How to customize login pages on the Novell Identity Server

  • 3327204
  • 30-May-2007
  • 26-Apr-2012

Environment

Novell Access Management 3 Linux
Novell Identity Server

Situation

When authenticating to the Identity Server (IDP), a user can either go to the IDP directly or be redirected to it by a service provider (SP), for example the Access Gateway or the Java agent.

When going directly to the IDP, the default authentication contract (IDP configuration -> Local -> Defaults -> Authentication contract) is used. When redirected to the IDP by an SP, the contract configured at the SP and carried in the authentication request is used.

To customise the IDP login page, the customised login page must therefore be tied to the contract that is used to authenticate. The contract selects a method, and the method selects the login page.

Resolution

To create a customised login page, complete the following steps:

1. Create a new METHOD, or modify an existing METHOD, and add the JSP property (upper case) to the method. The value of this property is the file name of the custom login page without the .jsp extension. For example, if the default login page /opt/novell/nids/lib/webapp/jsp/login.jsp is copied to /opt/novell/nids/lib/webapp/jsp/custom_login.jsp, the JSP property on the METHOD must have the value custom_login (without the .jsp extension!).

As a recommendation, do NOT use spaces, dashes ("-") or slashes ("/") in the names. Use plain lowercase letters (a-z) only, with no spaces.

2. If the customised login page has multiple fields that are required to authenticate the user, or does not use the default LDAP cn attribute to locate the user during authentication, the Query property (case sensitive) must also be added to the METHOD. The value of this property is the LDAP search filter used to find the user. With the default login page shipped with Access Manager, the user is asked for a username and password, and the LDAP search filter used to identify the user is

(&(objectClass=User)(cn=%Ecom_User_ID%))

where the search base is defined by the contexts configured in the user store configuration, and %Ecom_User_ID% is replaced with the value the user submitted in the login form field of that name.

If, for example, users should authenticate with their email address and LDAP password, modify the default login page to ask for the user's email address (a form field named Ecom_User_mail instead of Ecom_User_ID). The Query property must then be added to the METHOD with the value

(&(objectClass=User)(mail=%Ecom_User_mail%))

3. Create a new CONTRACT, or modify an existing CONTRACT, and assign the METHOD from the steps above to it. Again, Novell recommends that you do NOT use spaces, dashes ("-") or slashes ("/") in the names. Use plain lowercase letters (a-z) only, with no spaces.

4. The custom login page MUST have its OWNER and GROUP set to novlwww, just like the default login.jsp page. If the administrator copies the existing login.jsp to custom_login.jsp while logged in as root, the new file is created with root as OWNER and GROUP, and the Identity Server will not be able to serve it correctly. Use 'chown novlwww:novlwww custom_login.jsp' to correct this, and confirm the result with 'ls -l' before continuing.

5. After making the above changes and verifying the settings, restart Tomcat on the IDP with the command:

/etc/init.d/novell-tomcat4 restart
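The following script, added here as an example and not part of the original TID or of any Novell tooling, automates the file-system part of the procedure (steps 1, 4 and 5) and prints the values to enter for the JSP and Query properties (steps 1 and 2). The paths, the novlwww account and the novell-tomcat4 init script are taken from the TID; the NIDS_JSP_DIR and LOGIN_OWNER overrides, the name check (lowercase letters and underscore, since the TID's own example is custom_login) and the refusal to overwrite an existing page are this script's own assumptions. The ownership check uses GNU stat, which is what the Linux IDP in this TID provides.

```shell
#!/bin/sh
# Added example: prepare a custom IDP login page as described in the TID.
# Defaults come from the TID; both can be overridden for testing (assumption).
NIDS_JSP_DIR="${NIDS_JSP_DIR:-/opt/novell/nids/lib/webapp/jsp}"
LOGIN_OWNER="${LOGIN_OWNER:-novlwww:novlwww}"

# Name check: the TID says no spaces, dashes or slashes; we allow only a-z
# and underscore (assumption, matching the TID's custom_login example).
valid_name() {
    case "$1" in
        ''|*[!a-z_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Value for the METHOD's JSP property: file name without the .jsp extension.
jsp_property_value() {
    printf '%s\n' "${1%.jsp}"
}

# Value for the METHOD's Query property: the LDAP filter that locates the
# user by attribute $1 using the login form field $2, e.g.
#   query_property_value mail Ecom_User_mail
#   -> (&(objectClass=User)(mail=%Ecom_User_mail%))
query_property_value() {
    printf '(&(objectClass=User)(%s=%%%s%%))\n' "$1" "$2"
}

# Steps 1 and 4: copy login.jsp to <name>.jsp, set owner/group, verify.
# Prints the path of the new page on success.
install_login_page() {
    name="$1"
    valid_name "$name" || { echo "refusing name '$name': use a-z only" >&2; return 1; }
    src="$NIDS_JSP_DIR/login.jsp"
    dst="$NIDS_JSP_DIR/$name.jsp"
    [ -f "$src" ] || { echo "default login page $src not found" >&2; return 1; }
    if [ -e "$dst" ]; then
        echo "$dst already exists, not overwriting" >&2
        return 1
    fi
    cp "$src" "$dst" || return 1
    chown "$LOGIN_OWNER" "$dst" || return 1
    # Verify step 4 rather than trusting chown's exit status alone.
    actual="$(stat -c '%U:%G' "$dst")"
    if [ "$actual" != "$LOGIN_OWNER" ]; then
        echo "$dst is owned by $actual, expected $LOGIN_OWNER" >&2
        return 1
    fi
    printf '%s\n' "$dst"
}

# Step 5: restart Tomcat on the IDP (command from the TID).
restart_idp_tomcat() {
    /etc/init.d/novell-tomcat4 restart
}

# Usage: sh custom_login.sh <name> [ldap-attribute form-field]
# Only runs when invoked with arguments, so the functions can also be sourced.
if [ $# -ge 1 ]; then
    page="$(install_login_page "$1")" || exit 1
    echo "Custom page: $page"
    echo "JSP property value:   $(jsp_property_value "$(basename "$page")")"
    if [ $# -ge 3 ]; then
        echo "Query property value: $(query_property_value "$2" "$3")"
    fi
    echo "Now assign the METHOD to a CONTRACT in the administration console, then:"
    restart_idp_tomcat
fi
```

Run it as root on the IDP, for example 'sh custom_login.sh custom_login mail Ecom_User_mail'; it then copies login.jsp to custom_login.jsp, sets novlwww:novlwww, prints the two property values to enter on the METHOD, and restarts Tomcat. Note that the Query filter is built from whatever the user types into the named form field, so only expose fields that you actually intend to search on.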