How to enroll NetBackup master server as a service provider to IBM Security Access Manager

Description

To enroll NetBackup master server as a service provider to IBM Security Access Manager

• Log on to the IBM Security Access Manager console and select the Federations option.

• Download the ISAM IDP metadata.xml file after clicking on export button at configured federation.
• Add the downloaded IDP-metadata.xml file in NetBackup through nbidpcmd CLI or identity provider configurations API’s.
• Download the NetBackup master server’s service provider metadata.xml using NetBackup API (https://<netbackupmaster>/netbackup/sso/saml2/metadata).
• Click on Partners button for the configured federation and browse for the downloaded NetBackup master server’s service provider metadata.xml and proceed with further default steps. This will add the NetBackup master as partner for selected federated entity.
• Add AttributeRules for userPrincipalName and memberOf attributes in mapping rule for the same federated entity else values entered for the user (-u) and user group (-g) options must match the SAML attribute names  (Outgoing Claim Types field). If ( -u and -g) parameter is bind to different outgoing type file then for -u field value should be in (username@domainname) and (domainname/groupname) format for -g field

          NOTE: 

                        userPrincipalName attributes is expected to be in  {username@domainname}  format.

                        memberOf attribute is required only in case user is part of user groups Value of memberOf attribute is expected to be in {domainname/groupname}  format.

Note - 

If you are using NetBackup CA certificates or external certificate which does not have a CRL, you might want to disable CRL checking by using the advanced configuration parameter kess.crlEnabled. As this is a Known limitations for Security Access Manager documented here.