Cloud Access Manager 8.1 - Configuration Guide

Log in to the Administration Console using the desktop shortcut Cloud Access Manager Application Portal and select Add New from the Applications section on the home page.

Dell™ One Identity Cloud Access Manager provides a set of application templates to automatically configure common applications. This example describes how to configure an application manually, rather than using a template.

Click Configure Manually.

Select HTTP Header and click Next.

You now need to configure how Cloud Access Manager will derive the user's username that will be used to authenticate to the application. This step will vary depending on which front-end authentication method you are using. In this example, we will run through the steps required for Active Directory® front-end authentication. Select Derive the username from an attribute. A text box is displayed for you to enter the Active Directory attribute to use. Enter sAMAccountName and click Next.

Enter the name of the header you wish to use to send the derived username. The application's web server may prefix this header name with HTTP_. If this is the case, the application must include this prefix when referencing the header. Click Next.


	NOTE: Additional user attributes can also be sent in HTTP headers. In this example we will send the user's username only.

Enter the protocol and Fully Qualified Domain Name (FQDN) used by the application you wish to Single Sign-On (SSO). Click Next.


	NOTE: The protocol and FQDN can be obtained from the URL used to access the application. For example, if the application is normally accessed using https://ars.democorp.local/ARServerAdmin, the protocol would be HTTPS and the FQDN would be ars.democorp.local.

In this step, Cloud Access Manager needs to know how to proxy the application. Typically this involves configuring Cloud Access Manager to proxy the entire web server used by the application using a new fully qualified domain name. This is the preferred method and the method which is compatible with the most applications. To configure Cloud Access Manager in this way, simply enter a new public FQDN into the field provided on the Proxy URL page, and click Next.

The new FQDN should be within the wildcard DNS subdomain created during the installation, which will resolve to the public IP address used by the proxy. For example, if you created the wildcard DNS subdomain *.webapps.democorp.com during the installation you could use the FQDN owa.webapps.democorp.com to proxy Microsoft® Outlook® Web App. If you did not create a wildcard DNS subdomain for Cloud Access Manager during the installation you will need to add this new FQDN into your public DNS manually. The new FQDN should be covered by the wildcard SSL certificate you are using.

Alternatively, some applications are installed entirely within their own virtual directory on the web server where they reside. One example of such an application is Dell™ One Identity Active Roles, formerly known as Quest One™ ActiveRoles Server™, which installs into the virtual directory /ARServerAdmin. In this case you may be able to configure Cloud Access Manager to proxy the application's virtual directory only, rather than the whole web server, and reuse the FQDN of the proxy. To configure this option, select the proxy's FQDN from the list, then enter the virtual directory where the application is installed into the field below and click Next.


	NOTE: Take care to ensure that the path entered is unaltered, even down to subtle changes such as character case, in the example Active Roles Server the path must be ARServerAdmin.

You will now see the Permissions page, which enables you to control the users who can access the application. By default, all Cloud Access Manager users have access to the application. You can restrict access to the application to users who belong to a specific role, but for this example, simply click Next to allow all users to access the application.

Enter a name for the application, then click Next.

You can now configure how the application is displayed on the Cloud Access Manager Portal. Enter the Title and Description you want to display on the Cloud Access Manager Portal. Many applications will require you to configure a particular entry point, for example for Active Roles Server you would need to add ARServerAdmin in the URL field of the Application Portal page.


	NOTE: Take care to ensure that the URL entered is unaltered, even down to subtle changes such as character case, in the example Active Roles Server the URL must be ARServerAdmin. The Add application to application portal home and Allow user to remove application from application portal options allow you to specify whether the application should appear automatically on each user’s portal page, and how the user can manage the application from the application portal.

The options are shown in Table 8.

Table 8. Application portal options
Add application to application portal home	Allow user to remove application from application portal home	Functionality
		application is added to the portal and it cannot be removed by the user through the application catalog.
		application is added to the portal and it can be removed by the user through the application catalog.
		application is not automatically added to the portal. The user can add or remove the application to/from the portal through the application catalog.

To access the application catalog from the application portal, the user simply needs to click their username, then select Application Catalog. Depending on the settings in the Add application to application portal home and Allow user to remove application from application portal home options, the user can add or remove applications to/from the application portal.

Configuration of the application is now complete. Click Finish.

To ensure that users are securely authenticated, you must configure applications that use header authentication to prevent users accessing the application directly. For further information on how to ensure that users access the application using Cloud Access Manager, please refer to Preventing direct access to applications protected by Cloud Access Manager in the Dell™ One Identity Cloud Access Manager Security and Best Practice Guide.

No back-end SSO

To configure an application that uses no back-end SSO

Log in to the Administration Console using the desktop shortcut Cloud Access Manager Application Portal and select Add New from the Applications section on the home page.

Click Configure Manually.

Select Cloud Access Manager should not log the user in and click Next.

You can now configure the application for external access.

If the application is only accessible within your corporate network, select the internal option and click Next. This option will proxy the application so that users accessing Cloud Access Manager from outside of your corporate network can use the application.


	NOTE: If users require access to the application before they have authenticated, or do not require authentication to access the application, then you can select the Allow un-authenticated access to this application box to allow un-authenticated access.

If your application is already accessible from outside of your corporate network, select the external option and click Next. This option will not configure the proxy, you may skip to Step 7.

Enter the protocol and Fully Qualified Domain Name (FQDN) used by the application you wish to Single Sign-On (SSO). Click Next.


