Cloud Access Manager 8.1.4 - Configuration Guide

Primary credentials

In many cases, the directory which an application uses to authenticate a user is the same as the directory used by Cloud Access Manager to authenticate the user. In this situation, the username and password entered by the user to sign in to Cloud Access Manager, can be captured and re-used to automate sign in to the application.

Primary Credentials are the username and password that were used to authenticate to Cloud Access Manager. They will only be captured and saved when a login form, through the local built-in identity provider is used to authenticate the user. Authentication using either Kerberos, a smart card, or a federated identity provider will not update Primary Credentials.

Configuring user front-end authentication method selection

If Cloud Access Manager is configured with multiple front-end authenticators, the first time users authenticate through Cloud Access Manager they will have to select which front-end authenticator they want to use. This section describes how you can configure the selection method and what the user will experience.

To configure how the user selects which front-end authenticator to use

1. Log in to the Administration Console, navigate to the Settings page and click Home Realm Discovery Options.

2. Select Home realm discovery mode. There are two options with this mode:

   • User selects home realm from a list — the user can either select the home realm from a list.

   • User enters text to identify home realm — the user can enter text to match against. Typically, this will be an email address, where the domain of the email address is used to determine the front-end authenticator.

     If you select User selects home realm from a list then no further configuration is required; if you select User enters text to identify home realm, you will see the following.

     

3. In the User Input Prompt field, enter the prompt that will be displayed to your users the first time they authenticate through Cloud Access Manager.
4. Select an option from the Text Matcher Mode list to determine how the text entered by the user will be matched.
5. If matching is by email domain, enter the domain for each front-end authenticator. To enter multiple domains for each front-end authenticator, click Add Email Domain.

6. If matching is on a word or phrase, enter the word or phrase for each front-end authenticator. To enter multiple words or phrases for each front-end authenticator, click the + icon.

   NOTE: If you need to configure the matching text for a front-end authenticator after the initial configuration, you can either navigate back to the Home Realm DiscoveryOptions page in Settings, or go to the Front-end Authentication page and edit the required front-end authenticator. You will then see an extra Home Realm Discovery tab that allows you to edit the matching text for that front-end authenticator. In addition, if you have previously configured home realm discovery to use text matching, you will see the Home Realm Discovery tab as part of the wizard when you add a new front-end authenticator.

To always show the Home Realm Discovery choice

By default, the user will only be shown the Home Realm Discovery choice the first time they authenticate through Cloud Access Manager.

To show the Home Realm Discovery page each time the user authenticates

1. Navigate to the Settings page.
2. Click Turn Features On/Off.

3. In the Log in Options section, select Always show front-end authentication choice.

   If this option is selected then the user's previous choice or word/phrase will be displayed the next time they authenticate.

Home Realm Discovery user experience

By default the user will only need to select the authentication method the first time they authenticate through Cloud Access Manager.

If Home Realm Discovery is configured to display a list of front-end authenticators, the user will see a screen similar to that displayed below. The user must select the correct front-end authenticator from the list and click Log in. Authentication will then be directed to the selected front-end authenticator.

If Home Realm Discovery is configured to select the front-end authenticator using text matching, the user will see a screen similar to that displayed below.

If the default setting for displaying the home realm discovery page is still in place then the next time the user authenticates through Cloud Access Manager, they will be directed straight to the previously selected front-end authenticator.

Adding a web application

Topics:

Before adding an application to Cloud Access Manager you must first identify which method of authentication the application is using; the most common methods are Integrated Windows Authentication (IWA) and form fill authentication. The following sections describe how to configure an application for each of the supported authentication methods.

Integrated Windows Authentication

This section will guide you through the steps required to configure single sign-on for One Identity Active Roles which uses Integrated Windows Authentication (IWA).

To configure Integrated Windows Authentication

1. Log in to the Administration Console using the desktop shortcut Cloud Access Manager Application Portal and select Add New from the Applications section on the home page.

   Cloud Access Manager provides a set of application templates to automatically configure common applications. This example describes how to configure an application manually, rather than using a template.

2. Click Configure Manually.

3. Select Integrated Windows Authentication, then click Next.

   NOTE: Additional user attributes can be sent in HTTP headers. In this example, we only need to send the authentication header.

