10.3 Using SAML Authentications from OpenText Access Manager to Provide Single Sign-On to OpenText Identity Governance through the OSP

If you are using OSP with OpenText Identity Governance and you have OpenText Access Manager installed and configured to provide SAML authentications to other applications, you can allow the SAML authentications from OpenText Access Manager to provide single sign-on through OSP to OpenText Identity Governance.

  1. Obtain the SAML 2.0 metadata from the OpenText Access Manager server by accessing the following default URL:

    https://identity-server-dns-name:port/nidp/saml2/metadata

  2. Configure the SAML 2.0 settings on the OSP server.

    1. Ensure that Apache Tomcat is running on the OSP server.

    2. Launch the OpenText Identity Governance Configuration Update utility from the OSP server. For more information, see Section 15.1.5, Using the OpenText Identity Governance Configuration Update Utility.

    3. Click the Authentication tab.

    4. Click Show Advanced Options.

    5. Under Authentication Method > Method select SAML 2.0.

    6. Use the following information to configure OSP to use SAML 2.0:

      Mapping Attribute

      Specify the attribute that OSP uses to map user accounts to their OpenText Access Manager accounts. The default value is mail.

      Landing Page

      Select whether the landing page for your users is internal or external, or whether there is no landing page. The default value is None.

      Metadata source

      Select URL to use the OpenText Access Manager metadata.

      Metadata URL

      Specify the OpenText Access Manager metadata URL in this field.

      https://identity-server-dns-name:port/nidp/saml2/metadata

      Load on save

      Select this option to load the metadata.

      Configure OpenText Access Manager on exit

      Select this option to automatically configure OpenText Access Manager when you exit the OpenText Identity Governance Configuration Update utility.

    7. Under the OpenText Identity Governance Bootstrap Administrator heading, ensure that you are using an LDAP-based bootstrap administrator account. For more information, see Section 4.1.1, Using the Bootstrap Administrator.

    8. Click OK to save the changes.

    9. Click Yes to accept the certificate.

    10. When the OpenText Access Manager Auto-Configuration appears, restart Apache Tomcat on the OSP server. For more information, see Section 3.5.3, Starting and Stopping Apache Tomcat.

  3. Automatically configure the SAML 2.0 settings in OpenText Access Manager for OSP.

    1. Access the Administration Console for OpenText Access Manager using the full DNS name. For example:

      https://mybusiness.com:8443

    2. In OpenText Access Manager Administrator Credentials, specify the user name and password of the OpenText Access Manager administrator in LDAP format. For example, cn=admin,o=mybusiness.

    3. Ensure that the Unique Display Name is automatically created as IDM-NAM Trust.

    4. In Authentication Server Administrator Credentials, specify the user name and password of the OpenText Identity Governance configuration administrator.

    5. Click OK to save the configuration information.

    6. In the pop-up window, click Yes to update the OpenText Access Manager configuration.

    7. Read the OpenText Access Manager SAML 2 configuration summary when it appears, then click OK.

  4. Restart Apache Tomcat on the OSP server. For more information, see Section 3.5.3, Starting and Stopping Apache Tomcat.

  5. (Conditional) If you configured OSP to use multiple keypairs, you might have to import the OSP encryption certificate into the NIDP Trust Store in OpenText Access Manager.

    1. Obtain a copy of the OSP encryption certificate from:

      https://osp-server:port/osp/s/idm/encryptionCertificate

    2. Add the encryption certificate to the NIDP Trust Store in OpenText Access Manager. For more information, see Managing Trusted Roots and Trust Stores in the NetIQ Access Manager 5.0 Administration Guide.