grant
          Resource Owner Credential Grant
          Client Credential Grant
          Security Assertion Markup Language (SAML) 2.0 Bearer Grant
        Authentication Flows
          Authentication by Using the Authorization Code Flow
          Authentication by Using the Implicit Flow
          Authentication by Using Hybrid Flow
        End User Operations
          User Authorization
          Revoking Authorizations
      Access Manager Reports Samples
        Application Access Summary Report
        User Application Access Summary Report
        Application Specific User Access Report
        Federation Summary Report
        User Login Contract Summary Report
        User Login Failure Report
        Application Specific Risk based Authentication Report
    Legal Notice