	NOTE: The protocol and FQDN can be obtained from the URL used to access the application. For example, if the application is normally accessed using https://ars.democorp.local/ARServerAdmin, the protocol would be HTTPS and the FQDN would be ars.democorp.local.

In this step, Cloud Access Manager needs to know how to proxy the application. Typically this involves configuring Cloud Access Manager to proxy the entire web server used by the application using a new fully qualified domain name. This is the preferred method and the method compatible with the most applications. To configure Cloud Access Manager in this way, simply enter a new public FQDN into the field provided on the Proxy URL page, and click Next.

Alternatively, some applications are installed entirely within their own virtual directory on the web server where they reside. One example of such an application is Dell™ One Identity Active Roles, formerly known as Quest One™ ActiveRoles Server™, which installs into the virtual directory /ARServerAdmin. In this case, you may be able to configure Cloud Access Manager to proxy the application's virtual directory only, rather than the whole web server, and re-use the FQDN of the proxy. To configure this option, select the proxy's FQDN from the list, then enter the virtual directory where the application is installed into the field below and click Next.


	NOTE: Take care to ensure that the URL entered is not altered, even down to subtle changes such as character case. In the example Active Roles Server, the URL must be ARServerAdmin.

Enter a name for the application, then click Next.

You can now configure how the application is displayed on the Cloud Access Manager Portal. Enter the Title and Description you want to display on the Cloud Access Manager Portal. Many applications will require you to configure a particular entry point, for example, for Active Roles Server you would need to add ARServerAdmin in the URL field of the Application Portal page.


	NOTE: Take care to ensure that the URL entered is unaltered, even down to subtle changes such as character case, in the example Active Roles Server the URL must be ARServerAdmin. The Add application to application portal home and Allow user to remove application from application portal home options allow you to specify whether the application should appear automatically on each user’s portal page, and how the user can manage the application from the application portal.

The options are shown in Table 9.

Table 9. Application portal options
Add application to application portal home	Allow user to remove application from application portal home	Functionality
		application is added to the portal and it cannot be removed by the user through the application catalog.
		application is added to the portal and it can be removed by the user through the application catalog.
		application is not automatically added to the portal. The user can add or remove the application to/from the portal through the application catalog.

Configuration of the application is now complete. Click Finish.

Further considerations

When you have added an application to Dell™ One Identity Cloud Access Manager, you may want to ensure users only access the application using Cloud Access Manager. This may be required if you use Cloud Access Manager to enforce strong authentication for the application, or want to use Cloud Access Manager’s auditing features to monitor application usage. For further information on how to ensure that users access the application using Cloud Access Manager, please refer to Preventing direct access to applications protected by Cloud Access Manager in the Dell™ One Identity Cloud Access Manager Security and Best Practice Guide.

Exporting an application configuration template

When you have configured an application, you can export the configuration as a template file that can be imported into other Dell™ One Identity Cloud Access Manager installations and used to re-create your configured application.

To export an application configuration as a template, in the list of applications click the download icon next to the application you want to export.

Before you can create a template, you need to know whether there are any environment or account specific variables within your application configuration. For example, any applications that have been purchased and installed on your local network are highly likely to have environment specific URLs within the configuration.

For SaaS applications such as Salesforce.com® there may also be account specific variables within URLs, such as a unique domain name or account identifier.

To setup applications with no environment or account specific variables

If there are no environment or account specific variables in the application’s configuration, you can:

Enter the template name.

Clear the box shown in the image below:

Click Create Template.

When prompted to save or open the file, select Save.

To setup applications with existing environment or account specific variables

If there are environment or account specific variables within the application’s configuration, you need to define the template settings page.

The template settings page is the first page of the application setup wizard that you will see when you click on a template. The image below shows an example of the Salesforce template settings page within Cloud Access Manager.

The text box in the image above is referred to in the Export Application as Template page as the Input Field. The value entered into this field by the administrator using the template is referred to as the Input Field Value. The Template settings page instructions should outline what the administrator must enter into the Input Field.

In the Salesforce example, this instruction is displayed below the Settings for Salesforce heading. The Input Field Label is used to identify the Input Field text box and is displayed just above the input field text box. The Format of Input Field Value list allows you to select the required format of the Input Field Value. For example, on the Salesforce template settings page, the Input Field Value must be a valid URL, so the format of the Input Field Value would be set to Full URL.

The final step is to identify the part of the application you are currently exporting as a template which is unique to your environment/account. For example, when configuring Google Apps the recipient field will be in the format https://www.google.com/a/yourgoogledomain.com/acs where yourgoogledomain.com is an account specific domain.

In this example you would enter yourgoogledomain.com into the Environment/account specific value to be replaced text box. This text will be replaced by the value users enter into the input field when using the template.

Example application configuration template

In the following example configuration for Google Apps, the Input Field Value would be questapitest.com as this is an account specific variable. The text in italics is the value of each field in your application’s configuration. So, to make the Recipient field generic you need to tell Cloud Access Manager where the Input Field Value would be. The Audience / SP Identity field does not contain questapitest.com, so we can select that option.

When you have configured all fields, click Create Template. You are prompted to save or open the file. Select Save. The application configuration template file is now ready to use.

Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación

Seleccione su producto:

Con el fin de ofrecerle un mejor servicio, complete el campo Motivo del chat:

Soluciones recomendadas para su problema

Cloud Access Manager 8.1 - Configuration Guide

HTTP header value

No back-end SSO

Further considerations

Exporting an application configuration template