Product Guide McAfee Cloud Identity Manager version 3.5

McAfee Cloud Identity Manager 3.5 Product Guide (b2b-download.mcafee.com/products/evaluation/Intel/...)


Product Guide

McAfee Cloud Identity Manager version 3.5


2 McAfee Cloud Identity Manager 3.5 Product Guide

COPYRIGHT

Copyright © 2013 McAfee, Inc. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

McAfee®, the McAfee logo, Avert, ePO, ePolicy Orchestrator, Foundstone, GroupShield, IntruShield, LinuxShield, MAX (McAfee SecurityAlliance Exchange), NetShield, PortalShield, Preventsys, SecureOS, SecurityAlliance, SiteAdvisor, SmartFilter, Total Protection, TrustedSource, Type Enforcement, VirusScan, and WebShield are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANTOR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

1.0 Introduction to McAfee Cloud Identity Manager .......... 9
1.1 Extensible Framework .......... 9
1.2 Web Single Sign On (SSO) .......... 10
1.3 Multiple Authentication Methods .......... 11
1.4 Credential Mapping and User Provisioning .......... 12
1.5 Authorization Policies and Access Control Enforcement .......... 12
1.6 Event Auditing and Monitoring .......... 13
1.7 Cloud Connector Options .......... 14
1.8 Web-based Management Console .......... 14
1.9 Supported Environments .......... 15
1.10 Supported Browsers .......... 15
1.11 Available Documentation .......... 16
1.12 Technical Support .......... 16

2.0 Getting Started with the Management Console .......... 17
2.1 The Login Page .......... 17
2.2 Cloud Identity Manager Version Information .......... 18
2.3 The Management Console Dashboard .......... 19
2.4 Management Console — Configuration Tabs (A) .......... 20

    2.4.1 Cloud Connectors Tab .......... 20
    2.4.2 Application Adapters Tab .......... 22
    2.4.3 Logs Tab .......... 22
    2.4.4 Monitoring Tab .......... 23
    2.4.5 Addons Tab .......... 23
    2.4.6 Admin Tab .......... 24

2.5 Management Console — Cloud Connectors (B) .......... 26
    2.5.1 Cloud Connectors — Carousel View .......... 27
    2.5.2 Cloud Connectors — List View .......... 28
    2.5.3 Cloud Connectors — Management Options .......... 28

2.6 Management Console — System Snapshots (C) .......... 32
2.7 Management Console — Quick Access (D) .......... 33
2.8 Configuration Wizards .......... 36

3.0 Cloud Connectors .......... 37
3.1 Understanding the Cloud Connector Types .......... 38

    3.1.1 Built-in and Plug-in Cloud Connectors .......... 38
3.2 Viewing the Built-in Cloud Connector Types .......... 39
3.3 Viewing the Plug-in Cloud Connector Types .......... 40
3.4 Cloud Connector Reference .......... 41

4.0 Identity Connectors .......... 53
4.1 Authentication Types .......... 53
4.2 Authentication Chain Identity Connector .......... 54
4.3 External Configuration and Additional Considerations .......... 55
4.4 View All Configured Identity Stores .......... 55
4.5 View All Configured Identity Connectors .......... 56
4.6 How to Select the Identity Connector Type .......... 57
4.7 Create an LDAP Identity Store .......... 58
4.8 Create an Active Directory Identity Store .......... 59
4.9 Create an Identity Connector .......... 63

    4.9.1 Configure an Authentication Chain Identity Connector .......... 64
    4.9.2 Configure a CAS Identity Connector .......... 65
    4.9.3 Configure an ECA360 Token Identity Connector .......... 66
    4.9.4 Configure an IWA-AD Identity Connector .......... 69
    4.9.5 Configure an LDAP Identity Connector .......... 71
    4.9.6 Configure a SAML2 Proxy Identity Connector .......... 72

4.10 User Provisioning .......... 74


5.0 Authentication Chains .......... 75
5.1 Creating Authentication Chains in the Management Console .......... 75
5.2 Authentication Modules .......... 76
5.3 Select the Authentication Module Type .......... 77

    5.3.1 Authentication Methods Available for Primary Authentication .......... 78
    5.3.2 Authentication Methods Available for Secondary Authentication .......... 80

5.4 Customizing the Authentication Module Login Page .......... 80
    5.4.1 Customize a JDBC or LDAP Login Page .......... 81
    5.4.2 Customize an OTP or OTP Self-service Login Page .......... 82
    5.4.3 Customize a Combined LDAP and OTP Login Page .......... 84

5.5 Configuring the Authentication Module Options .......... 86
    5.5.1 Configure a JDBC Authentication Module .......... 87
    5.5.2 Configure an OpenID Authentication Module .......... 88
    5.5.3 Configure a Facebook Authentication Module .......... 91
    5.5.4 Configure a LinkedIn Authentication Module .......... 92
    5.5.5 Configure a Twitter Authentication Module .......... 93
    5.5.6 Configure an ECA360 Token Authentication Module .......... 94
    5.5.7 Configuring a SAML2 Authentication Module .......... 95
    5.5.8 Configure a Salesforce Authentication Module .......... 102
    5.5.9 Configure an IWA Authentication Module .......... 103
    5.5.10 Configure a CAS Authentication Module .......... 105
    5.5.11 Configure a SAML2 Proxy Authentication Module .......... 106
    5.5.12 Configure an LDAP Authentication Module .......... 108
    5.5.13 Configure a Combined LDAP and OTP Authentication Module .......... 110
    5.5.14 Configure a Certificate Authentication Module .......... 111
    5.5.15 Configure a SiteMinder Authentication Module .......... 114
    5.5.16 Configuring an OTP Authentication Module .......... 117
    5.5.17 Configure an OTP Self-service Authentication Module .......... 121
    5.5.18 Configure a TPM Authentication Module .......... 123
    5.5.19 Configure a KCD Authentication Module .......... 123

5.6 Customize the Authentication Module Output Attributes .......... 125
    5.6.1 Default Output Attributes for a Certificate Authentication Module .......... 128

5.7 Configuring a Policy for the Authentication Module .......... 129
    5.7.1 Configuring the JAAS Policy Type .......... 130
    5.7.2 Configuring the Policy Conditions .......... 130
    5.7.3 Determined by Cloud Connector: Use Cases .......... 131
    5.7.4 Configure a Policy for the Authentication Module .......... 132

5.8 Registering a User-defined Authentication Module .......... 134
    5.8.1 Name the New Authentication Module .......... 135
    5.8.2 Configure the Authentication Service and the Output Attributes .......... 136
    5.8.3 Specify the Callback Configuration .......... 138
    5.8.4 Review the New Authentication Module Configuration .......... 139

6.0 Authentication Reference .......... 141
6.1 Integrating CAS with Cloud Identity Manager .......... 141

    6.1.1 CAS Overview .......... 142
    6.1.2 CAS Considerations .......... 143
    6.1.3 Bypass the Network Proxy for CAS .......... 143
    6.1.4 Configure CAS for User Provisioning .......... 144

6.2 Integrating Facebook Authentication with Cloud Identity Manager .......... 144
    6.2.1 Facebook Authentication Overview .......... 145
    6.2.2 Facebook Configuration .......... 146
    6.2.3 Setting Up Cloud Identity Manager on Facebook .......... 146

6.3 Integrating IWA with Cloud Identity Manager .......... 147
    6.3.1 Active Directory Configuration Steps .......... 147
    6.3.2 Internet Explorer Configuration Steps .......... 148
    6.3.3 Firefox Configuration Steps .......... 148
    6.3.4 Troubleshooting IWA Integration .......... 149

6.4 Integrating LinkedIn Authentication with Cloud Identity Manager .......... 151


    6.4.1 LinkedIn Authentication Overview .......... 152
    6.4.2 Registering an Application in Your LinkedIn Developer’s Account .......... 153

6.5 Integrating OpenID Authentication with Cloud Identity Manager .......... 154
    6.5.1 OpenID Authentication Service .......... 154
    6.5.2 OpenID Authentication Overview .......... 155
    6.5.3 OpenID Configuration Considerations .......... 156

6.6 Integrating Salesforce Authentication with Cloud Identity Manager .......... 156
    6.6.1 Salesforce Authentication Overview .......... 157
    6.6.2 Configuring Salesforce as the Identity Provider .......... 158

6.7 Integrating SiteMinder with Cloud Identity Manager .......... 159
    6.7.1 SiteMinder Use Cases .......... 160
    6.7.2 Configuration in the Cloud Identity Manager Management Console .......... 164
    6.7.3 Configuration in the SiteMinder Administrative UI .......... 165
    6.7.4 Troubleshooting SiteMinder Integration .......... 168

6.8 Integrating Twitter Authentication with Cloud Identity Manager .......... 169
    6.8.1 Twitter Authentication Overview .......... 170
    6.8.2 Registering an Application in Your Twitter Developer’s Account .......... 171

6.9 Integrating Cloud Identity Manager in the Cloud and the Enterprise .......... 171
    6.9.1 Overview of Cloud Identity Manager in the Cloud and the Enterprise .......... 172
    6.9.2 Configuring Cloud Identity Manager in the Cloud and the Enterprise .......... 173
    6.9.3 SAML2 Proxy Configuration Summary .......... 174

7.0 Cloud Application Trust Profile .......... 175
7.1 Cloud Application Trust Profile — Identity Provider Mode .......... 175
7.2 Cloud Application Trust Profile — Service Provider Mode .......... 176
7.3 Cloud Application Trust Profile — Connected Modes .......... 177
7.4 Cloud Authenticators .......... 178

    7.4.1 How to Configure a Cloud Authenticator .......... 179
    7.4.2 Configure a Cloud Authenticator .......... 180

7.5 The Application Adapter Wizard .......... 182
    7.5.1 Specify a Name and Type for the Application Adapter .......... 183
    7.5.2 Configure a Custom Connection for the Application Adapter .......... 184
    7.5.3 Configure a Token Profile for the Application Adapter .......... 185

8.0 Audit Logging .......... 187
8.1 The Auditing Tab .......... 188
8.2 Filtering the Audit Log .......... 188

    8.2.1 Configure Filter Settings for the Audit Log .......... 190
    8.2.2 View the Filtered Audit Log .......... 192

8.3 Configure the Auditing Policy .......... 192
8.4 Download the Audit Log .......... 194
8.5 Purge the Audit Log .......... 195
8.6 Audit Event Names and Source Components Reference .......... 196

9.0 Transaction and Error Logging .......... 197
9.1 Configure Filter Settings for the Transaction Log .......... 198
9.2 Viewing the Filtered Transaction Log .......... 200

    9.2.1 Viewing One Transaction Log Entry .......... 201
    9.2.2 Viewing All Log Entries Having the Specified Transaction ID .......... 201

9.3 Configure the Transaction Log .......... 202
9.4 Download the Transaction Log .......... 203
9.5 Purge the Transaction Log .......... 204

10.0 Alerts and Metrics .......... 205
10.1 Alerts .......... 206

    10.1.1 Configuring an Alert .......... 207
    10.1.2 Filtering the Alert Log .......... 216
    10.1.3 Download the Alert Log .......... 221
    10.1.4 Purge the Alert Log .......... 222

10.2 Cloud Metrics .......... 222


    10.2.1 Configuring a Filter for a Cloud Metric .......... 224
    10.2.2 Configure Filter Settings for a Cloud Metric .......... 225
    10.2.3 Viewing a Cloud Metric .......... 227
    10.2.4 Download the Cloud Metrics .......... 228
    10.2.5 Purge the Cloud Metrics .......... 229

10.3 Login History .......... 230
    10.3.1 Configure Filter Settings for the Login History .......... 231
    10.3.2 Viewing the Filtered Login History .......... 233
    10.3.3 Download the Login History .......... 234
    10.3.4 Purge the Login History .......... 235

10.4 Audit Event Names and Actions Reference .......... 236

11.0 Add-on Services .......... 237
11.1 Identity Proxy Configuration .......... 237

    11.1.1 Configuring SSO for Salesforce Connect for Outlook .......... 238
    11.1.2 Salesforce Configuration Requirements .......... 239
    11.1.3 The Identity Proxy Window .......... 240
    11.1.4 Configuring Identity Proxy and Token Validation Services .......... 241
    11.1.5 View the Identity Proxy and Token Validation Service URLs .......... 245
    11.1.6 Install the Outlook Plug-in .......... 246
    11.1.7 Configure Delegated Authentication in Salesforce .......... 246

11.2 OAuth Management .......... 247
    11.2.1 OAuth Overview .......... 248
    11.2.2 OAuth Example .......... 249
    11.2.3 The OAuth Management Window .......... 250
    11.2.4 Create an OAuth Configuration for Google Apps .......... 251
    11.2.5 Configure OAuth Services in Google Apps .......... 252
    11.2.6 Create an OAuth Configuration for Salesforce Applications .......... 253
    11.2.7 Configure OAuth Services in Salesforce .......... 254

12.0 Advanced Configuration .......... 255
12.1 Configure Data Storage in a File or New Database .......... 256
12.2 Configure Network Proxy Addresses .......... 258

    12.2.1 Configure the Enterprise Service Proxy .......... 258
    12.2.2 Configure the Route Proxy .......... 259

12.3 Configure a Timeout Value for User Sessions .......... 260
12.4 Enable Your Custom Portal Configuration .......... 260
12.5 Managing Admin Accounts .......... 261

    12.5.1 Create Administrative User Accounts .......... 262
    12.5.2 Manage Administrative User Accounts .......... 263

12.6 Certificate Management .......... 264
    12.6.1 Certificate Validation .......... 264
    12.6.2 How to Acquire an X.509 Certificate .......... 265
    12.6.3 Cloud Identity Manager Certificates .......... 265
    12.6.4 The Certificate Management Window .......... 266
    12.6.5 Viewing All X.509 Certificates .......... 267
    12.6.6 View One X.509 Certificate .......... 268
    12.6.7 Delete an X.509 Certificate .......... 269
    12.6.8 Export an X.509 Certificate .......... 269
    12.6.9 Import an X.509 Certificate .......... 271
    12.6.10 Validate an X.509 Certificate .......... 272
    12.6.11 Generate a New Key Pair .......... 272
    12.6.12 Import Key Pairs .......... 274
    12.6.13 Import a Trusted Certificate .......... 275
    12.6.14 Replace the SSL Key Pair .......... 276
    12.6.15 Enabling Certificate Validation .......... 276

12.7 Managing Cloud Connector Plug-ins .......... 277
    12.7.1 The Connector Plug-ins Window .......... 277
    12.7.2 Install a Custom Connector Plug-in .......... 278
    12.7.3 Managing an Existing Connector Plug-in .......... 278


12.8 Export System Configuration Settings .......... 279
12.9 Import System Configuration Settings .......... 280
12.10 Restart the Cloud Identity Manager Service .......... 280
12.11 Import a License File .......... 281
12.12 Configure the Fully Qualified Domain Name .......... 282
12.13 Configuring Remote OTP Settings .......... 284

    12.13.1 Configure Remote OTP Settings .......... 285
12.14 Language Settings .......... 286

A: Integrating External One Time Password Servers with Cloud Identity Manager .......... 287
A.1 Two-factor Authentication Using One-time Password .......... 288

    A.1.1 LDAP-OTP Authentication .......... 289
    A.1.2 OpenID-OTP Authentication .......... 290

A.2 Stronger Authorization Using One-time Password .......... 291
A.3 One-time Password Server Configuration Overview .......... 292

B: Integrating RCDevs OpenOTP Server with Cloud Identity Manager .......... 293
B.1 RCDevs OpenOTP Server Overview .......... 294
B.2 Installing RCDevs OpenOTP Server .......... 295
B.3 Configuring RCDevs OpenOTP Server .......... 296

C: Integrating Microsoft SharePoint with Cloud Identity Manager .......... 297
C.1 Overview of SharePoint Integration .......... 298
C.2 Configuring SharePoint Integration .......... 299

    C.2.1 Configuring Cloud Identity Manager for SharePoint Integration .......... 299
    C.2.2 Configuring the SaaS or Web Application for SharePoint Integration .......... 299
    C.2.3 Configuring the Web Browser for SharePoint Integration .......... 301
    C.2.4 Configuring the Active Directory Domain Controller .......... 301
    C.2.5 Installing and Configuring SharePoint .......... 302

D: Integrating McAfee Web Gateway and McAfee Web Protection Service .......... 303
D.1 Integrating Web Protection Service with Cloud Identity Manager .......... 303
D.2 Integrating Web Gateway with Cloud Identity Manager .......... 303

    D.2.1 Dual Installation Guidelines .......... 304
    D.2.2 Configuring Web Gateway to Run in Explicit Proxy Mode .......... 304
    D.2.3 Configuring Cloud Identity Manager as the Upstream Proxy in Web Gateway .......... 304
    D.2.4 Modifying SSL Scanner Rule Sets in Web Gateway .......... 305
    D.2.5 Exporting the Default Web Gateway CA Certificate .......... 305

D.3 Configuring Outgoing Cloud Identity Manager Connections .......... 306

E: Integrating Salesforce Chatter Mobile with Cloud Identity Manager .......... 307
E.1 Salesforce Chatter Mobile Overview .......... 308
E.2 Salesforce Chatter Mobile Configuration .......... 309

    E.2.1 Configuring Cloud Identity Manager for Salesforce Chatter Mobile .......... 309
    E.2.2 Configuring SSO and SLO in Salesforce .......... 310
    E.2.3 Creating a Custom Domain Name in Salesforce .......... 311
    E.2.4 Setting Up Salesforce Chatter on an Apple iPhone or Android Mobile Device .......... 311
    E.2.5 Setting Up Pledge on an Apple iPhone or Android Mobile Device .......... 311

E.3 Accessing Salesforce Chatter from an Apple iPhone or Android Mobile Device .......... 311

F: Integrating Active Directory Federation Services 2.0 with Cloud Identity Manager .......... 313
F.1 AD FS 2.0 Identity Federation Terms .......... 313
F.2 Identity Federation with AD FS 2.0 .......... 314

    F.2.1 Use Case 1: AD FS 2.0 as the Identity Provider .......... 315
    F.2.2 Use Case 2: AD FS 2.0 as the Relying Party .......... 316

F.3 Identity Federation with AD FS 2.0 as Identity Provider .......... 317
    F.3.1 Configure Cloud Identity Manager as the Relying Party in AD FS 2.0 .......... 317
    F.3.2 Editing Claim Rules in AD FS 2.0: Relying Party Trust Example .......... 318
    F.3.3 Configuring Cloud Identity Manager as RP in the Management Console .......... 320

F.4 Identity Federation with AD FS 2.0 as Relying Party .............................................320F.4.1 Configure Cloud Identity Manager as the Claims Provider in AD FS 2.0.........321


F.4.2 Editing Claim Rules in AD FS 2.0: Claims Provider Trust Example .... 322
F.4.3 Configuring Cloud Identity Manager as IdP in the Management Console .... 322

F.5 Locating the AD FS 2.0 Service URLs .... 324
F.6 AD FS 2.0 Integration and Certificate Management .... 324

F.6.1 Certificate Preparation: AD FS 2.0 as Identity Provider .... 325
F.6.2 Certificate Preparation: Cloud Identity Manager as Identity Provider .... 325

F.7 Software Requirements for AD FS 2.0 Integration .... 326
F.8 Configuring AD FS 2.0 Federation with a WIF Application .... 326
F.9 AD FS 2.0 Considerations and Troubleshooting Tips .... 326

F.9.1 Registering Your Workstation in the Service Principal Name Directory .... 326
F.9.2 Enabling NTLM Authentication in Firefox .... 326
F.9.3 Sharing AD FS 2.0 Claims with a SAML 2.0 Service Provider .... 327
F.9.4 “Authentication Required” Pop Up in Internet Explorer .... 327
F.9.5 “Add STS Reference” Option Is Missing in Visual Studio 2008 .... 327
F.9.6 Disabling Certificate Chain Validation .... 328
F.9.7 Signature Verification Failure .... 328
F.9.8 Audience Verification Failure .... 328

G: Integrating TPM on Microsoft Windows with Cloud Identity Manager .... 329
G.1 Enabling TPM on the Client Machine .... 329
G.2 Preparing the TPM Environment on the Client Machine .... 329

G.2.1 Add Your Windows Home Directory to the Path Variable .... 330
G.2.2 Extracting the Public Key and Encryption Key Wrapper .... 330
G.2.3 Modify the Security Policy File for JRE .... 330
G.2.4 Sample Security Policy File for JRE .... 331

G.3 Configuring TPM Authentication in Cloud Identity Manager .... 332
G.4 The TPM Authentication Process .... 332

H: Expression Language Support .... 333
H.1 Attribute Mapping and Expressions in Cloud Identity Manager .... 333

I: Troubleshooting Tips .... 335
I.1 Internet Explorer Cannot Download File .... 335
I.2 The Upgrade Process Does Not Migrate HTTP POST Credentials .... 335
I.3 Not All Settings Are Exported from a MySQL Database .... 335
I.4 AdminiTrack Connector Does Not Support SSO to v3.0 .... 335


1.0 Introduction to McAfee Cloud Identity Manager

McAfee® Cloud Identity Manager (Cloud Identity Manager, formerly Intel® Expressway Cloud Access 360-SSO) simplifies the management and secures the use of cloud, Software as a Service (SaaS), and web applications for companies and large organizations. Service and application providers can also use Cloud Identity Manager to simplify and improve the authentication process for their customers.

Cloud Identity Manager provides support for the following features. For more information about each feature, see the following sections:

• Extensible Framework — See section 1.1 Extensible Framework.
• Web Single Sign On (SSO) — See section 1.2 Web Single Sign On (SSO).
• Multiple Authentication Methods — See section 1.3 Multiple Authentication Methods.
• Credential Mapping and User Provisioning — See section 1.4 Credential Mapping and User Provisioning.
• Authorization Policies and Access Control Enforcement — See section 1.5 Authorization Policies and Access Control Enforcement.
• Event Auditing and Monitoring — See section 1.6 Event Auditing and Monitoring.
• Connectors for Popular Cloud Services and Applications — See section 1.7 Cloud Connector Options.
• Web-based Management Console — See section 1.8 Web-based Management Console.

1.1 Extensible Framework

Cloud Identity Manager provides an extensible software framework and Software Development Kit (SDK) that software developers can use to extend the built-in functionality of the product. For detailed information, see the following guides:

• McAfee Cloud Identity Manager Integration Guide — For customers who have Java-based or .NET web applications that do not support SAML2 authentication, Cloud Identity Manager provides a custom connector. For information about how to integrate Java-based and .NET web applications with Cloud Identity Manager, see the McAfee Cloud Identity Manager Integration Guide.

• McAfee Cloud Identity Manager Developer’s Guide — For software developers who want to write their own cloud service connectors, authentication modules, or alert notification methods, Cloud Identity Manager provides an SDK. For more information, see the McAfee Cloud Identity Manager Developer’s Guide.


1.2 Web Single Sign On (SSO)

In web SSO, a trusted third party authenticates the user to the cloud service or application by providing identity information. In a typical installation, Cloud Identity Manager is the third party that provides identity information from an organization’s internal identity management system to meet the cloud application’s requirements. Cloud Identity Manager also supports authentication services provided by an external third party.

Web SSO is implemented using standard protocols, such as Security Assertion Markup Language (SAML). Cloud Identity Manager also provides custom SSO services for installations that do not support SAML.

The web SSO process depends on web browser features to operate. To implement web SSO, users must first authenticate to Cloud Identity Manager, manually or automatically. Users can authenticate manually through a custom log-in webpage. For users working in a Microsoft Windows Operating System environment, authentication to Cloud Identity Manager can be automated through the Integrated Windows Authentication (IWA) protocol.

After authenticating to Cloud Identity Manager, the user is no longer involved in the web SSO process. All remaining SSO steps are performed by Cloud Identity Manager and are not visible to the end user.

Note: Web SSO requires configuration in the Management Console and in the cloud application’s user interface. Instructions for configuring SSO on the cloud application side are included in the Administrator’s Guide.


1.3 Multiple Authentication Methods

For web SSO, Cloud Identity Manager supports two methods of authentication. In both methods, the user is seeking access to a service in the cloud.

1. Identity Provider (IdP) Initiated Authentication

In IdP-initiated authentication, the user’s authentication request is first sent to Cloud Identity Manager; then, the authentication result is redirected by Cloud Identity Manager to the cloud service through the user’s browser. (See the diagram on the left.)

2. Service Provider (SP) Initiated Authentication

In SP-initiated authentication, the authentication request is first sent to the cloud service and then redirected by the service to Cloud Identity Manager through the user’s browser. Finally, as in the previous method, Cloud Identity Manager redirects the authentication result to the cloud service through the user’s browser. (See the diagram on the right.)

Figure 1. IdP-Initiated Authentication (left) and SP-Initiated Authentication (right)

IdP-initiated authentication is so named because Cloud Identity Manager, the Identity Provider, is the first actor in the authentication process. Likewise, SP-initiated authentication is so named because the Service Provider or cloud service is the first actor in the authentication process.

In both methods, the authentication process takes place using redirects through the user’s browser. The redirects are automatic and take place quickly, so that the user is not aware of the authentication process running in the background.
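The two flows above differ only in which party acts first and in whether the result answers a request the service issued. The following Python simulation is an added example and is not code from the Cloud Identity Manager product or this guide: the Identity Provider, Service Provider and browser hops are in-memory objects exchanging plain dicts rather than real SAML messages, and the entity IDs, user names and "in_response_to" field name are hypothetical. It shows the hop order of each flow and the checks the service side makes (issuer, audience, and for SP-initiated flows a single-use request ID) before trusting the result.

```python
"""IdP-initiated and SP-initiated web SSO, modelled in memory (constructed example)."""
import secrets


class IdentityProvider:
    """Stands in for Cloud Identity Manager in its IdP role."""

    def __init__(self, entity_id, users):
        self.entity_id = entity_id
        self.users = users            # user -> password (constructed test data)
        self.sessions = set()

    def authenticate(self, user, password):
        ok = self.users.get(user) == password
        if ok:
            self.sessions.add(user)
        return ok

    def issue_response(self, user, sp_entity_id, in_response_to=None):
        """The authentication result that is redirected to the SP via the browser."""
        if user not in self.sessions:
            raise PermissionError("no IdP session for user")
        return {"issuer": self.entity_id, "subject": user,
                "audience": sp_entity_id, "in_response_to": in_response_to}


class ServiceProvider:
    """Stands in for the cloud service."""

    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.pending = set()          # request ids this SP has issued and not yet consumed

    def make_request(self):
        req_id = "id-" + secrets.token_hex(8)
        self.pending.add(req_id)
        return {"id": req_id, "issuer": self.entity_id}

    def consume(self, response, idp_entity_id):
        """Checks the service makes before trusting the result; returns the subject or None."""
        if response["issuer"] != idp_entity_id:
            return None                              # not from the IdP we trust
        if response["audience"] != self.entity_id:
            return None                              # meant for another service
        rid = response["in_response_to"]
        if rid is not None:
            if rid not in self.pending:
                return None                          # unknown or already-used request id
            self.pending.discard(rid)                # single use
        return response["subject"]


def idp_initiated(idp, sp, user, password):
    """Flow 1: the browser reaches the IdP first; the result is redirected to the SP."""
    trace = ["browser -> IdP: login"]
    if not idp.authenticate(user, password):
        return None, trace + ["IdP: authentication failed"]
    response = idp.issue_response(user, sp.entity_id)       # unsolicited: no request id
    trace += ["IdP -> browser: redirect with result", "browser -> SP: deliver result"]
    return sp.consume(response, idp.entity_id), trace


def sp_initiated(idp, sp, user, password):
    """Flow 2: the browser reaches the SP first; the SP redirects a request to the IdP."""
    trace = ["browser -> SP: access resource"]
    request = sp.make_request()
    trace += ["SP -> browser: redirect with request", "browser -> IdP: login"]
    if not idp.authenticate(user, password):
        return None, trace + ["IdP: authentication failed"]
    response = idp.issue_response(user, sp.entity_id, in_response_to=request["id"])
    trace += ["IdP -> browser: redirect with result", "browser -> SP: deliver result"]
    return sp.consume(response, idp.entity_id), trace
```

Both flows end with the same two hops, which is why the user sees no difference; the audience and request-ID checks in consume() are what keep a result issued for one service, or replayed from an earlier login, from being accepted by another.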


1.4 Credential Mapping and User Provisioning

Web SSO in Cloud Identity Manager supports multiple sources of identity information by mapping user attributes, or credentials, from the user account in the source organization to the user account in the Service Provider or target. In addition, Cloud Identity Manager can map identity information from an external authentication service to a Service Provider account.

An email address is an example of a user attribute or credential. It can be known by one name in the user accounts of the source organization and by a different name in the user accounts of the Service Provider. The configuration task is to correctly map the user attribute name in the source to the user attribute name in the target.

User provisioning is the creation of user accounts in the Service Provider. Cloud Identity Manager supports automatic provisioning of user accounts in Google Apps and Salesforce.com, which occurs when users first attempt access. User provisioning is like credential mapping except that it allows the mapping of additional attributes related to the cloud service. For example, it allows the mapping of role-based user attributes.
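The distinction drawn above, renaming attributes for credential mapping versus deriving extra service-specific attributes such as a role for provisioning, is shown in the following Python example. It is an added illustration, not the product's own mapping configuration or Appendix H expression language: the mapping table, group names, the "Profile" attribute and the in-memory target directory are all constructed for the example. The mapping fails closed when a required target attribute cannot be produced from the source account.

```python
"""Attribute (credential) mapping and first-access provisioning (constructed example)."""

# target attribute name -> source attribute name (constructed mapping)
SALESFORCE_MAPPING = {
    "Username": "mail",
    "FirstName": "givenName",
    "LastName": "sn",
}
# Provisioning adds service-specific attributes that are derived from the
# source account rather than copied from it, here a role chosen by group.
ROLE_BY_GROUP = {"cn=sales,ou=groups": "Sales Rep", "cn=it,ou=groups": "Admin"}
REQUIRED = frozenset({"Username", "LastName"})


def map_credentials(source_attrs, mapping, required=REQUIRED):
    """Rename source attributes to the target's names.

    Raises ValueError if any required target attribute is missing or empty,
    so an incomplete source account never produces a partial target account.
    """
    target = {}
    for target_name, source_name in mapping.items():
        value = source_attrs.get(source_name)
        if value not in (None, ""):
            target[target_name] = value
    missing = set(required) - set(target)
    if missing:
        raise ValueError(f"cannot map required attribute(s): {sorted(missing)}")
    return target


class TargetDirectory:
    """In-memory stand-in for the Service Provider's user store."""

    def __init__(self):
        self.accounts = {}

    def provision_on_first_access(self, source_attrs, mapping=SALESFORCE_MAPPING):
        """Create the target account on first access; return (account, created)."""
        attrs = map_credentials(source_attrs, mapping)
        groups = source_attrs.get("memberOf", ())
        roles = sorted({ROLE_BY_GROUP[g] for g in groups if g in ROLE_BY_GROUP})
        if len(roles) != 1:
            # Ambiguous or absent role: refuse rather than guess a privilege level.
            raise ValueError(f"expected exactly one mapped role, got {roles}")
        attrs["Profile"] = roles[0]
        key = attrs["Username"]
        created = key not in self.accounts
        if created:
            self.accounts[key] = attrs
        return self.accounts[key], created
```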

1.5 Authorization Policies and Access Control Enforcement

After Cloud Identity Manager establishes a session with the user, it can enforce authorization policies and restrict access to cloud services. Authorization policies are defined in the Cloud Connector wizard in the Management Console. Each policy applies to a single service and allows or denies access to specified HTTP URLs.

Figure 2. Authorization Policies and Access Control Enforcement
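A per-service URL policy of the kind described in section 1.5 is shown below in Python. This is an added example, not the product's policy engine or its rule format: the rule list, service name and URLs are constructed. It illustrates two points a practitioner would check in any URL-based policy: unmatched URLs are denied by default, and the path is canonicalised (percent-decoding, "..", "." and doubled slashes resolved) before matching so that a URL such as /public/../admin is judged as /admin.

```python
"""Ordered allow/deny rules on URL path prefixes for one cloud service (constructed example)."""
from posixpath import normpath
from urllib.parse import unquote, urlsplit


class ServicePolicy:
    """First matching rule wins; anything unmatched is denied."""

    def __init__(self, service, rules):
        self.service = service
        self.rules = []
        for action, prefix in rules:
            if action not in ("allow", "deny"):
                raise ValueError(f"unknown action {action!r}")
            self.rules.append((action, prefix.rstrip("/") or "/"))

    @staticmethod
    def canonical_path(url):
        """Decode and normalise the path so equivalent spellings match the same rule."""
        path = unquote(urlsplit(url).path) or "/"
        path = "/" + path.lstrip("/")        # collapse leading "//" (normpath keeps two)
        return normpath(path)                # resolves "..", ".", and "//"

    def decide(self, url):
        path = self.canonical_path(url)
        for action, prefix in self.rules:
            if prefix == "/" or path == prefix or path.startswith(prefix + "/"):
                return action
        return "deny"                        # default deny for unmatched paths
```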


1.6 Event Auditing and Monitoring

The Cloud Identity Manager auditing feature uses an events-based auditing model that records all events generated by administrative user actions in the Management Console. Using the auditing feature, administrators can configure auditing policies that support the security and compliance requirements of each organization.

The audit log can be searched using a configured filter. Logs can be exported to a signed .zip file and archived. User provisioning and authorization decisions are examples of audited events.

To monitor audited events more closely, alerts can be configured in Cloud Identity Manager. Configuring an alert includes specifying a notification method and the conditions that trigger the alert. Administrators can be notified of alerts by email, or alerts can be written to an alert log. Software developers can write custom alert notification methods using the alerts SDK and register them in the Management Console. Alert conditions include the type of event, the user, occurrence counts, and other event attributes.

In addition to alerts, there is the metrics feature. While alerts are based on audit events, metrics are based on built-in Cloud Identity Manager measures that summarize system data. You can select a metric, configure and apply a filter, and view the results. An example of a metric is the number of successful SSOs.

Cloud Identity Manager collects and stores information about login and logout events for both administrative and enterprise users. You can configure and apply a filter to the stored history and view the results. You can download the login history to a .zip file for archiving, and you can purge or clear the login history from the database.

Note: For information about the alerts SDK, see the McAfee Cloud Identity Manager Developer’s Guide.
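The alert and metric concepts above (an alert condition built from event type, user and occurrence count, and a metric such as the number of successful SSOs) are illustrated by the following Python example. It is an added example that does not use the product's audit schema, alert configuration or alerts SDK; the event tuples, the sliding-window rule and the list standing in for the alert log are all constructed.

```python
"""Alert evaluation and a metric over constructed audit events."""
from collections import defaultdict

# Constructed audit events: (timestamp in seconds, event type, user, outcome)
AUDIT_EVENTS = [
    (1000, "sso", "alice", "success"),
    (1005, "sso", "bob", "failure"),
    (1010, "sso", "bob", "failure"),
    (1020, "sso", "bob", "failure"),
    (1300, "sso", "bob", "success"),
    (1400, "provisioning", "carol", "success"),
    (1450, "authz", "alice", "denied"),
    (1500, "sso", "alice", "success"),
]


def count_metric(events, event_type, outcome):
    """Metric: number of events of one type with one outcome, e.g. successful SSOs."""
    return sum(1 for _, t, _, o in events if t == event_type and o == outcome)


def evaluate_alert(events, event_type, outcome, threshold, window):
    """Alert condition: one user accumulates `threshold` matching events within
    `window` seconds. Returns [(user, timestamp_of_trigger), ...]."""
    per_user = defaultdict(list)
    triggered = []
    for ts, t, user, o in sorted(events):
        if t != event_type or o != outcome:
            continue
        recent = per_user[user]
        recent.append(ts)
        while recent and ts - recent[0] > window:   # drop events outside the window
            recent.pop(0)
        if len(recent) >= threshold:
            triggered.append((user, ts))
            recent.clear()                            # do not re-fire on the same burst
    return triggered


def notify(triggered, sink):
    """Notification method: append one line per alert to `sink`, which stands in
    for the alert log or an email sender. Returns the number of lines written."""
    for user, ts in triggered:
        sink.append(f"ALERT sso-failure-burst user={user} at={ts}")
    return len(triggered)
```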


1.7 Cloud Connector Options

Cloud Identity Manager provides connectors for popular cloud services and applications, including Google Apps and Salesforce.com. These connectors are built in to Cloud Identity Manager and simplify the configuration and deployment of Google Apps and Salesforce.com in an organization. Cloud Identity Manager provides four ways to configure connectors to cloud services and applications:

• Integrated Connectors — Cloud Identity Manager provides numerous integrated connectors, including connectors for Google Apps and Salesforce.com. Integrated connectors are built in to Cloud Identity Manager and simplify the configuration and deployment of cloud services and applications in your organization.

• SAML Connector — Cloud Identity Manager provides a SAML connector for any cloud service that supports SAML2.0 authentication.

• Custom Connector — Cloud Identity Manager provides a custom connector for cloud services that do not support SAML2.0. Authentication information is passed to the service in the form of a signed token, which the service must verify. To support this option, the McAfee Cloud Identity Manager Integration Guide provides an SDK that simplifies common token processing operations.

• Plug-in Connectors — Cloud Identity Manager provides an Application Programming Interface (API) and SDK that software developers can use to write their own Java-based cloud service connectors. Developers can then register and deploy connectors in the Management Console. To view the cloud service connector SDK, see the McAfee Cloud Identity Manager Developer’s Guide.
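For the Custom Connector option, the service receives a signed token and must verify it. The Python example below is an added illustration of that verification, not the product's ECA360 token format or the Integration Guide SDK: it uses an HMAC-SHA256 over a small JSON payload, and the shared key, lifetime and field names (sub, aud, iat, exp) are constructed. The verifying side checks the signature before it parses the payload, then rejects tokens issued for a different audience or past their expiry.

```python
"""HMAC-signed token issued by the identity side and verified by the service (constructed example)."""
import base64
import hashlib
import hmac
import json
import time

SHARED_KEY = b"constructed-demo-key-do-not-reuse"   # per-service secret (constructed)
TOKEN_LIFETIME = 300                                 # seconds


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, audience, key=SHARED_KEY, now=None):
    """Identity side: bind subject, audience and expiry together, then sign."""
    now = int(time.time()) if now is None else now
    payload = {"sub": subject, "aud": audience, "iat": now, "exp": now + TOKEN_LIFETIME}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token, expected_audience, key=SHARED_KEY, now=None):
    """Service side: returns the subject if the token is genuine, for us, and
    unexpired; otherwise None. Signature is checked before the payload is parsed."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):   # constant-time compare
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None                                          # malformed token
    if payload.get("aud") != expected_audience:
        return None                                          # issued for another service
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        return None                                          # expired or missing expiry
    return payload.get("sub")
```

The audience check is what stops a token obtained for one custom application from being presented to another that trusts the same key; the expiry bound limits how long a captured token stays usable.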

1.8 Web-based Management Console

Cloud Identity Manager runs as a stand-alone server and is configured by an administrator using a web-based Management Console accessible from a web browser. For information about installing Cloud Identity Manager as a stand-alone server, see the McAfee Cloud Identity Manager Installation Guide. For information about configuring Cloud Identity Manager in the Management Console, see the McAfee Cloud Identity Manager Product Guide.


1.9 Supported Environments

Cloud Identity Manager supports the following environments:

1.10 Supported Browsers

Cloud Identity Manager provides two types of browser support:

• Application Portal — For end users who seek access to SaaS and web applications through a portal using Cloud Identity Manager identity services, Cloud Identity Manager supports the following desktop and mobile web browsers. Note that Cloud Identity Manager services are running in the background and are not visible to the end user:
    Desktop browsers: Google Chrome 16; Mozilla Firefox 9; Microsoft Internet Explorer 7, 8, and 9; Safari 5.1.2
    Mobile browsers: Android 2.0 devices and WebKit browser; iOS devices and Safari browser

• Management Console — The Cloud Identity Manager Management Console is a web-based user interface that provides administrators with a single, central point of management and control through a web browser on a local computer. For Management Console administrators, Cloud Identity Manager supports the following desktop and mobile web browsers:
    Desktop browsers: Firefox 9; Internet Explorer 7, 8, and 9
    Mobile browsers: None are currently supported.

Architecture support by operating system version (table for section 1.9 Supported Environments):

Version                                                      IA-32   Intel® 64
Linux OS
    Red Hat Enterprise Linux Server and Advanced Platform 5.0  Yes     Yes
Windows OS
    Windows Server 2003 Standard Edition                       Yes     Yes
    Windows Server 2003 DataCenter Edition                     Yes     Yes
    Windows Server 2003 Enterprise Edition                     Yes     Yes
    Windows Server 2008                                        Yes     Yes


1.11 Available Documentation

The Cloud Identity Manager documentation set includes the following guides:

• McAfee Cloud Identity Manager Product Guide — A complete guide to the Management Console that covers the configuration tasks needed to administer Cloud Identity Manager.

• McAfee Cloud Identity Manager Developer’s Guide — Provides information for software developers who want to write custom Java code that extends Cloud Identity Manager functionality.

• McAfee Cloud Identity Manager Installation Guide — Includes the tasks and procedures that you need to install and remove Cloud Identity Manager as a stand-alone server on Microsoft Windows and Linux operating system platforms. The guide also includes how to start and stop the Cloud Identity Manager service after it is installed.

• McAfee Cloud Identity Manager Integration Guide — Provides instructions on how to integrate Java-based and .NET web applications that do not support SAML2 authentication with Cloud Identity Manager.

Note: In addition to these guides, there are separate guides that document how to configure the different Cloud Connectors. For more information, see the McAfee Cloud Identity Manager Product Guide.

1.12 Technical Support

For technical assistance, contact McAfee support by one of the following options:

Support portal: https://mysupport.mcafee.com

Phone number: 1-800-937-2237


2.0 Getting Started with the Management Console

The Cloud Identity Manager Management Console is a web-based user interface that provides administrators with a single, central point of management and control through a web browser on a local computer. For Management Console administrators, Cloud Identity Manager supports the following web browsers:

• Firefox 5 or later versions
• Internet Explorer 8 or later versions

2.1 The Login Page

To access the Management Console, enter a link with the following format in a supported web browser: https://hostname:portnumber/login.html.

hostname
    Specifies the name of the server on which Cloud Identity Manager is installed.

portnumber
    Specifies the port number of the server on which Cloud Identity Manager is installed. Default: 8443

Note: For information about installing Cloud Identity Manager, see the McAfee Cloud Identity Manager Installation Guide.


When the Management Console login page opens, type your user name and password in the Username and Password fields and click Log in. The initial user name and password are “admin” and “passwd” respectively. You can manage administrative users and passwords by selecting Admin Accounts from the Admin tab drop-down list. For more information, see section 12.5 Managing Admin Accounts.

The Management Console opens with the Cloud Connectors tab selected.

CAUTION: THE MANAGEMENT CONSOLE RUNS IN A SINGLE WEBPAGE. ALL NAVIGATION IS PART OF THE WEBPAGE ITSELF. USING YOUR BROWSER’S BACK, FORWARD, OR REFRESH BUTTONS CAN TAKE YOU OUT OF THE CONSOLE AND IN SOME CASES, CAN RESULT IN THE LOSS OF UNSAVED DATA.

2.2 Cloud Identity Manager Version Information

To view version information about Cloud Identity Manager, click the About link in the upper right corner of the Management Console. The About dialog box opens and displays the following information about the current Cloud Identity Manager release. Click Ok to close the dialog box.


2.3 The Management Console Dashboard

When you log on, the Cloud Identity Manager Management Console opens with the Cloud Connectors tab selected. In the following screenshot, you can see that the Console dashboard has four distinct areas:

• Configuration Tabs (A)
• Cloud Connectors (B)
• System Snapshots (C)
• Quick Access (D)

For more information about each area of the Management Console dashboard, see the following sections:

• 2.4 Management Console — Configuration Tabs (A)
• 2.5 Management Console — Cloud Connectors (B)
• 2.6 Management Console — System Snapshots (C)
• 2.7 Management Console — Quick Access (D)


2.4 Management Console — Configuration Tabs (A)

The Configuration Tabs area in the Management Console dashboard provides access to each of the Cloud Identity Manager functional areas through tabs, where administrators can create, configure, and manage Cloud Connectors, Application Adapters, and auditing policies and perform monitoring and administrative tasks.

The Management Console features the following six tabs and configuration areas. For an overview of each area, see the following sections:

• Cloud Connectors — See section 2.4.1 Cloud Connectors Tab.
• Application Adapters — See section 2.4.2 Application Adapters Tab.
• Logs — See section 2.4.3 Logs Tab.
• Monitoring — See section 2.4.4 Monitoring Tab.
• Addons — See section 2.4.5 Addons Tab.
• Admin — See section 2.4.6 Admin Tab.

2.4.1 Cloud Connectors Tab

The Management Console opens with the Cloud Connectors tab selected. From the Cloud Connectors tab drop-down list, you can open the following windows:

• Cloud Connectors — Cloud Connectors are the configurations that Cloud Identity Manager uses to provide SSO and SLO services to cloud applications. Each Cloud Connector configuration includes one Identity Connector.

• Identity Connectors — Identity Connectors are the configurations that allow Cloud Identity Manager to connect to and communicate with identity stores and authentication services. Identity stores are the directories that hold user accounts and identity information.


2.4.1.1 Cloud Connectors Window

In the Cloud Connectors window, you can manage the Cloud Connectors. The following table shows a few types of Cloud Connectors and the cloud applications they support:

Note: For more information about Cloud Connectors, see section 2.5 Management Console — Cloud Connectors (B).

2.4.1.2 Identity Connectors Window

In the Identity Connectors window, you can view, edit, create, and delete identity stores and Identity Connectors. Cloud Identity Manager supports two types of identity stores and five types of Identity Connectors, as follows:

Supported Identity Stores: LDAP, Active Directory (AD)

Supported Identity Connectors: LDAP, Integrated Windows Authentication with Active Directory (IWA-AD), Central Authentication Service (CAS), Authentication Chain, SAML2 Proxy

Note: For more information about identity stores and Identity Connectors, see section 4.0 Identity Connectors.

Cloud Connector types and the cloud applications they support (table for section 2.4.1.1 Cloud Connectors Window):

Cloud Connector Type   Cloud Application Type
Google                 Google applications
Salesforce             Salesforce applications
ECA360 Token           Custom web applications, such as Java-based or .NET applications
SAML2                  Applications that support the SAML 2.0 authentication profile
SAML2 Proxy            Enterprise applications through a public portal
OpenID                 Applications that support the OpenID authentication standard
Agresso                Opacus
HTTP Post              HTTP Server
User Defined           Customer applications
Schoology              Schoology applications


2.4.2 Application Adapters Tab

You can deploy Cloud Identity Manager as an authentication service in the cloud. When deployed in the cloud, Cloud Identity Manager accepts credentials from an Identity Provider, authenticates the user, and creates a custom token validating the user’s identity for the cloud application. To deploy Cloud Identity Manager as an authentication service in the cloud, configure an Application Adapter and a Cloud Authenticator in the Application Adapters tab in the Management Console.

Note: For more information about Cloud Authenticators and Application Adapters, see section 7.0 Cloud Application Trust Profile.

2.4.3 Logs Tab

From the Logs tab, you can access the Cloud Identity Manager audit logging and transaction and error logging features:

• Audit logging — The auditing feature uses an events-based auditing model that records all events generated by administrative user actions in the Management Console. Using the auditing feature, administrators can configure auditing policies that support the security and compliance requirements of each organization. For more information about audit logs, see section 8.0 Audit Logging.

• Transaction and error logging — The transaction and error logging feature keeps a log of transactions. A transaction, such as logging in, is defined as a completed identity service operation. Each transaction is a process with multiple steps. Cloud Identity Manager assigns each transaction a unique identifier and records the transaction steps in the log. For more information about transaction and error logging, see section 9.0 Transaction and Error Logging.


2.4.4 Monitoring Tab

From the Monitoring tab drop-down list, you can select the following options:

• Alerts — Select the Alerts option to view, filter, configure, download, and purge Alerts.
• Metrics — Select the Metrics option to filter events in the audit log.
• Login History — Select the Login History option to filter and view login and logout events triggered by administrative and enterprise users.

For more information about these features, see section 10.0 Alerts and Metrics.

2.4.5 Addons Tab

From the Addons tab drop-down list, you can select the following options:

• Identity Proxy — Select the Identity Proxy option to configure the Salesforce Connect for Outlook plug-in. The plug-in allows Salesforce and Outlook to share and synchronize data.

• OAuth Plugin — Select the OAuth Plugin option to configure an OAuth service in Cloud Identity Manager. OAuth is an authorization protocol that allows you to download data from a user account in a cloud application.

For more information about the Identity Proxy and OAuth Plugin services in Cloud Identity Manager, see section 11.0 Add-on Services.


2.4.6 Admin Tab

Many administrative tasks need to be performed only once or occasionally, or they are advanced configuration tasks that can be performed on an as-needed basis. From the Admin tab drop-down list, you can select the following administrative tasks:

• Database Management — Select the Database Management option to configure a connection to a new database. This is the database that Cloud Identity Manager uses to store audit logs and other system data. Alternatively, you can elect to store system data in a file. For more information, see section 12.1 Configure Data Storage in a File or New Database.

• Proxy Management — Select the Proxy Management option to configure a network proxy address. The network proxy address allows Cloud Identity Manager to communicate outside the local network. For more information, see section 12.2 Configure Network Proxy Addresses.

• Session Management — Select the Session Management option to specify a timeout value for each session a user establishes with an application. For more information, see section 12.3 Configure a Timeout Value for User Sessions.

• Portal Configuration — Select the Portal Configuration option to enable the use of your custom login, error, and portal pages. For more information, see section 12.4 Enable Your Custom Portal Configuration.

• Admin Accounts — Select the Admin Accounts option to configure one or more administrative user accounts. Administrative users have privileges to log on to the Management Console and configure Cloud Identity Manager. For more information, see section 12.5 Managing Admin Accounts.


• Certificate Management — Select the Certificate Management option to create a signing key pair for use when configuring Cloud Connectors. The signing key pair is a private key and public certificate: the private key signs the SAML assertion, and the public certificate lets the cloud application verify that signature. Some cloud applications require signed SAML assertions to authenticate users. For more information, see section 12.6 Certificate Management.

• Connector Management — Select the Connector Management option to open the Connector Plugins window, where you can view and manage all plug-in Cloud Connectors in the Cloud Identity Manager system. In this window, you can also install custom connector plug-ins. For more information, see section 12.7 Managing Cloud Connector Plug-ins.

• Export Configuration — Select the Export Configuration option to export the Cloud Identity Manager system configuration to a .zip file for backup or to import and reuse at a later time. For more information, see section 12.8 Export System Configuration Settings.

• Import Configuration — Select the Import Configuration option to import the Cloud Identity Manager system configuration from a .zip file created by the Export Configuration option. For more information, see section 12.9 Import System Configuration Settings.

• Restart Server — Select the Restart Server option to restart the Cloud Identity Manager server. For more information, see section 12.10 Restart the Cloud Identity Manager Service.

• License — Select the License option to import your license in the Management Console. This option is useful when Cloud Identity Manager is already installed and running and you want to upgrade from an evaluation license to a permanent license. For more information, see section 12.11 Import a License File.

• Domain Settings — Select the Domain Settings option to configure a fully qualified domain name (FQDN) for the server on which Cloud Identity Manager is installed. This setting ensures that users on other machines can access Cloud Identity Manager services. For more information, see section 12.12 Configure the Fully Qualified Domain Name.

• Miscellaneous Settings — Select the Miscellaneous Settings option to configure remote delivery of one-time passwords. For more information, see section 12.13 Configuring Remote OTP Settings.

• Language Settings — Select the Language Settings option to specify the language displayed in the Management Console. For more information, see section 12.14 Language Settings.

2.5 Management Console — Cloud Connectors (B)

The Management Console opens with the Cloud Connectors tab selected and the configured Cloud Connectors displayed in Carousel View:

In the Cloud Connectors tab in the Management Console, you can choose a Carousel View or a List View of the configured Cloud Connectors. You can click New Cloud Connector to open the cloud application wizard and create a new Cloud Connector. Last update shows the date when any Cloud Connector configuration was last updated by an administrator. The refresh button refreshes the Carousel or List view, as needed.

While the Carousel and List views have different formats, they display the same information with the following exception:

• Carousel View — Select this option to view the Cloud Connector’s type.

• List View — Select this option to view the name of the Identity Connector that is paired with the Cloud Connector.

For more information about Cloud Connectors, see section 3.0 Cloud Connectors.

2.5.1 Cloud Connectors — Carousel View

The Carousel view shows each Cloud Connector’s type and name. Cloud Connector types are represented by cloud symbols. The Cloud Connector name is displayed below the Cloud Connector type. This is the name that you specify when you create the Cloud Connector.

In the Carousel view, you can expand and collapse the Cloud Connectors area by clicking the arrow on the upper right. When there are more than four Cloud Connectors configured, you can scroll through them by clicking the arrows on the far left and right. To open a Cloud Connector in the cloud application wizard for viewing or modification, click on the cloud symbol. When you mouse over the cloud symbol, icons appear, presenting you with the following Cloud Connector management options: Edit, Duplicate, Troubleshoot, and Delete.

Note: For more information about the Cloud Connector management icons and options, see section 2.5.3 Cloud Connectors — Management Options.

2.5.2 Cloud Connectors — List View

In the Cloud Connectors List view, you can click the Edit, Duplicate, Troubleshoot, and Delete icons to access these Cloud Connector management options. For each Cloud Connector in the list, you can view the name of the Identity Connector that is part of its configuration.

Each page of the List view can display up to ten Cloud Connectors. When there are multiple pages, you can navigate between them using the First Page, Previous Page, Next Page, and Last Page buttons located below the list and to the left. Below the list and to the right, the total number of configured Cloud Connectors is displayed. In the following example, the total number of Cloud Connectors is 21, Page 2 is selected, and Cloud Connectors 11-20 are displayed:

2.5.3 Cloud Connectors — Management Options

In both the Carousel and List views, you can edit, duplicate, troubleshoot, and delete Cloud Connectors by clicking the following icons:

From left to right, the icons are:

• Edit — Clicking the Edit icon opens the Cloud Connector in the cloud application wizard and allows you to modify the configuration and save the changes.

• Duplicate — Clicking the Duplicate icon creates a Cloud Connector with the same name and configuration as the original Cloud Connector, except that “CopyOf” is prefixed to the name. Example: CopyOforiginalname

• Troubleshoot — Clicking the Troubleshoot icon opens three tabs:
— General Info — In the General Info tab, you can view configuration values for the specified Cloud Connector.
— Audit Logs — In the Audit Logs tab, you can configure and apply a filter to the Audit Log.
— Alerts — In the Alerts tab, you can configure and apply a filter to the Alerts log.

• Delete — When you click the Delete icon, you are prompted to confirm the deletion of the selected Cloud Connector.

2.5.3.1 How to Read the Summary Information in the General Info Tab

When you click the troubleshooting icon associated with a Cloud Connector, the General Info tab opens and displays summary information about the Cloud Connector’s configuration. The information is organized as follows:

Name — Specifies the name assigned to the Cloud Connector when it was created.

Identity Provider — Specifies the name of the Identity Connector that was selected when the Cloud Connector was configured.

Download Metadata (SAML2 Cloud Connectors) — Clicking this link allows you to open an XML file containing the SAML2 metadata configured for the Cloud Connector you are viewing, or to download the file to your web browser’s download directory.

Identity Connector — The Identity Connector area provides the following information:

Identity Connector Name — Specifies the name assigned to the Identity Connector when it was created.

Identity Connector Type — Specifies the type of Identity Connector. Supported types: LDAP, Integrated Windows Authentication with Active Directory, Central Authentication Service, Authentication Chain, SAML2 Proxy

Identity Store — Identifies the identity store by type and by the host name and port number of the server on which the identity store is installed. Example: LDAP:localhost:20389

Identity Store Type — Specifies the type of identity store. Supported types: LDAP, Active Directory

Application Endpoint Location — The Application Endpoint Location URLs are used by the end user to access the Cloud Identity Manager SSO and SLO services directly when SSO and SLO are initiated by the Identity Provider (IdP-initiated SSO and SLO):

SSO Service — Specifies the URL of the Cloud Identity Manager SSO service.

SLO Service — Specifies the URL of the Cloud Identity Manager SLO service.

Service Connection Endpoint Location — The Service Connection Endpoint Location URLs are used by the Service Provider when initiating SSO and SLO (SP-initiated SSO and SLO):

SSO Service — Specifies the URL of the Cloud Identity Manager SSO service used by the Service Provider when initiating SSO (SP-initiated SSO). Note: Copy and paste this URL in the corresponding field when configuring SSO on the Service Provider side.

SLO Service — Specifies the URL of the Cloud Identity Manager SLO service used by the Service Provider when initiating SLO (SP-initiated SLO). Note: Copy and paste this URL in the corresponding field when configuring SLO on the Service Provider side.

SSO Demo Service — The SSO Demo Service area provides the URL and an alias that you can use to access the Cloud Identity Manager SSO service through a portal:

SSO test URL — Specifies the URL that you can use to access the Cloud Identity Manager SSO service through a portal.

Alias — Specifies a short name that you can use in place of the longer URL to access the Cloud Identity Manager SSO service through a portal.

2.6 Management Console — System Snapshots (C)

When Carousel View is selected in the Cloud Connectors window or Application Adapters window in the Management Console, you can view snapshots or graphs of the overall functioning of the Cloud Identity Manager system during the most recent 30-minute period. In the Cloud Connectors window, the graphs apply to all Cloud Connectors. In the Application Adapters window, the graphs apply to all Application Adapters.

Along the horizontal axis of the graphs, the most recent 30-minute period is shown in 24-hour time at five-minute intervals. The graph on the left shows the number of sign-in and sign-out events over this period. The graph is divided in half by a horizontal line labeled 0.0. The number of sign-in events and sign-out events at any point in time are plotted above and below this line, respectively.

The graph on the right shows the number of alerts across the most recent 30-minute period.

Note: The titles of the graphs correspond to the configuration you are viewing. For example, on the Cloud Connectors screen, the graphs are entitled Sign In/Sign Outs Across All SSO Applications and Alerts Across All SSO Applications. On the Application Adapters screen, the graphs are entitled Sign In/Sign Outs Across All Application Adapters and Alerts Across All Application Adapters.

2.7 Management Console — Quick Access (D)

The bottom area of the Management Console provides another snapshot of Cloud Identity Manager as well as quick access to key configurations already in the system. It consists of three parts: Alerts, Identity Connectors or Cloud Authenticators, and Service Provider Integration Kits.

Note: Identity Connectors are displayed when the Cloud Connectors tab is selected. Cloud Authenticators are displayed when the Application Adapters tab is selected.

• Alerts — Lists the date and time of the most recent alerts. You can view details about each alert by clicking System Alert. The Alert Detail area opens and shows the severity and a summary of the selected alert. Clicking See All Alerts opens the Alerts window in the Monitoring tab. In the Alerts window, you can filter existing alerts and create and configure new event audit policies that generate alerts.

Note: For more information about alerts, see section 10.1 Alerts.

• Identity Connectors or Cloud Authenticators — Lists the most recently configured Identity Connectors or Cloud Authenticators in the system. You can click each Identity Connector or Cloud Authenticator to view or modify its configuration. Clicking See All opens the Identity Connectors or Cloud Authenticators window. You can use preconfigured Identity Connectors and Cloud Authenticators when configuring new Cloud Connectors and Application Adapters, respectively.

Note: For more information about Identity Connectors, see section 4.0 Identity Connectors. For more information about Cloud Authenticators, see section 7.4 Cloud Authenticators.

• Service Provider Integration Kits — Lists the Service Providers that have preconfigured connectors built into Cloud Identity Manager. To view the built-in configurations for user provisioning, click the Service Provider names in the list.

Note: This shortcut to the Service Provider Integration Kits is only available when Carousel View is selected in the Cloud Connectors window.

Clicking Google opens the View User Provisioning Plugin for ‘google’ dialog box. The SaaS Connection Parameters area shows the user attributes that Google expects when connecting to Cloud Identity Manager. The SaaS Account Profile area shows the user attributes that Google expects when the user’s account is provisioned in Google. For more information about Google connectors, see the McAfee Cloud Identity Manager Google Cloud Connector Guide.

Clicking Salesforce opens the View User Provisioning Plugin for ‘salesforce’ dialog box. The SaaS Connection Parameters area shows the user attributes that Salesforce expects when connecting to Cloud Identity Manager. The SaaS Account Profile area shows the user attributes that Salesforce expects when the user’s account is provisioned in Salesforce. Since Salesforce expects up to 12 user attributes, they are shown on two pages. Page 1 shows user attributes 1-6. Page 2 shows user attributes 7-12. For more information about Salesforce connectors, see the McAfee Cloud Identity Manager Salesforce Cloud Connector Guide.

2.8 Configuration Wizards

The Management Console includes wizards or step-by-step guides for configuring many Cloud Identity Manager components, including wizards for the primary components in the following list. For more information about each wizard, see the corresponding section:

• Cloud Connectors — See section 3.0 Cloud Connectors.

• Authentication Modules — See section 5.2 Authentication Modules.

• Application Adapters — See section 7.5 The Application Adapter Wizard.

• Alerts — See section 10.1.1 Configuring an Alert.

When you open a wizard, such as the New Cloud Connector wizard, in the Management Console, the steps in the wizard are displayed in a menu on the left. You can view any step in the wizard by clicking it on the menu.

The menu icons provide status information about each configuration step:

Indicates that configuration of the step has not started.

Indicates that configuration of the step is complete.

Indicates that configuration of the step is not complete.

3.0 Cloud Connectors

A Cloud Connector is the configuration that allows Cloud Identity Manager to connect to and provide services for a cloud application. For example, a Salesforce Cloud Connector is the configuration that allows Cloud Identity Manager to connect to a Salesforce application, such as Sales Cloud 2, and to provide SSO, SLO, and other services.

Cloud Connectors are configured in the Cloud Connector wizard. The Cloud Connector types share some, but not all, of the configuration steps in the wizard. For example, all Connectors have the initial Application Type and Identity Connector steps and the Review step in common. The remaining wizard steps, however, can be different for each type of Cloud Connector.

For more information about Cloud Connectors, see the following sections:

1. Understanding the Cloud Connector Types — See section 3.1 Understanding the Cloud Connector Types.

2. Viewing the Built-in Cloud Connector Types — See section 3.2 Viewing the Built-in Cloud Connector Types.

3. Viewing the Plug-in Cloud Connector Types — See section 3.3 Viewing the Plug-in Cloud Connector Types.

4. Cloud Connector Reference — For a list of all supported Cloud Connectors and the name of the User Guide to consult for each Connector, see section 3.4 Cloud Connector Reference.

3.1 Understanding the Cloud Connector Types

Cloud Identity Manager offers a variety of built-in and plug-in Cloud Connectors that simplify the configuration of single sign-on to SaaS and web applications. In the SaaS model, the Service Provider hosts the application and data in the cloud, and end users access the hosted service over the Internet through a web browser on a local computer. To view all Cloud Connector types, see section 3.4 Cloud Connector Reference.

3.1.1 Built-in and Plug-in Cloud Connectors

While the plug-in Cloud Connectors can be installed, disabled, enabled, deleted, and modified, the built-in Cloud Connectors are part of the Cloud Identity Manager system and cannot be managed in any way. For more information about managing plug-in Cloud Connectors, see section 12.7 Managing Cloud Connector Plug-ins.

Cloud Identity Manager supports the following types of SaaS and web applications with built-in or plug-in Cloud Connectors. Not all supported types are listed:

• Cloud Connectors for cloud applications that support SAML2 authentication — Cloud Identity Manager provides both built-in and plug-in SAML2 Cloud Connectors, including the following examples.
Built-in SAML2 Connectors: Agresso, Google, Office 365, and Salesforce
Plug-in SAML2 Connectors: BoxNet, EchoSign, ServiceNow, SuccessFactors, SugarCRM, WebEx, and Zoho

• Generic Cloud Connector for SAML2 cloud applications — Cloud Identity Manager provides a generic SAML2 Cloud Connector for any cloud application that supports SAML2 authentication, but is not included in the Cloud Identity Manager application catalog.

• Cloud Connectors for cloud applications running on an HTTP server — Cloud Identity Manager provides plug-in HTTP POST Cloud Connectors for many cloud applications, including Bill, Carbonite, ConstantContact, Deskaway, DropBox, EchoSpan, Expensify, GetSatisfaction, HubSpot, InsideView, LinkedIn, LogMeIn, LogMeInRescue, MailChimp, Atlassian, Recurly, RemedyForce, ServiceMax, TribeHR, Twitter, and VerticalResponse.

• Generic Cloud Connector for HTTP POST cloud applications — Cloud Identity Manager provides a generic HTTP POST Cloud Connector for any cloud application that runs on an HTTP server, but is not included in the Cloud Identity Manager application catalog.

• Custom Cloud Connector for .NET and Java-based web applications — Cloud Identity Manager provides a built-in custom Cloud Connector type named ECA360 Token for .NET and Java-based web applications.

• One-of-a-kind Cloud Connectors for cloud applications that support single sign-on using a custom method — Cloud Identity Manager provides built-in one-of-a-kind Cloud Connectors for applications that use a custom SSO method, including NetSuite and Schoology.

• Cloud Connectors for other cloud applications and SSO types — Cloud Identity Manager provides built-in Cloud Connectors for other cloud applications and SSO types, including Generic OpenID, Impersonation (Kerberos), and SharePoint (WS-Federation).

3.2 Viewing the Built-in Cloud Connector Types

To view the built-in Cloud Connector types, click New Cloud Connector in the Cloud Connectors tab in the Management Console. The Cloud Connector wizard opens at the Cloud Application Type step. In the following screenshot, Salesforce is selected as the new cloud application type, and “salesforce-sales” is specified as the new cloud application name.

Similarly, each of the other Cloud Connector types can be selected and assigned names. We recommend assigning meaningful names that provide some information about the Cloud Connector. For example, “salesforce-sales” conveys that the application type is Salesforce and the particular Salesforce application is Sales.

The navigation pane in the New Cloud Connector wizard lists the configuration steps for the selected cloud application type. To view the configuration steps for any cloud application type, click the corresponding cloud icon. For example, the preceding screenshot shows that a Salesforce Cloud Connector has the following configuration steps. While not all steps are required, they are listed in the order that you complete them in the Cloud Connector wizard:

1. Cloud Application Type (current step)
2. Identity Connector
3. SAML Credential Mapping
4. SAML Assertion
5. Just-in-Time User Provisioning
6. Authorization Enforcement
7. Review

Note: To view the plug-in Cloud Connector types, click More>. For more information, see section 3.3 Viewing the Plug-in Cloud Connector Types.

3.3 Viewing the Plug-in Cloud Connector Types

To view the plug-in Cloud Connector types, click More on the Cloud Application Type step of the Cloud Connector wizard. The More Applications window opens.

In this window, the plug-in applications are displayed alphabetically. To view the applications by category, select the categories in the list on the left side. For example, there are two applications in the Expense Management category. When you select it, Concur and Coupa are the only applications displayed.

You can filter the current view by typing one or more letters in the Filter Application Type field. For example, when you type a “b” in the field, only applications whose names contain the letter b are displayed.

To select an application, click it, and then click Ok. The More Applications dialog box closes, and the selected application is added to the window on the Cloud Application Type step of the Cloud Connector wizard.

3.4 Cloud Connector Reference

In the Cloud Connectors tab in the Management Console, you can view, edit, create, duplicate, troubleshoot, and delete the supported types of Cloud Connectors. For more information about each type, see the following guides:

Connector Type    SSO Type    McAfee Cloud Identity Manager Cloud Connector Guide

37signals HTTP POST Built-in HTTP POST Cloud Connector Guide

Accellion Custom Accellion Cloud Connector Guide

AceProjects HTTP POST Built-in HTTP POST Cloud Connector Guide

ActiveCollab HTTP POST Built-in HTTP POST Cloud Connector Guide

ActiveHosted HTTP POST Built-in HTTP POST Cloud Connector Guide

AdaptivePlanning HTTP POST Built-in HTTP POST Cloud Connector Guide

AddThis HTTP POST Built-in HTTP POST Cloud Connector Guide

AdknowledgeAdvertiser HTTP POST Built-in HTTP POST Cloud Connector Guide

AdminiTrack HTTP POST Built-in HTTP POST Cloud Connector Guide

ADP SAML 2.0 ADP Cloud Connector Guide

AdReady HTTP POST Built-in HTTP POST Cloud Connector Guide

ADrive HTTP POST Built-in HTTP POST Cloud Connector Guide

AdSpeed HTTP POST Built-in HTTP POST Cloud Connector Guide

AerLingus HTTP POST Built-in HTTP POST Cloud Connector Guide

Agresso SAML 2.0 Agresso Cloud Connector Guide

AirCanada HTTP POST Built-in HTTP POST Cloud Connector Guide

AllClients HTTP POST Built-in HTTP POST Cloud Connector Guide

AmazonAWS Custom AmazonAWS Cloud Connector Guide

AmericanAirlines HTTP POST Built-in HTTP POST Cloud Connector Guide

AppHarbor HTTP POST Built-in HTTP POST Cloud Connector Guide

ApplicantStack HTTP POST Built-in HTTP POST Cloud Connector Guide

AppMakr HTTP POST Built-in HTTP POST Cloud Connector Guide

AppShore HTTP POST Built-in HTTP POST Cloud Connector Guide

Appsplit HTTP POST Built-in HTTP POST Cloud Connector Guide

ArenaSolutionsBOMControl HTTP POST Built-in HTTP POST Cloud Connector Guide

ArenaSolutionsPartsList HTTP POST Built-in HTTP POST Cloud Connector Guide

ArenaSolutionsPDXViewer HTTP POST Built-in HTTP POST Cloud Connector Guide

AribaExchange HTTP POST Built-in HTTP POST Cloud Connector Guide

Asana HTTP POST Built-in HTTP POST Cloud Connector Guide

Atlassian HTTP POST Built-in HTTP POST Cloud Connector Guide

AtMail HTTP POST Built-in HTTP POST Cloud Connector Guide

Balsamiq HTTP POST Built-in HTTP POST Cloud Connector Guide

BarracudaNetworks HTTP POST Built-in HTTP POST Cloud Connector Guide

BeanStalk HTTP POST Built-in HTTP POST Cloud Connector Guide

BetterLesson HTTP POST Built-in HTTP POST Cloud Connector Guide

BidSpeed HTTP POST Built-in HTTP POST Cloud Connector Guide

BigCommerce HTTP POST Built-in HTTP POST Cloud Connector Guide

Bijk HTTP POST Built-in HTTP POST Cloud Connector Guide

Bill HTTP POST Built-in HTTP POST Cloud Connector Guide

BillingOrchard HTTP POST Built-in HTTP POST Cloud Connector Guide

Bime HTTP POST Built-in HTTP POST Cloud Connector Guide

BlueFolder HTTP POST Built-in HTTP POST Cloud Connector Guide

Bontq HTTP POST Built-in HTTP POST Cloud Connector Guide

BookFresh HTTP POST Built-in HTTP POST Cloud Connector Guide

Box HTTP POST Built-in HTTP POST Cloud Connector Guide

BoxNet SAML 2.0 BoxNet Cloud Connector Guide

BrightCove HTTP POST Built-in HTTP POST Cloud Connector Guide

Brightpearl HTTP POST Built-in HTTP POST Cloud Connector Guide

BTwoBee HTTP POST Built-in HTTP POST Cloud Connector Guide

Buffer HTTP POST Built-in HTTP POST Cloud Connector Guide

BugAware HTTP POST Built-in HTTP POST Cloud Connector Guide

BugHost HTTP POST Built-in HTTP POST Cloud Connector Guide

BUGtrack HTTP POST Built-in HTTP POST Cloud Connector Guide

BusinessExchange HTTP POST Built-in HTTP POST Cloud Connector Guide

CacheFly HTTP POST Built-in HTTP POST Cloud Connector Guide

CakeMail HTTP POST Built-in HTTP POST Cloud Connector Guide

CampaignMonitor HTTP POST Built-in HTTP POST Cloud Connector Guide

CapsuleCRM HTTP POST Built-in HTTP POST Cloud Connector Guide

Captoom HTTP POST Built-in HTTP POST Cloud Connector Guide

Carbonite HTTP POST Built-in HTTP POST Cloud Connector Guide

Care2 HTTP POST Built-in HTTP POST Cloud Connector Guide

CDW-G HTTP POST Built-in HTTP POST Cloud Connector Guide

Celoxis HTTP POST Built-in HTTP POST Cloud Connector Guide

CheckFront HTTP POST Built-in HTTP POST Cloud Connector Guide

Clarizen SAML 2.0 Clarizen Cloud Connector Guide

ClearOS HTTP POST Built-in HTTP POST Cloud Connector Guide

ClickTime HTTP POST Built-in HTTP POST Cloud Connector Guide

Clicktools HTTP POST Built-in HTTP POST Cloud Connector Guide

ClientSpot HTTP POST Built-in HTTP POST Cloud Connector Guide

Cloudbees HTTP POST Built-in HTTP POST Cloud Connector Guide

CloudFlare HTTP POST Built-in HTTP POST Cloud Connector Guide

CloudSharePro HTTP POST Built-in HTTP POST Cloud Connector Guide

Cloudwords HTTP POST Built-in HTTP POST Cloud Connector Guide

CodebaseHQ HTTP POST Built-in HTTP POST Cloud Connector Guide

Concur HTTP POST Built-in HTTP POST Cloud Connector Guide

ConstantContact HTTP POST Built-in HTTP POST Cloud Connector Guide

ContactChamp HTTP POST Built-in HTTP POST Cloud Connector Guide

Contactology HTTP POST Built-in HTTP POST Cloud Connector Guide

ConvertExperiments HTTP POST Built-in HTTP POST Cloud Connector Guide

Coupa SAML 2.0 Coupa Cloud Connector Guide

Cozimo HTTP POST Built-in HTTP POST Cloud Connector Guide

Craigslist HTTP POST Built-in HTTP POST Cloud Connector Guide

CrazyEgg HTTP POST Built-in HTTP POST Cloud Connector Guide

CriteriaHireSelect HTTP POST Built-in HTTP POST Cloud Connector Guide

CrunchBase HTTP POST Built-in HTTP POST Cloud Connector Guide

Danaher HTTP POST Built-in HTTP POST Cloud Connector Guide

DeltaSkyMiles HTTP POST Built-in HTTP POST Cloud Connector Guide

Desk HTTP POST Built-in HTTP POST Cloud Connector Guide

Deskaway HTTP POST Built-in HTTP POST Cloud Connector Guide

DeskCustom Custom DeskCustom Cloud Connector Guide

Diigo HTTP POST Built-in HTTP POST Cloud Connector Guide

DirectIQ HTTP POST Built-in HTTP POST Cloud Connector Guide

DNSstuff HTTP POST Built-in HTTP POST Cloud Connector Guide

dotPhoto HTTP POST Built-in HTTP POST Cloud Connector Guide

DropSend HTTP POST Built-in HTTP POST Cloud Connector Guide

EBSuiteCRM HTTP POST Built-in HTTP POST Cloud Connector Guide

ECA360Token Custom ECA360 Token Cloud Connector Guide

EchoSign SAML 2.0 EchoSign Cloud Connector Guide

EchoSpan HTTP POST Built-in HTTP POST Cloud Connector Guide

Edmodo HTTP POST Built-in HTTP POST Cloud Connector Guide

edocr HTTP POST Built-in HTTP POST Cloud Connector Guide

EggZack HTTP POST Built-in HTTP POST Cloud Connector Guide

Egnyte SAML 2.0 Egnyte Cloud Connector Guide

eIFRS HTTP POST Built-in HTTP POST Cloud Connector Guide

Elementool HTTP POST Built-in HTTP POST Cloud Connector Guide

EliteEmail HTTP POST Built-in HTTP POST Cloud Connector Guide

Eloqua HTTP POST Built-in HTTP POST Cloud Connector Guide

EmailBrain HTTP POST Built-in HTTP POST Cloud Connector Guide

EmpireAvenue HTTP POST Built-in HTTP POST Cloud Connector Guide

Endomondo HTTP POST Built-in HTTP POST Cloud Connector Guide

EngineYard HTTP POST Built-in HTTP POST Cloud Connector Guide

EnterpriseWizardEndUser HTTP POST Built-in HTTP POST Cloud Connector Guide

EnterpriseWizardStaff HTTP POST Built-in HTTP POST Cloud Connector Guide

Enthusem HTTP POST Built-in HTTP POST Cloud Connector Guide

EStreamDesk Custom EStreamDesk Cloud Connector Guide

Etsy HTTP POST Built-in HTTP POST Cloud Connector Guide

ExpenseCloud HTTP POST Built-in HTTP POST Cloud Connector Guide

Expensify HTTP POST Built-in HTTP POST Cloud Connector Guide

EzineArticles HTTP POST Built-in HTTP POST Cloud Connector Guide

FanTools HTTP POST Built-in HTTP POST Cloud Connector Guide

FatWallet HTTP POST Built-in HTTP POST Cloud Connector Guide

FaxItNice HTTP POST Built-in HTTP POST Cloud Connector Guide

FedEx HTTP POST Built-in HTTP POST Cloud Connector Guide

FengOffice HTTP POST Built-in HTTP POST Cloud Connector Guide

Fidessa HTTP POST Built-in HTTP POST Cloud Connector Guide

FilesAnywhere HTTP POST Built-in HTTP POST Cloud Connector Guide

FivePM HTTP POST Built-in HTTP POST Cloud Connector Guide

Flavors.me HTTP POST Built-in HTTP POST Cloud Connector Guide

Flickr HTTP POST Built-in HTTP POST Cloud Connector Guide

FlipDrive HTTP POST Built-in HTTP POST Cloud Connector Guide

FluidSurveys HTTP POST Built-in HTTP POST Cloud Connector Guide

Flurry HTTP POST Built-in HTTP POST Cloud Connector Guide

FogBugz HTTP POST Built-in HTTP POST Cloud Connector Guide

Fonality HTTP POST Built-in HTTP POST Cloud Connector Guide

Force.com SAML 2.0 Salesforce Cloud Connector Guide

FormStack HTTP POST Built-in HTTP POST Cloud Connector Guide

Fotki HTTP POST Built-in HTTP POST Cloud Connector Guide

Freckle HTTP POST Built-in HTTP POST Cloud Connector Guide

FreeAgent HTTP POST Built-in HTTP POST Cloud Connector Guide

FreeOnlineSurveys HTTP POST Built-in HTTP POST Cloud Connector Guide

FreshBooks HTTP POST Built-in HTTP POST Cloud Connector Guide

Freshdesk Custom Freshdesk Cloud Connector Guide

FuseMail HTTP POST Built-in HTTP POST Cloud Connector Guide

GeoOp HTTP POST Built-in HTTP POST Cloud Connector Guide

Geotoko HTTP POST Built-in HTTP POST Cloud Connector Guide

GetDashboard HTTP POST Built-in HTTP POST Cloud Connector Guide

GetSatisfaction HTTP POST Built-in HTTP POST Cloud Connector Guide

GigPark HTTP POST Built-in HTTP POST Cloud Connector Guide

Ginzametrics HTTP POST Built-in HTTP POST Cloud Connector Guide

Glance HTTP POST Built-in HTTP POST Cloud Connector Guide

Gliffy HTTP POST Built-in HTTP POST Cloud Connector Guide

GlobalFolders HTTP POST Built-in HTTP POST Cloud Connector Guide

Connector Type SSO Type McAfee Cloud Identity ManagerCloud Connector Guide

44 McAfee Cloud Identity Manager 3.5 Product Guide

Page 45: McAfee Cloud Identity Manager Product Guideb2b-download.mcafee.com/products/evaluation/Intel/...McAfee Cloud Identity Manager 3.5 Product Guide

goFMS HTTP POST Built-in HTTP POST Cloud Connector Guide

Google SAML 2.0 Google Cloud Connector Guide

GoSquared SAML 2.0 Google Cloud Connector Guide

GrapevineSurveys SAML 2.0 Google Cloud Connector Guide

Gravatar HTTP POST Built-in HTTP POST Cloud Connector Guide

GreenRope HTTP POST Built-in HTTP POST Cloud Connector Guide

Grockit HTTP POST Built-in HTTP POST Cloud Connector Guide

HeapCRM HTTP POST Built-in HTTP POST Cloud Connector Guide

HelpOnClick HTTP POST Built-in HTTP POST Cloud Connector Guide

Heroku HTTP POST Built-in HTTP POST Cloud Connector Guide

HiltonHotels HTTP POST Built-in HTTP POST Cloud Connector Guide

HipChat HTTP POST Built-in HTTP POST Cloud Connector Guide

HootSuite HTTP POST Built-in HTTP POST Cloud Connector Guide

HostAnalytics SAML 2.0 HostAnalytics Cloud Connector Guide

Hotels.com HTTP POST Built-in HTTP POST Cloud Connector Guide

Hotwire HTTP POST Built-in HTTP POST Cloud Connector Guide

HTTP POST Generic HTTP POST Generic HTTP POST Cloud Connector Guide

HtwoDesk HTTP POST Built-in HTTP POST Cloud Connector Guide

HubPages HTTP POST Built-in HTTP POST Cloud Connector Guide

HubSpot HTTP POST Built-in HTTP POST Cloud Connector Guide

Iacez HTTP POST Built-in HTTP POST Cloud Connector Guide

iContact HTTP POST Built-in HTTP POST Cloud Connector Guide

iCyte HTTP POST Built-in HTTP POST Cloud Connector Guide

IdeaScale Custom IdeaScale Cloud Connector Guide

IDrive HTTP POST Built-in HTTP POST Cloud Connector Guide

ImpelCRM HTTP POST Built-in HTTP POST Cloud Connector Guide

Impersonation Kerberos Impersonation Cloud Connector Guide

Indicee HTTP POST Built-in HTTP POST Cloud Connector Guide

InDinero HTTP POST Built-in HTTP POST Cloud Connector Guide

InformaticaCommunity HTTP POST Built-in HTTP POST Cloud Connector Guide

InsideSales HTTP POST Built-in HTTP POST Cloud Connector Guide

InsideView HTTP POST Built-in HTTP POST Cloud Connector Guide

InstantSurvey HTTP POST Built-in HTTP POST Cloud Connector Guide

Instapaper HTTP POST Built-in HTTP POST Cloud Connector Guide

IntelForum HTTP POST Built-in HTTP POST Cloud Connector Guide

Interstate HTTP POST Built-in HTTP POST Cloud Connector Guide

Intervals HTTP POST Built-in HTTP POST Cloud Connector Guide

IntuitQuickBooks HTTP POST Built-in HTTP POST Cloud Connector Guide

InvoiceDude HTTP POST Built-in HTTP POST Cloud Connector Guide

Connector Type SSO Type McAfee Cloud Identity ManagerCloud Connector Guide

McAfee Cloud Identity Manager 3.5 Product Guide 45

Page 46: McAfee Cloud Identity Manager Product Guideb2b-download.mcafee.com/products/evaluation/Intel/...McAfee Cloud Identity Manager 3.5 Product Guide

InvoiceJournal HTTP POST Built-in HTTP POST Cloud Connector Guide

InvoiceMachine HTTP POST Built-in HTTP POST Cloud Connector Guide

InvoicePlace HTTP POST Built-in HTTP POST Cloud Connector Guide

Invoicera HTTP POST Built-in HTTP POST Cloud Connector Guide

Invotrak HTTP POST Built-in HTTP POST Cloud Connector Guide

Jigsaw HTTP POST Built-in HTTP POST Cloud Connector Guide

Jira HTTP POST Built-in HTTP POST Cloud Connector Guide

JitbitHelpDesk HTTP POST Built-in HTTP POST Cloud Connector Guide

JitbitKnowledgeBase HTTP POST Built-in HTTP POST Cloud Connector Guide

Jive SAML 2.0 Jive Cloud Connector Guide

JobScoreJobSeeker HTTP POST Built-in HTTP POST Cloud Connector Guide

Jobvite HTTP POST Built-in HTTP POST Cloud Connector Guide

JoyentCloud HTTP POST Built-in HTTP POST Cloud Connector Guide

KarmaCRM HTTP POST Built-in HTTP POST Cloud Connector Guide

KashFlow HTTP POST Built-in HTTP POST Cloud Connector Guide

Ketera HTTP POST Built-in HTTP POST Cloud Connector Guide

KeySurvey HTTP POST Built-in HTTP POST Cloud Connector Guide

KnowledgeTree HTTP POST Built-in HTTP POST Cloud Connector Guide

LeadMaster HTTP POST Built-in HTTP POST Cloud Connector Guide

LessAnnoyingCRM HTTP POST Built-in HTTP POST Cloud Connector Guide

LetterGenie HTTP POST Built-in HTTP POST Cloud Connector Guide

LightCMS HTTP POST Built-in HTTP POST Cloud Connector Guide

Lijit HTTP POST Built-in HTTP POST Cloud Connector Guide

LinkedIn HTTP POST Built-in HTTP POST Cloud Connector Guide

LiquidPlanner HTTP POST Built-in HTTP POST Cloud Connector Guide

Litmos HTTP POST Built-in HTTP POST Cloud Connector Guide

LiveChat HTTP POST Built-in HTTP POST Cloud Connector Guide

LivePerson HTTP POST Built-in HTTP POST Cloud Connector Guide

LogMeIn HTTP POST Built-in HTTP POST Cloud Connector Guide

LogMeInRescue HTTP POST Built-in HTTP POST Cloud Connector Guide

Lokad HTTP POST Built-in HTTP POST Cloud Connector Guide

LongJump SAML 2.0 LongJump Cloud Connector Guide

LoopFuse HTTP POST Built-in HTTP POST Cloud Connector Guide

LucidChart HTTP POST Built-in HTTP POST Cloud Connector Guide

LuxorCRM HTTP POST Built-in HTTP POST Cloud Connector Guide

MaaS360 HTTP POST Built-in HTTP POST Cloud Connector Guide

MailChimp HTTP POST Built-in HTTP POST Cloud Connector Guide

Mals-e HTTP POST Built-in HTTP POST Cloud Connector Guide

Marketo SAML 2.0 Marketo Cloud Connector Guide

Connector Type SSO Type McAfee Cloud Identity ManagerCloud Connector Guide

46 McAfee Cloud Identity Manager 3.5 Product Guide

Page 47: McAfee Cloud Identity Manager Product Guideb2b-download.mcafee.com/products/evaluation/Intel/...McAfee Cloud Identity Manager 3.5 Product Guide

MarriottHotels HTTP POST Built-in HTTP POST Cloud Connector Guide

McAfeeSaaSEmail Custom McAfeeSaaSEmail Cloud Connector Guide

Meetup HTTP POST Built-in HTTP POST Cloud Connector Guide

Metacafe HTTP POST Built-in HTTP POST Cloud Connector Guide

Metricly HTTP POST Built-in HTTP POST Cloud Connector Guide

MFG HTTP POST Built-in HTTP POST Cloud Connector Guide

MindSalt HTTP POST Built-in HTTP POST Cloud Connector Guide

Mint HTTP POST Built-in HTTP POST Cloud Connector Guide

Mixpanel HTTP POST Built-in HTTP POST Cloud Connector Guide

MongoHQ HTTP POST Built-in HTTP POST Cloud Connector Guide

MongoLab HTTP POST Built-in HTTP POST Cloud Connector Guide

MyERP HTTP POST Built-in HTTP POST Cloud Connector Guide

myPhotopipe HTTP POST Built-in HTTP POST Cloud Connector Guide

Neosites HTTP POST Built-in HTTP POST Cloud Connector Guide

Netbiscuits HTTP POST Built-in HTTP POST Cloud Connector Guide

NetDocuments HTTP POST Built-in HTTP POST Cloud Connector Guide

NetSuite Custom NetSuite Cloud Connector Guide

NewRelic HTTP POST Built-in HTTP POST Cloud Connector Guide

Nexonia HTTP POST Built-in HTTP POST Cloud Connector Guide

NexTag HTTP POST Built-in HTTP POST Cloud Connector Guide

NMQuote HTTP POST Built-in HTTP POST Cloud Connector Guide

Nomadesk HTTP POST Built-in HTTP POST Cloud Connector Guide

NomadeskPartner HTTP POST Built-in HTTP POST Cloud Connector Guide

Nozbe HTTP POST Built-in HTTP POST Cloud Connector Guide

Nutshell HTTP POST Built-in HTTP POST Cloud Connector Guide

Office 365 SAML 2.0 Microsoft Office 365 Cloud Connector Guide

OfficeDrop HTTP POST Built-in HTTP POST Cloud Connector Guide

OneHub HTTP POST Built-in HTTP POST Cloud Connector Guide

OnePlace HTTP POST Built-in HTTP POST Cloud Connector Guide

OnSIPAdmin HTTP POST Built-in HTTP POST Cloud Connector Guide

ooVoo HTTP POST Built-in HTTP POST Cloud Connector Guide

OpenDrive HTTP POST Built-in HTTP POST Cloud Connector Guide

OpenID Generic OpenID OpenID Cloud Connector Guide

Oprius HTTP POST Built-in HTTP POST Cloud Connector Guide

OrangeHRMLive HTTP POST Built-in HTTP POST Cloud Connector Guide

Orbitz HTTP POST Built-in HTTP POST Cloud Connector Guide

Osmek HTTP POST Built-in HTTP POST Cloud Connector Guide

OWA2K10 HTTP POST Built-in HTTP POST Cloud Connector Guide

OWA2K7 HTTP POST Built-in HTTP POST Cloud Connector Guide

Connector Type SSO Type McAfee Cloud Identity ManagerCloud Connector Guide

McAfee Cloud Identity Manager 3.5 Product Guide 47

Page 48: McAfee Cloud Identity Manager Product Guideb2b-download.mcafee.com/products/evaluation/Intel/...McAfee Cloud Identity Manager 3.5 Product Guide

PageDNA HTTP POST Built-in HTTP POST Cloud Connector Guide

Paymo HTTP POST Built-in HTTP POST Cloud Connector Guide

PBase HTTP POST Built-in HTTP POST Cloud Connector Guide

Pbworks HTTP POST Built-in HTTP POST Cloud Connector Guide

Pingdom HTTP POST Built-in HTTP POST Cloud Connector Guide

Pipedrive HTTP POST Built-in HTTP POST Cloud Connector Guide

PipelineDeals HTTP POST Built-in HTTP POST Cloud Connector Guide

PitneyBowes HTTP POST Built-in HTTP POST Cloud Connector Guide

PlanDone HTTP POST Built-in HTTP POST Cloud Connector Guide

Plaxo HTTP POST Built-in HTTP POST Cloud Connector Guide

Podio HTTP POST Built-in HTTP POST Cloud Connector Guide

Polldaddy HTTP POST Built-in HTTP POST Cloud Connector Guide

PollEverywhere HTTP POST Built-in HTTP POST Cloud Connector Guide

PressKing HTTP POST Built-in HTTP POST Cloud Connector Guide

Priceline HTTP POST Built-in HTTP POST Cloud Connector Guide

ProofHQ HTTP POST Built-in HTTP POST Cloud Connector Guide

Proofhub HTTP POST Built-in HTTP POST Cloud Connector Guide

Proposable HTTP POST Built-in HTTP POST Cloud Connector Guide

ProtoShare HTTP POST Built-in HTTP POST Cloud Connector Guide

Put.io HTTP POST Built-in HTTP POST Cloud Connector Guide

Qhub HTTP POST Built-in HTTP POST Cloud Connector Guide

Qualtrics HTTP POST Built-in HTTP POST Cloud Connector Guide

Quantcast HTTP POST Built-in HTTP POST Cloud Connector Guide

QuestionPro HTTP POST Built-in HTTP POST Cloud Connector Guide

RationalSurvey HTTP POST Built-in HTTP POST Cloud Connector Guide

ReallySimpleSystems HTTP POST Built-in HTTP POST Cloud Connector Guide

ReardenCommerce HTTP POST Built-in HTTP POST Cloud Connector Guide

Recurly HTTP POST Built-in HTTP POST Cloud Connector Guide

Relenta HTTP POST Built-in HTTP POST Cloud Connector Guide

RemedyForce HTTP POST Built-in HTTP POST Cloud Connector Guide

RemotiaCRM HTTP POST Built-in HTTP POST Cloud Connector Guide

Replicon SAML 1.1 Replicon Cloud Connector Guide

Reviewsnap HTTP POST Built-in HTTP POST Cloud Connector Guide

RightScale HTTP POST Built-in HTTP POST Cloud Connector Guide

Saasu HTTP POST Built-in HTTP POST Cloud Connector Guide

Salesboom HTTP POST Built-in HTTP POST Cloud Connector Guide

Salesforce SAML 2.0 Salesforce Cloud Connector Guide

SalesGenius HTTP POST Built-in HTTP POST Cloud Connector Guide

SalesJunction HTTP POST Built-in HTTP POST Cloud Connector Guide

Connector Type SSO Type McAfee Cloud Identity ManagerCloud Connector Guide

48 McAfee Cloud Identity Manager 3.5 Product Guide

Page 49: McAfee Cloud Identity Manager Product Guideb2b-download.mcafee.com/products/evaluation/Intel/...McAfee Cloud Identity Manager 3.5 Product Guide

SAML1.1 Generic SAML 1.1 SAML 1.1 Cloud Connector Guide

SAML2.0 Generic SAML 2.0 SAML2 Cloud Connector Guide

SAML2.0 Proxy SAML 2.0 SAML2 Proxy Cloud Connector Guide

Sazneo HTTP POST Built-in HTTP POST Cloud Connector Guide

Schoology Custom Schoology Cloud Connector Guide

SearchmetricsEssentials HTTP POST Built-in HTTP POST Cloud Connector Guide

Send6 HTTP POST Built-in HTTP POST Cloud Connector Guide

SendGrid HTTP POST Built-in HTTP POST Cloud Connector Guide

SendThisFile HTTP POST Built-in HTTP POST Cloud Connector Guide

ServiceMax HTTP POST Built-in HTTP POST Cloud Connector Guide

ServiceNow SAML 2.0 ServiceNow Cloud Connector Guide

Severa HTTP POST Built-in HTTP POST Cloud Connector Guide

ShareFile SAML 2.0 ShareFile Cloud Connector Guide

SharePoint WS-Federation SharePoint Cloud Connector Guide

ShiftPlanning HTTP POST Built-in HTTP POST Cloud Connector Guide

ShoeBoxed HTTP POST Built-in HTTP POST Cloud Connector Guide

SilkRoad SAML 2.0 SilkRoad Cloud Connector Guide

Simplicant HTTP POST Built-in HTTP POST Cloud Connector Guide

SimplyBill HTTP POST Built-in HTTP POST Cloud Connector Guide

SiteKreator HTTP POST Built-in HTTP POST Cloud Connector Guide

skedge.me HTTP POST Built-in HTTP POST Cloud Connector Guide

Slickdeals HTTP POST Built-in HTTP POST Cloud Connector Guide

SlideRocket HTTP POST Built-in HTTP POST Cloud Connector Guide

SmartBrief HTTP POST Built-in HTTP POST Cloud Connector Guide

Smarter HTTP POST Built-in HTTP POST Cloud Connector Guide

SmarterTravel HTTP POST Built-in HTTP POST Cloud Connector Guide

SmartInvoice HTTP POST Built-in HTTP POST Cloud Connector Guide

SmartQWeb HTTP POST Built-in HTTP POST Cloud Connector Guide

Smartsheet HTTP POST Built-in HTTP POST Cloud Connector Guide

SnapBill HTTP POST Built-in HTTP POST Cloud Connector Guide

SnapFish HTTP POST Built-in HTTP POST Cloud Connector Guide

Southwest HTTP POST Built-in HTTP POST Cloud Connector Guide

SpotlightReporting HTTP POST Built-in HTTP POST Cloud Connector Guide

SpringCM SAML 2.0 SpringCM Cloud Connector Guide

StandingCloud HTTP POST Built-in HTTP POST Cloud Connector Guide

StarwoodHotels HTTP POST Built-in HTTP POST Cloud Connector Guide

StoreGrid HTTP POST Built-in HTTP POST Cloud Connector Guide

StreamSend HTTP POST Built-in HTTP POST Cloud Connector Guide

SuccessFactors SAML 2.0 SuccessFactors Cloud Connector Guide

Connector Type SSO Type McAfee Cloud Identity ManagerCloud Connector Guide

McAfee Cloud Identity Manager 3.5 Product Guide 49

Page 50: McAfee Cloud Identity Manager Product Guideb2b-download.mcafee.com/products/evaluation/Intel/...McAfee Cloud Identity Manager 3.5 Product Guide

SugarCRM SAML 2.0 SugarCRM Cloud Connector Guide

SugarSync HTTP POST Built-in HTTP POST Cloud Connector Guide

SurveyGizmo HTTP POST Built-in HTTP POST Cloud Connector Guide

SurveyShare HTTP POST Built-in HTTP POST Cloud Connector Guide

Survs HTTP POST Built-in HTTP POST Cloud Connector Guide

Syncd HTTP POST Built-in HTTP POST Cloud Connector Guide

Syncplicity SAML 2.0 Syncplicity Cloud Connector Guide

TactileCRM HTTP POST Built-in HTTP POST Cloud Connector Guide

TappIn HTTP POST Built-in HTTP POST Cloud Connector Guide

Teambox HTTP POST Built-in HTTP POST Cloud Connector Guide

TeamDesk HTTP POST Built-in HTTP POST Cloud Connector Guide

TeamWorkLive HTTP POST Built-in HTTP POST Cloud Connector Guide

TenderSupport Custom TenderSupport Cloud Connector Guide

TestFlight HTTP POST Built-in HTTP POST Cloud Connector Guide

Theresumator HTTP POST Built-in HTTP POST Cloud Connector Guide

TickSpot HTTP POST Built-in HTTP POST Cloud Connector Guide

TimeBridge HTTP POST Built-in HTTP POST Cloud Connector Guide

Timetonote HTTP POST Built-in HTTP POST Cloud Connector Guide

Toodledo HTTP POST Built-in HTTP POST Cloud Connector Guide

Travelocity HTTP POST Built-in HTTP POST Cloud Connector Guide

TribeHR HTTP POST Built-in HTTP POST Cloud Connector Guide

Trovix HTTP POST Built-in HTTP POST Cloud Connector Guide

TrueShare HTTP POST Built-in HTTP POST Cloud Connector Guide

Twitter HTTP POST Built-in HTTP POST Cloud Connector Guide

Unbounce HTTP POST Built-in HTTP POST Cloud Connector Guide

Usabilla HTTP POST Built-in HTTP POST Cloud Connector Guide

useKitProBindr HTTP POST Built-in HTTP POST Cloud Connector Guide

UserVoice Custom UserVoice Cloud Connector Guide

VerticalResponse HTTP POST Built-in HTTP POST Cloud Connector Guide

VisionHelpdesk HTTP POST Built-in HTTP POST Cloud Connector Guide

Vitalist HTTP POST Built-in HTTP POST Cloud Connector Guide

VMwareAccountLogin HTTP POST Built-in HTTP POST Cloud Connector Guide

Volusion HTTP POST Built-in HTTP POST Cloud Connector Guide

WalgreensPhoto HTTP POST Built-in HTTP POST Cloud Connector Guide

webCRM HTTP POST Built-in HTTP POST Cloud Connector Guide

WebEx SAML 2.0 WebEx Cloud Connector Guide

WebExConnect SAML 2.0 WebExConnect Cloud Connector Guide

WebSuitePro HTTP POST Built-in HTTP POST Cloud Connector Guide

WeCollaborate HTTP POST Built-in HTTP POST Cloud Connector Guide

Connector Type SSO Type McAfee Cloud Identity ManagerCloud Connector Guide

50 McAfee Cloud Identity Manager 3.5 Product Guide

Page 51: McAfee Cloud Identity Manager Product Guideb2b-download.mcafee.com/products/evaluation/Intel/...McAfee Cloud Identity Manager 3.5 Product Guide

Wedoist HTTP POST Built-in HTTP POST Cloud Connector Guide

Weebly HTTP POST Built-in HTTP POST Cloud Connector Guide

Wistia HTTP POST Built-in HTTP POST Cloud Connector Guide

WizeHive HTTP POST Built-in HTTP POST Cloud Connector Guide

Woot HTTP POST Built-in HTTP POST Cloud Connector Guide

WorkforceTrack HTTP POST Built-in HTTP POST Cloud Connector Guide

Wrike HTTP POST Built-in HTTP POST Cloud Connector Guide

Wufoo HTTP POST Built-in HTTP POST Cloud Connector Guide

Xactly HTTP POST Built-in HTTP POST Cloud Connector Guide

YahooMail HTTP POST Built-in HTTP POST Cloud Connector Guide

Yapta HTTP POST Built-in HTTP POST Cloud Connector Guide

ZAPSurvey HTTP POST Built-in HTTP POST Cloud Connector Guide

Zendesk SAML 2.0 Zendesk Cloud Connector Guide

Zepppelin HTTP POST Built-in HTTP POST Cloud Connector Guide

ZipDX HTTP POST Built-in HTTP POST Cloud Connector Guide

ZipRecruiter HTTP POST Built-in HTTP POST Cloud Connector Guide

ZipSurvey HTTP POST Built-in HTTP POST Cloud Connector Guide

Zoho SAML 2.0 Zoho Cloud Connector Guide

Connector Type SSO Type McAfee Cloud Identity ManagerCloud Connector Guide

McAfee Cloud Identity Manager 3.5 Product Guide 51

Page 52: McAfee Cloud Identity Manager Product Guideb2b-download.mcafee.com/products/evaluation/Intel/...McAfee Cloud Identity Manager 3.5 Product Guide

52 McAfee Cloud Identity Manager 3.5 Product Guide

Page 53: McAfee Cloud Identity Manager Product Guideb2b-download.mcafee.com/products/evaluation/Intel/...McAfee Cloud Identity Manager 3.5 Product Guide

4.0 Identity Connectors

To access the Identity Connector window in the Management Console, select Identity Connectors from the Cloud Connectors tab drop-down list. The Identity Connector window presents two options:

• Identity Store — Identity stores are the directories that hold user accounts and identity information. Selecting the Identity Store option allows you to view, create, edit, delete, and save identity store configurations that can be reused elsewhere in the Management Console.

• Identity Connector — Identity Connectors are the configurations that allow Cloud Identity Manager to connect to and communicate with identity stores and authentication services. Selecting the Identity Connector option allows you to view, create, edit, delete, and save Identity Connector configurations that can be reused elsewhere in the Management Console.

4.1 Authentication Types

Cloud Identity Manager supports the following authentication types: identity stores, Identity Connectors, and authentication modules. The Identity Connector types are also supported as authentication modules. While Identity Connectors stand alone, authentication modules can be assembled and ordered in authentication chains. For more information about authentication chains, see section 5.0 Authentication Chains.

Supported Identity Stores

• LDAP
• Active Directory (AD)

When you create an LDAP or Active Directory identity store in the Management Console, you configure connection parameters that allow Cloud Identity Manager to connect to the specified identity store. The connection parameters include the host name and port number of the identity store, for example.

Supported Identity Connectors

• Authentication Chain
• Central Authentication Service (CAS)
• ECA360 Token Authentication
• Integrated Windows Authentication with Active Directory (IWA-AD)
• LDAP
• SAML2 Proxy

When you create an Identity Connector, you select an identity store or authentication service. For an identity store, you configure LDAP or Active Directory search parameters. For an authentication service, such as CAS, you configure parameters specific to each service. For an authentication chain, you assemble and order authentication modules. For more information about the authentication chain Identity Connector, see section 4.2 Authentication Chain Identity Connector.

Supported Authentication Modules

• JDBC
• OpenID
• Facebook
• LinkedIn
• Twitter
• ECA360 Token
• SAML2
• Salesforce
• Integrated Windows Authentication (IWA)
• Central Authentication Service (CAS)
• SAML2 Proxy
• LDAP
• LDAP and OTP (McAfee® Pledge)
• Certificate
• SiteMinder
• OTP
• OTP Self-service
• TPM
• KCD

You can access the supported authentication modules through the authentication chain Identity Connector described in this chapter.

Note: McAfee Pledge is a software token that generates one-time passwords on a mobile device.

4.2 Authentication Chain Identity Connector

Authentication chains allow you to combine multiple authentication methods together in one Identity Connector. The authentication methods are the modules that make up the authentication chain. You can add authentication modules to and remove them from an authentication chain, and you can determine the order of the modules in the chain. For more information, see sections 4.9.1 Configure an Authentication Chain Identity Connector and 5.0 Authentication Chains.

Authentication modules can be built-in Cloud Identity Manager modules or user-defined modules that you write using the Cloud Identity Manager SDK and register in the Management Console. For information about how to write your own authentication modules, see the McAfee Cloud Identity Manager Developer’s Guide. For information about how to register a user-defined authentication module, see section 5.8 Registering a User-defined Authentication Module.

4.3 External Configuration and Additional Considerations

This Identity Connectors section covers configuration of the two identity stores and five Identity Connectors in Cloud Identity Manager using the Management Console. CAS, IWA-AD, and SAML2 Proxy authentication all require external configuration steps, additional considerations, or both. For more information, see the following sections:

• 6.1 Integrating CAS with Cloud Identity Manager
• 6.3 Integrating IWA with Cloud Identity Manager
• 6.9 Integrating Cloud Identity Manager in the Cloud and the Enterprise

Note: Integrating Cloud Identity Manager in the cloud and the enterprise requires a SAML2 Proxy Identity Connector.

4.4 View All Configured Identity Stores

Selecting the Identity Store option in the Identity Connectors window opens the Identity Store window. This window lists all identity store configurations. The Type column shows whether the identity store type is LDAP or Active Directory. The Host Name column shows the host name and port number of the server on which the LDAP or Active Directory identity store is installed. In the following screenshot, one LDAP identity store is configured.

The following actions are available in the Identity Store window:

• New Identity Store — Opens the New Identity Store dialog box where you can create a new identity store configuration.

• Edit — Opens the selected identity store configuration in a dialog box where you can view and edit configuration values.

• Delete — Deletes the selected identity store configuration.

Note: Each identity store has an ID, which is assigned by Cloud Identity Manager. The ID is a string formed by concatenating the identity store type, the host name, and the port number. For example, an LDAP identity store is assigned an ID with the following format: LDAP:hostname:portnumber. Likewise, an Active Directory identity store is assigned an ID with this format: Active Directory:hostname:portnumber.

4.5 View All Configured Identity Connectors

Selecting the Identity Connector option in the Cloud Connectors tab opens the Identity Connector window. This window lists all Identity Connector configurations. The Identity Connector Name column shows the name that is assigned to the Identity Connector when it is created. The Type column shows whether the Identity Connector type is LDAP, CAS, IWA-AD, Authentication Chain, or SAML2 Proxy. In the following screenshot, one Identity Connector of type LDAP is configured.

The following actions are available in the Identity Connector window:

• New Identity Connector — Opens the New Identity Connector dialog box where you can create a new Identity Connector configuration.

• Edit — Opens the selected Identity Connector configuration in a dialog box where you can view and edit configuration values.

• Test — Tests the Identity Connector configuration.

• Delete — Deletes the selected Identity Connector configuration.

4.6 How to Select the Identity Connector Type

When identity information is stored in an LDAP or Active Directory identity store inside an enterprise, configure the Identity Connector as follows:

• Configure an LDAP Identity Connector with an LDAP identity store.

• Configure an IWA-AD Identity Connector with an Active Directory identity store.

When authentication is handled by an authentication service, such as CAS, configure the Identity Connector as follows:

• Configure a CAS Identity Connector when the authentication service is CAS.

• Configure a SAML2 Proxy Identity Connector for a Cloud Identity Manager instance in the cloud that delegates authentication to a Cloud Identity Manager instance in the enterprise.

• Configure an authentication chain Identity Connector when you want to offer or require more than one method of authentication. For more information about authentication chains, see section 5.0 Authentication Chains.

The following table summarizes the relationships between Identity Connector types, identity stores, and authentication services.

Identity Connector Type | Identity Store | Authentication Service
LDAP | LDAP |
IWA-AD | Active Directory (AD) |
CAS | | Central Authentication Service
ECA360 Token | | Cloud Identity Manager provides an authentication service through an Application Adapter that produces the ECA360 Token. For more information, see section 7.0 Cloud Application Trust Profile.
SAML2 Proxy | | Using an identity store, Cloud Identity Manager in the enterprise provides an authentication service for Cloud Identity Manager in the cloud.
Authentication Chain | | The authentication chain is a special Identity Connector case that allows you to assemble and order multiple authentication modules. For a list of authentication modules, see section 4.1 Authentication Types.

4.7 Create an LDAP Identity Store

You can create an LDAP identity store to hold user accounts and identity information.

To create an LDAP identity store

1. In the Identity Connector window, select the Identity Store option.
   The Identity Store window opens.

2. Click New Identity Store.
   The New Identity Store dialog box opens.

3. Select LDAP for the identity store Type.
   The New Identity Store dialog box expands to show the fields required for configuring an LDAP identity store.

4. To configure an SSL connection to the LDAP identity store, select the Enable SSL checkbox.

5. Specify the following fields for the LDAP identity store:

   Server Host: Specifies the IP address or host name of the server on which the LDAP identity store is installed.

   Server Port: Specifies the port number of the server on which the LDAP identity store is installed.

   Username: Specifies the user name required for access to the LDAP identity store. Example: uid=admin,ou=system

   Password: Specifies the password required for access to the LDAP identity store.

6. (Optional) To test the connection to the LDAP identity store, click Test.

7. Click Save Identity Store.
   The LDAP identity store configuration is saved and added to the list in the Identity Store window.
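What the Test button in step 6 checks from inside the Management Console can be approximated from outside it. The following Python script is an added example, not part of the product or of this guide; it uses only the standard library to encode an LDAPv3 simple BindRequest for the configured bind DN and password, send it over a TLS connection (the counterpart of Enable SSL, with certificate and host-name verification left on), and decode the resultCode in the BindResponse. The host, port, bind DN and password are command-line arguments; the two response byte strings are constructed samples used to exercise the decoder offline and were not captured from any server.

```python
import socket
import ssl

# resultCode values from RFC 4511 that matter most when testing a bind
LDAP_RESULT_NAMES = {
    0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
    32: "noSuchObject", 34: "invalidDNSyntax", 49: "invalidCredentials",
    52: "unavailable", 53: "unwillingToPerform",
}


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def build_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage carrying an LDAPv3 simple BindRequest (RFC 4511 section 4.2)."""
    if not 0 <= message_id < 128:
        raise ValueError("this example keeps messageID to a single INTEGER octet")
    bind = (tlv(0x02, bytes([3]))                    # version INTEGER 3
            + tlv(0x04, bind_dn.encode("utf-8"))     # name LDAPDN (OCTET STRING)
            + tlv(0x80, password.encode("utf-8")))   # authentication: simple [0]
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x60, bind))  # [APPLICATION 0]


def read_tlv(buf: bytes, pos: int):
    """Decode the element at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> dict:
    """Decode an LDAPMessage holding a BindResponse into message id, result code and diagnostic."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)                     # messageID INTEGER
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:                                    # BindResponse is [APPLICATION 1]
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    tag, code, pos = read_tlv(op, 0)                   # resultCode ENUMERATED
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = read_tlv(op, pos)            # matchedDN
    _, diag, _ = read_tlv(op, pos)                     # diagnosticMessage
    rc = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(mid, "big"), "result_code": rc,
            "result": LDAP_RESULT_NAMES.get(rc, "other"),
            "diagnostic": diag.decode("utf-8", "replace")}


# Constructed sample responses (not captured from any real server):
# success for messageID 1, and invalidCredentials for messageID 2 with a diagnostic string.
SAMPLE_BIND_OK = bytes.fromhex("300c02010161070a010004000400")
SAMPLE_BIND_INVALID = bytes.fromhex("301802010261130a01310400040c6261642070617373776f7264")


def check_ldap_bind(host: str, port: int, bind_dn: str, password: str,
                    use_ssl: bool = True, timeout: float = 5.0) -> dict:
    """Connect, optionally wrap in TLS with certificate verification, bind once, report the result."""
    raw = socket.create_connection((host, port), timeout=timeout)
    if use_ssl:
        ctx = ssl.create_default_context()             # verifies the chain and the host name
        sock = ctx.wrap_socket(raw, server_hostname=host)
    else:
        sock = raw
    with sock:                                         # closing the socket ends the session
        sock.sendall(build_bind_request(1, bind_dn, password))
        data = sock.recv(4096)                         # a BindResponse fits in one read
    return parse_bind_response(data)


if __name__ == "__main__":
    import sys
    host, port, dn, pw = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    print(check_ldap_bind(host, port, dn, pw))
```

A result of invalidCredentials (49) with a reachable server separates a wrong Username or Password from a wrong Server Host or Server Port, which surfaces as a socket or TLS error before any LDAP message is exchanged; a TLS failure with use_ssl left on usually means the directory's certificate is not trusted by the machine running the check, which is the same trust that the Enable SSL option depends on.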

4.8 Create an Active Directory Identity Store

You can create an Active Directory identity store to hold user accounts and identity information. Active Directory authentication is based on Kerberos, a network authentication protocol. In this procedure, you specify a Kerberos authentication method for the Active Directory identity store. The Kerberos options are:

• Authentication with a user name and password — To select this option, deselect the Use stored credentials checkbox, and specify user name and password in their respective fields.

• Authentication using a Kerberos principal and encryption key — To select this option, select the Use stored credentials checkbox, and specify the principal and path to the keytab file in the Principal and Choose stored credentials file fields, respectively.

To create an Active Directory identity store

1. In the Identity Connector window, select the Identity Store option.
   The Identity Store window opens.

2. Click New Identity Store.
   The New Identity Store dialog box opens.

3. Select Active Directory for the identity store Type.
   The New Identity Store dialog box expands to show the fields required for configuring an Active Directory identity store.

4. Specify the following fields for the Active Directory identity store:

   Allow fallback: Select this checkbox to allow basic authentication (valid username and password) when IWA-AD authentication fails.

   Use stored credentials: Select this checkbox to authenticate using a keytab file containing pairs of Kerberos principals and encrypted keys instead of authenticating with a user name and password pair.
   Note: Selecting this checkbox opens the Choose stored credentials file field and Browse button and the Upload stored credentials button. The Username and Password fields are replaced by the Principal field.

   Use domain IP: Select this checkbox to specify the IP address in addition to the domain name of the Active Directory server, for when the domain name cannot be resolved.
   Note: Selecting this checkbox opens the Domain IP field.

   Domain name: Specifies the domain name of the Active Directory server.

   Domain IP: Specifies the IP address of the Active Directory server.

   Username: Specifies the service principal name (SPN) that uniquely identifies your Active Directory account.

   Password: Specifies the password of your Active Directory account.

   Principal: (Kerberos) Specifies the name of the Kerberos principal in the keytab file.

   Choose stored credentials file: (Kerberos) Specifies the path and file name of the Kerberos keytab file.
   Note: You can use the Browse button to search for the keytab file.

5. (Optional) To test the connection to the Active Directory identity store, click Test.

The Test AD Connection dialog box opens and shows the status of the Active Directory connection process in four stages:
— Resolve AD Hostname
— Ping Host
— Connect to AD
— Login to AD

a. To view the details of the connection process, click Details.

The Test AD Connection dialog box expands to show the stages. To hide the details, click Hide.

b. To download the AD connection log when the test is complete, click Download.

The download dialog box opens.

c. On the download dialog box, select an option, and click OK:
• Open the log file with a text editor.
• Save the log file in your web browser’s download directory.

The log file is opened or saved, and the download dialog box closes.

d. To close the Test AD Connection dialog box when the test is complete, click Close.

6. (Kerberos) To upload the keytab file, click Upload stored credentials.

7. Click Save Identity Store.

The Active Directory identity store configuration is saved and added to the list in the Identity Store window.
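The keytab that the Use stored credentials option takes (steps 4 and 6) can be checked before it is uploaded. The following is an added example, not part of this guide or the product: it parses the MIT keytab file format (version 0x0502) and confirms that the principal you enter in the Principal field is present in the file and that no other principals travel with it. The realm, principal names and key bytes in the sample keytab are constructed for the demonstration.

```python
"""Inspect a Kerberos keytab before uploading it as stored credentials.

Parses the MIT keytab format (file version 0x0502) and reports whether the
principal named in the Principal field is present, which encryption types it
has, and which other principals would be uploaded along with it.
"""
import struct
from dataclasses import dataclass


@dataclass
class KeytabEntry:
    principal: str   # e.g. HTTP/sso.example.test@EXAMPLE.TEST
    name_type: int   # KRB5_NT_PRINCIPAL = 1, KRB5_NT_SRV_HST = 3, ...
    timestamp: int   # Unix time at which the entry was written
    kvno: int        # key version number
    enctype: int     # RFC 3961 enctype, e.g. 18 = aes256-cts-hmac-sha1-96
    key_len: int     # length of the key; the key bytes themselves are not kept


def _counted(buf, off):
    """Read a counted_octet_string (uint16 length followed by bytes)."""
    (length,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + length], off + length


def parse_keytab(data: bytes) -> list:
    """Parse a version-2 keytab; deleted slots (negative size) are skipped."""
    if len(data) < 2 or data[0] != 0x05:
        raise ValueError("not a Kerberos keytab")
    if data[1] != 0x02:
        raise ValueError("only keytab file version 0x0502 is supported")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # deleted slot: skip its bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen              # step over the key material
        kvno = vno8
        if end - off >= 4:           # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, off)
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, ts, kvno, enctype, klen))
    return entries


def check_keytab(data: bytes, expected_principal: str) -> dict:
    """What to confirm before clicking Upload stored credentials: the Principal
    field value is in the file, and nothing unexpected travels with it."""
    entries = parse_keytab(data)
    principals = {e.principal for e in entries}
    return {
        "present": expected_principal in principals,
        "extra_principals": sorted(principals - {expected_principal}),
        "enctypes": sorted({e.enctype for e in entries
                            if e.principal == expected_principal}),
    }


def _entry(realm, comps, kvno, enctype, key, ts=1372000000, name_type=1):
    """Serialize one entry; used only to construct the sample keytab below."""
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", name_type, ts, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: the SSO service principal with two enctypes, plus a stray
# host principal that should not be uploaded along with it. Realm, names and key
# bytes are made up for the demonstration.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + _entry("EXAMPLE.TEST", ["HTTP", "sso.example.test"], 3, 18, b"\x11" * 32)
    + _entry("EXAMPLE.TEST", ["HTTP", "sso.example.test"], 3, 17, b"\x22" * 16)
    + _entry("EXAMPLE.TEST", ["host", "fs.example.test"], 7, 18, b"\x33" * 32)
)

if __name__ == "__main__":
    print(check_keytab(SAMPLE_KEYTAB, "HTTP/sso.example.test@EXAMPLE.TEST"))
```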

4.9 Create an Identity Connector

You can create an Identity Connector that connects Cloud Identity Manager to identity information. For detailed information about how to configure the parameters for each Identity Connector type, see the following sections:

• Authentication Chain — See section 4.9.1 Configure an Authentication Chain Identity Connector.
• Central Authentication Service — See section 4.9.2 Configure a CAS Identity Connector.
• ECA360 Token Authentication — See section 4.9.3 Configure an ECA360 Token Identity Connector.
• Integrated Windows Authentication with Active Directory — See section 4.9.4 Configure an IWA-AD Identity Connector.
• LDAP — See section 4.9.5 Configure an LDAP Identity Connector.
• SAML2 Proxy — See section 4.9.6 Configure a SAML2 Proxy Identity Connector.

To create an Identity Connector

1. Select Identity Connectors from the Cloud Connectors tab drop-down list.

The Identity Connector window opens.

2. Click New Identity Connector.

The New Identity Connector dialog box opens.

3. Type a name in the Identity Connector field.

4. Select one of the following options from the Identity Connector Type drop-down list:
— Authentication Chain
— Central Authentication Service
— ECA360 Token Authentication
— Integrated Windows Authentication with Active Directory
— LDAP
— SAML2 Proxy

The New Identity Connector dialog box expands to show configuration parameters for the selected Identity Connector type.

5. Configure the parameters required for the selected Identity Connector type.

6. Click Save Identity Connector.

The Identity Connector configuration is saved and added to the list in the Identity Connector window.

4.9.1 Configure an Authentication Chain Identity Connector

An authentication chain, which is a custom chain of authentication modules, is a type of Identity Connector. Authentication modules can be built-in Cloud Identity Manager modules or user-defined modules that you write using the Cloud Identity Manager SDK and register in the Management Console. For information about how to write your own authentication modules, see the McAfee Cloud Identity Manager Developer’s Guide. For information about how to register a user-defined authentication module, see section 5.8 Registering a User-defined Authentication Module.

To configure an authentication chain Identity Connector, you begin on the New Identity Connector dialog box. For complete documentation of authentication chains, see section 5.0 Authentication Chains.

To configure an authentication chain Identity Connector

1. Click New Identity Connector in the Identity Connector window.

The New Identity Connector dialog box opens.

2. Type a name in the Identity Connector field.

3. Select Authentication Chain from the Identity Connector Type drop-down list.

The Identity Connector dialog box expands to show the area where you add and order authentication modules.

4. Click one of the following buttons:
— Up — Moves the selected authentication module up one row in the table of modules configured for the authentication chain.
— Down — Moves the selected authentication module down one row in the table of modules configured for the authentication chain.
— New — Opens the authentication module wizard, where you can configure an authentication module for the authentication chain and add it to the table.
Note: For complete configuration details, see section 5.2 Authentication Modules.

5. After one or more authentication modules are configured for the authentication chain and ordered in the table, click Save Identity Connector.

The authentication chain configuration is saved as an Identity Connector.

4.9.2 Configure a CAS Identity Connector

CAS is an acronym for Central Authentication Service. To configure a CAS Identity Connector, complete the CAS-specific fields on the New Identity Connector dialog box.

Note: Integrating CAS with Cloud Identity Manager requires additional configuration. For an overview of CAS including the additional configuration steps, see section 6.1 Integrating CAS with Cloud Identity Manager.

To configure a CAS Identity Connector

1. Specify values for the following fields:

SignIn URL
Specifies the URL of the CAS sign-in page.
Example: https://cas-server:8443/cas/login

SignOut URL
Specifies the URL of the CAS sign-out page.
Example: https://cas-server:8443/cas/logout

Validate URL
Specifies the URL of the CAS service that validates Service Tickets.
Example: https://cas-server:8443/cas

Clock Skew
Specifies a value to use when calculating the expiration time. This value is designed to offset small differences between clocks on different computer systems.
Default value: 20
Units: seconds

2. Click Save Identity Connector.

The CAS Identity Connector configuration is saved and added to the list in the Identity Connector window.

4.9.3 Configure an ECA360 Token Identity Connector

Before you can configure an ECA360 Token Identity Connector, you need to configure an Application Adapter-Cloud Authenticator pair. After the pair is configured, click the troubleshooting icon corresponding to the Application Adapter. The General Info tab opens. In that tab, you can locate the SSO and SLO URL values that you need when configuring the ECA360 Token Identity Connector. For an example, see the following screenshot.

Note: For more information about configuring Application Adapters and Cloud Authenticators, see section 7.0 Cloud Application Trust Profile.

To configure an ECA360 Token Identity Connector

1. In the Option configuration area, specify the following fields:

a. Copy the SSO Service URL in the Application Endpoint Location area in the General Info tab, and paste it in the SSO URL field. This value specifies the URL of the SSO service provided by the Application Adapter.

b. Copy the SLO Service URL in the Service Connection Endpoint Location area in the General Info tab, and paste it in the SLO URL field. This value specifies the URL of the SLO service provided by the Application Adapter.

c. Type the value specified in the Issuer field on the Token Profile step of the Application Adapter wizard in the Assertion Issuer field.

d. Select the key pair specified on the Token Profile step of the Application Adapter wizard from the X509 Certificate drop-down list.
Note: Do not select intel cloud expressway from the drop-down list. Selecting the self-signed key pair that comes with Cloud Identity Manager compromises the security of the Cloud Identity Manager system.

2. In the Output attributes area, you have the option of mapping one or more attributes from a source to a target. The attribute source is the ECA360 token produced by the Application Adapter and consumed by the ECA360 Token Identity Connector. The target attributes are the attributes output by the Identity Connector.

a. To add an attribute mapping to the table in the Output attributes area, click Add.

The New attribute dialog box opens.

b. Type the name of the output attribute in the Target name field.

c. To configure the Source name, click Edit.

The Select source dialog box opens.

d. Select the source attribute from the Select authentication result drop-down list, or select the Add authentication result checkbox, and type the name of the source attribute in the field that opens.

e. (Optional) To extract a value from the source attribute, select the Extract value from entry checkbox, and type an expression in the Expression field that opens.

f. Click Ok.

The Select source dialog box closes.

g. Click Save.

The New attribute dialog box closes, and the new attribute mapping is added to the table in the Output attributes area.

3. To edit an attribute mapping in the table, select it, and click Edit.

The Edit attribute dialog box opens. For configuration details, see step 2.

4. To remove an attribute from the table of output attributes, select it, click Remove, and click OK.

5. Repeat steps 2, 3, and 4, as needed.

6. Click Save Identity Connector.

The ECA360 Token Identity Connector configuration is saved and added to the list in the Identity Connector window.

4.9.4 Configure an IWA-AD Identity Connector

IWA-AD is an acronym for Integrated Windows Authentication with Active Directory. Configuring an IWA-AD Identity Connector requires that you create a new Active Directory identity store or use an existing one. For information about how to create an Active Directory identity store, see section 4.8 Create an Active Directory Identity Store.

Integrating IWA with Cloud Identity Manager requires additional configuration on the Active Directory server and in your Internet Explorer or Firefox browser. For more information, see section 6.3 Integrating IWA with Cloud Identity Manager.

In this procedure, you configure the IWA-AD fields on the New Identity Connector dialog box. The settings are grouped into two areas:

• Option configuration
• Output attributes

To configure an IWA-AD Identity Connector

1. In the Option configuration area, select an existing Active Directory identity store from the Identity Store drop-down list, or click New Active Directory to create a new Active Directory identity store.

2. Configure the following Active Directory fields and settings:

BaseDN
Specifies the Distinguished Name (DN) of the entry in the LDAP tree at which to start searching for a user.
Example: DC=AD-DOMAIN

Search Attribute
Specifies the user attribute to search for and return.
Example: sAMAccountName

Search Scope
Specifies one of the following values:
• BASE — Search the Base DN entry only.
• ONE_LEVEL — Only search the entries one level below the Base DN.
• SUBTREE — Search the Base DN and the entire subtree.

3. Configure the Active Directory output attributes in the Output attributes area. This area is populated with a default set of Active Directory output attributes. Output attributes are available for credential mapping and provisioning to a SaaS or web application. You can customize the output attribute set by adding attributes to and removing attributes from the Output attributes area. To customize the output attributes, click one or more of the following options:

— Add — Click Add to add an attribute to the Output attributes area.
The New attribute dialog box opens. Type the name of the attribute in the Attribute name field, and click Save.

— Edit — Select an output attribute, and click Edit to modify the attribute’s name.
The Edit attribute dialog box opens. Modify the name of the attribute, and click Save.

— Remove — Select an output attribute, and click Remove to remove the attribute from the Output attributes area. At the prompt, click OK to verify.

Note: We recommend confirming that the specified output attributes have values at runtime. Otherwise, if an output attribute is specified in the Output attributes area, but has no value at runtime, a runtime error occurs.

4. Click Save Identity Connector.

The IWA-AD Identity Connector configuration is saved and added to the list in the Identity Connector window.

4.9.5 Configure an LDAP Identity Connector

When you configure an LDAP Identity Connector, you create a new LDAP identity store or use an existing one. For information about how to create an LDAP identity store, see section 4.7 Create an LDAP Identity Store.

In this procedure, you configure the settings for an LDAP Identity Connector. The configuration settings are grouped into two areas:

• Option configuration
• Output attributes

To configure an LDAP Identity Connector

1. In the Option configuration area, select an existing LDAP identity store from the Identity Store drop-down list, or click New LDAP to create a new LDAP identity store.

2. Configure the following LDAP fields and settings:

BaseDN
Specifies the Distinguished Name (DN) of the entry in the LDAP tree at which to start searching for a user.
Example: ou=users,ou=system

Search Attribute
Specifies the user attribute to search for and return.
Example: uid

Search Scope
Specifies one of the following values:
• BASE — Search the Base DN entry only.
• ONE_LEVEL — Only search the entries one level below the Base DN.
• SUBTREE — Search the Base DN and the entire subtree.

3. Configure the LDAP output attributes in the Output attributes area. This area is populated with a default set of LDAP output attributes. Output attributes are available for credential mapping and provisioning to a SaaS or web application. You can customize the output attribute set by adding attributes to and removing attributes from the Output attributes area. To customize the output attributes, click one or more of the following options:

— Add — Click Add to add an attribute to the Output attributes area.
The New attribute dialog box opens. Type the name of the attribute in the Attribute name field, and click Save.

— Edit — Select an output attribute, and click Edit to modify the attribute’s name.
The Edit attribute dialog box opens. Modify the name of the attribute, and click Save.

— Remove — Select an output attribute, and click Remove to remove the attribute from the Output attributes area. At the prompt, click OK to verify.

Note: We recommend confirming that the specified output attributes have values at runtime. Otherwise, if an output attribute is specified in the Output attributes area, but has no value at runtime, a runtime error occurs.

4. Click Save Identity Connector.

The LDAP Identity Connector configuration is saved and added to the list in the Identity Connector window.
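Step 2 of this section and of section 4.9.4 describe the same three settings. As an added example (not the product's own code), the following shows how BaseDN, Search Attribute and Search Scope combine into one LDAP user lookup. The in-memory directory, its DNs and attribute values are constructed for the demonstration, and the login name is escaped per RFC 4515 before it is placed in the filter, so that a name containing filter characters is matched literally instead of changing the filter.

```python
"""How BaseDN, Search Attribute and Search Scope combine into one user lookup."""
from typing import Optional

# RFC 4515: these characters are special inside a filter value and must be escaped.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(search_attribute: str, login_name: str) -> str:
    """Equality filter the lookup sends, e.g. (sAMAccountName=jsmith); the login
    name is escaped so it cannot alter the filter structure."""
    return f"({search_attribute}={escape_filter_value(login_name)})"


def _rdns(dn: str) -> tuple:
    # Simplification: RDNs are split on commas, so escaped commas are not handled.
    return tuple(part.strip().lower() for part in dn.split(","))


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """Apply the Search Scope rule to one entry."""
    entry, base = _rdns(entry_dn), _rdns(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False                    # not under the Base DN at all
    depth = len(entry) - len(base)      # 0 = the Base DN entry itself
    if scope == "BASE":
        return depth == 0
    if scope == "ONE_LEVEL":
        return depth == 1
    if scope == "SUBTREE":
        return True
    raise ValueError(f"unknown search scope {scope!r}")


def find_user(directory: dict, base_dn: str, search_attribute: str,
              scope: str, login_name: str) -> Optional[str]:
    """Return the DN of the one entry whose Search Attribute equals the login
    name, or None. More than one match is an error: the connector needs exactly
    one account to take output attributes from."""
    hits = [dn for dn, attrs in directory.items()
            if in_scope(dn, base_dn, scope)
            and attrs.get(search_attribute) == login_name]
    if len(hits) > 1:
        raise LookupError(f"{build_filter(search_attribute, login_name)} "
                          f"matched {len(hits)} entries")
    return hits[0] if hits else None


# Constructed directory (DN -> attributes) with entries at several depths.
DIRECTORY = {
    "DC=AD-DOMAIN": {"objectClass": "domain"},
    "CN=jsmith,DC=AD-DOMAIN": {"sAMAccountName": "jsmith", "sn": "Smith"},
    "CN=adoe,OU=Sales,DC=AD-DOMAIN": {"sAMAccountName": "adoe", "sn": "Doe"},
    "CN=svc-sso,OU=Services,OU=Infra,DC=AD-DOMAIN": {"sAMAccountName": "svc-sso"},
}

if __name__ == "__main__":
    for scope in ("BASE", "ONE_LEVEL", "SUBTREE"):
        print(scope, find_user(DIRECTORY, "DC=AD-DOMAIN", "sAMAccountName", scope, "adoe"))
    print(build_filter("sAMAccountName", "smith)(objectClass=*"))
```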

4.9.6 Configure a SAML2 Proxy Identity Connector

Configure a SAML2 Proxy Identity Connector for an instance of Cloud Identity Manager in the cloud that is delegating authentication to an instance of Cloud Identity Manager in the enterprise. Because Cloud Identity Manager in the cloud initiates the SSO process, it requires the sign-in and sign-out URLs of Cloud Identity Manager in the enterprise.

These values are provided on the SAML Credential Mapping step of the Cloud Connector wizard when you configure a SAML2 Proxy Cloud Connector for Cloud Identity Manager in the enterprise. They are listed in the Credential Mapping table as the target attributes ssourl and slourl. Copy and save the source values so that you can paste them in the SignIn URL and SignOut URL fields in the following procedure.

Note: For more information about SAML2 Proxy authentication, see section 6.9 Integrating Cloud Identity Manager in the Cloud and the Enterprise.

To configure a SAML2 Proxy Identity Connector

1. Specify the following fields:

SignIn URL
Specifies the sign-in page URL of the SAML2 Proxy authentication service provided by an instance of Cloud Identity Manager in the enterprise for the instance of Cloud Identity Manager in the cloud.
Note: This value is displayed on the SAML Credential Mapping step of the SAML2 Proxy Cloud Connector wizard.

SignOut URL
Specifies the sign-out page URL of the SAML2 Proxy authentication service provided by an instance of Cloud Identity Manager in the enterprise for the instance of Cloud Identity Manager in the cloud.
Note: This value is displayed on the SAML Credential Mapping step of the SAML2 Proxy Cloud Connector wizard.

Assertion Issuer
Specifies the URL of the Cloud Identity Manager instance in the enterprise as the SAML assertion issuer.
Example: https://e360sso-server:8443/splat/identityservice
Note: This value is displayed on the SAML Assertion step of the SAML2 Proxy Cloud Connector wizard.

Select signature keypair
Select a preconfigured key pair from the drop-down list. Before sending the user’s credentials to Cloud Identity Manager in the enterprise, Cloud Identity Manager in the cloud signs the credentials with the private key.
Default: intel cloud expressway

Certificate to verify SAML response
Select an X.509 certificate from the drop-down list. Cloud Identity Manager in the cloud uses the certificate to verify the signature and accept the SAML assertion from Cloud Identity Manager in the enterprise.
Default: intel cloud expressway

2. Click Save Identity Connector.

The SAML2 Proxy Identity Connector configuration is saved and added to the list in the Identity Connector window.

4.10 User Provisioning

User provisioning is the population of identity information from an identity source to a target. Cloud Identity Manager supports provisioning of identity information to user accounts in Google Apps or Salesforce. When user provisioning is enabled in the Cloud Connector wizard, user accounts in Google or Salesforce are automatically created, deleted, or updated to reflect the status of the corresponding accounts in the identity source. On-demand or dynamic user provisioning is also called just-in-time (JIT) user provisioning.

The identity information consists of one or more user attributes, such as a user name or email address. Each attribute is configured in the User Provisioning step of the Cloud Connector wizard and can have one of the following source types:

• A constant value
• The result of an authentication decision
• The result of an expression

User attributes can be the result of a decision made by an authentication service, a constant value, or the result of an expression. Expressions allow administrators to perform operations on identity information, such as adding two string values, one a constant value and the other a value in an identity store field.

In the User Provisioning step, you map user attributes from the identity source to the corresponding user attributes in the target. This step is necessary, because the same identity information is stored differently in different user accounts.

For example, the User Account Mapping table in the User Provisioning window maps user attributes from an LDAP Identity Connector (the source) to a Google Apps account (the target). The user attribute known as last name is stored in a field named sn (for surname) in the LDAP identity store, but in the Google Apps account, last name is stored in the familyName field.
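As an added example (not the product's own code), the following carries the sn to familyName mapping through the three source types described above and then derives the create, update and delete operations that keep the target in line with the source. The source records, target accounts and mapping table are constructed for the demonstration; the expression syntax (a list of constant and attribute parts concatenated in order) is an assumption made here, not the product's own.

```python
"""User provisioning: map source attributes to a target account, then reconcile."""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple


@dataclass
class Mapping:
    """One row of the User Account Mapping table."""
    target: str   # attribute name in the target account, e.g. familyName
    kind: str     # "constant" | "auth_result" | "expression"
    value: Any    # constant text, source attribute name, or expression parts


def resolve(mapping: Mapping, auth_result: Dict[str, str]) -> str:
    """Compute one target attribute from the authentication result."""
    if mapping.kind == "constant":
        return mapping.value
    if mapping.kind == "auth_result":
        if mapping.value not in auth_result:   # no value at runtime is an error
            raise KeyError(f"source attribute {mapping.value!r} has no value at runtime")
        return auth_result[mapping.value]
    if mapping.kind == "expression":
        # Assumed expression form: parts ("const", text) / ("attr", name), concatenated.
        return "".join(text if kind == "const" else auth_result[text]
                       for kind, text in mapping.value)
    raise ValueError(f"unknown source type {mapping.kind!r}")


def map_account(mappings: List[Mapping], auth_result: Dict[str, str]) -> Dict[str, str]:
    return {m.target: resolve(m, auth_result) for m in mappings}


def reconcile(source: Dict[str, Dict[str, str]], target: Dict[str, Dict[str, str]],
              mappings: List[Mapping], key: str) -> List[Tuple[str, str, dict]]:
    """Return the (action, account key, attributes) list that brings the target
    in line with the source: create missing accounts, update changed attributes,
    delete accounts that have no source counterpart."""
    desired = {}
    for auth_result in source.values():
        attrs = map_account(mappings, auth_result)
        desired[attrs[key]] = attrs
    actions = []
    for k, attrs in desired.items():
        if k not in target:
            actions.append(("create", k, attrs))
        else:
            changed = {a: v for a, v in attrs.items() if target[k].get(a) != v}
            if changed:
                actions.append(("update", k, changed))
    for k in target:
        if k not in desired:
            actions.append(("delete", k, {}))
    return actions


# Constructed mapping table: LDAP-style source attributes -> Google-Apps-style target.
MAPPINGS = [
    Mapping("givenName", "auth_result", "givenName"),
    Mapping("familyName", "auth_result", "sn"),   # the sn -> familyName case in the text
    Mapping("primaryEmail", "expression", [("attr", "uid"), ("const", "@example.test")]),
    Mapping("orgUnitPath", "constant", "/Employees"),
]

# Constructed identity source (DN -> authentication result attributes).
SOURCE = {
    "uid=jsmith,ou=users,ou=system": {"uid": "jsmith", "givenName": "Jane", "sn": "Smith"},
    "uid=adoe,ou=users,ou=system": {"uid": "adoe", "givenName": "Alex", "sn": "Doe-Lee"},
    "uid=bchen,ou=users,ou=system": {"uid": "bchen", "givenName": "Bo", "sn": "Chen"},
}

# Constructed target accounts (keyed by primaryEmail): one current, one stale, one orphan.
TARGET = {
    "jsmith@example.test": {"givenName": "Jane", "familyName": "Smith",
                            "primaryEmail": "jsmith@example.test", "orgUnitPath": "/Employees"},
    "adoe@example.test": {"givenName": "Alex", "familyName": "Doe",
                          "primaryEmail": "adoe@example.test", "orgUnitPath": "/Employees"},
    "old@example.test": {"givenName": "Old", "familyName": "Account",
                         "primaryEmail": "old@example.test", "orgUnitPath": "/Employees"},
}

if __name__ == "__main__":
    for action in reconcile(SOURCE, TARGET, MAPPINGS, "primaryEmail"):
        print(action)
```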

5.0 Authentication Chains

Authentication chains allow you to combine multiple authentication methods together in one Identity Connector. The authentication methods are the modules that make up the authentication chain. You can add authentication modules to and remove them from an authentication chain, and you can determine the order of the modules in the chain. The authentication chain is one type of Identity Connector.

Authentication chains allow you to configure strong authentication or authentication that is more flexible. For an example of strong authentication, you can require successful authentication by two or more authentication methods or add OTP or TPM as a secondary authentication method to a primary authentication method, creating two-factor authentication.

For an example of more flexible authentication, assume that an application accepts Facebook or Salesforce authentication. You can create an authentication chain consisting of two authentication modules, one for Facebook authentication and the other for Salesforce authentication, and configure an OR relationship between them. For more information about configuring relationships between authentication modules, see section 5.7 Configuring a Policy for the Authentication Module.

Authentication modules can be built-in Cloud Identity Manager modules or user-defined modules that you write using the Cloud Identity Manager API and register in the Management Console. For information about how to write your own authentication modules, see the McAfee Cloud Identity Manager Developer’s Guide. For information about how to register a user-defined authentication module, see section 5.8 Registering a User-defined Authentication Module.

5.1 Creating Authentication Chains in the Management Console

There are two ways to create an authentication chain in the Management Console:

• Cloud Connectors tab — When you create an authentication chain in the Cloud Connectors tab in the Management Console, you are creating an Identity Connector that stands alone and can be reused when configuring new Cloud Connectors.

Note: For more information about creating an authentication chain Identity Connector, see section 4.9.1 Configure an Authentication Chain Identity Connector.

• Application Adapters tab — When you create an authentication chain in the Application Adapters tab in the Management Console, you are creating a Cloud Authenticator. Unlike an authentication chain Identity Connector, a Cloud Authenticator’s configuration includes an associated Application Adapter as well as attribute mapping for the Adapter. Like an authentication chain Identity Connector, Cloud Authenticator configurations are saved and can be reused.

Note: For more information about creating a Cloud Authenticator, see section 7.4 Cloud Authenticators.

Regardless of the approach you take to creating an authentication chain, the user interface is the same. You can create new authentication modules and add them to the authentication chain. You can move the authentication modules up and down the authentication chain. And you can edit or delete authentication modules in the chain.

5.2 Authentication Modules

The Authentication Module wizard opens when you click New on the New Identity Connector dialog box. The following wizard steps, which are displayed on the left, are shared by most authentication module types:

1. Select the authentication module type — See section 5.3 Select the Authentication Module Type.
2. Customize the authentication module login page — See section 5.4 Customizing the Authentication Module Login Page.
3. Configure the authentication module options — See section 5.5 Configuring the Authentication Module Options.
4. Customize the authentication module output attributes — See section 5.6 Customize the Authentication Module Output Attributes.
5. Configure an authentication policy for the authentication module — See section 5.7 Configuring a Policy for the Authentication Module.

The following authentication module wizard steps are not shared by all authentication module types:

• Authentication Login Page — Only wizards corresponding to authentication modules that collect user credentials through an HTML form include the Authentication Login Page step. Authentication modules that collect user credentials through an HTML form include: JDBC, LDAP, and OTP or OTP Self-service. On the Authentication Login Page step, administrators can customize the login page. For more information, see section 5.4 Customizing the Authentication Module Login Page.

• Authentication Options — Configuring a SAML2 authentication module in the wizard consists of the following steps in place of the Authentication Options step: SAML SSO, Assertion Verification, and SAML SLO. For more information, see section 5.5.7 Configuring a SAML2 Authentication Module.

5.3 Select the Authentication Module Type

On the Authentication Module step of the Authentication Module wizard, select a built-in or user-defined authentication module from the list of available module types. To register a user-defined authentication module, click Register new module. The Authentication Module wizard opens. For more information, see section 5.8 Registering a User-defined Authentication Module.

When you configure the first authentication module in the authentication chain, you can select from all but a few of the built-in authentication methods. The following authentication methods, which are only available after the first authentication module is configured, are the exceptions:

• OTP
• TPM
• KCD

For more information about the built-in authentication methods, see the following sections:

• Authentication methods that are always available — See section 5.3.1 Authentication Methods Available for Primary Authentication.
• Authentication methods that are only available after the first authentication module is configured — See section 5.3.2 Authentication Methods Available for Secondary Authentication.

In addition to the built-in authentication module types, you can create your own authentication module and register it in the Management Console. For information about how to create a user-defined authentication module, see the McAfee Cloud Identity Manager Developer’s Guide.

5.3.1 Authentication Methods Available for Primary Authentication

Most built-in authentication methods are available for primary authentication. For more information about each method, see the corresponding sections:

• JDBC — See sections 5.4.1 Customize a JDBC or LDAP Login Page and 5.5.1 Configure a JDBC Authentication Module.

• OpenID — See section 5.5.2 Configure an OpenID Authentication Module.
• Facebook — See section 5.5.3 Configure a Facebook Authentication Module.
• LinkedIn — See section 5.5.4 Configure a LinkedIn Authentication Module.
• Twitter — See section 5.5.5 Configure a Twitter Authentication Module.
• ECA360 Token — See section 5.5.6 Configure an ECA360 Token Authentication Module.
• SAML2 — See section 5.5.7 Configuring a SAML2 Authentication Module.
• Salesforce — See section 5.5.8 Configure a Salesforce Authentication Module.
• IWA — See section 5.5.9 Configure an IWA Authentication Module.
• CAS — See section 5.5.10 Configure a CAS Authentication Module.
• SAML2 Proxy — See section 5.5.11 Configure a SAML2 Proxy Authentication Module.
• LDAP — See section 5.5.12 Configure an LDAP Authentication Module.
• LDAP and OTP (Pledge) — See sections 5.4.3 Customize a Combined LDAP and OTP Login Page and 5.5.13 Configure a Combined LDAP and OTP Authentication Module.
• Certificate — See section 5.5.14 Configure a Certificate Authentication Module.
• SiteMinder — See section 5.5.15 Configure a SiteMinder Authentication Module.

Figure 3. Authentication Module Types

Figure 4. Authentication Module Types (continued)

After you select the authentication module type, click Next to open the next step in the wizard.

5.3.2 Authentication Methods Available for Secondary Authentication

The following built-in authentication methods are only available after the first authentication module is configured:

• OTP Types
— Built-in OTP Server — Select the OTP or OTP Self-service authentication module type when you are using the OTP server that is built into Cloud Identity Manager. For more information, see section Appendix A: Integrating External One Time Password Servers with Cloud Identity Manager.
— External OTP server — Select a user-defined authentication module type when you are using an OTP solution other than the OTP server that is built into Cloud Identity Manager. For an example of how to integrate an external OTP solution with Cloud Identity Manager, see section Appendix B: Integrating RCDevs OpenOTP Server with Cloud Identity Manager.

• TPM — For more information about TPM authentication, see section Appendix G: Integrating TPM on Microsoft Windows with Cloud Identity Manager.

• KCD — For more information about KCD authentication, see section 5.5.19 Configure a KCD Authentication Module.

OTP, TPM, and KCD authentication each add a second authentication factor to a primary authentication method, which is called two-factor authentication. Therefore, these modules are only available after the first module is added to the authentication chain. For configuration details, see the following sections:

• OTP — See sections 5.4.2 Customize an OTP or OTP Self-service Login Page, 5.5.16 Configuring an OTP Authentication Module, and 5.5.17 Configure an OTP Self-service Authentication Module.

• TPM — See section 5.5.18 Configure a TPM Authentication Module.
• KCD — See section 5.5.19 Configure a KCD Authentication Module.

5.4 Customizing the Authentication Module Login Page

The Authentication Login Page step of the Authentication Module wizard opens when configuring modules that collect user credentials through an HTML form, including JDBC, LDAP, and OTP or OTP Self-service modules. On this step of the wizard, you can customize the login page, or accept the default values. Custom settings include the login page title, any notes, and labels for the login fields.

On this step of the wizard, you can also select whether the user credentials are entered on a login page or output as attributes by the preceding authentication module in the authentication chain. You can specify that one credential is entered on a login page, while the other credential is an attribute output by the preceding authentication module in the chain.

Note: If both credentials are output by the preceding authentication module, no login page is displayed.

The Authentication Login Page step is different for different types of authentication modules. For more information about each type, see the corresponding sections:

• JDBC or LDAP — See section 5.4.1 Customize a JDBC or LDAP Login Page.
• OTP or OTP Self-service — See section 5.4.2 Customize an OTP or OTP Self-service Login Page.
• LDAP and OTP (Pledge) — See section 5.4.3 Customize a Combined LDAP and OTP Login Page.


5.4.1 Customize a JDBC or LDAP Login Page

In this procedure, you customize the login page for a JDBC or LDAP authentication module.

To customize a JDBC or LDAP login page
1. Use the default title for the login page, or specify a custom title in the Login title field.
   Default: Login
2. (Optional) Provide login notes for the end user in the Login notes field. The notes are displayed on the login page along with the title and login fields.

3. Use the default labels provided in the Name login field and Password login field, or click Edit to specify alternatives. Clicking Edit opens the Configure Login Field dialog box and allows you to specify an alternative label for the Name or Password login field or to use an attribute output by the preceding module in place of the login credential.


4. (Optional) Select one of the following options as the source of the login credential:
   a. Login credentials — Select this option to specify a custom label for the login field on the login page, and type the label in the Login field label field.
   b. Preceding module’s output — Select this option to use one of the attributes output by the preceding authentication module in the chain in place of the login credential, and select the attribute from the drop-down list that opens.
   c. Click Ok.
      The Configure Login Field dialog box closes, and the label or output attribute is displayed in the login field that you edited.
5. Repeat steps 3 and 4 as needed.
6. Click Next.

The Authentication Options step opens.

5.4.2 Customize an OTP or OTP Self-service Login Page

For an OTP or OTP Self-service authentication module, you can specify whether buttons are displayed on the login page of the mobile device in addition to a custom heading, notes, and labels. If you are configuring an OTP or OTP Self-service authentication module based on:

• The built-in OTP server — The button options are preconfigured. To view the options, see Figure 5. Built-in OTP Module Type Has Preconfigured Button Options.

• An external OTP server — The button options are configured using the SDK provided with Cloud Identity Manager. For more information, see the McAfee Cloud Identity Manager Developer’s Guide.


To customize an OTP or OTP Self-service login page
1. Use the default title for the login page, or specify a custom title in the Login title field.
   Default: One-time Password (OTP) Verification
2. (Optional) Provide login notes for the end user in the Login notes field. The notes are displayed on the login page along with the title and login fields.
   Example: Enter the one-time password generated by Pledge.

3. Use the default label provided in the Password login field, or click Edit to specify an alternative. Clicking Edit opens the Configure Login Field dialog box and allows you to specify an alternative label for the Password login field or to use an attribute output by the preceding module in place of the login credential.

4. (Optional) Select one of the following options as the source of the login credential:
   — Login credentials — Select this option to specify a custom label for the login field on the login page, and type the label in the Login field label field.
   — Preceding module’s output — Select this option to use one of the attributes output by the preceding authentication module in the chain in place of the login credential, and select the attribute from the drop-down list that opens.
5. Click Ok.
   The Configure Login Field dialog box closes, and the label or output attribute is displayed in the login field that you edited.


6. To specify whether buttons are displayed on the login page of the mobile device, select or deselect one or more of the checkboxes at the start of each row in the Button/Link Configuration table. To select or clear all button options, select or deselect the checkbox next to the Index heading. To modify the preconfigured names, double-click them. The button options include:
   — Submit OTP — Selecting this option allows the end user to submit the one-time password generated by the OTP client to the OTP server for verification.
   — Re-generate OTP — Selecting this option allows the end user to request a one-time password from the OTP client.

Figure 5. Built-in OTP Module Type Has Preconfigured Button Options

7. Click Next.
   The Authentication Options step opens.

5.4.3 Customize a Combined LDAP and OTP Login Page

Configuring a combined LDAP and OTP authentication module allows you to collect both the user name and password credentials and the one-time password on one login page. In this OTP implementation, an OTP client on a mobile device generates the one-time password, and the user submits the password to the OTP server. Cloud Identity Manager supports the following OTP clients: Pledge and Yubico Key (YubiKey).

For more information about LDAP and OTP authentication, see the corresponding sections:
• LDAP — See section 5.5.12 Configure an LDAP Authentication Module.
• OTP — See section 5.5.16 Configuring an OTP Authentication Module.


To customize a combined LDAP and OTP login page
1. Use the default title for the login page, or specify a custom title in the Login title field.
   Default: Login
2. (Optional) Provide login notes for the end user in the Login notes field. The notes are displayed on the login page along with the title and login fields.

3. Use the default labels provided in the Name login field, Password login field, and OTP login field, or click Edit to specify alternatives. Clicking Edit opens the Configure Login Field dialog box and allows you to specify an alternative label for the Name, Password, or OTP login field or to use an attribute output by the preceding module in place of the login credential.

4. (Optional) Select one of the following options as the source of the login credential:
   a. Login credentials — Select this option to specify a custom label for the login field on the login page, and type the label in the Login field label field.
   b. Preceding module’s output — Select this option to use one of the attributes output by the preceding authentication module in the chain in place of the login credential, and select the attribute from the drop-down list that opens.
   c. Click Ok.
      The Configure Login Field dialog box closes, and the label or output attribute is displayed in the login field that you edited.
5. Repeat steps 3 and 4 as needed.
6. Click Next.

The Authentication Options step opens.


5.5 Configuring the Authentication Module Options

On the Authentication Options step of the Authentication Module wizard, you configure fields and settings that are specific to the type of authentication module you selected. For information about configuring each type of authentication module, see the following sections:

• JDBC — See section 5.5.1 Configure a JDBC Authentication Module.
• OpenID — See section 5.5.2 Configure an OpenID Authentication Module.
• Facebook — See section 5.5.3 Configure a Facebook Authentication Module.
• LinkedIn — See section 5.5.4 Configure a LinkedIn Authentication Module.
• Twitter — See section 5.5.5 Configure a Twitter Authentication Module.
• ECA360 Token — See section 5.5.6 Configure an ECA360 Token Authentication Module.
• SAML2 — See section 5.5.7 Configuring a SAML2 Authentication Module.
• Salesforce — See section 5.5.8 Configure a Salesforce Authentication Module.
• IWA — See section 5.5.9 Configure an IWA Authentication Module.
• CAS — See section 5.5.10 Configure a CAS Authentication Module.
• SAML2 Proxy — See section 5.5.11 Configure a SAML2 Proxy Authentication Module.
• LDAP — See section 5.5.12 Configure an LDAP Authentication Module.
• LDAP and OTP (Pledge) — See section 5.5.13 Configure a Combined LDAP and OTP Authentication Module.
• Certificate — See section 5.5.14 Configure a Certificate Authentication Module.
• SiteMinder — See section 5.5.15 Configure a SiteMinder Authentication Module.
• OTP — See section 5.5.16 Configuring an OTP Authentication Module.
• OTP Self-service — See section 5.5.17 Configure an OTP Self-service Authentication Module.
• TPM — See section 5.5.18 Configure a TPM Authentication Module.
• KCD — See section 5.5.19 Configure a KCD Authentication Module.

Note: OTP and OTP Self-service, TPM, and KCD authentication each add a second authentication factor to a primary authentication method, which is called two-factor authentication. Therefore, these modules are only available after the first module is added to the authentication chain.


5.5.1 Configure a JDBC Authentication Module

Configure the JDBC fields and settings on the Authentication Options step of the Authentication Module wizard. JDBC is an acronym for Java DataBase Connectivity. The JDBC driver is a client-side adapter that converts requests from Java programs to a protocol that the DBMS uses. DBMS is an acronym for DataBase Management System. Use the JDBC authentication module when user information is stored in a database.

To configure a JDBC authentication module
1. Configure the fields in the Database Connection area of the dialog box:

   JDBC Driver
   Specifies the name of the JDBC driver.
   Value: com.mysql.jdbc.Driver

   DB URL
   Specifies the URL of the database.
   Format: jdbc:mysql://ServerName:Port/DatabaseName

   DB User Name
   Specifies the user name of the database administrator.

   DB Password
   Specifies the password of the database administrator.

2. (Optional) Click Test Connection to test the configuration of the database connection.


3. Select one of the following Query String options:
   a. Typical Query String — Select this option to specify a user name and password in a JDBC table.

      Table Name
      Specifies the name of the JDBC table.
      Example: table1

      User Name Column
      Specifies the name of the column in the JDBC table containing the user name or ID.
      Example: uid

      Password Column
      Specifies the name of the column in the JDBC table containing the password.
      Example: password

      Example Query String: SELECT FROM table1 WHERE uid=? and password=?
   b. Custom Query String — Select this option to specify a custom query string.

4. Click Next.
   The Output Attributes step of the Authentication Module wizard opens.
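The following added example (not code from the product guide) shows how the three Typical Query String fields above combine into the query the module runs, and how the two ? placeholders are bound to the submitted credentials at login. It uses an in-memory SQLite table as a stand-in for the JDBC data source; the table rows are constructed sample data, and selecting the user name column is an assumption (the guide's example omits the column list).

```python
"""Added example, not the product's code: assemble a JDBC module's Typical
Query String from Table Name / User Name Column / Password Column and run it
with the login credentials bound as parameters.

An in-memory SQLite table stands in for the JDBC database; rows are
constructed sample data. The guide's example values table1 / uid / password
are used as-is."""
import re
import sqlite3

# Table and column names become part of the SQL text (they cannot be bound
# as parameters), so only plain identifiers are accepted for those fields.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def typical_query_string(table, user_col, pass_col):
    """Build the query for the Typical Query String option.

    Selecting the user name column is an assumption; the guide's example
    shows the WHERE clause with one ? per credential and no column list."""
    for name in (table, user_col, pass_col):
        if not _IDENT.match(name):
            raise ValueError("not a plain SQL identifier: %r" % name)
    return "SELECT %s FROM %s WHERE %s=? AND %s=?" % (user_col, table, user_col, pass_col)


def authenticate(conn, query, username, password):
    """Run the module's query with the submitted credentials bound to the
    two ? placeholders. Returns True only when exactly one row matches."""
    rows = conn.execute(query, (username, password)).fetchall()
    return len(rows) == 1


def sample_connection():
    """Constructed sample user table standing in for the JDBC database.
    The Typical Query String compares the stored password value directly,
    so the sample stores the value the query is expected to match."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table1 (uid TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO table1 VALUES ('alice', 's3cret'), ('bob', 'hunter2')")
    conn.commit()
    return conn


if __name__ == "__main__":
    q = typical_query_string("table1", "uid", "password")
    db = sample_connection()
    print(q)
    print("alice/s3cret ->", authenticate(db, q, "alice", "s3cret"))
    print("alice/wrong  ->", authenticate(db, q, "alice", "wrong"))
```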

5.5.2 Configure an OpenID Authentication Module

Cloud Identity Manager supports the following OpenID Providers with built-in connectors:
• Google — Visit http://code.google.com/googleapps/domain/sso/openid_reference_implementation.html.
• Yahoo — Visit http://openid.yahoo.com/.
• myOpenID — Visit https://www.myopenid.com/.

In addition, Cloud Identity Manager supports any OpenID Provider through the generic OpenID connector option.


In this procedure, you configure the OpenID fields and settings on the Authentication Options step of the Authentication Module wizard. For OpenID Providers that use the Attribute Exchange Extension, the Attribute Fetch area lists the user attributes that the OpenID Provider sends to Cloud Identity Manager when the user is authenticated. Cloud Identity Manager, in turn, can use these attributes for user provisioning. The attribute list is different for each of the OpenID Providers, as follows.

Note: Integrating OpenID authentication with Cloud Identity Manager does not require additional configuration in the OpenID Provider, but can require additional configuration in Cloud Identity Manager. For more information and additional considerations, see section 6.5 Integrating OpenID Authentication with Cloud Identity Manager.

To configure an OpenID authentication module
1. In the Option Configuration area, select an OpenID Provider from the following options:
   — Google (Default)
   — Yahoo
   — myOpenID
   — Generic
   Selecting an option populates the fields with provider-specific values.
2. In the OpenID Identifier field, specify the published URL of the OpenID Provider’s service.
   Google example: https://www.google.com/accounts/o8/id
   Yahoo example: http://me.yahoo.com

   OpenID Provider   Attribute Exchange List
   Google            country, email, firstname, lastname, language
   Yahoo             fullname, nickname, email, gender
   myOpenID          fullname, nickname, email, birthdate, gender, postalcode, country, language
   Generic           configurable


3. (Optional) For OpenID Providers that use the Attribute Exchange Extension, specify the following fields:

   Attribute Prefix
   Specifies the schema used to map attributes from a source of identity information to an OpenID target.
   Google and Yahoo example: http://axschema.org/
   myOpenID and Generic example: http://schema.openid.net/

   Attribute Fetch
   Specifies one or more user attributes that can be identified by a unique URL.
   Examples:
   http://axschema.org/contact/email
   http://schema.openid.net/contact/email

   Add
   Clicking Add opens one of the following Add dialog boxes:
   • Built-in OpenID Identity Connectors — Select an attribute from the Attribute Alias drop-down list, and click Ok to add it to the Attribute Fetch list.
   • Generic OpenID Identity Connectors — Type the attribute name in the Attribute Alias field and the attribute ID in the Attribute ID field, and click Ok to add the attribute to the Attribute Fetch list.

   Edit
   (Generic) Clicking Edit opens the Edit dialog box, where you can edit an attribute name and ID for a Generic OpenID Provider.

   Delete
   Clicking Delete deletes the selected attribute from the Attribute Fetch list.

4. Select one of the following OP Logout options:
   — Enable — (Default) Enables SLO for this OpenID Provider.
   — Disable — Disables SLO for this OpenID Provider.

Note: OP is an acronym for OpenID Provider.


5. (Optional) Specify the OpenID Provider’s logout URL in the Logout URL field.
   Google example: https://www.google.com/accounts/Logout
   Yahoo example: https://login.yahoo.com/config/login?logout=1

6. Click Next.
   The Output Attributes step of the Authentication Module wizard opens.

5.5.3 Configure a Facebook Authentication Module

In this procedure, you configure the Facebook fields and settings on the Authentication Options step of the Authentication Module wizard. Integrating Facebook authentication with Cloud Identity Manager requires additional configuration. For an overview of Facebook authentication and additional configuration details, see 6.2 Integrating Facebook Authentication with Cloud Identity Manager.

The App ID and App Secret values are assigned when you register Cloud Identity Manager with Facebook and can be viewed in your Facebook account. For more information about registering Cloud Identity Manager with Facebook, see section 6.2.2 Facebook Configuration.

Note: Facebook authentication is based on the OAuth standard. As a result, a Facebook Identity Connector supports SSO but does not support SLO.

When you configure a Facebook authentication module, you have the option of uploading a whitelist file. A Facebook whitelist file contains a list of users who are allowed to access the SaaS or web application by first authenticating to a Facebook account. The whitelist file is a text file containing user emails separated by commas, semicolons, or spaces. Users who can authenticate to Facebook, but whose emails are not included in the whitelist are denied access to the SaaS or web application.


To configure a Facebook authentication module
1. Provide values for the following fields:

   App Id
   Specifies the application ID assigned to Cloud Identity Manager by Facebook.

   App Secret
   Specifies the application secret assigned to Cloud Identity Manager by Facebook.

2. (Optional) Select the Facebook whitelist checkbox.
   The Whitelist dialog box opens.
   a. Click Browse to locate the Facebook whitelist file on your computer.
      Note: The whitelist file is a text file of user emails separated by commas. The whitelist identifies users who are allowed to access the SaaS or web application by first authenticating to Facebook.
   b. Click Upload Whitelist to save the contents of the whitelist file in the Cloud Identity Manager system.
   c. (Optional) Click Download Whitelist to save the whitelist in the following location and file:
      <Download_Directory>/whitelist.txt
      <Download_Directory>
      Specifies your web browser’s download directory.
3. Click Next.
   The Output Attributes step of the Authentication Module wizard opens.
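The following added example (not code from the product guide) parses the whitelist file format described in this section, where emails are separated by commas, semicolons, or spaces, and applies the resulting allow/deny decision to a Facebook-authenticated email. Case-insensitive comparison of addresses is an assumption; the guide does not state how the product compares them.

```python
"""Added example, not the product's code: parse a Facebook whitelist file and
decide whether a Facebook-authenticated user is allowed through.

The guide states the file is text containing user emails separated by
commas, semicolons, or spaces. Comparing addresses case-insensitively is an
assumption of this example."""
import re

# Constructed sample whitelist contents: mixed separators, a line break,
# stray whitespace, and one duplicate differing only in letter case.
SAMPLE_WHITELIST = (
    "alice@example.com, bob@example.com;carol@example.com\n"
    "  Alice@Example.com dave@example.com\n"
)

# One or more commas, semicolons, or whitespace characters end an entry.
_SEPARATORS = re.compile(r"[,;\s]+")


def parse_whitelist(text):
    """Return the set of normalized email addresses in a whitelist file.

    Entries that do not look like an email address are rejected so that a
    mis-edited file fails loudly at upload time rather than silently
    admitting or excluding nobody."""
    entries = set()
    for token in _SEPARATORS.split(text):
        token = token.strip()
        if not token:
            continue
        if "@" not in token:
            raise ValueError("whitelist entry is not an email address: %r" % token)
        entries.add(token.lower())
    return entries


def is_allowed(facebook_email, whitelist):
    """Allow access only when the authenticated user's email is whitelisted.

    A user who authenticates to Facebook but is absent from the whitelist is
    denied access to the SaaS or web application, as the guide describes."""
    if not facebook_email:
        return False
    return facebook_email.strip().lower() in whitelist


if __name__ == "__main__":
    allowed = parse_whitelist(SAMPLE_WHITELIST)
    print(sorted(allowed))
    print("Bob@example.com ->", is_allowed("Bob@example.com", allowed))
    print("eve@example.com ->", is_allowed("eve@example.com", allowed))
```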

5.5.4 Configure a LinkedIn Authentication Module

In this procedure, you configure the LinkedIn fields and settings on the Authentication Options step of the Authentication Module wizard. Integrating LinkedIn with Cloud Identity Manager requires additional configuration. For an overview of LinkedIn authentication and additional configuration details, see section 6.4 Integrating LinkedIn Authentication with Cloud Identity Manager.

Note: You obtain values for the App ID and App Secret fields when you register the SaaS or web application in LinkedIn.

To configure a LinkedIn authentication module
1. In the App ID field, specify the API or consumer key assigned by LinkedIn.
2. In the App Secret field, specify the API or consumer secret assigned by LinkedIn.
3. Click Next.

The Output Attributes step of the Authentication Module wizard opens.


5.5.5 Configure a Twitter Authentication Module

In this procedure, you configure the Twitter fields and settings on the Authentication Options step of the Authentication Module wizard. Integrating Twitter with Cloud Identity Manager requires additional configuration. For an overview of Twitter authentication and additional configuration details, see section 6.8 Integrating Twitter Authentication with Cloud Identity Manager.

Note: You obtain values for the App ID and App Secret fields when you register the SaaS or web application in Twitter.

To configure a Twitter authentication module
1. In the App ID field, specify the API or consumer key assigned by Twitter.
2. In the App Secret field, specify the API or consumer secret assigned by Twitter.
3. Click Next.

The Output Attributes step of the Authentication Module wizard opens.


5.5.6 Configure an ECA360 Token Authentication Module

Before you can configure an ECA360 Token authentication module, you need to configure an Application Adapter-Cloud Authenticator pair. After the pair is configured, click the troubleshooting icon corresponding to the Application Adapter. The General Info tab opens. In that tab, you can locate the SSO and SLO URL values that you need when configuring the ECA360 Token authentication module. For an example, see the following screenshot.

Note: For more information about configuring Application Adapters and Cloud Authenticators, see section 7.0 Cloud Application Trust Profile.

To configure an ECA360 Token authentication module
1. In the Option configuration area, specify the following fields:

a. Copy the SSO Service URL in the Application Endpoint Location area in the General Info tab, and paste it in the SSO URL field. This value specifies the URL of the SSO service provided by the Application Adapter.

b. Copy the SLO Service URL in the Service Connection Endpoint Location area in the General Info tab, and paste it in the SLO URL field. This value specifies the URL of the SLO service provided by the Application Adapter.

c. Type the value specified in the Issuer field on the Token Profile step of the Application Adapter wizard in the Assertion Issuer field.

d. Select the key pair specified on the Token Profile step of the Application Adapter wizard from the X509 Certificate drop-down list.
   Note: Do not select intel cloud expressway from the drop-down list. Selecting the self-signed key pair that comes with Cloud Identity Manager compromises the security of the Cloud Identity Manager system.

2. Click Next.
   The Output Attributes step of the Authentication Module wizard opens.


5.5.7 Configuring a SAML2 Authentication Module

In place of a single Authentication Options step, the SAML2 authentication module wizard has three steps:
1. SAML SSO — Configure SSO for the SAML2 authentication module.
2. Assertion Verification — Configure assertion verification for the SAML2 authentication module.
3. SAML SLO — Configure SLO for the SAML2 authentication module.

5.5.7.1 Configure SSO for a SAML2 Authentication Module

The following procedure refers to two types of issuers:
• IDP Issuer — The IDP Issuer is the Identity Provider. The Identity Provider issues signed SAML assertions that attest to the user’s identity. The SAML assertions are signed by an X.509 certificate. For information about how to acquire an X.509 certificate, see section 12.6 Certificate Management.
• Issuer — The Issuer is Cloud Identity Manager. Cloud Identity Manager issues a signing key pair. If the X.509 certificate and signing key pair match, the signed SAML assertion is valid. Both the X.509 certificate and signing key pair are configured in the Management Console.


To configure SSO for a SAML2 authentication module
1. Select one or both of the following options:

— IDP Initiated SSO — Selecting the IDP Initiated SSO checkbox allows you to enable SSO initiated by the Identity Provider.

— SP Initiated SSO — Selecting the SP Initiated SSO checkbox allows you to enable SSO initiated by the cloud application.

2. (SP Initiated SSO) Perform the following steps:
   a. Select or deselect the Bypass request match check checkbox as follows:

• Selecting the checkbox — Specifies that Cloud Identity Manager does not compare the authentication request and response, looking for a match.

• Deselecting the checkbox — Specifies that Cloud Identity Manager does compare the ID attribute in the authentication request that it sends to the Identity Provider with the InResponseTo attribute in the authentication response that it receives from the Identity Provider, looking for a match.

Note: For more information about this setting, consult the SaaS or web application vendor’s SSO profile.

   b. Type the URL of the Cloud Identity Manager server in the Issuer field.
      Note: Cloud Identity Manager is the issuer of the signing key pair.


   c. (Optional) Select the signature checkbox.
      i. Select one of the following signature types:
         • XML Signature — Specifies that Cloud Identity Manager sign SSO requests with an XML signature.
         • SAML Binding Signature — Specifies that Cloud Identity Manager sign SSO requests with a SAML binding signature.
      ii. Select a preconfigured key pair from the Signature Keys drop-down list.
          Note: In SP-initiated SSO, Cloud Identity Manager redirects the user’s SSO request to the Identity Provider through the user’s browser and issues a signing key pair. The Identity Provider uses the Cloud Identity Manager URL and signing key pair to verify the SSO request.
   d. (Optional) Open the Advanced area and verify the following:
      i. “RSA_WITH_SHA_1” is selected from the Signature generation method drop-down list.
      ii. “C_14_N_EXCLUSIVE” is selected from the Canonicalization generation method drop-down list.
      iii. Select one of the following options from the KeyInfo Type drop-down list:
           • RSA_KEY_VALUE — Specifies that the SAML assertion is signed with an RSA private key.
           • X_509_DATA — Specifies that the SAML assertion is signed with an X.509 certificate containing a private key.
   e. In the Single Sign On Service area, configure Cloud Identity Manager as the SSO service:
      i. Select one of the following options from the Binding drop-down list:
         HTTP_POST — The authentication response is placed in the HTTP body.
         HTTP_REDIRECT — The authentication response is placed in the URL.
      ii. Type the SSO URL of Cloud Identity Manager in the Location field.
3. Click Next.

The Assertion Verification step opens.


5.5.7.2 Configure Assertion Verification for a SAML2 Authentication Module

Provide the URL of the SAML assertion issuer and the name of the X.509 certificate, so that Cloud Identity Manager can verify the SAML assertion. The SAML assertion issuer is the Identity Provider.

To configure assertion verification for a SAML2 authentication module
1. Type the URL of the Identity Provider in the IDP Issuer field.
2. Select an X.509 certificate from the X509 Certificate drop-down list.
3. (Optional) To restrict the SAML assertion’s audience to a specified URL, select the Audience checkbox, and type the URL in the Audience field.
   Note: The audience is the Assertion Consumer Service (ACS) or endpoint that consumes SAML assertions. In the Audience field, specify Cloud Identity Manager as the ACS service.
4. Click Next.
   The SAML SLO step opens.
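The following added example (not code from the product guide) implements two of the checks described in the SAML SSO and Assertion Verification steps: the request match check that the Bypass request match check checkbox disables (AuthnRequest ID against Response InResponseTo), and the IDP Issuer and Audience checks applied to the assertion. The messages are constructed samples; the hostnames and IDs are assumptions, and signature verification is a separate step not modelled here.

```python
"""Added example, not the product's code: the SAML2 request match check and
the Issuer/Audience checks from the Assertion Verification step, run over
constructed sample messages.

Assumptions: hostnames and IDs are made up; the X.509 signature check that
the wizard also configures is a separate step and is not modelled here."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample AuthnRequest as the SP (Cloud Identity Manager) sends it.
AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req-7f3a2c" Version="2.0" IssueInstant="2013-01-01T00:00:00Z">
  <saml:Issuer>https://cim.example.com</saml:Issuer>
</samlp:AuthnRequest>"""

# Constructed sample Response from the Identity Provider for that request.
RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp-91bd" InResponseTo="_req-7f3a2c" Version="2.0"
    IssueInstant="2013-01-01T00:00:05Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-01-01T00:00:05Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://cim.example.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def request_match_check(authn_request_xml, response_xml):
    """Return True when Response/@InResponseTo equals AuthnRequest/@ID.

    This is the comparison the 'Bypass request match check' checkbox turns
    off. A response that was not solicited by this request, or one replayed
    against a different request, fails it."""
    request_id = ET.fromstring(authn_request_xml).get("ID")
    in_response_to = ET.fromstring(response_xml).get("InResponseTo")
    return bool(request_id) and request_id == in_response_to


def verify_assertion_scope(response_xml, idp_issuer, audience):
    """Check the assertion's Issuer and Audience against configured values.

    idp_issuer is the IDP Issuer field; audience is the Audience field (the
    Cloud Identity Manager ACS). Returns a list of problems; an empty list
    means the assertion comes from the configured Identity Provider and is
    addressed to us."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["response carries no Assertion element"]
    problems = []
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_issuer:
        problems.append("assertion issuer %r does not match IDP Issuer %r" % (issuer, idp_issuer))
    audiences = [
        a.text.strip()
        for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    ]
    if audience not in audiences:
        problems.append("configured audience %r not in assertion audiences %r" % (audience, audiences))
    return problems


if __name__ == "__main__":
    print("request match:", request_match_check(AUTHN_REQUEST, RESPONSE))
    print("scope problems:", verify_assertion_scope(RESPONSE, "https://idp.example.com", "https://cim.example.com"))
```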

5.5.7.3 Configure SLO for a SAML2 Authentication Module

The following procedure refers to two types of issuers:
• IDP Issuer — The IDP Issuer is the Identity Provider. The Identity Provider issues signed SAML assertions that attest to the user’s identity. The SAML assertions are signed by an X.509 certificate. For information about how to acquire an X.509 certificate, see section 12.6 Certificate Management.
• Issuer — The Issuer is Cloud Identity Manager. Cloud Identity Manager issues a signing key pair. If the X.509 certificate and signing key pair match, the signed SAML assertion is valid. Both the X.509 certificate and signing key pair are configured in the Management Console.


To configure SLO for a SAML2 authentication module
1. (Optional) Select the IDP Initiated SLO checkbox.

The IDP Initiated SLO dialog box opens.

   a. Select the Request Verification checkbox, and type the URL of the Identity Provider in the IDP Issuer field.
      Note: The Identity Provider is the issuer of the X.509 certificate.
   b. Select the Signature Verification checkbox, and select an X.509 certificate from the X509 Certificate drop-down list.
      Note: In IdP-initiated SLO, the Identity Provider sends the SLO request to Cloud Identity Manager. Cloud Identity Manager uses the Identity Provider URL and X.509 certificate to verify the request.
   c. Select the Response Creation checkbox, and type the URL of the Cloud Identity Manager server in the Issuer field.
      Note: Cloud Identity Manager is the issuer of the signing key pair.
   d. Select the Signature checkbox:
      i. Select one of the following signature types:
         • XML Signature — Specifies that Cloud Identity Manager sign SLO responses with an XML signature.
         • SAML Binding Signature — Specifies that Cloud Identity Manager sign SLO responses with a SAML binding signature.
      ii. Select one of the preconfigured key pairs from the Signature Keys drop-down list.
          Note: In IdP-initiated SLO, Cloud Identity Manager issues a signing key pair in response to the Identity Provider’s SLO request. The Identity Provider uses the Cloud Identity Manager URL and signing key pair to verify the response.
   e. Open the Advanced area.
      i. Verify that “RSA_WITH_SHA_1” is selected from the Signature generation method drop-down list.

McAfee Cloud Identity Manager 3.5 Product Guide 99

Page 100: McAfee Cloud Identity Manager Product Guideb2b-download.mcafee.com/products/evaluation/Intel/...McAfee Cloud Identity Manager 3.5 Product Guide

ii. Verify that “C_14_N_EXCLUSIVE” is selected from the Canonicalization generation method drop-down list.

iii. Select one of the following options from the KeyInfo Type drop-down list:• RSA_KEY_VALUE — Specifies that the SAML assertion is signed with an RSA private key.• X_509_DATA — Specifies that the SAML assertion is signed with a private key associated

with an X.509 certificate.2. (Optional) Select the SP Initiated SLO checkbox.

The SP Initiated SLO dialog box opens.

a. Select the Request Creation checkbox.

i. Select one of the following signature types:

• XML Signature — Specifies that Cloud Identity Manager sign SLO requests with an XML signature.

• SAML Binding Signature — Specifies that Cloud Identity Manager sign SLO requests with a SAML binding signature.

ii. Type the URL of the Cloud Identity Manager server in the Issuer field.
Note: Cloud Identity Manager is the issuer of the signing key pair.

iii. Select one of the preconfigured key pairs from the Signature Keys drop-down list.
Note: In SP-initiated SLO, Cloud Identity Manager redirects the user’s SLO request to the Identity Provider through the user’s browser and issues a signing key pair. The Identity Provider uses the Cloud Identity Manager URL and signing key pair to verify the SLO request.

b. Open the Advanced area.

i. Verify that “RSA_WITH_SHA_1” is selected from the Signature generation method drop-down list.

ii. Verify that “C_14_N_EXCLUSIVE” is selected from the Canonicalization generation method drop-down list.

iii. Select one of the following options from the KeyInfo Type drop-down list:

• RSA_KEY_VALUE — Specifies that the SAML assertion is signed with an RSA private key.

• X_509_DATA — Specifies that the SAML assertion is signed with a private key associated with an X.509 certificate.

c. Select the Response Verification checkbox.

i. Type the URL of the Identity Provider in the IDP Issuer field.
Note: The Identity Provider is the issuer of the X.509 certificate.

ii. Select an X.509 certificate from the X509 Certificate drop-down list.
Note: In SP-initiated SLO, the Identity Provider creates a response to the Cloud Identity Manager SLO request. Cloud Identity Manager uses the Identity Provider URL and X.509 certificate to verify the response.

3. Open the Single Logout Service area.
Note: Cloud Identity Manager provides the SLO service.

a. Select one of the following options from the Binding drop-down list:

• HTTP_POST — The authentication response is placed in the HTTP body.

• HTTP_REDIRECT — The authentication response is placed in the URL.

b. Type the SLO URL of Cloud Identity Manager in the Location field.

4. Click Next.

The Output Attributes step of the Authentication Module wizard opens.
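What the Binding choice and the two signature types above mean on the wire is shown in the following added example (illustrative code, not Cloud Identity Manager's own implementation). With HTTP_REDIRECT the SAML message travels DEFLATE-compressed and base64-encoded in the query string, and a SAML binding signature covers the query string (SAMLRequest, RelayState, SigAlg) rather than the XML; with HTTP_POST the message travels base64-encoded in a form field, where an XML Signature inside the document is the usual choice. The LogoutRequest and the URLs are constructed placeholders; the RSA signing call is passed in as a parameter so the block needs no RSA library, and the `rsa-sha1` algorithm URI is assumed here to be what the RSA_WITH_SHA_1 setting denotes.

```python
"""HTTP-Redirect versus HTTP-POST encoding of a SAML LogoutRequest (added example).

Illustrative code, not Cloud Identity Manager's implementation. The redirect
encoder also builds the string a SAML binding signature covers; the signing
primitive is supplied by the caller (an RSA-SHA1 signer in the real deployment).
"""
import base64
import zlib
from urllib.parse import urlencode, parse_qs, urlsplit, quote

# Standard XML-DSig identifier for RSA with SHA-1 (assumed to be the RSA_WITH_SHA_1 setting).
SIG_ALG_RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Constructed sample message; issuer and subject are placeholders.
LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_lr1" Version="2.0" '
    'IssueInstant="2013-06-01T12:00:00Z">'
    '<saml:Issuer>https://sso.example.com/</saml:Issuer>'
    '<saml:NameID>alice</saml:NameID>'
    '</samlp:LogoutRequest>'
)


def redirect_binding_url(slo_url, xml, relay_state=None, sign=None):
    """HTTP_REDIRECT: raw DEFLATE, base64, URL-encode, then optionally sign the query string."""
    # wbits=-15 produces raw DEFLATE without the zlib header, as the binding requires.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = [("SAMLRequest", base64.b64encode(deflated).decode("ascii"))]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    if sign is not None:
        params.append(("SigAlg", SIG_ALG_RSA_SHA1))
        # The binding signature is computed over the URL-encoded query string exactly
        # as transmitted (SAMLRequest, RelayState, SigAlg), excluding Signature itself.
        to_sign = urlencode(params, quote_via=quote).encode("ascii")
        params.append(("Signature", base64.b64encode(sign(to_sign)).decode("ascii")))
    return f"{slo_url}?{urlencode(params, quote_via=quote)}"


def decode_redirect_binding(url):
    """Recover the XML from an HTTP_REDIRECT URL (handy when inspecting SLO traffic in logs)."""
    query = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def post_binding_field(xml):
    """HTTP_POST: the message is base64-encoded without compression into a form field."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def decode_post_binding(field_value):
    return base64.b64decode(field_value).decode("utf-8")
```

Because a binding signature covers the transmitted query string, the receiving side must verify it over the bytes as received (before URL-decoding) and must not accept an unsigned message where signing was configured; an XML Signature, by contrast, survives re-encoding because it is part of the document.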


5.5.8 Configure a Salesforce Authentication Module

In this procedure, you configure the Salesforce fields and settings on the Authentication Options step of the Authentication Module wizard. Integrating Salesforce authentication with Cloud Identity Manager requires additional configuration. For an overview of Salesforce authentication and additional configuration details, see 6.6 Integrating Salesforce Authentication with Cloud Identity Manager.

To configure a Salesforce authentication module

1. Verify that SFDC is selected from the SAML2 IDP Type drop-down list.
Note: SFDC is an acronym for Salesforce.com.

2. Browse for and upload the Salesforce Metadata File that you downloaded and saved from your Salesforce administrator account. For more information, see section 6.6.2 Configuring Salesforce as the Identity Provider.

The following fields are populated with values from the Salesforce metadata file:

SignIn URL
Specifies the URL of the Salesforce authentication service sign-in page.

SignOut URL
Specifies the URL of the Salesforce authentication service sign-out page.

IDP Assertion Issuer
Specifies the Identity Provider that issues SAML assertions.
Note: Salesforce is the Identity Provider.

3. Specify the Service Provider that issues SAML assertions in the SP Assertion Issuer field.

4. Select a preconfigured key pair from the Select signature keypair drop-down list.
Example: intel cloud expressway

5. Select the corresponding X.509 certificate from the Certificate to verify SAML response drop-down list.
Example: intel cloud expressway

6. Click Next.

The Output Attributes step of the Authentication Module wizard opens.


5.5.9 Configure an IWA Authentication Module

IWA is an acronym for Integrated Windows Authentication. Configuring an IWA authentication module requires that you create a new Active Directory identity store or use an existing one. For information about how to create an Active Directory identity store, see section 4.8 Create an Active Directory Identity Store.

Integrating IWA with Cloud Identity Manager requires additional configuration on the Active Directory server and in your Internet Explorer or Firefox browser. For more information, see section 6.3 Integrating IWA with Cloud Identity Manager.

In this procedure, you configure the IWA fields and settings on the Authentication Options step of the Authentication Module wizard. The settings are grouped into two areas:

• Option configuration
• Output attributes

To configure an IWA authentication module

1. In the Option configuration area, select an existing Active Directory identity store from the Identity Store drop-down list, or click New Active Directory to create a new Active Directory identity store.

2. Configure the following Active Directory fields and settings:

BaseDN
Specifies the Distinguished Name (DN) of the entry in the LDAP tree at which to start searching for a user.
Example: DC=AD-DOMAIN

Search Attribute
Specifies the user attribute to search for and return.
Example: sAMAccountName

Search Scope
Specifies one of the following values:
• BASE — Search the Base DN entry only.
• ONE_LEVEL — Only search the entries one level below the Base DN.
• SUBTREE — Search the Base DN and the entire subtree.


3. Configure the Active Directory output attributes in the Output attributes area. This area is populated with a default set of Active Directory output attributes. Output attributes are available for credential mapping and provisioning to a SaaS or web application. You can customize the output attribute set by adding attributes to and removing attributes from the Output attributes area. To customize the output attributes, click one or more of the following options:

— Add — Click Add to add an attribute to the Output attributes area.
The New attribute dialog box opens. Type the name of the attribute in the Attribute name field, and click Save.

— Edit — Select an output attribute, and click Edit to modify the attribute’s name.
The Edit attribute dialog box opens. Modify the name of the attribute, and click Save.

— Remove — Select an output attribute, and click Remove to remove the attribute from the Output attributes area. At the prompt, click OK to verify.

Note: We recommend confirming that the specified output attributes have values at runtime. Otherwise, if an output attribute is specified in the Output attributes area, but has no value at runtime, a runtime error occurs.

4. Click Save Identity Connector.

5. Click Next.

The Output Attributes step of the Authentication Module wizard opens.


5.5.10 Configure a CAS Authentication Module

CAS is an acronym for Central Authentication Service. To configure a CAS authentication module, complete the CAS-specific fields on the Authentication Options step of the Authentication Module wizard.

Note: Integrating CAS with Cloud Identity Manager requires additional configuration. For an overview of CAS including the additional configuration steps, see section 6.1 Integrating CAS with Cloud Identity Manager.

To configure a CAS authentication module

1. Specify values for the following fields:

SignIn URL
Specifies the URL of the CAS sign-in page.
Example: https://cas-server:8443/cas/login

SignOut URL
Specifies the URL of the CAS sign-out page.
Example: https://cas-server:8443/cas/logout

Validate URL
Specifies the URL of the CAS service that validates Service Tickets.
Example: https://cas-server:8443/cas

Clock Skew
Specifies a value to use when calculating the expiration time. This value is designed to offset small differences between clocks on different computer systems.
Default value: 20
Units: seconds

2. Click Next.

The Output Attributes step of the Authentication Module wizard opens.


5.5.11 Configure a SAML2 Proxy Authentication Module

Configure a SAML2 Proxy authentication module for an instance of Cloud Identity Manager in the cloud that is delegating authentication to an instance of Cloud Identity Manager in the enterprise. Because Cloud Identity Manager in the cloud initiates the SSO process, it requires the sign-in and sign-out URLs of Cloud Identity Manager in the enterprise.

These values are provided on the SAML Credential Mapping step of the Cloud Connector wizard when you configure the SAML2 Proxy Cloud Connector for Cloud Identity Manager in the enterprise. They are listed in the Credential Mapping table as the target attributes ssourl and slourl. Copy and save the source values so that you can paste them in the SignIn URL and SignOut URL fields in this procedure.

Note: For more information about SAML2 Proxy authentication, see section 6.9 Integrating Cloud Identity Manager in the Cloud and the Enterprise.


To configure a SAML2 Proxy authentication module

1. Specify the following fields:

SignIn URL
Specifies the sign-in page URL of the SAML2 Proxy authentication service provided by an instance of Cloud Identity Manager in the enterprise for the instance of Cloud Identity Manager in the cloud.
Note: This value is displayed on the SAML Credential Mapping step of the SAML2 Proxy Cloud Connector wizard.

SignOut URL
Specifies the sign-out page URL of the SAML2 Proxy authentication service provided by an instance of Cloud Identity Manager in the enterprise for the instance of Cloud Identity Manager in the cloud.
Note: This value is displayed on the SAML Credential Mapping step of the SAML2 Proxy Cloud Connector wizard.

Assertion Issuer
Specifies the URL of the Cloud Identity Manager instance in the enterprise as the SAML assertion issuer.
Example: https://e360sso-server:8443/splat/identityservice
Note: This value is displayed on the SAML Assertion step of the SAML2 Proxy Cloud Connector wizard.

Select signature keypair
Select a preconfigured key pair from the drop-down list. Before sending the user’s credentials to Cloud Identity Manager in the enterprise, Cloud Identity Manager in the cloud signs the credentials with the private key.
Default: intel cloud expressway

Certificate to verify SAML response
Select an X.509 certificate from the drop-down list. Cloud Identity Manager in the cloud uses the certificate to verify the signature and accept the SAML assertion from Cloud Identity Manager in the enterprise.
Default: intel cloud expressway

2. Click Next.

The Output Attributes step of the Authentication Module wizard opens.


5.5.12 Configure an LDAP Authentication Module

When you configure an LDAP authentication module, you create a new LDAP identity store or use an existing one. For information about how to create an LDAP identity store, see section 4.7 Create an LDAP Identity Store.

In this procedure, you configure the settings for an LDAP authentication module. The configuration settings are grouped into two areas:

• Option configuration
• Output attributes

To configure an LDAP authentication module

1. In the Option configuration area, select an existing LDAP identity store from the Identity Store drop-down list, or click New LDAP to create a new LDAP identity store.

2. Configure the following LDAP fields and settings:

BaseDN
Specifies the Distinguished Name (DN) of the entry in the LDAP tree at which to start searching for a user.
Example: ou=users,ou=system

Search Attribute
Specifies the user attribute to search for and return.
Example: uid

Search Scope
Specifies one of the following values:
• BASE — Search the Base DN entry only.
• ONE_LEVEL — Only search the entries one level below the Base DN.
• SUBTREE — Search the Base DN and the entire subtree.


3. Configure the LDAP output attributes in the Output attributes area. This area is populated with a default set of LDAP output attributes. Output attributes are available for credential mapping and provisioning to a SaaS or web application. You can customize the output attribute set by adding attributes to and removing attributes from the Output attributes area. To customize the output attributes, click one or more of the following options:

— Add — Click Add to add an attribute to the Output attributes area.
The New attribute dialog box opens. Type the name of the attribute in the Attribute name field, and click Save.

— Edit — Select an output attribute, and click Edit to modify the attribute’s name.
The Edit attribute dialog box opens. Modify the name of the attribute, and click Save.

— Remove — Select an output attribute, and click Remove to remove the attribute from the Output attributes area. At the prompt, click OK to verify.

Note: We recommend confirming that the specified output attributes have values at runtime. Otherwise, if an output attribute is specified in the Output attributes area, but has no value at runtime, a runtime error occurs.

4. Click Next.

The Output Attributes step of the Authentication Module wizard opens.


5.5.13 Configure a Combined LDAP and OTP Authentication Module

Configuring a combined LDAP and OTP authentication module allows you to collect both the user name and password credentials and the one-time password on one login page. In this OTP implementation, an OTP client on a mobile device generates the one-time password, and the user submits the password to the OTP server. Cloud Identity Manager supports the following OTP clients: Pledge and Yubico Key (YubiKey).

For more information about LDAP and OTP authentication, see the corresponding sections:
• LDAP — See section 5.5.12 Configure an LDAP Authentication Module.
• OTP — See section 5.5.16 Configuring an OTP Authentication Module.

On the Authentication Options step of the Authentication Module wizard, you configure the LDAP and OTP fields and settings.

To configure a combined LDAP and OTP authentication module

1. In the LDAP Options Configuration area, select an existing LDAP identity store from the Identity Store drop-down list, or click New LDAP to create a new LDAP identity store.

2. Configure the following LDAP fields and settings:

BaseDN
Specifies the Distinguished Name (DN) of the entry in the LDAP tree at which to start searching for a user.
Example: ou=users,ou=system

Search Attribute
Specifies the user attribute to search for and return.
Example: uid

Search Scope
Specifies one of the following values:
• BASE — Search the Base DN entry only.
• ONE_LEVEL — Only search the entries one level below the Base DN.
• SUBTREE — Search the Base DN and the entire subtree.


3. In the OTP Options Configuration area, select one of the following options:

— To specify an existing OTP connector — Select an option from the OTP Connector drop-down list.

— To create a new OTP connector — Click New OTP Connector.
The OTP Connector dialog box opens.

— To delete the OTP connector shown in the OTP Connector field — Click Delete OTP Connector, and then click OK to confirm.
Note: If you try to delete an OTP module that is used by another authentication chain, an error message displays.

4. (Optional) In the OTP Connector dialog box, create a new OTP connector:

a. Specify the following fields:

Server Host
Specifies the host name or IP address of the OTP server.

Server Port
Specifies the port number of the OTP server.

b. (Optional) To test the OTP server configuration, click Test Connection.

c. Click Save OTP Connector.

The OTP connector is saved and automatically selected in the OTP Connector field.

5. From the UID drop-down list in the OTP Mapping area, select an LDAP output attribute as the user identifier required for OTP authentication.

6. Click Next.

The Output Attributes step of the Authentication Module wizard opens.

5.5.14 Configure a Certificate Authentication Module

In this procedure, you configure how Cloud Identity Manager searches for a certificate key pair in an LDAP keystore. To perform the search, Cloud Identity Manager compares the value of the certificate subject attribute to the value of the search attribute in each entry in the keystore, looking for a match. For example, if the search attribute is uid, the certificate subject attribute is cn, and the value of cn is “eca360sso”, Cloud Identity Manager searches for and returns entries in the keystore whose search attribute uid has the value of “eca360sso”.

Note: When you specify an SSL certificate provider, you need to import the SSL certificate in your web browser. You also need to import the SSL certificate or its CA into the Cloud Identity Manager keystore. For more information, see the McAfee Cloud Identity Manager Installation Guide.


To configure a Certificate authentication module

1. Specify the following fields and settings in the Option configuration area:

Certificate Provider
Specifies the type of provider that issues the certificate.
Value: SSL

SSL Port
Specifies the number of the SSL port.
Value: 8445

CRL Check
Specifies whether to enable CRL checking. The CRL is a list of certificates issued by the certificate provider that have been revoked and are no longer valid.
Note: CRL is an acronym for Certificate Revocation List.
Default: Disable

CRL Distribution Points
Specifies the location from which to download the most recent CRL:
• Selecting the Specify checkbox allows you to type the location of the Certificate Distribution Point (CDP) in the URL field.
• (Default) Deselecting the Specify checkbox configures Cloud Identity Manager to read the CDP from the certificate.
Note: When viewing a certificate in your browser, you can see the CDPs in the Details tab.

URL
(Optional) Specifies the location of the Certificate Distribution Point.

OCSP Check
Specifies whether to enable OCSP checking. When OCSP checking is enabled, an OCSP request for the status of the certificate is sent to the certificate provider.
Note: OCSP is an acronym for Online Certificate Status Protocol.
Default: Disable

OCSP Server
Specifies the location of the OCSP server:
• Selecting the Specify checkbox allows you to type the location of the OCSP server in the URL field.
• (Default) Deselecting the Specify checkbox configures Cloud Identity Manager to read the OCSP server from the certificate.
Note: When viewing a certificate in your browser, you can see the OCSP server listed in the Details tab.

URL
(Optional) Specifies the location of the OCSP server.


Keystore Type
Specifies the keystore:
• LDAP — Selecting the LDAP keystore populates the fields in the LDAP Options Configuration area with default values that you can modify.
• Built-in — Selecting the Built-in keystore disables the LDAP Options Configuration area.
Note: Cloud Identity Manager uses information in the keystore to verify the certificate.

2. Specify the following fields and settings in the LDAP keystore configuration area:

Certificate Subject Attribute
Specifies the subject attribute whose value is used to search the LDAP keystore for a certificate.
Default: cn

Identity Store
Specifies an LDAP identity store.

BaseDN
Specifies the Distinguished Name (DN) of the entry in the LDAP keystore at which to start searching for a certificate.
Example: ou=certs,ou=system

Search Attribute
Specifies the subject attribute whose value must match the value of the certificate subject attribute when searching the LDAP keystore for a certificate.
Default: uid

Search Scope
Specifies one of the following values:
• BASE — Search the Base DN entry only.
• ONE_LEVEL — Only search the entries one level below the Base DN.
• SUBTREE — Search the Base DN and the entire subtree.

Note: To create a new LDAP identity store and add it to the Identity Store drop-down list, click New LDAP.

3. Click Next.

The Output Attributes step of the Authentication Module wizard opens.
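The BaseDN, Search Attribute and Search Scope settings appear in the IWA module (5.5.9), the LDAP module (5.5.12), the combined LDAP and OTP module (5.5.13) and the certificate keystore lookup in this section (5.5.14). The following added example, illustrative code rather than Cloud Identity Manager's LDAP client, runs all three scopes against the same small in-memory directory so their results can be compared, and performs the keystore lookup described above (match the certificate subject attribute's value against the keystore's search attribute) the same way. Values that originate outside the directory, whether a typed user name or a certificate subject, are escaped per RFC 4515 before they enter the filter, which keeps a crafted value from widening the search. The DNs and attribute values are constructed sample data; DN handling ignores escaped commas, which is sufficient for the sample.

```python
"""LDAP search scope, filter escaping and the certificate keystore lookup (added example).

Illustrative code with an in-memory directory standing in for the LDAP server;
not Cloud Identity Manager's implementation. All entries are constructed.
"""
import re

# Constructed directory: DN -> attributes, using the guide's example base DNs.
DIRECTORY = {
    "ou=system": {"objectClass": ["organizationalUnit"]},
    "ou=users,ou=system": {"objectClass": ["organizationalUnit"]},
    "uid=alice,ou=users,ou=system": {"uid": ["alice"], "mail": ["alice@example.com"]},
    "uid=bob,ou=users,ou=system": {"uid": ["bob"]},
    "uid=carol,ou=staff,ou=users,ou=system": {"uid": ["carol"]},
    "ou=certs,ou=system": {"objectClass": ["organizationalUnit"]},
    "uid=eca360sso,ou=certs,ou=system": {"uid": ["eca360sso"], "userCertificate": ["<DER placeholder>"]},
}


def normalize_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_scope(entry_dn, base_dn, scope):
    """BASE: the base entry only; ONE_LEVEL: its direct children; SUBTREE: base and all descendants."""
    entry, base = normalize_dn(entry_dn).split(","), normalize_dn(base_dn).split(",")
    if entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    if scope == "BASE":
        return depth == 0
    if scope == "ONE_LEVEL":
        return depth == 1
    if scope == "SUBTREE":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def escape_filter_value(value):
    """RFC 4515 escaping: the characters that would change the filter's structure become \\xx."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter(attribute, value):
    """The equality filter sent for the configured Search Attribute, e.g. (uid=alice)."""
    return f"({attribute}={escape_filter_value(value)})"


def _unescape(text):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def _matches(pattern, value):
    """Server-side match of one assertion value; an unescaped '*' is a substring wildcard."""
    parts = [_unescape(p) for p in pattern.split("*")]
    if len(parts) == 1:
        return value == parts[0]
    if not value.startswith(parts[0]) or not value.endswith(parts[-1]):
        return False
    pos = len(parts[0])
    for middle in parts[1:-1]:
        idx = value.find(middle, pos)
        if idx < 0:
            return False
        pos = idx + len(middle)
    return pos <= len(value) - len(parts[-1])


def search(base_dn, scope, ldap_filter):
    """Return the sorted DNs in scope whose attribute satisfies a simple (attr=value) filter."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("only simple equality filters are modelled here")
    attribute, pattern = m.group(1), m.group(2)
    return sorted(
        dn for dn, attrs in DIRECTORY.items()
        if in_scope(dn, base_dn, scope)
        and any(_matches(pattern, v) for v in attrs.get(attribute, []))
    )


def find_certificate_entry(subject_value, base_dn="ou=certs,ou=system",
                           search_attribute="uid", scope="SUBTREE"):
    """5.5.14 lookup: the certificate subject attribute value (e.g. cn=eca360sso) is matched
    against the keystore's Search Attribute (default uid) under the keystore BaseDN."""
    return search(base_dn, scope, build_filter(search_attribute, subject_value))
```

Running the same filter with each scope shows why the choice matters for an authentication lookup: SUBTREE finds users in nested containers, ONE_LEVEL does not, and BASE only ever returns the base entry itself. The escaping test shows that a subject value of `*` yields no match instead of matching every keystore entry.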


5.5.15 Configure a SiteMinder Authentication Module

Before you can configure SiteMinder as an authentication source in the Management Console, the SiteMinder administrator must configure a 4.x-compatible custom SiteMinder agent in the SiteMinder Administrative UI. You need the SiteMinder agent name and shared secret to complete the Authentication Options step of the Authentication Module wizard. On the Authentication Options step, you also configure connections to one or more SiteMinder Policy Servers.

To configure a SiteMinder authentication module

1. In the Option configuration area, complete the following fields:

Agent Name
Specifies the name configured for the custom SiteMinder agent that is embedded with Cloud Identity Manager.
Note: The SiteMinder administrator configures the agent name in the Administrative UI when the custom agent object is created.

Agent Shared Secret
Specifies the shared secret configured for the custom SiteMinder agent that is embedded with Cloud Identity Manager.
Note: The SiteMinder administrator configures the shared secret in the Administrative UI when the custom agent object is created.

2. In the SiteMinder Policy Servers area, select one of the following options:

— Add — Opens the Configure SiteMinder Policy Server dialog box, where you can configure a Policy Server and add it to the SiteMinder authentication module.

— Edit — Opens the Configure SiteMinder Policy Server dialog box, where you can modify the configuration of a Policy Server selected from among those previously added to the SiteMinder authentication module.

— Remove — Deletes the selected Policy Server from the SiteMinder authentication module.

— Remove All — Deletes all Policy Servers from the SiteMinder authentication module.


3. (Add/Edit) On the Configure SiteMinder Policy Server dialog box, complete or modify the following fields, and click Save:

Policy Server Host
Specifies the host name or IP address of the Policy Server.

Policy Server Accounting Port
Specifies the port number of the Policy Server accounting service.
Default: 44441

Policy Server Authentication Port
Specifies the port number of the Policy Server authentication service.
Default: 44442

Policy Server Authorization Port
Specifies the port number of the Policy Server authorization service.
Default: 44443

4. To test the connection to the selected Policy Server, click Test Policy Server Connection.

5. Repeat steps 2 through 4 as needed to configure all Policy Servers.


6. (Optional) Select the Advanced Configuration Options checkbox, and complete the following fields:

Multi-Server Behavior
Select one of the following options:

Failover
Specifies that all Policy Server requests are sent to one Policy Server. If that Policy Server fails, all requests are sent to the next Policy Server, and so on in a chain of configured Policy Servers.

Round-Robin
Specifies that Policy Server requests are distributed dynamically among the configured Policy Servers.

Connection Timeout
Specifies the number of seconds to wait for a connection to the Policy Server before a timeout occurs.
Default: 30

Initial Number of Policy Server Connections
Specifies the initial number of connections to the Policy Server that the SiteMinder agent creates.
Default: 2

Maximum Number of Policy Server Connections
Specifies the maximum number of connections to the Policy Server that the SiteMinder agent creates.
Default: 20

Policy Server Connections Increment Step
Specifies the number of Policy Server connections that the SiteMinder agent adds each time more connections are needed.
Default: 2

7. Click Next.

The Output Attributes step of the Authentication Module wizard opens.
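How the Multi-Server Behavior options and the three connection-count settings in step 6 interact is modelled in the following added example. It is illustrative code, not the SiteMinder agent: Failover keeps sending to the first healthy Policy Server in configured order and only moves on when that server is marked failed, Round-Robin rotates through the healthy servers, and each server's pool starts at the Initial Number of connections, grows by the Increment Step when every connection is busy, and stops at the Maximum (at which point a real agent waits up to the Connection Timeout). The server names are constructed.

```python
"""Failover versus Round-Robin selection and connection-pool growth (added example).

Illustrative model of the advanced SiteMinder options, not the agent's code.
"""


class PolicyServerPool:
    def __init__(self, servers, behavior="Failover", initial=2, maximum=20, step=2):
        if behavior not in ("Failover", "Round-Robin"):
            raise ValueError(f"unknown Multi-Server Behavior {behavior!r}")
        if not (0 < initial <= maximum and step > 0):
            raise ValueError("initial must be positive, not exceed maximum, and step must be positive")
        self.servers = list(servers)
        self.behavior = behavior
        self.maximum, self.step = maximum, step
        self.failed = set()
        self._next = 0  # round-robin cursor
        # Per-server pool state: connections created so far, and how many are in use.
        self.created = {s: initial for s in self.servers}
        self.busy = {s: 0 for s in self.servers}

    def choose(self):
        """Pick the Policy Server for the next request according to the configured behavior."""
        healthy = [s for s in self.servers if s not in self.failed]
        if not healthy:
            raise RuntimeError("no Policy Server available")
        if self.behavior == "Failover":
            return healthy[0]  # always the first healthy server in configured order
        server = healthy[self._next % len(healthy)]
        self._next += 1
        return server

    def mark_failed(self, server):
        """Record a failed server; Failover moves to the next one in the chain from here on."""
        self.failed.add(server)

    def mark_recovered(self, server):
        self.failed.discard(server)

    def acquire(self, server):
        """Take a connection from the server's pool, growing it by step up to maximum.

        Returns False when the pool is exhausted (the agent would then wait up to
        Connection Timeout seconds for a connection to be released).
        """
        if self.busy[server] >= self.created[server]:
            if self.created[server] >= self.maximum:
                return False
            self.created[server] = min(self.maximum, self.created[server] + self.step)
        self.busy[server] += 1
        return True

    def release(self, server):
        if self.busy[server] <= 0:
            raise RuntimeError("release without acquire")
        self.busy[server] -= 1
```

With the defaults (2, 20, 2) a quiet agent holds two connections per Policy Server and can grow to twenty under load; sizing the maximum against the Policy Server's own connection limits keeps a burst on one Cloud Identity Manager node from starving other agents.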


5.5.16 Configuring an OTP Authentication Module

Cloud Identity Manager supports the following one-time password delivery methods:

• Mail — The OTP server sends the one-time password to an email address by an email service.

• SMS — The OTP server sends the one-time password to a mobile phone number by SMS, the Short Message Service (a text message service).

• OTP client on a mobile device — The one-time password is generated by an OTP client running on a mobile device.

Cloud Identity Manager supports the following OTP clients: Pledge and Yubico Key (YubiKey). In this delivery method, the OTP client on the mobile device generates the one-time password and the user submits the password to the OTP server. The server locates the user’s OATH key in the server’s database and verifies the one-time password.

The delivery method depends on the following values, which are configured in the OTP server:
• The HOTP setting
• The target OTP attribute
• The mail and SMS delivery method settings

Note: When HOTP is enabled and the target OTP attribute is set to UID, the OTP server uses HMAC to verify the one-time password. HMAC is an acronym for Hash-based Message Authentication Code, and HOTP is an acronym for HMAC-based One Time Password.

HOTP Setting: Enabled
  Target OTP Attribute = Mail or Mobile: The HOTP setting has no effect, and the mail and SMS delivery methods are supported when they are enabled in the OTP server.
  Target OTP Attribute = UID: Delivery of a one-time password by an OTP client on a mobile device is supported. Mail and SMS delivery are not supported.

HOTP Setting: Disabled
  Target OTP Attribute = Mail or Mobile: The HOTP setting has no effect, and the mail and SMS delivery methods are supported when they are enabled in the OTP server.
  Target OTP Attribute = UID: The HOTP setting has no effect, and the mail and SMS delivery methods are supported when they are enabled in the OTP server.


The following table summarizes attribute mapping for the three target OTP attribute types: mail, mobile, and uid. The mobile target attribute refers to a mobile phone number and the SMS delivery method and not to a mobile device.

Note: One-time password integration involves configuration on the OTP server side as well as in the Management Console. For more information, see Appendix A: Integrating External One Time Password Servers with Cloud Identity Manager and Appendix B: Integrating RCDevs OpenOTP Server with Cloud Identity Manager.

Target OTP Attribute: MAIL
Source Attribute: email address
OTP Mapping Use Case: The end user sends a request to the OTP server for a one-time password. The request includes the email address specified by the source attribute. The OTP server sends the one-time password to the specified email address.
Note: Verify that mail delivery is enabled in the OTP server. The HOTP setting in the OTP server has no effect.

Target OTP Attribute: MOBILE
Source Attribute: mobile phone number
OTP Mapping Use Case: The end user sends a request to the OTP server for a one-time password. The request includes the mobile phone number specified by the source attribute. The OTP server sends the one-time password to the mobile phone number using SMS, the Short Message Service.
Note: Verify that SMS delivery is enabled in the OTP server. The HOTP setting in the OTP server has no effect.

Target OTP Attribute: UID
Source Attribute: identifier
OTP Mapping Use Case: If HOTP is enabled, the end user sends a request containing the one-time password generated by the OTP client on a mobile device to the OTP server. The request includes the identifier specified by the source attribute. The OTP server uses the specified identifier to locate the user and the user’s OATH key in the server’s database. The server then uses the OATH key to verify the one-time password.

If HOTP is disabled, the end user sends a request to the OTP server for a one-time password. The request includes the identifier specified by the source attribute. The OTP server uses the specified identifier to locate the user in the server’s database.

• If the target OTP attribute is set to mail and mail delivery is enabled in the OTP server, the server sends the one-time password to the email address in the user’s account.

• If the target OTP attribute is set to mobile and SMS delivery is enabled in the OTP server, the server sends the one-time password to the mobile phone number in the user’s account.
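The UID row above describes the server side of HOTP: the identifier in the request locates the user, the user’s OATH key is read from the server database, and the submitted one-time password is checked against it. The following Python is an added example of that verification step written for this guide; it is not code from McAfee or from any OTP server the guide integrates with. The user id, OATH key (the RFC 4226 test secret) and counter are constructed sample values, and the look-ahead window size is an assumption.

```python
"""HOTP (RFC 4226) generation and server-side verification.

Added example, not code from the McAfee guide or from any OTP server it
describes. It models the UID mapping with HOTP enabled: the server looks
up the user by identifier, fetches that user's OATH key and counter, and
checks the submitted one-time password. Key, counter and user id are
constructed sample values.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

DIGITS = 6          # length of the one-time password
LOOK_AHEAD = 5      # how far ahead of the stored counter the server searches (assumption)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP value for (key, counter) per RFC 4226 section 5.3: HMAC-SHA-1,
    dynamic truncation to 31 bits, then reduction modulo 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10 ** digits).zfill(digits)


@dataclass
class OtpUserRecord:
    """What the OTP server stores per user: the OATH key and the next
    expected counter value (constructed stand-in for the server database)."""
    uid: str
    oath_key: bytes
    counter: int = 0


def verify_hotp(record: OtpUserRecord, submitted: str, look_ahead: int = LOOK_AHEAD) -> bool:
    """Verify a submitted HOTP value against the user's stored counter.

    Accepts counters in [counter, counter + look_ahead] to tolerate token
    presses that were never submitted, resynchronizes on success, and never
    moves the counter backwards, so a previously accepted value is rejected
    on replay.
    """
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    for candidate in range(record.counter, record.counter + look_ahead + 1):
        if hmac.compare_digest(hotp(record.oath_key, candidate), submitted):
            record.counter = candidate + 1
            return True
    return False


def verify_by_uid(store: dict, uid: str, submitted: str) -> bool:
    """Server-side flow for the UID mapping: locate the user by the
    identifier carried in the request, then verify against that user's key.
    Unknown identifiers fail closed."""
    record = store.get(uid)
    if record is None:
        return False
    return verify_hotp(record, submitted)


# Constructed sample store. The key is the RFC 4226 appendix D test secret,
# so the generated values can be checked against the RFC's table.
SAMPLE_STORE = {
    "jdoe": OtpUserRecord(uid="jdoe", oath_key=b"12345678901234567890", counter=0),
}

if __name__ == "__main__":
    code = hotp(SAMPLE_STORE["jdoe"].oath_key, 0)
    print("token shows:", code)
    print("first use accepted:", verify_by_uid(SAMPLE_STORE, "jdoe", code))
    print("replay accepted:", verify_by_uid(SAMPLE_STORE, "jdoe", code))
```

Two properties matter for a defender here: the comparison is constant-time, and the stored counter only ever advances, which is what makes a captured one-time password useless once it has been accepted. Whether mail or SMS delivery is enabled plays no part in this path, which is why the table notes that those settings do not apply to HOTP.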


5.5.16.1 Configure an OTP Authentication Module

Configure the OTP fields and settings on the Authentication Options step of the Authentication Module wizard.

To configure an OTP authentication module

1. Select one of the following options in the Option configuration dialog box:

— To specify an existing OTP connector — Select an option from the OTP Connector drop-down list.

— To create a new OTP connector — Click New OTP Connector. The OTP Connector dialog box opens.

— To delete the OTP connector shown in the OTP Connector field — Click Delete OTP Connector, and then click OK to confirm.

Note: If you try to delete an OTP module that is used by another authentication chain, an error message displays.

2. (Optional) In the OTP Connector dialog box, create a new OTP connector:

a. Specify the following fields:

Server Host
Specifies the host name or IP address of the OTP server.

Server Port
Specifies the port number of the OTP server.

b. (Optional) To test the OTP server configuration, click Test Connection.

c. Click Save OTP Connector.

The OTP connector is saved and automatically selected in the OTP Connector field.


3. Configure the fields in the OTP Mapping group box:

a. Select an attribute from the list of attributes output by the preceding authentication module from the Source drop-down list. The value of the source attribute is mapped to the target OTP attribute.

LDAP example: mail

b. Select one of the following options from the Target OTP Attribute drop-down list:

• MAIL — (Default) Select MAIL as the target OTP attribute when the OTP server sends the one-time password to the email address specified by the source attribute.

• MOBILE — Select MOBILE as the target OTP attribute when the OTP server sends the one-time password to the mobile phone number specified by the source attribute.

• UID — Select UID as the target OTP attribute when the OTP server uses the identifier specified by the source attribute to locate the user in the database.

c. Click Save OTP Connector. The OTP Connector configuration is saved.

4. Click Next. The Output Attributes step of the Authentication Module wizard opens.


5.5.17 Configure an OTP Self-service Authentication Module

Using the built-in OTP server and the OTP Self-service authentication module, you can specify which OTP delivery methods are available to the end user. For the Email and Mobile delivery methods, you can select the self-service option which allows the end user to specify the email address and mobile phone number, respectively. Alternatively, you can specify an attribute output by the preceding authentication module as the source of the email address or mobile phone number.

Note: The Pledge and Email OTP delivery methods require HTTP and SSL proxy addresses. For information about how to configure these, see section 12.2 Configure Network Proxy Addresses.

To configure an OTP Self-service authentication module

1. Select all OTP delivery methods that are available to the end user:

— Pledge — The Pledge software token generates a one-time password on a mobile device. The end user sends the one-time password to the OTP server, which verifies the password.

— Email — The OTP server sends the one-time password to an email address using an email service.

— Mobile — The OTP server sends the one-time password to a mobile phone number using a text message service.

2. To configure email delivery:

a. Select one of the following sources for the email address:

• To obtain the email address from the preceding module in the authentication chain, select an output attribute from the drop-down list.

• To prompt the user for the email address, select the Self-service checkbox.

b. To configure the email service, click Config SMTP. The SMTP Setting dialog box opens.

Note: SMTP is an acronym for Simple Mail Transfer Protocol.


c. Configure the following fields, and click OK:

SMTP Host
Specifies the host name or IP address of the SMTP server that sends the email messages.
Default: smtp.intel.com

SMTP Port
Specifies the port number of the SMTP server that sends the email messages.
Default: 25

Email Sender
Specifies the email address from which the email messages are sent.
Default: [email protected]

3. To configure mobile delivery:

a. Select one of the following sources for the mobile phone number:

• To obtain the mobile phone number from the preceding module in the authentication chain, select an output attribute from the drop-down list.

• To prompt the user for the mobile phone number, select the Self-service checkbox.

b. To configure the text message service, click Config SMS Gateway. The SMS Gateway Setting dialog box opens with Nordic Edge SMS Gateway selected from the SMS Gateway drop-down list.

Note: SMS is an acronym for Short Message Service.

c. Click OK.

4. From the Attribute as key drop-down list, select the output attribute to use when looking up the user in the OTP server’s database.

5.5.17.1 OTP Server Considerations for OTP Self-service Authentication

If you plan to modify the configuration of the built-in OTP server using the McAfee remote OTP configuration tool that comes with Cloud Identity Manager, review the following considerations:

• Databases — “Intel SSO User Store” is a built-in database used by the OTP Self-service authentication module. Do not modify or delete this database when configuring the built-in OTP server using the remote configuration tool.

• Clients — If you use the remote configuration tool to create a client with the same IP address as the built-in “Intel SSO User Store” database, specify a name for the client in the Client Display name field. This setting prevents the new client from conflicting with the built-in database used by the OTP self-service authentication module.

Note: For more information about remote OTP configuration, see section 12.13 Configuring Remote OTP Settings.


5.5.18 Configure a TPM Authentication Module

On the Authentication Options step of the Authentication Module wizard, you upload one or more TPM public key files and add them to the TPM authentication module configuration.

To configure a TPM authentication module

1. In the Option configuration dialog box, click Add. The Import TPM public key dialog box opens.

2. Browse for the TPM public key file, and click Upload. The TPM public key file name and contents are added to the Option configuration dialog box.

3. To add another TPM public key file to the TPM authentication module configuration, repeat steps 1 and 2.

4. Click Next. The Output Attributes step of the Authentication Module wizard opens.

5.5.19 Configure a KCD Authentication Module

KCD is an acronym for Kerberos Constrained Delegation. Kerberos is the network authentication protocol used by Integrated Windows Authentication (IWA). Cloud Identity Manager manages Kerberos authentication for users who want access to enterprise applications in the cloud. Managing Kerberos authentication is called impersonation. When managing Kerberos authentication for a user, Cloud Identity Manager impersonates that user.

Constrained delegation is configured on the domain controller to specify which applications Cloud Identity Manager can access when impersonating a user. The domain controller is the server on which Active Directory is running. This server responds to authentication requests made within the Windows Server domain. All enterprise applications and host computers must be in the Windows Server domain.


Before you configure a KCD authentication module, verify that the following requirements are met:

• Cloud Identity Manager is installed on a Windows Server that is connected to an Active Directory user store. The Authentication Module wizard automatically detects the Active Directory connection and verifies that the user store is in the enterprise domain.

• The authentication source for the KCD authentication module is provided by the user attributes output by the preceding module in the authentication chain.

To configure a KCD authentication module

1. Select an attribute output by the preceding module in the authentication chain from the Source drop-down list.

2. Select an existing Active Directory identity store from the Identity Store drop-down list, or click New Active Directory to create a new Active Directory identity store.

Note: For more information about creating a new Active Directory identity store, see section 4.8 Create an Active Directory Identity Store.

3. The remaining Active Directory fields autocomplete:

Base DN
Specifies where to start searching in the LDAP tree.

Search Attribute
Specifies the user attribute to retrieve from the identity store.

Search Scope
Specifies how many levels to search in the LDAP tree below the Base DN.

4. Click Next. The Output Attributes step of the Authentication Module wizard opens.


5.6 Customize the Authentication Module Output Attributes

On the Authentication Output step of the Authentication Module wizard, you can customize the attributes output by the authentication module that you are configuring. When the Enable output setting checkbox is selected, the preconfigured output attributes, if any, are displayed as target-source pairs.

The following screenshot shows the preconfigured output attributes for a built-in LDAP authentication module. You can add attributes to and remove attributes from the table of output attributes. You can also edit attributes in the table.

The next module in the authentication chain refers to the output attributes by the target names shown on the Authentication Output table. The target name is also the name of the attribute in the Cloud Identity Manager system. The source name is the name of the attribute in the identity store or authentication source or the name of the attribute output by the preceding module in the chain.

If you are customizing the output attributes for:

• Built-in authentication module types — The preconfigured output attributes are the default attributes configured for the built-in type.

• User-defined authentication module types — The preconfigured output attributes are the default attributes configured for the user-defined type using the SDK provided with Cloud Identity Manager. For more information, see the McAfee Cloud Identity Manager Developer’s Guide.

Note: When configuring output attributes for a Certificate authentication module, remember that the source must be output attributes from the preceding module in the chain and not login credentials. For Certificate authentication modules, the Login credential option is not available in the Select source dialog box of the Authentication Output step. For more information about the default output attributes preconfigured for a certificate authentication module, see section 5.6.1 Default Output Attributes for a Certificate Authentication Module.

To customize the authentication module output attributes

1. Select the Enable output setting checkbox if it is not already selected. The preconfigured output attributes, if any, are displayed.

2. To add an attribute to the table of output attributes, click Add. The New attribute dialog box opens.


a. Type the name of the output attribute in the Target name field. This name is used by succeeding modules in the chain to refer to the attribute.

b. To configure the Source name, click Edit. The source name is the name of the attribute output by the preceding module in the chain. The Select source dialog box opens.

Note: If the only option is Authentication result, this dialog box does not display, and you can go to step c. If the only option is Login credential, this dialog box does not display, and you can go to step d.

c. To specify an attribute output by the preceding authentication module as the source, select the Authentication result option:

i. From the Select authentication result drop-down list, select the source attribute that you want to map to the target attribute.

ii. (Optional) To extract a value from the source attribute, select the Extract value from entry checkbox, and type an expression in the Expression field that opens.

Certificate Example: The following expression extracts the email address from the subject field of an X.509 certificate:

EMAILADDRESS=([\d\w\.]+@[\d\w\.]+), CN=


d. To specify a login credential entered by the user as the source, select the Login credential option, and select a credential from the drop-down list:

e. Click Ok. The source is selected, and the Select source dialog box closes.

f. To specify that the target attribute name-value pair is output by the authentication chain overall, select the Final result checkbox.

Note: An output attribute that is specified as the final result of an authentication chain cannot be output by any succeeding authentication module in the chain. This requirement is enforced during configuration of the authentication chain, and an error message is displayed.

g. To close the New attribute dialog box and add the target-source pair to the table of output attributes, click Save.

3. To edit an attribute in the table of output attributes, select it, and click Edit. The Edit attribute dialog box opens. For configuration details, see step 2.

4. To remove an attribute from the table of output attributes, select it, click Remove, and click OK.

5. Repeat steps 2, 3, and 4, as needed.

6. Click Next. The Policy Setting step of the Authentication Module wizard opens.
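The Certificate Example in step 2.c.ii extracts an email address from a certificate subject with a regular expression. The following Python is an added example written for this guide, not code from McAfee: it runs the guide’s expression over constructed subject strings and shows where it returns no value. The second expression, STRICTER_EXPRESSION, is my own suggestion and not from the guide; it accepts hyphens and plus signs in the local part, which `[\d\w\.]` does not.

```python
"""Extracting the email address from an X.509 subject with the guide's expression.

Added example, not code from the guide. It applies the Certificate Example
expression to constructed subject strings and compares it with a stricter
expression (a suggestion of this example, not from the guide) that also
accepts hyphens and plus signs in the local part.
"""
import re
from typing import List, Optional, Tuple

# Expression quoted in the guide's Certificate Example.
GUIDE_EXPRESSION = r"EMAILADDRESS=([\d\w\.]+@[\d\w\.]+), CN="

# Assumed alternative: anything except comma, whitespace or '@' before the
# '@', anything except comma or whitespace after it; the space after the
# comma is optional so that DNs rendered without spaces still match.
STRICTER_EXPRESSION = r"EMAILADDRESS=([^,\s@]+@[^,\s]+),\s*CN="


def extract_email(subject: str, expression: str = GUIDE_EXPRESSION) -> Optional[str]:
    """Return capture group 1 of the first match, or None when nothing matches
    (in which case the output attribute receives no value)."""
    match = re.search(expression, subject)
    return match.group(1) if match else None


def compare_expressions(subjects: List[str]) -> List[Tuple[Optional[str], Optional[str]]]:
    """Run both expressions over each subject; returns (guide_result, stricter_result) pairs."""
    return [(extract_email(s), extract_email(s, STRICTER_EXPRESSION)) for s in subjects]


# Constructed sample subjects (not taken from real certificates).
SAMPLE_SUBJECTS = [
    "EMAILADDRESS=jane.doe@example.com, CN=Jane Doe, OU=Engineering, O=Example Corp, C=US",
    "EMAILADDRESS=jane-doe@example.com, CN=Jane Doe, OU=Engineering, O=Example Corp, C=US",
    "CN=Jane Doe, OU=Engineering, O=Example Corp, C=US",                 # no email in the subject
    "CN=Jane Doe, EMAILADDRESS=jane.doe@example.com, O=Example Corp",    # EMAILADDRESS not followed by CN
]

if __name__ == "__main__":
    for subject, (guide, stricter) in zip(SAMPLE_SUBJECTS, compare_expressions(SAMPLE_SUBJECTS)):
        print(f"{subject}\n  guide expression:    {guide}\n  stricter expression: {stricter}")
```

Two things to check before relying on an extraction expression: the character classes must cover every address your CA actually issues (a hyphenated local part fails the guide’s expression and produces an empty attribute), and the expression assumes EMAILADDRESS immediately precedes CN in the subject, so a CA that orders the relative distinguished names differently also yields no value. Test the expression against real subjects from your CA before putting the module into a chain that depends on the attribute.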


5.6.1 Default Output Attributes for a Certificate Authentication Module

The contents of an X.509 certificate are the source of the default output attributes configured for a Certificate authentication module, as follows:

Serial Number
Specifies a number that uniquely identifies the X.509 certificate.

Subject
Specifies the name of the entity that is authenticated. An entity can be an individual or an organization.

Issuer
Specifies the name of the X.509 certificate issuer.

Subject Unique Identifier
Specifies an identifier that is unique to the subject.
Note: This optional attribute can be set to null.

Issuer Unique Identifier
Specifies an identifier that is unique to the issuer.
Note: This optional attribute can be set to null.

Version
Specifies the version of the X.509 certificate.
Value: 3


5.7 Configuring a Policy for the Authentication Module

Configuring an authentication policy on the Policy Setting step of the Authentication Module wizard involves the following settings. For more information, see the corresponding sections:

• Policy Type — See section 5.7.1 Configuring the JAAS Policy Type.

• Policy Conditions — See section 5.7.2 Configuring the Policy Conditions.

• Determined by Cloud Connector — See section 5.7.3 Determined by Cloud Connector: Use Cases.


5.7.1 Configuring the JAAS Policy Type

To configure a policy for the authentication module, you specify one of four JAAS policy types. The policy type determines whether:

• Successful authentication by the authentication module is required for overall authentication by the chain.

• Processing of the authentication modules in the authentication chain continues or stops.

Overall authentication by the chain succeeds if authentication by all Requisite and Required modules succeeds. If authentication by a Sufficient module succeeds, processing stops. In this case, successful authentication is required by Requisite and Required modules that occur before the Sufficient module in the chain, but not by those modules that occur later in the chain. If there are no Requisite or Required modules in the chain, authentication by at least one Sufficient or Optional module must succeed for successful authentication by the chain overall to take place.

Policy Type   Is Authentication by the Module Required for Overall Success?   Processing of the Chain
Requisite     Required                                                         Stops when authentication by the module fails
Required      Required                                                         Continues
Sufficient    Optional                                                         Stops when authentication by the module succeeds
Optional      Optional                                                         Continues

5.7.2 Configuring the Policy Conditions

In addition to configuring the policy type, which is required, you can optionally add one or more of the following conditions to the authentication policy. Each condition corresponds to a Boolean expression that evaluates to TRUE or FALSE. For example, if the time of access falls within the specified time range, the Time condition evaluates to TRUE.

Condition                 Boolean Expression
Time of access            The time of access falls within the specified time range.
Day of week               The day of the week belongs to the specified set of days.
IP address                The IP address falls within the specified address range.
Browser type              The browser type matches the type specified.
Authentication context    A Boolean expression that is based on an authentication result from the preceding authentication module evaluates to TRUE.

Authentication context is based on a Boolean expression, which has two parts and an operator, that you build in the expression editor. The first part is the authentication result output by the preceding module in the authentication chain.

In the following example, mail is the result output by the preceding module in the authentication chain, and contains is the operator. In the example, the overall expression tests whether the email address retrieved from the user store contains the string value “intel.com”. Users whose email address does contain the specified string value are granted access to the resource. Other users are denied access.

$AuthnResult.getField("mail") contains "intel.com"

Note: For more information about Cloud Identity Manager expressions, see Appendix H: Expression Language Support.
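The policy types in section 5.7.1 decide two things for each module: whether its result counts toward the overall outcome and whether the chain keeps running. The following Python is an added example written for this guide, not code from McAfee or from the product; it implements the chain evaluation exactly as the section describes it and models the Determined by Cloud Connector checkbox (section 5.7.3) as a per-module enabled flag. That a disabled module is simply skipped is an assumption of this example, and the module outcomes come from a constructed context dictionary instead of real LDAP or OTP calls.

```python
"""Authentication chain evaluation with JAAS policy types.

Added example, not code from the guide or the product. It models the four
policy types of section 5.7.1 and the Determined by Cloud Connector
checkbox of section 5.7.3 as a per-module 'enabled' flag (assumption: a
module disabled for a connector is skipped). Module outcomes are supplied
by a constructed context dict instead of real LDAP/OTP calls.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

REQUISITE, REQUIRED, SUFFICIENT, OPTIONAL = "Requisite", "Required", "Sufficient", "Optional"


@dataclass
class ChainModule:
    name: str
    policy: str
    authenticate: Callable[[Dict[str, bool]], bool]   # stand-in for the module's login logic
    enabled: bool = True                               # Determined by Cloud Connector: on for this connector?


def module(name: str, policy: str, enabled: bool = True) -> ChainModule:
    """Build a module whose outcome is read from ctx[name] (constructed test double)."""
    return ChainModule(name, policy, lambda ctx: bool(ctx.get(name, False)), enabled)


def run_chain(modules: List[ChainModule], ctx: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Evaluate the chain; returns (overall_success, names of modules that were processed)."""
    has_required = False          # any Requisite/Required module seen
    required_failed = False       # any Requisite/Required module failed
    non_required_succeeded = False
    processed: List[str] = []

    for m in modules:
        if not m.enabled:
            continue              # disabled in this Cloud Connector: not part of the chain here
        processed.append(m.name)
        ok = m.authenticate(ctx)

        if m.policy in (REQUISITE, REQUIRED):
            has_required = True
            if not ok:
                required_failed = True
                if m.policy == REQUISITE:
                    break         # Requisite failure stops processing
        elif m.policy == SUFFICIENT:
            if ok:
                non_required_succeeded = True
                break             # Sufficient success stops processing; earlier Required results still count
        elif m.policy == OPTIONAL:
            if ok:
                non_required_succeeded = True
        else:
            raise ValueError(f"unknown policy type: {m.policy}")

    if has_required:
        return (not required_failed), processed
    return non_required_succeeded, processed


# Constructed chains after the LDAP-OTP use case of section 5.7.3: the same chain,
# once with OTP enabled for a two-factor application and once with OTP disabled.
LDAP_OTP_CHAIN = [module("LDAP", REQUIRED), module("OTP", REQUIRED)]
LDAP_ONLY_VIEW = [module("LDAP", REQUIRED), module("OTP", REQUIRED, enabled=False)]

if __name__ == "__main__":
    print(run_chain(LDAP_OTP_CHAIN, {"LDAP": True, "OTP": False}))   # (False, ['LDAP', 'OTP'])
    print(run_chain(LDAP_ONLY_VIEW, {"LDAP": True}))                  # (True, ['LDAP'])
```

The order of modules matters for Sufficient: a Sufficient module placed before a Required one can short-circuit the chain, whereas the same module placed after a failed Required module cannot rescue the result. Choosing Requisite rather than Required for the first factor also keeps later modules (such as an OTP delivery) from running at all for a caller whose password was wrong.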


5.7.3 Determined by Cloud Connector: Use Cases

Selecting the Determined by Cloud Connector checkbox lets you enable or disable the authentication module in the Cloud Connector configuration. This flexibility allows you to use the same authentication chain with a wider variety of Cloud Connectors and applications.

Consider an LDAP-OTP authentication chain. While some applications only require LDAP authentication, other applications require both LDAP and OTP authentication, which is called two-factor or strong authentication. To use the same authentication chain for both use cases, select the Determined by Cloud Connector checkbox when you configure the OTP authentication module. Then when you configure a Cloud Connector for an application that requires two-factor authentication, enable the OTP authentication module on the Identity Connector step of the Cloud Connector wizard.

In another use case, you can create an authentication chain consisting of one LDAP module and two different OTP modules and select the Determined by Cloud Connector checkbox for both OTP modules. Configure one OTP module for email delivery of the one-time password and the other OTP module for delivery to a mobile device. Then when configuring Cloud Connectors, such as Google and Salesforce, you can enable one type of OTP authentication for a Google app and another type of OTP authentication for a Salesforce application.


5.7.4 Configure a Policy for the Authentication Module

In this procedure, you configure the policy type and condition settings for the authentication module.

To configure a policy for the authentication module

1. Select one of the following policy flags:

— Requisite — Successful authentication is required. Failure stops processing of the authentication chain.

— Required — Successful authentication is required. Processing continues, success or failure.

— Sufficient — Successful authentication is not required. Success stops processing of the authentication chain.

— Optional — Successful authentication is not required. Processing continues, success or failure.

2. (Optional) Select the Condition checkbox. The condition options open.

3. To let the administrator enable the authentication module when configuring a Cloud Connector, select the Determined by Cloud Connector checkbox.

4. To add time as a condition to the policy, select the Time restriction checkbox. The Time restriction dialog box opens.

5. To restrict the Access time to a specified time range, provide values for the following fields:

— Range — Specify whether the restricted times are inside or outside the time range.

• Between — Selecting Between specifies that the time of access must fall within the specified time range.

• Not Between — Selecting Not Between specifies that the time of access must fall outside the specified time range.

— from — Specify a starting time for the time range.

• HH — Select the hour from the HH drop-down list. Range: 0-23

• MM — Select the number of minutes from the MM drop-down list. Range: 0-55 (in five-minute increments)

— to — Specify an ending time for the time range.

• HH — Select the hour from the HH drop-down list. Range: 0-23

• MM — Select the number of minutes from the MM drop-down list. Range: 0-55 (in five-minute increments)

6. To add days of the week as a condition to the policy:

a. Select the Date restriction checkbox. The Date restriction dialog box opens.

b. Select one or more days of the week on which access to the resource is allowed.


7. To add the IP address as a condition to the policy:

a. Select the IP restriction checkbox. The IP restriction dialog box opens.

b. To specify the range of IP addresses that are permitted to access the resource, provide values for the following fields:

i. Type the beginning value of the IP address range in the From field.

ii. Type the ending value of the IP address range in the To field.

Note: The IP address is the address of the server that sent the request for access to the protected resource.

8. To add browser type as a condition to the policy:

a. Select the Browser restriction checkbox. The Browser restriction dialog box opens.

b. To specify the type of browser allowed to access the application, select one of the following options:

• Personal Computer — Browsers on a personal computer are allowed to access the application.

• Mobile device — Browsers on a mobile device are allowed to access the application.

9. To add an expression as a condition to the policy:

a. Select the Authentication context checkbox. The Authentication context dialog box opens.

b. Click Edit to open the expression editor and create an expression.

Note: For more information, see Appendix H: Expression Language Support.

10. Click Finish. The authentication module configuration is saved, and the module is added to the table of authentication modules in the authentication chain.
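Steps 4 through 9 configure conditions that each reduce to a Boolean, and access is granted only when every configured condition is TRUE. The following Python is an added example written for this guide, not code from McAfee or the product: it evaluates the Time restriction with Between and Not Between, the Date restriction, the inclusive From/To IP restriction, and the `$AuthnResult.getField("mail") contains "intel.com"` Authentication context from section 5.7.2 against a constructed request. The HH:MM string format, the treatment of a range whose end is earlier than its start as crossing midnight, and the inclusive IP range are assumptions of this example.

```python
"""Evaluating the policy conditions of sections 5.7.2 and 5.7.4.

Added example, not code from the guide or the product. Assumptions: times
are "HH:MM" strings in 24-hour form as in the wizard's HH and MM fields, a
time range whose 'to' is earlier than 'from' crosses midnight, and the IP
range From..To is inclusive.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, Optional, Set


@dataclass
class AccessPolicy:
    time_from: Optional[str] = None          # "HH:MM"; None = no Time restriction
    time_to: Optional[str] = None
    time_between: bool = True                # True = Between, False = Not Between
    allowed_days: Optional[Set[str]] = None  # e.g. {"Mon", "Tue"}; None = no Date restriction
    ip_from: Optional[str] = None            # inclusive range; None = no IP restriction
    ip_to: Optional[str] = None
    mail_must_contain: Optional[str] = None  # Authentication context: mail contains <value>


def _inside(t: time, start: time, end: time) -> bool:
    """Inclusive check; a range with end < start is taken to cross midnight (assumption)."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def _ip_in_range(addr: str, low: str, high: str) -> bool:
    """Inclusive address range; unparsable addresses or mixed IP versions fail closed."""
    try:
        ip, lo, hi = (ipaddress.ip_address(x) for x in (addr, low, high))
    except ValueError:
        return False
    if not (ip.version == lo.version == hi.version):
        return False
    return lo <= ip <= hi


def evaluate_conditions(policy: AccessPolicy, when_iso: str, client_ip: str,
                        authn_result: Dict[str, str]) -> Dict[str, bool]:
    """Evaluate each configured condition; keys are the condition names from section 5.7.2."""
    when = datetime.fromisoformat(when_iso)
    results: Dict[str, bool] = {}
    if policy.time_from is not None and policy.time_to is not None:
        inside = _inside(when.time(), time.fromisoformat(policy.time_from),
                         time.fromisoformat(policy.time_to))
        results["Time of access"] = inside if policy.time_between else not inside
    if policy.allowed_days is not None:
        results["Day of week"] = when.strftime("%a") in policy.allowed_days
    if policy.ip_from is not None and policy.ip_to is not None:
        # The address evaluated is the one that sent the request, as the guide's note says.
        results["IP address"] = _ip_in_range(client_ip, policy.ip_from, policy.ip_to)
    if policy.mail_must_contain is not None:
        results["Authentication context"] = policy.mail_must_contain in authn_result.get("mail", "")
    return results


def access_allowed(policy: AccessPolicy, when_iso: str, client_ip: str,
                   authn_result: Dict[str, str]) -> bool:
    """Every configured condition must be TRUE; a policy with no conditions imposes no restriction."""
    return all(evaluate_conditions(policy, when_iso, client_ip, authn_result).values())


# Constructed sample policy: weekday office hours, an internal address range, corporate mail only.
SAMPLE_POLICY = AccessPolicy(
    time_from="08:00", time_to="18:00", time_between=True,
    allowed_days={"Mon", "Tue", "Wed", "Thu", "Fri"},
    ip_from="10.0.0.1", ip_to="10.0.0.254",
    mail_must_contain="intel.com",
)

if __name__ == "__main__":
    request = ("2013-06-12T09:30:00", "10.0.0.25", {"mail": "jdoe@intel.com"})   # constructed request
    print(evaluate_conditions(SAMPLE_POLICY, *request))
    print("allowed:", access_allowed(SAMPLE_POLICY, *request))
```

Keep in mind the guide’s note on step 7: the IP address tested is the one the server sees as the sender of the request, so a proxy or load balancer in front of Cloud Identity Manager changes what the range check is evaluating.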


5.8 Registering a User-defined Authentication Module

You can create your own authentication module and register it in the Management Console. For information about how to create a user-defined authentication module, see the McAfee Cloud Identity Manager Developer’s Guide.

To register a user-defined authentication module, open the Authentication Module wizard and click Register new module. You can navigate to the Authentication Module wizard in one of two ways:

• Cloud Connectors tab — Create a new or edit an existing Identity Connector having the authentication chain type. In the Identity Connector dialog box, click New. The Authentication Module wizard opens.

• Application Adapters tab — Create a new or edit an existing Cloud Authenticator. In the Cloud Authenticator dialog box, click New. The Authentication Module wizard opens.

Clicking Register new module in the Authentication Module wizard opens the New Authentication Module wizard, which consists of four steps:

1. Module name — In this step, you provide the full class name and a description of the new authentication module, and upload the .jar file containing the authentication module.

2. Option configuration — In this step, you configure the authentication service.

3. Callback configuration — (Optional) In this step, you upload the XML file containing the credential configuration. Cloud Identity Manager uses this information to render the login page. You can omit this step when the authentication module provides the user credentials itself.

4. Review — In this step, you review the new authentication module’s configuration.


5.8.1 Name the New Authentication Module

In this step of the New Authentication Module wizard, you specify the full class name and a description of the new authentication module, and upload the .jar file containing the authentication module.

To specify the name of the new authentication module

1. Copy and paste the new authentication module’s full class name in the Full class name field.

Format: com.intel.e360.identityservice.authn.spi.<module_name>AuthnLoginModule

<module_name>
Specifies the name of the authentication module.

2. Browse for the .jar file containing the user-defined authentication module.

Note: The name of the .jar file must match the class name in step 1.
Format: <module_name>AuthnLoginModule.jar

3. Click Upload.

4. (Optional) Type a description of the authentication module in the Description field.

5. Click Next. The Option configuration step opens.


5.8.2 Configure the Authentication Service and the Output Attributes

In this step of the New Authentication Module wizard, you configure the authentication service and the shared and output attributes. The values that you specify in this procedure must match the implementation of the authentication module.

On this step of the wizard, there are two areas:

• Option configuration — The Option configuration area is where you configure the authentication service.

• Output attributes — The Output attributes area is where you configure the shared and output attributes.

To configure the authentication service and the output attributes

1. In the Option configuration area, specify the authentication service configuration. For each configuration option:

a. Type the name of the option in the Option name field.

Note: Option names must be unique.
Example: service

b. Select the Property checkboxes that apply:

• isRequired — Specifies that the option is required.

• isListValue — Specifies that the option is a list value having a string type.

• attributes from preceding module — Specifies that the option is passed to the authentication module from the preceding module in the authentication chain.


c. If the Option type field is active, select one of the following data types for the configuration option:

• string — Specifies a string value.

• password — Specifies a password.

• boolean — Specifies a boolean value.

• integer — Specifies an integer.

• enum — Specifies a list of constant values.

d. Click Add. The configuration option is added to the option list.

e. To configure another option for the authentication service, repeat steps a through d.

2. In the Output attributes area, configure the shared and output attributes. For each attribute:

a. Type the name of the output attribute in the Add field.

Example: cn

b. To specify that the output attribute is to be shared with the next module in the authentication chain, select the Shared to succeeding modules checkbox.

c. Click Add to add the attribute to the list of output attributes.

d. To add another attribute to the list of output attributes, repeat steps a through c.

Note: To remove an attribute from the list of output attributes, you can select it, and click Remove.

3. Click Next. The Callback configuration step opens.


5.8.3 Specify the Callback Configuration

In this step of the New Authentication Module wizard, you specify the callback configuration. The Callback configuration defines the credentials required for authentication and how the login page is rendered.

When authentication is delegated to a custom Identity Provider or authentication service or credentials are extracted from HttpServletRequest or HttpServletResponse, the callback configuration is not needed. In this case, you can omit this step, and the value of the callback configuration is null.

To specify the callback configuration

1. Select the Upload callback configuration checkbox.

The callback configuration area opens.

2. Browse for the XML file containing the callback configuration.

3. Click Upload.

The contents of the callback configuration file are displayed in the Callback configuration area.

4. Click Next.

The Review step opens.


5.8.4 Review the New Authentication Module Configuration

On this step of the wizard, you can review the configuration of the new authentication module. The following screenshot shows a sample configuration for an LDAP authentication module.

Note: Before you can apply the authentication module, you must restart the Cloud Identity Manager service.


To review the new authentication module configuration

1. Review the configuration, and click Finish.

The following prompt opens.

2. Select one of the following options:

— Yes — Selecting Yes saves the configuration and restarts the Cloud Identity Manager service.
— No — Selecting No saves the configuration and returns to the Authentication Module wizard, where you can configure a new authentication module using the authentication module type that you just registered.


6.0 Authentication Reference

Some Identity Connectors and authentication modules require configuration that is external to Cloud Identity Manager, have additional considerations for you to review, or both. The Authentication Reference covers the external configuration and additional considerations for these Identity Connectors and authentication modules and includes the following sections:

• CAS authentication — See section 6.1 Integrating CAS with Cloud Identity Manager.
• Facebook authentication — See section 6.2 Integrating Facebook Authentication with Cloud Identity Manager.
• IWA authentication — See section 6.3 Integrating IWA with Cloud Identity Manager.
• LinkedIn authentication — See section 6.4 Integrating LinkedIn Authentication with Cloud Identity Manager.
• OpenID authentication — See section 6.5 Integrating OpenID Authentication with Cloud Identity Manager.
• Salesforce authentication — See section 6.6 Integrating Salesforce Authentication with Cloud Identity Manager.
• SiteMinder authentication — See section 6.7 Integrating SiteMinder with Cloud Identity Manager.
• Twitter authentication — See section 6.8 Integrating Twitter Authentication with Cloud Identity Manager.
• Cloud Identity Manager in the cloud and the enterprise — See section 6.9 Integrating Cloud Identity Manager in the Cloud and the Enterprise.

6.1 Integrating CAS with Cloud Identity Manager

The Central Authentication Service (CAS) is an SSO authentication protocol for the web conceived and developed at Yale University. CAS allows users to access multiple SaaS and web applications after providing their credentials only once. It also allows SaaS and web applications to authenticate users without having access to their credentials. CAS supports a number of identity store options, including LDAP directories and databases.

Cloud Identity Manager and CAS work together to implement SSO and SLO and to provision enterprise users to SaaS or web applications. Provisioning takes place when Cloud Identity Manager maps the user attributes from an identity store to the user attributes in an application account and creates an account for the user in the application. Provisioning takes place once, when the user signs on for the first time.

Note: For information about how to configure a CAS Identity Connector in the Management Console, see section 4.9.2 Configure a CAS Identity Connector.


6.1.1 CAS Overview

The following diagram shows a more detailed view of how Cloud Identity Manager and CAS work together to implement SSO and SLO for the user and an application.

Figure 6. Central Authentication Service (CAS)

The SSO and SLO process takes place as follows:

1. The user requests an application service through the browser.
2. The application redirects the user’s request to Cloud Identity Manager.
3. Cloud Identity Manager delegates authentication to CAS.
4. CAS presents a login page to the user and gathers the user's credentials. CAS authenticates the user’s credentials against the user’s enterprise identity in an LDAP directory or a database. On successful authentication, CAS issues a Service Ticket (ST) and redirects the user’s request to Cloud Identity Manager.

Note: The Service Ticket is used to validate the user’s identity and establish an authenticated identity across multiple applications for single sign-on.

5. Cloud Identity Manager sends the Service Ticket back to CAS for validation.
6. CAS validates the Service Ticket and sends the validated result to Cloud Identity Manager.
7. Cloud Identity Manager maps the user's identity to the application, and the user is signed on.
8. Cloud Identity Manager manages the user’s session and authenticated identity. While the session is active, Cloud Identity Manager manages additional sign-on requests to other applications made by the user, so that the user only needs to authenticate once.
9. When the user logs out of an application, Cloud Identity Manager manages the user's active CAS and application sessions and the single log-out process.


6.1.2 CAS Considerations

When integrating CAS with Cloud Identity Manager, review the following considerations:

• Credential mapping and user provisioning — As an authentication service, CAS provides an authentication result. For this reason, select AUTHN_RESULT_FIELD as the subject or source type when configuring credential mapping and user provisioning for CAS in Cloud Identity Manager.

• Network proxy — If Cloud Identity Manager can connect directly to CAS without first going through a network proxy, you can bypass the proxy and improve network performance. For information about how to bypass the network proxy, see section 6.1.3 Bypass the Network Proxy for CAS.

• User attributes for provisioning — When provisioning users, Cloud Identity Manager expects the following user attributes: uid, sn, cn, mail, and givenName. Configure user provisioning on the CAS server to provide the expected user attributes. For instructions on how to configure CAS for user provisioning, see section 6.1.4 Configure CAS for User Provisioning.

6.1.3 Bypass the Network Proxy for CAS

How you configure the network proxy for Cloud Identity Manager and CAS depends on your network. In some networks, Cloud Identity Manager can connect to CAS directly without going through a network proxy first. In this case, you can configure Cloud Identity Manager to bypass the network proxy when connecting to CAS server addresses. Bypassing the network proxy also improves network performance.

To bypass the Network Proxy for CAS

1. Select the Admin tab in the Management Console, and click Proxy Management.

The Network window opens.

2. Select the Route Proxy tab.

3. Type the host name of the CAS server in the No Proxy for field.

4. Click Save Settings.

The setting to bypass the network proxy for CAS server addresses is saved.


6.1.4 Configure CAS for User Provisioning

Configure CAS with the user attributes that Cloud Identity Manager requires to perform user provisioning. For more information about user provisioning, see section 4.10 User Provisioning.

To configure CAS for user provisioning

1. Locate the following file on the CAS server:

deployerConfigContext.xml

2. Open the XML file, and add the following property to the “attributeRepository” section of the file:

<property name="resultAttributeMapping">
    <map>
        <entry key="uid" value="uid" />
        <entry key="sn" value="sn" />
        <entry key="cn" value="cn" />
        <entry key="mail" value="mail" />
        <entry key="givenName" value="givenName" />
    </map>
</property>

3. Save and close the XML file.

4. In CAS Services Management, edit the HTTPS service, so that the attribute list matches the attributes configured in the XML file and required by Cloud Identity Manager for user provisioning.
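Steps 5 and 6 of section 6.1.1 (ticket validation) and the attribute mapping above together decide whether a user is signed on and can be provisioned. The following Python is an added example, not part of the product guide or of McAfee's or CAS's code: it parses a constructed CAS 2.0 serviceValidate response, refuses a failure response, and reports which of the five provisioning attributes (uid, sn, cn, mail, givenName) are missing. The user name, e-mail address and ticket id in the sample responses are constructed.

```python
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
# Attributes Cloud Identity Manager expects for provisioning (sections 6.1.2 and 6.1.4).
REQUIRED_ATTRIBUTES = ("uid", "sn", "cn", "mail", "givenName")

# Constructed sample responses shaped like /serviceValidate output from a CAS server
# whose deployerConfigContext.xml carries the resultAttributeMapping shown above.
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:uid>jdoe</cas:uid>
      <cas:sn>Doe</cas:sn>
      <cas:cn>Jane Doe</cas:cn>
      <cas:mail>jdoe@example.com</cas:mail>
      <cas:givenName>Jane</cas:givenName>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket 'ST-1-constructed' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


class CasValidationError(Exception):
    pass


def parse_service_validate(xml_text):
    """Return (user, attributes) from a CAS serviceValidate response.

    Raises CasValidationError when CAS reports a failure, when the response
    carries neither outcome, or when a success block names no user.
    """
    root = ET.fromstring(xml_text)
    ns = {"cas": CAS_NS}
    failure = root.find("cas:authenticationFailure", ns)
    if failure is not None:
        raise CasValidationError("CAS rejected the ticket: " + failure.get("code", "UNKNOWN"))
    success = root.find("cas:authenticationSuccess", ns)
    if success is None:
        raise CasValidationError("response carries neither success nor failure")
    user_el = success.find("cas:user", ns)
    if user_el is None or not (user_el.text or "").strip():
        raise CasValidationError("authenticationSuccess without cas:user")
    attrs = {}
    attr_block = success.find("cas:attributes", ns)
    if attr_block is not None:
        for child in attr_block:
            name = child.tag.split("}", 1)[-1]  # drop the namespace, keep the bare name
            attrs[name] = (child.text or "").strip()
    return user_el.text.strip(), attrs


def missing_provisioning_attributes(attrs):
    """Names of required provisioning attributes that are absent or empty."""
    return [name for name in REQUIRED_ATTRIBUTES if not attrs.get(name)]


def validate_and_check(xml_text):
    """Validation outcome plus provisioning readiness in one call."""
    user, attrs = parse_service_validate(xml_text)
    missing = missing_provisioning_attributes(attrs)
    if missing:
        raise CasValidationError("cannot provision %s: missing %s" % (user, ", ".join(missing)))
    return user, attrs
```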

6.2 Integrating Facebook Authentication with Cloud Identity Manager

For users who do not have a domain account, you can configure Facebook as the authentication service. In this implementation, Cloud Identity Manager delegates authentication to Facebook. Facebook authentication requires configuration in Facebook, in the Management Console, and in the SaaS or web application. For more information, see the following references:

• Facebook Configuration — See sections 6.2.2 Facebook Configuration and 6.2.3 Setting Up Cloud Identity Manager on Facebook.

• Configuration in the Management Console — See section 5.5.3 Configure a Facebook Authentication Module.

• Configuration in the SaaS or Web Application — See the McAfee Cloud Identity Manager Integration Guide.

Note: Facebook authentication is based on the OAuth standard. While a Facebook Identity Connector supports SSO, it does not support SLO as a result.


6.2.1 Facebook Authentication Overview

The following diagram shows how Cloud Identity Manager and Facebook work together to authenticate the user to a SaaS or web application.

Figure 7. Facebook Authentication

1. The user requests access to a SaaS or web application.
2. The SaaS or web application redirects the user to Cloud Identity Manager.
3. Cloud Identity Manager redirects the user to Facebook with a request for an authorization code.
4. If the user is not logged in to Facebook, Facebook issues a login page, and the user provides login credentials. When the user is authenticated, Facebook sends an authorization request to the user. The user authorizes Cloud Identity Manager.
5. Facebook redirects the user to Cloud Identity Manager with an access token. The access token allows Cloud Identity Manager to access the SaaS or web application on the user’s behalf.
6. Cloud Identity Manager redirects the user to the SaaS or web application and issues a login cookie.
7. The SaaS or web application grants access to the user.

Note: When the user is redirected, the redirection takes place through the user’s browser. Redirection is automated and not visible to the user.


6.2.2 Facebook Configuration

Before configuring a Facebook Identity Connector in the Management Console, set up Cloud Identity Manager as a new application on a Facebook account:
http://www.facebook.com/developers/apps.php

Setting up Cloud Identity Manager as an application on Facebook only requires specifying values for the following fields:

• Application Name (Basic Information dialog box)
• Site URL (Core Settings dialog box)
• Site Domain (Core Settings dialog box)

For the remaining fields, the default values can be accepted. Setting up Cloud Identity Manager on Facebook also gives you the values you need to configure a Facebook Identity Connector in the Management Console:

• Application ID (Core Settings dialog box)
• Application Secret (Core Settings dialog box)

6.2.3 Setting Up Cloud Identity Manager on Facebook

When setting up Cloud Identity Manager on Facebook, review the following considerations:

• Use an existing corporate Facebook account, or create a new Facebook account for professional use.

• On the Basic Information dialog box, the Manage Users section lets you add managers to the Facebook application. Each manager can have one of four roles:

— Administrator
— Developer
— Tester
— Insights User

For more information about Facebook manager roles, visit:
http://developers.facebook.com/docs/ApplicationSecurity/

• The Core Settings dialog box displays the Application ID and Application Secret values that you need to configure a Facebook Identity Connector in the Management Console. To navigate to the Core Settings dialog box, select the Web Site menu option.

• On the Core Settings dialog box, specify the following fields:

Site URL
Specifies the URL of the Cloud Identity Manager service.
Example: https://eca360sso-service.sh.intel.com:8443/

Site Domain
Specifies the name of the website domain.
Example: sh.intel.com


6.3 Integrating IWA with Cloud Identity Manager

Integrating IWA with Cloud Identity Manager requires configuration on the Active Directory server and in the supported Internet Explorer and Firefox web browsers.

Note: For information about how to configure an IWA-AD Identity Connector in the Management Console, see section 4.9.4 Configure an IWA-AD Identity Connector.

6.3.1 Active Directory Configuration Steps

Active Directory configuration steps consist of three parts:

1. Creating an account in Active Directory for Cloud Identity Manager.
2. Registering two Service Principal Names (SPNs) for Cloud Identity Manager with the new user account, one for an HTTP connection and one for an HTTPS connection.
3. (Optional) Creating a key table.

Note: The following domain name is used to illustrate the Active Directory configuration steps: e360sso-server.intel.com. If you are using IWA authentication and you rename the Cloud Identity Manager server after the Service Principal Names (SPNs) are registered, you must register them again using the new server name. This step is required even if you are using a virtual IP address or DNS name that does not change.

1. Create an account in Active Directory for Cloud Identity Manager:

a. In the New Object - User dialog box, complete the following fields as shown:

• First name: eca_svc_acct
• Full name: eca_svc_acct
• User logon name: eca_svc_acct
• Password: eca_svc_acct
• Confirm password:

b. Select the Password never expires checkbox.

2. Register two Service Principal Names (SPNs) for Cloud Identity Manager with the new user account, one for an HTTP connection and one for an HTTPS connection:

a. In Windows, open a Command Prompt, and enter the following commands:

C:\>setspn -A HTTP/hpt087ad1-win32.splitpoint.ssg.intel.com e360sso-server
C:\>setspn -A HTTPS/hpt087ad1-win32.splitpoint.ssg.intel.com e360sso-server

Note: “HTTP” and “HTTPS” must be uppercase.

b. (Optional) To view the results of the registration commands, enter the following command at the prompt:

C:\>setspn -L e360sso-server

3. (Optional) Create a key table:

a. In the Command Prompt, enter the following command:

C:\>ktab -a Front123 -k e360sso-server.keytab

b. (Optional) To view the resulting key table, enter the following command at the prompt (the list option is a lowercase letter l):

C:\>ktab -l -k e360sso-server.keytab


6.3.2 Internet Explorer Configuration Steps

In Internet Explorer, complete the following configuration steps:

1. Select Tools | Internet Options.
2. In the Security tab, select Local intranet, and click Sites.
3. Add the following websites to the Local intranet security zone.

Note: Replace “intel.com” with the name of your domain.

— http://.intel.com
— https://.intel.com

4. Click Close.
5. In the Advanced tab, select the Enable Integrated Windows Authentication (requires restart) checkbox.
6. Click Ok to save the changes and close the Internet Options dialog box.

6.3.3 Firefox Configuration Steps

In your Firefox browser, complete the following configuration steps:

1. Enter “about:config” in the address field.
2. Change the value of the following settings to “intel.com,goto”.

Note: Replace “intel.com” with the name of your domain.

— network.automatic-ntlm-auth.trusted-uris
— network.negotiate-auth.delegation-uris
— network.negotiate-auth.trusted-uris

3. Click Ok to save each setting.


6.3.4 Troubleshooting IWA Integration

This section includes information for troubleshooting IWA integration with Cloud Identity Manager.

For more information, see the following resources:

• How To Create an Active Directory Server in Windows Server 2003 — Visit:
http://support.microsoft.com/kb/324753

• HTTP-Based Cross-Platform Authentication by Using the Negotiate Protocol — Visit:
http://msdn.microsoft.com/en-us/library/ms995329.aspx

• Welcome to the SPNEGO SourceForge project — Visit:
http://spnego.sourceforge.net/

6.3.4.1 KDC Has No Support for Encryption

Symptom: When Cloud Identity Manager is run, the KDC has no support for encryption login exception occurs.

Solution: For all Cloud Identity Manager users in Active Directory, select the Use DES encryption types for this account checkbox. The checkbox is an option located in the Account tab in the Properties dialog box. To access the Properties dialog box, navigate to the Users directory under Cloud Identity Manager. Locate Cloud Identity Manager in the Users directory, and right-click to open the Cloud Identity Manager Properties dialog box.

Note: KDC is an acronym for Key Distribution Center. DES is an acronym for Data Encryption Standard.

6.3.4.2 Checksum Failed

Symptom: When Cloud Identity Manager is run, the Checksum failed message occurs.

Solution: Take the following steps:

1. Verify that the HTTP and HTTPS Service Principal Names (SPNs) are configured correctly for the Cloud Identity Manager user account.
2. Refresh the Kerberos ticket by using the SPN to log on to a domain machine.

6.3.4.3 IWA Authentication Fails When the Browser Is Running on the KDC Machine

Symptom: IWA authentication fails when the web browser is running on the machine where the Key Distribution Center (KDC) is installed. The KDC is installed as part of the domain controller. The domain controller is the server on which Active Directory is running.

Solution: Run the web browser on a different machine from the KDC machine. This symptom is the result of a known Microsoft issue.

More Information:
http://technet.microsoft.com/en-us/library/bb742516.aspx
http://technet.microsoft.com/en-us/library/cc779070%28WS.10%29.aspx
http://blogs.msdn.com/b/sql_protocols/archive/2006/12/02/understanding-kerberos-and-ntlm-authentication-in-sql-server-connections.aspx

6.3.4.4 IWA Authentication Fails When the Browser Is Running on the Machine Where Cloud Identity Manager Is Installed

Symptom: IWA authentication fails when the web browser is running on the machine where Cloud Identity Manager is installed.

Solution: Run the web browser on a different machine from the machine where Cloud Identity Manager is installed.


6.3.4.5 Errors Occur When the Cloud Identity Manager Server Is Renamed

Symptom: Errors occur when you are using IWA authentication and you rename the Cloud Identity Manager server.

Solution: If you are using IWA authentication and you rename the Cloud Identity Manager server after the Service Principal Names (SPNs) are registered, you must register them again using the new server name. This step is required even if you are using a virtual IP address or DNS name that does not change.

6.3.4.6 IWA Authentication Fails and a Login Form Is Generated

Symptom: IWA authentication fails, and a login form is generated.

Solution: NTLM is a Windows SSO authentication protocol. Cloud Identity Manager does not support NTLM at this time. If IWA authentication fails for this reason, Cloud Identity Manager generates a login form.


6.4 Integrating LinkedIn Authentication with Cloud Identity Manager

The LinkedIn authentication module is based on the OAuth standard. OAuth (an abbreviation for Open Authorization) is an open standard for authorization that allows users to share private data stored on one website with another website without having to expose credentials, such as username and password. Instead, specific tokens authorized by the user and granted by LinkedIn give third parties limited access to user information.

An OAuth transaction requires a shared secret, which is a secret shared by the OAuth provider (LinkedIn) and the OAuth consumer (Cloud Identity Manager). To obtain the shared secret, the Cloud Identity Manager administrator registers the third-party SaaS or web application as a new application with LinkedIn.

When registration is complete, LinkedIn assigns an API key and API secret to the application. The API key and secret are the consumer key and secret, respectively. Together, the key and secret are known as the shared secret. The Cloud Identity Manager administrator needs the shared secret to configure the Twitter authentication module in the Management Console.

LinkedIn authentication requires configuration in LinkedIn, in the Management Console, and in the SaaS or web application. For more information, see the following references:

• Configuration in LinkedIn — See section 6.4.2 Registering an Application in Your LinkedIn Developer’s Account.

• Configuration in the Management Console — See section 5.5.4 Configure a LinkedIn Authentication Module.

• Configuration in the SaaS or Web Application — See the McAfee Cloud Identity Manager Integration Guide.

Note: While a LinkedIn Identity Connector supports SSO, it does not support SLO. This is a limitation of the OAuth standard.


6.4.1 LinkedIn Authentication Overview

The LinkedIn authentication module supports Service Provider (SP)-initiated authentication. The following diagram and steps show how Cloud Identity Manager and LinkedIn work together to authenticate the user to a SaaS or web application.

Figure 8. LinkedIn Authentication

1. The user requests access to a SaaS or web application, such as Salesforce.
2. The application delegates authentication to Cloud Identity Manager.
3. Cloud Identity Manager sends a request for a Request Token to the OAuth provider, LinkedIn, and LinkedIn grants an unauthorized Request Token to Cloud Identity Manager.
4. Cloud Identity Manager redirects the user to LinkedIn.
5. On a login page, LinkedIn notifies the user that Cloud Identity Manager is seeking access to the user’s LinkedIn account and prompts the user for credentials. The user provides the login credentials and authorizes the Request Token granted to Cloud Identity Manager.
6. LinkedIn authenticates the user and redirects the user to Cloud Identity Manager with a Verifier Token.
7. Cloud Identity Manager sends a request for an Access Token to LinkedIn. The request includes the Verifier Token. LinkedIn grants an Access Token to Cloud Identity Manager. Cloud Identity Manager accesses the user’s LinkedIn credentials.
8. Cloud Identity Manager authenticates the user and sends the authentication result to the application.
9. The application grants access to the user.
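The Request Token, Verifier Token and Access Token exchange in steps 3 to 7 above, worked through as an added example that is not part of the product guide or of McAfee's or LinkedIn's code: a constructed provider (LinkedIn's role) and consumer-side signing (Cloud Identity Manager's role) exchange OAuth 1.0a requests signed with HMAC-SHA1 over the shared secret the section describes. The consumer key and secret, endpoint URLs, callback and user names are placeholders. The provider side shows why the Verifier Token matters: it refuses to exchange a Request Token the user never authorized, one presented with the wrong verifier, or one signed with the wrong secret.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote

# Constructed placeholders for the API key and API secret that LinkedIn assigns
# when the application is registered (section 6.4.2); not real credentials.
CONSUMER_KEY = "example-api-key"
CONSUMER_SECRET = "example-api-secret"
REQUEST_URL = "https://provider.example/uas/oauth/requestToken"  # placeholder
ACCESS_URL = "https://provider.example/uas/oauth/accessToken"    # placeholder


class OAuthError(Exception):
    pass


def pct(value):
    # RFC 3986 percent-encoding as OAuth 1.0 requires; only unreserved characters stay bare.
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    # Signature base string: METHOD & encoded URL & encoded, sorted, normalized parameters.
    normalized = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return f"{method.upper()}&{pct(url)}&{pct(normalized)}"


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    # The signing key joins consumer secret and token secret: the "shared secret"
    # the guide describes. It never travels on the wire; only the signature does.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def consumer_sign(url, params, token_secret=""):
    # Cloud Identity Manager's side (the OAuth consumer): add the oauth_* parameters
    # and sign the request with its consumer secret plus the token secret, if any.
    params = dict(params, oauth_consumer_key=CONSUMER_KEY, oauth_version="1.0",
                  oauth_signature_method="HMAC-SHA1", oauth_nonce=secrets.token_hex(8),
                  oauth_timestamp="1700000000")
    params["oauth_signature"] = hmac_sha1_signature("POST", url, params, CONSUMER_SECRET, token_secret)
    return params


class Provider:
    """Stand-in for the OAuth provider role that LinkedIn plays in the guide."""

    def __init__(self, consumer_key, consumer_secret):
        self.consumers = {consumer_key: consumer_secret}
        self.request_tokens = {}  # token -> {"secret", "verifier", "user"}

    def _check_signature(self, url, params, token_secret=""):
        params = dict(params)
        presented = params.pop("oauth_signature", "")
        secret = self.consumers.get(params.get("oauth_consumer_key"))
        if secret is None:
            raise OAuthError("unknown consumer key")
        expected = hmac_sha1_signature("POST", url, params, secret, token_secret)
        if not hmac.compare_digest(presented, expected):
            raise OAuthError("bad signature")

    def request_token(self, params):
        # Step 3: issue an unauthorized Request Token to a correctly signed request.
        self._check_signature(REQUEST_URL, params)
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "verifier": None, "user": None}
        return token, secret

    def authorize(self, token, user):
        # Step 5: the user logs in and approves; the Verifier Token goes back to the
        # consumer through the redirect in step 6.
        entry = self.request_tokens.get(token)
        if entry is None:
            raise OAuthError("unknown request token")
        entry["user"], entry["verifier"] = user, secrets.token_hex(8)
        return entry["verifier"]

    def access_token(self, params):
        # Step 7: exchange an authorized Request Token plus Verifier for an Access Token.
        token = params.get("oauth_token")
        entry = self.request_tokens.get(token)
        if entry is None:
            raise OAuthError("unknown request token")
        self._check_signature(ACCESS_URL, params, entry["secret"])
        if entry["verifier"] is None:
            raise OAuthError("request token was never authorized by the user")
        if not hmac.compare_digest(params.get("oauth_verifier", ""), entry["verifier"]):
            raise OAuthError("verifier mismatch")
        del self.request_tokens[token]  # a Request Token is exchanged once only
        return secrets.token_hex(8), secrets.token_hex(16), entry["user"]


def run_flow(provider, user="alice"):
    """Steps 3 to 7 of section 6.4.1 end to end; returns the authenticated user."""
    token, token_secret = provider.request_token(
        consumer_sign(REQUEST_URL, {"oauth_callback": "https://cim.example/oauth/callback"}))
    verifier = provider.authorize(token, user)  # steps 4 to 6 happen via the browser
    params = consumer_sign(ACCESS_URL, {"oauth_token": token, "oauth_verifier": verifier}, token_secret)
    _access, _access_secret, who = provider.access_token(params)
    return who
```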


6.4.2 Registering an Application in Your LinkedIn Developer’s Account

To register a SaaS or web application with LinkedIn:

1. Log on to your LinkedIn developer’s account.
2. Click Add New Application.
3. Complete the required fields.

To access the LinkedIn Developer Network, visit:
https://www.linkedin.com/secure/developer

For more information about LinkedIn OAuth authentication, visit:
https://developer.linkedin.com/documents/linkedins-oauth-details

For more information about LinkedIn profile fields, visit:
https://developer.linkedin.com/documents/profile-fields


6.5 Integrating OpenID Authentication with Cloud Identity Manager

Cloud Identity Manager works with an OpenID Provider to authenticate end users and supports the following Providers with built-in connectors:

• Google — Visit http://code.google.com/googleapps/domain/sso/openid_reference_implementation.html.

• Yahoo — Visit http://openid.yahoo.com/.
• myOpenID — Visit https://www.myopenid.com/.

Cloud Identity Manager also supports any OpenID Provider through the generic OpenID connector option.

While additional configuration in the OpenID Provider is not required, OpenID authentication requires configuration in the Management Console and in the SaaS or web application. For more information, see the following references:

• Configuration in the Management Console — See section 5.5.2 Configure an OpenID Authentication Module.

• Additional Configuration Considerations — See section 6.5.3 OpenID Configuration Considerations.
• Configuration in the SaaS or Web Application — See the McAfee Cloud Identity Manager Integration Guide.

6.5.1 OpenID Authentication Service

Cloud Identity Manager and OpenID Provider Google work together to authenticate end users through the OpenID standard. Both support the OpenID 2.0 specification. OpenID allows end users to authenticate by using an OpenID, which is an Identifier in the form of a URL. To obtain an OpenID, users register with an OpenID Provider, such as Google. To register for a Google OpenID, users must first have a Google account.

For users who want to log in to a SaaS or web application that supports OpenID and who have a Google OpenID, Cloud Identity Manager provides a Google-OpenID connector. In this implementation, Cloud Identity Manager presents a login page with authentication options to the user, including the option to sign on using OpenID. When the user selects the OpenID option and submits a Google OpenID, Cloud Identity Manager sends a login authentication request to the Google OpenID endpoint URL.

The Google OpenID endpoint redirects the user to a Google Federated Login page. There, the user is prompted for a Google account user name and password. After authenticating the user, Google notifies the user that a third-party application is requesting authentication. To log in to the SaaS or web application through the Google account, the user must confirm the third-party authentication.

Google redirects the user to Cloud Identity Manager with five user attributes: country, email, firstname, language, and lastname. Cloud Identity Manager redirects the user to the SaaS or web application. The application grants access to the user. With the authentication result and user attributes received from Google, Cloud Identity Manager then provides SSO and provisioning services as usual.


6.5.2 OpenID Authentication Overview

The following diagram shows how Cloud Identity Manager and OpenID Provider Google work together to authenticate the user to a SaaS or web application.

Figure 9. Google OpenID Authentication

1. The user requests access to a SaaS or web application.
2. The application redirects the user to Cloud Identity Manager.
3. Cloud Identity Manager presents a login page with authentication options to the user, including the option to sign on using OpenID. The user selects the OpenID option and submits a Google OpenID.
4. Cloud Identity Manager sends a login authentication request to the Google OpenID endpoint URL.
5. The Google OpenID endpoint redirects the user to a Google Federated Login page, where the user is prompted for a Google account user name and password. When the user is authenticated, Google displays a confirmation page, which notifies the user that a third-party application is requesting authentication. To log in to the SaaS or web application through a Google account, the user must confirm the third-party authentication.
6. Google redirects the user to Cloud Identity Manager with five user attributes: country, email, firstname, language, and lastname.
7. Cloud Identity Manager redirects the user to the SaaS or web application.
8. The application grants access to the user.

Note: When the user is redirected, the redirection takes place through the user’s browser. Redirection is automated and not visible to the user.


6.5.3 OpenID Configuration Considerations

When integrating OpenID Authentication with Cloud Identity Manager, review the following considerations:

• Credential mapping and user provisioning — As an authentication service, OpenID provides an authentication result. For this reason, select AUTHN_RESULT_FIELD as the subject or source type when configuring credential mapping and user provisioning for an OpenID connector.

• Network proxy — As shown in section 6.5.2 OpenID Authentication Overview, Cloud Identity Manager needs to communicate with the OpenID service. To enable communication from Cloud Identity Manager to OpenID, configure the network proxy addresses. For more information, see section 12.2 Configure Network Proxy Addresses.

• User attributes for provisioning — In addition to an authentication result, the OpenID service returns user attributes to Cloud Identity Manager. When configuring user provisioning, map these attributes from the OpenID connector source to the target SaaS or web application. For more information about user provisioning, see section 4.10 User Provisioning.

6.6 Integrating Salesforce Authentication with Cloud Identity Manager

You can configure Salesforce as the Identity Provider. In this implementation, Cloud Identity Manager delegates authentication to Salesforce. Salesforce authentication requires configuration in Salesforce, in the Management Console, and in the SaaS or web application. For more information, see the following references:

• Salesforce Configuration — See section 6.6.2 Configuring Salesforce as the Identity Provider.

• Configuration in the Management Console — See section 5.5.8 Configure a Salesforce Authentication Module.

• Configuration in the SaaS or Web Application — See the McAfee Cloud Identity Manager Integration Guide.


6.6.1 Salesforce Authentication Overview

The following diagram and steps show how Cloud Identity Manager and Salesforce work together to authenticate the user to a SaaS or web application.

Figure 10. Salesforce as Identity Provider

1. The user requests access to a SaaS or web application.

2. The SaaS or web application redirects the user to Cloud Identity Manager.

3. Cloud Identity Manager redirects the user to Salesforce.

4. If the user is not logged in to Salesforce, Salesforce issues a login page, and the user provides login credentials.

5. When the user is authenticated, Salesforce redirects the user to Cloud Identity Manager with an encoded SAML response.

6. Cloud Identity Manager verifies the SAML response and redirects the user to the SaaS or web application.

7. The SaaS or web application grants access to the user.

Note: When the user is redirected, the redirection takes place through the user’s browser. Redirection is automated and not visible to the user.


6.6.2 Configuring Salesforce as the Identity Provider

Configuring Salesforce as an Identity Provider involves the following three steps:

1. Prerequisites — Before you can enable Salesforce as an Identity Provider, you need to meet the following prerequisites:

— A domain name — If you do not already have a domain name, you can learn how to set up a domain by visiting the following Salesforce location: https://cloud-exress-developer-edition.my.salesforce.com/help/doc/en/domain_name_setup.htm

— A self-signed Salesforce certificate and key pair — If you do not have a self-signed Salesforce certificate and key pair when you enable Salesforce as an Identity Provider, one is automatically generated for you. For more information about Salesforce certificates and keys, visit: https://cloud-exress-developer-edition.my.salesforce.com/help/doc/en/security_keys_about.htm

2. Configuration — To configure Salesforce as an Identity Provider, open the management page in your Salesforce administrator account. From this page, select Setup | Administration Setup | Security Controls | Identity Provider, where you can perform the required configuration steps.

3. Metadata — After you set up Salesforce as an Identity Provider, download the Salesforce SAML2 IdP Metadata by clicking the Download Metadata button. When you configure Salesforce as the Identity Provider in Cloud Identity Manager, you import the Salesforce metadata file that you downloaded.


6.7 Integrating SiteMinder with Cloud Identity Manager

SiteMinder can be integrated with Cloud Identity Manager installed at the Identity Provider (IdP) or at the Service Provider (SP). For organizations that use SiteMinder authentication locally, Cloud Identity Manager is installed at the Identity Provider. For organizations that want access to applications that require SiteMinder authentication, Cloud Identity Manager is installed at the Service Provider.

• Identity Provider — When installed at the Identity Provider, Cloud Identity Manager converts valid SMSESSION cookies generated in the Identity Provider domain to federation tokens that enable single sign-on to Service Provider applications outside the domain.

• Service Provider — When installed at the Service Provider, Cloud Identity Manager converts valid federation tokens to SMSESSION cookies that enable single sign-on to applications that require SiteMinder authentication.

Note: An SMSESSION cookie is generated when a user is authenticated and authorized against a SiteMinder Policy Server in the Identity Provider or Service Provider domain.

For more information about integrating SiteMinder with Cloud Identity Manager, see the following sections:

• SiteMinder Use Cases — See section 6.7.1 SiteMinder Use Cases.

• Configuration in Cloud Identity Manager — See section 6.7.2 Configuration in the Cloud Identity Manager Management Console.

• Configuration in SiteMinder — See section 6.7.3 Configuration in the SiteMinder Administrative UI.

Note: Configuration is required in both the Cloud Identity Manager Management Console and in the SiteMinder Administrative UI.


6.7.1 SiteMinder Use Cases

Cloud Identity Manager supports three SiteMinder use cases. Two are Identity Provider use cases, and one is a Service Provider use case. Of the two Identity Provider use cases, one is for users who are already SiteMinder-authenticated, and one is for users who are not authenticated.

1. Identity Provider Use Case, Authenticated User — In the first use case, the user is already authenticated and has a valid SMSESSION cookie. To implement single sign-on to Service Provider applications, Cloud Identity Manager generates a federation token.

Note: For more information, see section 6.7.1.1 Cloud Identity Manager Installed at the IdP, Authenticated User.

2. Identity Provider Use Case, Unauthenticated User — In the second use case, the user is not authenticated. Cloud Identity Manager collects username and password credentials from the user and forwards them to the SiteMinder Policy Server. The Policy Server authenticates the user and authorizes access to the application. An SMSESSION cookie and SiteMinder response attributes are generated. To implement single sign-on, Cloud Identity Manager generates a federation token.

Note: For more information, see section 6.7.1.2 Cloud Identity Manager Installed at the IdP, Unauthenticated User.

In the Service Provider use case, some Service Provider applications require SiteMinder authentication, and Cloud Identity Manager allows users who have a valid federation token to authenticate to SiteMinder using an SMSESSION cookie.

3. Service Provider Use Case — Cloud Identity Manager accepts a federation token from any supported authentication type, extracts the SSO subject, and sends the subject to the SiteMinder Policy Server. The Policy Server looks up the user in the SiteMinder user directory. If the user is found and enabled, an SMSESSION cookie is generated and forwarded to the Service Provider.

Note: For more information, see section 6.7.1.3 Cloud Identity Manager Installed at the Service Provider.


6.7.1.1 Cloud Identity Manager Installed at the IdP, Authenticated User

Cloud Identity Manager converts valid SMSESSION cookies generated in the Identity Provider domain to federation tokens that enable single sign-on to Service Provider applications outside the domain.

Figure 11. Identity Provider Use Case, Authenticated User

For an authenticated user, the Identity Provider use case consists of the following steps:

1. The user requests access to a SaaS or web application by clicking the application’s icon on the Cloud Identity Manager portal. The user’s request includes a valid SMSESSION cookie.

2. Cloud Identity Manager redirects the user to the application with a federation token.

3. The application grants access to the user.


6.7.1.2 Cloud Identity Manager Installed at the IdP, Unauthenticated User

Cloud Identity Manager converts valid SMSESSION cookies generated in the Identity Provider domain to federation tokens that enable single sign-on to Service Provider applications outside the domain.

Figure 12. Identity Provider Use Case, Unauthenticated User

For an unauthenticated user, the Identity Provider use case consists of the following steps:

1. The user seeks access to a SaaS or web application by clicking the application’s icon on the Cloud Identity Manager portal.

2. Cloud Identity Manager prompts the user for credentials, which the user provides on a login page.

3. Cloud Identity Manager forwards the user’s credentials to the SiteMinder Policy Server. The Policy Server authenticates the user and authorizes access to the application. The custom SiteMinder web agent embedded in Cloud Identity Manager returns an SMSESSION cookie and SiteMinder response attributes.

4. Cloud Identity Manager generates a federation token and sends it to the Service Provider through the user’s browser.

5. The Service Provider grants the user access to the application.


6.7.1.3 Cloud Identity Manager Installed at the Service Provider

Cloud Identity Manager converts federation tokens generated by any supported authentication method to SMSESSION cookies that enable single sign-on to applications that require SiteMinder authentication.

Figure 13. Service Provider Use Case

For an unauthenticated user, the Service Provider use case consists of the following steps:

1. Cloud Identity Manager receives a federation token containing an SSO subject from an authentication source. The source can be any supported authentication method. For example, it can be an identity store like LDAP or an identity service like Facebook.

2. Cloud Identity Manager forwards the SSO subject to the SiteMinder Policy Server.

3. Using the subject, the Policy Server looks up the user in the SiteMinder user directory.

4. If the user is found and enabled, the custom SiteMinder web agent embedded in Cloud Identity Manager returns an SMSESSION cookie and SiteMinder response attributes.

5. Cloud Identity Manager forwards the SMSESSION cookie to the Service Provider application.


6.7.2 Configuration in the Cloud Identity Manager Management Console

In the Management Console, configuration details depend on the use case. For more information, see the following sections:

• Identity Provider use case — See section 6.7.2.1 Configuration in the Management Console—Identity Provider Use Case.

• Service Provider use case — See section 6.7.2.2 Configuration in the Management Console—Service Provider Use Case.

Note: Before you configure a SiteMinder authentication module in the Management Console, the SiteMinder administrator must create a custom agent object in the SiteMinder Administrative UI and provide the agent name and shared secret. You need these values when you configure the SiteMinder module. For more information, see section 6.7.3 Configuration in the SiteMinder Administrative UI.

6.7.2.1 Configuration in the Management Console—Identity Provider Use Case

In the Identity Provider use case, you need to configure an Identity Connector and a Cloud Connector, as follows:

1. Identity Connector — The Identity Connector is the configuration that allows Cloud Identity Manager to connect to and communicate with a SiteMinder Policy Server. In this use case, you configure an authentication chain consisting of one authentication module having the type SiteMinder. For more information, see section 5.5.15 Configure a SiteMinder Authentication Module.

2. Cloud Connector configuration — The Cloud Connector is the configuration that allows Cloud Identity Manager to connect to and provide services for a cloud application. Using the Identity Connector configured in step 1, you configure a Cloud Connector for an application in the Service Provider domain. For more information, see section 3.0 Cloud Connectors.

6.7.2.2 Configuration in the Management Console—Service Provider Use Case

In the Service Provider use case, you need to configure an Application Adapter and a Cloud Authenticator, as follows:

1. Application Adapter — The Application Adapter is the configuration that allows Cloud Identity Manager to connect to a cloud application. In this use case, you configure an Application Adapter for an application that requires SiteMinder authentication. For more information, see section 7.5 The Application Adapter Wizard.

2. Cloud Authenticator — The Cloud Authenticator is an authentication chain paired with an Application Adapter. Using the Application Adapter configured in step 1, you configure an authentication chain consisting of two authentication modules. The first module can be any supported authentication type, as long as it matches the type of credentials expected. The second authentication module is a SiteMinder module. For more information, see section 7.4 Cloud Authenticators.


6.7.3 Configuration in the SiteMinder Administrative UI

Cloud Identity Manager communicates with the SiteMinder Policy Server through a custom SiteMinder web agent. The custom web agent is embedded in Cloud Identity Manager and requires no configuration on the Cloud Identity Manager side. However, the SiteMinder administrator must perform the following configuration tasks in the Administrative UI:

1. Create a custom agent type — See section 6.7.3.1 Creating a Custom Agent Type.

In this procedure, you have the option of creating one or more custom response attribute types.

2. Create a custom agent object — See section 6.7.3.2 Creating a Custom Agent Object.

When configuring a realm in the Administrative UI, select the custom agent object you created and specify an authentication scheme, as follows:

• Identity Provider use case, authenticated user — Specify any authentication scheme having a protection level that is compatible with the strength of the SMSESSION cookie.

• Identity Provider use case, unauthenticated user — Specify the Basic authentication scheme (username and password authentication).

• Service Provider use case — Specify the custom authentication scheme you install and configure in section 6.7.3.3 Configuring a Custom Authentication Scheme.

When you create a custom agent type, you have the option of creating custom response attribute types for the agent. You can then configure response attributes based on the custom types and add them to responses. Response attributes are generated by the Policy Server and returned by the custom web agent embedded in Cloud Identity Manager. For more information, see section 6.7.3.4 Creating Policy Responses.


6.7.3.1 Creating a Custom Agent Type

In this procedure, you create a custom agent type and have the option of creating one or more custom response attribute types in the SiteMinder Administrative UI.

1. Navigate to the SiteMinder Agent Type Dialog.

2. Type a meaningful name for the custom agent type in the Name field.

Example: eca-custom-agent

3. In the Agent Type Definition tab, click Create to open the New Agent Action dialog box.

4. Specify CUSTOM_ECA_ACTION as the name of the action, and click OK.

5. To create one or more response attribute types for the custom agent, select the Agent Type Properties tab.

6. For each response attribute type that you want to create, configure the following fields:

a. Click Create. The SiteMinder Agent Attribute Dialog opens.

b. Type a meaningful name for the response attribute type in the Name field.

Example: eca-custom-agent-attr-ldap-1

c. Select String from the Data Type drop-down list.

d. Type a value in the range 0-150 or 224-255 in the Identifier field.

Note: This value uniquely identifies the custom response attribute type and cannot be assigned to more than one attribute. Values in the range 151-223 are reserved for response attribute types that are built in to SiteMinder.

e. For each of the following Response Behavior options, select from the drop-down list how many response attributes can be included in the response returned by the custom agent:

• Access Accept — Includes this attribute type in the response when access is allowed. This type of attribute can provide information for the Service Provider to use when delivering the service. Example: Zero or One

• Access Reject — Includes this attribute type in the response when access is denied. This type of attribute can provide information for the end user in the form of a message. Example: Not Allowed

• Access Challenge — Includes this attribute type in the response when a challenge/response authentication scheme is configured. Example: Not Allowed

f. Click OK to create the custom response attribute type.

7. Click OK to create the custom agent type.


6.7.3.2 Creating a Custom Agent Object

In this procedure, you create a custom agent object in the SiteMinder Administrative UI.

1. Navigate to the SiteMinder Agent Dialog.

2. Type a meaningful name for the custom agent in the Name field.

Example: eca-custom-agent-1

Note: The Cloud Identity Manager administrator needs this value to configure a SiteMinder authentication module in the Management Console. The agent name is not case-sensitive.

3. Select the Support 4.x agents checkbox.

4. In the Agent Type area, select the SiteMinder option and the name of the custom agent type you created from the drop-down list.

Example: eca-custom-agent

5. In the IP Address or Host Name field, type the IP address or host name of the server where Cloud Identity Manager is installed.

Note: The Cloud Identity Manager administrator needs this value to configure a SiteMinder authentication module in the Management Console.

6. In the Shared Secret area, type the shared secret in the Secret and Confirm Secret fields.

7. Click OK to create the custom agent object.

6.7.3.3 Configuring a Custom Authentication Scheme

The Service Provider use case requires a custom SiteMinder authentication scheme and library. The library is built using the SiteMinder Java Authentication API and saved in the following .jar file: eca360ssoauth.jar. To deploy the custom authentication scheme, the SiteMinder administrator must first install the library and then configure the custom authentication scheme, as follows.

To install the library

1. Add the .jar file to the Policy Server’s jar file directory:

— Windows location — NETE_PS_ROOT\bin\jars

— Linux location — NETE_PS_ROOT/bin/jars

2. Add the .jar file to the Policy Server’s NETE_JVM_OPTION_FILE environment variable in the JVMOptions.txt file.

To configure the custom authentication scheme

1. In the Administrative UI, navigate to the SiteMinder Authentication Scheme Dialog.

2. Type a meaningful name for the authentication scheme in the Name field.

Example: ECAAuth

3. Select Custom Template from the Authentication Scheme Type drop-down list.

4. Type a value in the permitted range in the Protection Level field.

Example: 5

5. Select the Password Policies Enabled for this Authentication Scheme checkbox.

6. In the Scheme Setup tab:

a. Type smjavaapi in the Library field.

b. Type the full class name of the authentication scheme in the Parameter field:

com.intel.e360.siteminder.auth.ECA360SiteMinderAuthScheme

7. Click OK to save the configuration.


6.7.3.4 Creating Policy Responses

When you create a custom agent type, you have the option of creating custom response attribute types for the agent. You can then configure response attributes based on the custom types and add them to responses. Response attributes are generated by the Policy Server and returned by the custom web agent embedded in Cloud Identity Manager.

In this procedure, you create response attributes and add them to a response. The response attributes are based on the custom response attribute types created for the custom agent.

1. In the Administrative UI, navigate to the SiteMinder Response Dialog.

2. Type a meaningful name for the response in the Name field.

3. Select the custom agent you created from the Agent Type drop-down list.

Example: eca-custom-agent

4. To create a response attribute, click Create. The SiteMinder Response Attribute Editor opens.

5. Select a custom response attribute type from the Attribute drop-down list.

6. In the Attribute Setup tab, select the Static or User Attribute option for the Attribute Kind.

7. In the Variable Value or Attribute Name field, specify a value using the following format:

Format: custom_eca_response_<resp-name>=<%userattr="<attr-name>"%>

Example: custom_eca_response_email=<%userattr="mail"%>

<resp-name> — Specifies a name for the SiteMinder module’s output attribute. Example: email

<attr-name> — Specifies the name of the Policy Server response attribute that you want the custom agent to return. Example: mail

8. Click OK to create the response attribute.

9. Repeat steps 4 through 8 to create another response attribute.

10. Click OK to create the response.
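The Identifier ranges in section 6.7.3.1 and the response attribute value format above are easy to get wrong by hand, and a mistake only shows up later as a missing output attribute. The following is an added example, not McAfee or CA code and not talking to a Policy Server: it checks a planned set of custom response attribute type identifiers for range and uniqueness, and parses response attribute values into their <resp-name> and <attr-name> parts. The attribute type names and identifier values in the sample are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Identifier ranges from the custom agent type procedure (section 6.7.3.1):
# 0-150 and 224-255 are available for custom response attribute types;
# 151-223 are reserved for SiteMinder's built-in response attribute types.
CUSTOM_IDENTIFIER_RANGES = ((0, 150), (224, 255))
RESERVED_IDENTIFIER_RANGE = (151, 223)

# Response attribute value format from the policy response procedure:
#   custom_eca_response_<resp-name>=<%userattr="<attr-name>"%>
_RESPONSE_ATTR_RE = re.compile(
    r'^custom_eca_response_(?P<resp>[A-Za-z0-9_-]+)=<%userattr="(?P<attr>[^"]+)"%>$'
)


def identifier_problem(identifier: int) -> Optional[str]:
    """Explain why an Identifier value is not usable, or return None if it is."""
    lo, hi = RESERVED_IDENTIFIER_RANGE
    if lo <= identifier <= hi:
        return f"identifier {identifier} is in the reserved range {lo}-{hi}"
    if any(low <= identifier <= high for low, high in CUSTOM_IDENTIFIER_RANGES):
        return None
    return f"identifier {identifier} is outside the permitted ranges 0-150 and 224-255"


def validate_attribute_types(attr_types: Dict[str, int]) -> List[str]:
    """Check {attribute type name: Identifier} pairs for range and uniqueness.

    Returns one message per problem; an empty list means the plan is consistent.
    """
    problems: List[str] = []
    seen: Dict[int, str] = {}
    for name, identifier in attr_types.items():
        problem = identifier_problem(identifier)
        if problem:
            problems.append(f"{name}: {problem}")
        elif identifier in seen:
            problems.append(f"{name}: identifier {identifier} already used by {seen[identifier]}")
        else:
            seen[identifier] = name
    return problems


def parse_response_attribute(value: str) -> Tuple[str, str]:
    """Split a response attribute value into (resp-name, attr-name).

    resp-name becomes the SiteMinder module's output attribute name; attr-name is the
    attribute the custom agent returns. Anything not matching the format is rejected.
    """
    match = _RESPONSE_ATTR_RE.match(value)
    if not match:
        raise ValueError("malformed response attribute value: " + repr(value))
    return match.group("resp"), match.group("attr")


if __name__ == "__main__":
    # Constructed sample plan: one valid type, one in the reserved range, one duplicate.
    planned = {
        "eca-custom-agent-attr-ldap-1": 10,
        "eca-custom-agent-attr-ldap-2": 200,
        "eca-custom-agent-attr-ldap-3": 10,
    }
    for message in validate_attribute_types(planned):
        print("attribute type problem:", message)
    print(parse_response_attribute('custom_eca_response_email=<%userattr="mail"%>'))
```

Running the sample reports the reserved identifier 200 and the duplicate 10, and parses the guide's own example value to ("email", "mail").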

6.7.4 Troubleshooting SiteMinder Integration

This section includes tips for troubleshooting SiteMinder integration.

6.7.4.1 The Universal ID Attribute Must Exist in the SiteMinder User Directory

Symptom: A login exception occurs.

Solution: Verify that the Universal ID attribute exists in the SiteMinder user directory configured for Cloud Identity Manager.

6.7.4.2 The SiteMinder Authentication Module Fails to Start

Symptom: When the SiteMinder Policy Server is running on a Windows 32-bit system, it fails to start the SiteMinder authentication module in Cloud Identity Manager.

Solution: This failure is a limitation of the SiteMinder Policy Server.


6.8 Integrating Twitter Authentication with Cloud Identity Manager

The Twitter authentication module is based on the OAuth standard. OAuth (an abbreviation for Open Authorization) is an open standard for authorization that allows users to share private data stored on one website with another website without having to expose credentials, such as username and password. Instead, specific tokens authorized by the user and granted by Twitter give third parties limited access to user information.

An OAuth transaction requires a shared secret, which is a secret shared by the OAuth provider (Twitter) and the OAuth consumer (Cloud Identity Manager). To obtain the shared secret, the Cloud Identity Manager administrator registers the third-party SaaS or web application as a new application in Twitter.

When registration is complete, Twitter assigns an API key and API secret to the application. The API key and secret are the consumer key and secret, respectively. Together, the key and secret are known as the shared secret. The Cloud Identity Manager administrator needs the shared secret to configure the Twitter authentication module in the Management Console.

Twitter authentication requires configuration in Twitter, in the Management Console, and in the SaaS or web application. For more information, see the following references:

• Configuration in Twitter — See section 6.8.2 Registering an Application in Your Twitter Developer’s Account.

• Configuration in the Management Console — See section 5.5.5 Configure a Twitter Authentication Module.

• Configuration in the SaaS or Web Application — See the McAfee Cloud Identity Manager Integration Guide.

Note: While a Twitter Identity Connector supports SSO, it does not support SLO. This is a limitation of the OAuth standard.


6.8.1 Twitter Authentication Overview

The Twitter authentication module supports Service Provider (SP)-initiated authentication. The following diagram and steps show how Cloud Identity Manager and Twitter work together to authenticate the user to a SaaS or web application.

Figure 14. Twitter Authentication

1. The user requests access to a SaaS or web application, such as Salesforce.

2. The application delegates authentication to Cloud Identity Manager.

3. Cloud Identity Manager sends a request for a Request Token to the OAuth provider, Twitter, and Twitter grants an unauthorized Request Token to Cloud Identity Manager.

4. Cloud Identity Manager redirects the user to Twitter.

5. On a login page, Twitter notifies the user that Cloud Identity Manager is seeking access to the user’s Twitter account and prompts the user for credentials. The user provides the login credentials and authorizes the Request Token granted to Cloud Identity Manager.

6. Twitter authenticates the user and redirects the user to Cloud Identity Manager with a Verifier Token.

7. Cloud Identity Manager sends a request for an Access Token to Twitter. The request includes the Verifier Token. Twitter grants an Access Token to Cloud Identity Manager. Cloud Identity Manager accesses the user’s Twitter credentials.

8. Cloud Identity Manager authenticates the user and sends the authentication result to the application.

9. The application grants access to the user.
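Steps 3 through 7 above, together with the consumer key and secret described at the start of section 6.8, as an added example that is not part of this guide and not Twitter's or Cloud Identity Manager's code: a toy OAuth 1.0a provider (standing in for Twitter) and the consumer side (standing in for Cloud Identity Manager) exchange a Request Token, a Verifier Token and an Access Token, and every request is signed with HMAC-SHA1 keyed by the consumer secret, which is why the shared secret has to be configured in the Management Console. Endpoint URLs, key names and the user name are constructed; nonce and timestamp handling is left out to keep the exchange readable.

```python
import hashlib
import hmac
import secrets
from base64 import b64encode
from urllib.parse import quote


def pct(s):
    """RFC 5849 percent-encoding: only unreserved characters stay as they are."""
    return quote(s, safe="")


def signature_base_string(method, url, params):
    """OAuth 1.0a signature base string: METHOD&enc(url)&enc(sorted k=v pairs)."""
    normalized = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with 'consumer secret & token secret', base64-encoded."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def signed_params(method, url, params, consumer_secret, token_secret=""):
    """Consumer side: attach the signature the provider will recompute and compare."""
    params = dict(params, oauth_signature_method="HMAC-SHA1")
    base = signature_base_string(method, url, params)
    params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return params


class ToyProvider:
    """Stand-in for the OAuth provider (Twitter in the guide); constructed for this example."""

    def __init__(self, consumer_key, consumer_secret):
        self.consumers = {consumer_key: consumer_secret}   # the registered application
        self.request_tokens = {}   # token -> {"secret", "authorized", "verifier", "user"}
        self.access_tokens = {}    # token -> user

    def _signature_ok(self, method, url, params):
        params = dict(params)
        presented = params.pop("oauth_signature", "")
        secret = self.consumers.get(params.get("oauth_consumer_key", ""))
        if secret is None:
            return False
        token_secret = self.request_tokens.get(params.get("oauth_token", ""), {}).get("secret", "")
        expected = hmac_sha1_signature(signature_base_string(method, url, params), secret, token_secret)
        return hmac.compare_digest(presented, expected)

    def request_token(self, method, url, params):
        """Step 3: issue an unauthorized Request Token to a correctly signed request."""
        if not self._signature_ok(method, url, params):
            return None
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = {"secret": sec, "authorized": False, "verifier": None, "user": None}
        return {"oauth_token": tok, "oauth_token_secret": sec}

    def authorize(self, token, user):
        """Step 5: the user logs in and approves the Request Token; a Verifier Token is issued."""
        entry = self.request_tokens.get(token)
        if entry is None:
            return None
        entry.update(authorized=True, verifier=secrets.token_hex(8), user=user)
        return entry["verifier"]

    def access_token(self, method, url, params):
        """Step 7: trade an authorized Request Token plus Verifier Token for an Access Token."""
        entry = self.request_tokens.get(params.get("oauth_token", ""))
        if entry is None or not entry["authorized"]:
            return None
        if not hmac.compare_digest(entry["verifier"], params.get("oauth_verifier", "")):
            return None
        if not self._signature_ok(method, url, params):
            return None
        del self.request_tokens[params["oauth_token"]]   # Request Tokens are single-use
        tok = secrets.token_hex(8)
        self.access_tokens[tok] = entry["user"]
        return {"oauth_token": tok, "user": entry["user"]}


# Constructed endpoint and callback URLs; not Twitter's real endpoints.
REQUEST_TOKEN_URL = "https://provider.example/oauth/request_token"
ACCESS_TOKEN_URL = "https://provider.example/oauth/access_token"
CALLBACK_URL = "https://cim.example/twitter/callback"


def run_flow(provider, consumer_key, consumer_secret, user="alice", tamper_verifier=False):
    """Consumer side of steps 3-7; returns the user bound to the Access Token, or None."""
    rt = provider.request_token("POST", REQUEST_TOKEN_URL, signed_params(
        "POST", REQUEST_TOKEN_URL,
        {"oauth_consumer_key": consumer_key, "oauth_callback": CALLBACK_URL}, consumer_secret))
    if rt is None:
        return None                      # wrong consumer secret: the provider refuses step 3
    verifier = provider.authorize(rt["oauth_token"], user)   # steps 4-6, via the browser
    if tamper_verifier:
        verifier = "0" * len(verifier)   # simulate a verifier that was not issued for this token
    at = provider.access_token("POST", ACCESS_TOKEN_URL, signed_params(
        "POST", ACCESS_TOKEN_URL,
        {"oauth_consumer_key": consumer_key, "oauth_token": rt["oauth_token"],
         "oauth_verifier": verifier}, consumer_secret, rt["oauth_token_secret"]))
    return None if at is None else at["user"]
```

Calling run_flow with the registered secret returns the authorizing user; a wrong consumer secret is rejected already at the Request Token step, and a Verifier Token that does not match the one issued in step 5 is rejected at the Access Token step, which is the property that stops a callback from being replayed against a different Request Token.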


6.8.2 Registering an Application in Your Twitter Developer’s Account

To register a SaaS or web application with Twitter:

1. Log on to your Twitter developer’s account.

2. Click Settings.

3. Click Connections.

4. Under Developers, click here.

5. Click Register a new application.

6. Complete the required fields.

To sign up for a Twitter developer’s account, visit: https://dev.twitter.com/apps

For more information about Twitter OAuth authentication, visit: https://dev.twitter.com/docs/auth/oauth

For more information about Twitter attributes, you can visit the following links:

• For information about user account credentials, visit: https://dev.twitter.com/docs/api/1/get/account/verify_credentials

• For information about tweet entities, visit: https://developer.linkedin.com/documents/profile-fields

• For information about REST API resources, visit: https://dev.twitter.com/docs/api

6.9 Integrating Cloud Identity Manager in the Cloud and the Enterprise

By deploying Cloud Identity Manager in the cloud and the enterprise, you can enable SAML SSO to SaaS and web applications from both inside and outside the enterprise. In a typical installation, Cloud Identity Manager is deployed inside the enterprise, enabling SSO to SaaS and web applications for end users inside the organization’s intranet. In a dual installation, Cloud Identity Manager is also deployed in the cloud, thereby enabling SSO to SaaS and web applications for end users outside the intranet through a corporate public portal.

In this implementation, authentication is initiated in the cloud. Cloud Identity Manager in the cloud is the primary Identity Provider (IdP) and delegates authentication to the secondary IdP, which is Cloud Identity Manager in the enterprise. The secondary IdP authenticates the user against an LDAP or Active Directory user store in the enterprise. For an overview, see section 6.9.1 Overview of Cloud Identity Manager in the Cloud and the Enterprise.

Deploying Cloud Identity Manager in the cloud and the enterprise requires configuration in the Management Console and in the SaaS or web application. For more information, see the following references:

• Configuration in the Management Console — See sections 6.9.2 Configuring Cloud Identity Manager in the Cloud and the Enterprise and 6.9.3 SAML2 Proxy Configuration Summary. Also see the McAfee Cloud Identity Manager SAML2 Proxy Cloud Connector Guide.

• Configuration in the SaaS or Web Application — See the McAfee Cloud Identity Manager Integration Guide.


6.9.1 Overview of Cloud Identity Manager in the Cloud and the Enterprise

Cloud Identity Manager in the cloud and the enterprise work together to enable SAML SSO for users outside the enterprise through a corporate public portal.

Figure 15. Cloud Identity Manager Deployed in the Cloud and the Enterprise

The SAML SSO steps are:

1. The user requests access to a SaaS or web application through a corporate public portal outside the enterprise.

2. The request is forwarded to Cloud Identity Manager in the cloud.

3. If the user is not authenticated, Cloud Identity Manager in the cloud presents a login page to the user and collects the user’s credentials.

4. Cloud Identity Manager in the cloud then redirects the user to Cloud Identity Manager in the enterprise with a SAML authentication request containing the encrypted credentials.

5. Cloud Identity Manager in the enterprise authenticates the user against a user store in the enterprise.

6. Cloud Identity Manager in the enterprise then redirects the user to Cloud Identity Manager in the cloud with a SAML response in an HTTP POST Binding.

7. Cloud Identity Manager in the cloud verifies the SAML response, sets a session cookie, and redirects the user to the requested SaaS or web application.

Note: When the user is redirected, the redirection takes place through the user’s browser. Redirection is automated and not visible to the user.
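Both step 6 in section 6.6.1 (Salesforce as the Identity Provider) and step 7 above say that Cloud Identity Manager verifies the SAML response before it sets a session. As an added example that is not the product's own code, the block below shows the checks a relying party performs on a SAML 2.0 response delivered by the HTTP POST binding: decoding the SAMLResponse form field, the Status code, the Issuer against the entity ID taken from the imported IdP metadata, the AudienceRestriction, the NotBefore/NotOnOrAfter window with a small clock-skew allowance, and InResponseTo and Recipient against the outstanding authentication request. The response XML, entity IDs and URLs are constructed for the example; verification of the XML signature is assumed to have been done first against the IdP certificate from the metadata and is not shown.

```python
import base64
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def decode_post_binding(saml_response_field):
    """HTTP POST binding carries the response XML base64-encoded in the SAMLResponse field."""
    return base64.b64decode(saml_response_field).decode("utf-8")


def saml_time(value):
    """SAML timestamps are UTC xsd:dateTime values such as 2013-05-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_response(xml_text, expected_issuer, sp_entity_id, acs_url,
                        outstanding_request_ids, now, skew=timedelta(minutes=2)):
    """Return (NameID, []) when every check passes, otherwise (None, [reasons]).

    Assumes the XML signature has already been verified against the IdP certificate
    from the imported metadata; that step is not part of this example.
    """
    problems = []
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, problems + ["no Assertion in response"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        problems.append("issuer is not the configured IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions")
    else:
        if "NotBefore" in cond.attrib and now + skew < saml_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if "NotOnOrAfter" in cond.attrib and now - skew >= saml_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("audience does not include this SP")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("Recipient is not this SP's ACS URL")
        if scd.get("InResponseTo") not in outstanding_request_ids:
            problems.append("InResponseTo does not match an outstanding request")
        if "NotOnOrAfter" in scd.attrib and now - skew >= saml_time(scd.get("NotOnOrAfter")):
            problems.append("subject confirmation expired")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    return (name_id if not problems else None), problems


# Constructed sample response (unsigned, for illustration); entity IDs and URLs are made up.
IDP_ENTITY_ID = "https://idp.example.my.salesforce.com"
SP_ENTITY_ID = "https://cim.example/saml/sp"
ACS_URL = "https://cim.example/saml/acs"
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2013-05-01T12:00:00Z" InResponseTo="_req42"
    Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-05-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="{ACS_URL}"
            NotOnOrAfter="2013-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-05-01T11:59:00Z" NotOnOrAfter="2013-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_FORM_FIELD = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def verify_sample(now, expected_issuer=IDP_ENTITY_ID, outstanding=("_req42",)):
    """Run the checks on the constructed POST-binding form field at a given clock time."""
    return check_saml_response(decode_post_binding(SAMPLE_FORM_FIELD), expected_issuer,
                               SP_ENTITY_ID, ACS_URL, set(outstanding), saml_time(now))
```

At 12:01 the sample passes and yields the NameID; at 12:30 it is reported as expired, and a response whose Issuer is not the configured IdP or whose InResponseTo does not match a request this SP actually sent is rejected even though it is otherwise well-formed.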


6.9.2 Configuring Cloud Identity Manager in the Cloud and the Enterprise

The dual deployment model of Cloud Identity Manager supports SAML authentication through two SAML2 Proxy connectors, one an Identity Connector and the other a Cloud Connector:

• SAML2 Proxy Identity Connector — The SAML2 Proxy Identity Connector allows an instance of Cloud Identity Manager in the cloud to delegate authentication to an instance of Cloud Identity Manager in the enterprise. For more information, see section 4.9.6 Configure a SAML2 Proxy Identity Connector.

• SAML2 Proxy Cloud Connector — The SAML2 Proxy Cloud Connector allows an instance of Cloud Identity Manager in the enterprise to connect to an instance of Cloud Identity Manager in the cloud. For more information, see the McAfee Cloud Identity Manager SAML2 Proxy Cloud Connector Guide.

As the word “proxy” suggests, these connectors allow Cloud Identity Manager in the enterprise to serve as an Identity Provider in place of Cloud Identity Manager in the cloud.

In a typical installation, Cloud Identity Manager in the enterprise provides an authentication result directly to the Service Provider in the cloud. In the SAML2 Proxy use case, Cloud Identity Manager in the enterprise sends the authentication result to Cloud Identity Manager in the cloud. In turn, Cloud Identity Manager in the cloud redirects the user to the SaaS or web application. In this way, Cloud Identity Manager in the cloud is performing a proxy service also.

In the SAML2 Proxy use case, you configure an Identity Connector and Cloud Connector for each Cloud Identity Manager instance, specifying the following types:

Cloud Identity Manager Instance   Identity Connector Type   Cloud Connector Type
In the Enterprise                 LDAP or IWA-AD            SAML2 Proxy
In the Cloud                      SAML2 Proxy               SAML2

The SAML2 Proxy model of Cloud Identity Manager supports an LDAP or Active Directory identity store in the enterprise, for which you configure an LDAP or IWA-AD Identity Connector, respectively. To connect Cloud Identity Manager in the cloud to the SaaS or web application, you configure a SAML2 Cloud Connector as usual.


6.9.3 SAML2 Proxy Configuration Summary

To deploy Cloud Identity Manager in the enterprise as an Identity Provider for Cloud Identity Manager in the cloud, configure the following connectors in the Cloud Identity Manager Management Console.

• For Cloud Identity Manager in the Enterprise:

— Configure a SAML2 Proxy Cloud Connector — Allows Cloud Identity Manager in the enterprise to connect to Cloud Identity Manager in the cloud.
Note: For more information, see the McAfee Cloud Identity Manager SAML2 Proxy Cloud Connector Guide.

— Configure an LDAP or IWA-AD Identity Connector — Allows Cloud Identity Manager in the enterprise to authenticate users against an enterprise identity store.
Note: For more information, see sections 4.9.5 Configure an LDAP Identity Connector and 4.9.4 Configure an IWA-AD Identity Connector.

• For Cloud Identity Manager in the Cloud:

— Configure a SAML2 Cloud Connector — Allows Cloud Identity Manager in the cloud to connect to a SaaS or web application.
Note: For more information, see the McAfee Cloud Identity Manager SAML2 Cloud Connector Guide.

— Configure a SAML2 Proxy Identity Connector — Allows Cloud Identity Manager in the cloud to delegate authentication to Cloud Identity Manager in the enterprise.
Note: For more information, see section 4.9.6 Configure a SAML2 Proxy Identity Connector.

Note: We recommend that you configure Cloud Identity Manager in the enterprise before you configure Cloud Identity Manager in the cloud. When you configure the SAML2 Proxy Identity Connector for Cloud Identity Manager in the cloud, you need several values that are provided when you configure the SAML2 Proxy Cloud Connector for Cloud Identity Manager in the enterprise. These values are displayed on the SAML Assertion step of the SAML2 Proxy Cloud Connector wizard: SignIn URL, SignOut URL, and Assertion Issuer.


7.0 Cloud Application Trust Profile

In the Cloud Application Trust Profile use case, Cloud Identity Manager can support multiple Identity Providers (IdPs) and Service Providers (SPs) at one time. In this use case, Cloud Identity Manager presents the end user with one or more options on the application portal. For each application, Cloud Identity Manager presents one or more options on the login page.

The Cloud Application Trust Profile use case consists of two modes as well as a combined mode, as follows:

• Identity Provider Mode
• Service Provider Mode
• Connected Modes

7.1 Cloud Application Trust Profile — Identity Provider Mode

In the Identity Provider mode, one Identity Connector can be used by multiple Cloud Connectors. Each Cloud Connector is configured for one cloud application.

Figure 16. Cloud Application Trust Profile — Identity Provider Mode


7.2 Cloud Application Trust Profile — Service Provider Mode

In the Service Provider mode, one Application Adapter can be used by multiple Cloud Authenticators. Each Cloud Authenticator is configured for one identity store or authentication service. While the Cloud Authenticator and Application Adapter are similar to an Identity Connector and Cloud Connector, respectively, there are some differences.

• Cloud Authenticator

The Cloud Authenticator is an authentication chain. Unlike an Identity Connector which can be used by more than one Cloud Connector, the Cloud Authenticator is configured for a specific Application Adapter.

• Application Adapter

The Application Adapter produces a custom assertion containing an ECA360 token. Unlike Cloud Connectors which can connect to many types of applications, the Application Adapter can only connect to cloud applications or services that can consume the custom ECA360 token.

To expand the functionality of the Application Adapter, you can add an ECA360 Token Authenticator to the Cloud Identity Manager system. The ECA360 Token Authenticator is a type of Identity Connector that consumes ECA360 tokens. When configuring the Cloud Connectors in the Cloud Identity Manager system, you select an Identity Connector having the type ECA360 Token.

Note: For more information, see section 7.3 Cloud Application Trust Profile — Connected Modes.

Figure 17. Cloud Application Trust Profile — Service Provider Mode


7.3 Cloud Application Trust Profile — Connected Modes

To connect multiple Identity Providers and multiple Service Providers in one integrated system, you need to configure the following connector types in the Cloud Identity Manager Management Console:

• Cloud Authenticator — For each Identity Provider, configure one Cloud Authenticator. The Cloud Authenticator configuration requires an Application Adapter. For more information, see section 7.4 Cloud Authenticators.

• Application Adapter — Configure one Application Adapter. For more information, see section 7.5 The Application Adapter Wizard. You need an Application Adapter when configuring the Cloud Authenticator.

• ECA360 Token Authenticator — Configure one ECA360 Token Authenticator. An ECA360 Token Authenticator is an Identity Connector having the type ECA360 Token. For more information, see section 4.0 Identity Connectors.

• Cloud Connectors — For each cloud application, configure one Cloud Connector. The Cloud Connector configuration requires an ECA360 Token Identity Connector. For more information, see section 3.0 Cloud Connectors.

The following diagram shows how Cloud Authenticators and Cloud Connectors are connected through an Application Adapter that produces a custom ECA360 token and an ECA360 Token Authenticator that consumes the token.


7.4 Cloud Authenticators

To view, edit, create, and delete Cloud Authenticators, select the Cloud Authenticators option from the Application Adapters tab drop-down list. The Cloud Authenticators window opens and lists all configured Cloud Authenticators, the status of each one, and the Application Adapter paired with each one.

A Cloud Authenticator is a chain of authentication modules. You can add modules to and remove modules from the authentication chain. You can also change the order of the modules in the chain. Modules are processed in the order that they are configured. Changing the order affects the outcome of processing and the authentication result.

Note: For more information about authentication chains and modules, see section 5.0 Authentication Chains.


7.4.1 How to Configure a Cloud Authenticator

Configuring a Cloud Authenticator involves the following steps on the New Cloud Authenticator screen:

1. Specify a name for the Cloud Authenticator.

2. Select an existing Application Adapter or create a new one for the Cloud Authenticator.

3. Configure a chain of authentication modules for the Cloud Authenticator.

4. Configure attribute mapping for the Application Adapter selected in step 2.


7.4.2 Configure a Cloud Authenticator

This procedure takes you through the configuration steps for a Cloud Authenticator.

To configure a Cloud Authenticator

1. Select Cloud Authenticators from the Application Adapters tab drop-down list, and click New Cloud Authenticator. The New Cloud Authenticator dialog box opens.

2. Type a name for the Cloud Authenticator in the Cloud Authenticator Name field.

3. Select a preconfigured Application Adapter from the Associated Adapter drop-down list. Token attributes corresponding to the selected Application Adapter are populated as target attributes in the Attribute Mapping for Adapter area.
Note: To configure a new Application Adapter, click New Adapter. For more information, see section 7.5 The Application Adapter Wizard.

4. In the Login Modules in Authenticator area, you can add authentication modules to the Cloud Authenticator and specify the order of the modules.
— Up — Moves the selected authentication module up one row in the table of modules configured for the authentication chain.
— Down — Moves the selected authentication module down one row in the table of modules configured for the authentication chain.
— New — Opens the authentication module wizard, where you can select an existing type of authentication module, register a new type of authentication module, and configure an authentication module for the authentication chain.
Note: For information about how to configure authentication modules and chains, see section 5.0 Authentication Chains.

5. (Optional) In the Attribute Mapping for Adapter area, you can map source attributes to the target attributes configured for the selected Application Adapter.
Note: For more information, see section 7.4.2.1 Configure Attribute Mapping for the Cloud Authenticator.

6. Click Save. The Cloud Authenticator configuration is saved.


7.4.2.1 Configure Attribute Mapping for the Cloud Authenticator

Attribute mapping allows you to map user information from an identity source to a target application or service in the cloud. In this procedure, user attributes are mapped from the Cloud Authenticator to the Application Adapter. You configure this mapping in the Attribute Mapping for Adapter area on the New Cloud Authenticator screen.

When you configure an Application Adapter, you have the option of specifying token attributes. If specified, these token attributes are populated as target attributes in the Attribute Mapping for Adapter area. Token attributes are configured on the Token Profile step of the Application Adapter wizard. For more information, see section 7.5.3 Configure a Token Profile for the Application Adapter.

To configure attribute mapping, you provide the name and type of attribute in the identity source that corresponds to the target attribute. The identity source is the Identity Provider or authentication service.

Note: Token attributes are populated automatically. However, their use is optional. You can add and remove attributes from the attribute mapping configuration, as needed.

To configure attribute mapping for the Cloud Authenticator

1. Select one or more of the following options:

— Add — To add an attribute mapping to the table, click Add. The New attribute dialog box opens.
i. In the Target name field, type the name of the attribute in the custom ECA360 token produced by the Application Adapter.
ii. Select one of the following options from the Source type drop-down list:
• CONSTANT — Select this source type if the source has a constant value, and then type the value in the Constant value field that opens.
• AUTHN_RESULT_FIELD — Select this source type if the source’s value is the result of an authentication decision, and then select an attribute from the Authentication result drop-down list that opens.
• EXPRESSION — Select this source type if the source’s value is the result of an expression, and then type the expression in the Expression value field that opens.
iii. Click Ok.

— Edit — To edit an attribute mapping in the table, select it, and then click Edit. The Edit attribute dialog box opens. Modify the attribute mapping, and click Ok.

— Remove — To remove an attribute mapping from the table, select it, and then click Remove.

2. From the Subject for Application Adapter drop-down list, select which of the mapped user attributes uniquely identifies the subject or user.
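The mapping configured in this procedure, worked through in code. This is an added example, not Cloud Identity Manager code: it applies CONSTANT, AUTHN_RESULT_FIELD and EXPRESSION mappings to a constructed authentication result, selects the subject, and reports mappings that reference attributes the authentication chain never produced. The product guide does not document the syntax of the EXPRESSION source, so the expression language here (lower, upper, first) is a hypothetical whitelist, not the product's.

```python
"""Attribute mapping from a Cloud Authenticator to an Application Adapter.

Added example, not Cloud Identity Manager code. It models the three source
types of the Attribute Mapping for Adapter area (CONSTANT, AUTHN_RESULT_FIELD,
EXPRESSION) and the Subject for Application Adapter selection. The EXPRESSION
syntax is a hypothetical whitelist of lower(attr), upper(attr) and first(attr);
arbitrary expression evaluation is deliberately not supported.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Mapping:
    target: str        # attribute name in the custom ECA360 token
    source_type: str   # CONSTANT | AUTHN_RESULT_FIELD | EXPRESSION
    source: str        # constant value, authentication result field, or expression


# Constructed sample authentication result, as a chain of login modules might
# produce it. Attribute names and values are made up for this example.
SAMPLE_AUTHN_RESULT = {
    "uid": "jdoe",
    "mail": "JDoe@Example.com",
    "displayName": "Jane Doe",
    "memberOf": ["cn=sales,ou=groups,dc=example,dc=com",
                 "cn=vpn,ou=groups,dc=example,dc=com"],
}

_EXPR = re.compile(r"^(lower|upper|first)\((\w+)\)$")


def evaluate_expression(expr, authn_result):
    """Evaluate one whitelisted expression against the authentication result."""
    match = _EXPR.match(expr.strip())
    if not match:
        raise ValueError(f"unsupported expression: {expr!r}")
    func, attr = match.groups()
    value = authn_result[attr]  # KeyError: the chain did not produce this attribute
    if func == "lower":
        return str(value).lower()
    if func == "upper":
        return str(value).upper()
    return value[0] if isinstance(value, list) else value  # first(attr)


def missing_sources(mappings, authn_result):
    """Targets whose source attribute is absent from the authentication result.

    A mapping that references an attribute the authentication chain never
    produces is a configuration error worth catching before a token is built.
    """
    missing = []
    for m in mappings:
        if m.source_type == "AUTHN_RESULT_FIELD" and m.source not in authn_result:
            missing.append(m.target)
        elif m.source_type == "EXPRESSION":
            match = _EXPR.match(m.source.strip())
            if match is None or match.group(2) not in authn_result:
                missing.append(m.target)
    return missing


def apply_mappings(mappings, authn_result):
    """Produce the token attributes from the configured mappings."""
    token_attrs = {}
    for m in mappings:
        if m.source_type == "CONSTANT":
            token_attrs[m.target] = m.source
        elif m.source_type == "AUTHN_RESULT_FIELD":
            token_attrs[m.target] = authn_result[m.source]
        elif m.source_type == "EXPRESSION":
            token_attrs[m.target] = evaluate_expression(m.source, authn_result)
        else:
            raise ValueError(f"unknown source type: {m.source_type!r}")
    return token_attrs


def select_subject(token_attrs, subject_attr):
    """The subject must be one mapped attribute with a single, non-empty value."""
    if subject_attr not in token_attrs:
        raise ValueError(f"subject attribute {subject_attr!r} is not mapped")
    value = token_attrs[subject_attr]
    if isinstance(value, list) or not value:
        raise ValueError("subject attribute must be a single non-empty value")
    return value


def build_token_attributes(mappings, authn_result, subject_attr):
    """Attributes plus subject, as the Application Adapter would place them in the token."""
    attrs = apply_mappings(mappings, authn_result)
    return {"subject": select_subject(attrs, subject_attr), "attributes": attrs}


# Example mapping configuration (constructed for this example).
EXAMPLE_MAPPINGS = [
    Mapping("email", "EXPRESSION", "lower(mail)"),
    Mapping("name", "AUTHN_RESULT_FIELD", "displayName"),
    Mapping("tenant", "CONSTANT", "acme"),
    Mapping("primaryGroup", "EXPRESSION", "first(memberOf)"),
]

if __name__ == "__main__":
    print(missing_sources(EXAMPLE_MAPPINGS, SAMPLE_AUTHN_RESULT))
    print(build_token_attributes(EXAMPLE_MAPPINGS, SAMPLE_AUTHN_RESULT, "email"))
```

Running missing_sources against the live authentication result before saving the Cloud Authenticator is the check a practitioner wants: a subject attribute that is mapped from a field the chain does not populate fails only at login time, which is the worst moment to find out.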


7.5 The Application Adapter Wizard

The Application Adapter produces custom tokens and sends them to the endpoint specified by the cloud application or service. The service can be the ECA360 Token consumer service provided by an ECA360 Token Authenticator. When you select the Application Adapters option in the Application Adapters tab in the Management Console, the Application Adapters window opens and lists all configured Adapters.

The Application Adapters window gives you the option of editing, duplicating, troubleshooting, or deleting existing Application Adapters. It also gives you the option of creating a new Application Adapter in the Application Adapter wizard. After Application Adapters are configured and saved in the Cloud Identity Manager system, they can be used when configuring any number of Cloud Authenticators.

Creating a new Application Adapter in the wizard involves the following steps:

1. Application Adapter Name — Select one of the following Application Adapter types, and specify a name:
— ECA360 Token — Select ECA360 Token to configure a custom connection to a cloud application or service.
— AppUp — Select AppUp to enable a connection to an Intel® AppUp service.

2. Custom Connection — Configure a connection between the Application Adapter and the cloud application or service.

3. Token Profile — Configure a custom token for the cloud application or service.
Note: The service can be the ECA360 Token consumer service provided by an ECA360 Token Authenticator.

To access the wizard, you have two options:
• Click New Application Adapter in the Application Adapters window.
• Click New Adapter in the New Cloud Authenticator dialog.


7.5.1 Specify a Name and Type for the Application Adapter

Specify a name for the Application Adapter, and select the connection type.

To specify a name and type for the Application Adapter

1. To open the Application Adapter wizard, perform one of the following steps:
— Click New Application Adapter in the Application Adapters window.
— Click New Adapter in the New Cloud Authenticator dialog box.
The Application Adapter wizard opens.

2. Select an Application Adapter type from the cloud options:
— ECA360 Token — Select ECA360 Token to configure a custom connection to a cloud application or service.
— AppUp — Select AppUp to enable a connection to an Intel® AppUp service.

3. Type a name in the Application Adapter Name field.

4. Click Next. The Custom Connection step opens.


7.5.2 Configure a Custom Connection for the Application Adapter

Configure a custom connection between the Application Adapter and the cloud application or service. The service can be the ECA360 Token consumer service provided by an ECA360 Token Authenticator.

To configure a custom connection for the Application Adapter

1. From the Authn Response Binding drop-down list, select one of the following options:
— HTTP_POST — The authentication response and URL of the cloud application or service are placed in the HTTP body.
— HTTP_REDIRECT — The authentication response and URL of the cloud application or service are placed in the URL query string.

2. (Intel® AppUp) In the AppUp Token Service Endpoint field, type the URL to use when sending an Intel® AppUp session request to Intel® Expressway Service Gateway (Intel® ESG).

3. (Optional) To configure IdP-initiated SLO:
a. Select the Cloud App Logout Location checkbox.
b. Type the SLO endpoint URL of the cloud application or service in the Location field.
Note: When IdP-initiated SLO is configured, logging out of the Identity Provider also logs the user out of the cloud application or service.

4. (Optional) To configure IdP-initiated SSO:
a. Select the Default Cloud App Page checkbox.
b. Type the SSO endpoint URL of the cloud application or service in the Endpoint field.
Note: When IdP-initiated SSO is configured, signing in to the Identity Provider also signs the user in to the cloud application or service.

5. Click Next. The Token Profile step opens.


7.5.3 Configure a Token Profile for the Application Adapter

In this procedure, you have the option of configuring a token profile for the cloud application or service. The service can be the ECA360 Token consumer service provided by an ECA360 Token Authenticator.

Use the token profile to specify the names of attributes to pass in the custom token from the Internet Identity Provider to the cloud application or service. Passing user attributes from the Identity Provider to the cloud application or service also requires configuration in the Attribute Mapping for Adapter area in the New Cloud Authenticator dialog box.

To configure a token profile for the Application Adapter

1. (Optional) Open the Conditions area:
a. To specify the token’s audience as one or more URLs, type the URL in the Add audience field and click Add audience. The URL is added to the Conditions area.
Note: The cloud application or service uses the audience information to verify that it is the intended recipient of the token.
b. In the Clock skew field, type a value to use when calculating the token’s expiration time. This value is designed to offset small differences between clocks in different security domains.
Default value: 20
Units: seconds
c. In the Lifetime field, type a lifetime value to use when calculating the token’s expiration time. When the expiration time is exceeded, the token is invalidated by the token consumer. When specifying the lifetime value, take into account the estimated transmission latency between security domains.
Default value: 60
Units: seconds

2. (Optional) Open the Signature area, and specify the following fields:
a. Signature generation method — Specifies the signature generation method to use when signing or verifying the custom token.
Value: RSA_WITH_SHA_1
Note: The Signature generation method is set to a preconfigured value and cannot be modified.
b. Key name — Specifies the public key/private key pair to use when signing or verifying the custom token.
Note: Do not select intel cloud expressway from the drop-down list. Selecting the self-signed key pair that comes with Cloud Identity Manager compromises the security of the Cloud Identity Manager system.


3. Select the Specify Issuer checkbox, and type the URL of the token issuer in the field.
Example: https://localhost:8443/identityservice
Note: The issuer is Cloud Identity Manager. The cloud application or service uses the issuer information to verify that the token it receives is issued by Cloud Identity Manager.

4. (Optional) Open the Token Attributes area, and select one or more of the following options.
— Add — To add a token attribute to the table, click Add. The New Attribute dialog box opens.
i. In the Name field, type the name of the token attribute.
ii. (Optional) In the Type field, specify the type of token attribute.
iii. Click Ok.
— Edit — To edit a token attribute in the table, select it, and click Edit. The Edit Attribute dialog box opens. Modify the attribute’s name, type, or both, and then click Ok.
— Remove — To remove a token attribute from the table, select it, and click Remove.
— Clear — To remove all token attributes from the table, click Clear and then Yes to confirm.

5. Click Finish. The Application Adapter configuration is saved.
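The token profile conditions of this section, as a token consumer would enforce them. This is an added example, not Cloud Identity Manager or ECA360 code. The token layout (base64url JSON plus a MAC) and the HMAC-SHA256 stand-in are assumptions made so the example runs on the Python standard library alone; the product fixes the signature method at RSA with SHA-1 and signs with the key pair selected under Key name. The issuer URL is the guide's example value; the audience URL, key and subject are constructed.

```python
"""Issuing and validating a custom token under a token profile.

Added example, not Cloud Identity Manager or ECA360 code. The consumer-side
checks follow the token profile conditions: audience, issuer, lifetime and
clock skew (guide defaults 60 and 20 seconds). Token layout and HMAC-SHA256
are assumptions; the product uses RSA with SHA-1 and the configured key pair.
"""
import base64
import hashlib
import hmac
import json

DEFAULT_CLOCK_SKEW = 20  # seconds, guide default
DEFAULT_LIFETIME = 60    # seconds, guide default


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key, issuer, audiences, subject, attributes, issued_at,
                lifetime=DEFAULT_LIFETIME):
    """Build a token: conditions (iss, aud, iat, exp), subject, attributes, then sign."""
    payload = {
        "iss": issuer,
        "aud": list(audiences),
        "sub": subject,
        "iat": issued_at,
        "exp": issued_at + lifetime,
        "attrs": attributes,
    }
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    mac = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64(mac)


class TokenError(Exception):
    pass


def validate_token(token, key, expected_issuer, my_audience, now,
                   clock_skew=DEFAULT_CLOCK_SKEW):
    """Consumer-side validation: signature first, then the token profile conditions."""
    parts = token.split(".")
    if len(parts) != 2:
        raise TokenError("malformed token")
    body, sig = parts
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    try:
        given = _unb64(sig)
    except (ValueError, UnicodeError):
        raise TokenError("bad signature")
    if not hmac.compare_digest(expected, given):  # constant-time comparison
        raise TokenError("bad signature")
    payload = json.loads(_unb64(body))
    if payload.get("iss") != expected_issuer:
        raise TokenError("unexpected issuer")
    if my_audience not in payload.get("aud", []):
        raise TokenError("not intended audience")
    iat, exp = payload.get("iat"), payload.get("exp")
    if not isinstance(iat, (int, float)) or not isinstance(exp, (int, float)):
        raise TokenError("missing time conditions")
    # Clock skew tolerates the issuer's clock being slightly ahead of or behind ours.
    if iat > now + clock_skew:
        raise TokenError("token issued in the future")
    if now > exp + clock_skew:
        raise TokenError("token expired")
    if not payload.get("sub"):
        raise TokenError("missing subject")
    return payload


def check_token(token, key, expected_issuer, my_audience, now,
                clock_skew=DEFAULT_CLOCK_SKEW):
    """'ok' or the reason the consumer rejected the token."""
    try:
        validate_token(token, key, expected_issuer, my_audience, now, clock_skew)
        return "ok"
    except TokenError as err:
        return str(err)


# Constructed values for a stand-alone run.
DEMO_KEY = b"constructed-demo-key-not-for-production"
ISSUER = "https://localhost:8443/identityservice"      # issuer URL from the guide's example
AUDIENCE = "https://app.example.com/eca360-consumer"    # assumed consumer endpoint
ISSUED_AT = 1_700_000_000

DEMO_TOKEN = issue_token(DEMO_KEY, ISSUER, [AUDIENCE], "jdoe",
                         {"email": "jdoe@example.com"}, ISSUED_AT)

if __name__ == "__main__":
    for offset in (30, 80, 81):
        print(offset, check_token(DEMO_TOKEN, DEMO_KEY, ISSUER, AUDIENCE, ISSUED_AT + offset))
```

The window the consumer accepts is issued_at minus clock skew up to expiration plus clock skew, so with the defaults a token is usable for at most 100 seconds; a lifetime sized for the worst-case latency between the two security domains, not longer, limits how long a captured token can be replayed. Because the product fixes the signature method at RSA with SHA-1, which NIST deprecated for signature generation after 2013, the consumer should not treat the signature as its only control: enforcing audience, issuer and the time window as above confines what a misdirected or replayed token can be used for.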


8.0 Audit Logging

The Cloud Identity Manager auditing feature uses an events-based auditing model that records all events generated by administrator and administrative user actions in the Management Console. Using the auditing feature, administrators can configure auditing policies that support the security and compliance requirements of each organization. For information about transaction and error logging, see section 9.0 Transaction and Error Logging.

You can access audit events through the Audit and Alerts features, which generate the audit log and alert log, respectively. While the audit and alert logs are both based on audit events, they are otherwise independent. To configure the audit log, you configure an auditing policy. The new auditing policy is effective as soon as you save it.

To generate the alert log, you configure one or more alert triggers. Once configured, audit events and alerts are dynamically entered in the audit and alert logs, respectively, as they occur.

When you configure the auditing policy, plan to log every audit event that you might want to see. When you configure the alert triggers, plan to log only those audit events that are most interesting or important to know.

You can access the Audit and Alerts features in the Management Console, as follows:

• Select the Logs tab and then the Auditing tab — In the Auditing tab, you can configure an auditing policy and filter and view the audit log. The auditing policy determines which events are entered in the audit log. You can download the audit log to a file, and purge or clear the log. For more information about audit logs, see section 8.1 The Auditing Tab.

• Select the Alerts option from the Monitoring tab drop-down list — In the Alerts window, you can configure multiple alert triggers and filter and view the alert log. The alert triggers determine which audit events are entered in the alert log. You can download the alert log to a file, and purge or clear the log. For more information about alerts, see section 10.1 Alerts.

In addition to the Audit and Alerts features, Cloud Identity Manager offers built-in measures that summarize system data called metrics. You can access the metrics feature, as follows:

• Select the Metrics option from the Monitoring tab drop-down list — In the Metrics window, you can select measures that summarize system data. You can configure and apply a filter and view the results. You can download the cloud metrics to a file, and purge or clear the cloud metrics. For more information about metrics, see section 10.2 Cloud Metrics.


8.1 The Auditing Tab

In the Auditing tab, you have the following options. For more information, see the corresponding sections:

• You can configure and apply a filter to the audit log and view the results. You configure and apply the filter in the upper half of the window, and the results are displayed in the lower half of the window. See section 8.2 Filtering the Audit Log.

• You can configure an auditing policy. See section 8.3 Configure the Auditing Policy.

• You can download the audit log from Cloud Identity Manager to a .zip file. See section 8.4 Download the Audit Log.

• You can purge or clear the audit log. See section 8.5 Purge the Audit Log.

Note: Using the download and purge options together, you can archive the audit log and then delete it.

8.2 Filtering the Audit Log

Selecting the Logs tab and then the Auditing tab opens the filter configuration area, where you can configure the entries you see when you view the audit log.


The filter configuration area includes six filter settings:

• Duration — Select a time interval from the Duration drop-down list, or specify a time interval using the calendar icon.
• Event Name — Select one or more or all event names from the Events drop-down list.
• User ID — Type one or more user IDs in the User field separated by semicolons, or type a matching value in the field. Select a preconfigured user store from the User Store drop-down list.
• Message Text — Type the message text or a matching value in the Message field.
• Event Issuer — Type the name of an event source or a matching value in the Sender field.
• Source Component — Select one or more or all source components from the Components drop-down list.

Note: For more information about Cloud Identity Manager event names and source components, see section 8.6 Audit Event Names and Source Components Reference.

One or more filter settings, taken together, create the filter. Except for Duration, filter settings are optional and allow you to select a condition option and specify a value. When the filter is applied to the audit log, the effect of any given setting depends on the configuration of the condition and the value:

• equal to — Displays only log entries that match the specified value.
• not equal to — Displays only log entries that do not match the specified value.
• contains — Displays only log entries that contain the specified value.
• does not contain — Displays only log entries that do not contain the specified value.

Note: The equal to and not equal to options are case-sensitive, while the options contains and does not contain are not case-sensitive.

The following table shows the four condition options and the effect on the filter when they are combined with examples of event names or matching string values.

Condition          Value            Effect
equal to           authentication   The filter displays only authentication events.
not equal to       authorization    The filter displays all events except authorization events.
contains           auth             The filter displays only authentication and authorization events.
does not contain   auth             The filter displays all events except authentication and authorization events.

Message Text Examples:
• equal to — To view only successful login events, type the message Login was successful in the Message field, and select the equal to condition.
• contains — To view “create” events only, type “Add new” in the Message field, and select contains as the condition.


8.2.1 Configure Filter Settings for the Audit Log

You configure filter settings for the audit log in the Auditing tab.

Note: The equal to and not equal to options are case-sensitive, while the options contains and does not contain are not case-sensitive.

To configure filter settings for the audit log

1. To limit the display to entries logged in a specified time period, select an option from the Duration drop-down list, or click the calendar icon and specify a time range. To disable this filter, select ALL the time.
— Select an option from the drop-down list:
• Previous minute
• Previous 5 minutes
• Previous 30 minutes (Default)
• Previous day
• Previous 2 days
• Previous week
• Previous month
• Previous 3 months
• Previous 6 months
• ALL the time
— Click the calendar icon, specify the starting date and time and the ending date and time, and click Ok.

2. (Optional) To configure the Event Name setting for the audit log filter, select one or more or all event names from the Events drop-down list.
Note: To view a list of event names and source components, see section 8.6 Audit Event Names and Source Components Reference.


3. (Optional) To configure the User ID setting for the audit log filter, perform the following steps.
a. Select an option from the drop-down list:
• equal to — (Default) Displays only events generated by the specified user(s).
• not equal to — Displays only events not generated by the specified user(s).
b. Type one or more user IDs in the User field separated by semicolons, or type a matching value in the field.
c. Select a preconfigured user store from the User Store drop-down list.

4. (Optional) To configure the Message Text setting for the audit log filter, perform the following steps. The message text describes the event. Login was successful is an example of a message in the audit log.
a. Select an option from the drop-down list:
• equal to — (Default) Displays only events having the specified message.
• not equal to — Displays only events not having the specified message.
• contains — Displays only events having a message that contains the text specified in the Message field.
• does not contain — Displays only events having a message that does not contain the text specified in the Message field.
b. Type one or more messages in the Message field separated by semicolons, or type a matching value in the field.

5. (Optional) To configure the Event Source setting for the audit log filter, perform the following steps. The event source is the issuer of the event.
a. Select an option from the drop-down list:
• equal to — (Default) Displays only events issued by the specified event source.
• not equal to — Displays only events not issued by the specified event source.
• contains — Displays only events issued by an event source whose name contains the text specified in the Sender field.
• does not contain — Displays only events issued by an event source whose name does not contain the text specified in the Sender field.
b. Type one or more event sources in the Sender field separated by semicolons, or type a matching value in the field.

6. (Optional) To configure the Source Component setting for the audit log filter, select one or more or all source components from the drop-down list. Source components are system components that execute and log events.
Note: To view a list of event names and source components, see section 8.6 Audit Event Names and Source Components Reference.

7. Click Apply Filter. The filtered events are displayed in the Auditing tab.


8.2.2 View the Filtered Audit Log

When you apply a filter to an audit log, log entries like the following are displayed in a table in the lower half of the window:

The filtered log table includes the following headings:

Create Time
Specifies the date and time that the event was logged.
Example: Feb 14, 2011 2:18:57 PM

Event Name
Specifies the event’s name.
Example: CloudAccess360_Login_Attempt

Source Component
Specifies the Cloud Identity Manager source component that executed and logged the event.
Example: CloudAccess360_System_Config

Status
Specifies the outcome of the event.
Examples: success or fail

Message
Describes the event and the event’s outcome.
Example: Login was successful

Note: For a list of event names and source components, see section 8.6 Audit Event Names and Source Components Reference.
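The filter settings from the procedure above, applied in code to rows with the table headings just listed. This is an added example, not code from the product: the rows and the "current time" are constructed, the Create Time format follows the example above, and the User and Sender columns are an assumption so that the User ID and Event Source settings have a value to match against.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Set, Tuple

# Constructed sample audit rows (not real product output). The first five columns are the
# headings of the filtered audit log table; the User and Sender columns are an assumption,
# added so that the User ID and Event Source settings have a value to match against.
SAMPLE_AUDIT_CSV = '''Create Time,Event Name,Source Component,Status,Message,User,Sender
"Feb 14, 2011 2:18:57 PM",CloudAccess360_Login_Attempt,CloudAccess360_System_Config,success,Login was successful,alice,console
"Feb 14, 2011 2:19:05 PM",Authorization,CloudAccess360_Identity_Runtime,success,Access permitted,alice,pdp
"Feb 14, 2011 2:20:31 PM",CloudAccess360_Login_Attempt,CloudAccess360_System_Config,fail,Login failed,mallory,console
"Feb 14, 2011 2:21:02 PM",CloudAccess360_Login_Attempt,CloudAccess360_System_Config,fail,Login failed,mallory,console
"Feb 14, 2011 2:21:40 PM",CloudAccess360_Login_Attempt,CloudAccess360_System_Config,fail,Login failed,mallory,console
"Feb 13, 2011 9:00:00 AM",Service_Enable,CloudAccess360_System_Config,success,Service enabled,admin,console
'''

# Constructed "current time" so the Duration setting is reproducible offline.
SAMPLE_NOW = datetime(2011, 2, 14, 14, 30, 0)

# Matches the Create Time example in the guide: Feb 14, 2011 2:18:57 PM
TIME_FORMAT = "%b %d, %Y %I:%M:%S %p"


def text_matches(operator, value, spec):
    """Apply one of the four drop-down operators to a field.

    spec is the text typed into the User, Message or Sender field: one or more
    values separated by semicolons. An empty field leaves the setting unset.
    """
    wanted = [s.strip() for s in spec.split(";") if s.strip()]
    if not wanted:
        return True
    if operator == "equal to":
        return value in wanted
    if operator == "not equal to":
        return value not in wanted
    if operator == "contains":
        return any(w in value for w in wanted)
    if operator == "does not contain":
        return not any(w in value for w in wanted)
    raise ValueError("unknown operator: " + operator)


@dataclass
class AuditFilter:
    """The settings of the Auditing tab filter, with the guide's defaults."""
    now: datetime
    duration: Optional[timedelta] = timedelta(minutes=30)   # None means ALL the time
    time_range: Optional[Tuple[datetime, datetime]] = None  # calendar icon; overrides duration
    event_names: Optional[Set[str]] = None                  # None means all event names
    user_op: str = "equal to"
    user_spec: str = ""
    message_op: str = "equal to"
    message_spec: str = ""
    sender_op: str = "equal to"
    sender_spec: str = ""
    source_components: Optional[Set[str]] = None            # None means all components

    def accepts(self, row):
        logged_at = datetime.strptime(row["Create Time"], TIME_FORMAT)
        if self.time_range is not None:
            start, end = self.time_range
            if not start <= logged_at <= end:
                return False
        elif self.duration is not None and not self.now - self.duration <= logged_at <= self.now:
            return False
        if self.event_names is not None and row["Event Name"] not in self.event_names:
            return False
        if self.source_components is not None and row["Source Component"] not in self.source_components:
            return False
        return (text_matches(self.user_op, row["User"], self.user_spec)
                and text_matches(self.message_op, row["Message"], self.message_spec)
                and text_matches(self.sender_op, row["Sender"], self.sender_spec))


def apply_filter(audit_csv, audit_filter):
    """Return the rows of a CSV audit log that the filter displays."""
    rows = csv.DictReader(io.StringIO(audit_csv))
    return [row for row in rows if audit_filter.accepts(row)]


def failed_logins_by_user(rows):
    """Count login attempts with Status fail per user, the first thing a reviewer looks for."""
    counts = {}
    for row in rows:
        if row["Event Name"] == "CloudAccess360_Login_Attempt" and row["Status"] == "fail":
            counts[row["User"]] = counts.get(row["User"], 0) + 1
    return counts


if __name__ == "__main__":
    recent = apply_filter(SAMPLE_AUDIT_CSV, AuditFilter(now=SAMPLE_NOW))
    print(len(recent), "events in the previous 30 minutes")
    print(failed_logins_by_user(recent))
```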

8.3 Configure the Auditing Policy

On the Auditing Policy Configuration dialog box, you configure the auditing policy. The auditing policy determines which events are entered in the audit log. To configure the policy, you specify the maximum log size, the log archive location, and enable or disable auditing.

You can also enable or disable audit logging of individual event types. For example, to troubleshoot a problem in the system, you could enable logging of authorization events, but disable logging of authentication events. To view a list of event names and source components, see section 8.6 Audit Event Names and Source Components Reference.


To configure the auditing policy

1. Click Configure in the Auditing tab.

The Auditing Policy Configuration dialog box opens and displays a table of events containing four columns: Event Name, Source Component, Event Summary, and Enable. Use the scroll bars to view the whole table.

Note: You can configure which columns are displayed, as follows. Place the cursor over any column heading to activate the down arrow, and click the arrow. Place the cursor over the Columns option that opens. A menu of column headings opens. To hide a column, deselect the checkbox corresponding to the column’s heading. To show a column, select the checkbox corresponding to the column’s heading.

2. Configure the following fields and settings:

Maximum Log Entries
Specifies the maximum number of Audit Log entries to store in the database. When the Audit Log reaches the specified maximum size, the log is archived and the database is cleared.
Default: 5000000

Database Archive Location
Specifies the location of the archived Audit Log.
Default: The default archive location is your web browser’s download directory.

Enable Event Logging
Select one of two values:
• TRUE — Enables Event Logging.
• FALSE — Disables Event Logging.

3. For each event name in the events table:
— Select the corresponding checkbox to enable logging of that event.
— Deselect the corresponding checkbox to disable logging of that event.

4. Click Yes.

The Auditing Policy is saved.


8.4 Download the Audit Log

The Download option allows you to archive the audit log. In the Download dialog box, you download the audit log from Cloud Identity Manager to the following location and file:

Download_Directory/AuditEventLog.zip

Download_Directory
Specifies your web browser’s download directory.

The .log file name is like the .zip file name except that it includes a date and time stamp, as in the following example:

AuditEventLog-2011-02-25T13_29_15.log

The .log file is a text file that contains the audit log data in the XML or CSV format specified when the download is configured. You can also specify a range of dates or an ending date to reduce the number of log entries that are downloaded to the file.

Note: XML is an acronym for eXtensible Markup Language. CSV is an acronym for Comma Separated Values.

To download the audit log

1. Click Download in the Auditing tab.

The download dialog box opens.

2. Select a format for the data in the downloaded file.
— XML — Specifies saving the data in XML format.
— CSV — Specifies saving the data in CSV format.

3. Select a time interval:
— Before Date — Select the Before Date option to download all entries logged before a specified date and time, and select values for the Date, Hour, Minute, and AM|PM settings in the To row.
— Between Dates — Select the Between Dates option to download all entries logged in a specified range of dates and times, and select values for the Date, Hour, Minute, and AM|PM settings in both the From and To rows.

4. Click Ok.

The downloading process begins.


8.5 Purge the Audit Log

You can clear the audit log in the Auditing tab by clicking Purge Log. You can specify a range of dates or an ending date to clear only part of the audit log. For example, you can clear only the oldest entries by selecting Before Date and specifying an ending date.

To purge the audit log

1. Click Purge Log in the Auditing tab.

The following dialog box opens.

2. Select a time interval:
— Before Date — Select the Before Date option to clear all entries logged before a specified date and time, and select values for the Date, Hour, Minute, and AM|PM settings in the To row.
— Between Dates — Select the Between Dates option to clear all entries logged in a specified range of dates and times, and select values for the Date, Hour, Minute, and AM|PM settings in both the From and To rows.

3. Click Ok.

4. Click Yes to confirm.

The entire audit log or specified entries are cleared.


8.6 Audit Event Names and Source Components Reference

The following table lists all audit event names and the system components that execute and log each event. For a list of audit event names and actions, see section 10.4 Audit Event Names and Actions Reference.

Event Name                          Source Component
User_Provisioned                    CloudAccess360_Identity_Runtime
User_Deprovisioned                  CloudAccess360_Identity_Runtime
Authentication                      CloudAccess360_Identity_Runtime
Authorization                       CloudAccess360_Identity_Runtime
CloudAccess360_IDP_SSO              CloudAccess360_Identity_Runtime
CloudAccess360_IDP_SLO              CloudAccess360_Identity_Runtime
CloudAccess360_SP_SSO               CloudAccess360_Identity_Runtime
CloudAccess360_SP_SLO               CloudAccess360_Identity_Runtime
IdentityMapped                      CloudAccess360_Identity_Runtime
Trust_Broker_Change                 CloudAccess360_Identity_Config
Identity_Store_Change               CloudAccess360_Identity_Config
XACML_Policy_Change                 CloudAccess360_Identity_Config
XACML_PDP_Change                    CloudAccess360_Identity_Config
User_Role_Change                    CloudAccess360_Identity_Config
Provision_Plugin_Change             CloudAccess360_Identity_Config
Service_Enable                      CloudAccess360_System_Config
Service_Disable                     CloudAccess360_System_Config
CloudAccess360_API_Access           CloudAccess360_System_Config
CloudAccess360_Login_Attempt        CloudAccess360_System_Config
CloudAccess360_Logout_Attempt       CloudAccess360_System_Config
CloudAccess360_User_Management      CloudAccess360_System_Config
Proxy_Configuration_Change          CloudAccess360_System_Config
ReverseProxy_Configuration_Change   CloudAccess360_System_Config
Hibernate_Configuration_Change      CloudAccess360_System_Config
OSGI_Configuration_Change           CloudAccess360_System_Config
New_Service_Deployed                CloudAccess360_WebIDE
Service_Undeployed                  CloudAccess360_WebIDE
REST_Configuration_Change           CloudAccess360_WebIDE
Service_Update                      CloudAccess360_WebIDE


9.0 Transaction and Error Logging

Cloud Identity Manager keeps a log of transactions. A transaction, such as logging in, is defined as a completed identity service operation. Each transaction is a process with multiple steps. Cloud Identity Manager assigns the transactions unique identifiers and records the transaction steps in the log.

To navigate to the Transaction and Error Logging tab in the Management Console, select the Logs tab. In the Transaction and Error Logging window, you have the following options. For more information, see the corresponding sections.

• Configure and apply a filter to the transaction log, and view the results — See sections 9.1 Configure Filter Settings for the Transaction Log and 9.2 Viewing the Filtered Transaction Log.

• Configure which transaction steps are logged by selecting a minimum log level — See section 9.3 Configure the Transaction Log.

• Download the transaction log to a file — See section 9.4 Download the Transaction Log.

• Purge the transaction log — See section 9.5 Purge the Transaction Log.

Note: In addition to transaction and error logging, Cloud Identity Manager features audit logging. For more information, see section 8.0 Audit Logging.


9.1 Configure Filter Settings for the Transaction Log

To filter the transaction log, you configure the filter and apply it to the log.

To configure filter settings for the transaction log

1. To limit the display to entries logged in a specified time period, select an option from the Duration drop-down list, or click the calendar icon and specify a time range. To disable this filter, select ALL the time.

— Select an option from the drop-down list:

• Previous minute
• Previous 5 minutes
• Previous 30 minutes (Default)
• Previous day
• Previous 2 days
• Previous week
• Previous month
• Previous 3 months
• Previous 6 months
• ALL the time

— Click the calendar icon, specify the starting date and time and the ending date and time, and click Ok.

2. From the Log Level drop-down list, select the checkboxes corresponding to the log levels that you want to view in the filtered transaction log. To save the selected log levels, click OK. To select or clear all log levels, you can click All or Clear, respectively.

— FATAL — Specifies a fatal error. By definition, a fatal error is an error from which Cloud Identity Manager cannot recover. As a result of a fatal error, the Cloud Identity Manager server often shuts down.
— ERROR — Specifies an unexpected event from which Cloud Identity Manager can recover.
— WARNING — Specifies an unusual event and provides information so that the event can be studied.
— INFO — Provides information for developers to use in understanding or debugging the code.
— VERBOSE — Provides more detailed information for developers to use in understanding or debugging the code.
— DEBUG — Provides system information for developers to use in debugging and troubleshooting the code.
— TRACE — Provides detailed system information for developers to use in debugging and troubleshooting the code.


Note: The log levels are listed by severity from the most severe (FATAL) to the least severe (TRACE).

3. To configure the Class setting for the transaction log filter, perform the following steps. Using this setting, you can narrow the filtered results to transactions logged by the classes you specify.

a. Select an option from the drop-down list:

• equal to — (Default) Only transaction steps logged by the specified Java class are displayed.
• not equal to — Only transaction steps not logged by the specified Java class are displayed.
• contains — Only transaction steps logged by a Java class that contains the specified string are displayed.
• does not contain — Only transaction steps logged by a Java class that does not contain the specified string are displayed.

b. Type a string in the filter class field.

4. To configure the Log Message setting for the transaction log filter, perform the following steps.

a. Select an option from the drop-down list:

• equal to — (Default) Only transaction steps having the specified log message are displayed.
• not equal to — Only transaction steps not having the specified log message are displayed.
• contains — Only transaction steps having a log message that contains the specified string are displayed.
• does not contain — Only transaction steps not having a log message that contains the specified string are displayed.

b. Type a string in the filter message field.

5. To configure the Log Type setting for the transaction log filter, select one or both of the following values. To save the selected log types, click OK. To select or clear both log types, you can click All or Clear, respectively.

— Transaction — Only transaction steps without an exception are displayed.

Note: To specify particular transactions, type the transaction IDs in the field separated by semicolons.

— Exception — Only transaction steps with an exception are displayed.

6. To configure the Node setting for the transaction log filter, select one or more nodes from the drop-down list. To save the selected nodes, click OK. To select or clear all nodes, you can click All or Clear, respectively.

7. Click Apply Filter.

The filtered transaction log is displayed.


9.2 Viewing the Filtered Transaction Log

When you apply a filter to a transaction log, entries like the following are displayed in a table format in the Transaction and Error Logging tab. When configuring the transaction log filter in the preceding procedure, you determine which Log Levels, Log Types, Class Names, and Log Messages you want to view in the filtered output.

The filtered log table includes the following headings and information about each log entry. The Transaction ID is only available for the Transaction log type; it is not available for the Exception log type.

Log Time
Specifies the date and time that the entry was logged.

Node
Specifies the Cloud Identity Manager instance that logged the entry.

Log Level
Specifies the log level of the log entry. You configure the levels you want logged when you configure the transaction log. You configure the levels you want to view when you configure the transaction log filter. Log levels include: FATAL, ERROR, WARNING, INFO, VERBOSE, DEBUG, and TRACE. For more information, see sections 9.3 Configure the Transaction Log and 9.1 Configure Filter Settings for the Transaction Log.

Log Type
Specifies the type of log entry:
Transaction
Specifies that the transaction step completed without an exception.
Exception
Specifies that the transaction step did not complete without an exception.

Transaction ID
(Transaction Log Type) Specifies the transaction ID associated with the transaction step in the log.
Note: All steps in one transaction share that transaction’s ID.

Class Name
Specifies the name of the Java class that logged the information about the transaction step.

Log Message
Specifies the message generated by the Java class that logged the information about the transaction step.


9.2.1 Viewing One Transaction Log Entry

To view a transaction log entry more easily, you can click the log message corresponding to the entry in the filtered output. The Log Detail dialog box opens and includes the following information. The Transaction ID and Transaction Message are only available for the Transaction log type; they are not available for the Exception log type.

Log Time
Specifies the date and time that the entry was logged.

Component
Specifies the system component that executes and logs the transaction step.

Class
Specifies the full name of the Java class that logged the information about the transaction step.

Log Message
Specifies the message generated by the Java class that logged the information about the transaction step.

Transaction ID
(Transaction Log Type) Specifies the transaction ID associated with the transaction step in the log.
Note: All steps in one transaction share that transaction’s ID.

Transaction Message
(Transaction Log Type) Specifies detailed information about the transaction step in the log.

9.2.2 Viewing All Log Entries Having the Specified Transaction ID

To easily view all transaction log entries having a specified transaction ID, locate and click the transaction ID in the filtered log table. In the filter configuration area above the table, the Log Type and corresponding field are automatically set to Transaction and the specified transaction ID, respectively:

Configure the remaining filter settings, and click Apply Filter. The filter is applied to the transaction log, and only those log entries associated with the specified transaction ID are output to the filtered transaction log table. For more information about configuring a filter for the transaction log, see section 9.1 Configure Filter Settings for the Transaction Log.


9.3 Configure the Transaction Log

To configure the transaction log, you select a minimum log level. The log levels are listed by severity from the most severe (FATAL) to the least severe (TRACE). Only transaction steps having a log level of the selected severity or higher are logged.

To configure the transaction log

1. In the Transaction and Error Logging tab, click Configure.

The Log Configuration dialog box opens.

2. From the Log Level drop-down list, select a minimum log level.
Default: INFO

— FATAL — Specifies a fatal error. By definition, a fatal error is an error from which Cloud Identity Manager cannot recover. As a result of a fatal error, the Cloud Identity Manager server often shuts down.
— ERROR — Specifies an unexpected event from which Cloud Identity Manager can recover.
— WARNING (Default) — Specifies an unusual event and provides information so that the event can be studied.
— INFO — Provides information for developers to use in understanding or debugging the code.
— VERBOSE — Provides more detailed information for developers to use in understanding or debugging the code.
— DEBUG — Provides system information for developers to use in debugging and troubleshooting the code.
— TRACE — Provides detailed system information for developers to use in debugging and troubleshooting the code.

Note: The log levels are listed by severity from the most severe (FATAL) to the least severe (TRACE).

3. Click Yes.

The selected log level is saved.
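The minimum-level rule from this section, the section 9.1 filter settings and the section 9.2.2 view of one transaction's steps, implemented over constructed entries with the headings of the filtered transaction log table. This is an added example, not product code; the CSV layout, the node names and the com.example class names are assumptions.

```python
import csv
import io

# Severity order from the guide, most severe first.
LOG_LEVELS = ["FATAL", "ERROR", "WARNING", "INFO", "VERBOSE", "DEBUG", "TRACE"]

# Constructed sample entries (not real product output) using the headings of the filtered
# transaction log table. Class names are placeholders, not classes from the product.
SAMPLE_TRANSACTION_CSV = '''Log Time,Node,Log Level,Log Type,Transaction ID,Class Name,Log Message
2011-08-09T16:49:01,node1,INFO,Transaction,tx-1001,com.example.auth.LoginHandler,Login transaction started
2011-08-09T16:49:02,node1,DEBUG,Transaction,tx-1001,com.example.auth.CredentialCheck,Credentials checked against user store
2011-08-09T16:49:03,node1,INFO,Transaction,tx-1001,com.example.sso.SamlResponder,SAML response issued
2011-08-09T16:49:04,node2,ERROR,Exception,,com.example.auth.CredentialCheck,Connection to user store timed out
2011-08-09T16:49:05,node2,TRACE,Transaction,tx-1002,com.example.auth.LoginHandler,Request headers dumped
2011-08-09T16:49:06,node2,WARNING,Transaction,tx-1002,com.example.auth.LoginHandler,Login transaction completed after retry
'''


def load_entries(transaction_csv):
    return list(csv.DictReader(io.StringIO(transaction_csv)))


def is_logged(level, minimum_level):
    """Section 9.3 rule: a step is logged when its level is at least as severe as the minimum."""
    return LOG_LEVELS.index(level) <= LOG_LEVELS.index(minimum_level)


def retained_entries(entries, minimum_level):
    """The subset of entries the Log Configuration minimum level would have kept."""
    return [e for e in entries if is_logged(e["Log Level"], minimum_level)]


def filter_entries(entries, levels=None, log_types=None, transaction_ids=None,
                   nodes=None, class_contains=None):
    """Section 9.1 filter: an argument left as None does not restrict on that setting."""
    out = []
    for e in entries:
        if levels is not None and e["Log Level"] not in levels:
            continue
        if log_types is not None and e["Log Type"] not in log_types:
            continue
        # The Transaction ID field is only populated for the Transaction log type.
        if transaction_ids is not None and e["Transaction ID"] not in transaction_ids:
            continue
        if nodes is not None and e["Node"] not in nodes:
            continue
        if class_contains is not None and class_contains not in e["Class Name"]:
            continue
        out.append(e)
    return out


def transaction_steps(entries, transaction_id):
    """Section 9.2.2: all steps sharing one transaction ID, in the order they were logged."""
    steps = filter_entries(entries, log_types={"Transaction"}, transaction_ids={transaction_id})
    return sorted(steps, key=lambda e: e["Log Time"])


def worst_level_per_transaction(entries):
    """Most severe level seen in each transaction, to spot transactions that degraded."""
    worst = {}
    for e in entries:
        tx = e["Transaction ID"]
        if not tx:
            continue
        if tx not in worst or LOG_LEVELS.index(e["Log Level"]) < LOG_LEVELS.index(worst[tx]):
            worst[tx] = e["Log Level"]
    return worst


if __name__ == "__main__":
    entries = load_entries(SAMPLE_TRANSACTION_CSV)
    for step in transaction_steps(entries, "tx-1001"):
        print(step["Log Time"], step["Log Level"], step["Log Message"])
    print(worst_level_per_transaction(retained_entries(entries, "INFO")))
```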


9.4 Download the Transaction Log

Using the Download option, you can save the transaction log to the following location and file:

<download_directory>/exception.zip

<download_directory>
Specifies your web browser’s download directory.

The .zip file contains the .log file, and the .log file name is the same as the .zip file name with a date and time stamp appended, as shown in the following example:

.zip file name: exception.zip
.log file name: exception-2011-08-09T16_49_04.log

The .log file is a text file that contains the transaction log in the XML or CSV format specified when the download was configured. You can also specify a range of dates or an ending date to reduce the number of log entries that are downloaded to the file.

Note: XML is an acronym for eXtensible Markup Language. CSV is an acronym for Comma Separated Values.

To download the transaction log

1. In the Transaction and Error Logging tab, click Download.

The download dialog box opens.

2. Select a format for the data in the downloaded file.
— XML — Specifies saving the data in XML format.
— CSV — Specifies saving the data in CSV format.

3. Select a time interval:
— Before Date — Select the Before Date option to download all entries logged before a specified date and time, and select values for the Date, Hour, Minute, and AM|PM settings in the To row.
— Between Dates — Select the Between Dates option to download all entries logged in a specified range of dates and times, and select values for the Date, Hour, Minute, and AM|PM settings in both the From and To rows.

4. Click OK.

The downloading process begins.


9.5 Purge the Transaction Log

You can clear the transaction log in the Transaction and Error Logging tab by clicking Purge Log. You can specify a range of dates or an ending date to clear only part of the transaction log. For example, you can clear only the oldest entries by selecting Before Date and specifying an ending date.

To purge the transaction log

1. In the Transaction and Error Logging tab, click Purge Log.

The following dialog box opens.

2. Select a time interval:
— Before Date — Select the Before Date option to clear all entries logged before a specified date and time, and select values for the Date, Hour, Minute, and AM|PM settings in the To row.
— Between Dates — Select the Between Dates option to clear all entries logged in a specified range of dates and times, and select values for the Date, Hour, Minute, and AM|PM settings in both the From and To rows.

3. Click OK.

4. Click Yes to confirm.

The entire transaction log or specified entries are cleared.


10.0 Alerts and Metrics

The Cloud Identity Manager auditing feature uses an events-based auditing model that records all events generated by administrator and administrative user actions in the Management Console. In the Monitoring tab in the Management Console, you can monitor audit events by using the Alerts feature. In the Monitoring tab, you also have access to the Metrics and Login History features of Cloud Identity Manager.

The Alerts feature allows you to specify which audit events you want logged to the alert log, emailed, or both. You can configure filter settings, apply the filter, and view the filtered log. You can download the alert log to a .zip file, and you can purge or clear the alert log. Alerts are user-defined, and to define them, you configure each alert with specified trigger conditions and notification methods. You can import and use custom alert notification methods. For more information about Alerts, see section 10.1 Alerts.

The Metrics feature allows you to select built-in measures that summarize system data. For each selection, you can configure filter settings, apply the filter, and view the results in the Metrics window. You can download system metrics to a .zip file, and you can purge system metrics, clearing them from the database. For more information about Metrics, see section 10.2 Cloud Metrics.

The Login History feature allows you to filter and view information about login and logout events that Cloud Identity Manager collects and stores for both administrators who are using the Management Console and end users in the enterprise. You can configure and apply the filter, download the login history to a .zip file, and purge or clear the login history from the database. For more information about the Login History, see section 10.3 Login History.

Note: For more information about the Audit feature of Cloud Identity Manager, see section 8.0 Audit Logging.


10.1 Alerts

When you select Alerts from the Monitoring tab drop-down list, the Alerts window opens with two tabbed options:

• Configure Alerts — In this tab, you can configure alerts with specified alert conditions and notification methods. You can edit or delete existing alerts. You can import custom alert notification methods and add them to alerts. You can also view the filtered alert log. For more information, see section 10.1.1 Configuring an Alert.

• Filter Alerts — In this tab, you can configure filters, apply them to the alert log, and view the results. For more information, see section 10.1.2 Filtering the Alert Log.

Note: Whether you are in the Configure Alerts tab or Filter Alerts tab, the results of filtering the alert log are visible at the bottom of the Alerts window.

In the Alerts window, you also have the following options:

• You can download the alert log from Cloud Identity Manager to a .zip file. See section 10.1.3 Download the Alert Log.
• You can purge or clear the alert log. See section 10.1.4 Purge the Alert Log.

Note: Using the download and purge options together, you can archive the alert log and then delete it.


10.1.1 Configuring an Alert

In the Configure Alerts tab in the Alerts window, you can create one or more alerts, assigning each one a unique name. To configure an alert, you specify the conditions that trigger the alert and one or more notification methods. The trigger conditions consist of one or more audit events. At least one audit event is required for the alert to have an effect. Alerts are retired when they expire or are removed by an administrator. The following screenshot shows one alert:

Configuring an alert is a three-step process. For more information about each step, see the corresponding sections.

• General Settings — See section 10.1.1.1 Create an Alert.
• Trigger Conditions — See sections 10.1.1.2 Configure Trigger Conditions for the Alert and 10.1.1.3 Add Target Users to the Trigger Conditions.
• Notification Setup — See section 10.1.1.4 Configure Notification Methods for the Alert.

For information about importing and managing custom alert notification methods, see section 10.1.1.5 Import and Manage Custom Alert Notification Methods. For information about viewing an existing alert, see section 10.1.1.6 Viewing an Alert.


10.1.1.1 Create an Alert

On the General Settings step in the New Alert wizard, specify a name and a severity setting for the alert and optionally, a message heading and body. You begin this procedure in the Configure Alerts tab in the Alerts window.

To create an alert

1. Click New Alert.

The General Settings step in the New Alert wizard opens.

2. Specify a name for the alert in the Name field.
Example: maxAZevents

3. Select one of the following options from the Severity drop-down list:
— High
— Medium (Default)
— Low

4. Type a summary for the alert in the message Head field.

5. Type details for the alert in the message Body field.

6. Click Next.

The Trigger Conditions step in the New Alert wizard opens.


10.1.1.2 Configure Trigger Conditions for the Alert

On the Trigger Conditions step in the New Alert wizard, you add one or more audit events to the conditions that trigger the alert. You must add at least one audit event for the alert to have an effect.

Some audit events have event actions. For example, authorization events have two possible actions: permit and deny. Each authorization event is associated with a single action: permit or deny. Configuring the action associated with an event is optional.

For example, if you add the authorization event to the trigger conditions, but do not specify an action, both permit and deny actions trigger an authorization alert. If you specify the permit or deny action, then only that action triggers an authorization alert. To track both actions, you can create two different alerts and use the Alert Name filter setting to view them separately or together.

Note: To view a list of audit event names and actions, see section 10.4 Audit Event Names and Actions Reference.

After you add one or more audit events to the trigger conditions for this alert, you can modify the scope of the trigger conditions by configuring the following settings:

• Max Occurrence — Limits the total number of alerts generated by the trigger conditions to the number specified.
• Effective Date — Limits the alerts generated by the trigger conditions to the specified dates.
• Target Users — Limits the alerts generated by the trigger conditions to the specified users.

To configure trigger conditions for the alert

1. Click Add Event.

The Add Auditing Event dialog box opens.

2. From the Auditing Event Name drop-down list, select an audit event to add to the trigger conditions.

For some audit events, the Auditing Event Action drop-down list opens.


   Note: At least one event is required to configure an alert. Without an event, the alert has no effect.
3. (Optional) Select an action from the Auditing Event Action drop-down list.
4. Click Ok.
   The Add Auditing Event dialog box closes, and the audit event is added to the Trigger Conditions table.
5. To add another event to the trigger conditions, repeat steps 1-4.
6. (Optional) In the Max Occurrence field, specify the maximum number of alerts that can be generated by all trigger conditions that make up this alert.
7. (Optional) Select one of the following options from the Effective Date drop-down list:
   — Always — (Default) The alert is always effective.
   — From — Specify a beginning date for the alert.
   — To — Specify an ending date for the alert.
   — Interval — Specify a beginning and an ending date for the alert.
8. Select one of the two following Target Users options:
   — Specify — Activates the Target Users field and the Toggle Users button and allows you to configure which users trigger alerts. You can add individual users, groups of users, or both to the alert conditions.
      i. To specify individual users, type one or more user names separated by semicolons in the Target Users field.
      ii. To search an identity store for individual users and user groups, click Toggle Users.
          The Toggle Users dialog box opens. For information about this dialog box, see section 10.1.1.3 Add Target Users to the Trigger Conditions.
   — All Users — (Default) All users trigger alerts.
9. Click Next.
   The Notification Setup step in the New Alert wizard opens.

Note: For instructions on how to configure notification methods, see section 10.1.1.4 Configure Notification Methods for the Alert.
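The trigger logic described in this section (an event added with or without an action, Max Occurrence, Effective Date, Target Users) is easier to reason about as code. The following Python is an added example written for this page, not Cloud Identity Manager's own code or SDK: the audit-event fields, rule names and sample events are constructed. It follows the section 10.1.1.2 definition of Max Occurrence as a cap on the number of alerts the trigger conditions generate.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, List, Optional, Set, Tuple


# Constructed audit-event record. The field names are this example's own
# assumptions, not Cloud Identity Manager's internal log schema.
@dataclass(frozen=True)
class AuditEvent:
    time: datetime
    name: str               # audit event name, e.g. "authorization"
    action: Optional[str]   # "permit" or "deny" for authorization events, else None
    user: str


@dataclass
class AlertRule:
    """One alert as configured on the Trigger Conditions step."""
    name: str
    triggers: Set[Tuple[str, Optional[str]]]       # (event name, action); action None = any
    max_occurrence: Optional[int] = None           # cap on alerts generated (10.1.1.2)
    effective_from: Optional[datetime] = None      # Effective Date: From / Interval start
    effective_to: Optional[datetime] = None        # Effective Date: To / Interval end
    target_users: Optional[FrozenSet[str]] = None  # None = All Users
    fired: int = 0                                 # alerts generated so far

    def _trigger_matches(self, ev: AuditEvent) -> bool:
        # An event added without an action matches every action of that event;
        # an event added with an action matches only that action.
        return any(name == ev.name and (action is None or action == ev.action)
                   for name, action in self.triggers)

    def _in_scope(self, ev: AuditEvent) -> bool:
        if self.effective_from is not None and ev.time < self.effective_from:
            return False
        if self.effective_to is not None and ev.time > self.effective_to:
            return False
        if self.target_users is not None and ev.user not in self.target_users:
            return False
        return True

    def evaluate(self, ev: AuditEvent) -> bool:
        """Return True if this event generates an alert; counts it against Max Occurrence."""
        if not self._trigger_matches(ev) or not self._in_scope(ev):
            return False
        if self.max_occurrence is not None and self.fired >= self.max_occurrence:
            return False
        self.fired += 1
        return True


def run_alerts(rules: List[AlertRule], events: List[AuditEvent]) -> List[Tuple[str, str, str]]:
    """Feed events through every rule in arrival order; return one
    (alert name, user, action) row per alert generated."""
    rows = []
    for ev in events:
        for rule in rules:
            if rule.evaluate(ev):
                rows.append((rule.name, ev.user, ev.action or ""))
    return rows


def build_sample_rules() -> List[AlertRule]:
    admins = frozenset({"admin1", "admin2", "admin3"})
    return [
        # Deny action only, listed users only, at most two alerts in total
        AlertRule("az_deny_admins", {("authorization", "deny")},
                  max_occurrence=2, target_users=admins),
        # No action configured: permit and deny both trigger, for all users
        AlertRule("az_any", {("authorization", None)}),
        # Effective Date set to an Interval covering a single day
        AlertRule("sso_window", {("sso", None)},
                  effective_from=datetime(2011, 2, 24, 0, 0),
                  effective_to=datetime(2011, 2, 24, 23, 59)),
    ]


# Constructed audit events, in arrival order.
SAMPLE_EVENTS = [
    AuditEvent(datetime(2011, 2, 24, 10, 28), "authorization", "deny", "admin1"),
    AuditEvent(datetime(2011, 2, 24, 10, 29), "authorization", "permit", "admin1"),
    AuditEvent(datetime(2011, 2, 24, 10, 30), "authorization", "deny", "bob"),     # not a target user
    AuditEvent(datetime(2011, 2, 24, 10, 31), "authorization", "deny", "admin2"),
    AuditEvent(datetime(2011, 2, 24, 10, 32), "authorization", "deny", "admin3"),  # over Max Occurrence
    AuditEvent(datetime(2011, 2, 24, 11, 0), "sso", None, "bob"),
    AuditEvent(datetime(2011, 2, 25, 11, 0), "sso", None, "bob"),                  # outside Effective Date
]

if __name__ == "__main__":
    for row in run_alerts(build_sample_rules(), SAMPLE_EVENTS):
        print(row)
```

Running the sample produces eight alerts: az_any fires for all five authorization events because no action was configured, az_deny_admins fires only for admin1 and admin2 (bob is not a target user, and admin3 arrives after the cap of two is reached), and sso_window fires once for the event inside its date window.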


10.1.1.3 Add Target Users to the Trigger Conditions

The Target Users dialog box includes two user areas:

• Available Users — This area lists the results of searching the selected identity store. Users in this area are available and can be selected as target users.

• Selected Users — This area lists users who have been selected as target users. Using the arrow buttons, you can move one or all users from the Available Users area on the left to the Selected Users area on the right. The Selected Users area also includes any individual users typed in the Target Users field on the Trigger Conditions step (for example, admin1, admin2, and admin3).

To add target users to the trigger conditions
1. From the Identity Store drop-down list, select the identity store where the target user accounts are stored.
2. In the Base DN field, type the Distinguished Name (DN) of the entry in the LDAP tree where the search for users begins.
   Example: ou=users,ou=system
3. Use one or more of the following controls:
   a. Delete — Click the delete icon to remove one user or group from the Selected Users area.
   b. Clear — Click Clear to remove all users and groups from the Selected Users area.
   c. > | >> — Click the single or double right-facing arrow to move one or all available users, respectively, to the Selected Users area.
4. Click Ok.
   The Target Users dialog box closes, and the selected users are added to the trigger conditions.


10.1.1.4 Configure Notification Methods for the Alert

On the Notification Setup step in the New Alert wizard, you can configure a default email alert, a default log alert, one or more user-defined or custom alerts, or any combination of these. Custom alert notification methods are developed using the SDK provided with Cloud Identity Manager and imported in the Management Console.

Note: For more information about developing custom alert notification methods, see the McAfee Cloud Identity Manager Developer’s Guide. For information about importing and managing custom alert notification methods, see section 10.1.1.5 Import and Manage Custom Alert Notification Methods.

To configure notification methods for the alert
1. Select one or both of the following default notification options:
   — Send email — Emails the alert message to the email address of the administrator who is logged in.
   — Write to alert log — Writes the alert message to the alert log.
2. (Optional) To configure a user-defined notification method, click New Notification.
   The New Alert Notification dialog box opens.
3. Type a name for the notification method in the Notifier Name field.


4. Select one of the following options from the Notifier Type drop-down list:
   — Log Notifier — Selecting LogNotifier writes the alert message with the custom name to the alert log.
   — Email Notifier — Selecting EmailNotifier emails the alert message with the custom name to the specified server and recipients.
      i. Type the name of the email server in the SMTP Server field.
      ii. Type the email addresses of one or more alert recipients separated by semicolons in the Email Recipients field.
   — Custom Notifier — Selecting CustomNotifier allows you to select a custom alert notification method from the Plugin Name drop-down list.
      Note: The menu lists the custom methods developed using the SDK and imported into the Management Console.
5. Click Ok.
   The New Alert Notification dialog box closes, and the alert notification method is added to the table on the Notification Setup step in the New Alert wizard.
6. To add another user-defined notification method to the alert, repeat steps 2-5.
7. Click Finish.
   The Notification Setup step closes. The trigger conditions, target users, and notification methods are saved, and the alert is added to the Alerts window.

10.1.1.5 Import and Manage Custom Alert Notification Methods

Custom alert notification methods are developed using the SDK provided with Cloud Identity Manager and packaged in .jar files. The .jar files are imported into the Management Console, where the imported alert notification methods are called custom notifier plug-ins. Because an imported plug-in is code that runs as part of Cloud Identity Manager, import only .jar files built from sources you control, and treat the Import New Plugin action as a privileged operation.

You can import and manage custom alert notification methods by clicking Manage Custom Notifier on the Notification Setup step in the New Alert wizard. To reach this step, see section 10.1.1.4 Configure Notification Methods for the Alert. Management options include viewing, deleting, updating, and activating the imported custom plug-ins. To import a new custom alert notification method, click Import New Plugin.


To import and manage custom alert notification methods
1. On the Notification Setup step in the New Alert wizard, click Manage Custom Notifier.
   The Custom Notifier Plugins dialog box opens and displays the following information and available actions for each alert notification method imported into the Management Console.

   Plugin Name
      Specifies the name assigned when the alert notification method is imported into the Management Console.

   Plugin File
      Specifies the name of the imported .jar file, which contains the custom alert notification method.

   Plugin ID
      Specifies a unique identifier for the imported alert notification method.
      Note: This value is automatically generated by Cloud Identity Manager.

   Actions
      Lists the available actions for each imported alert notification method:
      • Remove — Deletes the corresponding alert notification method.
      • Update — Uploads a new .jar file containing the custom alert notification method.
      • Active — Activates the corresponding alert notification method.

2. To import a custom alert notification method, click Import New Plugin.
   The Upload Custom Plug-in dialog box opens.
3. Type a name for the custom alert notification method in the Plug-in Name field.
4. Browse for the .jar file containing the custom alert notification method.
5. Click Submit.
   The custom alert notification method is imported, saved, and added to the Custom Notifier Plugins table.


10.1.1.6 Viewing an Alert

In the Configure Alerts tab in the Alerts window, configured alerts are listed in a table format with three headings:

• Alert Name — Shows the name assigned to the alert on the General Settings step in the New Alert wizard.

• Triggers — Summarizes the trigger conditions specified on the Trigger Conditions step in the New Alert wizard.

• Notifications — Summarizes the notification methods specified on the Notification Setup step in the New Alert wizard.

There, you can view, edit, or delete individual alerts. To view an existing alert, select its name in the table. Summaries of the trigger conditions and notification methods expand beneath the alert's row.

For example, the expanded entry for an alert named maxAZalerts shows that it is triggered when users in the group Intel.CloudExpressway are denied access to resources more than 500 times. Note that this example treats Max Occurrence as a threshold on denied events, whereas section 10.1.1.2 describes it as a limit on the number of alerts the trigger conditions generate; verify which behaviour your deployment exhibits before relying on the field for either purpose.


10.1.2 Filtering the Alert Log

Selecting the Filter Alerts tab in the Alerts window opens the filter configuration area, where you can configure the alerts you see when you view the alert log.

The filter configuration area consists of five filter settings. Except for the Duration setting, the four remaining settings correspond to fields on the General Settings step in the New Alert wizard. For more information about these fields, see section 10.1.1.1 Create an Alert.

The filter settings are:

• Duration — Select a time interval from the Duration drop-down list, or specify a time interval using the calendar icon.

• Alert Name — Select one or more or all alert names from the Alert Names drop-down list. Alerts are configured and named by administrative users.

• Severity — Select a severity level from the Severity Levels drop-down list, and optionally, select a condition.

• Alert Summary — Type an alert summary or a matching value for one or more summaries in the filter summary field. When you configure an alert, you have the option of specifying the message Head field. The Alert Summary setting corresponds to the text in the message Head field.

• Alert Detail — Type the alert detail or a matching value for one or more alert details in the filter detail field. When you configure an alert, you have the option of specifying the message Body field. The Alert Detail setting corresponds to the text in the message Body field.

One or more filter settings, taken together, create the filter. Except for the Duration setting, filter settings are optional. Many filter settings allow you to select a condition option and a value. When the filter is applied to the alert log, the effect of any given setting depends on the configuration of the specified condition and value:

• equal to — Displays only those alerts that match the specified value.

• not equal to — Displays only those alerts that do not match the specified value.

• contains — Displays only those alerts that contain the specified value.

• does not contain — Displays only those alerts that do not contain the specified value.

The table at the end of step 2 in section 10.1.2.1 shows the four condition options and their effect on the filter when they are combined with an alert name or matching string value.

10.1.2.1 Configure Filter Settings for the Alert Log

You can configure filter settings and apply the filter to the alert log. Select the Filter Alerts tab in the Alerts window.

Note: The equal to and not equal to options are case-sensitive, while the options contains and does not contain are not case-sensitive.

To configure filter settings for the alert log
1. To limit the display to alerts issued in a specified time period, select an option from the Duration drop-down list, or click the calendar icon and specify a time range. To disable this filter, select ALL the time.
   — Select an option from the drop-down list:
      • Previous minute
      • Previous 5 minutes
      • Previous 30 minutes (Default)
      • Previous day
      • Previous 2 days
      • Previous week
      • Previous month
      • Previous 3 months
      • Previous 6 months
      • ALL the time
   — Click the calendar icon, specify the starting date and time and the ending date and time, and click Ok.
2. (Optional) To configure the Alert Name setting for the alert log filter, select one or more or all preconfigured alerts from the drop-down list. Alert names are user-defined.

   Examples of the condition options combined with an alert name value:

   Condition          Value        Effect
   equal to           auth_block   The filter displays only alerts named auth_block.
   not equal to       auth_pass    The filter displays only alerts not named auth_pass.
   contains           auth         The filter displays only alerts whose names contain the string "auth".
   does not contain   auth         The filter displays only alerts whose names do not contain the string "auth".


3. To configure the Severity setting for the alert log filter, perform the following steps.
   a. Select an option from the drop-down list:
      • equal to — (Default) Displays only alerts having a severity level that matches the selected severity level.
        Example: When the selected severity level is Medium, the filter displays only alerts having a medium severity level.
      • not equal to — Displays only alerts having a severity level that does not match the selected severity level.
        Example: When the selected severity level is Medium, the filter displays only alerts having a high or low severity level.
      • equal or less severe — Displays only alerts having a severity level that is the same as or less severe than the selected severity level.
        Example: When the selected severity level is Medium, the filter displays only alerts having a medium or low severity level.
      • equal or more severe — Displays only alerts having a severity level that is the same as or more severe than the selected severity level.
        Example: When the selected severity level is Medium, the filter displays only alerts having a medium or high severity level.
   b. Select an option from the Severity Levels drop-down list:
      • High
      • Medium
      • Low
4. (Optional) To configure the Alert Summary setting for the alert log filter, perform the following steps.
   a. Select an option from the drop-down list:
      • equal to — (Default) Displays only alerts having a message heading that matches the value typed in the filter summary field.
      • not equal to — Displays only alerts having a message heading that does not match the value typed in the filter summary field.
      • contains — Displays only alerts having message headings that contain the value typed in the filter summary field.
      • does not contain — Displays only alerts having message headings that do not contain the value typed in the filter summary field.
   b. Type an alert message heading or matching value in the filter summary field.


5. (Optional) To configure the Alert Detail setting for the alert log filter, perform the following steps.
   a. Select an option from the drop-down list:
      • equal to — (Default) Displays only alerts having message bodies that match the value typed in the filter detail field.
      • not equal to — Displays only alerts having message bodies that do not match the value typed in the filter detail field.
      • contains — Displays only alerts having message bodies that contain the value typed in the filter detail field.
      • does not contain — Displays only alerts having message bodies that do not contain the value typed in the filter detail field.
   b. Type the body of an alert message or a matching value in the filter detail field.
6. Click Apply Filter.
   The filtered alert log is displayed at the bottom of the Alerts window.
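The filter semantics of this section, including the case-sensitivity note and the severity orderings, as an added Python example that is not the product's code. The alert log entries are constructed, using the column headings described in section 10.1.2.2; the filter evaluates exactly the conditions listed in steps 1 to 5, with Duration expressed as a window ending at a fixed "now".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2}


@dataclass(frozen=True)
class AlertEntry:
    """One alert log row, using the headings listed in section 10.1.2.2."""
    time: datetime
    severity: str     # High | Medium | Low
    name: str         # user-defined alert name
    summary: str      # message Head
    detail: str       # message Body


def text_matches(condition: str, value: str, actual: str) -> bool:
    """Text conditions from 10.1.2.1: equal to / not equal to are case-sensitive,
    contains / does not contain are not."""
    if condition == "equal to":
        return actual == value
    if condition == "not equal to":
        return actual != value
    if condition == "contains":
        return value.lower() in actual.lower()
    if condition == "does not contain":
        return value.lower() not in actual.lower()
    raise ValueError(f"unknown condition: {condition}")


def severity_matches(condition: str, level: str, actual: str) -> bool:
    """Severity conditions from step 3, ordered Low < Medium < High."""
    want, have = SEVERITY_RANK[level], SEVERITY_RANK[actual]
    if condition == "equal to":
        return have == want
    if condition == "not equal to":
        return have != want
    if condition == "equal or less severe":
        return have <= want
    if condition == "equal or more severe":
        return have >= want
    raise ValueError(f"unknown severity condition: {condition}")


@dataclass
class AlertFilter:
    """Filter settings. Duration is mandatory; the rest are optional (None = not set)."""
    start: datetime
    end: datetime
    names: Optional[List[str]] = None           # Alert Name: one or more names
    severity: Optional[Tuple[str, str]] = None  # (condition, level)
    summary: Optional[Tuple[str, str]] = None   # (condition, value)
    detail: Optional[Tuple[str, str]] = None    # (condition, value)

    def accepts(self, e: AlertEntry) -> bool:
        if not (self.start <= e.time <= self.end):
            return False
        if self.names is not None and e.name not in self.names:
            return False
        if self.severity is not None and not severity_matches(*self.severity, e.severity):
            return False
        if self.summary is not None and not text_matches(*self.summary, e.summary):
            return False
        if self.detail is not None and not text_matches(*self.detail, e.detail):
            return False
        return True


def previous_minutes(now: datetime, minutes: int, **settings) -> AlertFilter:
    """Duration presets such as 'Previous 30 minutes' as a window ending at now."""
    return AlertFilter(start=now - timedelta(minutes=minutes), end=now, **settings)


def apply_filter(f: AlertFilter, log: List[AlertEntry]) -> List[AlertEntry]:
    return [e for e in log if f.accepts(e)]


# Constructed alert log; NOW stands in for the time the filter is applied.
NOW = datetime(2011, 2, 24, 10, 30, 0)
SAMPLE_LOG = [
    AlertEntry(NOW - timedelta(minutes=5), "High", "auth_block",
               "Authorization denied", "user bob denied for app salesforce"),
    AlertEntry(NOW - timedelta(minutes=20), "Medium", "auth_pass",
               "Authorization permitted", "user admin1 permitted for app salesforce"),
    AlertEntry(NOW - timedelta(minutes=25), "Low", "E360ssoServiceShutDown",
               "Service shut down", "SSO service stopped"),
    AlertEntry(NOW - timedelta(hours=2), "High", "auth_block",
               "Authorization denied", "user eve denied for app box"),
]

if __name__ == "__main__":
    f = previous_minutes(NOW, 30, summary=("contains", "AUTHORIZATION"))
    for e in apply_filter(f, SAMPLE_LOG):
        print(e.time, e.severity, e.name, e.summary)
```

The two summary filters in the test below show the case-sensitivity rule: contains "AUTHORIZATION" matches both authorization alerts in the last 30 minutes, while equal to "authorization denied" matches nothing because the logged heading is capitalised.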


10.1.2.2 Viewing the Filtered Alert Log

When you apply a filter to an alert log, the results are displayed in a table format with the following headings:

Alert Time
   Shows the date and time that the alert was logged.
   Example: Feb 24, 2011 10:28:37 AM

Alert Severity
   Shows the severity level of the alert.
   Values: High | Medium | Low

Alert Name
   Shows the user-defined name of the alert that generated the entry in the alert log.
   Example: E360ssoServiceShutDown

Alert Summary
   Shows the alert summary. This can be the user-defined message heading or a default value defined in the system.

Alert Detail
   Shows the alert detail. This can be the user-defined message body or a default value defined in the system.

To view more details about the individual alerts, click the magnifying glass icon corresponding to the alert you want to view. The Alert Detail dialog box opens and shows the time the alert was logged, the Alert Severity, the Alert Summary, and the Alert Detail.


10.1.3 Download the Alert Log

The Download option allows you to archive the alert log. In the download dialog box, you download the alert log from Cloud Identity Manager to the following location and file:
   Download_Directory/AuditAlertLog.zip

Download_Directory
   Specifies your web browser’s download directory.

The .zip file contains a .log file whose name is like the .zip file name except that it includes a date and time stamp, as in the following example:
   AuditAlertLog-2011-02-25T12_58_50.log

The .log file is a text file that contains the alert log data in the XML or CSV format specified when the download is configured. You can also specify a range of dates or an ending date to reduce the number of log entries that are downloaded to the file.

Note: XML is an acronym for eXtensible Markup Language. CSV is an acronym for Comma Separated Values.

To download the alert log
1. Click Download in the Alerts window.
   The download dialog box opens.
2. Select a format for the data in the downloaded file.
   — XML — Saves the data in XML format.
   — CSV — Saves the data in CSV format.
3. Select a time interval:
   — Before Date — Downloads all alerts logged before a specified date and time. Select values for the Date, Hour, Minute, and AM|PM settings in the To row.
   — Between Dates — Downloads all alerts logged in a specified range of dates and times. Select values for the Date, Hour, Minute, and AM|PM settings in both the From and To rows.
4. Click Ok.
   The downloading process begins.


10.1.4 Purge the Alert Log

You can clear the alert log in the Alerts window by clicking Purge Log. You can specify a range of dates or an ending date to clear only part of the alert log. For example, you can clear only the oldest entries by selecting Before Date and specifying an ending date. To keep an archive, download the alert log (see section 10.1.3 Download the Alert Log) before you purge it.

To purge the alert log
1. Click Purge Log in the Alerts window.
   The purge dialog box opens.
2. Select a time interval:
   — Before Date — Clears all alerts logged before a specified date and time. Select values for the Date, Hour, Minute, and AM|PM settings in the To row.
   — Between Dates — Clears all alerts logged in a specified range of dates and times. Select values for the Date, Hour, Minute, and AM|PM settings in both the From and To rows.
3. Click Ok.
4. Click Yes to confirm.
   The entire alert log or the specified alerts are cleared.

10.2 Cloud Metrics

The Cloud Metrics feature allows you to select built-in measures that summarize system data. The metrics are typically related to end user events: SSO, SLO, authorization results, provisioning, and deprovisioning. For each selection, you can configure filter settings, apply the filter, and view the results in the Cloud Metrics tab.

Depending on the filter settings, the results can include one or more instances of the selected metric and the corresponding counts. For example, if the selected metric is Number of successful authorizations and 50 successful authorizations were recorded in the Cloud Identity Manager system, the metric and the resulting count of 50 are displayed.

If you do not specify the Identity Connector, however, one count of successful authorizations is displayed for each Identity Connector in the system. You can use the filter settings to limit the scope of the results. Only metrics that match the filter are counted.


When you select Metrics from the Monitoring tab drop-down list, the Metrics window opens with two tabbed options:

• General — In the General tab, you can view the total number of SSOs and SLOs for each cloud application. The counts are updated every 15 seconds.

• Cloud Metrics — At the top of the Cloud Metrics tab, you can select a metric and configure a filter. At the bottom of the tab, you can view the results of applying the filter.

In the Metrics window, you also have the following options:

• You can download the cloud metrics from Cloud Identity Manager to a .zip file. See section 10.2.4 Download the Cloud Metrics.

• You can purge or clear the cloud metrics. See section 10.2.5 Purge the Cloud Metrics.

Note: Using the download and purge options together, you can archive and then delete the cloud metrics.


10.2.1 Configuring a Filter for a Cloud Metric

When you select a cloud metric, Cloud Identity Manager counts the instances of the selected metric recorded in the system. Because only instances that match the filter are counted, you can configure and apply the filter to customize the results. For example, instead of counting every successful SSO recorded in the system, you can count only successful SSOs to a particular application.

The Cloud Metrics tab includes four filter settings:

• Identity Connector — Select an option from the Identity Connector drop-down list, or type a match for one or more Identity Connector names in the Identity Connector field.

• User ID — Type one or more user IDs separated by semicolons in the User field, or type a matching value for one or more user IDs.

• Duration — Select a time interval from the Duration drop-down list, or specify a time interval using the calendar icon.

• Application — Select a cloud application from the Application drop-down list, or type a match for one or more cloud application names in the Application field.

One or more filter settings, taken together, create the filter. Except for the Counter selection and the Duration setting, filter settings are optional and allow you to select a condition option and a value. When the filter is applied to the cloud metric, the effect of any given setting depends on the configuration of the specified condition and value:

• equal to — Counts only instances of the metric that match the specified value.

• not equal to — Counts only instances of the metric that do not match the specified value.

• contains — Counts only instances of the metric that contain the specified value.

• does not contain — Counts only instances of the metric that do not contain the specified value.

The following table shows the four condition options and their effect on the filter when they are combined with a cloud application name or matching string value.

Examples:

Condition          Value        Effect
equal to           salesforce   Only instances of the metric associated with the cloud application salesforce are counted.
not equal to       salesforce   Only instances of the metric not associated with the cloud application salesforce are counted.
contains           sales        Only instances of the metric associated with cloud applications whose names contain "sales" are counted.
does not contain   sales        Only instances of the metric associated with cloud applications whose names do not contain "sales" are counted.


10.2.2 Configure Filter Settings for a Cloud Metric

You select a metric and configure the filter at the top of the Cloud Metrics window. At the bottom of the window, you can view the results of applying the filter.

To configure filter settings for a cloud metric
1. From the Counter drop-down list, select the metric that you want counted:
   — Number of successful SSOs (Default)
   — Number of failed SSOs
   — Number of successful SLOs
   — Number of failed single SLOs
   — Number of successful authorizations
   — Number of rejected authorizations
   — Number of alerts
   — Number of provisioned users
   — Number of deprovisioned users
2. (Optional) To configure the Identity Connector setting for the cloud metric, perform the following steps.
   a. Select an option from the drop-down list:
      • equal to — (Default) Counts only instances of the metric associated with the Identity Connector name selected from the drop-down list.
      • not equal to — Counts only instances of the metric not associated with the Identity Connector name selected from the drop-down list.
      • contains — Counts only instances of the metric associated with Identity Connectors whose names contain the value typed in the Identity Connector field.
      • does not contain — Counts only instances of the metric associated with Identity Connectors whose names do not contain the value typed in the Identity Connector field.
   b. Select an Identity Connector name from the Identity Connector drop-down list, or type a matching value in the Identity Connector field.
3. (Optional) To configure the User ID setting for the cloud metric, perform the following steps. For this filter setting, you can specify one or more user IDs.
   a. Select an option from the drop-down list:
      • equal to — (Default) Counts only instances of the metric associated with the user ID(s) typed in the User field.
      • not equal to — Counts only instances of the metric not associated with the user ID(s) typed in the User field.
      • contains — Counts only instances of the metric associated with user IDs that contain the value typed in the User field.
      • does not contain — Counts only instances of the metric associated with user IDs that do not contain the value typed in the User field.
   b. Type one or more user IDs separated by semicolons in the User field, or type a matching value in the field.


4. To limit the counts to instances recorded in a specified time period, select an option from the Duration drop-down list, or click the calendar icon and specify a time range. To disable this filter, select ALL the time.
   — Select an option from the drop-down list:
      • Previous 30 minutes
      • Previous day (Default)
      • Previous 2 days
      • Previous week
      • Previous month
      • Previous 3 months
      • Previous 6 months
      • ALL the time
   — Click the calendar icon, specify the starting date and time and the ending date and time, and click Ok.
5. (Optional) To configure the Application setting for the cloud metric, perform the following steps.
   a. Select an option from the drop-down list:
      • equal to — (Default) Counts only instances of the metric associated with the cloud application name selected from the drop-down list.
      • not equal to — Counts only instances of the metric not associated with the cloud application name selected from the drop-down list.
      • contains — Counts only instances of the metric associated with cloud applications whose names contain the value typed in the Application field.
      • does not contain — Counts only instances of the metric associated with cloud applications whose names do not contain the value typed in the Application field.
   b. Select a cloud application name from the Application drop-down list, or type a value in the Application field.
6. Click Apply Filter.
   The filtered cloud metric is displayed.


10.2.3 Viewing a Cloud Metric

When you apply a filter to a cloud metric, the results are displayed in a table format with the following headings:

Issue Time
   Shows the date and time that the metric was counted. Counts are issued every 15 minutes.
   Example: Jan 27, 2011 12:45:00 PM

Identity Connector
   Shows the name of the Identity Connector associated with the metric.

Application
   Shows the name of the cloud application associated with the metric.

Event User
   Shows the ID of the user associated with the metric.

Count
   Shows the number of times that the metric occurred over the previous 15-minute period.

Every 15 minutes, the number of occurrences of the selected metric over the previous 15-minute period is summed, and the total count and time of the sum are shown on the Cloud Metrics table. Counts are shown even when they equal zero.

Depending on the filter configuration, any number of counts can be displayed at 15-minute intervals for a single cloud metric. If you specify one Identity Connector, one cloud application, and one user when configuring a filter, the filter displays one count that represents all instances of the selected metric over the previous 15-minute period.

If the filter configuration is less selective, however, the filter displays multiple counts, one count for each configuration of the filter settings. For example, if you use the same filter configuration, but add a second user, the filter displays two counts instead of one at 15-minute intervals, as follows:

• The first count represents all instances of the selected metric over the previous 15-minute period that are associated with the Identity Connector, cloud application, and the first user.

• The second count represents all instances of the selected metric over the previous 15-minute period that are associated with the Identity Connector, cloud application, and the second user.
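The 15-minute summing described above, worked through in code. This is an added example and not code from the guide or the product: it buckets constructed sample events into 15-minute periods and emits one count per period for every (Identity Connector, application, user) series the filter selects, including periods whose count is zero, which is what the Cloud Metrics table shows. The function names, the sample events and the "None means all" filter convention are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERVAL = timedelta(minutes=15)

# Constructed sample events (not product output): (time, Identity Connector, application, user).
SAMPLE_EVENTS = [
    ("2011-01-27 12:31:05", "CorpLDAP", "Salesforce", "alice"),
    ("2011-01-27 12:40:59", "CorpLDAP", "Salesforce", "alice"),
    ("2011-01-27 12:44:30", "CorpLDAP", "Salesforce", "bob"),
    ("2011-01-27 12:46:00", "CorpLDAP", "Salesforce", "alice"),
    ("2011-01-27 13:10:00", "CorpLDAP", "GoogleApps", "alice"),
]


def parse_ts(text):
    """Parse the constructed 'YYYY-MM-DD HH:MM:SS' timestamps used in this example."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def issue_time(ts):
    """End of the 15-minute period that contains ts; this is the 'Issue Time' of the count."""
    floored = ts.replace(minute=(ts.minute // 15) * 15, second=0, microsecond=0)
    return floored + INTERVAL


def count_metric(events, start, end, connector=None, application=None, users=None):
    """Return rows (issue_time, connector, application, user, count) for events in [start, end).

    A None filter value means "all", mirroring the console's default settings. One row is
    emitted per 15-minute period for every (connector, application, user) series the filter
    selects, including periods whose count is zero.
    """
    selected = []
    for ts, conn, app, user in events:
        t = parse_ts(ts)
        if not (start <= t < end):
            continue
        if connector is not None and conn != connector:
            continue
        if application is not None and app != application:
            continue
        if users is not None and user not in users:
            continue
        selected.append((t, conn, app, user))

    # Series observed in the data; a fully specified filter also yields series with no events,
    # so that a user who never triggered the metric still shows a zero count.
    series = {(c, a, u) for _, c, a, u in selected}
    if connector is not None and application is not None and users is not None:
        series |= {(connector, application, u) for u in users}

    counts = defaultdict(int)
    for t, c, a, u in selected:
        counts[(issue_time(t), c, a, u)] += 1

    rows = []
    period = issue_time(start)
    while period - INTERVAL < end:          # every period that overlaps [start, end)
        for key in sorted(series):
            rows.append((period, *key, counts.get((period, *key), 0)))
        period += INTERVAL
    return rows


if __name__ == "__main__":
    window = (parse_ts("2011-01-27 12:30:00"), parse_ts("2011-01-27 13:15:00"))
    for row in count_metric(SAMPLE_EVENTS, *window, "CorpLDAP", "Salesforce", {"alice", "bob"}):
        print(*row)
```

With one connector, one application and two users the output has two rows per issue time, exactly as the two bullets above describe; dropping the application filter adds a third series for the GoogleApps events.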


10.2.4 Download the Cloud Metrics

The Download option allows you to archive the cloud metrics. In the Download dialog box, you can download the cloud metrics from Cloud Identity Manager to the following location and file:

Download_Directory/EventStatLog.zip

Download_Directory — Specifies your web browser’s download directory.

The .log file name is like the .zip file name except that it includes a date and time stamp, as in the following example:

EventStatLog-2011-02-25T21_04_59.log

The .log file is a text file that contains the system data in the XML or CSV format specified when the download is configured. You can also specify a range of dates or an ending date to reduce the amount of system data that is downloaded to the file.

Note: XML is an acronym for eXtensible Markup Language. CSV is an acronym for Comma Separated Values.

To download the system data

1. Click Download in the Metrics window.

The download dialog box opens.

2. Select a format for the data in the downloaded file.

— XML — Specifies saving the data in XML format.
— CSV — Specifies saving the data in CSV format.

3. Select a time interval:

— Before Date — Select the Before Date option to download all alerts logged before a specified date and time, and select values for the Date, Hour, Minute, and AM|PM settings in the To row.
— Between Dates — Select the Between Dates option to download all alerts logged in a specified range of dates and times, and select values for the Date, Hour, Minute, and AM|PM settings in both the From and To rows.

4. Click Ok.

The downloading process begins.


10.2.5 Purge the Cloud Metrics

You can clear the system data by clicking Purge Log in the Metrics window. You can specify a range of dates or an ending date to clear only part of the system data. For example, you can clear only the oldest records by selecting Before Date and specifying an ending date.

To purge the system data

1. Click Purge Log in the Metrics window.

The Purge dialog box opens.

2. Select a time interval:

— Before Date — Select the Before Date option to clear all data recorded before a specified date and time, and select values for the Date, Hour, Minute, and AM|PM settings in the To row.
— Between Dates — Select the Between Dates option to clear all data recorded in a specified range of dates and times, and select values for the Date, Hour, Minute, and AM|PM settings in both the From and To rows.

3. Click Ok.

4. Click Yes to confirm.

The entire record of cloud metrics or the specified records are cleared.


10.3 Login History

Cloud Identity Manager collects login and logout data for both administrators who are using the Management Console and end users in the enterprise. You can access this information by selecting the Login History option from the Monitoring tab drop-down list. The Login History window opens and displays the filter configuration area in the upper half of the window, which includes the Apply Filter button. In addition, the filter configuration area includes the Download and Purge Login History options.

The lower half of the Login History window displays the filtered login history. When you first open the Login History window, all login events that occurred in the previous day are displayed by default.


10.3.1 Configure Filter Settings for the Login History

To search and view the login history, you configure a filter using the following six settings and then apply the filter to the history:

• Duration — Limits the login history to events that occur within the specified time interval.

• Client IP — Limits the login history to events triggered by requests coming from the specified source IP address.

• Identity Connector — Limits the login history to events triggered by users who are connected to Cloud Identity Manager through the specified Identity Connector or Connectors.

• User ID — Limits the login history to events triggered by the specified user through the specified Identity Connector.

• Login Type — Limits the login history to events of the specified type or types. The options are SLO, SSO, Console Logout, Portal Login, and Console Login. Console Login and Logout events are triggered by Cloud Identity Manager administrative users.

• Application — Limits the login history to events associated with the specified application or applications.

All filter settings are optional, except for Duration. You can disable the Duration filter by selecting ALL the time from the drop-down list. Each filter setting narrows the filter results. To view all results for any particular setting, leave the setting in its default configuration. For example, the default User ID setting, user, specifies all users.

To configure filter settings for the login history

1. Select an option from the Duration drop-down list, or click the calendar icon and specify a time range. To disable this filter, select ALL.

— Select an option from the drop-down list:

• Previous minute
• Previous 5 minutes
• Previous 30 minutes
• Previous day (Default)
• Previous 2 days
• Previous week
• Previous month
• Previous 3 months
• Previous 6 months
• ALL the time

— Click the calendar icon, specify the starting date and time and the ending date and time, and click OK.


2. (Optional) To configure the Client IP setting for the login history, perform the following steps.

a. Select an option from the drop-down list:

• equal to — (Default) Specifies the IP address typed in the Source IP field.
• not equal to — Specifies all IP addresses except the one typed in the Source IP field.
• contains — Specifies all IP addresses that contain the string typed in the Source IP field.
• does not contain — Specifies all IP addresses that do not contain the string typed in the Source IP field.

b. Type the client IP address or a matching string in the Source IP field.

3. (Optional) Select one or more Identity Connectors from the Identity Connector drop-down list, and click OK.

4. (Optional) To configure the User ID setting for the login history, perform the following steps.

a. Select an option from the drop-down list:

• equal to — (Default) Specifies the user ID typed in the user field.
• not equal to — Specifies all user IDs except the one typed in the user field.
• contains — Specifies all user IDs that contain the string typed in the user field.
• does not contain — Specifies all user IDs that do not contain the string typed in the user field.

b. Type the user ID or a matching string in the user field.

c. Select CloudAccess360 (the default) or an Identity Connector from the drop-down list.

5. (Optional) Select one or more of the following types from the Login Type drop-down list, and click OK:

— SLO — Specifies all Single Log Out events.
— SSO — Specifies all Single Sign On events.
— Console Logout — Specifies all events in which an administrator logs off the Cloud Identity Manager Management Console.
— Portal Login — Specifies all events in which a user logs in to a SaaS or web application from outside the organization’s intranet.
— Console Login — Specifies all events in which an administrator logs in to the Cloud Identity Manager Management Console.

6. (Optional) Select one or more of the configured applications from the Application drop-down list, and click OK.

The login history filter is configured.

7. Click Apply Filter.

The filtered login history is displayed.


10.3.2 Viewing the Filtered Login History

Cloud Identity Manager stores the following information about each event in the login history. To view this information, you can apply a filter to the login history and see the results on the lower half of the Login History window:

User — Specifies the ID of the user that triggered the event. Example: admin

Time — Specifies the date and time that the event occurred. Example: Apr 1, 2011 2:00:00 PM

Client IP — Specifies the IP address of the user’s computer. Example: 10.250.50.25

Client Browser — Specifies the name and version of the user’s web browser. Example: Firefox 3

Client Platform — Specifies the name and version of the user’s operating system platform. Example: Windows 7

Identity Connector — Specifies the name of the Identity Connector used to authenticate the user.

Application — Specifies the name of the application to which the user made the login or logout request.

Login Type — Specifies the type of event: SLO, SSO, Console Logout, Portal Login, or Console Login.

Status — Specifies the status of the event: success or fail.
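The filter operators of section 10.3.1 and the event fields listed above, applied to a downloaded login history. This is an added example, not the product's own code: it assumes a CSV export whose column order follows the fields above (the guide does not show the actual LoginHistory-*.log layout), implements the equal to / not equal to / contains / does not contain operators and the multi-select settings, and adds a defender's check for clusters of failed logins from one client IP, which is the usual reason an administrator filters on Status and Client IP. The sample rows, function names and default thresholds are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. The column order follows the fields the guide lists for the login
# history; the real LoginHistory-*.log layout is not shown in the guide, so this is an assumption.
SAMPLE_CSV = """\
User,Time,Client IP,Client Browser,Client Platform,Identity Connector,Application,Login Type,Status
admin,"Apr 1, 2011 2:00:00 PM",10.250.50.25,Firefox 3,Windows 7,CloudAccess360,Management Console,Console Login,success
alice,"Apr 1, 2011 2:03:10 PM",10.250.50.40,Firefox 3,Windows 7,CorpLDAP,Salesforce,SSO,success
bob,"Apr 1, 2011 2:05:00 PM",198.51.100.7,Firefox 3,Windows 7,CorpLDAP,Salesforce,Portal Login,fail
bob,"Apr 1, 2011 2:05:20 PM",198.51.100.7,Firefox 3,Windows 7,CorpLDAP,Salesforce,Portal Login,fail
bob,"Apr 1, 2011 2:05:45 PM",198.51.100.7,Firefox 3,Windows 7,CorpLDAP,Salesforce,Portal Login,fail
admin,"Apr 1, 2011 2:30:00 PM",10.250.50.25,Firefox 3,Windows 7,CloudAccess360,Management Console,Console Logout,success
"""

TIME_FORMAT = "%b %d, %Y %I:%M:%S %p"   # matches the guide's "Apr 1, 2011 2:00:00 PM" example


def parse_login_history(text):
    """Parse a CSV export into dicts keyed by the guide's column names; Time becomes a datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Time"] = datetime.strptime(row["Time"], TIME_FORMAT)
    return rows


def matches(value, operator, needle):
    """The four string operators offered for the Client IP and User ID filters."""
    if operator == "equal to":
        return value == needle
    if operator == "not equal to":
        return value != needle
    if operator == "contains":
        return needle in value
    if operator == "does not contain":
        return needle not in value
    raise ValueError(f"unknown operator: {operator}")


def apply_filter(rows, since=None, until=None, client_ip=None, user_id=None,
                 connectors=None, login_types=None, applications=None):
    """Keep rows that satisfy every given setting; None leaves a setting at its default (all).

    client_ip and user_id are (operator, string) pairs; the set-valued settings accept several
    values, as the multi-select drop-down lists in the console do.
    """
    kept = []
    for row in rows:
        if since is not None and row["Time"] < since:
            continue
        if until is not None and row["Time"] > until:
            continue
        if client_ip is not None and not matches(row["Client IP"], *client_ip):
            continue
        if user_id is not None and not matches(row["User"], *user_id):
            continue
        if connectors is not None and row["Identity Connector"] not in connectors:
            continue
        if login_types is not None and row["Login Type"] not in login_types:
            continue
        if applications is not None and row["Application"] not in applications:
            continue
        kept.append(row)
    return kept


def failed_login_bursts(rows, threshold=3, window=timedelta(minutes=5)):
    """Defender's check over the export: (user, client IP) pairs with `threshold` or more
    failed events inside any `window`, the trace that repeated password guessing leaves."""
    failures = defaultdict(list)
    for row in rows:
        if row["Status"] == "fail":
            failures[(row["User"], row["Client IP"])].append(row["Time"])
    flagged = []
    for key, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(key)
                break
    return flagged


if __name__ == "__main__":
    history = parse_login_history(SAMPLE_CSV)
    for row in apply_filter(history, login_types={"Console Login", "Console Logout"}):
        print(row["Time"], row["User"], row["Login Type"], row["Status"])
    print("bursts:", failed_login_bursts(history))
```

Running the same check over the full export before each purge (section 10.3.4) keeps the evidence of a failed-login cluster even after the events themselves are cleared.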


10.3.3 Download the Login History

The Download option allows you to archive the login history. In the download dialog box, you can download the login history from Cloud Identity Manager to the following location and file:

Download_Directory/LoginHistory.zip

Download_Directory — Specifies your web browser’s download directory.

The .log file name is like the .zip file name except that it includes a date and time stamp, as in the following example:

LoginHistory-2011-02-25T21_04_59.log

The .log file is a text file that contains the system data in the XML or CSV format specified when the download is configured. You can also specify a range of dates or an ending date to reduce the amount of system data that is downloaded to the file.

Note: XML is an acronym for eXtensible Markup Language. CSV is an acronym for Comma Separated Values.

To download the system data

1. Click Download in the Login History window.

The download dialog box opens.

2. Select a format for the data in the downloaded file.

— XML — Specifies saving the data in XML format.
— CSV — Specifies saving the data in CSV format.

3. Select a time interval:

— Before Date — Select the Before Date option to download all alerts logged before a specified date and time, and select values for the Date, Hour, Minute, and AM|PM settings in the To row.
— Between Dates — Select the Between Dates option to download all alerts logged in a specified range of dates and times, and select values for the Date, Hour, Minute, and AM|PM settings in both the From and To rows.

4. Click OK.

The downloading process begins.


10.3.4 Purge the Login History

You can clear the system data by clicking Purge Login History in the Login History window. You can specify a range of dates or an ending date to clear only part of the system data. For example, you can clear only the oldest records by selecting Before Date and specifying an ending date.

To purge the system data

1. Click Purge Login History in the Login History window.

The Purge dialog box opens.

2. Select a time interval:

— Before Date — Select the Before Date option to clear all data recorded before a specified date and time, and select values for the Date, Hour, Minute, and AM|PM settings in the To row.
— Between Dates — Select the Between Dates option to clear all data recorded in a specified range of dates and times, and select values for the Date, Hour, Minute, and AM|PM settings in both the From and To rows.

3. Click OK.

4. Click Yes to confirm.

The entire login history or the specified events are cleared.


10.4 Audit Event Names and Actions Reference

The following table lists all audit event names and the actions associated with each event. For a list of audit event names and Source Components, see section 8.6 Audit Event Names and Source Components Reference.

Event Name Event Actions

User_Provisioned create, update, delete

User_Deprovisioned none

Authentication pass, block

Authorization permit, deny

CloudAccess360_IDP_SSO none

CloudAccess360_IDP_SLO none

CloudAccess360_SP_SSO none

CloudAccess360_SP_SLO none

IdentityMapped none

Trust_Broker_Change create, update, delete

Identity_Store_Change create, update, delete

XACML_Policy_Change create, update, delete

XACML_PDP_Change create, update, delete

User_Role_Change create, update, delete

Provision_Plugin_Change create, update, delete

Service_Enable none

Service_Disable none

CloudAccess360_API_Access n/a

CloudAccess360_Login_Attempt none

CloudAccess360_Logout_Attempt none

CloudAccess360_User_Management create, update, delete

Proxy_Configuration_Change create, update, delete

ReverseProxy_Configuration_Change create, update, delete

Hibernate_Configuration_Change create, update, delete

OSGI_Configuration_Change none

New_Service_Deployed none

Service_Undeployed none

REST_Configuration_Change none

Service_Update none


11.0 Add-on Services

From the Addons tab drop-down list, you can select the following services:

• Identity Proxy

The Identity Proxy is a Cloud Identity Manager service that allows users to sign on to their Salesforce CRM accounts through the Salesforce Connect for Outlook plug-in. Users can access Salesforce through Outlook, and the two applications can share data. Cloud Identity Manager implements SSO through a SAML token and Token Validation Service. After users are authenticated once by the Identity Proxy Service, they do not need to authenticate again.

Selecting the Identity Proxy option in the Addons tab opens the Identity Proxy window, where you can configure the Identity Proxy Service. For more information, see section 11.1 Identity Proxy Configuration.

• OAuth Plugin

The OAuth authorization protocol provides the authorization required for downloading data from a user account in a cloud application. Users who download data can view and manipulate it in other applications, such as SharePoint. Cloud Identity Manager supports the OAuth authorization protocol with an OAuth Service that can be configured in the Management Console.

Selecting the OAuth Plugin option from the Addons tab drop-down list opens the OAuth Management window. For more information, see section 11.2 OAuth Management.

11.1 Identity Proxy Configuration

Salesforce.com currently offers two ways for users to synchronize their Microsoft Outlook data with their Salesforce CRM:

• Connect for Outlook
• Salesforce for Outlook

Connect for Outlook is a plug-in that you install on your computer. Salesforce for Outlook is a stand-alone tool that runs as a Windows service on your computer. While Salesforce for Outlook is the newer product, it does not support SSO. Connect for Outlook is the older feature, and it supports SSO.

Cloud Identity Manager supports Connect for Outlook and SSO. When SSO is configured, Cloud Identity Manager uses enterprise account credentials to authenticate users to their Salesforce CRM accounts.


11.1.1 Configuring SSO for Salesforce Connect for Outlook

The following diagram shows how Cloud Identity Manager accomplishes SSO with Salesforce Connect for Outlook. To implement end-to-end authentication and the single sign-on process, Cloud Identity Manager runs two services:

• The Identity Proxy Service is an authentication service called by Connect for Outlook.
• The Token Validation Service is a delegated authentication service called by Salesforce.

Figure 18. Salesforce Connect for Outlook SSO

When the Connect for Outlook plug-in is installed on the user’s computer, the user can access Salesforce.com through Outlook and the two applications can share data. To authenticate the user to Salesforce, the plug-in calls the Identity Proxy Service in Cloud Identity Manager. The Service authenticates the user against the enterprise identity directory. For the authenticated user, the Service maps the enterprise identity to the Salesforce identity and returns a SAML token to the Outlook plug-in.

The plug-in then signs the user in to Salesforce.com using the SAML token to establish the user’s identity. Salesforce verifies the SAML token by calling the Token Validation Service in Cloud Identity Manager. On validation, the sign-on process is complete and the user can access Salesforce.com through Outlook and synchronize Salesforce and Outlook data.


11.1.2 Salesforce Configuration Requirements

To set up SSO for Connect for Outlook, complete the following configuration steps:

1. Configure the Identity Proxy and Token Validation Services in Cloud Identity Manager
2. Install the Outlook Plug-in
3. Configure Delegated Authentication in Salesforce

Before you begin, Salesforce has the following configuration requirements:

• The server running Cloud Identity Manager must have a public IP address or host name. Otherwise, Salesforce cannot call the Cloud Identity Manager Token Validation Service. Salesforce also requires the Token Validation Service to run on a port in the range: 7000 - 10000.

• The delegated authentication feature in Salesforce must be enabled for your organization. To enable delegated authentication, contact Salesforce technical support.

• Both the Outlook plug-in and the Salesforce delegated authentication service enable Server authentication when establishing an SSL connection. As a result, the SSL certificate that Cloud Identity Manager presents must meet the following two requirements:

— The SSL certificate’s CN attribute must match the domain name of the Identity Proxy Service.
— The SSL certificate must be signed by a commercial CA trusted by Salesforce.

To have an SSL certificate signed by a Salesforce-trusted CA, follow these steps:

i. Export the certificate from the SSL keystore used by Cloud Identity Manager. The Cloud Identity Manager keystore is located in the following directory:

$InstallUser/conf/keystore

$InstallUser — Specifies the User Application Data Directory configured at the time of installation.

ii. Have the certificate signed by a Salesforce-trusted CA. For a complete list of CAs trusted by Salesforce, visit the following location:

http://wiki.apexdevnet.com/index.php/Outbound_Messaging_SSL_CA_Certificates

iii. Import the signed certificate back into the SSL keystore used by Cloud Identity Manager.

Note: For instructions on how to export and import certificates using the Management Console, see sections 12.6.8 Export an X.509 Certificate and 12.6.9 Import an X.509 Certificate. For more information about configuring SSL, visit:

http://docs.codehaus.org/display/JETTY/How+to+configure+SSL


11.1.3 The Identity Proxy Window

Selecting the Identity Proxy option from the Addons drop-down list opens the Identity Proxy window. This window lists all Identity Proxy configurations. The name specified for each Identity Proxy configuration is shown in the Domain column. The Status column indicates whether the Identity Proxy-Salesforce connection is active (green check) or inactive (red x).

The following actions are available in the Identity Proxy window:

• New Identity Proxy — Opens the Identity Proxy dialog box where you can create a new Identity Proxy configuration. The Identity Proxy configuration includes both the Identity Proxy Service and the Token Validation Service.

• Delete — Deletes the selected Identity Proxy configuration.

• Duplicate — Duplicates the selected Identity Proxy configuration and assigns the duplicate a new name.

• Activate/Deactivate — Updates the status of the selected Identity Proxy-Salesforce connection to active or inactive, respectively.

• Config — Opens the selected Identity Proxy configuration in the Identity Proxy dialog box, where you can view and edit configuration values.

• First | Prev | Next | Last — Allow you to view the list of Identity Proxy configurations when it exceeds a single page in length.


11.1.4 Configuring Identity Proxy and Token Validation Services

To configure Identity Proxy and Token Validation Services in Cloud Identity Manager, click New Identity Proxy in the Identity Proxy window. The Identity Proxy dialog box opens and consists of the following configuration areas:

• Identity Connector (A) — Configures the source of identity information. See section 11.1.4.1 Configure the Identity Connector for the Identity Proxy Service.

• User Attribute Mapping (B) — Configures rules that map user attributes from the Identity Connector (the source) to Salesforce (the target). See section 11.1.4.2 Configure User Attribute Mapping for the Identity Proxy Service.

• Salesforce Connection (C) — Configures the connection between Salesforce and the Token Validation Service in Cloud Identity Manager. See section 11.1.4.3 Configure a Salesforce Connection for the Token Validation Service.


11.1.4.1 Configure the Identity Connector for the Identity Proxy Service

To configure the Identity Connector, you specify the source of identity information.

Note: The Identity Proxy Service only supports the LDAP Identity Connector.

To configure the Identity Connector for the Identity Proxy Service

1. Click Identity Proxy in the Addons tab on the Management Console dashboard.

The Identity Proxy window opens.

2. Click New Identity Proxy.

The Identity Proxy dialog box opens.

3. Select LDAP from the Identity Connector Type drop-down list.

4. Configure the parameters required for an LDAP Identity Connector.

Note: For more information, see section 4.9.5 Configure an LDAP Identity Connector.


11.1.4.2 Configure User Attribute Mapping for the Identity Proxy Service

To configure user attribute mapping, you specify the rules that map user attributes from the Identity Connector (the source) to Salesforce (the target).

To configure user attribute mapping for the Identity Proxy Service

1. Navigate to the Identity Proxy dialog box.

Note: For information about how to navigate to the Identity Proxy dialog box, see section 11.1.4.1 Configure the Identity Connector for the Identity Proxy Service.

2. Click Add to add a row to the User Attribute Mapping table.

3. Double-click the cell in the Target column, and replace target value with the name of the user attribute in Salesforce.

4. (Optional) Double-click the cell in the Target Type column, and specify the target user attribute’s type.

5. Double-click the cell in the Source Type column, and select one of the following options from the drop-down list:

— CONSTANTS — Specifies a constant string value.
— AUTHN_RESULT_FIELD — Specifies the result of an authentication decision.
— EXPRESSION — Specifies the result of an expression.

6. Double-click the cell in the Source column, and replace source value with a value that has the specified Source Type and that corresponds to the user attribute in Salesforce.

7. Repeat steps 2 through 6 to configure each user attribute mapping.


11.1.4.3 Configure a Salesforce Connection for the Token Validation Service

To configure a connection between Salesforce and the Token Validation Service in Cloud Identity Manager, you specify a name and an active or inactive state for the connection. You also specify a lifetime for the SAML token and select a preconfigured signing key pair.

To configure a Salesforce connection for the Token Validation Service

1. Navigate to the Identity Proxy dialog box.

Note: For information about how to navigate to the Identity Proxy dialog box, see section 11.1.4.1 Configure the Identity Connector for the Identity Proxy Service.

2. Type a name for the connection between Cloud Identity Manager and Salesforce in the Domain field. Example: salesforce

3. Select one of the following options from the State drop-down list:

— ACTIVE — Specifies that the connection between Salesforce and Cloud Identity Manager is active.
— INACTIVE — Specifies that the connection between Salesforce and Cloud Identity Manager is not active.

4. Select www.salesforce.com from the Cloud Service drop-down list.

5. Type a value in the Security Token Lifetime (minutes) field. Recommended value: 60 (1 hour)

6. Select a pre-configured key pair from the Please choose key name drop-down list.

7. Click Ok.

The Identity Proxy dialog box closes, and the Identity Proxy and Token Validation Services are configured in Cloud Identity Manager.
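The sign-on exchange of section 11.1.1 (the Identity Proxy Service authenticates the user and issues a token, Salesforce hands the token to the Token Validation Service), the attribute-mapping source types of section 11.1.4.2 and the token lifetime from step 5 above, simulated end to end. This is an added example and not the product's implementation: a keyed HMAC stands in for the SAML token's XML signature, a dictionary stands in for the LDAP Identity Connector, the EXPRESSION source type is rendered as a Python format string because the guide does not define the expression syntax, and every name, key and record below is constructed.

```python
import base64
import hashlib
import hmac
import json

# Assumed values: none of these are the product's own settings or API.
SIGNING_KEY = b"constructed-demo-key"   # stands in for the key pair chosen in step 6
TOKEN_LIFETIME_MINUTES = 60             # the guide's recommended Security Token Lifetime
DOMAIN = "salesforce"                   # the Domain field from step 2

# Constructed directory records; the LDAP Identity Connector would supply these.
DIRECTORY = {
    "alice": {
        "pwd_sha256": hashlib.sha256(b"correct horse").hexdigest(),
        "mail": "alice@example.com", "givenName": "Alice", "sn": "Smith",
    },
}

# Constructed User Attribute Mapping rows: (Target, Source Type, Source).
MAPPING = [
    ("username", "AUTHN_RESULT_FIELD", "mail"),
    ("fullname", "EXPRESSION", "{givenName} {sn}"),   # expression syntax is an assumption
    ("org", "CONSTANTS", "Example Corp"),
]


def authenticate(user, password):
    """Stand-in for the Identity Connector: the directory record, or None on failure."""
    record = DIRECTORY.get(user)
    if record is None:
        return None
    digest = hashlib.sha256(password.encode()).hexdigest()
    return record if hmac.compare_digest(digest, record["pwd_sha256"]) else None


def map_attributes(authn_result, mapping=MAPPING):
    """Apply the three Source Types to build the Salesforce-side attributes."""
    out = {}
    for target, source_type, source in mapping:
        if source_type == "CONSTANTS":
            out[target] = source
        elif source_type == "AUTHN_RESULT_FIELD":
            out[target] = authn_result[source]
        elif source_type == "EXPRESSION":
            out[target] = source.format(**authn_result)
        else:
            raise ValueError(f"unknown Source Type: {source_type}")
    return out


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def identity_proxy_issue(user, password, now):
    """Identity Proxy Service: authenticate, map attributes, return a signed token or None.
    `now` is seconds since the epoch, passed in so the lifetime check is reproducible."""
    record = authenticate(user, password)
    if record is None:
        return None
    payload = {"domain": DOMAIN, "attrs": map_attributes(record),
               "iat": now, "exp": now + TOKEN_LIFETIME_MINUTES * 60}
    body = json.dumps(payload, sort_keys=True).encode()
    signature = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return b64url(body) + "." + b64url(signature)


def token_validation_service(token, now):
    """Token Validation Service: the mapped attributes if the token is genuine and unexpired,
    otherwise None. Signature is checked before anything in the body is trusted."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, signature = b64url_decode(body_b64), b64url_decode(sig_b64)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None
    payload = json.loads(body)
    if payload.get("domain") != DOMAIN or not (payload["iat"] <= now < payload["exp"]):
        return None
    return payload["attrs"]


if __name__ == "__main__":
    token = identity_proxy_issue("alice", "correct horse", now=1000)
    print("validated:", token_validation_service(token, now=1000 + 1800))
    print("after lifetime:", token_validation_service(token, now=1000 + 3600))
```

The lifetime bound is what limits the damage of a captured token, which is why the guide recommends an hour rather than a longer value; the validation side rejects a token the moment the 60 minutes elapse.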


11.1.5 View the Identity Proxy and Token Validation Service URLs

After you save an Identity Proxy configuration, you can view the Identity Proxy and Token Validation Service URLs. You need the Identity Proxy Service URL when you install the Outlook plug-in. When you configure delegated authentication in Salesforce, you need the Token Validation Service URL. For more information, see sections 11.1.6 Install the Outlook Plug-in and 11.1.7 Configure Delegated Authentication in Salesforce.

Note: The URLs are configured for you and cannot be edited.

To view the Identity Proxy and Token Validation Service URLs

1. In the Identity Proxy window in the Management Console, click the Config action corresponding to the Identity Proxy configuration you want to view.

The Identity Proxy dialog box opens and displays configuration values for the selected Identity Proxy, including the Service URLs.

Identity Proxy Service URL:

https://eca360sso-server:8443/identityproxyservice/SforceService/domain_name

Token Validation Service URL:

https://eca360sso-server:8443/identityproxyservice/SforceAuthenticationService/domain_name

eca360sso-server — Specifies the name of the server hosting Cloud Identity Manager.

domain_name — Specifies the name in the Domain field in the Identity Proxy dialog box.

2. Click Ok.

The Identity Proxy dialog box closes.


11.1.6 Install the Outlook Plug-in

Download the latest version of Salesforce Connect for Outlook from your Salesforce administrator account and install it on your computer. Then configure a Windows registry key for the Cloud Identity Manager Identity Proxy Service. For this procedure, you need the Identity Proxy Service URL. For more information, see section 11.1.5 View the Identity Proxy and Token Validation Service URLs.

To configure the Outlook plug-in

1. Log on to your administrator account on Salesforce.com.

2. Click Setup > Desktop Integration > Salesforce for Outlook > Connect for Microsoft Outlook.

3. Download the latest installation package and follow the installation instructions.

4. Run Regedit to open the Windows Registry Editor.

5. Navigate to the following registry key and set its value equal to the URL of the Identity Proxy Service:

HKEY_CURRENT_USER > Software > Salesforce.com > SM > ServerURL

Note: The Identity Proxy Service is the Cloud Identity Manager authentication service.

6. Launch Microsoft Outlook, click Tools > Salesforce.com Options, and configure your user name, password, and preferences.

Note: The Server field is already configured with the value you specified for the ServerURL registry key in the previous step.

7. Click Verify.

Note: This step verifies that Salesforce Connect for Outlook is correctly configured on the user's computer and that when all remaining configuration steps are complete, the user can log in to Salesforce from Outlook.

11.1.7 Configure Delegated Authentication in Salesforce

Configuring delegated authentication in Salesforce involves specifying the Token Validation Service URL and the enterprise IP addresses that Salesforce can trust. For more information about the Token Validation Service URL, see section 11.1.5 View the Identity Proxy and Token Validation Service URLs.

Note: The delegated authentication feature in Salesforce must be enabled for your organization. To enable delegated authentication, contact Salesforce technical support.

To configure delegated authentication in Salesforce

1. Log on to your administrator account on Salesforce.com.

2. Click Setup > Administration Setup > Security Controls > Single Sign-On Settings.

3. Specify the Cloud Identity Manager Token Validation Service URL in the Delegated Gateway URL field.

Note: The Token Validation Service must run on a port in the range: 7000 - 10000. This is a Salesforce requirement.

4. Click Setup > Administration Setup > Security Controls > Network Access.

5. Specify your enterprise IP address ranges as the IP address ranges that Salesforce can trust.

Note: The server hosting Cloud Identity Manager must have a public IP address or host name. Otherwise, Salesforce cannot call the Token Validation Service.


11.2 OAuth Management

OAuth is a popular authorization protocol that secures web APIs without exposing user account credentials. Many users prefer to store data in the cloud rather than locally, downloading the data and manipulating it locally as needed. Many cloud Service Providers use the OAuth interface to enable the downloading and manipulation of data. The OAuth interface allows users to access data in the cloud through an authorized access token rather than by using conventional credentials, such as a user name and password.

An OAuth transaction is based on the authorized access token. Each access token authorizes access selectively. For example, one access token might authorize access to email, but not to a calendar application. The Cloud Identity Manager administrator configures custom access tokens for groups of users in an organization. The Service Provider makes access decisions based on each authorized access token.

An OAuth transaction between Cloud Identity Manager and a cloud Service Provider requires a consumer key and a consumer secret. The consumer key identifies Cloud Identity Manager to the Service Provider. The consumer secret is a shared secret, known only to the two parties, that allows Cloud Identity Manager to present signatures the Service Provider can verify and to exchange and manipulate access tokens securely. Treat the consumer secret like a password: anyone who obtains it can sign requests in the name of your organization.

Cloud Identity Manager implements the OAuth protocol through an OAuth Service and supports two OAuth providers, Google and Salesforce. The OAuth interface allows Cloud Identity Manager to perform a data fetching role without the need for data storage, user credentials, or user provisioning.

For more information about the OAuth standard, visit http://oauth.net.
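The following Python example, added to this guide and not part of Cloud Identity Manager or of the product guide itself, shows what the consumer key and consumer secret are used for. The consumer side builds the OAuth 1.0a signature base string and signs it; the Service Provider side looks up the secret by consumer key, recomputes the signature over the request it received, and compares the two. The HMAC-SHA1 signature method (RFC 5849) is assumed here; the consumer key, consumer secret, nonce, timestamp, and request URL are constructed values.

```python
"""Added example: OAuth 1.0a HMAC-SHA1 request signing (consumer side) and
verification (Service Provider side) per RFC 5849.  All keys, secrets and
URLs below are constructed for illustration."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0a requires: only A-Z a-z 0-9 - . _ ~ stay bare."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """Signature base string: METHOD & encoded base URL & encoded normalized parameters."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"          # default ports are omitted, others are kept
    base_url = f"{scheme}://{host}{parts.path}"
    # Query-string and protocol parameters are signed together, sorted after encoding.
    # oauth_signature itself is never part of the signed material.
    pairs = list(parse_qsl(parts.query, keep_blank_values=True)) + list(params.items())
    encoded = sorted((pct(k), pct(v)) for k, v in pairs if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with encoded consumer secret & token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def build_signed_params(method, url, params, consumer_key, consumer_secret,
                        token="", token_secret="", timestamp=None, nonce=None):
    """Consumer side: add the oauth_* protocol parameters and the signature."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    signed = {**params, **oauth}
    signed["oauth_signature"] = sign(method, url, signed, consumer_secret, token_secret)
    return signed


def verify(method, url, received, secrets_by_consumer_key, token_secret="",
           max_skew=300, now=None):
    """Service Provider side: look the consumer secret up by key, recompute the
    signature over the received request and compare in constant time.  The
    timestamp window bounds how long a captured request stays replayable."""
    secret = secrets_by_consumer_key.get(received.get("oauth_consumer_key"))
    if secret is None or received.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    try:
        ts = int(received.get("oauth_timestamp", ""))
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > max_skew:
        return False
    expected = sign(method, url, received, secret, token_secret)
    return hmac.compare_digest(expected, received.get("oauth_signature", ""))


if __name__ == "__main__":
    # Constructed values: a Google Calendar feed URL and a made-up domain key.
    url = "https://www.google.com/calendar/feeds/default/allcalendars/full"
    consumer_key, consumer_secret = "example.com", "constructed-consumer-secret"
    request = build_signed_params("GET", url, {"max-results": "10"}, consumer_key, consumer_secret)
    print(verify("GET", url, request, {consumer_key: consumer_secret}))   # True
    request["max-results"] = "10000"                                       # tampered in transit
    print(verify("GET", url, request, {consumer_key: consumer_secret}))   # False
```

Two points the code makes that the prose does not: the signature covers the query-string parameters as well as the oauth_* parameters, so tampering with either invalidates it, and the provider should also enforce a timestamp window (and, in a real deployment, nonce uniqueness) because a valid signature alone does not stop replay.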


11.2.1 OAuth Overview

Users own data in the cloud and can download the data they own in XML format from a cloud service through the Service Provider. When configuring OAuth for a cloud service, the administrator has the option of specifying the URL of an XML stylesheet. Cloud Identity Manager uses the stylesheet to reformat the data before sending it to the user’s browser.

The Cloud Identity Manager OAuth Service supports data access for the following cloud Service Providers and services:

• Google Services

— Google Mail — Google Mail or Gmail is a web-based email service. For more information, visit mail.google.com/mail/.

— Google Calendar — Google Calendar is a web-based calendar application. For more information, visit calendar.google.com.

— Google Docs — Google Docs is a web-based application that allows users to share documents and collaborate online. For more information, visit docs.google.com.

— Google Contacts — Google Contacts is a web-based feature that allows users to manage Gmail contacts online. This feature is implemented by Cloud Identity Manager through an API.

• Salesforce Services

— Sales Cloud 2 — Sales Cloud 2 is a comprehensive web-based application for sales organizations.

— Service Cloud 2 — Service Cloud 2 is a comprehensive web-based application for customer service organizations.

— Chatter — Chatter is a web-based social network application that enables collaboration among co-workers.

— Jigsaw — Jigsaw is a web-based database application that provides access to millions of business contacts.

Note: For more information about Salesforce.com, visit: http://www.salesforce.com/.

Note: The relationship between a cloud service and an OAuth configuration is one-to-one. Therefore, administrators must create one OAuth configuration for each Google or Salesforce service to be accessed using the OAuth authorization protocol.


11.2.2 OAuth Example

Using the Management Console, administrators can configure the Cloud Identity Manager OAuth Service to manage all aspects of the OAuth interface between a cloud service and an organization. For example, an administrator can configure the OAuth Service to manage all aspects of the OAuth interface between a company’s Google Apps domain and its employees. In this example, the administrator configures the company’s Google profile to give each employee access to Google Calendar. The OAuth Service is completely hidden from the end user.

Figure 19. OAuth for a Cloud Service

1. The Cloud Identity Manager administrator configures an OAuth policy for Google Calendar and the employees in the company.

2. An employee attempts to access Google Calendar.

3. Google redirects the employee to the OAuth Service in Cloud Identity Manager.

4. If the employee does not have a login session with Cloud Identity Manager, the OAuth Service presents a login page. If the employee has a login session with Cloud Identity Manager, the OAuth Service redirects the user to Google with the required authorized access token.

5. Google grants the employee access to Google Calendar based on the authorized access token.

6. The employee accesses Google Calendar and is authorized to download data for use on a local computer.


11.2.3 The OAuth Management Window

Selecting the OAuth Plugin option from the Addons drop-down list opens the OAuth Management window. This window lists all OAuth configurations. The name specified for each OAuth configuration is shown in the Id column. The Service URL is the URL of the OAuth Service in Cloud Identity Manager with the configuration name appended to it.

The following actions are available in the OAuth Management window:

• New OAuth Driver — Opens the OAuth Creation Data Flow Builder dialog box where you can configure the Cloud Identity Manager OAuth service for a Google or Salesforce application.

• Edit — Opens the selected OAuth configuration in the OAuth Creation Data Flow Builder dialog box where you can view and edit configuration values.

• Delete — Deletes the selected OAuth configuration.

• First | Prev | Next | Last — Allow you to view the list of OAuth configurations when it exceeds a single page in length.

Setting up the OAuth protocol requires configuration in the Management Console and in the cloud Service Provider. For Google Apps, the configuration procedures are:

• 11.2.4 Create an OAuth Configuration for Google Apps

• 11.2.5 Configure OAuth Services in Google Apps

For Salesforce applications, the configuration procedures are:

• 11.2.6 Create an OAuth Configuration for Salesforce Applications

• 11.2.7 Configure OAuth Services in Salesforce


11.2.4 Create an OAuth Configuration for Google Apps

You can create an OAuth configuration for Google Apps on the OAuth Creation Data Flow Builder dialog box. To create an OAuth configuration, specify the domain and the data. The domain is specified by the Consumer Key and Consumer Secret provided by the Service Provider. The data is specified by the Service you select.

You also have the option of specifying the URL of an XML stylesheet. Cloud Identity Manager uses the stylesheet to reformat the data before sending it to the user’s browser. To access this option, click the Advanced button.

To create an OAuth configuration for Google Apps

1. Click OAuth Plugin in the Addons tab on the Management Console dashboard.

The OAuth Management window opens.

2. Click New OAuth Driver.

The OAuth Creation: Data Flow Builder dialog box opens.

3. Select Google from the Template drop-down list.

Google applications are displayed in the table in the dialog box.

4. Type a value in the Consumer Key field.

5. Type a value in the Consumer Secret field.

Note: The values in the Consumer Key and Consumer Secret fields are generated by Google Apps. For more information, see section 11.2.5 Configure OAuth Services in Google Apps.


6. (Optional) Click Advanced, type the URL of an XML stylesheet in the Stylesheet URL field, and click Ok. Cloud Identity Manager uses the stylesheet to reformat the data before sending it to the browser.

7. In the table of Google services, click one of the following applications to select a service:

— Google Mail
— Google Calendar
— Google Docs
— Google Contacts

8. Type a name for the selected service in the Service Name field.

The name is appended to the Cloud Identity Manager OAuth Service URL.

Example: https://eca360sso-server:8443/OAuth/service_name

eca360sso-server
Specifies the name of the server hosting Cloud Identity Manager.

service_name
The name you specify in the Service Name field.

Note: The URL is generated for you and cannot be edited.

9. Click Ok.

The OAuth configuration is added to the list in the OAuth Management window.

11.2.5 Configure OAuth Services in Google Apps

To configure OAuth services in Google Apps for Cloud Identity Manager, enable the OAuth consumer key.

To configure OAuth services in Google Apps

1. Log on to Google Apps as the domain administrator.

2. Click Advanced tools > Manage OAuth Domain Key.

The Manage OAuth key and secret for this domain page opens and displays Google-generated values for the OAuth consumer key and consumer secret.

3. Copy the Google-generated OAuth consumer key and secret values. Paste them in the corresponding fields on the OAuth Data Flow Builder dialog box when configuring OAuth for Google in the Management Console. To view the Data Flow Builder dialog box, see section 11.2.4 Create an OAuth Configuration for Google Apps.

4. Select the Enable this consumer key checkbox.

5. Click Save changes.


11.2.6 Create an OAuth Configuration for Salesforce Applications

You can create an OAuth configuration for Salesforce applications on the OAuth Creation Data Flow Builder dialog box. To create an OAuth configuration, specify the domain and the data. The domain is specified by the Consumer Key and Consumer Secret provided by the Service Provider. The data is specified by the Service you select.

You also have the option of specifying the URL of an XML stylesheet. Cloud Identity Manager uses the stylesheet to reformat the data before sending it to the user’s browser. To access this option, click the Advanced button.

To create an OAuth configuration for Salesforce applications

1. Click OAuth Plugin in the Addons tab on the Management Console dashboard.

The OAuth Management window opens.

2. Click New OAuth Driver.

The OAuth Creation: Data Flow Builder dialog box opens.

3. Select Salesforce from the Template drop-down list.

Salesforce applications are displayed in the table in the dialog box.

4. Type a value in the Consumer Key field.

5. Type a value in the Consumer Secret field.

Note: The values in the Consumer Key and Consumer Secret fields are generated by Salesforce. For more information, see section 11.2.7 Configure OAuth Services in Salesforce.


6. (Optional) Click Advanced, type the URL of an XML stylesheet in the Stylesheet URL field, and click Ok. Cloud Identity Manager uses the stylesheet to reformat the data before sending it to the browser.

7. In the table of Salesforce services, click one of the following applications to select a service:

— Leads
— Accounts
— Contacts

8. Type a name for the selected service in the Service Name field.

The name is appended to the Cloud Identity Manager OAuth Service URL.

Example: https://eca360sso-server:8443/OAuth/service_name

eca360sso-server
Specifies the name of the server hosting Cloud Identity Manager.

service_name
The name you specify in the Service Name field.

Note: The URL is generated for you and cannot be edited.

9. Click Ok.

The OAuth configuration is added to the list in the OAuth Management window.

11.2.7 Configure OAuth Services in Salesforce

To configure OAuth services in Salesforce for Cloud Identity Manager, create a new remote access application.

To configure OAuth services in Salesforce

1. Log on to Salesforce as the administrator.

2. Click the down arrow beside the user name on the upper right, and click Setup in the drop-down list.

The Setup menu opens on the left.

3. Under App Setup in the menu on the left, click Develop.

Develop options open in the menu.

4. Click Remote Access.

5. Create a new remote access application, and provide values for the fields.

Note: Select OAuth 1.0a for the workflow type. Specify oob for the callback URL. In OAuth 1.0a, oob stands for out-of-band: it tells the provider that there is no callback URL to redirect the user to and that the verification code is delivered to the consumer through another channel.

6. Save the remote access application.

The remote access details are displayed along with Salesforce-generated values for the OAuth consumer key and OAuth consumer secret.

7. Copy the Salesforce-generated OAuth consumer key and secret values. Paste them in the corresponding fields on the OAuth Data Flow Builder dialog box when configuring OAuth for Salesforce in the Management Console. To view the OAuth Data Flow Builder dialog box, see section 11.2.6 Create an OAuth Configuration for Salesforce Applications.


12.0 Advanced Configuration

Many administrative tasks need to be performed only once or occasionally, or they are advanced configuration tasks that can be performed on an as-needed basis. From the Admin tab drop-down list, you can select the following administrative tasks:

• Configure data storage in a file or new database — Use this procedure to configure storage for Cloud Identity Manager runtime data. You can store runtime data in a system file or a MySQL database. When you install a MySQL database, the database connection is configured automatically. Therefore, you only need to configure the database connection in the Management Console when changing to a new database. For more information, see section 12.1 Configure Data Storage in a File or New Database.

• Configure network proxy addresses — In this section, you can configure the following types of network proxies:

— Enterprise service proxy — The enterprise service proxy configuration allows Cloud Identity Manager to pass user data from inside the enterprise to a SaaS or web application.

— Route Proxy — The route proxy configuration routes outgoing Cloud Identity Manager connections to proxy servers that handle cross-domain traffic. To enable communication across Internet domains, you can configure two network proxy addresses, one for each of the following communication protocols: HTTP and HTTPS (SSL).

Note: For more information about network proxy configuration, see section 12.2 Configure Network Proxy Addresses.

• Configure a timeout value for user sessions — Use this procedure to configure a timeout value for the SSO sessions that Cloud Identity Manager establishes with users. The timeout value is a global setting that affects all user sessions. When a session expires, the user is prompted to reauthenticate the next time they access a Cloud Identity Manager service. For more information, see section 12.3 Configure a Timeout Value for User Sessions.

• Enable your custom portal configuration — To enable the use of your custom login, error, and portal pages, select the Customize Pages setting. For more information, see section 12.4 Enable Your Custom Portal Configuration.

• Managing Admin Accounts — Use these procedures to manage the administrator’s account and to create and manage administrative user accounts. For more information, see section 12.5 Managing Admin Accounts.

• Certificate Management — Signed SAML assertions require an X.509 certificate and corresponding key pair. Use the procedures in this section to generate a new key pair, import a trusted certificate, and enable certificate validation. In addition, you can view, delete, export, update, and validate the configured X.509 certificates in the Cloud Identity Manager system. For more information, see section 12.6 Certificate Management.

• Connector Management — The Connector Management option opens the Connector Plugins window, where you can view and manage all Cloud Connectors in the Cloud Identity Manager system that are plug-ins. In this window, you can also install custom connector plug-ins. For more information, see section 12.7 Managing Cloud Connector Plug-ins.

• Exporting System Configuration Settings — Use this procedure to export system configuration settings to a .zip file, where the settings are saved and can later be imported back into Cloud Identity Manager. For more information, see section 12.8 Export System Configuration Settings.

• Importing System Configuration Settings — Use this procedure to import Cloud Identity Manager system configuration settings from a .zip file that was created by the export configuration option. For more information, see section 12.9 Import System Configuration Settings.

• Restart Server — Use this option to restart the Cloud Identity Manager server. For more information, see section 12.10 Restart the Cloud Identity Manager Service.


• Import a License File — Use this procedure to import a license file into Cloud Identity Manager. For more information, see section 12.11 Import a License File.

• Domain Settings — Use this procedure to specify the fully qualified domain name (FQDN) of the machine on which Cloud Identity Manager is installed. Cloud Identity Manager uses this value to generate all Cloud Identity Manager service URLs. By specifying the FQDN, you ensure that users on other machines can access Cloud Identity Manager services. For more information, see section 12.12 Configure the Fully Qualified Domain Name.

• Miscellaneous Settings — Use this procedure to configure settings for email and mobile delivery of one-time passwords. For more information, see section 12.13 Configuring Remote OTP Settings.

• Language Settings — Use this option to specify the language displayed in the Management Console. For more information, see section 12.14 Language Settings.

12.1 Configure Data Storage in a File or New Database

Cloud Identity Manager stores runtime data, such as audit logs, in a system file or a MySQL database. You can access the File or Database option from the Admin tab drop-down list. To configure data storage in a system file, select the File option, click Save Settings, and restart Cloud Identity Manager for the configuration to take effect. No further configuration is needed.

To configure data storage in a MySQL database, install and start MySQL before logging in to Cloud Identity Manager. The MySQL database can be installed on the same machine as Cloud Identity Manager or on another machine in the network. Installing the MySQL database automatically configures the database connection in Cloud Identity Manager. No further configuration is needed.

Note: For more information about installing a MySQL database server, see the McAfee Cloud Identity Manager Installation Guide.

The only time you need to configure a database connection in the Management Console is when changing to a new MySQL database server. To configure the database connection for a new database server, select the Database option, configure the connection fields, click Save Settings, and restart Cloud Identity Manager for the configuration to take effect.


To configure data storage in a file or new database

1. From the Admin tab drop-down list, select Database Management.

The Storage window opens.

2. Select one of the following Storage Type options:

— Database — Select the Database option to configure a connection to a new MySQL database server.

— File — Select the File option to store all Cloud Identity Manager runtime data in a system file.

3. (Database option) Specify database connection values for the following fields, and optionally, click Test Connection to test the database connection.

Connection String
Specifies the address of the MySQL database server.
Format: jdbc:mysql://<IP_address or hostname>/<database_name>
Note: If the MySQL server listens on the default port, 3306, you can omit the port number from the connection string. Otherwise, you must include it: jdbc:mysql://<IP_address or hostname>:<port>/<database_name>

Username
(Optional) Specifies the user name for the root user account created when the MySQL database is installed.
Format: <root_user_name>

Password
(Optional) Specifies the password for the root user account created when the MySQL database is installed.
Format: <database_password>

4. Click Save Settings.The data storage configuration is saved.

5. Restart Cloud Identity Manager.The new data storage configuration takes effect.


12.2 Configure Network Proxy Addresses

When you select Proxy Management from the Admin tab drop-down list, the Network window opens to the following tabs:

• Enterprise Service Proxy — Select the Enterprise Service Proxy tab to enable and configure the enterprise service proxy used by Cloud Identity Manager to pass user data from inside the enterprise to a SaaS or web application. For more information, see section 12.2.1 Configure the Enterprise Service Proxy.

• Route Proxy — Select the Route Proxy tab to configure two network proxy addresses - one for the HTTP and one for the HTTPS (SSL) communication protocol - that allow Cloud Identity Manager to communicate across Internet domains. The network proxy addresses route outgoing Cloud Identity Manager connections to proxy servers that handle cross-domain traffic. For more information, see section 12.2.2 Configure the Route Proxy.

12.2.1 Configure the Enterprise Service Proxy

In this procedure, you enable and configure the enterprise service proxy used by Cloud Identity Manager to pass user data from inside the enterprise to a SaaS or web application.

To configure the enterprise service proxy

1. In the Management Console, select Proxy Management from the Admin tab drop-down list.

The Network window opens with the Enterprise Service Proxy tab selected.

2. Select the Enable checkbox.

The enterprise service proxy configuration opens.

3. Type the name of the proxy in the Proxy Name field.

Note: When calling the enterprise service, the SaaS or web application uses the proxy name as the user name.

4. Type the number of the TCP listening port used by the service proxy in the Proxy listening port field.

5. In the Encryption Key field, type the encryption key used by the SaaS or web application to encrypt the custom token before sending it to Cloud Identity Manager.

Note: When calling the enterprise service, the SaaS or web application uses the encrypted token as the password.

Limit: Only AES_128_CBC encryption is supported.


6. In the Clock Skew field, type the tolerance, in seconds, to apply when checking a token's expiration time. This value offsets small differences between the clocks in different security domains. Keep it as small as your clock synchronization allows: a large skew extends the window in which a captured token remains usable.

Units: seconds

7. Click Save Settings.The enterprise service proxy configuration is saved.

12.2.2 Configure the Route Proxy

In this procedure, you configure two network proxy addresses - one for HTTP and one for HTTPS (SSL) - that allow Cloud Identity Manager to communicate across Internet domains. The network proxy addresses route outgoing Cloud Identity Manager connections to proxy servers that handle cross-domain traffic.

To configure the route proxy

1. From the Admin tab drop-down list, select Proxy Management.

The Network window opens with the Enterprise Service Proxy tab selected.

2. Select the Route Proxy tab.

The route proxy configuration opens.

3. Type values in the following fields for the HTTP and SSL proxy servers:

Server
Specifies the host name of the HTTP or SSL proxy server.

Port
Specifies the port number of the HTTP or SSL proxy server.

User Name
(Optional) Specifies a user name for access to the proxy server.

Password
(Optional) Specifies a password for access to the proxy server.

4. To allow Cloud Identity Manager to connect to a server directly without going through the network proxy, type the server's host name in the No proxy for field.

5. Click Save Settings.

The route proxy configuration is saved.


12.3 Configure a Timeout Value for User Sessions

From the Admin tab in the Management Console, you can configure a timeout value for the SSO sessions that Cloud Identity Manager establishes with users. The timeout value is a global setting that affects all user sessions. When a session expires, the user is prompted to reauthenticate the next time they access a Cloud Identity Manager service.

To configure a timeout value for user sessions

1. From the Admin tab drop-down list, select Session Management.

The Session dialog box opens.

2. Select one of the following options from the Timeout value drop-down list:

— 5 minutes
— 15 minutes
— 30 minutes
— 1 hour
— 2 hours
— 4 hours (Default)
— 8 hours

3. Click Save Setting.

The timeout value for user sessions is saved.

12.4 Enable Your Custom Portal Configuration

You can enable and disable the use of your custom login, error, and portal pages on the Portal Configuration dialog box.

To enable your custom portal configuration

1. From the Admin tab drop-down list, select Portal Configuration.

The Portal Configuration dialog box opens.

2. Select the Customize Pages checkbox, and click Save Setting.

Use of your custom login, error, and portal pages is enabled.


12.5 Managing Admin Accounts

When Cloud Identity Manager is installed, an administrator account is created with the user name admin and password passwd. The administrator uses these initial credentials to log on to the Management Console for the first time. While the administrator account is integral to the system and cannot be deleted, you can personalize the initial account settings to include first and last names, an email address, and an updated password.

Note: To keep Cloud Identity Manager secure, we recommend changing the administrator password at initial login and updating it at regular intervals.

You can access the Administrative Users window, where you can manage all admin accounts, by selecting Admin Accounts from the Admin tab drop-down list in the Management Console. In the Administrative Users window, you can view all administrative users. You can create a new administrative user account, delete an existing one, or modify the account settings for an existing administrative user.

Administrative user accounts are configured with privileges to log on to the Management Console, where administrative users configure Cloud Identity Manager system parameters and services. Any administrative user can create or modify another administrative user account. To monitor the actions of administrators in the Management Console, you can configure the auditing policy and create one or more alerts. For more information about the audit log and alerts, see sections 8.0 Audit Logging and 10.0 Alerts and Metrics.


12.5.1 Create Administrative User Accounts

To administer Cloud Identity Manager, you can add administrative user accounts to the primary administrator account that is preconfigured with the system.

To create administrative user accounts

1. From the Admin tab drop-down list, select Admin Accounts.

The Administrative Users window opens.

2. Click New Admin User.

The Adding New Administrator dialog box opens.

3. Type values in the following fields:

Username
Specifies the administrative user's name in the Cloud Identity Manager system.

Password
Specifies the administrative user's password.

FirstName
(Optional) Specifies the administrative user's first name.

LastName
(Optional) Specifies the administrative user's last name.

Email
(Optional) Specifies the administrative user's email address.

Note: The Creation Date and Modification Date fields are system-generated and cannot be modified.

4. Click Ok.

The administrative user account is created and added to the table in the Administrative Users window.


12.5.2 Manage Administrative User Accounts

You can delete and modify administrative user accounts in the Administrative Users window.

To manage administrative user accounts

1. From the Admin tab drop-down list, select Admin Accounts.

The Administrative Users window opens.

2. Select one of the following actions in the Actions column in the table:

— Remove — Click the Remove action to delete the selected administrative user account, and click Ok to confirm. The administrative user account is deleted and removed from the table in the Administrative Users window.

— Config — Click the Config action to edit the account settings for the selected administrative user account, update the settings, and click Ok to save the modified configuration. The modified administrative user account settings are saved.

3. To remove or edit additional administrative user accounts, repeat step 2.


12.6 Certificate Management

Many cloud applications, including Google Apps and Salesforce, require signed SAML assertions. Cloud Identity Manager signs each SAML assertion with the private key of a configured X.509 key pair and includes the corresponding X.509 certificate data in the assertion. Before accepting the assertion, the cloud application verifies the signature with the public key carried in that certificate.

An X.509 certificate contains a public key and is signed by a Certificate Authority (CA). A key pair consists of an X.509 certificate containing the public key and a separate private key, which must be kept secret. To issue a certificate, the CA signs the certificate contents, including the subject's public key, with the CA's own private key. The CA's public key, carried in the CA's certificate, is what verifiers use to check that signature.

Verifying a signature requires only the signed data, the signature, and the X.509 certificate containing the signer's public key. If that certificate is not itself trusted, verification also involves traversing a chain of X.509 certificates, checking each signature in turn, until a trusted X.509 certificate is reached.

12.6.1 Certificate Validation

Certificate validation involves traversing a certificate chain from the certificate you are validating to a trusted CA certificate. The trusted CA can be an intermediate CA or a root CA; what matters is that it is trusted. The certificate chain is also known as a certification path.

Traversing a certification path is sometimes called name chaining, because it involves matching the Issuer Name in one certificate with the Subject Name in the parent certificate that signed it, and then verifying the certificate's signature with the parent's public key. This process continues until the parent certificate is a trusted CA certificate. Both the Issuer Name and Subject Name values are Distinguished Names (DNs).

Some certificates are self-signed. For example, the certificate named intel cloud expressway that comes installed with Cloud Identity Manager is self-signed. A root CA's own certificate is also self-signed. When a certificate is self-signed, the Issuer Name and Subject Name are the same, and the chain cannot be followed any further: a self-signed certificate is trusted only if you explicitly import it as a trusted certificate.

Cloud Identity Manager also includes Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP) checking in the validation process:

• CRL Checking — A CA publishes a CRL or list of certificates that it issued, but that have been revoked and are no longer valid. CRL entries identify the subscriber for whom the certificate was issued, the certificate status, one or more reasons for revocation, the date of issue, the issuing entity, the date of revocation, and the next issue date. When a user attempts to access a server, the server checks the CRL and allows or denies access based on that user’s CRL entry.

• OCSP Checking — CRL checking requires frequent downloading of the most recent CRL. OCSP checking is an alternative to CRL. When a user attempts to access a server, the server sends an OCSP request for the user’s certificate status to the CA. The CA responds with a certificate status of current, expired, or unknown. OCSP also allows users with expired certificates a grace period, during which they can access servers for a limited time before having to renew.
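As an added example, not code from the product or this guide, the following Python models the name-chaining walk and the three Status values described above. Certificates are constructed records rather than parsed X.509 data, DNs are formed from the CN/OU/O/L/ST/C fields the way section 12.6.5 describes, and a set of (issuer DN, serial) pairs stands in for a CRL download or OCSP query; all names and dates are made up.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Constructed, simplified certificate record (not a real X.509 parser):
    only the fields the name-chaining and status rules depend on."""
    subject: str                         # Subject Name (DN)
    issuer: str                          # Issuer Name (DN) of the signing parent
    not_before: date
    not_after: date
    serial: int                          # assigned by the issuing entity
    has_distribution_point: bool = True  # CRL or OCSP distribution point URL present

    def is_self_signed(self) -> bool:
        # Self-signed: Issuer Name and Subject Name are the same
        return self.subject == self.issuer

    def in_validity_period(self, today: date) -> bool:
        return self.not_before <= today <= self.not_after


def build_dn(cn: str, ou: str = "", o: str = "", l: str = "",
             st: str = "", c: str = "") -> str:
    """Form a DN from the CN/OU/O/L/ST/C fields, skipping any left empty."""
    parts = [("CN", cn), ("OU", ou), ("O", o), ("L", l), ("ST", st), ("C", c)]
    return ",".join(f"{key}={value}" for key, value in parts if value)


def build_path(cert: Cert, candidates: List[Cert], trusted: List[Cert],
               max_depth: int = 8) -> Optional[List[Cert]]:
    """Name chaining: match each certificate's Issuer Name to the Subject Name
    of a parent until a trusted certificate is reached. Returns the path from
    the leaf to the trusted anchor, or None if no anchor is reached."""
    by_subject: Dict[str, Cert] = {c.subject: c for c in candidates}
    by_subject.update({c.subject: c for c in trusted})   # trusted entries win
    trusted_subjects = {c.subject for c in trusted}
    path = [cert]
    current = cert
    while current.subject not in trusted_subjects:
        if current.is_self_signed() or len(path) >= max_depth:
            return None   # untrusted self-signed end, or an over-long/looping chain
        parent = by_subject.get(current.issuer)
        if parent is None:
            return None   # missing intermediate or root: validation error
        path.append(parent)
        current = parent
    return path


def validate(cert: Cert, candidates: List[Cert], trusted: List[Cert],
             today: date,
             revoked: FrozenSet[Tuple[str, int]] = frozenset()) -> str:
    """Return 'valid', 'self-signed' or 'invalid', the three Status values of
    the Certificate Management window. `revoked` holds (issuer DN, serial)
    pairs and stands in for a CRL download or an OCSP query."""
    if not cert.in_validity_period(today):
        return "invalid"            # red x: expired
    if cert.is_self_signed():
        return "self-signed"        # blue i: no chain to traverse
    path = build_path(cert, candidates, trusted)
    if path is None:
        return "invalid"            # red x: validation error
    for link in path:
        if not link.in_validity_period(today):
            return "invalid"        # an expired parent breaks the chain
        if (link.issuer, link.serial) in revoked:
            return "invalid"        # revoked by its issuer
    if not cert.has_distribution_point:
        return "self-signed"        # blue i: no CRL/OCSP URL to check against
    return "valid"                  # green check


# Constructed sample chain (leaf -> issuing CA -> root CA) plus a self-signed pair
ROOT_DN = build_dn("Example Root CA", o="Example Corp", c="US")
ISSUING_DN = build_dn("Example Issuing CA", ou="PKI", o="Example Corp", c="US")
LEAF_DN = build_dn("mcim-server.example.com", ou="Software Services",
                   o="Example Corp", l="Boston", st="Massachusetts", c="US")
ROOT = Cert(ROOT_DN, ROOT_DN, date(2012, 1, 1), date(2032, 1, 1), serial=1)
ISSUING = Cert(ISSUING_DN, ROOT_DN, date(2012, 6, 1), date(2022, 6, 1), serial=2)
LEAF = Cert(LEAF_DN, ISSUING_DN, date(2013, 1, 1), date(2015, 1, 1), serial=3)
LEAF_NO_DP = replace(LEAF, has_distribution_point=False)
SELF_SIGNED = Cert("CN=intel cloud expressway", "CN=intel cloud expressway",
                   date(2013, 1, 1), date(2023, 1, 1), serial=4)
TODAY = date(2013, 6, 1)
AFTER_EXPIRY = date(2016, 1, 1)

if __name__ == "__main__":
    for name, cert in [("leaf", LEAF), ("self-signed", SELF_SIGNED)]:
        print(name, validate(cert, [ISSUING], [ROOT], TODAY))
```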


12.6.2 How to Acquire an X.509 Certificate

In Cloud Identity Manager, there are three ways to acquire an X.509 certificate:

• You can use the preconfigured X.509 certificate key pair that comes installed with Cloud Identity Manager.

• You can generate a new X.509 certificate key pair in the Management Console. For more information, see section 12.6.11 Generate a New Key Pair.

• You can import an X.509 certificate. In the Cloud Identity Manager system, there are two types of certificates and different procedures for importing them.

   — X.509 Certificate Key Pair — An X.509 certificate key pair consists of an X.509 certificate containing a public key paired with its private key. Cloud Identity Manager uses X.509 certificate key pairs to sign outgoing SAML assertions. For information about how to import public-private key pairs, see section 12.6.9 Import an X.509 Certificate.

   — Trusted X.509 Certificate — A trusted X.509 certificate contains a public key that is trusted by the Cloud Identity Manager administrator. Cloud Identity Manager uses trusted certificates to verify incoming signatures. For information about how to import a trusted certificate, see section 12.6.13 Import a Trusted Certificate.

12.6.3 Cloud Identity Manager Certificates

The preconfigured key pair that comes installed with Cloud Identity Manager is a self-signed X.509 certificate with the alias intel cloud expressway. The alias is the name of the X.509 certificate in the Cloud Identity Manager system.

To have this default X.509 certificate signed by a CA, you first export it following the instructions in section 12.6.8 Export an X.509 Certificate. After the certificate is signed by the CA, you then import it following the instructions in section 12.6.9 Import an X.509 Certificate. The signed certificate replaces the original certificate in the Cloud Identity Manager keystore, but retains the alias intel cloud expressway.

Cloud Identity Manager also comes installed with the following demo certificate files:

   intel_demo_cert.crt
   intel_demo_cert_ca.crt

You can locate these demo certificate files in the following folder:

   <install_dir>\current\configuration\templates\security\certificates

<install_dir>
    Specifies the name of the directory where Cloud Identity Manager is installed.


12.6.4 The Certificate Management Window

To view all certificate management options, select Certificate Management from the Admin tab drop-down list. The Certificate Management window opens:

In the Certificate Management window, you have the following options. For more information, see the corresponding sections.

• Viewing all certificates — See section 12.6.5 Viewing All X.509 Certificates.
• View one certificate — See section 12.6.6 View One X.509 Certificate.
• Delete certificates — See section 12.6.7 Delete an X.509 Certificate.
• Export certificates — See section 12.6.8 Export an X.509 Certificate.
• Import certificates — See section 12.6.9 Import an X.509 Certificate.
• Validate certificates — See section 12.6.10 Validate an X.509 Certificate.
• Generate a new key pair — See section 12.6.11 Generate a New Key Pair.
• Import a keystore file containing key pairs — See section 12.6.12 Import Key Pairs.
• Import a trusted certificate — See section 12.6.13 Import a Trusted Certificate.
• Replace the SSL key pair — See section 12.6.14 Replace the SSL Key Pair.
• Enabling certificate validation — See section 12.6.15 Enabling Certificate Validation.


12.6.5 Viewing All X.509 Certificates

In the Certificate Management window, you can view the configured and imported X.509 certificates in a table format. The table has the following headings and lists the following information and options for each certificate:

• Name — Lists the name of the X.509 certificate in the Cloud Identity Manager system. This value is also known as the alias.

• SN — Lists the serial number of the X.509 certificate. This value corresponds to the Serial Number in the certificate data and is assigned by the entity that created the certificate.

• DN — Lists the Distinguished Name of the X.509 certificate. This value corresponds to the Subject Name in the certificate data and uniquely identifies the certificate holder. When Cloud Identity Manager generates a new key pair, it forms the DN by combining the values specified for the following fields in the Generate New Key Pair dialog box:
   — CN — Common Name
   — OU — Organizational Unit
   — O — Organization
   — L — Locality
   — ST — State
   — C — Country

• Expiration Date and Time — Lists the expiration day, month, and year of the X.509 certificate.

• Type — Lists the type of X.509 certificate:

— X.509 Certificate Key Pair — X.509 certificate key pairs are identified by the tools icon and consist of an X.509 certificate containing a public key paired with its private key. Cloud Identity Manager uses this type of certificate to sign outgoing SAML assertions.

— Trusted X.509 Certificate — Trusted X.509 certificates are identified by the folder icon and contain a public key that is trusted by the Cloud Identity Manager administrator. Cloud Identity Manager uses trusted certificates to verify incoming signatures.

• Status — Lists the status of the X.509 certificate:
   — Green check — The status of the X.509 certificate is valid.
   — Blue i — The status of the X.509 certificate is self-signed or unknown. Cloud Identity Manager returns this status when the X.509 certificate is self-signed or the CRL or OCSP distribution point URL is not found in the X.509 certificate, respectively.
   — Red x — The status of the X.509 certificate is invalid. Cloud Identity Manager returns the invalid status when the certificate is expired or there is a validation error.

• Actions — Lists the following action options:
   — View — Select this option to view details about the corresponding X.509 certificate.
   — Delete — Select this option to delete the corresponding X.509 certificate.
   — Export — Select this option to export the corresponding X.509 certificate.
   — Import — Select this option to replace the corresponding X.509 certificate with the imported certificate. The imported certificate retains the alias of the certificate that it replaces.
   — Validate — Select this option to validate the corresponding X.509 certificate. Validation updates the status of the X.509 certificate.


12.6.6 View One X.509 Certificate

To view one X.509 certificate, click the corresponding View icon in the Certificate Management window. The Certificate Detail dialog box opens, as follows. Click Ok to close the dialog box.

Alias
    Specifies the name of the X.509 certificate that you are viewing. This name is used to reference the certificate in the Management Console.
    Example: intel cloud expressway

Item Type
    Specifies whether the X.509 certificate is paired with the private key and has one of the following two values:
    CERTIFICATE
        Specifies that the X.509 certificate is not paired with the private key.
    KEY_PAIR
        Specifies that the X.509 certificate is paired with the private key.

Subject
    Specifies the Distinguished Name of the X.509 certificate. This value corresponds to the Subject Name in the certificate data and uniquely identifies the certificate holder.
    CN
        Specifies the full name of the server where Cloud Identity Manager is installed.
        Example: mcim-server.intel.com
    OU
        Specifies the name of the division within the organization.
        Example: Software Services
    O
        Specifies the name of the organization.
        Example: Intel Corporation


Issuer
    Specifies the Distinguished Name of the X.509 certificate issuer. When the Issuer name and Subject name are the same, the certificate is self-signed.
    CN
        Specifies the Common Name of the X.509 certificate issuer.
    OU
        Specifies the name of the division within the organization.
    O
        Specifies the name of the organization.

Validity
    Specifies the range of dates during which the certificate is valid.
    Issued On
        Specifies the issue date or date when the certificate becomes valid.
    Issued To
        Specifies the expiration date or date when the certificate is no longer valid.

Algorithm
    Specifies the algorithm used to generate the key pair.
    Note: RSA is the only algorithm supported in the current release.

Serial Number
    Specifies the serial number assigned to the X.509 certificate by the entity that created it.

12.6.7 Delete an X.509 Certificate

To delete an X.509 certificate, click the corresponding Delete icon, and click Ok to confirm. The X.509 certificate is deleted.

12.6.8 Export an X.509 Certificate

When you export an X.509 certificate, you have two options:

• Export the certificate only — The certificate is saved in a Security Certificate (.crt) file in your web browser’s Downloads folder. While an X.509 certificate contains a public key, it does not contain the associated private key that, together with the public key, makes up the key pair.

• Export the key pair — The key pair is saved in a PKCS #12 (.p12) file in your web browser’s Downloads folder. PKCS is an acronym for Public-Key Cryptography Standards, which are published by RSA Laboratories. The standards define a file format used to store X.509 private keys with their public key certificates. A .p12 file is protected by a password which the party encrypting the file shares with parties that need to decrypt the file.

Note: If the certificate that you are exporting is a trusted certificate, your only option is Export the certificate only.

The .crt and .p12 file names have the format alias.crt and alias.p12, respectively, where alias is the name of the X.509 certificate in the Cloud Identity Manager system. If the alias contains spaces, Cloud Identity Manager converts the spaces to hyphens. For example, if the alias is “cloud access 360”, the corresponding .crt file name is cloud-access-360.crt.

There are two reasons for choosing to export an X.509 certificate:

• X.509 certificates generated by Cloud Identity Manager are self-signed. To generate a Certificate Signing Request (CSR) and have the certificate signed by a trusted CA, you first export the certificate.

• You can export an X.509 certificate for publishing to a third party.


To export an X.509 certificate

1. Click the Export icon corresponding to the X.509 certificate you want to export.
   The Export Certificate dialog box opens.

2. Select one of the following Export Type options:
   — Export Certificate only — Select this option to save the certificate in a .crt file. Click Export, and then click Save File on the dialog box that opens.
     The .crt file is saved in your web browser’s Downloads folder.
   — Export KeyPair — Select this option to save the public certificate and associated private key in a .p12 file. Specify the password that protects the file in the Passphrase field, click Export, and then click Save File in the dialog box that opens.
     The .p12 file is saved in your web browser’s Downloads folder and protected by the password that you specified.


12.6.9 Import an X.509 Certificate

X.509 certificate key pairs generated by Cloud Identity Manager are self-signed. To generate a Certificate Signing Request (CSR) and have the certificate signed by a trusted CA, you first export the certificate to a Security Certificate (.crt) file.

After the certificate is signed by a trusted CA, you can import the certificate file. In this procedure, you replace the existing X.509 certificate with the signed certificate. The imported certificate retains the original certificate’s alias.

To import a trusted X.509 certificate and add it to the certificate list in the Certificate Management window, follow the instructions in section 12.6.13 Import a Trusted Certificate. A trusted certificate is any certificate that contains a public key trusted by the Cloud Identity Manager administrator.

Note: For more information about certificate types, see sections 12.6.2 How to Acquire an X.509 Certificate and 12.6.5 Viewing All X.509 Certificates.

To import an X.509 certificate

1. Click the Import icon corresponding to the X.509 certificate you want to replace.
   The Import Certificate Chain dialog box opens.

2. Type values in the following fields, or use the browser buttons to locate the certificate files.

   X509 Certificate
       Specifies the name of the X.509 certificate that you want the imported certificate to replace. This name is used to reference the certificate in the Management Console.
       Example: intel cloud expressway

   Interim CA
       (Optional) Specifies the name of the certificate file corresponding to an intermediate CA.

   Root CA
       (Optional) Specifies the name of the certificate file corresponding to a trusted root CA.

3. Click Upload Certificates, and then click Ok.
   The X.509 certificate is imported, replacing the original certificate in the Certificate Management window.


12.6.10 Validate an X.509 Certificate

Before you validate an X.509 certificate, verify that certificate validation is enabled in the Certificate Management window. To validate an X.509 certificate, click the Validate option that corresponds to the certificate. Click Ok in the Validating Result dialog box that opens. The certificate status is updated to one of the following values:

• Green check — The status of the X.509 certificate is valid.
• Blue i — The status of the X.509 certificate is self-signed.
• Red x — The status of the X.509 certificate is invalid.

Note: For information about enabling certificate validation, see section 12.6.15 Enabling Certificate Validation. For information about X.509 certificate status, see section 12.6.5 Viewing All X.509 Certificates.

12.6.11 Generate a New Key Pair

You can generate a new X.509 certificate key pair in the Certificate Management window and use it to sign SAML assertions. X.509 certificate key pairs generated by Cloud Identity Manager are self-signed.

To generate a new key pair

1. In the Certificate Management window, click New KeyPair.
   The Generate New Key Pair dialog box opens.

2. Specify values for the following fields:

   Alias
       Specifies the name of the key pair in the Cloud Identity Manager system. This name is used to reference the key pair in the Management Console.
       Example: intel expressway cloud access 360

   CN
       (Optional) Specifies the full name of the server where Cloud Identity Manager is installed.
       Example: e360sso-server.intel.com

   OU
       (Optional) Specifies the name of the division within the organization.
       Example: Software Services

   O
       (Optional) Specifies the name of the organization.
       Example: Intel Corporation


   L
       (Optional) Specifies a location, such as a city.
       Example: Boston

   ST
       (Optional) Specifies a state.
       Example: Massachusetts

   C
       (Optional) Specifies a two-character country code.
       Example: US

   Valid Till
       Click the calendar icon to specify the month, day, and year that the newly generated certificate expires.

   Algorithm
       (Optional) Specifies the algorithm to use when generating the key.
       Note: RSA is the only algorithm supported in the current release.

   Length
       (Optional) Specifies the key length in bits.
       Note: Two key lengths are supported: 1024 and 2048.

3. Click Ok.
   The new key pair is saved.


12.6.12 Import Key Pairs

A key pair is an X.509 certificate containing a public key paired with its private key. Key pairs are stored as entries in files known as keystores. You import key pairs by importing a keystore file. The following file types store key pairs and are supported by Cloud Identity Manager:

• JKS — Specifies a Java keystore file.
• P12 — Specifies a file format based on the PKCS #12: Personal Information Exchange Syntax Standard.
• PFX — Specifies a file based on the PKCS #12: Personal Information Exchange Syntax Standard.

PKCS is an acronym for Public-Key Cryptography Standards, which are published by RSA Laboratories. While the P12 and PFX file formats are the same, the PFX format was developed first. Since its introduction, the P12 file format has largely replaced the PFX file format.

To import key pairs

1. Click Import KeyPairs.
   The Import Key Pairs dialog box opens.
2. Browse for the keystore file containing the key pairs. It can be a .jks, .p12, or .pfx file.
3. Type the password protecting the selected file in the Password field.
4. Click Upload Key Pairs.
   The keystore file is uploaded.
5. Click Ok.
   The keystore file is saved.


12.6.13 Import a Trusted Certificate

Use this procedure to import trusted certificates. A trusted certificate is an X.509 certificate containing a public key which is trusted by the Cloud Identity Manager administrator. The X.509 certificate is imported from a Security Certificate (.crt) file and used to verify incoming signatures.

Note: For instructions on how to import X.509 certificate key pairs, see section 12.6.9 Import an X.509 Certificate. For more information about certificate types, see sections 12.6.2 How to Acquire an X.509 Certificate and 12.6.5 Viewing All X.509 Certificates.

To import a trusted certificate

1. In the Certificate Management window, click Import Trusted Certificate.
   The Import Trusted Certificate dialog box opens.
2. Type a name for the trusted certificate in the Alias field.
3. Click Browse to search for the .crt file corresponding to the trusted certificate.
4. Click Upload Certificate, and then click Ok.
   The trusted certificate is imported.
5. Click Ok.
   The trusted certificate is saved and added to the certificate table in the Certificate Management window. The folder icon in the Type column indicates that the certificate type is trusted. The i symbol in the Status column indicates that the status of the trusted certificate is self-signed or unknown.
6. To update the status of the trusted certificate, click Validate.
   The green check in the Status column indicates that the trusted certificate status is updated from unknown to valid.


12.6.14 Replace the SSL Key Pair

In this procedure, you can replace the SSL key pair or certificate that Cloud Identity Manager uses to secure connections between its web server and web browsers with your own custom SSL certificate file.

To replace the SSL key pair

1. In the Certificate Management window, click Replace SSL KeyPair.
   The Replace SSL KeyPair dialog box opens.
2. Click Browse to locate and select your custom SSL certificate file.
   Note: The file format must be JKS (a Java keystore file) or P12 (based on the PKCS #12 standard).
3. Type the password that secures the file in the Password field.
   Cloud Identity Manager uses this password to decrypt the SSL certificate file.
4. Click Upload KeyPairs.
   The SSL certificate file is uploaded.
5. Click Ok.
   The SSL certificate file is saved.
6. Restart the Cloud Identity Manager service.
   Note: This step is necessary for your SSL certificate to take effect.

12.6.15 Enabling Certificate Validation

For system performance reasons, certificate validation is disabled by default. To validate the status of an X.509 certificate, first enable certificate validation. The enabled and disabled certificate validation states and options are shown in the Certificate Management window, as follows.

When certificate validation is disabled, the Enable Certificate Validation option is shown:

To enable certificate validation, click the Enable Certificate Validation option. When certificate validation is enabled, the Disable Certificate Validation option is shown:


12.7 Managing Cloud Connector Plug-ins

The Connector Plug-ins window displays all Cloud Connectors in the Cloud Identity Manager system that are plug-ins. In this window, you can install a custom connector plug-in in the Cloud Identity Manager system. Or you can disable, enable, modify, or delete an existing connector plug-in already in the system. For more information, see the following sections:

• The Connector Plug-ins window — See section 12.7.1 The Connector Plug-ins Window.
• Installing a custom connector plug-in — See section 12.7.2 Install a Custom Connector Plug-in.
• Managing an existing connector plug-in — See section 12.7.3 Managing an Existing Connector Plug-in.

Note: Plug-in Cloud Connectors are different from the built-in Cloud Connectors, which are built in to the Cloud Identity Manager system and cannot be disabled, enabled, modified, or deleted. For more information about the built-in Cloud Connectors, see section 3.0 Cloud Connectors.

12.7.1 The Connector Plug-ins Window

In the Connector Plug-ins window, you can view the following information about the plug-ins in the Cloud Identity Manager system.

Plugin Name
    Specifies the name of the plug-in. For custom plug-ins, you specify the name when you install the plug-in.

Connector Type
    Specifies the cloud application type.

SSO Protocol
    Specifies the SSO method used by the plug-in. SAML and HTTP POST are examples of SSO methods.

Version
    Specifies the version number of the plug-in currently installed. When a newer version of the plug-in is installed, the version number is automatically updated.


Provider
    Specifies the name of the Service Provider that is providing the plug-in.

Action
    Shows which of the following plug-in management options are available: disable, enable, modify, delete.

12.7.2 Install a Custom Connector Plug-in

In this procedure, you install a custom connector plug-in in the Cloud Identity Manager system.

To install a custom connector plug-in

1. Click Install.
   The Install Custom Connector dialog box opens.
2. Type a name for the plug-in in the Plug-in Name field.
   Note: The plug-in name can only contain uppercase and lowercase alphabetic characters.
3. Browse for the .jar file containing the plug-in configuration, and click Submit.
   Note: The .jar file can be uploaded from a local or remote file system.
   The custom connector plug-in is installed in the Cloud Identity Manager system and enabled.

12.7.3 Managing an Existing Connector Plug-in

In the Connector Plug-ins window, you have the following management options:

• Disable — To disable a plug-in, first delete any instances of that plug-in type. Click the Disable link corresponding to the plug-in, and then click Yes to confirm.

• Enable — To enable a plug-in, click the Enable link corresponding to the plug-in.

• Modify — To modify a plug-in, first delete any instances of that plug-in type, and then disable the plug-in. Click the Modify link corresponding to the plug-in. The Install Custom Connector dialog box opens. Browse for the new version of the .jar file, and click Submit. The version number is updated in the Connector Plug-ins window.

• Delete — To delete a plug-in, first delete any instances of that plug-in type. Click the Delete link corresponding to the plug-in, and then click Yes to confirm.


12.8 Export System Configuration Settings

You can export the current Cloud Identity Manager system configuration settings to a .zip file. The .zip file contains folders, and the folders contain XML files, where the settings are saved and can later be imported back into Cloud Identity Manager and reused. For more information about importing Cloud Identity Manager configuration settings from a file, see section 12.9 Import System Configuration Settings.

To export the Cloud Identity Manager system configuration settings

1. From the Admin tab drop-down list, select Export Configuration.
   The Opening SplitPointConfiguration.zip dialog box opens.

2. Select one of the following options:
   — Open with — To open the .zip file containing the exported configuration, select the Open with option. Accept the default program (WinZip) or specify another program by selecting Other from the drop-down list. Click Ok.
     The WinZip (or other) window opens showing the folder structure of the exported configuration.
   — Save File — To save the .zip file containing the exported configuration, select the Save File option, and click Ok.
     The .zip file is saved in your web browser’s Downloads folder: C:\Users\username\Downloads.

The Cloud Identity Manager system configuration settings are exported to the .zip file.


12.9 Import System Configuration Settings

You can import Cloud Identity Manager system configuration settings from a .zip file that was created by the Cloud Identity Manager export configuration option. For more information about exporting Cloud Identity Manager configuration settings to a file, see section 12.8 Export System Configuration Settings.

To import the Cloud Identity Manager system configuration settings

1. From the Admin tab drop-down list, select Import Configuration.
   The System Configuration Upload dialog box opens.
2. Type the .zip file’s path and name in the File field, or click Browse to locate and open the .zip file for uploading.
3. Click Submit.
   An Upload Success message is displayed.
4. Click Ok.
   The Cloud Identity Manager system configuration settings are imported from the .zip file into Cloud Identity Manager.

12.10 Restart the Cloud Identity Manager Service

You can restart the Cloud Identity Manager service from the Admin tab drop-down list.

To restart the Cloud Identity Manager service

1. From the Admin tab drop-down list, select Restart Server.
   The Confirm Restart dialog box opens.
2. To restart, click Ok.
   Your session is terminated, the server is restarted, and the Management Console Log in page opens.
3. Type your user name and password in the fields on the Log in page, and click Log in.
   The Management Console opens.


12.11 Import a License File

When you purchase a license for Cloud Identity Manager, you receive a license file. The license file is a text file named e360sso.lic that contains your license number. Before importing your license file, save it in a location of your choice on your computer.

There are two ways to import a license file into Cloud Identity Manager:

• You can import the license file when you install Cloud Identity Manager. For more information, see the McAfee Cloud Identity Manager Installation Guide.

• You can import the license file in the Management Console. For instructions, see the following procedure.

To import a license file

1. From the Admin tab drop-down list, select License.
   The License option opens.
   — If you are using an evaluation or valid license, a dialog box showing the current license is displayed.
   — If you are not using an evaluation or valid license, a dialog box indicating that no valid license is present is displayed.
2. Click Change license.
   The Import License dialog box opens.
3. Browse for and select the license file, and click Upload License.
   The Upload Successful message is displayed.
4. Click Ok to exit the Import License dialog box.
   The license file is imported.


12.12 Configure the Fully Qualified Domain Name

When you access the Management Console in your web browser, Cloud Identity Manager saves the host name or IP address that you enter and uses it to generate all Cloud Identity Manager service URLs. So that users on other machines can access Cloud Identity Manager services, we strongly recommend that you take the following steps:

1. Install Cloud Identity Manager on a machine that has a fully qualified domain name (FQDN).
2. Specify the FQDN in the Management Console.

Without the FQDN, Cloud Identity Manager uses the local name for the installation machine when generating the service URLs, and users on other machines may not be able to access Cloud Identity Manager services. By specifying the FQDN, you ensure that users on other machines can access Cloud Identity Manager services.

In this procedure, you also have the option of specifying one or more alternative domain names based on the FQDN. Alternative domain names are also called service binding domain names. For example, if the FQDN is eca360sso-service.com, cloudapp1.eca360sso-service.com is one of many possible service binding domain names.

To configure the fully qualified domain name

1. From the Admin tab drop-down list, select Domain Settings. The Domain Settings window opens.

2. Select the Specify fully qualified domain name checkbox if it is not already selected.

3. Type the FQDN of the machine on which Cloud Identity Manager is installed in the Domain Name field, or click Default to specify the default value for the FQDN.


4. (Optional) Specify one or more alternative domain names, as follows:

a. To add an alternative domain name, click Add, type the name of the new domain in the Domain field on the New Domain dialog box that opens, and click Save.

b. To edit an alternative domain name, click Edit, modify the name in the Domain field in the Edit Domain dialog box that opens, and click Save.

c. To remove an alternative domain name, select the name, click Remove, and then click Yes.

5. Click Save Setting. The domain name setting is saved.
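Because Cloud Identity Manager builds its service URLs from the host name it saved from the browser request, the host that ends up in those URLs should be limited to the configured FQDN and its service binding domain names. The following Python is an added illustration of that rule and is not Cloud Identity Manager code: it validates the FQDN and each alternative domain name (treated here as the FQDN itself or a subdomain of it, as in the cloudapp1.eca360sso-service.com example above), and only honours a request's Host value when it is one of those names, falling back to the FQDN otherwise. The DomainSettings class and its method names are assumptions made for the example.

```python
import re
from urllib.parse import urlunsplit

# Added example, not Cloud Identity Manager code: keep generated service URLs on
# the configured FQDN or one of its service binding (alternative) domain names.

# One DNS label: 1-63 characters, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_valid_fqdn(name: str) -> bool:
    """True for a syntactically valid multi-label host name; bare names and IP literals are rejected."""
    if not name or len(name) > 253 or "." not in name:
        return False
    labels = name.lower().split(".")
    if not all(_LABEL.match(label) for label in labels):
        return False
    return not labels[-1].isdigit()  # an all-numeric top label means an IPv4 literal, not an FQDN


def is_binding_of(candidate: str, fqdn: str) -> bool:
    """A service binding domain name must be the FQDN itself or a subdomain of it (assumed rule)."""
    c, f = candidate.lower(), fqdn.lower()
    return c == f or c.endswith("." + f)


class DomainSettings:
    """Stand-in for the Domain Settings page: the FQDN plus alternative domain names (assumed API)."""

    def __init__(self, fqdn: str) -> None:
        if not is_valid_fqdn(fqdn):
            raise ValueError(f"not a fully qualified domain name: {fqdn!r}")
        self.fqdn = fqdn.lower()
        self.bindings = set()  # lower-cased alternative (service binding) domain names

    def add_binding(self, name: str) -> None:
        if not is_valid_fqdn(name) or not is_binding_of(name, self.fqdn):
            raise ValueError(f"not a binding domain under {self.fqdn}: {name!r}")
        self.bindings.add(name.lower())

    def service_url(self, requested_host: str, path: str, scheme: str = "https") -> str:
        """Build a service URL, using the request's Host only if it is a configured name.

        Any other value (a Host header chosen by the client, or the machine's local name)
        falls back to the FQDN, so the URL always points at a host the administrator configured.
        """
        host = (requested_host or "").lower().split(":")[0]  # drop any port before matching
        if host != self.fqdn and host not in self.bindings:
            host = self.fqdn
        return urlunsplit((scheme, host, path, "", ""))
```

The port is discarded before matching so that a host:port pair cannot bypass the allow-list; a deployment that serves on a non-default port would re-attach its own configured port rather than echo the one from the request.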


12.13 Configuring Remote OTP Settings

When you configure an OTP Self-service authentication module, you select email, mobile, or Pledge as the OTP delivery methods available to the end user, singly or in combination. To support email, mobile, and Pledge delivery of one-time passwords, you configure the following remote OTP settings.

For more information about the email, Pledge, and mobile settings, see the following points:

• SMTP settings — SMTP is an acronym for Simple Mail Transfer Protocol, a widely used protocol for sending email. In email delivery of one-time passwords, the OTP server sends the one-time password to an email address using an email service.

• Pledge settings — Pledge is a software token that generates a one-time password on a mobile device. The end user submits the one-time password and an identifier to the OTP server. Using the identifier, the OTP server locates the user’s OATH key in its database. The server then uses the OATH key to verify the one-time password.

• SMS Gateway settings — SMS is an acronym for Short Message Service, a text message service to a mobile phone. In mobile delivery of one-time passwords, the OTP server sends the one-time password to a mobile phone number using the McAfee SMS Gateway service.

Note: For more information about remote OTP configuration, see section 5.5.17.1 OTP Server Considerations for OTP Self-service Authentication, or visit: http://support.nordicedge.com/knowledge-database/


12.13.1 Configure Remote OTP Settings

To support email, Pledge, and mobile delivery of one-time passwords, configure the remote OTP settings.

To configure remote OTP settings

1. Configure the following setting:

OTP Remote Password
Specifies the password that allows access to the OTP server that is built into Cloud Identity Manager.

Note: An administrator can update this password in the OTP server using the McAfee remote OTP configuration tool. If the password is updated in the OTP server, it must also be updated in the Management Console. When this setting is up to date, Cloud Identity Manager can connect to the built-in OTP server.

2. Configure the following settings for email delivery of the one-time password:

SMTP Host
Specifies the host name or IP address of the SMTP server that sends the email messages.
Default: smtp.intel.com

SMTP Port
Specifies the port number of the SMTP server that sends the email messages.
Default: 25

Email Sender
Specifies the email address from which the email messages are sent.
Default: [email protected]

3. Configure the following settings for Pledge delivery of the one-time password:

Pledge User
Specifies the username that Cloud Identity Manager uses to set up a web service account with Nordic Edge.

Pledge Password
Specifies the password that Cloud Identity Manager uses to set up a web service account with Nordic Edge.

Note: The web service account is required before end users can complete the Pledge Enrollment process. If the settings are omitted, default values are used.

4. Configure the following settings for mobile delivery of the one-time password:

SMS Gateway User
Specifies the username that Cloud Identity Manager uses to set up an SMS Gateway account with Nordic Edge.

SMS Gateway Password
Specifies the password that Cloud Identity Manager uses to set up an SMS Gateway account with Nordic Edge.

Note: The SMS Gateway account is required before the OTP server can deliver one-time passwords using the SMS Gateway service. If the settings are omitted, default values are used.

5. Select an administrator from the Contact Admin drop-down list.

Note: The specified administrator is the OTP technical support contact and must have an email address configured in the Cloud Identity Manager system. If not, you can specify one by selecting Admin Accounts from the Admin tab drop-down list. For more information, see section 12.5 Managing Admin Accounts.

6. Click Save. The remote OTP settings are saved.


12.14 Language Settings

To specify the language displayed in the Management Console, select an option from the Language Setting drop-down list, and click Save.


Appendix A: Integrating External One Time Password Servers with Cloud Identity Manager

Cloud Identity Manager comes with a McAfee® One Time Password Server (One Time Password Server) fully integrated. However, in some cases, you might want to integrate one or more external One Time Password Servers with the Cloud Identity Manager product. This section includes information about adding one-time password (OTP) to authentication methods and authorization policies and about configuring an external One Time Password Server.

Cloud Identity Manager supports the addition of one-time password to authentication methods and authorization policies:

• Two-factor authentication — In this implementation, one-time password provides a secondary authentication method that can be added to any of the primary authentication methods supported by the Authentication Chain Identity Connector type. For more information about authentication chains, see section 5.0 Authentication Chains.

• Authorization condition — In this implementation, one-time password is a condition that can be added to an authorization policy.

One-time passwords are generated by standard OTP algorithms that modify them at time intervals, such as every 30 seconds, or after each use. OTP generation is configured entirely in the external One Time Password Server interface and is not visible to Cloud Identity Manager, which accepts one-time passwords regardless of the algorithm used to generate them.
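The two behaviours just described, a value that changes every 30 seconds and a value that changes after each use, are the OATH time-based (TOTP, RFC 6238) and event-based (HOTP, RFC 4226) algorithms, and the Pledge verification step in section 12.13 (the server locates the user's OATH key by identifier and checks the submitted value with it) is the server side of the same scheme. The following Python is an added example, not code from Cloud Identity Manager, Nordic Edge, or any OTP server: it implements both algorithms and a verifier that bounds its search window and refuses to accept a value twice. The OtpVerifier class and its method names are assumptions made for this example; the expected values in the test vectors are those published in the two RFCs.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Added example (not Cloud Identity Manager or Pledge code): OATH HOTP/TOTP
# generation and server-side verification with a bounded look-ahead window and
# rejection of replayed values. RFC test key: b"12345678901234567890".


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of elapsed time steps."""
    return hotp(key, unix_time // step, digits)


class OtpVerifier:
    """Per-user OATH state, keyed by the identifier the user submits with the OTP (assumed API)."""

    def __init__(self) -> None:
        # identifier -> {"key": shared OATH key, "counter": next expected HOTP counter,
        #                "last_step": last TOTP step accepted (used to reject replays)}
        self.users = {}

    def enroll(self, identifier: str, key: bytes) -> None:
        self.users[identifier] = {"key": key, "counter": 0, "last_step": -1}

    def verify_hotp(self, identifier: str, submitted: str, look_ahead: int = 10) -> bool:
        """Event-based check: accept the next counter or one within look_ahead (token resync)."""
        rec = self.users.get(identifier)
        if rec is None:
            return False
        for c in range(rec["counter"], rec["counter"] + look_ahead):
            if hmac.compare_digest(hotp(rec["key"], c), submitted):
                rec["counter"] = c + 1  # skipped counters are burned, so they cannot be replayed
                return True
        return False

    def verify_totp(self, identifier: str, submitted: str, now: Optional[int] = None,
                    step: int = 30, window: int = 1) -> bool:
        """Time-based check: accept the current step +/- window, never a step already used."""
        rec = self.users.get(identifier)
        if rec is None:
            return False
        current = (int(time.time()) if now is None else now) // step
        for s in range(current - window, current + window + 1):
            if s <= rec["last_step"]:
                continue  # a value from this or an earlier step was already accepted: replay
            if hmac.compare_digest(hotp(rec["key"], s), submitted):
                rec["last_step"] = s
                return True
        return False
```

The verifier only reports success or failure and advances its state on success; a deployment would also rate-limit failed attempts per identifier, which the example leaves out.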

One-time passwords address some of the weaknesses of traditional static passwords. In practice, however, OTP technology is generally used as the second factor in two-factor authentication, which is stronger than authentication based on a single factor alone. Likewise, one-time password can be added as a condition to authorization policies, thereby strengthening them.

Integrating an external One Time Password Server with Cloud Identity Manager requires configuration in One Time Password Server, in the Management Console, and in the SaaS or web application. For more information, see the following references:

• Configuration in One Time Password Server — See section A.3 One-time Password Server Configuration Overview.

• Configuration in the Management Console — See section 5.5.16 Configuring an OTP Authentication Module.

• Configuration in the SaaS or Web Application — See the McAfee Cloud Identity Manager Integration Guide.

Note: For information about integrating other OTP solutions with Cloud Identity Manager, see Appendix B: Integrating RCDevs OpenOTP Server with Cloud Identity Manager.


A.1 Two-factor Authentication Using One-time Password

The following two sections show two of the many possible implementations of two-factor authentication in Cloud Identity Manager:

• A.1.1 LDAP-OTP Authentication — In this section, LDAP authentication is the primary authentication method, while one-time password is the secondary authentication method making up two-factor authentication.

• A.1.2 OpenID-OTP Authentication — In this section, OpenID authentication is the primary authentication method, while one-time password is the secondary authentication method making up two-factor authentication.


A.1.1 LDAP-OTP Authentication

The following diagram and steps show how OTP authentication can be added to an LDAP Identity Connector configuration to create two-factor authentication.

Figure 1. LDAP-OTP Authentication

1. The user requests access to a SaaS or web application.
2. The SaaS or web application redirects the user to Cloud Identity Manager.
3. Cloud Identity Manager prompts the user for credentials, which the user provides.
4. Cloud Identity Manager validates the user’s credentials against the LDAP directory.
5. Cloud Identity Manager sends a message requesting One Time Password Server to generate a one-time password for the user.
6. One Time Password Server sends the one-time password to the user.
7. The user types the one-time password in the prompt from Cloud Identity Manager and clicks Verify.
8. Cloud Identity Manager sends the one-time password to One Time Password Server for verification, which the Server confirms.
9. Cloud Identity Manager sends the authentication result to the SaaS or web application.
10. The SaaS or web application grants access to the user.

Note: To configure two-factor authentication, create an Authentication Chain Identity Connector. Configure an LDAP authentication module and add it to the authentication chain. Next, configure an OTP authentication module and add it to the authentication chain to create two-factor authentication.


A.1.2 OpenID-OTP Authentication

The following diagram and steps show how OTP authentication can be added to an OpenID Identity Connector configuration to create two-factor authentication. In this example, Google is the OpenID Provider.

Figure 2. OpenID-OTP Authentication

1. The user requests access to a SaaS or web application.
2. The SaaS or web application redirects the user to Cloud Identity Manager with an authentication request.
3. Cloud Identity Manager redirects the authentication request to Google.
4. Google prompts the user for credentials, which the user provides.
5. Google sends the authentication result to Cloud Identity Manager.
6. Cloud Identity Manager sends a message requesting One Time Password Server to generate a one-time password for the user.
7. One Time Password Server sends the one-time password to the user.
8. The user types the one-time password in the prompt from Cloud Identity Manager and clicks Verify.
9. Cloud Identity Manager sends the one-time password to One Time Password Server for verification, which the Server confirms.
10. Cloud Identity Manager sends the authentication result to the SaaS or web application.
11. The SaaS or web application grants access to the user.

Note: To configure two-factor authentication, create an Authentication Chain Identity Connector. Configure a Google-OpenID authentication module and add it to the authentication chain. Next, configure an OTP authentication module and add it to the authentication chain to create two-factor authentication.


A.2 Stronger Authorization Using One-time Password

The following diagram and steps show how Cloud Identity Manager authorizes a user to access a SaaS or web application when one-time password is a condition of the authorization policy. This example assumes that the user is already authenticated and has a session with Cloud Identity Manager.

Figure 3. One-time Password as a Condition of an Authorization Policy

1. The user requests access to a SaaS or web application.
2. The SaaS or web application redirects the user to Cloud Identity Manager.
3. Cloud Identity Manager applies an authorization policy that includes one-time password as a condition of authorization to the user’s request. If the user is permitted to access the application, Cloud Identity Manager sends a message requesting One Time Password Server to generate a one-time password for the user. Cloud Identity Manager also prompts the user to enter a one-time password.
4. One Time Password Server sends the one-time password to the user.
5. The user types the one-time password in the prompt from Cloud Identity Manager and clicks Verify.
6. Cloud Identity Manager sends the one-time password to One Time Password Server for verification, which the Server confirms.
7. Cloud Identity Manager sends the authentication result to the SaaS or web application.
8. The SaaS or web application grants access to the user.

Note: When you configure an authorization policy, you can add OTP authentication as a condition to the policy.


A.3 One-time Password Server Configuration Overview

Configuring an external One Time Password Server for integration with Cloud Identity Manager consists of the following steps:

1. Server — Select the Server category on the left pane of the OTP console, and configure the general settings on the right pane. These include the fields in the Server Settings area, OTP Length, and the fields in the Client Settings area.

Note: In the Client Settings area, select the Allow remote configuration checkbox. This setting allows Cloud Identity Manager to retrieve configuration information from the One Time Password Server.

2. RADIUS — If the One Time Password Server is acting as a RADIUS server for integration with Cloud Identity Manager, select the RADIUS category on the left pane of the OTP console, and configure the settings on the right pane.

3. Databases — To create and configure a database, select the Databases category on the left pane of the OTP console. The Databases category expands to include multiple database options. Select one of these, and configure the settings that open on the right pane. These settings allow the One Time Password Server to authenticate users against the user stores configured in this step.

4. Clients — To create and configure a client, select the Clients category on the left pane. You can create a Native client, a RADIUS client, or duplicate an existing client. Native clients use the One Time Password Server API to communicate with the One Time Password Server. RADIUS clients use the RADIUS protocol to communicate with the One Time Password Server. Client configuration includes the database the client uses to authenticate users.

Note: When creating a Native client, select the Accept User Lookup only checkbox. Selecting this checkbox allows authentication by username and one-time password only. When the password field is empty, a database lookup is performed only on the username and not the password.

5. Delivery Methods — Select the Delivery Methods category on the left pane of the OTP console. The Delivery Methods category expands to include multiple options. Select one of these, and configure the settings that open on the right. Cloud Identity Manager supports SMS and SMTP.

6. Logs and Alerts — To configure Logs and Alerts, select these categories on the left pane of the OTP console, and configure the settings that open on the right.

7. Miscellaneous — Select the Misc category in the left pane of the OTP console. The category expands to include multiple configuration options. Optionally, select one or more of these, and configure the settings on the right.

8. Save — At the end of each step, click Save Config to save the configuration before moving on to the next step.


Appendix B: Integrating RCDevs OpenOTP Server with Cloud Identity Manager

This section shows how to integrate just one of many available OTP solutions with Cloud Identity Manager: RCDevs OpenOTP Server. Using the SDK provided with Cloud Identity Manager, you can write a custom OTP authentication module for any OTP solution and then register and configure it in the Management Console. For more information about the built-in OTP authentication module, see Appendix A: Integrating External One Time Password Servers with Cloud Identity Manager.

RCDevs OpenOTP Server provides the following two-factor authentication schemes for LDAP users:

• Mobile-OTP (mOTP) Software Tokens
• OATH Event-based (HOTP) Hardware and Software Tokens
• OATH Time-based (TOTP) Hardware and Software Tokens
• OATH Challenge-response (OCRA) Hardware and Software Tokens
• Mail and Secure Mail One Time Passwords
• Printed OATH One-Time Password Lists
• SMS One Time Passwords
• Yubico Key hardware tokens

Note: OATH is an abbreviation for Initiative for Open Authentication.

To configure two-factor authentication in Cloud Identity Manager, create an Authentication Chain Identity Connector. Configure two authentication modules and add them to the chain. The first and second modules are the primary and secondary authentication methods, respectively. For example, you can configure an LDAP authentication module and add it to the authentication chain first as the primary authentication method.


To create two-factor authentication with OTP as the second factor, you add an OTP authentication module to the authentication chain after you add the first authentication module to the chain. When selecting an OTP authentication module, you have the following options:

• Select the built-in OTP authentication module type — Select this option when you are using the One Time Password Server. For more information about OTP authentication in general and authentication with the One Time Password Server in particular, see Appendix A: Integrating External One Time Password Servers with Cloud Identity Manager.

• Select an existing user-defined OTP authentication module type — Select this option when you are using an OTP server other than McAfee and the custom OTP authentication module has been created using the SDK provided with Cloud Identity Manager, registered in the Management Console, and added to the list of available authentication module types.

• Register a new user-defined OTP authentication module type — Select this option when you are using an OTP server other than McAfee and you want to register and select a custom OTP authentication module type that has been created using the SDK provided with Cloud Identity Manager.

For more information about authentication chains and modules, including how to configure an OTP authentication module, see section 5.0 Authentication Chains.

B.1 RCDevs OpenOTP Server Overview

The RCDevs OpenOTP Server solution includes VMware appliances that are installed on a Linux operating system and that come preconfigured with the following services and applications:

• LDAP
• MySQL
• OpenOTP Radius Bridge
• RCDevs WebADM

WebADM (an abbreviation for Web-based Directory Administrator) is a web-based management console for LDAP administrators. WebADM applications include OpenOTP.

Integrating RCDevs OpenOTP Server with Cloud Identity Manager requires the following steps. For more information, see the corresponding sections or guide.

• Installing and configuring the RCDevs OpenOTP Server — See sections B.2 Installing RCDevs OpenOTP Server and B.3 Configuring RCDevs OpenOTP Server.

• Creating an OpenOTP authentication module using the SDK provided with Cloud Identity Manager — See the McAfee Cloud Identity Manager Developer’s Guide.

• Registering the OpenOTP authentication module in the Cloud Identity Manager Management Console — See section 5.8 Registering a User-defined Authentication Module.

• Configuring two-factor authentication in the Cloud Identity Manager Management Console — See section 5.0 Authentication Chains.

Note: For more information about OpenOTP and the other RCDevs products, visit the RCDevs Documentation Library: http://www.rcdevs.com/downloads/documents.php.


B.2 Installing RCDevs OpenOTP Server

To install the RCDevs OpenOTP Server, follow these steps:

1. Download and install VMware on a Linux server. VMware is downloaded and installed as part of an OVF package. OVF is an acronym for Open Virtualization Format.

2. Start VMware on Oracle VM VirtualBox. VirtualBox is virtualization software that is installed on a host operating system such as Linux and that then allows guest operating systems to run in separate virtual environments.

3. The first time Linux is started, the WebADM set-up script runs automatically and prompts you for the following information:

Server Fully Qualified Host Name (FQHN)
Specifies the host name and domain name of the server on which VMware is installed. This is also where OpenOTP is installed.
Example: domainname.www.hostname.com

Organization Name
Specifies the name of your certificate authority (CA).
Example: MyOrg

Add scripts that start when WebADM is started?
Enter y in response to this prompt.

Register the WebADM logrotate script?
Enter y in response to this prompt.

Generate a new LDAP data encryption key in /opt/webadm/conf/webadm.conf?
Enter y in response to this prompt.

4. When the prompts are completed, the set-up script starts all VMware services. The LDAP directory and MySQL database are set up and ready to use, and the WebADM graphical setup is complete:

— LDAP Server
— MySQL Server
— Radius Bridge Service
— WebADM Services, including HTTP, PKI, SOAP, and Session Manager Services

Note: PKI is an acronym for Public Key Infrastructure. SOAP is an acronym for Simple Object Access Protocol.

5. To open WebADM, visit: https://your_server_address

your_server_address
Specifies the host name or IP address of the server on which VMware is installed. This is also where OpenOTP is installed.

6. Log on with user name “admin” and password “password”.


B.3 Configuring RCDevs OpenOTP Server

To configure the RCDevs OpenOTP Server, you create and edit a sample user in the WebADM management console:

1. To open the WebADM management console, visit: https://your_server_address

your_server_address
Specifies the host name or IP address of the server on which VMware is installed. This is also where OpenOTP is installed.

2. Log on with your user name and password.

3. Click Create on the menu at the top of the management console. The Create New Object pane opens.

4. Select the WebADM Account option, and click Proceed. The Create object of Type WebADM Account pane opens.

5. Specify values for the Mandatory attributes in the following fields: Container, Common Name, Login Name, and Last Name.

6. Specify a value in the Email Address field, and click Proceed. The new user account is created.

7. Click Applications on the menu at the top of the management console. The Web Services pane opens and lists the installed web services, including the OTP Authentication Server.

8. To configure the OTP Authentication Server, click Configure. The Authentication Settings pane opens.

9. Select the Login Mode checkbox, and select OTP from the drop-down list.

10. Select the OTP Type checkbox, and select one of the following values from the drop-down list:

— MAIL — Select this option to receive the one-time password by email.

— TOKEN (Default) — Select this option to receive the one-time password from a hardware or software token.

11. Open the user account that you created in the object editor.

12. Click OTP Authentication Server on the Application Actions box.

13. Click Register/Unregister Token. The Register/Unregister Token pane opens for the user whose account you are editing.

14. Select a type from the Token Type drop-down list.

15. Select one of the following options from the Key Mode drop-down list:

— Key generated by Token (Default)

— Key generated by Server

16. Select a format from the Key Format drop-down list.
Default: Hex

17. Type the key value in the Token Key field using the key format selected from the drop-down list.

18. Click Register.


Appendix C: Integrating Microsoft SharePoint with Cloud Identity Manager

Enterprise administrators who want to allow SaaS or web applications to access user data stored on a SharePoint server inside the enterprise can do so securely by using Cloud Identity Manager. SharePoint provides a WS API that can be accessed using IWA authentication. In addition to the SharePoint server, the enterprise domain includes an Active Directory user store.

Cloud Identity Manager implements this use case by serving as a proxy between SharePoint and the SaaS or web application. In this implementation, Cloud Identity Manager transfers user data from SharePoint to the SaaS or web application using the SPNEGO protocol.

Note: WS is an acronym for web services, API is an acronym for application programming interface, and IWA is an acronym for Integrated Windows Authentication. SPNEGO is an acronym for Simple and Protected GSSAPI Negotiation Mechanism. GSS is an acronym for General Security Service. GSS offers API developers uniform access to security services on top of a variety of underlying cryptographic mechanisms.


C.1 Overview of SharePoint Integration

The following diagram shows how Cloud Identity Manager can serve as a proxy between a SaaS or web application outside the enterprise and a SharePoint server inside the enterprise.

Figure 4. Integrating SharePoint with Cloud Identity Manager

1. Cloud Identity Manager authenticates an individual user against the Active Directory user store. The resulting Kerberos ticket is stored in the Key Distribution Center (KDC) on the Active Directory server. Cloud Identity Manager establishes an SSO session with the individual user and caches the Kerberos ticket.

2. Cloud Identity Manager sends the SaaS or web application a custom session token. The SaaS or web application sends a request to Cloud Identity Manager for access to the user’s data in SharePoint and an access token that is based on the session token.

3. Cloud Identity Manager validates the access token and forwards the application’s request for SharePoint services to the Active Directory server using the IWA protocol. The Active Directory server sends a SharePoint ticket to Cloud Identity Manager.

4. Cloud Identity Manager sends the SharePoint ticket to SharePoint, and SharePoint grants the SaaS or web application access to the user’s data through Cloud Identity Manager.

Note: To successfully integrate SharePoint with Cloud Identity Manager, the Cloud Identity Manager service account in Active Directory must be enabled for delegated access. For more information, see section C.2.4 Configuring the Active Directory Domain Controller.


C.2 Configuring SharePoint Integration

Integrating SharePoint with Cloud Identity Manager requires configuration in the following areas. For more information about each one, see the corresponding section.

• Cloud Identity Manager — See section C.2.1 Configuring Cloud Identity Manager for SharePoint Integration.

• SaaS or Web Application — See section C.2.2 Configuring the SaaS or Web Application for SharePoint Integration.

• Web Browser — See section C.2.3 Configuring the Web Browser for SharePoint Integration.

• Active Directory Domain Controller — See section C.2.4 Configuring the Active Directory Domain Controller.

• SharePoint — See section C.2.5 Installing and Configuring SharePoint.

C.2.1 Configuring Cloud Identity Manager for SharePoint Integration

Configuring Cloud Identity Manager for SharePoint integration includes the following steps:

1. Create an Identity Connector of type IWA-AD for the enterprise Windows domain. For instructions on how to create an IWA-AD Identity Connector, see section 4.9.4 Configure an IWA-AD Identity Connector.

2. Create a Custom Cloud Connector for the SaaS or web application. For more information about creating a Custom Cloud Connector, see the McAfee Cloud Identity Manager Token Cloud Connector Guide.

3. Configure the Enterprise Service Proxy. For instructions, see section 12.2.1 Configure the Enterprise Service Proxy.

C.2.2 Configuring the SaaS or Web Application for SharePoint Integration

When configuring the SaaS or web application for SharePoint integration, review the following considerations. For more information about each consideration, see the corresponding section:

• User Name and Password — See section C.2.2.1 User Name and Password for SharePoint Access.

• Configuring the web.config File — See section C.2.2.2 Configuring the web.config File.

Note: For more information about configuring the SaaS or web application, see the McAfee Cloud Identity Manager Integration Guide.


C.2.2.1 User Name and Password for SharePoint Access

All HTTP/HTTPS requests for SharePoint services must be sent through the Cloud Identity Manager enterprise service proxy with the following user name and password settings:

• User name — The user name must be set to the proxy's configured name.

Note: The enterprise service proxy is configured in the Management Console. For more information, see section 12.2.1 Configure the Enterprise Service Proxy.

• Password — The password must be set to the encrypted custom token. Because the token stands in for a password and is carried in every request, send requests to the proxy over HTTPS only; a token captured from a cleartext HTTP request can be replayed by anyone who obtains it.

Note: The Cloud Identity Manager SDK library contains all functions needed for custom token operations. For information about how to integrate .NET web applications with Cloud Identity Manager, see the McAfee Cloud Identity Manager Integration Guide.

C.2.2.2 Configuring the web.config File

Configure the following parameters in the web.config file for SharePoint integration. To view the values that correspond to the web.config parameters in the Management Console, locate the custom Cloud Connector that you configured for integrating the SaaS or web application and SharePoint in the Cloud Connectors tab. Click the troubleshooting icon, and select the General Info tab, where you can view configuration information for the specified Cloud Connector.

iceServerSSOUrl
Specifies the URL of the Cloud Identity Manager SSO service.
Note: This parameter corresponds to the Application Endpoint Location SSO Service field shown in the General Info tab corresponding to the Custom Cloud Connector. This field specifies the SSO URL of the Custom Cloud Connector that you configured for integrating the SaaS or web application and SharePoint.

iceServerSLOUrl
Specifies the URL of the Cloud Identity Manager SLO service.
Note: This parameter corresponds to the Service Connection Endpoint Location SLO Service field shown in the General Info tab corresponding to the Custom Cloud Connector. This field specifies the SLO URL of the Custom Cloud Connector that you configured for integrating the SaaS or web application and SharePoint.

serviceURL
Specifies the URL of the SharePoint installation.

authenticationFailedUrl
Specifies the SaaS or web application's login failure URL.

serviceLogoutRequestUrl
(Optional) Specifies the SaaS or web application's logout URL.
Note: This value is specified on the Custom Connector step of the Custom Cloud Connector wizard.

issuerForIceToken
(Optional) Specifies the URL of the custom token issuer.
Note: This value is configured on the Token Profile step of the Custom Cloud Connector wizard. The default refers to localhost, so when Cloud Identity Manager runs on a different host than the application, set this value to match the issuer configured on the Token Profile step.
Default: https://localhost:8443/identityservice

Note: For more information about configuring the web.config file, see the McAfee Cloud Identity Manager Integration Guide.
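The following Python script is an added example, not code from the product guide or from the McAfee SDK. It reads the six web.config parameters listed above and applies the checks a reviewer would make before go-live: every required parameter is present, every configured value is an absolute URL, the SSO, SLO and SharePoint URLs use https, and the token issuer is not still the localhost default. It assumes the parameters are stored as <add key="..." value="..."/> entries under <appSettings>, which the guide does not state, and the host names in the embedded sample web.config are constructed.

```python
"""Check the Cloud Identity Manager settings in a SharePoint-facing web.config.

Added example, not code from the product guide. It assumes the six parameters
from section C.2.2.2 live as <add key="..." value="..."/> entries under
<appSettings> (an assumption; the guide does not state where they are placed).
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REQUIRED = ("iceServerSSOUrl", "iceServerSLOUrl", "serviceURL", "authenticationFailedUrl")
OPTIONAL = ("serviceLogoutRequestUrl", "issuerForIceToken")
MUST_BE_HTTPS = ("iceServerSSOUrl", "iceServerSLOUrl", "serviceURL")
DEFAULT_ISSUER = "https://localhost:8443/identityservice"  # default given in the guide

# Constructed sample web.config with two deliberate weaknesses: a plain-http SSO URL
# and the issuer left at its localhost default.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="iceServerSSOUrl" value="http://sso.example.internal:8443/identityservice/sso"/>
    <add key="iceServerSLOUrl" value="https://sso.example.internal:8443/identityservice/slo"/>
    <add key="serviceURL" value="https://sharepoint.example.internal/sites/portal"/>
    <add key="authenticationFailedUrl" value="https://app.example.internal/loginfailed.aspx"/>
    <add key="issuerForIceToken" value="https://localhost:8443/identityservice"/>
  </appSettings>
</configuration>
"""


def load_app_settings(xml_text):
    """Return {key: value} for every <add> element under <appSettings>."""
    root = ET.fromstring(xml_text)
    settings = {}
    for add in root.iterfind("./appSettings/add"):
        key, value = add.get("key"), add.get("value")
        if key is not None:
            settings[key] = value or ""
    return settings


def check_settings(settings):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    for key in REQUIRED:
        if not settings.get(key):
            findings.append(("error", f"{key} is missing or empty"))
    for key in REQUIRED + OPTIONAL:
        value = settings.get(key)
        if not value:
            continue  # absent optional parameter, or already reported as missing
        parsed = urlparse(value)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            findings.append(("error", f"{key} is not an absolute URL: {value!r}"))
        elif parsed.scheme != "https" and key in MUST_BE_HTTPS:
            # These endpoints carry the custom token and user credentials.
            findings.append(("error", f"{key} must use https, got {value!r}"))
    if settings.get("issuerForIceToken") == DEFAULT_ISSUER:
        findings.append(("warning",
                         "issuerForIceToken is still the localhost default; verify it matches "
                         "the issuer configured on the Token Profile step"))
    return findings


def audit(xml_text):
    """Parse a web.config document and return its findings."""
    return check_settings(load_app_settings(xml_text))


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_WEB_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the embedded sample it reports the http SSO URL as an error and the untouched issuer as a warning; on a corrected copy it reports nothing, which is the state to require before the application is put in front of users.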


C.2.3 Configuring the Web Browser for SharePoint Integration

To integrate SharePoint with Cloud Identity Manager, the web browser must be configured for the SPNEGO protocol. Internet Explorer uses SPNEGO by default for sites in its Local intranet zone and requires no configuration beyond placing the servers in that zone. For information about how to configure Firefox for the SPNEGO protocol, visit: http://people.redhat.com/mikeb/negotiate/.

Internet Explorer logs in to SharePoint automatically. If there is a password prompt, remove it by modifying the IE security settings. From the Start menu, select Control Panel | Internet Options | Security, select the Local intranet zone, and click Sites to add websites to the zone. Add the URLs of the SharePoint and Cloud Identity Manager servers. A browser only presents a Kerberos ticket for a server that has a matching SPN, so a prompt that persists after this change usually means that the SPN registered in section C.2.4 does not match the host name used in the URL.

C.2.4 Configuring the Active Directory Domain Controller

To integrate SharePoint with Cloud Identity Manager, configure the Active Directory Domain Controller, as follows:

1. Create a service account for Cloud Identity Manager.

2. In the Account options area, select the Account is trusted for delegation checkbox.

Note: To successfully integrate SharePoint with Cloud Identity Manager, the Cloud Identity Manager service account in Active Directory must be enabled for delegated access. The Account is trusted for delegation checkbox grants unconstrained delegation: the service account can then impersonate any user who authenticates to it against any service in the forest. In a domain at Windows Server 2003 functional level or later, prefer constrained delegation: once the account has an SPN (step 8), its Properties dialog box shows a Delegation tab; there, select Trust this user for delegation to specified services only and add only the HTTP service of the SharePoint server.

3. Install Windows Server 2003 Support Tools.

4. Open adsiedit.msc, the Active Directory Service Interfaces Editor (ADSI Edit). The Editor provides a view of every object and attribute in the Active Directory forest.

5. Under CN=Users, locate Cloud Identity Manager.

6. Open the Cloud Identity Manager Properties dialog box.

7. From the Attribute Editor tab, select the servicePrincipalName attribute, and click Edit.

8. Specify a Service Principal Name (SPN) for the Cloud Identity Manager account in the Value to add field, and click Add.

Format: <service>/<machine>[@realm]

<service>
Specifies the name of the service provided by Cloud Identity Manager.
Example: HTTP

<machine>
Specifies the host name of the server running the Cloud Identity Manager service, written exactly as clients address it in the URL. If clients use both the short host name and the fully qualified domain name, add one SPN for each. Use a host name rather than an IP address; a browser that opens a URL by IP address does not request a Kerberos ticket.

<@realm>
(Optional) Specifies the Kerberos realm that protects the Cloud Identity Manager service. In Active Directory the realm is the DNS name of the domain. By convention the realm is written in upper case, while the machine name is written in lower case. When the SPN is added to the servicePrincipalName attribute, the realm suffix is normally omitted, because Active Directory resolves the SPN within the domain of the account that carries it.
Example: HTTP/eca360sso-service as registered in Active Directory; with the realm included, HTTP/eca360sso-service@ECA360SSO-SERVICE for a host named eca360sso-service in a realm named ECA360SSO-SERVICE.

Note: An SPN must be unique in the forest. If the same SPN is registered on two accounts, the domain controller cannot decide which account's key to use, and Kerberos authentication fails for both.

9. Create additional user accounts for credential mapping.
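The following Python script is an added example, not part of the product guide or of any McAfee or Microsoft tool. It parses SPNs in the <service>/<machine>[@realm] format described in step 8 and performs the two checks worth running before an SPN is registered: no SPN is held by more than one account (Active Directory compares the service and host parts case-insensitively, and a duplicate breaks Kerberos for both accounts), and every host name that clients type into a URL has a matching HTTP SPN. The account names, host names and realm in the embedded data are constructed; in practice the dictionary would be filled from an export of the servicePrincipalName attribute.

```python
"""Validate servicePrincipalName values and find duplicates before registering them.

Added example, not part of the product guide. It checks the
<service>/<machine>[@REALM] format from section C.2.4 and the two conditions that
most often break Kerberos SSO: an SPN registered on more than one account, and a
host that clients reach by a name for which no SPN exists. The account names,
hosts and realm below are constructed sample data.
"""
import re
from collections import defaultdict

# service class: letters, digits, dashes; host: DNS label or FQDN with optional port;
# realm: optional, and must be upper case by convention
SPN_RE = re.compile(
    r"^(?P<service>[A-Za-z][A-Za-z0-9-]*)/"
    r"(?P<host>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)(?::(?P<port>\d{1,5}))?"
    r"(?:@(?P<realm>[A-Za-z0-9.-]+))?$"
)


def parse_spn(spn):
    """Split an SPN into service, host, port and realm; raise ValueError if malformed."""
    match = SPN_RE.match(spn)
    if not match:
        raise ValueError(f"malformed SPN: {spn!r}")
    parts = match.groupdict()
    if parts["realm"] and parts["realm"] != parts["realm"].upper():
        raise ValueError(f"realm must be upper case: {spn!r}")
    return parts


def canonical(spn):
    """Key used for duplicate detection.

    Active Directory matches service and host case-insensitively, and an SPN
    stored without a realm is implicitly in the account's own domain, so the
    realm suffix is dropped from the key.
    """
    parts = parse_spn(spn)
    port = f":{parts['port']}" if parts["port"] else ""
    return f"{parts['service'].upper()}/{parts['host'].lower()}{port}"


def find_duplicates(accounts):
    """accounts: {sAMAccountName: [spn, ...]}.

    Return {canonical_spn: [account, ...]} for every SPN held by more than one account.
    """
    owners = defaultdict(set)
    for account, spns in accounts.items():
        for spn in spns:
            owners[canonical(spn)].add(account)
    return {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}


def missing_spns(accounts, service, client_hosts):
    """Return the hosts, as clients type them in a URL, that no account serves."""
    registered = {canonical(spn) for spns in accounts.values() for spn in spns}
    return [h for h in client_hosts if canonical(f"{service}/{h}") not in registered]


# Constructed sample: the Cloud Identity Manager service account, a stale account
# that still carries the same SPN in different case, and a SharePoint application
# pool account registered only under its fully qualified name.
SAMPLE_ACCOUNTS = {
    "svc-cim": ["HTTP/eca360sso-service",
                "HTTP/eca360sso-service.corp.example.com@CORP.EXAMPLE.COM"],
    "svc-cim-old": ["http/ECA360SSO-SERVICE"],
    "svc-sp-pool": ["HTTP/sharepoint.corp.example.com"],
}
CLIENT_HOSTS = ["sharepoint", "sharepoint.corp.example.com", "eca360sso-service"]

if __name__ == "__main__":
    for spn, accts in find_duplicates(SAMPLE_ACCOUNTS).items():
        print(f"duplicate {spn} on {', '.join(accts)}")
    for host in missing_spns(SAMPLE_ACCOUNTS, "HTTP", CLIENT_HOSTS):
        print(f"no HTTP SPN registered for host {host}")
```

On the sample data the script reports the HTTP/eca360sso-service SPN as duplicated between svc-cim and svc-cim-old, and the short name sharepoint as having no SPN even though its fully qualified form does; both are conditions that produce a password prompt in the browser rather than an obvious error on the server.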


C.2.5 Installing and Configuring SharePoint

Installing and configuring SharePoint for integration with Cloud Identity Manager includes the following steps:

1. Join the SharePoint Server 2007 host to the Windows domain.

2. Install IIS, FrontPage Extensions, and .NET Framework 3.0.

Note: IIS is an acronym for Internet Information Services.

3. To enable ASP.NET 2.0 for IIS, go to the following directory and execute the command:

C:\Windows\Microsoft.NET\Framework\v2.0.50727
aspnet_regiis.exe -i

Note: ASP is an acronym for Active Server Pages.

4. Install SharePoint Server 2007, and accept the default options.

5. To verify that Kerberos authentication is enabled:

a. Open Central Administration from the Start menu.
b. Log on using the domain administrator account.
c. Go to Application Management > Authentication Providers > Edit Authentication.
d. In the IIS Authentication Settings area, select the Integrated Windows authentication checkbox and the Negotiate (Kerberos) option.

6. To add domain users to the SharePoint site, log on to the site using the domain administrator account. In the Home tab, open People and Groups, and add domain user accounts to the Home Members group.


Appendix D: Integrating McAfee Web Gateway and McAfee Web Protection Service

This appendix is a guide to integrating Cloud Identity Manager with the following McAfee products:

• McAfee Web Gateway — Web Gateway is an on-premise web security software appliance that provides threat protection and guards against data loss. Configuring Cloud Identity Manager and Web Gateway to work together combines the SSO role of Cloud Identity Manager with the enhanced web security provided by Web Gateway.

• McAfee Web Protection Service — Web Protection Service is a SaaS application that is deployed on a McAfee server. Through the application of custom Internet-use policies, web traffic and webpage analysis, web filtering, and comprehensive data analysis, Web Protection Service protects an organization's computer systems and networks from threats that enter through web browsers. Configuring Cloud Identity Manager and Web Protection Service to work together combines the SSO role of Cloud Identity Manager with the sophisticated web filtering capability provided by Web Protection Service.

D.1 Integrating Web Protection Service with Cloud Identity Manager

Because Web Protection Service is a web service, it is not installed. It is preconfigured as a proxy, and the proxy URL and port number are provided with the service. When configuring the outgoing Cloud Identity Manager connection to Web Protection Service, specify these values. For more information, see section D.3 Configuring Outgoing Cloud Identity Manager Connections.

D.2 Integrating Web Gateway with Cloud Identity Manager

For information and guidelines about how to integrate Web Gateway with Cloud Identity Manager, see the following topics in this section:

• D.2.1 Dual Installation Guidelines
• D.2.2 Configuring Web Gateway to Run in Explicit Proxy Mode
• D.2.3 Configuring Cloud Identity Manager as the Upstream Proxy in Web Gateway
• D.2.4 Modifying SSL Scanner Rule Sets in Web Gateway
• D.2.5 Exporting the Default Web Gateway CA Certificate


D.2.1 Dual Installation Guidelines

You can install and run Web Gateway and Cloud Identity Manager by following these guidelines:

1. Install a Web Gateway 7.1 ISO image on a bare-metal server with a dual-core Central Processing Unit (CPU) and four gigabytes (GB) of memory, with the custom Linux kernel 2.6 and JRE 1.6.22 installed.

2. Install Cloud Identity Manager on the same server or a different server.

3. Reserve the following port numbers for Cloud Identity Manager use:

— Port 8443 — Cloud Identity Manager listens for Management Console messages.
— Port 9999 — Cloud Identity Manager listens for Java Management Extensions (JMX) messages.
— Port 11111 — When configured as a proxy server, Cloud Identity Manager listens for incoming network messages.

Note: Only port 11111 needs to be reachable from user networks. Restrict ports 8443 and 9999 to administrative hosts with a host or network firewall, and confirm that the JMX listener requires authentication, because an open JMX port gives remote control of the Java process.

D.2.2 Configuring Web Gateway to Run in Explicit Proxy Mode

Configuring Cloud Identity Manager as the upstream proxy for Web Gateway allows Web Gateway to access the Internet from within the intranet hosting Cloud Identity Manager. Before configuring Cloud Identity Manager as the upstream proxy, configure Web Gateway to run in explicit proxy mode:

1. Open the Web Gateway management console.

2. Select the Configuration tab; then select the Appliances tab.

3. In the Appliances folder on the left, click Proxies. The proxy page opens.

4. In the Network Setup area, select the Proxy option.

5. In the HTTP Proxy area, select the Enable HTTP proxy checkbox.

6. In the HTTP port definition list, add an HTTP proxy rule for default HTTP port 9090.

D.2.3 Configuring Cloud Identity Manager as the Upstream Proxy in Web Gateway

After you configure Web Gateway to run in explicit proxy mode, you can configure Cloud Identity Manager as the upstream proxy in Web Gateway. The following steps outline the configuration process:

1. In the Web Gateway management console, go to Policy > Rule Sets.

2. From the built-in rule sets, select the rule set named Next Hop Proxy.

3. For the selected rule set, configure the IP range list to include the Cloud Identity Manager server.

4. Go to Policy > Settings.

5. On the Engines branch of the Settings tree, select Next Hop Proxy, and configure the settings for this rule set.

6. Save the changes.


D.2.4 Modifying SSL Scanner Rule Sets in Web Gateway

If authorization is enabled in Cloud Identity Manager, then modify the following SSL Scanner rule sets in the Web Gateway management console:

• Go to SSL Scanner > Handle Connect Call > Set Client Context, and select Always > Continue — Enable SSL Client Context with CA <Default CA>. This setting enables the use of a server certificate and specifies Web Gateway as the root certificate authority (CA) and default certificate issuer on the Web Gateway server.

• Go to SSL Scanner > Content Inspection > Enable Content Inspection. When enabled, this rule set completes the handling of a CERTVERIFY call. It allows some requests to skip content inspection, and enforces content inspection of other requests.

D.2.5 Exporting the Default Web Gateway CA Certificate

Export the default Web Gateway CA certificate, so that it can be imported into the default trusted CA keystore used by Cloud Identity Manager.

1. In the Web Gateway management console, go to Policy > Settings.

2. On the Engines branch of the Settings tree, go to Default CA.

3. Click Save Certificate.

To import the default Web Gateway certificate into the default trusted CA keystore used by Cloud Identity Manager, run the Java keytool utility, as follows:

keytool -import -keystore <JRE_HOME>/lib/security/cacerts -file MWG_CA.cer -alias MWG

Note: The default keystore password is "changeit".

Before answering yes to the trust prompt, compare the fingerprint that keytool prints with the fingerprint of the Default CA shown in the Web Gateway console; importing a certificate that was substituted in transit would make Cloud Identity Manager trust an attacker's interception proxy. After the import, every certificate that Web Gateway issues during SSL scanning is trusted by the whole JRE, not just by Cloud Identity Manager. Change the keystore password from its published default, restrict write access to the cacerts file, and repeat the import after a JRE upgrade, which replaces cacerts.


D.3 Configuring Outgoing Cloud Identity Manager Connections

To route outgoing Cloud Identity Manager connections to Web Gateway or Web Protection Service, configure the network proxy addresses in the Cloud Identity Manager Management Console:

1. Select the Proxy Management option from the Admin tab drop-down list. The Network window opens.

2. In the Route Proxy tab, configure the following fields:

Http Proxy
Specifies the route proxy for outgoing HTTP connections. Type the host name or IP address of the Web Gateway or Web Protection Service server in this field.

Port
Specifies the port number of the route proxy for outgoing HTTP connections.
Default Web Gateway value: 9090
Default Web Protection Service value: 8080

SSL Proxy
Specifies the route proxy for outgoing HTTPS connections. Type the host name or IP address of the Web Gateway or Web Protection Service server in this field.

Port
Specifies the port number of the route proxy for outgoing HTTPS connections.
Default Web Gateway value: 9090
Default Web Protection Service value: 8080

No Proxy for
Specifies the servers to which Cloud Identity Manager connects directly, bypassing the route proxy. Type the host names or IP addresses of servers that must not be reached through Web Gateway or Web Protection Service, for example on-premise identity stores inside the intranet, in this field. Do not list the proxy server itself here.

3. After configuring the network proxy addresses in the Management Console, set the web browser’s route proxy to the Cloud Identity Manager listening port 11111.

Note: For more information about configuring the network proxy addresses in the Management Console, see section 12.2 Configure Network Proxy Addresses.


Appendix E: Integrating Salesforce Chatter Mobile with Cloud Identity Manager

When Salesforce Chatter is configured to delegate authentication to Cloud Identity Manager, enterprise users can access their Salesforce Chatter accounts on an Apple iPhone or Android mobile device through SAML2 federation with their enterprise account. When you configure authentication in Cloud Identity Manager, you have the option of configuring two-factor authentication.

For example, you can configure LDAP authentication using an LDAP identity store as the primary authentication method and OTP authentication as the secondary authentication method. Cloud Identity Manager supports OTP authentication through One Time Password Server and Pledge, a mobile OTP client installed on the mobile device.

Although two-factor authentication is not required, it is recommended when enterprise users access resources, such as Salesforce Chatter, from outside their organization’s intranet. As a result, this appendix provides overview and configuration sections that cover two-factor authentication with OTP. If you are configuring a single authentication method, you can ignore this supplementary information.


E.1 Salesforce Chatter Mobile Overview

To integrate Salesforce Chatter Mobile and Cloud Identity Manager, you configure Salesforce Chatter to delegate authentication to Cloud Identity Manager. In Cloud Identity Manager, you configure two-factor authentication using an enterprise LDAP identity store and Pledge, a mobile OTP client, installed on the mobile device.

Note: Two-factor authentication is an option, not a requirement.

Figure 5. Salesforce Chatter Mobile Overview

1. An enterprise user requests access to an organization's Salesforce Chatter domain through the Salesforce Chatter Mobile client installed on a mobile device. The Chatter Mobile client is configured to forward the request to the organization's custom Salesforce domain.

2. Salesforce is configured to redirect the request to Cloud Identity Manager for authentication. The redirect takes place through the Salesforce Chatter Mobile client.

3. Cloud Identity Manager prompts the user for enterprise credentials, which the user provides.

4. Cloud Identity Manager authenticates the user's credentials against an LDAP identity store.

5. Cloud Identity Manager prompts the user for a one-time password, which the user provides.

6. Cloud Identity Manager validates the one-time password against the One Time Password Server.

7. Cloud Identity Manager redirects the user to Salesforce with the authentication result. The redirect takes place through the Salesforce Chatter Mobile client.

8. Salesforce grants the user access to the enterprise Salesforce Chatter domain.


E.2 Salesforce Chatter Mobile Configuration

For configuration details, see the following sections:

• Cloud Identity Manager Configuration — See section E.2.1 Configuring Cloud Identity Manager for Salesforce Chatter Mobile.

• Salesforce Configuration — See sections E.2.2 Configuring SSO and SLO in Salesforce and E.2.3 Creating a Custom Domain Name in Salesforce.

• Apple iPhone or Android Mobile Device Configuration — See section E.2.4 Setting Up Salesforce Chatter on an Apple iPhone or Android Mobile Device and E.2.5 Setting Up Pledge on an Apple iPhone or Android Mobile Device.

Note: If you are configuring two-factor authentication with OTP, you also need to configure One Time Password Server. For more information, see Appendix A: Integrating External One Time Password Servers with Cloud Identity Manager.

After configuration is complete, you can access Salesforce Chatter from your Apple iPhone or Android mobile device. For more information, see section E.3 Accessing Salesforce Chatter from an Apple iPhone or Android Mobile Device.

E.2.1 Configuring Cloud Identity Manager for Salesforce Chatter Mobile

Before configuring Cloud Identity Manager for Salesforce Chatter Mobile, review the following requirements and considerations:

• Configuration in the Management Console

In the Management Console, create a Salesforce Cloud Connector. On the Identity Connector step of the Cloud Connector wizard, create a new or select an existing Identity Connector of type authentication chain that consists of two authentication modules: LDAP and OTP. When configuring the OTP authentication module, select the UID option from the Target OTP Attribute menu. For more information, see the McAfee Cloud Identity Manager Salesforce Cloud Connector Guide and section 5.0 Authentication Chains.

Note: Two-factor authentication is an option, not a requirement.

• Modifying the Cloud Identity Manager bootstrap.xml File

Comment out the code in the bootstrap.xml file that enables SSL in Cloud Identity Manager. When SSL is enabled with the default certificate, the Chatter login fails, because Chatter does not allow self-signed certificates, and the default SSL certificate is self-signed.

Caution: With SSL disabled, the enterprise password and the one-time password that the user types on the mobile device travel in clear text over the Internet between the device and Cloud Identity Manager. For production use, keep SSL enabled and replace the self-signed certificate in the keystore referenced by bootstrap.xml with a certificate issued by a certificate authority that the mobile operating system trusts, or terminate TLS on a reverse proxy in front of Cloud Identity Manager. Disable SSL only in a test environment.

Locate the bootstrap.xml file in the following directory:
C:\Program Files\Intel\ECA360SSO\configuration

Open the file in a text editor, and comment out the following lines of code:

    <SSLConfiguration>
        <certificateAlias>jetty</certificateAlias>
        <keystore>keystore</keystore>
        <keystorePassword> . . . </keystorePassword>
    </SSLConfiguration>


E.2.2 Configuring SSO and SLO in Salesforce

To configure SSO and SLO in your Salesforce administrator’s account, you need the values you configured for the following settings on the SAML Assertion step of the Salesforce Cloud Connector wizard in the Management Console:

• SAML assertion issuer
• Identity Provider Login URL
• Identity Provider Logout URL

In your Salesforce administrator's account, perform the following steps:

1. Select Setup | Administration Setup | Security Controls | Single Sign-On Settings. The Single Sign-On Settings page opens.

2. Click Edit, and select SAML Version 2.0.

3. To specify the SAML User ID Type, select the Assertion contains the Federation ID from the User object option.

4. To specify the SAML User ID Location, select the User ID is in an Attribute element option.

5. Copy the name from the SAML assertion issuer field on the SAML Assertion step of the Salesforce Cloud Connector wizard to the Issuer field in your Salesforce account.

6. Upload the public certificate to Salesforce. The public certificate corresponds to the signing key pair you selected in the SAML Assertion step of the Salesforce Connector wizard. The Identity Provider Certificate field is populated with the certificate information.

7. Specify mail in the Attribute name field.

8. Copy and paste the Identity Provider Login URL from the SAML Assertion step of the Salesforce wizard to the corresponding field in your Salesforce account.

SSO Example: http://<eca360sso-server>/identityservice/package/idpchatter/saml2/SSO?SpEntity=OTPChatter

<eca360sso-server>
Specifies the name of the server on which Cloud Identity Manager is installed.

9. Copy and paste the Identity Provider Logout URL from the SAML Assertion step of the Salesforce wizard to the corresponding field in your Salesforce account.

SLO Example: http://<eca360sso-server>/identityservice/package/idpchatter/saml2/SLO?SpEntity=OTPChatter

<eca360sso-server>
Specifies the name of the server on which Cloud Identity Manager is installed.

Note: The examples use http because the procedure in section E.2.1 disables SSL. If SSL remains enabled, use https in both URLs.

10. Save the settings.

SSO and SLO are enabled on Salesforce.


E.2.3 Creating a Custom Domain Name in Salesforce

Create a custom Salesforce domain name for your organization. When members of your organization log on to Salesforce and use Salesforce applications, your domain name appears in the URLs.

In your Salesforce administrator's account, perform the following steps:

1. Select Setup | Administration Setup | Company Profile | My Domain. The My Domain page opens.

2. Select, register, test, and deploy a custom Salesforce domain name for your organization.

Format: https://<your-domain-name>.my.salesforce.com

<your-domain-name>
Specifies the domain name you select.
Example: https://eca360-sso-org.my.salesforce.com

E.2.4 Setting Up Salesforce Chatter on an Apple iPhone or Android Mobile Device

Download the Salesforce Chatter Mobile application to your Apple iPhone or Android mobile device from the Salesforce store. The setup details depend on the particular mobile device, but in general, setup is similar for both the Apple iPhone and an Android mobile device. To set up the Apple iPhone for Salesforce Chatter, you go to Chatter Settings, select Custom Host for the Login Host, and provide the full domain name that you registered in Salesforce.

E.2.5 Setting Up Pledge on an Apple iPhone or Android Mobile Device

Configuring two-factor authentication with OTP is optional. For information about how to download and configure Pledge, the mobile OTP client supported by Cloud Identity Manager, on your Apple iPhone or Android mobile device, visit:
http://support.nordicedge.se/

E.3 Accessing Salesforce Chatter from an Apple iPhone or Android Mobile Device

When configuration is complete, you can log in to Salesforce Chatter from your Apple iPhone or Android mobile device. On your mobile device, Cloud Identity Manager presents an LDAP login page and you enter your enterprise credentials, such as user name and password. After you are authenticated against the LDAP identity store, Cloud Identity Manager presents a one-time password prompt on your mobile device. After you enter the one-time password and it is verified, you are granted access to your organization’s domain on Salesforce Chatter.

Note: Two-factor authentication is an option, not a requirement.


Appendix F: Integrating Active Directory Federation Services 2.0 with Cloud Identity Manager

Microsoft Active Directory Federation Services (AD FS) 2.0 simplifies access to services and applications with an open claims-based identity federation model. The AD FS 2.0 platform provides Windows-based Federation Services that support WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) protocols. Using the SAML 2.0 protocol and SAML 2.0 HTTP POST binding, you can integrate AD FS 2.0 and Cloud Identity Manager.

F.1 AD FS 2.0 Identity Federation Terms

Because AD FS 2.0 is integrated with Cloud Identity Manager using the SAML 2.0 protocol, AD FS 2.0 and SAML 2.0 terms overlap in this section of the documentation. For example, a SAML assertion is a claim or statement about a user's identity. The terms Identity Provider and Service Provider are also defined more narrowly in the AD FS 2.0 context than they are elsewhere in the Cloud Identity Manager documentation. The following terms are used to describe AD FS 2.0 identity federation:

Claim
A claim is a statement about a user, such as the user's name or identifier. Claims have one or more values and are packaged in security tokens and issued by a Security Token Service (STS).

Claims Provider
A Claims Provider is the Federation Service that issues claims and enables SSO between organizations, Relying Parties, and Identity Providers. Claims are issued in security tokens.

Identity Provider
The Identity Provider (IdP) manages identity information, provides authentication services, and issues claims about a user's identity in a security token. The Identity Provider is also the Claims Provider.

Relying Party
The Relying Party (RP) requests identity information and consumes claims about a user's identity. The claims are signed by a Claims Provider that the Relying Party trusts. The Relying Party makes decisions and acts on the identity information received. The Relying Party is also the Service Provider.

Security Token
A security token is one or more claims that are cryptographically signed by the Claims Provider. The signature provides proof of the integrity of the claims and of the identity of the Claims Provider to the Relying Party. The Relying Party must verify that signature against the Claims Provider's certificate before acting on any claim.

Security Token Service
The Security Token Service (STS) is the software component that packages claims in signed, and optionally encrypted, security tokens and issues them.


For more background information about AD FS 2.0, see the following resources:

• AD FS 2.0 Content Map
http://social.technet.microsoft.com/wiki/contents/articles/2735.aspx

• AD FS 2.0 Deployment Guide
http://technet.microsoft.com/en-us/library/adfs2-deployment-guide(WS.10).aspx

• AD FS 2.0 Terminology
http://technet.microsoft.com/en-us/library/adfs2-help-terminology(WS.10).aspx

F.2 Identity Federation with AD FS 2.0

AD FS 2.0 is a collection of federation services, including a core security token service that uses Active Directory as the identity store. When integrated with Cloud Identity Manager, AD FS 2.0 can be set up in the role of Identity Provider or in the role of Relying Party:

• AD FS 2.0 as Identity Provider — In this use case, Cloud Identity Manager provides SSO services for a SaaS or web application that supports SAML 2.0 authentication. Cloud Identity Manager delegates authentication to AD FS 2.0. In the Identity Provider role, AD FS 2.0 issues signed SAML tokens which Cloud Identity Manager consumes. To set up this use case, you start by configuring Cloud Identity Manager as the Relying Party in the AD FS 2.0 management console. For more information, see section F.2.1 Use Case 1: AD FS 2.0 as the Identity Provider.

• AD FS 2.0 as Relying Party — In this use case, AD FS 2.0 provides federation services for a WIF application and delegates authentication to Cloud Identity Manager. In the Relying Party role, AD FS 2.0 consumes signed SAML tokens issued by Cloud Identity Manager. To set up this use case, you start by configuring Cloud Identity Manager as the trusted Identity Provider in the AD FS 2.0 management console. For more information, see section F.2.2 Use Case 2: AD FS 2.0 as the Relying Party.


F.2.1 Use Case 1: AD FS 2.0 as the Identity Provider

In Use Case 1, Cloud Identity Manager is connected to a SaaS or web application, which supports SAML2 authentication, by a SAML2 Cloud Connector. In the Relying Party role, Cloud Identity Manager delegates SAML authentication to AD FS 2.0. As the Identity Provider, AD FS 2.0 authenticates the user against an Active Directory identity store.

Figure 6. AD FS 2.0 as the Identity Provider

1. The user requests services from a SaaS or web application.
2. The SaaS or web application sends a SAML authentication request to Cloud Identity Manager.
3. Cloud Identity Manager forwards the SAML authentication request to AD FS 2.0.
4. AD FS 2.0 authenticates the user against an Active Directory identity store.
5. AD FS 2.0 sends a SAML authentication result to Cloud Identity Manager.
6. Cloud Identity Manager forwards the SAML authentication result to the SaaS or web application.
7. The SaaS or web application grants access to the user.


F.2.2 Use Case 2: AD FS 2.0 as the Relying Party

In Use Case 2, AD FS 2.0 and Cloud Identity Manager have exchanged roles and places in the diagram. AD FS 2.0 is now federated with a Windows Identity Foundation (WIF) application. The WIF application delegates authentication to AD FS 2.0, and as the Relying Party, AD FS 2.0 delegates authentication to Cloud Identity Manager in the form of a SAML authentication request. As the Identity Provider, Cloud Identity Manager authenticates the user against an Active Directory identity store.

Figure 7. AD FS 2.0 as the Relying Party

1. The user requests services from a WIF application.
2. The WIF application delegates authentication to AD FS 2.0.
3. AD FS 2.0 sends a SAML authentication request to Cloud Identity Manager.
4. Cloud Identity Manager authenticates the user against an Active Directory identity store.
5. Cloud Identity Manager sends a SAML authentication result to AD FS 2.0.
6. AD FS 2.0 sends the authentication result to the WIF application.
7. The WIF application grants access to the user.


F.3 Identity Federation with AD FS 2.0 as Identity Provider

When configured as the Identity Provider, AD FS 2.0 issues signed SAML tokens which are consumed by Cloud Identity Manager. To configure identity federation with AD FS 2.0 in the Identity Provider role, you create a Relying Party Trust with Cloud Identity Manager in the AD FS 2.0 management console. This process involves the following steps:

• Configuring Cloud Identity Manager as the Relying Party in the AD FS 2.0 management console — See section F.3.1 Configure Cloud Identity Manager as the Relying Party in AD FS 2.0.

• Editing claim rules in the AD FS 2.0 management console — See section F.3.2 Editing Claim Rules in AD FS 2.0: Relying Party Trust Example.

• Configuring Cloud Identity Manager as the Relying Party in the Cloud Identity Manager Management Console — See section F.3.3 Configuring Cloud Identity Manager as RP in the Management Console.

Note: When AD FS 2.0 is the Identity Provider, configure a connection from AD FS 2.0 to an Active Directory attribute store.

F.3.1 Configure Cloud Identity Manager as the Relying Party in AD FS 2.0

When configured as the Identity Provider, AD FS 2.0 issues signed SAML tokens that Cloud Identity Manager consumes. In the AD FS 2.0 management console, you create a Relying Party Trust with Cloud Identity Manager. You begin by opening the Add Relying Party Trust Wizard.

Note: For more information about creating a Relying Party Trust manually, visit: http://technet.microsoft.com/en-us/library/dd807108(WS.10).aspx

To configure Cloud Identity Manager as the Relying Party in AD FS 2.0

1. Open the AD FS 2.0 management console.

2. Under AD FS 2.0 | Trust Relationships, right-click Relying Party Trusts, and then click Add Relying Party Trust.
The Add Relying Party Trust Wizard opens.

3. On the Welcome page, click Start.

4. On the Select Data Source page, click Enter data about relying party manually, and then click Next.

5. On the Specify Display Name page, type the name of the server on which Cloud Identity Manager is installed in the Display name field, and then click Next.

6. On the Choose Profile page, click AD FS 2.0 Profile, and then click Next.

7. On the Configure Certificate page, click Next.


8. On the Configure URL page:
a. Select the Enable support for the SAML 2.0 WebSSO protocol checkbox.
b. Copy and paste the following SAML service endpoint URL under Relying party SAML 2.0 SSO service URL:
https://<eca360sso-server>/identityservice/package/idp<id_connector_name>/extAuthn/login

<eca360sso-server>
Specifies the host name or IP address of the server on which Cloud Identity Manager is installed.

<id_connector_name>
Specifies the name of the Identity Connector that you configured for AD FS 2.0 in Cloud Identity Manager.

Note: You can locate this URL in the Cloud Identity Manager Management Console. In the Cloud Connectors tab, click the troubleshooting icon corresponding to the SAML2 Cloud Connector that you created for AD FS 2.0. In the General Info tab, you can find the URL in the Authentication Login field located in the Identity Connector area.

c. Click Next.

9. On the Configure Identifiers page, specify the URL of the Cloud Identity Manager identity service, click Add, and then click Next.
Value: https://<eca360sso-server>/identityservice

<eca360sso-server>
Specifies the host name or IP address of the server on which Cloud Identity Manager is installed.

10. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party, and then click Next.

11. On the Ready to Add Trust page, review the settings, and then click Next.
The Relying Party Trust is saved.

12. On the Finish page, click Close.
The Edit Claim Rules dialog box opens.

F.3.2 Editing Claim Rules in AD FS 2.0: Relying Party Trust Example

To configure a Relying Party Trust with Cloud Identity Manager in the AD FS 2.0 management console, you edit the claim rules that determine how Active Directory attributes are transformed and output in the claims that are sent to Cloud Identity Manager. In the following example, you edit three rules. The first two rules generate the SAML subject for Cloud Identity Manager. The third rule generates an additional attribute. These steps and values are just one example of how to edit claim rules for a Relying Party Trust with Cloud Identity Manager.

For more information about editing claim rules for a Relying Party Trust, visit: http://technet.microsoft.com/en-us/library/ee913578(WS.10).aspx

1. Open the AD FS 2.0 management console.

2. Under AD FS 2.0 | Trust Relationships, click Relying Party Trusts.

3. Right-click the Relying Party Trust relationship for which you want to create claim rules, and then click Edit Claim Rules.
The Edit Claim Rules dialog box opens.

4. To configure rules that specify which claims are sent to the relying party, select the Issuance Transform Rules tab, and then click Add Rule.
The Issuance Transform Rules wizard opens.

5. On the Select Rule Template page, under Claim rule template, select Send LDAP Attributes as Claims, and then click Next.
Note: Using this rule template, you can configure LDAP attribute values as claims.


6. On the Configure Rule page:
a. Type a display name for the rule under Claim rule name.
Example: E-Mail from AD
b. Select Active Directory under Attribute store.
c. Select an LDAP Attribute and Outgoing Claim Type under Mapping of LDAP attributes to outgoing claim types.
LDAP Attribute: E-Mail-Addresses
Outgoing Claim Type: E-Mail Address

7. On the Select Rule Template page, under Claim rule template, select Transform an Incoming Claim, and then click Next.
Note: Using this rule template, you can map an incoming claim type to an outgoing claim type. The incoming claim is the claim that was retrieved from Active Directory. The outgoing claim is the claim that is sent to the Relying Party, in this case Cloud Identity Manager. Optionally, you can also map an incoming claim value to a different outgoing claim value.

8. On the Configure Rule page:
a. Type a display name for the rule under Claim rule name.
Example: Transform E-Mail to Name ID
b. Select a type from the Incoming claim type list.
Incoming claim type: E-Mail Address
c. Select a type from the Outgoing claim type list.
Outgoing claim type: Name ID
d. Select the Pass through all claim values option. When this option is selected, incoming claim values are mapped directly to outgoing claim values.

9. On the Select Rule Template page, under Claim rule template, select Send LDAP Attributes as Claims, and then click Next.
Note: Using this rule template, you can send LDAP attribute values as claims.

10. On the Configure Rule page:
a. Type a display name for the rule under Claim rule name.
Example: Send AD Attributes
b. Select Active Directory from the Attribute store drop-down list.
c. Select an LDAP Attribute and Outgoing Claim Type under Mapping of LDAP attributes to outgoing claim types.
LDAP Attribute: Given-Name
Outgoing Claim Type: Given Name

11. Click Finish.

12. Click OK on the Edit Claim Rules dialog box.
The rule set is saved.


F.3.3 Configuring Cloud Identity Manager as RP in the Management Console

After AD FS 2.0 is configured as the Identity Provider and Cloud Identity Manager is configured as the Relying Party in AD FS 2.0, the remaining configuration tasks take place in the Cloud Identity Manager Management Console. Connecting Cloud Identity Manager to AD FS 2.0 in this use case requires a SAML2 Cloud Connector configured with a SAML2 Identity Connector.

1. To create and configure the SAML2 Identity Connector — Create an Identity Connector of type authentication chain. Configure a SAML2 authentication module in the Authentication Module wizard and add it to the Identity Connector. See sections 4.9.1 Configure an Authentication Chain Identity Connector and 5.5.7 Configuring a SAML2 Authentication Module.

2. To create and configure the SAML2 Cloud Connector — Create a SAML2 Cloud Connector. In the Cloud Connector wizard, select the SAML2 Identity Connector that you configured in step 1. For more information, see the McAfee Cloud Identity Manager SAML2 Cloud Connector Guide.

Note: Because Cloud Identity Manager is connecting to the Identity Provider in this use case, the SAML configuration is done in the authentication module wizard. When Cloud Identity Manager is connecting to the Relying Party or Service Provider, as in the second use case, SAML configuration is done in the Cloud Connector wizard.

When you configure the SAML2 authentication module in the wizard, configure the SAML steps as follows:

1. On the SAML SSO step:
a. Select the SP Initiated SSO checkbox.
Note: As the Relying Party, Cloud Identity Manager is the Service Provider and initiates SSO.
b. Type the URL of the Cloud Identity Manager identity service in the Issuer field.
Value: https://<eca360sso-server>/identityservice

<eca360sso-server>
Specifies the host name or IP address of the server on which Cloud Identity Manager is installed.

c. In the Single Sign On Service area, select HTTP_POST for the Binding type, and specify the URL of the AD FS 2.0 service in the Location field.
Note: As the Identity Provider, AD FS 2.0 provides the SSO service. For instructions on how to locate this URL in the AD FS 2.0 management console, see section F.5 Locating the AD FS 2.0 Service URLs.

2. On the Assertion Verification step:
a. In the IDP Issuer field, type the URL of the AD FS 2.0 SAML assertion issuer service.
Note: For instructions on how to locate this URL in the AD FS 2.0 management console, see section F.5 Locating the AD FS 2.0 Service URLs.
b. From the X509 Certificate drop-down list, select the certificate to use when verifying the signed SAML assertion from AD FS 2.0.
Note: For more information, see section F.6 AD FS 2.0 Integration and Certificate Management.

F.4 Identity Federation with AD FS 2.0 as Relying Party

When configured as the Relying Party, AD FS 2.0 consumes signed SAML tokens which are issued by Cloud Identity Manager. To configure identity federation with AD FS 2.0 in the Relying Party role, you create a Claims Provider Trust with Cloud Identity Manager in the AD FS 2.0 management console. This process involves the following steps:

• Configuring Cloud Identity Manager as the Claims Provider in the AD FS 2.0 management console — See section F.4.1 Configure Cloud Identity Manager as the Claims Provider in AD FS 2.0.

• Editing claim rules in the AD FS 2.0 management console — See section F.4.2 Editing Claim Rules in AD FS 2.0: Claims Provider Trust Example.

• Configuring Cloud Identity Manager as the Identity Provider in the Cloud Identity Manager Management Console — See section F.4.3 Configuring Cloud Identity Manager as IdP in the Management Console.


F.4.1 Configure Cloud Identity Manager as the Claims Provider in AD FS 2.0

When configured as the Relying Party, AD FS 2.0 consumes signed SAML tokens that Cloud Identity Manager issues. In the AD FS 2.0 management console, you create a Claims Provider Trust with Cloud Identity Manager. You begin by opening the Add Claims Provider Trust Wizard.

For more information about creating a Claims Provider Trust manually, visit: http://technet.microsoft.com/en-us/library/dd807064(WS.10).aspx

To configure Cloud Identity Manager as the Claims Provider in AD FS 2.0

1. Open the AD FS 2.0 management console.

2. Under AD FS 2.0 | Trust Relationships, right-click Claims Provider Trusts, and then click Add Claims Provider Trust.
The Add Claims Provider Trust Wizard opens.

3. On the Welcome page, click Start.

4. On the Select Data Source page, click Enter claims provider trust data manually, and then click Next.

5. On the Specify Display Name page, type the following string in the Display name field, and then click Next: <eca360sso-server>-idp

<eca360sso-server>
Specifies the host name or IP address of the server on which Cloud Identity Manager is installed.

6. On the Choose Profile page, click AD FS 2.0 Profile, and then click Next.

7. On the Configure URL page:
a. Select the Enable support for the SAML 2.0 WebSSO protocol checkbox.
b. Copy and paste the following SAML service endpoint URL under Claims provider SAML 2.0 SSO service URL:
https://<eca360sso-server>/identityservice/package/idp<id_connector_name>/saml2/SSO?SpEntity=ADFS

<eca360sso-server>
Specifies the host name or IP address of the server on which Cloud Identity Manager is installed.

<id_connector_name>
Specifies the name of the Identity Connector that you configured for AD FS 2.0 in Cloud Identity Manager.

Note: You can locate this URL in the Cloud Identity Manager Management Console. In the Cloud Connectors tab, click the troubleshooting icon corresponding to the SAML2 Cloud Connector that you created for AD FS 2.0. In the General Info tab, you can find the URL in the SSO Service field located in the Service Connection Endpoint Location area.

c. Click Next.

8. On the Configure Identifier page, type the URL of the Cloud Identity Manager identity service under Claims provider trust identifier, and then click Next.
Value: https://<eca360sso-server>/identityservice

<eca360sso-server>
Specifies the host name or IP address of the server where Cloud Identity Manager is installed.

9. On the Configure Certificates page, click Add to locate the Cloud Identity Manager certificate file and add it to the list of certificates, and then click Next.

10. On the Ready to Add Trust page, review the settings, and then click Next.
The Claims Provider Trust is saved.

11. On the Finish page, click Close.
The Edit Claim Rules dialog box opens.


F.4.2 Editing Claim Rules in AD FS 2.0: Claims Provider Trust Example

To create a Claims Provider Trust with Cloud Identity Manager in the AD FS 2.0 management console, you edit one or more acceptance transform rules. Acceptance transform rules define which claims are accepted from the Claims Provider and later transformed by the issuance transform rules. In the following example, one acceptance transform rule is edited. These steps and values are just one example of how to edit a rule for a Claims Provider Trust with Cloud Identity Manager.

For more information about editing claim rules for a Claims Provider Trust, visit: http://technet.microsoft.com/en-us/library/ee913564(WS.10).aspx

1. Open the AD FS 2.0 management console.

2. Under AD FS 2.0 | Trust Relationships, click Claims Provider Trusts.

3. Right-click the Claims Provider Trust relationship for which you want to create claim rules, and then click Edit Claim Rules.
The Edit Claim Rules dialog box opens.

4. To configure rules that specify which claims are accepted from the Identity Provider, select the Acceptance Transform Rules tab, and then click Add Rule.
The Acceptance Transform Rules wizard opens.

5. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim, and then click Next.

6. On the Configure Rule page:
a. Type a display name for the rule under Claim rule name.
Example: Name ID Rule
b. Select Name ID under Incoming claim type.
c. Select Unspecified under Incoming name ID format.
d. Select one of the following options depending on the needs of your organization:
• Pass through all claim values
• Pass through only a specific claim value
• Pass through only claim values that match a specific email suffix value
• Pass through only claim values that start with a specific value

7. Click Finish.

8. Click OK on the Edit Claim Rules dialog box.
The rule is saved.
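As an added example that is not part of this guide, the claim rules built in the wizards of sections F.3.2 (Relying Party Trust) and F.4.2 (Claims Provider Trust) can be written in the AD FS claim rule language and applied with the AD FS 2.0 PowerShell snap-in; the rule bodies mirror what the wizard templates generate, and the trust display names are placeholders for the names you entered in the Add Trust wizards.

```powershell
# Added example, not from the McAfee guide. Claim rules for sections F.3.2 and F.4.2 in the
# AD FS claim rule language, applied with the AD FS 2.0 snap-in. Run on the AD FS 2.0 server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$RpTrustName = 'cim-server.example.com'        # placeholder: Relying Party Trust display name (F.3.1 step 5)
$CpTrustName = 'cim-server.example.com-idp'    # placeholder: Claims Provider Trust display name (F.4.1 step 5)

# AD FS identifies claims by URI, not by display name (see F.9.3).
$WinAccount = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$Email      = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$NameId     = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$GivenName  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'
$NameIdFmt  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'

# Relying Party Trust (F.3.2): the three issuance transform rules from the example.
#  1. Send LDAP Attributes as Claims: E-Mail-Addresses (LDAP "mail") -> E-Mail Address
#  2. Transform an Incoming Claim: E-Mail Address -> Name ID, pass through all values
#  3. Send LDAP Attributes as Claims: Given-Name (LDAP "givenName") -> Given Name
$IssuanceRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "E-Mail from AD"
c:[Type == "$WinAccount", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$Email"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Transform E-Mail to Name ID"
c:[Type == "$Email"]
 => issue(Type = "$NameId", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleTemplate = "LdapClaims"
@RuleName = "Send AD Attributes"
c:[Type == "$WinAccount", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$GivenName"), query = ";givenName;{0}", param = c.Value);
"@

# Issuance authorization rule equivalent to "Permit all users to access this relying party" (F.3.1 step 10).
$AuthzRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Cloud Identity Manager signs with RSA-SHA1, so the trust is set to SHA-1 here as F.9.7 requires.
$Sha1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

Set-ADFSRelyingPartyTrust -TargetName $RpTrustName `
    -IssuanceTransformRules $IssuanceRules `
    -IssuanceAuthorizationRules $AuthzRules `
    -SignatureAlgorithm $Sha1

# Claims Provider Trust (F.4.2): one acceptance transform rule, "Pass Through or Filter an
# Incoming Claim" for Name ID with incoming name ID format Unspecified, passing all values.
$AcceptanceRules = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Name ID Rule"
c:[Type == "$NameId", Properties["$NameIdFmt"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
 => issue(claim = c);
"@

Set-ADFSClaimsProviderTrust -TargetName $CpTrustName `
    -AcceptanceTransformRules $AcceptanceRules `
    -SignatureAlgorithm $Sha1

# Read the rules back; this is the same text the Edit Claim Rules dialog shows under View Rule Language.
(Get-ADFSRelyingPartyTrust -Name $RpTrustName).IssuanceTransformRules
(Get-ADFSClaimsProviderTrust -Name $CpTrustName).AcceptanceTransformRules
```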

F.4.3 Configuring Cloud Identity Manager as IdP in the Management Console

After AD FS 2.0 is configured as the Relying Party and Cloud Identity Manager is configured as the Identity Provider in AD FS 2.0, the remaining configuration tasks take place in the Cloud Identity Manager Management Console. Connecting Cloud Identity Manager to AD FS 2.0 in this use case requires a SAML2 Cloud Connector configured with an LDAP Identity Connector.

1. To create and configure the LDAP Identity Connector - Create an Identity Connector of type authentication chain. Configure an LDAP authentication module in the Authentication Module wizard and add it to the Identity Connector. See sections 4.9.4 Configure an IWA-AD Identity Connector and 5.5.10 Configure a CAS Authentication Module.

2. To create and configure the SAML2 Cloud Connector - Create a SAML2 Cloud Connector. In the Cloud Connector wizard, select the LDAP Identity Connector that you configured in step 1. For more information, see the McAfee Cloud Identity Manager SAML2 Cloud Connector Guide.

Note: Because Cloud Identity Manager is connecting to the Relying Party in this use case, the SAML configuration is done in the Cloud Connector wizard. When Cloud Identity Manager is connecting to the Identity Provider, as in the first use case, SAML configuration is done in the authentication module wizard.


When you configure the SAML2 Cloud Connector in the wizard, configure the SAML steps as follows:

1. On the SAML Credential Mapping step:
a. Specify AUTHN_RESULT_FIELD as the Subject Type and mail as the SAML Subject Source.
b. Specify the attribute mappings that AD FS 2.0 expects to find in the SAML assertion.
Note: To view a list of mappings in the AD FS 2.0 management console, go to Management > Service > Claim Descriptions.

2. On the SAML SSO step:
a. Specify the URL of the Assertion Consumer Service (ACS) provided by AD FS 2.0. Specify the Binding type as HTTP_POST.
Note: For instructions on how to locate this URL in the AD FS 2.0 management console, see section F.5 Locating the AD FS 2.0 Service URLs.
b. Select the SP Initiated SSO checkbox.
Note: As the Relying Party, AD FS 2.0 is the Service Provider and initiates SSO.
c. Type the URL of the SAML authentication request issuer used by AD FS 2.0 in the Cloud Issuer field.
Note: For instructions on how to locate this URL in the AD FS 2.0 management console, see section F.5 Locating the AD FS 2.0 Service URLs.
d. Select the Request Verification checkbox, and select a signing key pair from the Signature Keys drop-down list.
Note: Cloud Identity Manager uses the signing key pair to verify the signed SAML2 request from AD FS 2.0.

3. On the SAML Assertion step:
a. Select the signing key pair used by Cloud Identity Manager to sign SAML assertions from the Signature Keys drop-down list. Specify the URL of the Cloud Identity Manager identity service in the SAML assertion issuer field.
b. Add the URL of the AD FS 2.0 service as the audience.
Note: AD FS 2.0 requires the audience information to verify the SAML assertion. For instructions on how to locate this URL in the AD FS 2.0 management console, see section F.5 Locating the AD FS 2.0 Service URLs.


F.5 Locating the AD FS 2.0 Service URLs

When configuring identity federation with AD FS 2.0 in the Cloud Identity Manager Management Console, you need URLs or service endpoints to access the AD FS 2.0 services. You can locate these URLs in the AD FS 2.0 management console, as follows:

• Single Sign On (SSO) and Assertion Consumer Service (ACS)
To locate the common URL or endpoint shared by these two services, navigate to Service | Endpoints in the navigation tree in the AD FS 2.0 management console. In the Token Issuance section, look for the endpoint with type SAML 2.0/WS-Federation. Copy the value in this field, and paste it in the target field in the Cloud Identity Manager Management Console.

• SAML Assertion Issuer and SAML Authentication Request Issuer
To locate the common URL or endpoint shared by these two services, right-click the Service node in the tree on the left panel of the AD FS 2.0 management console, and select Edit Federation Service Properties. Copy the value in the Federation Service Identifier field, and paste it in the target field in the Cloud Identity Manager Management Console.

F.6 AD FS 2.0 Integration and Certificate Management

To integrate AD FS 2.0 with Cloud Identity Manager, you need to prepare the certificates that are required for signing and verifying SAML authentication requests and assertions. Certificate preparation is different for each use case:

• AD FS 2.0 as Identity Provider and Cloud Identity Manager as Relying Party — When AD FS 2.0 is the Identity Provider, you export a certificate from AD FS 2.0 and import it in Cloud Identity Manager. For more information, see section F.6.1 Certificate Preparation: AD FS 2.0 as Identity Provider.

• Cloud Identity Manager as Identity Provider and AD FS 2.0 as Relying Party — When Cloud Identity Manager is the Identity Provider, you export a certificate from Cloud Identity Manager and import it in AD FS 2.0. For more information, see section F.6.2 Certificate Preparation: Cloud Identity Manager as Identity Provider.

Note: For more information about certificate management in Cloud Identity Manager, see section 12.6 Certificate Management.


F.6.1 Certificate Preparation: AD FS 2.0 as Identity Provider

When AD FS 2.0 is the Identity Provider, you export a certificate from AD FS 2.0 and import it in Cloud Identity Manager. Cloud Identity Manager, in turn, uses the certificate to verify SAML assertions issued by AD FS 2.0. Certificate preparation consists of the following steps in the AD FS 2.0 management console, Internet Explorer, and the Cloud Identity Manager Management Console.

In the AD FS 2.0 management console, create the certificate required for integration with Cloud Identity Manager:
1. Select Service | Certificates in the navigation tree.
2. Click View Certificates in the actions window.
The Certificate dialog box opens.
3. Click Install Certificate and select Trusted Root Certification Authorities as the installation directory.

In Internet Explorer, export the certificate that you created in the AD FS 2.0 management console:
1. Select Tools | Internet Options.
2. Select the Content tab, and click Certificates.
3. Select the Trusted Root Certification Authorities tab, and locate the certificate that you created.
4. Select the certificate, and click Export.
The Certificate Export Wizard opens.
5. On the Export File Format step of the wizard, select the Base-64 encoded X.509 (.CER) option.

In the Cloud Identity Manager Management Console, import the AD FS 2.0 certificate that you exported:
1. From the Admin tab drop-down list, select the Certificate Management option.
2. In the Certificate Management window, click Import Trusted Certificate. For detailed configuration information, see section 12.6.13 Import a Trusted Certificate.

F.6.2 Certificate Preparation: Cloud Identity Manager as Identity Provider

When Cloud Identity Manager is the Identity Provider, you export a certificate from Cloud Identity Manager and import it in AD FS 2.0. AD FS 2.0, in turn, uses the certificate to verify SAML assertions issued by Cloud Identity Manager. Certificate preparation consists of the following steps in the Cloud Identity Manager and the AD FS 2.0 management consoles.

In the Cloud Identity Manager Management Console, create and export a new signing key pair:
1. From the Admin tab drop-down list, select the Certificate Management option.
2. To create a new signing key pair, click New Key Pair. Complete the fields on the Generate New Key Pair dialog box, and click Ok. For more information, see section 12.6.11 Generate a New Key Pair.
3. In the Certificate Management window, click the Export icon that corresponds to the new key pair. For more information, see section 12.6.8 Export an X.509 Certificate.

In the AD FS 2.0 management console, import the Cloud Identity Manager certificate. The certificate is imported on the Configure Certificates step in the Add Claims Provider Trust wizard. For more information, see section F.4.1 Configure Cloud Identity Manager as the Claims Provider in AD FS 2.0.


F.7 Software Requirements for AD FS 2.0 Integration

To set up the AD FS 2.0 environment, you need the following software:

• Microsoft Windows Server 2008 Enterprise
• Microsoft .NET Framework 3.1 SP1
• Microsoft Visual Studio 2008
• Microsoft Active Directory Federation Services (AD FS) 2.0
• Microsoft Windows Identity Foundation (WIF) SDK

F.8 Configuring AD FS 2.0 Federation with a WIF Application

To configure AD FS 2.0 federation with a WIF application, perform the following steps in order:
1. Install and configure AD FS 2.0.
2. Install and configure WIF and the application.
3. Configure AD FS 2.0 to send claims to the application.
4. Access the application.

For a step-by-step guide to installing and configuring AD FS 2.0 with a WIF application, visit the following link: http://technet.microsoft.com/en-us/library/adfs2-federation-wif-application-step-by-step-guide(WS.10).aspx

F.9 AD FS 2.0 Considerations and Troubleshooting Tips

The following section contains considerations and troubleshooting tips for integrating AD FS 2.0 with Cloud Identity Manager.

F.9.1 Registering Your Workstation in the Service Principal Name Directory

Problem: The security database on the server is missing the account needed for a trust relationship with your workstation.

Solution: Verify that the Fully Qualified Domain Name (FQDN) of your workstation is registered in the Service Principal Name (SPN) directory. For more information about using the Windows Server tool setspn.exe to register your workstation, visit: http://technet.microsoft.com/en-us/library/cc773257(WS.10).aspx

F.9.2 Enabling NTLM Authentication in Firefox

NTLM is a Windows SSO authentication protocol. To enable NTLM authentication in Firefox, configure Firefox to accept NTLM authentication information from the URIs that you specify:
1. Open Firefox.
2. Enter about:config in the address field.
A list of preferences opens.
3. Copy network.automatic-ntlm-auth.trusted-uris and paste it in the Filter field.
The specified preference is displayed.
4. Double-click the name of the specified preference.
The Enter string value dialog box opens.
5. Type the URI of the location that receives the NTLM authentication information in the field on the dialog box, and click OK. The location can be a SaaS or web application or an identity federation service.
Note: To specify more than one URI, separate them with commas.


F.9.3 Sharing AD FS 2.0 Claims with a SAML 2.0 Service Provider

AD FS 2.0 supports a set of default claim types. Each claim type has a name and a description and is represented by a URI that includes the name and a publishing date. The SAML Service Provider ignores the AD FS 2.0 claim name and uses the URI as the SAML claim name instead.

Note: The following table contains examples of AD FS 2.0 claim types:

Claim Name      Description                               URI
E-Mail Address  The user's email address                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Given Name      The user's given name                     http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Name            A name that uniquely identifies the user  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

For more information about the set of default AD FS 2.0 claim types, visit: http://technet.microsoft.com/en-us/library/ee913589(WS.10).aspx

F.9.4 “Authentication Required” Pop Up in Internet Explorer

Problem: The Authentication Required dialog box pops up when AD FS 2.0 is installed on a domain controller that is running a Windows Server operating system and has Active Directory Domain Services installed.

Solution: Internet Explorer does not pass credentials to a website or service outside the intranet or the domain. To solve this problem, add the URL of the website or service to the list of Local intranet sites in Internet Explorer, as follows.
1. Select Tools | Internet Options.
2. In the Security tab, select Local intranet, and then click Sites.
3. In the Local intranet dialog box, click Advanced.
4. Add the URL of the website to the Local intranet dialog box, and click Close.
5. Click OK to close the Local intranet dialog box.
6. Click OK to close the Internet Options dialog box.

F.9.5 “Add STS Reference” Option Is Missing in Visual Studio 2008

Problem: The Add STS Reference option is missing from the application project context menu in Visual Studio 2008. STS is an acronym for Security Token Service.

Solution: To restore this option, follow these steps:
1. Close Visual Studio 2008.
2. Copy the following file from the source to the destination folder:
File name: Microsoft.IdentityModel.Tools.VS.VSAddin.Addin
Source folder: %PROGRAMFILES%\Windows Identity Foundation SDK\v3.5\Visual Studio Extensions
Destination folder: %USERPROFILE%\Documents\Visual Studio 2008\Addins
3. Restart Visual Studio 2008.


F.9.6 Disabling Certificate Chain Validation

Problem: When Cloud Identity Manager is federated with AD FS 2.0 and a WIF application, the application cannot verify the signature of the SAML token issued by AD FS 2.0.

Solution: Disable certificate chain validation in the WIF application. Locate the following directory and file, and modify the file:

Directory: %PROGRAMFILES%\Windows Identity Foundation SDK\v3.5
File name: Windows.Identity.Foundation.Config.xsd

Open the file and add the certificateValidation element inside the service element, so that the section reads as follows:

<microsoft.identityModel>
  <service>
    <certificateValidation certificateValidationMode="None" />
  </service>
</microsoft.identityModel>

Caveat: With certificateValidationMode set to None, the application no longer builds or revocation-checks the chain of the certificate that signed the token; any signature made with a key the application can match is accepted. Use this setting only in a test environment, or when the application restricts trusted signers by some other means (for example, by certificate thumbprint).

F.9.7 Signature Verification Failure

Problem: Verification of the signature on a SAML request or response exchanged with AD FS 2.0 fails.

Solution: First check that the certificate used to verify the SAML request or response matches the key that signed it. If the certificate is correct, the cause is usually an algorithm mismatch: Cloud Identity Manager always generates signatures with the RSA with SHA-1 algorithm, while AD FS 2.0 by default expects signatures generated with RSA with SHA-256. To resolve this difference, change the signature algorithm setting for the trust in AD FS 2.0, as follows:
1. Open the AD FS 2.0 management console.
2. Under AD FS 2.0 | Trust Relationships, click Claims Provider Trusts or Relying Party Trusts.
3. Right-click the trust relationship, and select Properties.
4. In the Properties dialog box, select the Advanced tab.
5. In the Advanced tab, select SHA-1.

Note: SHA is an acronym for Secure Hash Algorithm. SHA-1 is the weaker of the two algorithms, so this change lowers the signature strength that AD FS 2.0 requires for the trust; it is nonetheless the only option, because Cloud Identity Manager does not generate SHA-256 signatures.

F.9.8 Audience Verification Failure

Problem: An audience verification error occurs when AD FS 2.0 is configured as the Relying Party and Cloud Identity Manager is configured as the Identity Provider.

Solution: On the SAML Assertion step of the SAML2 Cloud Connector wizard, verify that the audience is specified as the AD FS 2.0 Assertion Consumer Service URL.

Note: For more information, see sections F.4.3 Configuring Cloud Identity Manager as IdP in the Management Console and F.5 Locating the AD FS 2.0 Service URLs.


Appendix G: Integrating TPM on Microsoft Windows with Cloud Identity Manager

The following steps are required for integrating a Trusted Platform Module (TPM) security chip on Microsoft Windows with Cloud Identity Manager. The term “client machine” refers to the end user’s computer. For more information, see the following sections:
1. Enabling TPM on the client machine — See section G.1 Enabling TPM on the Client Machine.
2. Preparing the TPM environment on the client machine — See section G.2 Preparing the TPM Environment on the Client Machine.
3. Configuring TPM authentication in Cloud Identity Manager — See section G.3 Configuring TPM Authentication in Cloud Identity Manager.

G.1 Enabling TPM on the Client Machine

To integrate a Trusted Platform Module (TPM) security chip with Cloud Identity Manager, you first enable TPM on the client machine. Enabling TPM involves activating the TPM security chip and then clearing the TPM ownership in BIOS, the computer’s basic input-output system. The details on how to enable TPM in BIOS vary from machine to machine. Contact your computer manufacturer for more information.

G.2 Preparing the TPM Environment on the Client Machine

To prepare the TPM environment on the client machine, you run a TPM driver that generates the TPM password from the user’s private key and prepares the TPM public key for export. The user enters the TPM password on the TPM login page when authenticating to Cloud Identity Manager. The Cloud Identity Manager administrator imports the TPM public key when configuring the TPM authentication module in the Management Console. For information about how to create the TPM driver, contact the manufacturer of the TPM security chip.

To prepare the TPM environment on the client machine, complete the steps in the following sections:
• G.2.1 Add Your Windows Home Directory to the Path Variable
• G.2.2 Extracting the Public Key and Encryption Key Wrapper
• G.2.3 Modify the Security Policy File for JRE

Note: To view a sample security policy file for JRE, see section G.2.4 Sample Security Policy File for JRE.


G.2.1 Add Your Windows Home Directory to the Path Variable

The Path variable is a system environment variable that specifies a semicolon-separated list of directories to search when locating executable files. In this procedure, you add your Windows home directory to the list of directories specified by the Path variable.

To add your Windows home directory to the Path variable
1. From the Start menu, select Control Panel | System | Advanced system settings.
2. In the Advanced tab in the System Properties dialog box, click Environment Variables.
3. In the System variables area in the Environment Variables dialog box, select the Path variable and click Edit.
4. In the Variable value field on the Edit System Variable dialog box, add your Windows home directory to the list of path names, and click OK.
Format: C:\Users\<default_user_name>
Note: You can locate the default user name from the Start menu by selecting Control Panel | System | Advanced system settings. In the Advanced tab in the System Properties dialog box, click Settings in the User Profiles area. In the User Profiles dialog box, the default user name is located in the Name column of the first row.
5. Click OK to save the change and close the Environment Variables dialog box.
6. Click OK to save the change and close the System Properties dialog box.

Caveat: This step adds a directory that the user can write to to the system-wide Path. Any executable placed in the home directory under the name of a program that is started without a full path will then be found by every process that searches the Path, so keep unexpected executables out of that directory and remove the entry when it is no longer needed.

G.2.2 Extracting the Public Key and Encryption Key Wrapper

After you extract the TPM public key and encryption key wrapper from the client machine, complete the following steps:
1. Rename the public key file to intel-tpm.pub and the wrapper file to intel-tmp.kw.
2. Save the renamed files in your Windows home directory.
Format: C:\Users\<default_user_name>
Note: You can locate the default user name from the Start menu by selecting Control Panel | System | Advanced system settings. In the Advanced tab in the System Properties dialog box, click Settings in the User Profiles area. In the User Profiles dialog box, the default user name is located in the Name column of the first row.

G.2.3 Modify the Security Policy File for JRE

To modify the security policy file for JRE, you add a line at the end of the file and restart your web browser.

To modify the security policy file for JRE
1. Locate and open the security policy file for JRE.
Example: C:\Program Files\Java\jre6\lib\security\java.policy
2. Add the following line as the last line of the final grant block at the end of the file:

permission java.security.AllPermission;

3. Restart your web browser.

Note: Without this change, the TPM driver cannot sign the random number generated by Cloud Identity Manager after the user enters the TPM password.

Caveat: Placed in the unrestricted grant block (the block with no codeBase), this line gives every Java code source, not only the TPM applet, full permissions, which turns off the JRE sandbox for all applets and applications that run under this policy file. Where possible, grant it only to the code base that the TPM applet is loaded from, using a grant codeBase "..." block like the first block in the sample file in section G.2.4.


G.2.4 Sample Security Policy File for JRE

The following code is an example of a JRE security policy file. The last line is the line that is added to the file in section G.2.3 Modify the Security Policy File for JRE.

// Standard extensions have all permissions by default.
grant codeBase "file:${{java.ext.dirs}}/" {
    permission java.security.AllPermission;
};

// Default permissions are granted to all domains.
grant {
    // Allow any thread to stop itself by using the java.lang.Thread.stop()
    // method without any arguments.
    // Note: This permission is granted by default only to remain
    // backwards compatible.
    // We recommend that you either remove this permission
    // from this policy file or further restrict it to code sources
    // that you specify, because Thread.stop() is potentially unsafe.
    // See "http://java.sun.com/notes" for more information.
    permission java.lang.RuntimePermission "stopThread";

    // Allow anyone to listen on un-privileged ports.
    permission java.net.SocketPermission "localhost:1024-", "listen";

    // "Standard" properties can be read by anyone.
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
    permission java.util.PropertyPermission "java.vendor.url", "read";
    permission java.util.PropertyPermission "java.class.version", "read";
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.version", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    permission java.util.PropertyPermission "path.separator", "read";
    permission java.util.PropertyPermission "line.separator", "read";
    permission java.util.PropertyPermission "java.specification.version", "read";
    permission java.util.PropertyPermission "java.specification.vendor", "read";
    permission java.util.PropertyPermission "java.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.specification.version", "read";
    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
    permission java.util.PropertyPermission "java.vm.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.version", "read";
    permission java.util.PropertyPermission "java.vm.vendor", "read";
    permission java.util.PropertyPermission "java.vm.name", "read";

    permission java.security.AllPermission;
};

G.3 Configuring TPM Authentication in Cloud Identity Manager

To configure TPM authentication in the Cloud Identity Manager Management Console, the administrator configures a TPM authentication module and adds it to an authentication chain as the secondary authentication method. When configuring the TPM authentication module, the administrator uploads one or more TPM public key files. For more information, see section 5.5.18 Configure a TPM Authentication Module.

G.4 The TPM Authentication Process

This description of the TPM authentication process assumes that the following prerequisites have been met:

• TPM is enabled on the client machine.
• The user has the TPM password.
• The user’s TPM public key is registered in Cloud Identity Manager.
• TPM authentication is configured as the secondary authentication method in Cloud Identity Manager.

The following description of the TPM authentication process includes behind-the-scenes details that the end user never sees. The end user sees only the TPM login page and enters only the TPM password.
1. The user requests access to a SaaS or web application.
2. The application requires successful TPM authentication and delegates authentication to Cloud Identity Manager.
3. Cloud Identity Manager generates a random number (a time-stamped challenge) and sends the number, a TPM login page, and a Java applet to the user.
4. The user enters the TPM password on the TPM login page. The Java applet invokes the TPM driver on the client machine. The TPM driver, unlocked by the TPM password, signs the random number with the user’s TPM-protected key. The signature is sent to Cloud Identity Manager along with the user’s TPM public key.
5. Cloud Identity Manager compares the presented TPM public key with all registered keys and verifies that it is trusted. It then uses the trusted, registered TPM public key to verify the signature generated by the TPM driver on the user’s machine, and authenticates the user. Cloud Identity Manager sends the authentication result to the SaaS or web application.
6. The application grants access to the user.
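The exchange in steps 3 to 5, as an added example for this edition; it is not code from the product guide, from Cloud Identity Manager, or from any TPM driver. Go stands in for all three parties: Client plays the TPM driver (the private key never leaves it), Server plays the TPM authentication module with its registry of uploaded public keys, and Challenge is the random number of step 3. Two things are assumed because the guide does not state them: the key is ECDSA P-256, and the public key file is a DER-encoded SubjectPublicKeyInfo. The example also adds two checks the guide's description does not mention, a maximum challenge age and a record of nonces already accepted, so that a captured signature cannot be replayed. The order of checks in Verify matters: the signature is only ever verified against the registered copy of the key, never against whatever key the client presented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Challenge is the identity provider's "random number": a nonce plus its issue time,
// so a captured signature is useful only briefly and only once.
type Challenge struct {
	Nonce    [32]byte
	IssuedAt int64 // Unix seconds
}

// digest is what both sides sign or verify: SHA-256 over nonce || issue time.
func (c Challenge) digest() []byte {
	b := append(c.Nonce[:], make([]byte, 8)...)
	binary.BigEndian.PutUint64(b[32:], uint64(c.IssuedAt))
	d := sha256.Sum256(b)
	return d[:]
}

// Client stands in for the TPM driver: the private key never leaves it; only the
// public key (the guide's intel-tpm.pub file) is handed to the administrator.
type Client struct{ key *ecdsa.PrivateKey }

func NewClient() (*Client, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // assumed key type: ECDSA P-256
	return &Client{key: k}, err
}

// PublicKey exports the public half as a DER-encoded SubjectPublicKeyInfo (assumed file format).
func (c *Client) PublicKey() ([]byte, error) { return x509.MarshalPKIXPublicKey(&c.key.PublicKey) }

// Sign is the step the TPM driver performs after the user enters the TPM password.
func (c *Client) Sign(ch Challenge) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, c.key, ch.digest())
}

// Server stands in for the TPM authentication module: the registry of uploaded
// public keys and the checks applied to every signed challenge.
type Server struct {
	trusted map[string]*ecdsa.PublicKey // DER public key bytes -> parsed key
	used    map[[32]byte]bool           // nonces already accepted (replay protection)
	maxAge  time.Duration
}

func NewServer(maxAge time.Duration) *Server {
	return &Server{trusted: map[string]*ecdsa.PublicKey{}, used: map[[32]byte]bool{}, maxAge: maxAge}
}

// RegisterPublicKey is the administrator's "upload TPM public key" step.
func (s *Server) RegisterPublicKey(der []byte) error {
	pub, err := x509.ParsePKIXPublicKey(der)
	ec, ok := pub.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return errors.New("not a DER-encoded ECDSA public key")
	}
	s.trusted[string(der)] = ec
	return nil
}

// NewChallenge issues a fresh random value stamped with the current time.
func (s *Server) NewChallenge(now time.Time) (Challenge, error) {
	ch := Challenge{IssuedAt: now.Unix()}
	_, err := rand.Read(ch.Nonce[:])
	return ch, err
}

// Verify checks, in order: the presented key is one the administrator registered,
// the challenge is fresh and unused, and the signature verifies under the
// registered copy of the key (never under a key the client merely presented).
func (s *Server) Verify(ch Challenge, sig, presented []byte, now time.Time) error {
	pub, ok := s.trusted[string(presented)]
	age := now.Sub(time.Unix(ch.IssuedAt, 0))
	switch {
	case !ok:
		return errors.New("public key is not registered")
	case age < 0 || age > s.maxAge:
		return errors.New("challenge expired")
	case s.used[ch.Nonce]:
		return errors.New("challenge already used")
	case !ecdsa.VerifyASN1(pub, ch.digest(), sig):
		return errors.New("bad signature")
	}
	s.used[ch.Nonce] = true
	return nil
}

func main() {
	srv := NewServer(2 * time.Minute)
	cli, _ := NewClient()
	pub, _ := cli.PublicKey()
	_ = srv.RegisterPublicKey(pub)
	ch, _ := srv.NewChallenge(time.Now())
	sig, _ := cli.Sign(ch)
	fmt.Println("first use:", srv.Verify(ch, sig, pub, time.Now())) // <nil>
	fmt.Println("replay:", srv.Verify(ch, sig, pub, time.Now()))    // challenge already used
}
```

Running the program verifies one signed challenge and then rejects the same signature when it is presented a second time; an unregistered key, an expired challenge and a tampered signature are refused by the same Verify path, each with its own error.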


Appendix H: Expression Language Support

Cloud Identity Manager provides expression language support for mapping user attributes from an authentication source to a target account in a SaaS or web application. Attribute mapping is used when configuring SSO and user provisioning and is also called credential mapping and account mapping. Cloud Identity Manager expression language support is based on MVEL 2.0.

MVEL 2.0 is a powerful expression language developed for Java-based applications. Its syntax is inspired by Java, but with some notable differences. For example, MVEL is dynamically typed, while Java objects are statically typed.

An MVEL expression consists of one or more statements separated by semicolons. To return a value, MVEL expressions use the “last value out” principle in addition to the return keyword. MVEL supports scripting through the following control flow operators:

• If-Then-Else
• Foreach
• For Loop
• Do While
• Do Until
• While
• Until

Note: For more information about MVEL 2.0, visit http://mvel.codehaus.org/.

H.1 Attribute Mapping and Expressions in Cloud Identity Manager

Cloud Identity Manager provides a predefined variable, $AuthnResult, for you to use when creating expressions. Its getField method retrieves a field of the authentication result. The field value has a String or String list type, matching a String or String array result, respectively.

Example 1: Simple Expression Mapping Rule for Credential Mapping

The authentication result is stored in the mail field of an enterprise identity store and has the value: [email protected]. Google Apps expects only the local part of the address (the portion before the @), not the whole email address, in the SAML response subject. When configuring credential mapping, you can use an MVEL expression that extracts the local part from the email string, as follows:

Source:
String mail = $AuthnResult.getField("mail");
mail.substring(0, mail.indexOf('@'));

Source Type: EXPRESSION


Example 2: Complex Control Flow Mapping Rules for User Provisioning

Both the enterprise identity store and Salesforce user account have a role attribute for employees. To convert the enterprise roles to Salesforce roles, you can use the following rules and MVEL expression when configuring user provisioning:

• The enterprise "Sales" role having a grade of 10 corresponds to the Salesforce "SalesManager" role.
• The enterprise "Sales" role having a grade of 11 corresponds to the Salesforce "SalesDirector" role.
• The enterprise "Sales" role having a grade of 12 or greater corresponds to the Salesforce "SalesGM" role.

Any other role, or a "Sales" grade below 10, matches none of the rules, so the expression produces no mapped value. Integer.parseInt throws if the Grade field is missing or is not numeric.

Source:
int grade = Integer.parseInt($AuthnResult.getField("Grade"));
if ($AuthnResult.getField("Role").equals("Sales")) {
    if (grade == 10) {
        return "SalesManager";
    } else if (grade == 11) {
        return "SalesDirector";
    } else if (grade >= 12) {
        return "SalesGM";
    }
}

Source Type: EXPRESSION


Appendix I: Troubleshooting Tips

This appendix contains tips for troubleshooting common problems that a Cloud Identity Manager administrator might encounter, including known issues.

I.1 Internet Explorer Cannot Download File

Symptom

Internet Explorer cannot download a file from Cloud Identity Manager.

Solution

Allow Internet Explorer to save encrypted pages to the disk, as follows:
1. In Internet Explorer, select Tools | Internet Options.
2. In the Advanced tab, locate the Security section, and deselect the Do not save encrypted pages to disk checkbox.

Note: With this option deselected, content that Internet Explorer receives over HTTPS can be written to the browser cache on disk.

I.2 The Upgrade Process Does Not Migrate HTTP POST Credentials

Symptom

When upgrading Cloud Identity Manager from v2.5 to v3.0 or greater, the upgrade process does not migrate the credentials in the HTTP POST credential store. As a result, the credentials are not available and must be reentered by the end user when using an HTTP POST Cloud Connector for the first time.

Solution

This is a known issue. Contact McAfee Support for a tool that migrates HTTP POST credentials from a v2.5 credential store to a v3.0 credential store or greater.

I.3 Not All Settings Are Exported from a MySQL Database

Symptom

When you export system configuration settings from a MySQL database, not all settings are exported. Settings that are not exported include Identity Connector, Cloud Connector, and alert configurations.

Solution

This is a known issue in Cloud Identity Manager v3.1. Contact McAfee Support for more information.

I.4 AdminiTrack Connector Does Not Support SSO to v3.0

Symptom

The Cloud Identity Manager AdminiTrack Cloud Connector supports SSO to AdminiTrack v2.6, but does not support SSO to AdminiTrack v3.0.

Solution

This is a known issue in Cloud Identity Manager v3.1. Contact McAfee Support for more information.


Order Number: 326713-004US[Revision A]