4.2 Implementing Credential Provisioning Policies with Novell SecureLogin

The implementation of Credential Provisioning policies with SecureLogin is very customizable. The steps to implement it are different depending upon the platforms SecureLogin is installed on, the applications that are provisioned, and which Identity Manager drivers are involved.

To implement Credential Provisioning policies with SecureLogin, see the following topics:

4.2.1 Meeting Requirements for Credential Provisioning Policies with Novell SecureLogin

In order to use Credential Provisioning Policies with SecureLogin, the following must be in place:

  • Identity Manager 3.0.1

  • Supported on eDirectory™ 8.7x and eDirectory 8.8.1 or above; eDirectory 8.8 is not supported.

  • Verify that jsso.jar, idmcp.jar, and jnet.jar are in the standard location for Identity Manager Java libraries.

  • Novell SecureLogin 6.0 or above

After you have verified that your environment meets the requirements, proceed to Section 4.2.2, Extending LDAP Schema for Novell SecureLogin.

4.2.2 Extending LDAP Schema for Novell SecureLogin

When SecureLogin is deployed on eDirectory servers, a tool called ndsschema.exe is utilized to extend the eDirectory schema with a set of SecureLogin attributes that are used to store encrypted credentials, policies, etc. on Users and container objects. These attributes are:

  • Prot:SSO Auth

  • Prot:SSO Entry

  • Prot:SSO Entry Checksum

  • Prot:SSO Profile

  • Prot:SSO Security Prefs

  • Prot:SSO Security Prefs Checksum

These attributes are specific to eDirectory and are required in order for the SecureLogin product to function. The provisioning API provided in Identity Manager 3.0 Support Pack 1 utilizes the LDAP namespace to perform its functions so that it can work with any SecureLogin credential store. In order to provide LDAP mappings to the attributes listed above, a second tool provided with the SecureLogin product must be utilized. The tool name is ldapschema.exe, and it is used in eDirectory environments to provide the LDAP namespace mapping to the eDirectory attributes.

After running ldapschema.exe, verify the mappings by checking the LDAP Group attribute map in iManager.

  1. In iManager, click LDAP > LDAP Options.

  2. Select the LDAP Group associated with your eDirectory servers that host SecureLogin.

  3. From the LDAP Group properties page, select the Attribute Map option and verify the attributes above are mapped to the following Primary LDAP Attributes:

    • protocom-SSO-Auth-Data

    • protocom-SSO-Entries

    • protocom-SSO-Entries-Checksum

    • protocom-SSO-Profile

    • protocom-SSO-Security-Prefs

    • protocom-SSO-Security-Prefs-Checksum

After the schema is extended, proceed to Section 4.2.3, Determining Deployment Configuration Parameters for Novell SecureLogin.

4.2.3 Determining Deployment Configuration Parameters for Novell SecureLogin

In order to provide the synchronization functionality described in the deployment scenario illustrated in Figure 4-1, the first step is to gather all of the business process information related to the Identity Manager and SecureLogin environments. You can print Table 4-1, Credential Provisioning Policies Worksheet for SecureLogin, and use it as a worksheet to record the information.

Table 4-1 Credential Provisioning Policies Worksheet for SecureLogin

Configuration Information Needed / Information

  1) Which applications will be configured for SecureLogin Single Sign-On provisioning?
     Information: ________

  2) Verify that SecureLogin application definitions are preconfigured on the authentication server and are inheritable by new users provisioned to those systems.
     Information: ________

  3) The DNS name or IP address of the SecureLogin repository server.
     Information: ________

  4) The SSL LDAP port for the SecureLogin repository server.
     Information: ________

  5) The fully qualified LDAP distinguished name of the administrator for the SecureLogin repository server.
     Information: ________

  6) The password of the administrator for the SecureLogin repository server.
     Information: ________

  7) The full path and the name of the SSL certificate exported from the SecureLogin server. The certificate must be local to the Identity Manager server.
     Information: ________

  8) Determine if one SecureLogin repository will be used by multiple drivers or if each driver will use a separate repository.
     Information: ________

  9) The application ID for each SecureLogin application.
     Information: ________

  10) Find all required authentication keys for each application, such as Username, Password, Client, and Language. They might be different for each application.
     Information: ________

  11) Determine if any of the authentication key values can be set with a static value.
     Information: ________

  12) For non-static values that are or can be different for each user, make a note of the source of the non-static information (event information or Identity Vault attribute values).
     Information: ________

  13) If you are implementing SecureLogin provisioning on a driver that is also synchronizing a password to the target application, determine if the SecureLogin provisioning takes place before or after the password is set in the target application server.
     Information: ________

  14) The name of the Driver object where the repository and application objects are to be stored. (Can be different drivers.)
     Information: ________

  15) Determine the DN of the User objects for the target application.
     Information: ________

  16) If you are implementing a SecureLogin passphrase, determine the passphrase question and answer.
     Information: Question: ________ Answer: ________

Example Provisioning Configuration Data

Using the provisioning scenario, the following example data provisions a user’s SecureLogin credentials for the SAP Finance server for users in the Finance Active Directory authentication tree:

Table 4-2 Example Credential Provisioning Policies Worksheet for SecureLogin

Configuration Information Needed / Information

  1) Which applications will be configured for SecureLogin Single Sign-On provisioning?
     Information: SAP Finance Application

  2) Verify that SecureLogin application definitions are preconfigured on the authentication server and are inheritable by new users provisioned to those systems.
     Information: Verified

  3) The DNS name or IP address of the SecureLogin repository server.
     Information: 151.150.191.5

  4) The SSL LDAP port for the SecureLogin repository server.
     Information: 636

  5) The fully qualified LDAP distinguished name of the administrator for the SecureLogin repository server.
     Information: cn=admin,ou=prod,dc=testco,dc=com

  6) The password of the administrator for the SecureLogin repository server.
     Information: dixml

  7) The full path and the name of the SSL certificate exported from the SecureLogin server. The certificate must be local to the Identity Manager server.
     Information: c:\novell\nds\FinanceAD.cer

  8) Determine if one SecureLogin repository will be used by multiple drivers or if each driver will use a separate repository.
     Information: For this example, there is only one repository.

  9) The application ID for each SecureLogin application.
     Information: SAP - 151.150.191.27

  10) Find all required authentication keys for each application, such as Username, Password, Client, and Language. They might be different for each application.
     Information:
       • SAP Client 010 Login Parameter Client
       • SAP Client 010 Login Parameter Language
       • SAP Client 010 Login Parameter Username
       • SAP Client 010 Login Parameter Password

  11) Determine if any of the authentication key values can be set with a static value.
     Information:
       • SAP Client 010 Login Parameter Client: “010”
       • SAP Client 010 Login Parameter Language: “EN”

  12) For non-static values that are or can be different for each user, make a note of the source of the non-static information (event information or Identity Vault attribute values).
     Information:
       • SAP Client 010 Login Parameter Username: Identity Vault attribute “sapUsername”
       • SAP Client 010 Login Parameter Password: Event <password>

  13) If you are implementing SecureLogin provisioning on a driver that is also synchronizing a password to the target application, determine if the SecureLogin provisioning takes place before or after the password is set in the target application server.
     Information: After

  14) The name of the Driver object where the repository and application objects are to be stored. (Can be different drivers.)
     Information: SAP driver

  15) Determine the DN of the User objects for the target application.
     Information: Identity Vault attribute “DirXML-ADContext”

  16) If you are going to provision the SecureLogin passphrase, determine the passphrase question and answer.
     Information:
       Question: “Employee code?”
       Answer: Identity Vault attribute “workforceID”

Miscellaneous Environment Information:

  • The Finance department AD tree serves as the SecureLogin repository for all Finance applications.

  • All finance department provisioning drivers are in a driver set called Finance Drivers.

  • The SAP user account must be deleted and the SecureLogin credentials for the SAP user account must be removed from the Active Directory user when the Identity Vault attribute “employeeStatus” is set to the value “I”.

After all of the configuration data has been determined, proceed to Section 4.2.4, Creating a Repository Object for Novell SecureLogin.

4.2.4 Creating a Repository Object for Novell SecureLogin

Repository objects store static configuration information for SecureLogin. Repository information is independent from the applications that consume the application credentials, so it applies to all provisioning events regardless of the connected system (for example SAP, PeopleSoft, Notes, etc.). The repository object can be created in Designer or iManager.

Creating a Repository Object for Novell SecureLogin in Designer

The following is one of many methods you can use to create the repository object in Designer.

  1. Right-click the driver object where you want to store the repository object in the outline view.

  2. Click Credential Provisioning > New Repository Object.

  3. Specify a name for the repository object.

  4. Select NSLRepository.xml to use the SecureLogin template.

  5. Click OK.

  6. Double-click the repository object in the outline view to add configuration information.

  7. Click Yes to save the new repository object.

  8. Specify the DNS name or IP address of the SecureLogin server. See worksheet item 3).

  9. Specify the SSL port for the SecureLogin server. See worksheet item 4).

  10. Specify the full path to the SSL certificate exported from the SecureLogin server. The path must include the certificate name and must be local to the Identity Manager server. See worksheet item 7).

    The SecureLogin server can run on multiple platform types. Refer to the platform-specific documentation for information on how to export the SSL certificates.

  11. Specify the fully qualified LDAP distinguished name of the SecureLogin administrator. See worksheet item 5).

  12. Click Set password.

  13. Specify the SecureLogin administrator’s password twice, then click OK. See worksheet item 6).

  14. Review the information, then click the Save icon to save the information.

  15. (Optional) If you want to create other configuration parameters for the repository object, click the Add new item icon.

    1. Specify a name for the parameter.

    2. Specify a display name for the parameter.

    3. Specify a description for the parameter for your reference.

      The parameter is stored as a string.

    4. Click OK.

    5. Click the Save icon to save the repository object.

After the repository object is created, proceed to Creating an Application Object for Novell SecureLogin.

Creating a Repository Object for Novell SecureLogin in iManager

  1. In iManager, select Credential Provisioning > Configuration.

  2. Browse to and select the Driver object where the repository object will be stored, then click OK.

  3. Click New to create a repository.

  4. Specify a name for the repository object, then select NSLRepository.xml to use the SecureLogin template to create a repository.

  5. Click OK.

  6. Specify the DNS name or IP address of the SecureLogin server. See worksheet item 3).

  7. Specify the SSL port for the SecureLogin server. See worksheet item 4).

  8. Specify the full path to the SSL certificate exported from the SecureLogin server. The path must include the certificate name and must be local to the Identity Manager server. See worksheet item 7).

    The SecureLogin server can run on multiple platform types. Refer to the platform-specific documentation for the steps on how to export the SSL certificate.

  9. Specify the fully qualified LDAP distinguished name of the SecureLogin administrator. See worksheet item 5).

  10. Click Set password.

  11. Specify the SecureLogin administrator’s password twice, then click OK. See worksheet item 6).

  12. Review the values specified, then click OK.

  13. (Optional) If you need to create other configuration parameters for the repository, click New.

    1. Specify a name for the parameter.

    2. Specify a display name for the parameter.

    3. Specify a description of the parameter for your reference.

      The parameter is stored as a string.

    4. Click OK.

After the repository object is created, proceed to Creating an Application Object for Novell SecureLogin in iManager.

4.2.5 Creating an Application Object for Novell SecureLogin

Application objects store application authentication parameter values for SecureLogin. Application information is specific to the applications that are consuming the application credential (for example, GroupWise® client information or SAP database client information). The application objects can be created in Designer or iManager.

Creating an Application Object for Novell SecureLogin in Designer

The following is one of many methods you can use to create the application object in Designer.

  1. In the outline view, right-click the driver object where you want to store the application object.

  2. Click Credential Provisioning > New Application Object.

  3. Specify a name for the application object.

  4. Select NSLApplication.xml to use the SecureLogin template.

  5. Click OK.

  6. Double-click the application object in the outline view to add configuration information.

  7. Click Yes to save the new application object.

  8. Specify the SecureLogin Application ID. See worksheet item 9).

    To find the application ID in SecureLogin, click My Logins. The application ID is stored in the Id field.

  9. Click the Save icon to save the application.

  10. Click the Add new item icon to add the authentication keys required for the application.

    1. Specify a name for the authentication key.

    2. Specify a display name for the authentication key.

    3. Specify a description of the authentication key for your reference.

      The authentication key is stored as a string.

    4. Click OK.

    5. Repeat Step 10 for each new authentication key that needs to be entered.

      To find the authentication key for your application, manually create a SecureLogin credential for a user in the application and have the user log in. After the user has logged in, the authentication key information is displayed under My Logins in the SecureLogin administration window.

  11. Specify the authentication key value if it is a static value that is shared by all user credentials.

  12. Click the Save icon to save the application.

After the application object is created, proceed to Configuring Credential Provisioning Policies for Novell SecureLogin.

Creating an Application Object for Novell SecureLogin in iManager

  1. In iManager, select Credential Provisioning > Configuration.

  2. Browse to and select the Driver object where the application object will be stored, then click OK.

  3. Select the Applications tab, then click New.

  4. Specify a name for the application object.

  5. Select NSLApplication.xml to use the SecureLogin template to create an application.

  6. Click OK.

  7. Specify the SecureLogin Application ID. See worksheet item 9).

    To find the application ID in SecureLogin, click My Logins. The application ID is stored in the Id field.

  8. Click New to create an authentication key parameter. See worksheet item 10).

    1. Specify a name for the authentication key.

    2. Specify a display name for the authentication key.

    3. Specify a description of the authentication key for your reference.

      The authentication key is stored as a string.

      To find the authentication key for your application, manually create a SecureLogin credential for a user in the application and have the user log in. After the user has logged in, the authentication key information is displayed under My Logins in the SecureLogin administration window.

    4. Click OK.

    5. Specify the value of the authentication key, if it is static, then click OK.

After the application object is created, proceed to Configuring Credential Provisioning Policies for Novell SecureLogin.

4.2.6 Configuring Credential Provisioning Policies for Novell SecureLogin

After the repository and application objects are created, policies need to be created to provision SecureLogin information. The policies use the information stored in the repository and application objects. There are three actions in the Policy Builder that allow the provisioning of SecureLogin credentials:

Clear SSO Credential

The clear SSO credential action allows you to clear the SSO credential, so objects can be deprovisioned.

Figure 4-2 Clear SSO Credential

  • Enter Credential Store Object DN: Browse to and select the repository object.

  • Enter Target User DN: Create the DN of the target users by using the Argument Builder. See worksheet item 15).

  • Enter Application Credential ID: Specify the application ID. See worksheet item 9).

  • Enter Login Parameter Strings: Launch the String Builder and enter each authentication key for the application. See worksheet item 10).

Set SSO Credential

The set SSO credential action allows you to set the SSO credential when a user object is created or when a password is modified.

Figure 4-3 Set SSO Credential

  • Enter Credential Store Object DN: Browse to and select the repository object.

  • Enter Target User DN: Create the DN of the target users by using the Argument Builder. See worksheet item 15).

  • Enter Application Credential ID: Specify the application ID. See worksheet item 9).

  • Enter Login Parameter Strings: Launch the String Builder and enter each authentication key for the application. See worksheet item 10).

Set SSO Passphrase

The set SSO passphrase action allows you to create a SecureLogin passphrase and answer for a user object when it is provisioned.

Figure 4-4 Set SSO Passphrase

  • Enter Credential Store Object DN: Browse to and select the repository object.

  • Enter Target User DN: Create the DN of the target users by using the Argument Builder. See worksheet item 15).

  • Enter Question and Answer Strings: Launch the String Builder and enter the passphrase question and answer. See worksheet item 16).

Example Credential Provisioning Policies

The provisioning policies can be implemented and customized to meet the needs of your environment. The following example explains how to implement the policies for the scenario presented in Figure 4-1.

In the Finance scenario, SecureLogin provisioning occurs after a password is successfully set in SAP. Most of the necessary parameters are statically configured and available to all policies through the repository and application objects. However, the provisioning that uses the non-static data parameters (sapUsername, password, DirXML-ADContext, and workforceID) can only run after the SAP User Management driver <add> or <modify-password> command completes and the <output> status document is returned from the SAP User Management driver shim. By then the <output> document no longer contains any of the Subscriber channel operation attributes, and the user context of the command is lost, so the object can no longer be queried. It is therefore necessary to do the following:

  • Make sure the SAP User driver’s Subscriber Create policy enforces the presence of the non-static data parameters.

  • Cache the non-static parameters required for the provisioning operation prior to issuing the Subscriber command to the SAP User driver shim.

  • Retrieve cached data for use in SecureLogin provisioning after the command completes successfully.

NOTE: Sample policies are available in XML format on the Identity Manager 3.0 Support Pack 1 media. The filenames are SampleInputTransform.xml, SampleSubCommandTransform.xml, and SampleSubEventTransform.xml. The files are found in the following directories, depending upon the platform:

  • linux\setup\utilities\cred_prov

  • nt\dirxml\utilities\cred_prov

  • nw\dirxml\utilities\cred_prov

The files are installed to the Identity Manager server, if Credential Provisioning Sample Policies is selected during the installation of the utilities. The sample policies are installed to the following locations, depending upon the platform:

  • Windows: C:\Novell\NDS\DirXMLUtilities (default; the user can change it during install)

  • NetWare®: SYS:\System\DirXmlUtilities

  • Linux (eDir 8.7): /usr/lib/dirxml/rules/credprov

  • Linux (eDir 8.8.1): /opt/novell/eDirectory/lib/dirxml/rules/credprov (default; the user can change it during the install)

The sample policies provide a starting point to develop a policy that works for your environment.

Operation Data Caching

The mechanism that is available for required operation data caching is the <operation-data> element. Because you might need to provision the SecureLogin account from either an <add> or <modify-password> command, a logical place to implement the non-static data caching policy is in the Subscriber Command Transformation policy. The following example shows a typical SecureLogin Provisioning <operation-data> element:

<operation-data>
  <nsl-sync-data>
    <nsl-target-user-dn>cn=GLCANYON,ou=finance,dc=prod,dc=testco,dc=com</nsl-target-user-dn>
    <nsl-app-username>GCANYON</nsl-app-username>
    <password><!-- content suppressed --></password>
    <nsl-passphrase-answer>50024222</nsl-passphrase-answer>
  </nsl-sync-data>
</operation-data>

In the sample Finance department scenario from Figure 4-1, the following values are needed to populate the operation data payload:

  • The <nsl-target-user-dn> element is populated with the value of the DirXML-ADContext attribute from the Identity Vault, which was set by the Active Directory driver. To ensure that the SAP User driver is notified when the value is set by the AD driver, make sure you add DirXML-ADContext to the Subscriber filter as a notify attribute.

  • The <nsl-app-username> element is populated by the value of the sapUsername attribute which, for an <add> command, is generated by the Create policy of the SAP User driver and is therefore available as an operation attribute. With the SAP User driver, the SAP User name value is part of the association value. This means that for password modification events the names are parsed from the association.

  • The password element is populated with the value of the <password> element in the <add> or <modify-password> command.

  • The <nsl-passphrase-answer> element is populated with the value of the workforceID attribute from the Identity Vault, which was set by the SAP HR driver. Although this value should be set during initial provisioning to the Identity Vault, it is still a good practice to add workforceID to the Subscriber filter as a notify attribute.
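The caching policy described above, written as an added DirXML-Script example for the SAP User driver's Subscriber Command Transformation (it is not one of the sample policies shipped on the media). It builds the <operation-data> payload shown earlier from the four sources listed; the sapUsername operation-attribute name on the <add> and the use of the unparsed association for the SAP user name on <modify-password> are assumptions to adapt to your driver.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <!-- Rule 1: on add and modify-password, build the operation-data payload that the
       SAP User shim echoes back in its <status>, carrying the non-static values -->
  <rule>
    <description>Cache SecureLogin provisioning data for add and modify-password</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-xpath op="true">self::add or self::modify-password</if-xpath>
      </and>
    </conditions>
    <actions>
      <do-append-xml-element expression="." name="operation-data"/>
      <do-append-xml-element expression="operation-data" name="nsl-sync-data"/>
      <!-- Target user DN: Identity Vault attribute set by the AD driver (worksheet item 15);
           DirXML-ADContext must be a notify attribute in the Subscriber filter -->
      <do-append-xml-element expression="operation-data/nsl-sync-data" name="nsl-target-user-dn"/>
      <do-append-xml-text expression="operation-data/nsl-sync-data/nsl-target-user-dn">
        <arg-string><token-src-attr name="DirXML-ADContext"/></arg-string>
      </do-append-xml-text>
      <!-- Password: copied from the <password> element of the command itself (worksheet item 12) -->
      <do-append-xml-element expression="operation-data/nsl-sync-data" name="password"/>
      <do-append-xml-text expression="operation-data/nsl-sync-data/password">
        <arg-string><token-xpath expression="password"/></arg-string>
      </do-append-xml-text>
      <!-- Passphrase answer: Identity Vault attribute set by the SAP HR driver (worksheet item 16) -->
      <do-append-xml-element expression="operation-data/nsl-sync-data" name="nsl-passphrase-answer"/>
      <do-append-xml-text expression="operation-data/nsl-sync-data/nsl-passphrase-answer">
        <arg-string><token-src-attr name="workforceID"/></arg-string>
      </do-append-xml-text>
      <!-- The user name element is created here and filled by rule 2 or rule 3 -->
      <do-append-xml-element expression="operation-data/nsl-sync-data" name="nsl-app-username"/>
    </actions>
  </rule>
  <!-- Rule 2: on add, the SAP user name was generated by the Create policy and is still
       present as an operation attribute (the attribute name sapUsername is an assumption) -->
  <rule>
    <description>Cache SAP user name from the add command</description>
    <conditions>
      <and>
        <if-operation op="equal">add</if-operation>
        <if-xpath op="true">operation-data/nsl-sync-data</if-xpath>
      </and>
    </conditions>
    <actions>
      <do-append-xml-text expression="operation-data/nsl-sync-data/nsl-app-username">
        <arg-string><token-op-attr name="sapUsername"/></arg-string>
      </do-append-xml-text>
    </actions>
  </rule>
  <!-- Rule 3: on modify-password the operation attributes are gone, so the SAP user name
       is parsed from the association. The association layout is driver-specific; the
       unparsed association used here is an assumption, replace it with the XPath that
       extracts the user name from your association format -->
  <rule>
    <description>Cache SAP user name from the association on modify-password</description>
    <conditions>
      <and>
        <if-operation op="equal">modify-password</if-operation>
        <if-xpath op="true">operation-data/nsl-sync-data</if-xpath>
      </and>
    </conditions>
    <actions>
      <do-append-xml-text expression="operation-data/nsl-sync-data/nsl-app-username">
        <arg-string><token-association/></arg-string>
      </do-append-xml-text>
    </actions>
  </rule>
</policy>
```

Because the cached <password> travels inside the command document, it appears (content suppressed) in the engine trace; keep trace levels that expose operation-data restricted to administrators.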

SecureLogin Provisioning

In the scenario, the first available location from which the operation data can be retrieved and utilized for SecureLogin credential provisioning is in the driver's Input Transformation policy. In the sample scenario, three policies are implemented:

  • Set SecureLogin Credentials after successful password synchronization.

  • Set SecureLogin Passphrase and Answer

  • Remove SecureLogin Credentials if Application User Deleted (Identity Vault object not deleted)

    NOTE: There is a sample policy in the SampleInputTransform.xml file that sets SecureLogin credentials after a successful password synchronization occurs. The file is located in the Credential Provisioning folder on the Identity Manager 3.0 Support Pack 1 media.

The Set SecureLogin Credentials policy needs to make sure the provisioning happens only if the returned command status is success and the previously set <operation-data> is present.

SecureLogin Deprovisioning

There are many scenarios that can utilize a policy in which a user account for a connected application is deleted and the Identity Vault account remains. In the Finance scenario, there is a requirement to delete the SAP User account and deprovision the SecureLogin credentials when the User's Identity Vault employeeStatus attribute value is set to “I”. To handle this situation, the SAP User driver's Subscriber Event Transformation contains a policy to transform the modify attribute value into an object delete. Because the Active Directory account name is still needed after the delete command is completed, the <operation-data> element needs to be set on the <delete> command so it is available to the SecureLogin deprovisioning policy in the Input Transformation policy.

<operation-data>
  <nsl-sync-data>
    <nsl-target-user-dn>cn=GLCANYON,ou=finance,dc=prod,dc=testco,dc=com</nsl-target-user-dn>
  </nsl-sync-data>
</operation-data>

The policy for transforming the <modify> event into a <delete> and creating this element is available in the sample Credential Provisioning policies in the SampleSubEventTransform.xml file.
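The three Input Transformation policies named under SecureLogin Provisioning (set credentials, set passphrase) together with the SecureLogin Deprovisioning policy, as one added DirXML-Script example; it is not the SampleInputTransform.xml shipped on the media. It assumes the store-def-dn and app-id attribute names on the do-set-sso-credential, do-set-sso-passphrase and do-clear-sso-credential actions and a name=value form for the login parameter strings (verify both against the XML your Policy Builder generates), and the bracketed repository DN is a placeholder for the repository object created in Section 4.2.4.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <!-- Rule 1: provision only if the SAP command succeeded AND the cached payload came back
       in the <status>. The password element distinguishes add/modify-password from delete -->
  <rule>
    <description>Set SecureLogin credentials after successful password synchronization</description>
    <conditions>
      <and>
        <if-operation op="equal">status</if-operation>
        <if-xpath op="true">@level = 'success' and operation-data/nsl-sync-data/password</if-xpath>
      </and>
    </conditions>
    <actions>
      <!-- Attribute names and the name=value parameter form are assumptions (see lead-in) -->
      <do-set-sso-credential store-def-dn="[DN of the SecureLogin repository object]"
                             app-id="SAP - 151.150.191.27">
        <arg-dn><token-xpath expression="operation-data/nsl-sync-data/nsl-target-user-dn"/></arg-dn>
        <!-- Static keys (worksheet item 11) -->
        <arg-string><token-text>SAP Client 010 Login Parameter Client=010</token-text></arg-string>
        <arg-string><token-text>SAP Client 010 Login Parameter Language=EN</token-text></arg-string>
        <!-- Non-static keys come from the cached operation-data (worksheet item 12) -->
        <arg-string>
          <token-text>SAP Client 010 Login Parameter Username=</token-text>
          <token-xpath expression="operation-data/nsl-sync-data/nsl-app-username"/>
        </arg-string>
        <arg-string>
          <token-text>SAP Client 010 Login Parameter Password=</token-text>
          <token-xpath expression="operation-data/nsl-sync-data/password"/>
        </arg-string>
      </do-set-sso-credential>
    </actions>
  </rule>
  <!-- Rule 2: the passphrase question is static (worksheet item 16); the answer was cached
       from workforceID. This also re-applies on every password change because the
       modify-password payload carries the answer too; cache it only on add if unwanted -->
  <rule>
    <description>Set SecureLogin passphrase and answer</description>
    <conditions>
      <and>
        <if-operation op="equal">status</if-operation>
        <if-xpath op="true">@level = 'success' and operation-data/nsl-sync-data/nsl-passphrase-answer</if-xpath>
      </and>
    </conditions>
    <actions>
      <do-set-sso-passphrase store-def-dn="[DN of the SecureLogin repository object]">
        <arg-dn><token-xpath expression="operation-data/nsl-sync-data/nsl-target-user-dn"/></arg-dn>
        <arg-string><token-text>Employee code?</token-text></arg-string>
        <arg-string><token-xpath expression="operation-data/nsl-sync-data/nsl-passphrase-answer"/></arg-string>
      </do-set-sso-passphrase>
    </actions>
  </rule>
  <!-- Rule 3: deprovisioning. The <delete> command's operation-data carries only the target
       DN, so a successful status with nsl-sync-data but no password element is the SAP delete -->
  <rule>
    <description>Remove SecureLogin credentials after the SAP user is deleted</description>
    <conditions>
      <and>
        <if-operation op="equal">status</if-operation>
        <if-xpath op="true">@level = 'success' and operation-data/nsl-sync-data and not(operation-data/nsl-sync-data/password)</if-xpath>
      </and>
    </conditions>
    <actions>
      <do-clear-sso-credential store-def-dn="[DN of the SecureLogin repository object]"
                               app-id="SAP - 151.150.191.27">
        <arg-dn><token-xpath expression="operation-data/nsl-sync-data/nsl-target-user-dn"/></arg-dn>
        <!-- Each authentication key of the application (worksheet item 10) -->
        <arg-string><token-text>SAP Client 010 Login Parameter Client</token-text></arg-string>
        <arg-string><token-text>SAP Client 010 Login Parameter Language</token-text></arg-string>
        <arg-string><token-text>SAP Client 010 Login Parameter Username</token-text></arg-string>
        <arg-string><token-text>SAP Client 010 Login Parameter Password</token-text></arg-string>
      </do-clear-sso-credential>
    </actions>
  </rule>
</policy>
```

Gating every rule on @level = 'success' is what keeps a failed or vetoed SAP command from leaving a SecureLogin credential that does not match the target application.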