6.0 SAML/Account Management Connectors

The Application Connector Catalog includes a specialized set of connectors called Account Management Connectors. In addition to simplifying Access Manager configuration, these connectors can also configure SaaS Account Manager (SAM) in Access Manager to automatically provision user accounts at the corresponding SaaS providers. SAM can provision, update, and deprovision accounts for connected applications based on changes made in your user store.

Each SAML/Account Management connector requires configuration at the SaaS provider. Detailed instructions are available when you configure the application in Access Manager Administration Console.

When you save your application configuration, SAM starts provisioning users from the specified LDAP user stores that are members of the filtered groups to the SaaS provider. Depending on the number of users and groups in your user stores, the operation time varies.

To see the list of all SAML/Account Management connectors that Access Manager provides, see Application Connector Catalog > Account Management.

NOTE: SAM supports only SAML 2.0 applications.

Prerequisite

To provision SAML accounts by using SAM, you must first deploy the SAM appliance and configure the appropriate SAML/Account Management connector for the SAML application.

For more information about deploying the SAM appliance and SAML/Account Management connectors, see NetIQ SaaS Account Management 1.0 Installation Guide and NetIQ SaaS Account Management 1.0 Connectors Guide.

You do not need to perform any action in Access Manager. Installing and configuring SAM automatically configures the SAM-NAM integration.

Perform the following steps in Access Manager to configure a new SAML/Account Management connector:

  1. On Dashboard, under Administrative Tasks, click Applications.

  2. Select the Identity Server cluster that will use the application.

  3. Click the plus sign + and then perform one of the following actions:

    • Click Add Application from Catalog, click the filter icon, select Account Management, and then search for the connector that you want to configure.

      For more information, see Section 2.0, Application Connector Catalog.

    • Click Import Application from File and select the file.

  4. (Optional) Review the name of the application and specify additional appmarks if needed.

  5. Review and configure other sections: Application Connector Setup, Attributes, Access and Roles, and System Setup.

  6. Expand the Account Management section and select Enable Account Management.

  7. Click Setup Instructions and follow the help for configuring the service account and completing other steps at the SAML application site.

  8. Provide the required information, such as credentials for the service account and other details, for the SaaS application. This information varies depending on the connector.

  9. Under LDAP User Store Configuration, specify the user store information:

    User Store: Select the user store that you want SAM to use for provisioning users to SaaS applications.

    Polling Interval: Specify how often SAM checks your LDAP user store for changes.

    LDAP Groups and Authorizations: Select the LDAP groups containing users that might be provisioned to SaaS applications.

    You can map authorizations returned by the SaaS application, such as licenses, service plans, roles, and groups, to the local LDAP groups in the Access Manager user stores. While provisioning qualified users from the LDAP user stores to a SaaS application, SAM creates these users with the authorizations as mapped in the LDAP Groups and Authorizations page. Click the LDAP Groups and Authorizations icon to perform the following actions:

    • Add, view, or remove the selected groups.

    • Manage authorizations for the selected groups.

    NOTE: The LDAP Groups and Authorizations page does not work in Microsoft Internet Explorer or Microsoft Edge 18 or earlier. Consider upgrading to the new Chromium-based Edge (which provides backward compatibility with IE 11) or using another browser, such as Chrome or Firefox.

    (Conditional) If you want to add more than one user store, click the plus (+) icon next to the heading and provide the same information for the additional user store. Repeat this step to add multiple user stores.

  10. Click Save.

After you save your application configuration, SAM begins provisioning users from the specified LDAP user stores that are members of the filtered groups to the SaaS service provider.
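As an added illustration of the provisioning behaviour described above (example code, not NetIQ's or SAM's own implementation), the following Python models one polling-interval pass: users who are members of a selected LDAP group are provisioned or updated with the authorizations mapped to those groups, and SaaS accounts whose user left every selected group or was removed from the user store are deprovisioned. The users, group DNs and authorization labels are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample data, not from any real deployment.
SELECTED_GROUPS = {"cn=sales,o=example", "cn=support,o=example"}
GROUP_TO_AUTHS = {                       # LDAP group -> mapped SaaS authorizations
    "cn=sales,o=example": {"license:E3", "role:seller"},
    "cn=support,o=example": {"license:E1"},
}
LDAP_SNAPSHOT = {                        # user -> LDAP groups seen in this poll
    "alice": {"cn=sales,o=example"},                          # new hire
    "bob": {"cn=sales,o=example", "cn=support,o=example"},    # added to support
    "carol": {"cn=eng,o=example"},                            # left support
}
SAAS_ACCOUNTS = {                        # user -> authorizations held at the SaaS
    "bob": frozenset({"license:E3", "role:seller"}),
    "carol": frozenset({"license:E1"}),
    "dave": frozenset({"license:E1"}),                        # deleted from LDAP
}

@dataclass(frozen=True)
class Action:
    kind: str                            # "provision", "update" or "deprovision"
    user: str
    authorizations: frozenset = field(default_factory=frozenset)

def reconcile(ldap_users, saas_accounts, selected_groups, group_to_auths):
    """Diff LDAP state against SaaS accounts and return the actions to apply.

    A user qualifies only via membership in a selected group and gets the union
    of the authorizations mapped to those groups; every other SaaS account goes.
    """
    desired = {}
    for user, groups in ldap_users.items():
        member_of = groups & selected_groups
        if member_of:
            desired[user] = frozenset(a for g in member_of for a in group_to_auths.get(g, ()))
    actions = []
    for user, auths in sorted(desired.items()):
        if user not in saas_accounts:
            actions.append(Action("provision", user, auths))
        elif saas_accounts[user] != auths:
            actions.append(Action("update", user, auths))
    for user in sorted(set(saas_accounts) - set(desired)):   # left groups or deleted
        actions.append(Action("deprovision", user))
    return actions

def run_poll():
    """One polling-interval pass over the constructed sample data."""
    return reconcile(LDAP_SNAPSHOT, SAAS_ACCOUNTS, SELECTED_GROUPS, GROUP_TO_AUTHS)
```

Running run_poll() yields a provision for alice, an update for bob that adds license:E1, and deprovision actions for carol and dave; a real deployment would apply each action through the connector's service account.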