When you have successfully installed the Cloud Access Manager software, the Cloud Access Manager Administration Console is displayed.
Before users and administrators can log in to Cloud Access Manager, you need to configure a front-end authentication method. Typically, this involves configuring the Microsoft Active Directory authenticator to authenticate users to your corporate domain, but you could equally configure the SAML or WS-Federated authenticator to authenticate users to a different identity management system. This example uses the Active Directory authentication method to authenticate users and administrators accessing Cloud Access Manager.
To configure the front-end authentication service
Before Cloud Access Manager administrators and users can log in to Cloud Access Manager using their Active Directory credentials, you must define how the user and administrator roles are to be derived from Active Directory group membership.
Click Close to return to the Cloud Access Manager Administration Console. The configuration is now complete. Cloud Access Manager administrators and users can now log in to Cloud Access Manager using their Active Directory credentials.
For example, users who belong to the Active Directory Domain Admins security group can log in and configure Cloud Access Manager, and Domain Users can log in to the Cloud Access Manager portal using their Active Directory credentials.
In this section we will demonstrate how to configure an Integrated Windows Authentication (IWA) application for Single Sign-On (SSO). We will use One Identity Active Roles as our example application, but the procedure is similar for any other IWA application.
To configure an IWA application for SSO
Click Configure Manually.
Select Using Integrated Windows Authentication, then click Next.
Select the protocol used by the application and enter its fully-qualified domain name. Click Next.
NOTE: You can obtain the protocol and fully-qualified domain name from the URL used to access the application. For example, if you normally access the application using https://ars.prod.local/ARServerAdmin, the protocol will be Secure HTTP (HTTPS) and ars.prod.local will be the fully-qualified domain name.
In order to perform SSO to a non-federated web application, Cloud Access Manager must proxy the HTTPS traffic between the browser and the application. When the application requests authentication credentials, the proxy automatically intercepts the request, retrieves the credentials from the user's Password Wallet and forwards them to the application.
To proxy the HTTPS traffic to the application, the user's browser must navigate to a proxy URL, which in turn maps to the real application URL. When a user clicks a link to the application on the application portal, the link actually points to the proxy service. Using the settings you provide, the proxy then relays incoming traffic to the correct application URL.
In a typical production scenario the proxy service is installed on a host in the perimeter network (DMZ). The application's public proxy URL is resolved to the IP address of the host on which the proxy service is installed.
When you install Cloud Access Manager in Proof of Concept mode the proxy component is automatically installed on the same computer as the other components. This means the application's proxy URL must resolve to the IP address of this Cloud Access Manager computer.
You can do this either by adding a canonical name (CNAME) entry to the Domain Name System (DNS) service your computer is using, or for testing on a single computer, you can add an entry to your computer’s hosts file.
In this case, we will add an entry to our hosts file, %WINDIR%\system32\drivers\etc\hosts, as follows:
xxx.xxx.xxx.xxx ars.webapps.democorp.com
Where xxx.xxx.xxx.xxx is the IP address of the Cloud Access Manager computer.
Now save this file.
Enter the application's proxy URL into the Proxy URLs page of the application wizard in Cloud Access Manager. Click Next.
NOTE: Make sure that the URL path is entered in the correct case. In the example, ARServerAdmin must be the URL path.
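The following check is an added example, not part of the Cloud Access Manager product or its documentation. It parses hosts-file text and reports whether the proxy URL's host name points at the Cloud Access Manager computer and whether the URL path case matches the application's. The IP address 192.0.2.10, the full proxy URL and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample; 192.0.2.10 stands in for the Cloud Access Manager computer.
HOSTS_SAMPLE = """\
# sample hosts file (constructed)
127.0.0.1    localhost
192.0.2.10   ars.webapps.democorp.com   # proxy URL host
"""

def parse_hosts(text):
    """Map each lower-cased hostname to the list of IPs the hosts text gives it."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        for name in fields[1:]:
            mapping.setdefault(name.lower(), []).append(fields[0])
    return mapping

def check_proxy_mapping(hosts_text, proxy_url, app_url, cam_ip):
    """Return a list of problems; an empty list means the entries are consistent."""
    problems = []
    proxy, app = urlsplit(proxy_url), urlsplit(app_url)
    host = proxy.hostname or ""
    ips = parse_hosts(hosts_text).get(host, [])
    if not ips:
        problems.append(f"no hosts entry for {host}")
    # Any entry that sends the proxy host somewhere other than the CAM computer
    # would route proxied SSO traffic to the wrong machine.
    for ip in sorted(set(ips) - {cam_ip}):
        problems.append(f"{host} maps to {ip}, expected {cam_ip}")
    # The URL path is case-sensitive: flag a path that differs only in case.
    if proxy.path != app.path and proxy.path.lower() == app.path.lower():
        problems.append(f"path case differs: {proxy.path} vs {app.path}")
    return problems

if __name__ == "__main__":
    issues = check_proxy_mapping(
        HOSTS_SAMPLE,
        "https://ars.webapps.democorp.com/ARServerAdmin",  # assumed proxy URL
        "https://ars.prod.local/ARServerAdmin",            # application URL from the note
        "192.0.2.10",
    )
    print(issues or "proxy mapping is consistent")
```

On the Cloud Access Manager computer, pass the contents of the real hosts file and the computer's actual IP address instead of the constructed sample.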
To verify that the application is configured correctly
Configuration of SSO to One Identity ActiveRoles Server is now complete. For more information on configuring SSO for applications, please refer to the One Identity Cloud Access Manager Configuration Guide.