We have SSO implemented with a web-based service in our initial dev
setup of NAM. I did a packet capture for our security team to make sure
it meets our security needs and architecture and something came up. This
packet capture is of my going to the service provider website and
selecting to log in by SSO, it redirects to our server for a username and
password and back to the service provider where I logged into their
service. The security team tells me that in that packet capture the web
browser never hits the Access Gateway but that redirect mentioned goes
to the ID server. It is my understanding from the documentation that
when using SSO, the service provider will reach out to our NAM gateway
and the gateway will then reach out to our NAM ID server which will
verify a user against our identity store which is eDirectory, pass it
back to the gateway, and then to service provider. Am I correct in that
understanding of how it is supposed to work? It seems like we are
bypassing the gateway entirely. Perhaps I misconfigured something or
gave the wrong connection information to the service provider because I
thought the service provider should be going through the reverse proxy
on the gateway.

bobbintb's Profile: https://forums.netiq.com/member.php?userid=5629
View this thread: https://forums.netiq.com/showthread.php?t=53388
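One concrete way for the security team to answer the question from the capture itself is to decode the SAML redirect the service provider issued. In SP-initiated SAML 2.0 SSO the SP sends the browser to the IdP with an AuthnRequest in the `SAMLRequest` query parameter (HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encoding), and the request's `Destination` attribute names the endpoint the SP was configured with. Decoding it shows which host the SP was told to send users to, and walking the request sequence shows which components the browser actually touched. The script below is an added example and is not NAM code or anything from this thread; the hostnames, paths, AuthnRequest and the captured request sequence are all constructed for illustration.

```python
"""Reconstruct an SP-initiated SAML 2.0 login from captured HTTP requests.

Constructed example, not NAM's own code or a real capture: hostnames,
paths and the AuthnRequest below are made up for illustration.
"""
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumed hostnames for the three components discussed in the thread (constructed).
ROLES = {
    "app.example-sp.com": "service provider",
    "idp.example.internal": "identity server (SAML IdP)",
    "gw.example.internal": "access gateway (reverse proxy)",
}

# Minimal SP-issued AuthnRequest (constructed). Its Destination is the IdP's SSO
# endpoint, which is where the SP's redirect sends the browser.
AUTHN_REQUEST_XML = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_example1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example.internal/sso/saml2" '
    'AssertionConsumerServiceURL="https://app.example-sp.com/saml/acs" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://app.example-sp.com/saml/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect_request(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote_plus(base64.b64encode(deflated).decode("ascii"))


def decode_redirect_request(location_url: str) -> dict:
    """Pull SAMLRequest out of a 302 Location URL and reverse the encoding."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(location_url).query)
    deflated = base64.b64decode(params["SAMLRequest"][0])  # parse_qs already URL-decoded it
    root = ET.fromstring(zlib.decompress(deflated, -15))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"unexpected root element {root.tag}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "acs": root.get("AssertionConsumerServiceURL"),
    }


# Constructed capture, one tuple per request: (method, host, path, status, Location or None).
_SSO_URL = "https://idp.example.internal/sso/saml2?SAMLRequest=" + encode_redirect_request(AUTHN_REQUEST_XML)
CAPTURE = [
    ("GET", "app.example-sp.com", "/login?sso=1", 302, _SSO_URL),
    ("GET", "idp.example.internal", "/sso/saml2", 200, None),         # IdP serves login form
    ("POST", "idp.example.internal", "/sso/saml2/login", 200, None),  # credentials; auto-POST form back to SP
    ("POST", "app.example-sp.com", "/saml/acs", 302, "https://app.example-sp.com/home"),
    ("GET", "app.example-sp.com", "/home", 200, None),
]


def trace_flow(capture):
    """Ordered (host, role) pairs the browser contacted, with consecutive repeats collapsed."""
    trace = []
    for _method, host, _path, _status, _loc in capture:
        role = ROLES.get(host, "unknown host")
        if not trace or trace[-1][0] != host:
            trace.append((host, role))
    return trace


def roles_contacted(capture):
    return {role for _host, role in trace_flow(capture)}


def gateway_contacted(capture):
    return any(role.startswith("access gateway") for role in roles_contacted(capture))


def first_redirect_target(capture):
    """Decode the first SAMLRequest redirect and return it with the host contacted right after it."""
    for i, (_m, _h, _p, status, loc) in enumerate(capture):
        if status in (302, 303) and loc and "SAMLRequest=" in loc:
            req = decode_redirect_request(loc)
            next_host = capture[i + 1][1] if i + 1 < len(capture) else None
            return req, next_host
    return None, None


if __name__ == "__main__":
    for host, role in trace_flow(CAPTURE):
        print(f"{host:26} {role}")
    req, nxt = first_redirect_target(CAPTURE)
    print("AuthnRequest Destination:", req["destination"])
    print("Next host contacted:     ", nxt)
    print("Gateway contacted:", gateway_contacted(CAPTURE))
```

Run against a real capture, the two values worth comparing are the decoded `Destination` (what the SP was configured to use) and the host the browser contacted next (what actually happened); if both name the identity server and the gateway host never appears, the capture reflects the SP's configuration rather than a stray misconfiguration on the browser side. The same decoder works on the `SAMLResponse` leg once the POST binding's plain base64 (no DEFLATE) is accounted for.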