I'm in the planning phases of setting up NAM 3.2 as an Identity Provider
to federate with a third party service provider via SAML2. Haven't done
federation or Kerberos before.

We want to use Kerberos from Active Directory clients for authentication
(with the user store as an IDM/IDVault that actually provisions AD),
with a fallback to two factor form logon where the client can't
authenticate via Kerberos (based on IP ranges).

I understand that it is possible to use the IDVault/eDirectory as the
user store as long as we specify a match attribute that has the same
value as the AD userprincipalname. Is that correct?

We don't want to reverse proxy any URLs if at all possible (except if
necessary for protecting the IDP).

Currently the default contract is username / password / SMS.

Does this need to be changed to Kerberos to allow the fallback mechanism
to work?

Looking through the documentation, it seems that the Intersite Transfer
Service is what we're after as it provides a more seamless experience
for the end-user.


"Figure 7-5 Using the Intersite Transfer Service URL"

Seems to describe the federation scenario we need (including specifying
the id=<contract> to select the Kerberos authentication contract). Can
anyone point out any gotchas with this?

Finally, I'm a bit confused by the "step up authentication" mentioned on

Is this "step up authentication" required or is it optional?

Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support is provided via email.