Okay, so let's say we have this scenario:

NAM 3.2.x
Separate IDP, AG, and Admin Console (just to clarify that the components
are on separate boxes). Using the MAG appliance, not the AGS.

Back-end web server is Windows 2008 R2, IIS.
Supposedly IIS/whatever is set up to do SAML. Therefore, they are the SP
and my NAM IDP is the IDP.

We have exchanged SSL Certs
We have exchanged metadata files

I have defined (in the Admin Console) under SAML 2.0 -> Trusted SERVICE
Provider for the IIS box.

However, we also want to front-end the actual IIS box with the AG. This
is where I'm not clear on things.

I know that the one other time we've done this, you can open a browser,
enter the "direct" URL of the server, and, because it's configured for
SAML, it will redirect you to the NAM IDP, you login and if you look at
SAML Tracer, you'll see the back-end server sending the request, the NAM
IDP sending the response, everything is fine.

However, if you're front-ending the back-end server with the AG, and the
AG resource is set to "protected", then how can the browser ever
actually send the SAML HTTP post stuff?

Your browser will hit the AG, the AG will redirect to the IDP (but no
SAML requests sent because it's the "normal" AG/IDP login stuff), you
CAN login to eDir via the IDP, but then of course, no SAML is ever sent
to the back-end web server.

The ONLY other time we've set up something like this, we did not
front-end the web server with the AG. But that prevents us from using
the server "externally".

I know I can front-end an origin server if NAM is the SP and "something
else" is the IDP (that works fine), but not sure about this particular


kjhurni's Profile: https://forums.netiq.com/member.php?userid=322
View this thread: https://forums.netiq.com/showthread.php?t=49280
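Added example (not from the poster): a small decoder for what SAML Tracer shows in the flow described above. On the redirect to the IDP the SAMLRequest query value is base64 of raw-DEFLATEd XML; the SAMLResponse form field in the POST back to the SP is plain base64. Decoding it and reading Issuer, Destination, and AssertionConsumerServiceURL confirms which box is acting as SP and where the IDP will post its response; the hostnames in the sample request are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by AuthnRequest / Response documents.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample AuthnRequest; hostnames are placeholders, not real systems.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc123" Version="2.0" '
    'IssueInstant="2014-01-01T00:00:00Z" '
    'Destination="https://idp.example.com/nidp/saml2/sso" '
    'AssertionConsumerServiceURL="https://iis.example.internal/saml/acs">'
    '<saml:Issuer>https://iis.example.internal/</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")

def decode_redirect(value):
    """Inverse of the above: what SAML Tracer shows for ?SAMLRequest=..."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")

def decode_post(value):
    """HTTP-POST binding (SAMLResponse form field): plain base64, no compression."""
    return base64.b64decode(value).decode("utf-8")

def summarize(xml_text):
    """Pull out the fields that say who the SP is and where the IDP must reply."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    return {
        "element": root.tag.split("}")[-1],
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
    }

if __name__ == "__main__":
    encoded = encode_redirect(SAMPLE_AUTHN_REQUEST)
    print(summarize(decode_redirect(encoded)))
```

If the AG sits in front of the SP, the redirect the browser receives from the AG carries no SAMLRequest parameter at all, which is the quickest way to tell the two login flows apart in the trace.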