Configuring NetIQ Access Manager 3.2

You can configure NetIQ Access Manager 3.2 as your identity provider for Enterprise Logins in ArcGIS Online. The configuration process involves two main steps: registering your enterprise identity provider with ArcGIS Online and registering ArcGIS Online with the enterprise identity provider.

Step 1: Register NetIQ Access Manager as the enterprise identity provider with ArcGIS Online

Steps:
  1. Verify that you are logged in and that you are an administrator of your organization.
  2. Click the My Organization button at the top of the site. Your organization page opens.
  3. Click the Edit Settings button.
  4. Click the Security link on the left side of the page.
  5. Within the Enterprise Logins section, click the Set Identity Provider button.
  6. Enter a name for the identity provider in the window that opens.
  7. Provide metadata information for the identity provider using one of the three options below:
    • URL—Choose this option if the URL of NetIQ Access Manager federation metadata is accessible by ArcGIS Online. The URL is usually http(s)://<host>:<port>/nidp/saml2/metadata on the machine where NetIQ Access Manager is running.
    • File—If the URL is not accessible by ArcGIS Online, save the metadata obtained from the URL above as an XML file and upload the file.
    • Parameters—Choose this option if the URL or file is not accessible. Enter the values manually and supply the requested parameters: login URL, binding type, and certificate. Contact your NetIQ Access Manager administrator to obtain these.

Step 2: Register ArcGIS Online as the trusted service provider with NetIQ Access Manager

Steps:
  1. Configure an attribute set.

    Follow the steps below to create a new attribute set so that the attributes can be sent to ArcGIS Online as a part of the SAML assertion after authenticating the user. If you have an existing attribute set already configured in your NetIQ Access Manager, you can use that set as well.

    1. Sign in to NetIQ Access Manager administration console. This is usually available at http(s)://<host>:<port>/nps.
    2. Browse to your identity server in the NetIQ admin console and click the Shared Settings tab. Under Attribute Sets, you should see any attribute sets you've already created. Click New and create a new attribute set. Enter ArcGISOnline under Set Name and click Next.

      [Screen capture: Create Attribute Set]

    3. Define the attribute mappings and add them to the attribute set you created in the previous step.

      ArcGIS Online supports passing the givenName and email address attributes of the enterprise login from the enterprise identity provider into ArcGIS Online. When a user signs in using an enterprise login and ArcGIS Online receives attributes named givenname and email or mail (the names are matched case-insensitively), ArcGIS Online populates the full name and the email address of the user account with the values received from the identity provider.

      It is recommended that you pass in the email address from the enterprise identity provider to ArcGIS Online. This helps if the user later becomes an administrator. Having an email address in the account entitles the user to receive notifications regarding any administrative activity and send invitations to other users to join the organization.

    Click the New link and add any new attribute mappings. The screen captures below show adding attribute mapping for givenName, email address, and uid. You can choose any attributes from your authentication source instead of these examples.

    [Screen capture: givenName attribute]
    [Screen capture: email attribute]
    [Screen capture: uid attribute]

    Click Finish within the Create Attribute Set wizard. This creates a new attribute set named ArcGISOnline.

  2. Follow the steps below to add ArcGIS Online as a trusted provider with NetIQ Access Manager.
    1. Sign in to the NetIQ admin console, choose your identity server, and click the Edit link.
      [Screen capture: Admin console]

      The General tab opens.

    2. Click the SAML 2.0 tab and click New > Service Provider.

      The Service Provider window is where you add ArcGIS Online as a trusted service provider with NetIQ Access Manager.

    3. In the Create Trusted Service Provider wizard, click Metadata Text as the Source and paste the metadata of your ArcGIS Online organization within the Text box.

      Get the metadata of your ArcGIS Online organization by signing in to your organization as an administrator, clicking the Edit Settings button, then the Security tab, and then the Get Service Provider button. Save the metadata as an XML file.

      [Screen capture: Create Trusted Service Provider]

      Click Next and Finish to finish adding the trusted service provider.

      [Screen capture: Trusted Provider]
  3. Follow the steps below to configure ArcGIS Online and NetIQ Access Manager federation properties.
    1. In the SAML 2.0 tab, click the service provider link under Service Providers. (For example, in the screen capture above, the link is named ArcGISOnlineSAMLTest.) The Configuration tab opens. Click the Metadata tab and verify that the metadata for your ArcGIS Online organization is correct.
    2. Click the Configuration tab to go back to the Trust section of the configuration. (You do not need to make any changes in this section.)
    3. Click the Attributes tab.

      In this step, you add the attribute mapping from the set you created in step 2.1 so NetIQ Access Manager can send the attributes to ArcGIS Online in the SAML assertion.

      Select the attribute set you defined in step 2.1 above. After you select your attribute set, the attributes you defined in the set appear in the Available box. Move your givenName and email attributes to the Send with authentication box.

      [Screen capture: Attribute set]
    4. Click the Authentication Response tab under the Configuration tab of the service provider and set up the authentication response:

      Click Post from the Binding drop-down menu.

      In the Name Identifier column, check the box next to Unspecified.

      In the Default column, choose Ldap Attribute uid. (You can configure any other unique attribute in the attribute set from your authentication source to be sent as the NameID.)

      Click Apply. Verify that your page matches the screen capture below.

      [Screen capture: Authentication Response]
    5. Under Configuration, click the Options tab and choose your user authentication contract, for example, Name/Password - Form and click Apply.

      [Screen capture: Configuration Options]

  4. Restart NetIQ Access Manager by browsing to your identity server and clicking the Update All link.

    [Screen capture: Restart NetIQ]
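Once the identity server has been updated, the quickest way to confirm that steps 2.1 through 2.3 produced what ArcGIS Online expects is to inspect an actual SAML response. The added example below (not code from the original page, NetIQ, or Esri) checks a constructed response with a hypothetical user against the configured mapping: a NameID in the Unspecified format carrying uid, a givenname attribute, and an email or mail attribute matched case-insensitively. It assumes signature validation has already been done elsewhere.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample shaped like the response the configuration above produces: NameID from
# uid, attributes givenName and Mail (hypothetical user, not captured NetIQ output).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Mail"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def check_assertion(response_xml):
    """Check a SAML response against the NameID and attribute mapping configured above.

    Signature validation is out of scope here; run this on a response that has already
    been verified. Attribute names are matched case-insensitively, as ArcGIS Online does.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    problems = []
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing: the user cannot be matched to an enterprise login")
    elif name_id.get("Format") != UNSPECIFIED:
        problems.append("NameID format is %s, not Unspecified" % name_id.get("Format"))
    attrs = {}
    for attr in assertion.findall(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name", "").lower()] = (value.text or "").strip() if value is not None else ""
    email = attrs.get("email") or attrs.get("mail")
    if not attrs.get("givenname"):
        problems.append("givenname not sent: full name will not be populated")
    if not email:
        problems.append("email/mail not sent: the user will get no administrative notifications")
    return {"name_id": (name_id.text or "").strip() if name_id is not None else None,
            "full_name": attrs.get("givenname"), "email": email, "problems": problems}
```

An empty problems list means the attribute set and authentication response were configured as described; any entry names the step to revisit.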

9/23/2013