Integrate OSP with NetIQ Advanced Authentication using SAML 2.0

You can configure OpenText OSP (One SSO Provider) to integrate with NetIQ Advanced Authentication as a SAML 2.0 Identity Provider (IDP). This setup enables SAML-based authentication with OAuth2/OIDC token generation for applications like Dimensions CM.

Overview

In this integration architecture, the user authenticates to NetIQ Advanced Authentication (IDP), which sends a SAML response to OSP (Service Provider). OSP then generates OAuth2/OIDC tokens for integrated applications.

The integration includes the following components:

  • IDP: NetIQ Advanced Authentication server.

  • SP: OSP running on Apache Tomcat 10.

  • User Store: LDAP (backing NetIQ Advanced Authentication).

  • Token Type: JWT with RS256 signing.

  • OAuth2 Flows: Authorization Code, Password Grant.

Prerequisites

Before you begin, ensure that you have the following requirements in place:

  • Apache Tomcat 10.1.46 (or compatible version).

  • Java 17 or later (Azul Zulu recommended).

  • NetIQ Advanced Authentication configured as SAML IDP.

  • LDAP user directory.

  • SSL certificates for HTTPS.

  • LDAP server added in Repositories. For details, see New LDAP repo.

Step 1: Configure NetIQ Advanced Authentication

Set up SAML 2.0 configuration in NetIQ Advanced Authentication.

To configure NetIQ Advanced Authentication:

  1. Log in to the NetIQ Advanced Authentication administration console.

  2. Navigate to the SAML configuration section.

  3. Follow the NetIQ documentation to create a SAML 2.0 event.

To import OSP metadata:

  1. Download the OSP metadata from:

    https://localhost:8443/osp/a/dimensions/auth/saml2/spmetadata

  2. Save the XML file.

  3. In NetIQ, upload the metadata file.

  4. Verify the imported configuration.

To export NetIQ metadata:

  1. Navigate to SAML > Metadata or Export Metadata.

  2. Download the IDP metadata XML file.

  3. Copy the metadata URL. The URL is typically in the format:

    https://aauth.multifactor.in/osp/a/TOP/auth/saml2/metadata

    Or:

    https://vlab029714.dom029700.lab/osp/a/TOP/auth/saml2/metadata

This XML metadata should be configured in the Metadata tag inside the SAML2 Protocol tag in authcfg.xml.

Step 2: Configure OSP authcfg.xml

The primary configuration file is authcfg.xml. This file contains four critical configuration sections:

  • SAML2DataSource: SAML IDP connection settings.

  • AssertionAttributeMap: Maps SAML attributes to local names.

  • IDPAuthenticationSource: Attribute caching configuration.

  • OAuth2ApplicationTemplate: Maps attributes to JWT claims.

SAML2 data source

Configure the connection to the NetIQ Advanced Authentication IDP.

<SAML2DataSource
    id="ds-saml2"
    displayName="SAML 2.0 Data Source"
    enabled="${com.opentext.dimensions.saml2.enabled:true}"
    forwardAssertionWindow="${com.opentext.dimensions.saml2.forwardAssertionWindow}">
    <Reference refId="saml2" type="Protocol"/>
</SAML2DataSource>

Assertion attribute map

Map SAML attribute names to OSP local attribute names.

<AssertionAttributeMap displayName="SAML Attribute Map" id="saml2-attr-map">
    <AssertionAttributeMapEntry
        friendlyName="sAMAccountName"
        localName="sAMAccountName"
        nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
        samlName="samaccountname"/>
    <!-- Add other attributes as needed -->
</AssertionAttributeMap>

IDP authentication source

This is where attribute caching for OAuth2 is configured.

<IDPAuthenticationSource
    id="as-saml2"
    displayName="Advanced Auth SAML 2.0"
    enabled="${com.opentext.dimensions.saml2.enabled:true}">
    <Reference refId="ds-saml2" type="DataSource"/>
    <AttributeMapping>
        <AttributeMapEntry localName="sAMAccountName" nativeName="samaccountname" cachable="true"/>
    </AttributeMapping>
</IDPAuthenticationSource>

Access settings

Request attributes from the IDP during SAML authentication.

<AccessSettings
    responseBinding="${com.opentext.dimensions.saml2.sp.idp.responseBinding}"
    identifierFormat="${com.opentext.dimensions.saml2.sp.idp.identifierFormat:unspecified}"
    requestedSubjectIdentifierFormat="${com.opentext.dimensions.saml2.sp.idp.requestedSubjectIdentifierFormat:unspecified}"
    createFedsAtLogin="${com.opentext.dimensions.saml2.sp.idp.createFedsAtLogin:true}"
    consentType="${com.opentext.dimensions.saml2.sp.idp.consentType}"
    ignoreConsent="${com.opentext.dimensions.saml2.sp.idp.ignoreConsent}"
    signatureDigestAlgorithm="${com.opentext.dimensions.saml2.sp.idp.signatureDigestAlgorithm}"
    signatureC14nAlgorithm="${com.opentext.dimensions.saml2.sp.idp.signatureC14nAlgorithm}"
    SOAPSecurityMethod="${com.opentext.dimensions.saml2.sp.idp.SOAPSecurityMethod}"
    requestContextType="${com.opentext.dimensions.saml2.sp.idp.requestContextType}"
    contextComparisonType="${com.opentext.dimensions.saml2.sp.idp.contextComparisonType}"
    forceAuthAtIDP="${com.opentext.dimensions.saml2.sp.idp.forceAuthAtIDP}">
    <Reference refId="saml2-attr-map" type="AssertionAttributeMap"/>
    <AttributeMapEntry localName="sAMAccountName"/>
    <Binding sso="${com.opentext.dimensions.saml2.sp.idp.binding-post.sso:true}" slo="${com.opentext.dimensions.saml2.sp.idp.binding-post.slo:true}">HTTP-POST</Binding>
    <Binding sso="${com.opentext.dimensions.saml2.sp.idp.binding-redirect.sso:true}" slo="${com.opentext.dimensions.saml2.sp.idp.binding-redirect.slo:true}">HTTP-Redirect</Binding>
</AccessSettings>

SAML2 protocol metadata

Add the NetIQ metadata XML content to the Metadata tag inside the SAML2 Protocol tag.

<Metadata failOnError="true">
    <![CDATA[
        METADATA XML CONTENT HERE
    ]]>
</Metadata>

OAuth2 application templates

Map OSP attributes to JWT claims for your applications.

<AttributeMapping>
    <AttributeMapEntry localName="sAMAccountName" clientName="preferred_username" accessToken="jwt"/>
</AttributeMapping>

Step 3: Restart Tomcat

Restart Tomcat to apply the configuration changes.

To restart Tomcat:

Run the appropriate command for your Tomcat installation.

Configuration checklist

Use the following checklist to verify your configuration:

NetIQ Advanced Authentication

  • SAML event created for OSP.

  • OSP metadata imported (Entity ID, ACS URL).

  • SAML attributes configured (samaccountname, CN, mail, and others).

  • NameID format set to transient.

  • Assertion signing enabled.

  • Users or groups assigned to SAML event.

  • Configuration published and deployed.

  • Metadata exported for OSP.

OSP configuration

  • NetIQ metadata imported into authcfg.xml.

  • AssertionAttributeMap configured with samaccountname.

  • IDPAuthenticationSource has cachable="true" on sAMAccountName.

  • AccessSettings requests sAMAccountName attribute.

  • OAuth2ApplicationTemplate maps to preferred_username.

  • Tomcat restarted after configuration changes.

  • JWT token verified to contain preferred_username claim.
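The OSP half of this checklist can be run against authcfg.xml mechanically. The following is an added example (not OSP code and not part of this documentation) that walks the sAMAccountName chain across the four sections with only the Python standard library: SAML attribute samaccountname mapped to sAMAccountName, cached in IDPAuthenticationSource, requested in AccessSettings (which must reference the attribute map), and emitted as the preferred_username JWT claim. The <Config> root and the nesting of the constructed sample are assumptions; the checks use descendant searches, so the real file's nesting does not matter.

```python
import xml.etree.ElementTree as ET

# Constructed sample assembled from the fragments on this page; the <Config> root and the
# nesting are assumptions (the checks use descendant searches, so real nesting is irrelevant).
SAMPLE_AUTHCFG = """<Config>
  <AssertionAttributeMap id="saml2-attr-map">
    <AssertionAttributeMapEntry friendlyName="sAMAccountName" localName="sAMAccountName"
        nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" samlName="samaccountname"/>
  </AssertionAttributeMap>
  <IDPAuthenticationSource id="as-saml2" enabled="true">
    <Reference refId="ds-saml2" type="DataSource"/>
    <AttributeMapping>
      <AttributeMapEntry localName="sAMAccountName" nativeName="samaccountname" cachable="true"/>
    </AttributeMapping>
  </IDPAuthenticationSource>
  <AccessSettings>
    <Reference refId="saml2-attr-map" type="AssertionAttributeMap"/>
    <AttributeMapEntry localName="sAMAccountName"/>
  </AccessSettings>
  <OAuth2ApplicationTemplate id="dimensions">
    <AttributeMapping>
      <AttributeMapEntry localName="sAMAccountName" clientName="preferred_username" accessToken="jwt"/>
    </AttributeMapping>
  </OAuth2ApplicationTemplate>
</Config>"""

def check_mapping_chain(xml_text, local="sAMAccountName", saml="samaccountname", claim="preferred_username"):
    """Return the broken links in the SAML attribute -> OSP attribute -> JWT claim chain ([] if none)."""
    root = ET.fromstring(xml_text)
    problems = []
    amap = root.find(".//AssertionAttributeMap")
    if amap is None or not any(e.get("samlName") == saml and e.get("localName") == local
                               for e in amap.findall("AssertionAttributeMapEntry")):
        problems.append(f"AssertionAttributeMap lacks {saml} -> {local}")
    src = root.find(".//IDPAuthenticationSource")
    if src is None or not any(e.get("localName") == local and e.get("cachable") == "true"
                              for e in src.iter("AttributeMapEntry")):
        problems.append(f"IDPAuthenticationSource does not cache {local}")
    acc = root.find(".//AccessSettings")
    if acc is None or not any(e.get("localName") == local for e in acc.findall("AttributeMapEntry")):
        problems.append(f"AccessSettings does not request {local}")
    elif amap is not None and amap.get("id") not in [r.get("refId") for r in acc.findall("Reference")]:
        problems.append("AccessSettings does not reference the AssertionAttributeMap")
    tmpl = root.find(".//OAuth2ApplicationTemplate")
    if tmpl is None or not any(e.get("localName") == local and e.get("clientName") == claim
                               and e.get("accessToken") == "jwt" for e in tmpl.iter("AttributeMapEntry")):
        problems.append(f"OAuth2ApplicationTemplate does not map {local} to JWT claim {claim}")
    return problems
```

Run it against the real authcfg.xml with `check_mapping_chain(open(path).read())`; an empty list means every OSP checklist item except the Tomcat restart and the live JWT check is satisfied.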