4. Enter the protocol and Fully Qualified Domain Name (FQDN) used by the application you wish to Single Sign-On (SSO). Click Next.

   NOTE: The protocol and FQDN can be obtained from the URL used to access the application. For example, if the application is normally accessed through https://ars.prod.local/ARServerAdmin the FQDN would be ars.prod.local and the protocol would be Secure HTTP (HTTPS).

5. In this step, Cloud Access Manager needs to know how to proxy the application. Typically, this involves configuring Cloud Access Manager to proxy the entire web server used by the application through a new fully qualified domain name. This is the preferred method and the method with the most applications. To configure Cloud Access Manager in this way, simply enter a new public FQDN into the field provided on the Proxy URL page, and click Next.

   The new FQDN should be within the wildcard DNS subdomain created during the Cloud Access Manager installation, which will resolve to the Public IP address used by the proxy. For example, if you created the wildcard DNS subdomain *.webapps.democorp.com during the installation you could use the FQDN owa.webapps.democorp.com to proxy Outlook Web App. If you did not create a wildcard DNS subdomain for Cloud Access Manager during the installation you need to add this new FQDN into your public DNS manually. The new FQDN should be covered by the wildcard SSL certificate you are using.

   Alternatively, some applications are installed entirely within their own virtual directory on the web server where they reside. One example of such an application is One Identity Active Roles which installs into the virtual directory /ARServerAdmin. In this case you may be able to configure Cloud Access Manager to proxy the application's virtual directory only, rather than the whole web server, and reuse the FQDN of the proxy. To configure this option, select the proxy's FQDN from the list, then enter the virtual directory where the application is installed into the field below and click Next.

   NOTE: Take care to ensure that the path entered is unaltered, even down to subtle changes such as character case, in the example Active Roles Server the path must be ARServerAdmin.

6. You will now see the Permissions page, which enables you to control which users can access the application. By default, all Cloud Access Manager users have access to the application. You can restrict access to the application to users who belong to a specific role, but for this example, simply click Next to allow all users to access the application.
7. Enter an Application Name, for example ARS.
8. Select Use primary credentials to log into this application and click Next. This will ensure that ARS uses the user's Active Directory domain credentials rather than a different username or password unique to the application, for example the same credentials that the user used to authenticate to Cloud Access Manager. For applications that require different credentials, make sure this option is deselected.

9. You can now configure how the application is displayed on the Cloud Access Manager Portal. Enter the Title and Description you want to display on the Cloud Access Manager Portal. Many applications will require you to configure a particular entry point, for example for Active Roles Server you would need to add ARServerAdmin in the URL field of the Application Portal page.

   NOTE: Take care to ensure that the URL entered is unaltered, even down to subtle changes such as character case, in the example Active Roles Server the URL must be ARServerAdmin. In addition the Add application to application portal home and Allow user to remove application from application portal home options allow you to specify whether the application should automatically appear on each user’s portal page and how the user can manage the application from the application portal. The options are shown in the table below.

   Table 2: Application portal options

   Add application to application portal home	Allow users to remove application from application portal home	Functionality
   		application is added to the portal and it cannot be removed by the user through the application catalog.
   		application is added to the portal and it can be removed by the user through the application catalog.
   		application is not automatically added to the portal. The user can add or remove the application to/from the portal through the application catalog.

   To access the application catalog from the application portal, the user simply needs to click their username, then select Application Catalog. Depending on the settings in the Add application to application portal home and Allow user to remove application from application portal home options, the user can add or remove applications to/from the application portal.

10. Configuration of the application is now complete. Click Finish.

To verify that the application is configured correctly

1. Close Internet Explorer to end your Cloud Access Manager session.
2. Use the desktop shortcut Cloud Access Manager Application Portal to open the Cloud Access Manager Portal.
3. Log in to the Cloud Access Manager application portal and click the Active Roles Server application.
4. If the user's application credentials, the user's primary credentials in this case, have not yet been stored in Cloud Access Manager you will be prompted to enter them.
5. You will be signed in to One Identity Active Roles automatically.

Configuration of One Identity Active Roles for SSO is now complete.