OpenText™ Access Manager
Applications configuration guide
Version : 25.2
PDF Generated on : July 27, 2025
© Copyright 2025 Open Text
Table of Contents
1. Applications configuration guide 1
1.1. Introduction to application connectors 2
1.2. Application connector catalog 4
1.2.1. Accessing connectors through Administration Console 5
1.2.2. Accessing the application connector catalog through the website 6
1.3. Single sign-on assistant connectors 7
1.3.1. Understanding SSO assistant 9
1.3.2. Requirements for using SSO assistant connectors 12
1.3.3. Configuring a connector for SSO assistant 14
1.3.4. Managing icons 17
1.3.5. Troubleshooting single sign-on assistant 18
1.4. Custom connectors 19
1.4.1. Navigating the connector studio page 21
1.4.2. Creating an SSO assistant connector 23
1.4.3. Creating a SAML 2.0 connector 28
1.4.4. Downloading a connector to a file 45
1.4.5. Importing a connector from a file 46
1.4.6. Importing a connector from the global catalog 47
1.4.7. Managing a connector 48
1.4.8. Publishing a connector to the local catalog 50
1.4.9. Importing a connector into the applications page 51
1.4.10. Example: using an existing SAML connector to configure an application 52
1.5. SAML connectors 62
1.5.1. Understanding federated SSO with SAML 2.0 63
1.5.2. Global requirements for SAML 2.0 connectors 67
1.5.3. Configuring a connector for a SAML application 68
1.5.4. Managing SAML 2.0 applications 69
1.5.5. Converting SAML 2.0 service providers into a SAML 2.0 application 71
1.5.6. Unique ID 73
1.6. SAML/Account management connectors 74
1.7. Configuring the application for OpenText Access Manager on the public cloud 79
1.7.1. Requirements for the OpenText Access Manager connector 80
1.7.2. Importing and configuring the connector 81
1.7.3. Example scenarios 86
1.8. Configuring the applications for Microsoft 365 using WS federation and WS-Trust 93
1.8.1. Prerequisites for configuring the connector 94
1.8.2. Configuring a Microsoft 365 domain to federate with OpenText Access Manager 95
1.8.3. Configuring the connector 98
Access Manager 25.2
1. Applications configuration guide
This guide provides information about importing, configuring, and managing the connectors you use with OpenText Access Manager.
This guide is intended for OpenText Access Manager administrators who are responsible for configuring and managing single sign-on to OpenText Access Manager. Administrators must know and understand the following concepts:
Security Assertion Markup Language (SAML)
Extensible Markup Language (XML)
Public Key Infrastructure (PKI) digital signature concepts and Internet security
Secure Socket Layer/Transport Layer Security (SSL/TLS)
Hypertext Transfer Protocol (HTTP and HTTPS)
Uniform Resource Locators (URLs)
Domain Name System (DNS)
Firewalls
Public and private networks
Connected applications
Note
Contact [email protected] for any query related to OpenText Access
Manager SDK.
This PDF was generated on July 27, 2025 Page 1 of 100
1.1. Introduction to application connectors
As an administrator, you have many users in your user stores who require access to many different web applications. Identity federation enables you to provide single sign-on (SSO) to your users. For more information about federation, see Configuring authentication.
OpenText Access Manager uses connectors to give users secure SSO access to different web applications. A connector establishes the connection between the product and an application, and an application connector contains pre-integrated configurations for a specific SaaS application.
An application connector helps you achieve the following objectives:
Reduce the complexity of setting up SSO and account management for SaaS applications.
Deploy integrations quickly without doing any application or protocol-specific
configuration.
OpenText Access Manager supports the following types of application connectors:
Single Sign-On Assistant Connectors: These connectors work with SSO Assistant extensions for browsers to securely collect, store, retrieve, and replay the users’ authentication information for the application you select.
For more information, see Single sign-on assistant connectors.
Federation Connectors (SAML 2.0 and WS-Fed): These connectors simplify the configuration process of establishing a federated connection between applications or web services and OpenText Access Manager.
For more information, see SAML connectors.
Federation and Account Management Connectors (SAML 2.0): In addition to simplifying OpenText Access Manager configuration, these connectors can also configure SaaS Account Manager (SAM) in OpenText Access Manager to automatically provision user accounts at the corresponding SaaS providers.
To provision SAML accounts by using SAM, you must first purchase and deploy the SAM appliance and configure the appropriate SAM connector for the SAML application. For more information, see SAML/Account management connectors.
You can customize application connectors based on your requirements. See Custom
connectors.
When you configure a connector for an application, the system automatically creates
an appmark for this application and adds it on the User Portal page. For more
information about appmarks, see Appmarks.
1.2. Application connector catalog
OpenText Access Manager provides an Application Connector Catalog. The Application Connector Catalog displays all available connectors and the browsers that are compatible with each connector.
The catalog can display the connectors by name or by connector type. The available
connector types are SSO Assistant, SAML, SAML/Account Management, and WSFED.
You can access the catalog in the following ways:
Accessing connectors through Administration Console
Accessing the application connector catalog through the website
1.2.1. Accessing connectors through
Administration Console
You must import the connector from the Application Connector Catalog into Administration Console to configure the connector and create an appmark.
To access a connector through Administration Console:
1. Log in to Administration Console, then click Administration Tasks > Applications > + (plus sign).
2. Click Add Application from Catalog to import the predefined connector for a specific application.
Or,
Click Add Application from Local Catalog. The local catalog contains connectors that have been placed there by importing a connector from the public catalog or from a file, or by using the Publish option from Connector Studio.
3. Browse or search through the catalog, then select the appropriate connector.
4. Configure the connector.
For information about Single Sign-On Assistant connectors, see Single
sign-on assistant connectors.
For information about SAML 2.0 connectors, see SAML connectors.
For information about SAML/Account Management connectors, see
SAML/Account management connectors.
For information about WS Federation Connectors, see Configuring the
applications for Microsoft 365 using WS federation and WS-Trust.
For information about custom connector, see Custom connectors.
1.2.2. Accessing the application
connector catalog through the website
Depending on your firewall configuration, you might not be able to access the
Application Connector Catalog through Administration Console. In this situation, you
can download connectors from another computer and then copy those files to a
computer that Administration Console can access.
Perform the following steps to access the catalog through the website:
1. Access the Application Connector Catalog.
2. Browse through the Application Connector Catalog, then select the appropriate
connector.
3. Select the desired application connector and save it.
4. Copy the application connector to a computer that Administration Console can
access.
5. Log in to Administration Console, then click Applications.
6. Click + (plus sign) > Import from File.
7. Configure the connector.
For information about the Single Sign-On Assistant applications, see Single sign-
on assistant connectors. For information about the other connector types, see
the application-specific section in this guide.
1.3. Single sign-on assistant connectors
OpenText Access Manager provides users a way to perform secure single sign-on to
applications. OpenText Access Manager provides Single Sign-On (SSO) Assistant
connectors that are customized for each application to meet the interactive and
content requirements for logging in to the application. The SSO Assistant connectors
work with SSO Assistant extensions for browsers to securely collect, store, retrieve,
and replay the users’ authentication information for the application you select. See
Understanding SSO assistant.
OpenText Access Manager provides many connectors for SSO Assistant that you can
import from the Application Connector Catalog. You can access the Application
Connector Catalog through Administration Console, but Administration Console must
have access to the Internet for the Application Connector Catalog to work. Ensure that
you have port 80 open on your firewall for communication to the Application
Connector Catalog for the latest connectors. You can also access the Application
Connector Catalog without Administration Console. You can see the list of current
connectors in Application Connector Catalog. For more information, see Accessing
the application connector catalog through the website.
You can also create custom connector definitions for SSO Assistant. See Creating an
SSO assistant connector.
Important
Contact Technical Support if a connector for SSO Assistant is not yet
available for the application that your users access. This helps us to
define requirements and set priorities for future connectors for SSO
Assistant.
Use the information in the following sections to configure a connector for SSO
Assistant:
Understanding SSO assistant
Requirements for using SSO assistant connectors
Configuring a connector for SSO assistant
Managing icons
Troubleshooting single sign-on assistant
1.3.1. Understanding SSO assistant
SSO Assistant enables users to securely store their credentials for existing accounts
of online applications and provides an SSO experience.
For example, a user Maria has an account on ChatWork. Maria uses ChatWork to
communicate with her team members. Instead of logging in to ChatWork with
separate credentials each time, she can log in to ChatWork once. SSO Assistant will
save and replay her saved credential every time she accesses ChatWork.
SSO Assistant and Form Fill policies both automatically populate HTML forms. Form
Fill policies scan each login page accelerated through Access Gateway to populate
the credential information. For more information, see Form fill policies.
SSO Assistant does not go through Access Gateway. SSO Assistant provides
connectors for the different applications. You can configure a connector for a specific
site. SSO Assistant captures users’ credentials through a browser plug-in or
extension. It securely stores users’ credentials on Identity Server.
OpenText Access Manager protects users’ credentials through an SSL connection and
AES-256 encryption on OpenText Access Manager.
The following graphic depicts how OpenText Access Manager securely stores the
credentials:
How OpenText Access Manager securely stores credentials
Users must install the appropriate SSO Assistant extension or plug-in for their browser, or install the MobileAccess app, to use SSO Assistant with an application. The following is the flow of actions when a user logs in for the first time to access an SSO Assistant application:
1. A user logs in to User Portal by using OpenText Access Manager credentials.
2. The user sees the appmarks for the available applications and clicks the
appropriate appmark.
3. If the SSO Assistant extension or plug-in for the browser is not installed on the
computer, OpenText Access Manager prompts the user to install it.
4. After installing the extension or plug-in, the user goes to User Portal and clicks the application again.
5. The extension or plug-in opens a new tab where the user enters the user name
and password for the application.
The user must enter the user name and password for the application once.
6. The extension or plug-in captures the user’s credentials for the application. The
extension or plug-in sends the user’s credentials to OpenText Access Manager
over an SSL connection.
7. OpenText Access Manager encrypts the user’s credentials with AES-256
encryption, and then stores the user name and password in the credential store
that is part of Identity Server.
Identity Server encrypts the user’s credentials with an encryption key that is
unique per user account in OpenText Access Manager.
8. OpenText Access Manager then redirects the user to the application over an SSL
connection.
In subsequent OpenText Access Manager sessions, the user can log in with Access
Manager credentials and access the destination application without providing the
additional credentials for the application. Identity Server securely retrieves and
submits the user’s credentials for an automatic login on behalf of the user. This
provides the user with an SSO experience.
The SSO Assistant browser extension must be installed on each device where the
user wants to access the application. OpenText Access Manager automatically
prompts the user to install the extension the first time that the user accesses the
application’s appmark from a different device, even if the user’s credentials for the
application are available in the user store. The extension then retrieves the user’s credentials for the selected application from OpenText Access Manager and submits them for an automatic login.
Typically, users have a different login user name and password for their individual
accounts for each application. A user can have only one account per application.
OpenText Access Manager stores the user’s current credentials, but users remain responsible for maintaining those credentials. The menu under the user’s name on the User Portal page provides the Clear Single Sign-on Credentials option, which lets users modify their stored credentials if they are expired or stolen.
If the user changes the user name or password or cancels the account, stored
credentials become invalid. The automatic login fails and the browser extension takes
the user to the application’s login page where the user can log in with new
credentials. You will need to remove the old credentials from the store on the portal
page. For subsequent logins, the new credentials will be saved if the previous ones
are removed.
1.3.2. Requirements for using SSO
assistant connectors
Connectors for SSO Assistant work with applications that require forms-based
authentication for login. Typically, they have the following login requirements:
The application’s login page uses HTML forms as the main point of
interaction with a user.
The application requires the user’s password to be sent for logging in to an
application.
The application does not support SAML 2.0 or WS-Federation protocols for
federated trust relationships instead of sending passwords.
The login page scheme must be HTTPS, not HTTP.
The connectors for SSO Assistant support the following browsers:
Edge
Chrome
Firefox 34 or later
The MobileAccess app supports the secure retrieval and replay of previously
stored credentials for applications that users access through the User Portal
page on supported mobile devices.
The MobileAccess app supports the following versions:
iOS 9.x
Android Kit Kat 4.4 or Lollipop 5.x
A user must install the SSO Assistant extension in a supported browser one time
on each desktop or laptop they use to access the SSO Assistant applications.
For Chrome, the extension is available for free from the Google Play Store. If it is
not installed when the user accesses the application through OpenText Access
Manager, OpenText Access Manager prompts the user to go to the Google Play
Store and install it.
The installation adds the extension to the Chrome Extensions list with the
following permissions:
Access your data on all websites
Access your tabs and browsing activity
For Firefox, the extension is available through Add-ons. The Firefox extension
behaves the same way the Chrome extension behaves.
SSO Assistant is not supported in a mixed OpenText Access Manager
environment. All components of OpenText Access Manager (Identity Server
clusters, Access Gateway clusters, and Administration Console) must be of the
same version.
1.3.3. Configuring a connector for SSO
assistant
You can import and configure as many of the connectors for SSO Assistant as you
need. However, users can store only up to 20 saved credentials. For example, you
might import and configure 75 connectors for SSO Assistant. A user could only use
and save credentials for 20 of the 75 connectors for SSO Assistant.
The steps to configure the connectors for SSO Assistant are the same for each
connector provided in the Application Connector Catalog.
To configure a connector for SSO assistant:
1. Log in to Administration Console.
2. Click Applications.
3. Import a connector for SSO Assistant from Application Connector Catalog or
Local Application Catalog. For more information, see Application connector
catalog.
4. Specify the following details:
Name: Specify a unique name for the connector.
Description (Optional): Specify a description of the connector. You can import and configure multiple connectors for the same application, so use a unique name and a description that help you tell the connectors apart.
Change Image: Change the default image that the User Portal page displays to users.
Roles (Optional): Select the appropriate role from the list to determine who can see the appmark for this connector on the User Portal page. If you do not assign a role, all users can see the appmark. Note that appmarks for SSO Assistant have a public endpoint on Identity Server: even a user who is not a member of the role can start the SSO Assistant process after logging in to User Portal if the user knows the exact URL that is part of the appmark. For information about the SSO Assistant process, see Understanding SSO assistant.
URL: Specify the URL that users access when they click the appmark for an application.
Enable: Select the user platforms where the appmark will be visible.
Optional Configuration Values: Specify a different image and URL for desktop browsers, iOS devices, and Android devices.
Login Form Data: Verify that the information displayed is correct for the application. When you import a connector, these fields are populated.
5. Click Save.
The Applications page displays the new connector for SSO Assistant. An appmark for
this connector is created so that users can access it through User Portal. Ensure that
you have configured MobileAccess for the users to access and use the connectors
you have added. For more information, see Enabling mobile access.
1.3.4. Managing icons
OpenText Access Manager provides a set of default images you can use while
creating an appmark. You can also upload your own images. The maximum image
size is 200 x 200 pixels and the ideal image size is 100 x 100 pixels.
You can delete and edit any images you upload. You are not allowed to delete or edit
any of the images that come with OpenText Access Manager. You edit or delete the
images when you are creating or editing appmarks.
1.3.5. Troubleshooting single sign-on
assistant
Use the following information to help troubleshoot issues with SSO Assistant:
SSO Assistant can only work with one instance of OpenText Access Manager. If you
have two instances of OpenText Access Manager and users have an account for both
systems, when they try to log in to SSO Assistant applications, they might have
issues.
SSO Assistant uses sessions for saving and replaying users’ credentials. Opening
multiple sessions in the same browser causes issues.
1.4. Custom connectors
OpenText Access Manager provides Connector Studio and the Applications page to
manage connectors and applications. Connector Studio enables you to create and
edit Single Sign-On (SSO) Assistant and SAML 2.0 type connectors without coding or
scripting. You can then import a connector into the Applications page for creating an
SSO Assistant or SAML 2.0 type application based on the connector.
You can create a custom connector to integrate an application or a web service that has no predefined connector and that uses one of the following SSO authentication methods:
SSO Assistant (Form-based)
SAML 2.0
After you create a connector, you can save it to a file (connector > More Options icon
> Download) or publish it to OpenText Access Manager's Local Catalog (connector >
More Options icon > Publish).
In this Section
Navigating the connector studio page
Creating an SSO assistant connector
Creating a SAML 2.0 connector
Downloading a connector to a file
Importing a connector from a file
Importing a connector from the global catalog
Managing a connector
Publishing a connector to the local catalog
Importing a connector into the applications page
Example: using an existing SAML connector to configure an application
1.4.1. Navigating the connector studio
page
The Connector Studio page provides options for changing view size, switching to the
Applications page, and redirecting to Dashboard.
The following diagram demonstrates Connector Studio options:
Icons on the connector studio page
+ (plus sign): Provides options to create a new connector or import an existing connector from a file or from the Global Catalog.
View size icon: Provides options to change the view size.
Applications icon: Redirects to the Applications page.
More Options icon: Provides more options to edit, download, publish, duplicate, and delete a connector.
Filter Connector Definition: Filters the list of displayed connectors. This option is useful when you have configured many connectors and want to list only those that match the filter condition.
1.4.2. Creating an SSO assistant
connector
An SSO assistant connector uses HTML forms to populate the authentication
information. To create an SSO assistant connector, you must define the HTML form
for the application.
SSO assistant connector requirements
The application or web service must support HTML forms.
The connector supports user access to destination websites through web
browsers running on a desktop or a laptop.
The MobileAccess app supports the secure retrieval and replay of stored
credentials for websites that users access through the landing page on
supported mobile devices.
Determine whether the application uses different HTML forms for desktop and
mobile.
Planning for an SSO assistant connector
Collect the following information before creating an SSO assistant connector:
Domain name of the web service or application
Login URL of the web service or application
ID or name of the form that contains user name
ID or name of the form that contains user password
Input type used for the form
Criterion for a successful login or a failed login
Creating an SSO assistant connector
1. Log in to Administration Console as an administrator.
2. In Dashboard, click Administrative Tasks > Connector Studio > + > Create
SSO Assistant connector.
The type and the type name of the connector are set when you select the type
of connector to create.
3. Under General, specify the following details:
Target name: Specify a unique name for the connector.
Description: Specify the purpose of the connector.
Version: Specify a three-digit version number for the connector.
Icon: Browse to and select a graphic that you want as the icon for the new
connector.
4. Under Settings, create a new setting for the connector. This setting provides a
way for administrators to input data while creating the connector.
Name: Specify a name for the setting. This name is used to reference or track the setting internally.
Display Name: Specify a display name for the setting. This name appears on the Applications page under Setting Name and Value while configuring an application using this connector.
Data Owner: OpenText Access Manager does not use this option for an SSO assistant connector.
Type: Select String as the data type of the value that you specify in Setting Name and Value on the Applications page while configuring an application.
Min: OpenText Access Manager does not use this option for an SSO assistant connector.
Max: OpenText Access Manager does not use this option for an SSO assistant connector.
Description: Specify the description of this setting. This value appears when you mouse over the help icon for this setting under Setting Name and Value on the Applications page while configuring an application.
Default Value: Specify a default value. This value appears by default for the corresponding Setting Name and Value on the Applications page while configuring an application.
Required: Ensure that you select this option. After you select it, the end user must enter a value for the setting.
Concealed: OpenText Access Manager does not use this option for an SSO assistant connector.
5. Define the HTML form for the appropriate application and platform under
Desktop, iOS, and Android.
You can use the same fields for all three platforms or define a unique form for
each platform. HTML forms for some applications are different for desktop
application and mobile application. When the HTML forms are different, you
must create multiple forms for an application.
Login URL: Specify the login URL of the application.
Import: Use this option to populate the values in Form ID, Input Field Definitions, and Submit ID from the Login URL that you have specified. When you use this option, you do not need to specify details in the other fields on this page manually.
Input Field Definitions: Click + to add more input fields if required. Only the String type is supported.
Submit ID: Specify the ID or name of the element that submits the login form.
6. Click OK.
7. Proceed to Publishing a connector to the local catalog.
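What the Import option has to discover from a login page before the form definition above can be filled in (Form ID, the String input fields, and the Submit ID), as an added example that is not OpenText code; the login page, URL and function names are constructed, and the HTTPS check applies the requirement from the SSO assistant requirements section.

```python
"""Derive an SSO Assistant form definition (Login URL, Form ID, input field
definitions, Submit ID) from a login page, the way the Import option on the
Desktop/iOS/Android page populates them. Added example, not OpenText code."""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample login page (not a real application). It carries a
# decoy search form first, so the parser has to pick the right form.
SAMPLE_LOGIN_PAGE = """
<html><body>
<form id="search"><input type="text" name="q"><button type="submit">Go</button></form>
<form id="loginForm" action="/session" method="post">
  <input type="text" name="username" id="user">
  <input type="password" name="passwd" id="pass">
  <input type="hidden" name="csrf" value="constructed">
  <input type="submit" id="signIn" value="Sign in">
</form>
</body></html>
"""


@dataclass
class FormDefinition:
    login_url: str
    form_id: str
    input_fields: dict   # input name -> "String" (the only supported type)
    submit_id: str


class _LoginFormParser(HTMLParser):
    """Collects every <form> with its input fields and its submit element."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"id": a.get("id") or a.get("name") or "",
                             "inputs": [], "submit": ""}
            self.forms.append(self._current)
        elif self._current is None:
            return                      # element outside any form
        elif tag == "input":
            itype = (a.get("type") or "text").lower()
            if itype == "submit":
                self._current["submit"] = a.get("id") or a.get("name") or ""
            else:
                self._current["inputs"].append((a.get("name") or a.get("id") or "", itype))
        elif tag == "button" and (a.get("type") or "submit").lower() == "submit":
            self._current["submit"] = a.get("id") or a.get("name") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def derive_form_definition(login_url: str, html: str) -> FormDefinition:
    """Pick the form that carries a password field; that is the login form the
    SSO Assistant extension replays. Raises ValueError when the page does not
    meet the connector requirements (HTTPS scheme, HTML form with a password)."""
    if urlsplit(login_url).scheme != "https":
        raise ValueError("login URL scheme must be HTTPS, not HTTP")
    parser = _LoginFormParser()
    parser.feed(html)
    for form in parser.forms:
        types = {t for _, t in form["inputs"]}
        if "password" not in types:
            continue
        # The extension fills the user-visible credential inputs; hidden
        # fields are left to the browser, so they are not part of the definition.
        fields = {name: "String" for name, t in form["inputs"]
                  if t in ("text", "email", "password") and name}
        if not form["id"] or not form["submit"]:
            raise ValueError("login form needs an id/name and a submit element id")
        return FormDefinition(login_url, form["id"], fields, form["submit"])
    raise ValueError("no HTML form with a password field found")
```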
1.4.3. Creating a SAML 2.0 connector
Connector Studio and the Applications page help you set up basic configuration
settings for a SAML 2.0 application. After you create a SAML 2.0 application by using
a connector, the Applications page displays Advanced Setup links in each
configuration section. You can use these links to go to the SAML 2.0 configuration
pages and configure additional settings.
SAML 2.0 connector requirements
To create a SAML 2.0 connector, ensure that the service provider meets the following
protocol-specific requirements:
Supports identity federation by using the SAML 2.0 protocol.
Supports the SAML web browser single sign-on profile, with the Redirect and
POST bindings for service-provider-initiated SSO, and the POST binding for
identity-provider-initiated SSO.
Provides technical documents that describe the application’s SAML federation
requirements, metadata, and assertions.
Planning for a SAML 2.0 connector
You must collect information about the destination web service or application before
creating a SAML 2.0 connector.
Ask the application service provider the following questions to gather the required
information:
What does your SAML assertion look like?
Do you have a SAML metadata document? What fields, if any, are customer-
specific?
Does your service support the SAML single logout protocol?
What are the required configuration steps in your application to set up
federation?
What information do you provide to customers when they set up federation with
their identity source?
Creating a SAML 2.0 connector
You must configure the fields shown in red before saving a connector. Other fields are
optional, but may require configuration based on requirements of the service
provider.
Perform the following steps to create a SAML 2.0 connector:
1. Log in to Administration Console as an administrator.
2. In Dashboard under Administrative Tasks, click Connector Studio > + > Create
SAML 2.0 connector.
3. Under General, specify the following details:
Target Name: Specify a unique name for the connector file. This name is used as the filename when downloading the connector to a file or publishing to the Local Application Catalog.
Version: Specify a three-digit version number for the connector. This value is used in the filename when downloading the connector to a file or publishing to the Local Application Catalog. It is displayed on the Applications page while configuring an application based on this connector.
Description for Provider: OpenText Access Manager does not use this option.
Description for Tenant: Specify the description of the connector. This value is displayed in the Description field on the Applications page while configuring an application based on this connector.
Certificate required for provider: Select this option if the service provider requires a signing certificate. If selected, the Applications page treats the certificate field as mandatory and displays a red asterisk; a certificate from the service provider must be imported before the application can be saved. You can also import a default certificate from the service provider while creating the connector by using the Metadata page. See Step 5.
Change Image: Add a custom graphic to use for the icon that represents the connector in Connector Studio and the Applications page.
4. Select Settings.
You can use the Settings page to create settings based on the requirements of a service provider. These settings are used to create SAML metadata while creating an application based on this connector.
You can use these settings to gather and display configuration information from the administrator while configuring a connector in Connector Studio and while configuring an application on the Applications page.
In Connector Studio, these settings are available for selection on the other configuration pages within Connector Studio (the Metadata, Assertion, and Federation Instructions pages) and in the Applications page under the Application Connector Setup section. Settings, also referred to as replaceable values, are used as configuration data placeholders. An administrator can specify actual values while configuring an application based on this connector.
In the XML definition file of a connector created in Connector Studio, replaceable values use the ${nameOfSetting} format. In the Applications page, while creating an application based on a connector with one or more settings, the Display Name of each setting is displayed in the Application Connector Setup section. The values specified for those settings while configuring the application are then used to create the metadata for the application.
The Settings page provides the following options to create a new setting or edit an existing one:
Name: Specify a name for the setting. This name is used to reference or track the setting internally.
Display Name: Specify a display name for the setting. This name is used on the Metadata, Assertion, and Federation Instructions pages in Connector Studio and also in the Applications page under the Application Connector Setup section.
Data Owner: Select Tenant. OpenText Access Manager does not support the other options in the list.
Type: Select the type of the data. OpenText Access Manager supports only String and URL.
Min: Specify the minimum acceptable limit of the data. This value depends on the type you select under Type. For example, if you select String, specify the minimum length of the value. If you leave this field blank, no minimum value is enforced.
Max: Specify the maximum acceptable limit of the data. This value depends on the type you select under Type. For example, if you select String, specify the maximum length of the value. If you leave this field blank, no maximum value is enforced.
Description: Specify the description of this setting. This value is displayed when you mouse over the help icon associated with this setting in the Application Connector Setup section on the Applications page.
Default Value: Specify a default value.
Required: Select this option to make the field mandatory. When selected, the field is marked as required (a red asterisk) on the Applications page. If not selected, you can skip specifying a value while creating or editing an application.
Concealed: If you select this option, the value for this setting is masked with asterisks (*) when you create an application based on this connector on the Applications page.
5. Select Metadata.
OpenText Access Manager uses the service provider's metadata for communications with the service provider. You can use the Metadata page to determine how the metadata representing the service provider is created and configured.
Some service providers allow you to download their metadata from a URL. If not, you can manually generate the metadata based on the settings defined here.
Select one of the following methods to create the metadata:
Request: Specify Source URL to retrieve the metadata from the service provider. If required, you can specify Source URL by using replaceable values configured on the Settings page.
Generate: Specify the following details to manually generate the metadata for the service provider based on the information provided by the service provider. You can use Import from URL or Import from File if the metadata is available in that form instead of specifying the following values:
EntityID: The value required for EntityID is available in the service provider's metadata or in the help information that may be available in federation instructions from the provider. Specify the entityID of the metadata that uniquely identifies the particular service provider, such as sp_domain_name. For example, google.com. You can also specify a previously configured setting (replaceable value) by clicking the Select icon.
Signing Certificate: If you have selected Certificate required for provider under General and do not upload a certificate here, the administrator will be required to add a certificate while configuring an application based on this connector by using the Applications page.
Assertion Consumer Service URL: Specify the URL where the assertion is posted by the browser. For example, https://www.google.com/a/${customer-domain}/acs. You can also specify a previously configured setting (replaceable value) by clicking the Select icon.
Logout URL: Specify a logout URL. The logout URL corresponds to the SingleLogoutService field in the service provider's metadata. You can also specify a previously configured setting (replaceable value) by clicking the Select icon.
Logout URL Binding: Specify the logout URL binding (HTTP POST or Redirect). For SAML 2.0, the only supported binding method is POST.
Logout Response URL: Specify the URL to which the logout response is sent. The logout response URL is required when the SingleLogoutService field has ResponseLocation specified in the metadata. You can also specify a previously configured setting (replaceable value) by clicking the Select icon.
Import from File: If you selected Method > Generate and you have downloaded the service provider's metadata to a file, use this option to populate the values in the Metadata page configuration fields from that file.
Import from URL: If you selected Method > Generate and the service provider's metadata is available at a specified URL, use this option to populate the values in the Metadata page configuration fields from that URL.
6. Select Attributes.
You can use the Attributes page to define mappings between the remote attribute names required by the service provider and the user attributes available in the local OpenText Access Manager user stores. The mapped attributes are included in the SAML response and are used by the service provider to identify the user.
Attribute mappings configured here are displayed in the Attributes section while creating an application based on this connector (using the Applications page). When the application is created, an Attribute Set object is automatically created that contains these attribute mappings. You can view or edit the attribute set in the IDP Global Settings page of OpenText Access Manager.
Using the Attributes page, you can either create new attributes or import existing attributes from attribute sets already configured on the local OpenText Access Manager system.
To import existing attributes:
1. Click Import Attribute Set.
All attribute sets from the local Access Manager system are displayed.
2. Select one or more attribute sets from the list.
The mappings from the selected sets are displayed.
3. (Optional) Click the More Options icon associated with each attribute and click Edit to modify the details if needed. You can also use the attributes as they are.
Any change that you make to the attribute mappings here does not affect the source attribute set that was used as a template. These changes apply only to this connector. After you save the connector, the attribute mappings are saved in the connector. When you download or publish the connector, these attribute mappings are included in the connector definition.
4. Click OK.
To create new attributes:
1. Click New Attribute.
2. Specify the following details:
Display Name: Specify a display name. The value of Display Name is used in the Assertion page when the Select icons are clicked for Audience Restriction and Name ID.
Remote Attribute Name: Specify a name. This name is used to identify the attribute in the SAML response sent to the service provider. It is displayed on the Applications page under Attributes > Remote Attribute while configuring an application based on this connector.
Description: Specify the description of this attribute. This text is displayed when you mouse over the help icon associated with this attribute in the Attributes section on the Applications page while configuring an application.
Remote Namespace: Specify the namespace defined for the attribute by the remote system.
Remote Format: Select one of the following formats:
  Unspecified: Indicates that the interpretation of the content is implementation-specific.
  URI: Indicates that the interpretation of the content is application-specific.
  Basic: Indicates that the content conforms to the xs:Name format as defined for attribute profiles.
Type: Select the type of the attribute. Available options are LDAP Attribute, String, and Token.
Encoding: Select None. OpenText Access Manager does not support attribute encoding while publishing connectors to the Local Application Catalog or while importing connectors into the Applications page. Selecting encoding types other than None is allowed in Connector Studio for compatibility when creating connectors to be exported and used with other system types.
Local Attribute: (Optional) You can specify a default value for the Type you have selected. If a default value is specified, you can view or edit it in the Mapped to System Attribute column on the Applications page for this attribute. In the Applications page, the Attributes section displays the mappings defined here.
Required: If you select this option, a red asterisk is displayed with the attribute in the Applications page and the attribute mapping must be completed to save the application.
7. Select Assertion.
You can use the Assertion page to configure values for specific elements
included in the SAML assertion sent to the service provider.
Specify the following details:
Audience Restriction: OpenText Access Manager does not support this option.
Name ID: Select an attribute that uniquely identifies the user at the service provider. If an attribute has not yet been created (using the Attributes page), click the Select icon > New Attribute to create a new attribute.
Format: Select the NameID format that matches the requirements of the service provider, as determined by inspecting the provider's metadata or federation instructions.
Destination URL: Specify the URL of the destination application. The default appmark created for an application that is configured based on this connector contains the target override field populated with the value specified here. The user's browser is redirected to this URL after a successful single sign-on when clicking the appmark.
8. Select Federation Instructions.
You can use the Federation Instructions page to create the help information that is displayed in the Applications page while configuring an application based on this connector. This information is available under the System Setup section in the Applications page. Specify here the detailed instructions for configuring the service provider to trust OpenText Access Manager as an identity provider.
Federation instructions can use the following system-provided replaceable values. When configuring an application in the Applications page, these placeholders are replaced with values appropriate for the OpenText Access Manager Identity Server cluster where the application is being configured.
${entityID}: Represents the value of the Identity Server cluster's Entity ID.
${ssoURL}: Represents the value of the Identity Server cluster's single sign-on URL.
${sloURL}: Represents the value of the Identity Server cluster's single logout URL.
${sloReturnURL}: Represents the value of the Identity Server cluster's logout return URL.
${signingCert}: Represents the value of the Identity Server cluster's default signing certificate.
9. Click OK.
10. Proceed to Publishing a connector to the local catalog to finish creating the new
connector.
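To make the Settings rules of step 4, the ${nameOfSetting} substitution in the Metadata fields of step 5 and the system-provided placeholders of step 8 concrete, the following added example (not OpenText product code) validates administrator-supplied setting values and renders the metadata fields and federation instructions the way the guide describes. The connector values are the ones listed for the Salesforce connector in section 1.4.10; the Identity Server cluster values, the function names, and the rule that a URL setting must be an absolute http(s) URL are assumptions of this example.

```python
"""Resolver for Connector Studio replaceable values (added example, not
OpenText product code). It applies the Settings rules from step 4 (Type,
Min, Max, Required, Concealed, Default Value), substitutes ${nameOfSetting}
placeholders in the Metadata fields from step 5, and substitutes the
system-provided placeholders from step 8 in the federation instructions.
Connector values are the Salesforce ones listed in section 1.4.10; the
Identity Server cluster values are constructed sample data."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# ${nameOfSetting}, the format used in a connector's XML definition
PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_.-]+)\}")


@dataclass
class Setting:
    name: str                  # internal name, referenced as ${name}
    display_name: str          # label shown under Application Connector Setup
    type: str = "String"       # only "String" and "URL" are supported
    min: Optional[int] = None  # minimum length; None means not enforced
    max: Optional[int] = None  # maximum length; None means not enforced
    default: Optional[str] = None
    required: bool = False
    concealed: bool = False


def validate_setting(setting: Setting, value: Optional[str]) -> List[str]:
    """Return the problems with `value`; an empty list means it is acceptable."""
    errors: List[str] = []
    if not value:
        if setting.required:
            errors.append(f"{setting.display_name}: required value missing")
        return errors
    if setting.type == "URL":
        # Assumption of this example: a URL setting must be an absolute
        # http(s) URL; the guide only says the type is "URL".
        parts = urlparse(value)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            errors.append(f"{setting.display_name}: not an absolute http(s) URL")
    if setting.min is not None and len(value) < setting.min:
        errors.append(f"{setting.display_name}: shorter than Min ({setting.min})")
    if setting.max is not None and len(value) > setting.max:
        errors.append(f"{setting.display_name}: longer than Max ({setting.max})")
    return errors


def substitute(template: str, values: Dict[str, str]) -> str:
    """Replace every ${name}; a name with no value is an error, never left in."""
    def replace(match) -> str:
        name = match.group(1)
        if name not in values:
            raise KeyError(f"unresolved replaceable value ${{{name}}}")
        return values[name]
    return PLACEHOLDER.sub(replace, template)


def display_value(setting: Setting, value: str) -> str:
    """What the Applications page shows: Concealed settings are masked."""
    return "*" * len(value) if setting.concealed else value


def resolve_application(settings: List[Setting], metadata_fields: Dict[str, str],
                        instructions: str, admin_values: Dict[str, str],
                        system_values: Dict[str, str]) -> Tuple[List[str], Dict[str, str], str]:
    """Apply defaults, validate, then render the metadata fields and the
    federation instructions. Returns (errors, metadata, instructions_text)."""
    resolved: Dict[str, str] = {}
    errors: List[str] = []
    for setting in settings:
        value = admin_values.get(setting.name, setting.default)
        errors.extend(validate_setting(setting, value))
        if value:
            resolved[setting.name] = value
    if errors:
        return errors, {}, ""
    metadata = {name: substitute(tpl, resolved) for name, tpl in metadata_fields.items()}
    # Federation instructions may use both connector settings and system values.
    text = substitute(instructions, {**resolved, **system_values})
    return errors, metadata, text


# Salesforce connector definition as listed in section 1.4.10 of the guide.
SALESFORCE_SETTINGS = [Setting("ssoStartPage", "Login URL", "URL", 1, 1024,
                               "https://login.salesforce.com", required=True)]
SALESFORCE_METADATA = {"EntityID": "https://saml.salesforce.com",
                       "AssertionConsumerServiceURL": "${ssoStartPage}"}
INSTRUCTIONS = ("Configure the service provider with identity provider entity ID "
                "${entityID}, single sign-on URL ${ssoURL} and signing certificate "
                "${signingCert}.")
# Constructed Identity Server cluster values (placeholders, not real hosts).
SYSTEM_VALUES = {"entityID": "https://idp.example.test/nidp/saml2/metadata",
                 "ssoURL": "https://idp.example.test/nidp/saml2/sso",
                 "signingCert": "<PEM of the cluster's default signing certificate>"}

if __name__ == "__main__":
    errs, metadata, text = resolve_application(SALESFORCE_SETTINGS, SALESFORCE_METADATA,
                                               INSTRUCTIONS, {}, SYSTEM_VALUES)
    print(errs, metadata, text, sep="\n")
```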
1.4.4. Downloading a connector to a file
OpenText Access Manager enables you to save the connector to the local drive as a ZIP file that contains the XML definition for the connector. You can import this ZIP file on other OpenText Access Manager setups and use it to configure applications.
Perform the following steps to download a connector:
1. In Dashboard, click Administrative Tasks > Connector Studio.
2. Click the More Options icon in the upper right corner of the connector that you
want to download and click Download.
3. Save the ZIP file.
1.4.5. Importing a connector from a file
You can import a connector from a file that you have downloaded from the same or a different OpenText Access Manager setup. The file must be in ZIP format and contain a valid XML connector definition.
Perform the following steps to import a connector:
1. In Dashboard, click Administrative Tasks > Connector Studio > + > Import
Connector from file.
2. Browse to and select the ZIP file.
The connector gets listed on the Connector Studio page.
3. Edit the details as required.
4. Publish the connector. See Publishing a connector to the local catalog.
1.4.6. Importing a connector from the global catalog
The Global Catalog is a public website at and contains existing SSO Assistant and
SAML 2.0 connectors. If your OpenText Access Manager configuration does not have
Internet connectivity, you can access the catalog from a different machine and
download connectors to a file.
Perform the following steps to import a connector from the Global Catalog:
1. Click Administrative Tasks > Connector Studio > + > Import Connector from
Global Catalog.
2. Select the required connector from the catalog.
The connector gets listed on the Connector Studio page.
3. Edit the details as required.
4. Publish the connector. See Publishing a connector to the local catalog.
1.4.7. Managing a connector
Perform the following steps to edit, duplicate, and delete SSO Assistant and SAML
connectors:
1. In Dashboard, click Administrative Tasks > Connector Studio.
2. Click the More Options icon in the upper right corner of the connector. Select
any of the following commands based on your requirement:
Edit: Opens the Edit Connector page. For OpenText Access Manager to consider modifications, you must publish the connector again. You must change the version or name of the connector before re-publishing it, or delete the published connector before publishing the changes.
Download: Saves the connector to a ZIP file that you can use on the local system or import to other OpenText Access Manager systems. For more information, see Downloading a connector to a file.
Publish: Publishes the connector to the Local Catalog. For more information, see Publishing a connector to the local catalog.
Duplicate: Creates an identical copy of the connector. You can modify the details to differentiate between the two connectors.
Delete: Deletes the connector.
1.4.8. Publishing a connector to the local catalog
After creating a connector, you can publish it to OpenText Access Manager’s Local
Application Catalog. You can then select this connector to configure an application by
using the Applications page (Applications > + > Import Application from File or Add
Application from Local Catalog).
Important
Connector Studio allows you to create connectors with configurations that
can be used with other products apart from OpenText Access Manager.
However, such connectors may not be compatible with OpenText Access
Manager. If you attempt to publish a connector that contains settings that
are not compatible with OpenText Access Manager, an error message is
displayed.
Perform the following steps to publish a connector to the Local Application Catalog:
1. In Dashboard, click Administrative Tasks > Connector Studio.
2. Click the More Options icon in the upper right corner of the connector and click
Publish.
3. Confirm that you want to publish the connector you created and click Publish.
4. Click Yes.
1.4.9. Importing a connector into the applications page
1. In Dashboard, click Administrative Tasks > Applications > + (plus).
Options to import connectors from the global catalog, file, and local catalog are
available.
2. Select Add Application from Local Catalog.
3. Select the connector that you want to import into the Applications page.
4. Make changes based on your requirements.
5. Click Save.
6. Update Identity Server.
1.4.10. Example: using an existing SAML connector to configure an application
This example describes how to import an existing SAML connector from the Global Catalog into Connector Studio, create a SAML connector, and configure an application based on this connector in the Applications page. The existing SAML connector for Salesforce is used to illustrate these tasks.
Importing a SAML 2.0 connector from the global catalog
1. In Dashboard, click Administrative Tasks > Connector Studio > + > Import
connector from Global Catalog.
2. In the Connector Catalog window, specify salesforce to see existing
connectors that have been created for Salesforce, then select the Salesforce
SAML connector to import into Connector Studio.
Modifying a SAML connector
1. In Connector Studio, click the More Options icon on the Salesforce connector
that you have imported in the Importing a SAML 2.0 connector from the global
catalog section.
2. Click Edit.
Configuration options on each page are as follows. The default configuration value for the Salesforce connector is listed after each field name.
General
Target Name: Salesforce
Version: 1.10.1
Description for Provider: SAML connector to Salesforce. Not used with OpenText Access Manager.
Description for Tenant: SAML connector to Salesforce
Certificate required for provider: Not selected. This option is not selected in the default Salesforce connector because a signing certificate is not required when doing identity provider type single sign-on to Salesforce (for example, when the user clicks the Salesforce appmark in the OpenText Access Manager user portal page).
Change Image: An image is specified
Settings
Name: ssoStartPage. ssoStartPage is a replaceable value represented as ${ssoStartPage} in the connector XML and shown in the configuration fields on the Metadata and Assertion configuration pages when this setting is chosen from the list of settings.
Display Name: Login URL. Login URL is the name used to represent this replaceable value in the selection lists shown on the Metadata and Assertion pages while configuring the connector in Connector Studio, and also under the Application Connector Setup section of the Applications page when configuring the application based on this connector. The value entered for Login URL in the Applications page becomes the AssertionConsumerService endpoint in the metadata that gets created for the application.
Data Owner: Tenant
Type: URL
Min: 1
Max: 1024
Description: The Login URL is the value of the Salesforce Assertion Consumer Service URL assigned to a particular client. This is the value identified as the Salesforce.com Login URL on the Single Sign-on Settings page.
Default Value: https://login.salesforce.com
Required: Selected
Concealed: Not selected
Metadata
Method: Generate
EntityID: https://saml.salesforce.com
Signing Certificate: Not populated
Assertion Consumer Service URL: ${ssoStartPage}
Logout URL: Not used by the Salesforce service provider.
Logout URL Binding: Not used by the Salesforce service provider.
Logout Response URL: Not used by the Salesforce service provider.
Import from File: Not used by the Salesforce service provider.
Import from URL: Not used by the Salesforce service provider.
Attributes
Name: Subject/NameID. Subject/NameID is used to identify the attribute in the SAML assertion sent to the application.
Display Name: Salesforce ID. Salesforce ID is the name used to represent this mapping in the Assertion page of Connector Studio and in the Attributes section of the Applications page.
Data Owner: Tenant
Encoding: None
Description: Contains the user's Salesforce ID.
Default Value: mail
Required: Selected
Role Attribute: Not selected
Assertion
Audience Restriction: https://saml.salesforce.com
Name ID: Salesforce ID. Salesforce ID is the Display Name of the attribute mapping created on the Attributes page. The mapping results in the value of the user's local LDAP mail attribute being used to populate the value of the NameID element and the remote attribute "Subject/NameID" in the SAML assertion.
Format: Email
Destination URL: Not specified
Federation Instructions
${entityID}: Represents the value of the Identity Server cluster's Entity ID.
${ssoURL}: Represents the value of the Identity Server cluster's single sign-on URL.
${sloURL}: Represents the value of the Identity Server cluster's single logout URL.
${sloReturnURL}: Represents the value of the Identity Server cluster's logout return URL.
${signingCert}: Represents the value of the Identity Server cluster's default signing certificate.
3. Click OK.
4. Click the More Options icon on the connector > Publish to save the connector
into the Local Application Catalog of OpenText Access Manager or click More
Options > Download to save the connector to a ZIP file in the local file system.
Importing the SAML connector into the applications page
1. In Dashboard, click Administrative Tasks > Applications > + > Add Application
from Local Catalog.
2. Select the Salesforce connector that you published in Modifying a SAML
connector.
The connector is imported into the Applications page and opened for editing.
The following list maps each field in the Connector Studio page to the respective configuration in the Applications page (Connector Studio field -> Applications page field):
General > Target Name -> Name
General > Description for Tenant -> Description
General > Version -> Created from Connector with version [Version]
General > Image -> Default image
Settings -> Application Connector Setup
Metadata -> Application Connector Setup
Assertion -> Application Connector Setup
Attributes -> Attributes
Federation Instructions -> System Setup
3. Edit the values based on your requirements.
4. Click Save to create a Salesforce application.
5. Update Identity Server.
The following are a few important points:
The Settings and Attributes sections contain help icons. When you mouse over an icon, the help text that was specified in the Description fields of the connector is displayed.
Clicking Show in the System Setup section displays the federation instructions, with actual values substituted for ${ssoURL}, ${sloURL}, ${entityID}, and the other replaceable values that were specified in the connector's federation instructions.
Settings and attribute mappings that are configured as Required in the connector are flagged with a red asterisk. If you remove the default values, a warning symbol is displayed indicating that a required value is not available. If an application is saved without configuring required settings, the application is displayed under Application needs more information on the Applications page.
Saving the application creates an associated appmark that, by default, is visible in the user portal page.
A SAML 2.0 service provider is created. You can view or edit the details of this service provider by clicking Advanced Settings.
1.5. SAML connectors
OpenText Access Manager provides a number of SAML 2.0 connectors to create
secure and federated connections to applications. You can manage these connectors
through the Applications page in Administration Console Dashboard under
Administration Tasks.
SAML 2.0 connectors simplify the configuration process of establishing a federated
connection between applications or web services and OpenText Access Manager.
When you import and configure a SAML 2.0 connector, OpenText Access Manager
automatically creates an appmark for the connector. The role assignments that you
specify while configuring a connector allow access to the applications and the role
assignment on the appmarks determines whether users can see the appmark on the
User Portal or in the MobileAccess app.
Understanding federated SSO with SAML 2.0
Global requirements for SAML 2.0 connectors
Configuring a connector for a SAML application
Managing SAML 2.0 applications
Converting SAML 2.0 service providers in to a SAML 2.0 application
Unique ID
To see the list of all SAML connectors that OpenText Access Manager provides, refer
to Application Connector Catalog > SAML.
For information about SAML connectors that support account provisioning, see
SAML/Account management connectors.
1.5.1. Understanding federated SSO with SAML 2.0
To understand the federated single sign-on process with OpenText Access Manager,
you must understand SAML 2.0.
Understanding SAML 2.0
SAML is an XML-based framework for communicating user authentication, entitlement, and attribute information. For more information, see Security Assertion Markup Language (SAML) V2.0 Technical Overview.
SAML 2.0 creates a two-way agreement between two vendors asserting that the information provided is valid. It provides a standard framework to share this information, so you do not need to recreate the configuration for every vendor with which you want to share information.
To use the SAML 2.0 connectors provided for OpenText Access Manager, you must
understand the basic concepts and components of SAML 2.0.
SAML 2.0 defines each of the components using the XML schema. You must be able
to read and format documents in XML to use SAML 2.0 connectors.
XML-based framework: You must understand the XML format, structure, elements,
and how it defines rules for encoding documents.
Assertion: SAML assertions define the syntax for creating XML-encoded assertions
to describe authentication, attribute, and authorization information for an entity. The
SAML 2.0 connectors help create the assertions for OpenText Access Manager and
the federation applications.
Attributes: LDAP attributes passed between two entities. In this case, it is LDAP
attributes passed between OpenText Access Manager and connected federation
applications.
Metadata: Metadata defines how SAML 2.0 shares configuration information between two communicating entities. You must be able to access and share the OpenText Access Manager metadata information with the federated application. You must also be able to access and share the federated application metadata with OpenText Access Manager.
Protocols: SAML 2.0 supports the HTTP, HTTPS, and SOAP protocols. SAML 2.0 connectors use HTTPS to establish a secure connection between OpenText Access Manager and federated applications. To establish a secure HTTPS connection, you must obtain the certificate from the metadata of OpenText Access Manager and of the application. Each side then uses the other side's certificate to create the secure connection.
Understanding SAML 2.0 federated SSO processes with OpenText Access Manager
Federated SSO relies on a trust relationship between an identity provider and a
service provider to give users access to web services or applications.
SAML 2.0 is an open standard for federation that provides a vendor-neutral means of
exchanging user identity, authentication, attribute information, and authorization
information. SAML 2.0 defines the structure and content of assertions and protocol
messages used to transfer this information between OpenText Access Manager and
the web services or applications (service providers). For more information about
SAML 2.0, see Understanding SAML 2.0.
Using a SAML 2.0 connection, the service provider (web services or applications)
trusts the identity provider (OpenText Access Manager) to validate the user’s
authentication credentials and to send identity information about the authenticated
user. The service provider accepts the data and uses it to give the user access to the
web service or application. This data exchange is transparent for the user. It allows
the user to access the web service or application without providing additional
credentials.
OpenText Access Manager SSO with SAML 2.0 illustrates how a SAML SSO
authentication works with OpenText Access Manager:
Access Manager SSO with SAML 2.0
1. The user Steve Smith authenticates to the corporate Identity Server (OpenText
Access Manager) with his corporate user name and password.
2. OpenText Access Manager authenticates Steve against the user name steve s.
and associated password in the user store.
3. Steve accesses User Portal with an appmark to the 401k application that he is
entitled to use.
4. When Steve clicks the 401k appmark, OpenText Access Manager produces an
authentication assertion or token for the 401k application (service provider) that
contains the identity attributes needed for authentication.
5. The 401k application consumes the assertion or token to establish a security
context for the user with OpenText Access Manager.
6. The 401k application uses the assertion or token to validate that steve s. is
ssmith_01 and authorizes the authentication (resource request).
7. The 401k application establishes a session with Steve.
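The following added example (not OpenText product code) shows the content checks the service provider in steps 5 and 6 performs on the assertion it receives before it maps the asserted identity to a local account such as ssmith_01 and establishes a session. The assertion XML, the entity IDs, the ACS URL and the account table are constructed sample data, and cryptographic verification of the assertion's XML signature against the identity provider's metadata signing certificate is assumed to have been completed beforehand with an XML-DSig library.

```python
"""Service-provider side content checks on an IdP-initiated SAML 2.0
assertion (added example, not OpenText product code). All identifiers and
the assertion itself are constructed sample data."""
import xml.etree.ElementTree as ET  # parse real, untrusted XML with defusedxml
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def parse_time(value: str) -> datetime:
    """SAML dateTime values are UTC and carry a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, trusted_idp: str, sp_entity_id: str,
                       acs_url: str, accounts: Dict[str, str], now: datetime,
                       skew: timedelta = timedelta(seconds=60)) -> Tuple[List[str], str]:
    """Return (errors, local_account). Assumes the XML signature has already
    been verified against the IdP's metadata signing certificate; these are
    the content checks that decide whether a session may be established."""
    errors: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return ["root element is not a saml:Assertion"], ""
    # Issuer: only the configured identity provider may issue assertions.
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_idp:
        errors.append("issuer is not the trusted identity provider")
    # Conditions: validity window (with clock skew) and audience restriction.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        errors.append("assertion has no Conditions element")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + skew < parse_time(not_before):
            errors.append("assertion is not yet valid")
        if not_on_or_after is None or now - skew >= parse_time(not_on_or_after):
            errors.append("assertion has expired or has no NotOnOrAfter")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            errors.append("audience restriction does not name this service provider")
    # Subject: bearer confirmation must be addressed to this SP's ACS URL.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        errors.append("Recipient is not this service provider's ACS URL")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT or not name_id.text:
        errors.append("NameID is missing or not in email format")
    if errors:
        return errors, ""
    # Map the asserted identity to the SP's own account (steve s. -> ssmith_01).
    local = accounts.get(name_id.text.strip().lower())
    if local is None:
        return ["no local account for " + name_id.text], ""
    return [], local


# Constructed sample data: entity IDs, ACS URL, account table and assertion.
IDP_ENTITY_ID = "https://idp.example.test/nidp/saml2/metadata"
SP_ENTITY_ID = "https://401k.example.test/saml/metadata"
ACS_URL = "https://401k.example.test/saml/acs"
ACCOUNTS = {"steve.smith@example.test": "ssmith_01"}
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed_example_1" Version="2.0" IssueInstant="2025-07-27T10:00:00Z">
  <saml:Issuer>https://idp.example.test/nidp/saml2/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">steve.smith@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://401k.example.test/saml/acs"
          NotOnOrAfter="2025-07-27T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2025-07-27T09:59:00Z" NotOnOrAfter="2025-07-27T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://401k.example.test/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2025-07-27T10:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    errs, account = validate_assertion(SAMPLE_ASSERTION, IDP_ENTITY_ID, SP_ENTITY_ID,
                                       ACS_URL, ACCOUNTS, parse_time("2025-07-27T10:01:00Z"))
    print(errs, account)
```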
OpenText Access Manager now provides a simpler means of creating the SAML 2.0
federation for SSO by providing connectors for specific applications. When you use
the connectors, OpenText Access Manager automatically creates an appmark for the
web service or application and places the appmark on the User Portal page for users
to access. You can limit access to the SAML 2.0 web service or application by using
role assignments configured on the Applications page. You can limit visibility of the
SAML 2.0 appmarks on the User Portal page by using role assignments configured on
the appmarks.
OpenText Access Manager allows you to convert the existing SAML 2.0 service
providers to applications that you can manage from the Applications page. The
benefit of conversion is to add the ability to configure access control to the
application using roles. For more information, see Converting SAML 2.0 service
providers into a SAML 2.0 application.
1.5.2. Global requirements for SAML 2.0 connectors
All SAML 2.0 connectors have unique requirements. However, some of the
requirements are the same no matter which SAML 2.0 connector you use. Ensure that
you meet the following global requirements before configuring a SAML 2.0 connector:
SAML 2.0 connectors are not supported in a mixed OpenText Access Manager
environment. All components of OpenText Access Manager (Identity Server
clusters, Access Gateway clusters, and Administration Console) must be of the
same version.
An understanding of identity federation using the SAML 2.0 protocol. For more
information, see Understanding SAML 2.0 federated SSO processes with Access
Manager.
1.5.3. Configuring a connector for a SAML application
The following is the common procedure for configuring a SAML connector. For
specific details, see the instructions embedded within the individual connectors.
1. Log in to Administration Console as an administrator.
2. In Dashboard, under Administrative Tasks, click Applications.
3. Select the appropriate Identity Server cluster to use the application.
4. Click the plus sign + and then perform any one of the following actions:
Click Add Application from Catalog, then search for the SAML 2.0
connector that you want to configure.
For more information, see Application connector catalog.
Click Import Application from File, then browse to and select the file.
5. (Optional) Review the name of the application, and specify additional appmarks
if needed.
6. In System Setup, click Show to view the federation instructions.
7. Configure the SAML application as instructed in the federation instructions.
8. At OpenText Access Manager, review and configure Application Connector
Setup, Attributes, Access and Roles, and System Setup.
You can find the help associated with each field when you mouse over the help
icon.
9. Click Save.
10. Click Configuration Panel and update all servers.
Note
If the federation is not set up successfully after configuring the connector,
refer to the application's latest metadata or contact the support team.
1.5.4. Managing SAML 2.0 applications
Each connector that you import and configure contains the More Options icon in
the upper right corner. This icon enables you to disable, delete, and download the
application to a connector.
You can save the configuration information at any stage and complete the SAML 2.0
connector configuration later. If you save any SAML 2.0 application without
configuring all required details, the application appears at the top of the list of
connectors on the left side of the Applications page under the heading Application
needs more information. The More Options icon does not appear on this connector
until you complete the configuration.
Any section of the SAML 2.0 connector that requires information contains a red
warning symbol. Until the configuration is complete, OpenText Access Manager does
not configure an appmark or a service provider for the application.
Disabling and enabling a SAML application
1. In Dashboard, click Administrative Tasks > Applications.
2. Click the More Options icon in the upper right corner of the connector that
you want to disable.
3. Click Disable.
4. Update Identity Server for the change to take effect. The application is disabled.
5. To enable the application again, click the More Options icon of the disabled
connector > Enable, and then update Identity Server.
Deleting a SAML application
1. Click the More Options icon in the upper right corner of the connector that
you want to delete.
2. Click Delete.
3. Update Identity Server.
Downloading a SAML application
You can download a SAML application as a connector and use it to create any number
of applications in the same or different OpenText Access Manager setups. However,
when you download an application, a few settings configured for this application in
the Applications page or in the SAML 2.0 configuration pages for the associated
service provider will not be exported to the downloaded file.
The downloaded connector includes the following details:
Application’s name, icon, and description.
The settings configured in the Application Connector Setup section. These
settings are used to generate Assertion Consumer Service URL, Binding,
Entity ID, Name ID, and Signing Certificate in the metadata for the
associated service provider. However, if the metadata of the associated service
provider object contains elements other than the ones listed here, those
elements will not be preserved.
The settings configured in the Attributes section. The attribute mappings are
preserved, but the Send With option is cleared for all mappings.
The settings configured in the System Setup section. However, the Show button
may display only partial federation instructions if this application was converted
from a SAML service provider.
The downloaded connector does not include the following details:
Any setting that you have configured in SAML 2.0 configuration pages
Roles or contracts configured in the Access and Roles section on the
Applications page
Unique ID
Additional certificate of the service provider
Additional appmarks
Perform the following steps to download a SAML application:
1. Click the More Options icon in the upper right corner of the connector that you
want to download.
2. Review the details and click Download.
3. Click OK to save the application as a zip file that contains the XML definition for
the connector.
1.5.5. Converting SAML 2.0 service providers into a SAML 2.0 application
If you have configured federated authentication using SAML 2.0 to internal and
external identity providers, service providers, and embedded service providers (ESP),
you can convert the previously configured SAML 2.0 service providers to a SAML 2.0
application.
For more information about the prior configuration for service providers, see
Converting the service providers gives you the following benefits:
Adds the ability to configure access control to the application by using roles.
Automatically creates an appmark for the application.
No change takes place to the appmarks that you had created for SAML 2.0 service
providers. The conversion process only adds a new appmark for the SAML 2.0
application, if you select to create a new appmark.
In an upgraded OpenText Access Manager setup, the Applications page displays any
service providers you have created in the past. OpenText Access Manager does not
convert the service provider until you click it and save the new configuration options.
If the service provider contains only one signing certificate, you cannot upload an
additional certificate after conversion. However, if the service provider has been
configured with multiple signing certificates, the application retains the configured
certificates after conversion.
To convert a service provider to an application:
1. Log in to Administration Console as an administrator.
2. In Dashboard, click Administrative Tasks > Applications.
3. Identify the service provider you want to convert and click it.
If the service provider is not converted, then there is no menu in the upper right
corner of the tile and the image is a default SAML image for all SAML 2.0 service
providers.
4. Review the available options to ensure that these are correct.
Note
If you have existing appmarks, OpenText Access Manager populates
the Roles field with the role assignments from the existing
appmarks. The role assignments here grant users access to the
application. The role assignments on the appmark grant users
visibility of the appmark.
5. Click Save to convert the SAML 2.0 service provider to be a SAML 2.0
application.
6. Click Yes to create a new appmark for this SAML 2.0 application.
7. Click the Configuration Panel, then perform an Update All.
After you convert a SAML 2.0 service provider to a SAML 2.0 application, the
Advanced Setup links appear in each configuration section. You can use these links
to view or edit additional settings.
1.5.6. Unique ID
While creating a SAML application, if the specified entity ID is already in use by
another service provider, OpenText Access Manager prompts you to specify a different
entity ID or a unique ID. You must specify a different entity ID or a unique ID to create
the application.
Consider the following points while specifying a unique ID:
A unique ID can contain letters, numbers, special characters, or any combination
of these.
A unique ID must not contain spaces.
A unique ID must not contain the patterns uniqueid or naminstance (case-
insensitive).
A unique ID must be unique among all unique IDs assigned to the different SAML
2.0 service providers in the Identity Server cluster.
Adding a unique ID changes the OpenText Access Manager identity provider’s
metadata, such as single sign-on endpoint and entity ID, for that service
provider. The service provider uses this new metadata for establishing
federation with OpenText Access Manager.
Later, if you change the unique ID, you must re-import OpenText Access
Manager identity provider’s new metadata for that service provider.
For more information, see Configuring multiple instances of a SAML 2.0 service
provider in an Identity Server cluster.
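As an added illustration (not part of the Access Manager documentation or product), the following Python function applies the rules above to a proposed unique ID before you enter it in Administration Console. The caller supplies the set of unique IDs already assigned in the cluster; treating a case-only difference from an existing ID as a collision is an assumption the documentation does not state.

```python
import re
from typing import Iterable, List

# The two patterns the Unique ID section forbids, matched case-insensitively.
FORBIDDEN_PATTERNS = ("uniqueid", "naminstance")


def unique_id_problems(candidate: str, existing_ids: Iterable[str]) -> List[str]:
    """Check a proposed unique ID against the rules in the Unique ID section.

    Returns a list of human-readable violations; an empty list means the ID
    may be used. `existing_ids` is assumed to hold the unique IDs already
    assigned to other SAML 2.0 service providers in the same Identity Server
    cluster (the caller supplies it; nothing here talks to Access Manager).
    """
    if not candidate:
        return ["unique ID must not be empty"]
    problems = []
    # Rule: no spaces. Any whitespace character is rejected (conservative reading).
    if re.search(r"\s", candidate):
        problems.append("unique ID must not contain spaces")
    # Rule: must not contain 'uniqueid' or 'naminstance', case-insensitively.
    lowered = candidate.lower()
    for pattern in FORBIDDEN_PATTERNS:
        if pattern in lowered:
            problems.append(f"unique ID must not contain the pattern '{pattern}'")
    # Rule: must be unique within the cluster. The documentation does not say
    # whether the comparison ignores case, so a case-only difference is also
    # reported (assumption made by this example).
    for other in existing_ids:
        if other == candidate:
            problems.append(f"unique ID '{candidate}' is already in use")
            break
        if other.lower() == lowered:
            problems.append(f"unique ID differs only in case from existing '{other}'")
            break
    return problems


def is_valid_unique_id(candidate: str, existing_ids: Iterable[str]) -> bool:
    """True when unique_id_problems() reports nothing."""
    return not unique_id_problems(candidate, existing_ids)


if __name__ == "__main__":
    # Constructed sample: unique IDs already assigned in a hypothetical cluster.
    in_use = {"hr-portal", "Payroll2"}
    for sample in ("hr-portal-2", "hr portal", "MyUniqueID", "payroll2", "NamInstance7"):
        print(sample, "->", unique_id_problems(sample, in_use) or "ok")
```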
1.6. SAML/Account management connectors
The Application Connector Catalog includes a specialized set of connectors called
Account Management Connectors. In addition to simplifying OpenText Access
Manager configuration, these connectors can also configure SaaS Account Manager
(SAM) in OpenText Access Manager to automatically provision user accounts at the
corresponding SaaS providers. SAM can provision, update, and deprovision user
accounts for connected applications based on changes made in your
user store.
Each SAML/Account Management connector requires configuration at the SaaS
provider. Detailed instructions are available when you configure the application in
OpenText Access Manager Administration Console.
When you save your application configuration, SAM starts provisioning users from the
specified LDAP user stores that are members of the filtered groups to the SaaS
provider. Depending on the number of users and groups in your user stores, the
operation time varies.
To see the list of all SAML/Account Management connectors that OpenText Access
Manager provides, see Application Connector Catalog > Account Management.
Note
SAM supports only SAML 2.0 applications.
Prerequisite
To provision SAML accounts by using SAM, you must first deploy the SAM appliance
and configure the appropriate SAML/Account Management connector for the SAML
application.
For more information about deploying the SAM appliance and SAML/Account
Management connectors, see SaaS Account Management 1.0 Installation Guide and
SaaS Account Management 1.0 Connectors Guide.
You do not need to perform any action in OpenText Access Manager. Installing and
configuring SAM automatically configures the SAM-NAM integration.
Perform the following steps in OpenText Access Manager to configure a new
SAML/Account management connector:
1. On Dashboard, under Administrative Tasks, click Applications.
2. Select the appropriate Identity Server cluster to use the application.
3. Click the plus sign + and then perform any of the following actions:
Click Add Application from Catalog, click the filter icon, select Account
Management, and then search for the connector that you want to
configure.
For more information, see Application connector catalog.
Click Import Application from File and select the file.
4. (Optional) Review the name of the application and specify additional appmarks if
needed.
5. Review and configure other sections: Application Connector Setup, Attributes,
Access and Roles, and System Setup.
6. Expand the Account Management section and select Enable Account
Management.
7. Click Setup Instructions and follow the help for configuring the service account
and completing other steps at the SAML application site.
8. Provide the required information, such as credentials for the service account
and other details, for the SaaS application. This information varies depending on
the connector.
9. Under LDAP User Store Configuration, specify the user store information:
User Store
    Select the user store that you want SAM to use for provisioning users to
    SaaS applications.
Polling Interval
    Specify a duration for SAM to check your LDAP user store for changes.
LDAP Groups and Authorizations
    Select the LDAP groups containing users that might be provisioned to SaaS
    applications.
    You can map authorizations returned by the SaaS application, such as licenses,
    service plans, roles, and groups, to the local LDAP groups in the OpenText
    Access Manager user stores. While provisioning qualified users from the LDAP
    user stores to a SaaS application, SAM creates these users with the
    authorizations as mapped in the LDAP Groups and Authorizations page. Click the
    LDAP Groups and Authorizations icon to perform the following actions:
    Add, view, or remove the selected groups.
    Manage authorizations for the selected groups.
    Note
    The LDAP Groups and Authorizations page does not work in Microsoft Internet
    Explorer and Microsoft Edge 18 or earlier. Consider upgrading to the new
    Chromium-based Edge (which provides backward compatibility with IE 11) or
    using another browser, such as Chrome or Firefox.
(Conditional) If you want to add more than one user store, click the plus (+) icon
next to the heading and provide the same information for the additional user
store. Repeat this step to add multiple user stores.
10. Click Save.
After you save your application configuration, SAM begins provisioning users from the
specified LDAP user stores that are members of the filtered groups to the SaaS
service provider.
1.7. Configuring the application for OpenText Access Manager on the public cloud
OpenText Access Manager provides a connector that simplifies the procedure for
creating a SAML 2.0 federated connection between an on-premises OpenText Access
Manager setup and a cloud-based OpenText Access Manager setup.
This connector helps you configure single sign-on (SSO) to the on-premises
applications and cloud-based applications of an organization and provides seamless
login experience to users.
Using this connector, you can configure an OpenText Access Manager Identity Server
as a SAML 2.0 identity provider (IDP) by importing the SAML 2.0 metadata of
another OpenText Access Manager Identity Server that will act as a service provider
(SP).
Note
By default, this connector establishes the transient federation between
two OpenText Access Manager setups. If needed, you can later change
the type of federation by using Advanced Setup under Attributes on the
application page.
This section includes the following topics:
Requirements for the OpenText Access Manager connector
Importing and configuring the connector
Example scenarios
1.7.1. Requirements for the OpenText Access Manager connector
To use this connector, you must meet the following requirements:
Ensure that you have met the global requirements for SAML 2.0 connectors. For
more information, see Global requirements for SAML 2.0 connectors.
An administrator account for both OpenText Access Manager setups is available.
Users must be able to access both Identity Servers. However, direct
communication between Identity Servers is not required.
The metadata URL of the OpenText Access Manager setup acting as an SP is
reachable from the Administration Console of the IDP setup.
The user store must be available in the OpenText Access Manager IDP setup.
Both on-premises and cloud-based OpenText Access Manager Identity Server
cluster instances are running, resolvable, and reachable during the connector
administration process.
1.7.2. Importing and configuring the connector
You need to import and configure the connector on the OpenText Access Manager
setup that will act as the IDP.
This section provides information about how to create the SAML relationship between
the IDP setup, on which you are configuring the connector, and the OpenText Access
Manager SP setup.
Perform the following steps to import and configure the connector:
1. Log in to Administration Console of the OpenText Access Manager system that
will be the IDP.
2. In Dashboard, under Administrative Tasks, click Applications.
3. Select the desired Identity Server cluster.
4. Click + (plus sign) to import the connector.
5. Click Add Application from Catalog, and then search for the OpenText Access
Manager connector.
For more information, see Application connector catalog.
6. Specify a name and description for the connector.
7. In Application Connector Setup, specify the following details:
OpenText Access Manager IDP Base URL
    Specify the base URL of the OpenText Access Manager Identity Server that
    will become the SP.
    For example, https://spidp.com:8443/nidp
Get Metadata
    Click this to retrieve the metadata from the base URL specified in OpenText
    Access Manager IDP Base URL.
    This action populates the required values in Assertion consumer service URL,
    EntityID, Logout response URL, and Logout URL. In addition, it downloads the
    signing certificate of the SP.
Destination URL
    (Optional) Specify the URL to which users are redirected after being
    authenticated to the SP via SAML.
    The specified URL will become the URL (Target override) value specified in
    the default appmark that is created when saving the application.
8. In Attributes, keep the default attribute mappings to map values from the local
user store into attributes sent with the assertion. See the Help information
associated with the options for modifying the default mappings if necessary.
9. (Optional) In Access and Roles, specify the following details:
Roles
    Select the role assignments to determine the user accessibility of this
    application.
Contracts
    Select the contract presented to users when they click the appmark. Users
    see the specified contract unless the contract is satisfied during login or
    through the authentication levels.
10. In System Setup, perform the following actions:
Metadata
    (Optional) You can view or download the metadata from OpenText Access
    Manager for later use when creating the federated connection at the SP.
Signing Certificate
    (Optional) You can view or download the signing certificate from OpenText
    Access Manager for later use when creating the federated connection at the
    SP setup.
Federation Instructions
    Click Show to display the federation instructions.
    These instructions provide detailed steps that you must perform at the
    OpenText Access Manager setup that will be configured as the SP.
    If clicking Show returns an error and does not display the federation
    instructions, ensure that the machine (virtual or physical) where
    Administration Console is being accessed can connect directly to the base
    URL of the Identity Server cluster.
11. Click Save.
12. Click Configuration Panel, and then update the Identity Server.
If the Identity Server health status turns yellow after the update, it is likely due to
an untrusted certificate. For more information, see Managing the keys,
certificates, and trust stores.
An appmark is created automatically after saving the application. By default, all
users can see this appmark on their user portal page. The appmark is
configured with a target URL set to the value specified in the Destination URL
field you configured in Step 7.
13. In the System Setup section, click Show to display the federation instructions.
Follow these instructions at the OpenText Access Manager setup that will act as
the SP.
1.7.3. Example scenarios
Scenario 1: cloud-based IDP and on-premises SP with a protected resource
In this scenario, the cloud-based setup is configured as the IDP and the on-premises
setup is configured as the SP. The SP setup has Access Gateway protected
resources.
The protected resources need to be accessed from appmarks displayed in the user
portal page of the cloud-based setup.
User flow
1. A user browses to the URL of the cloud-based user portal page and specifies
the credentials.
The user sees the expected appmarks including the appmark for the Access
Gateway protected resource at the on-premises SP.
2. The user clicks the appmark for the protected resource. The user is
authenticated to the on-premises SP using the SAML protocol.
After a successful SAML authentication, the user sees the expected content of
the protected resource.
Configuration details
1. Establish the federation between the two setups by importing and configuring
the Access Manager SAML connector at the cloud-based setup to create the
SAML application.
2. Follow the federation instructions provided by SAML application to complete the
federation at the on-premises setup.
With this configuration, the cloud-based Access Manager setup acts as an IDP
while the on-premises Access Manager setup acts as an SP.
3. At the on-premises setup, configure an Access Gateway protected resource with
Authentication Procedure set to Any Contract.
4. At the cloud-based setup, use the Applications page to create an appmark for
the Access Manager SAML application and configure URL (Target override) with
the public URL of the Access Gateway protected resource at the on-premises
setup.
Scenario 2: on-premises IDP and cloud-based SP with a protected resource
In this scenario, the on-premises setup is configured as the IDP and the cloud-based
setup is configured as the SP. The SP setup has Access Gateway protected
resources.
The protected resources need to be accessed from appmarks displayed in the user
portal page of the on-premises setup.
User flow
1. A user browses to the URL of the on-premises user portal page and specifies
the credentials.
The user sees the expected appmarks including the appmark for the Access
Gateway protected resource at the cloud-based SP.
2. The user clicks the appmark for the protected resource. The user is
authenticated to the cloud-based SP using the SAML protocol.
After a successful SAML authentication, the user sees the expected content of
the protected resource.
Configuration details
1. Establish the federation between the on-premises and cloud-based setups by
importing and configuring the Access Manager SAML connector at the on-
premises setup to create the SAML application.
2. Follow the federation instructions provided by the SAML application to complete
the federation at the cloud-based setup.
With this configuration, the on-premises Access Manager acts as an IDP and the
cloud-based Access Manager acts as an SP.
3. At the cloud-based setup, configure an Access Gateway protected resource
with Authentication Procedure set to Any Contract.
4. At the on-premises setup, use the Applications page to create an appmark for
the Access Manager SAML application and configure URL (Target override) with
the public URL of the Access Gateway protected resource at the cloud-based
setup.
Scenario 3: on-premises IDP and cloud-based SP with third-party SP
This scenario builds upon Scenario 2: on-premises IDP and cloud-based SP with a
protected resource by adding additional configuration required for SSO to third-party
SAML SPs, such as Salesforce, Google, and Microsoft 365. These service providers
are configured and trusted by the cloud-based OpenText Access Manager setup.
This scenario enables SSO to the cloud-based user portal page and third-party SPs
when the users log in to the on-premises setup.
User flow
1. A user browses to the URL of the on-premises OpenText Access Manager IDP
user portal page and specifies credentials.
The user sees the expected appmarks including the new appmark for the user
portal page at the cloud-based OpenText Access Manager setup.
2. The user clicks the appmark for the user portal page at the cloud-based setup.
The user is authenticated to the cloud-based SP using the SAML protocol.
After a successful SAML authentication, the user sees the user portal page of
the cloud-based setup.
3. The user clicks the appmark for the third-party SP.
After a successful SAML authentication, the user sees the expected content of
the SP.
Configuration details
1. Establish the federation between the two OpenText Access Manager setups and
verify as described in Scenario 2: on-premises IDP and cloud-based SP with a
protected resource.
2. Configure the on-premises setup as follows:
1. In the Applications UI, modify the OpenText Access Manager application
and add an additional appmark.
2. In URL (Target override), specify the URL of the user portal page of the
cloud-based OpenText Access Manager setup.
3. Modify the attribute set originally created and used by the OpenText
Access Manager SAML application in Administration Console > IDP Global
Settings.
By default, the mappings for sn and givenName are created. Add the
additional attribute mappings as follows:
Local Attribute          Remote Attribute
Ldap Attribute: cn       cn
Ldap Attribute: GUID     GUID
Ldap Attribute: mail     mail
4. In the Applications page for the OpenText Access Manager connector,
select Send with for all attributes in the Attributes section.
3. Configure the cloud-based setup as follows:
1. Verify that the SAML 2.0 federations have been configured with third-party
SPs, such as Salesforce, Google, and Microsoft 365. After logging in to the
user portal page of the cloud-based setup, users see appmarks associated
with each provider. Users are single signed-on to these providers when
clicking the respective appmarks.
2. Modify the attribute set originally created when following federation
instructions to create the IDP object in Administration Console > IDP
Global Settings.
By default, the mappings for sn and givenName are created. Add the
additional attribute mappings as follows:
Local Attribute              Remote Attribute
Ldap Attribute: cn           cn
Ldap Attribute: objectGUID   GUID
Ldap Attribute: mail         mail
3. On the Home page, click Applications > Edit > SAML 2.0 > [IDP] >
Configuration > Attributes. Modify the IDP object and move all attributes to
the Obtain at authentication field. All these attributes will be obtained
during authentication.
If the Microsoft 365 SAML application is configured at the cloud-based setup, ensure
that the SAML2_OFFICE365_NAMEID_ATTRIBUTE_NAME property is configured for
the Microsoft 365 SP. Otherwise, SSO may fail for users being federated from the on-
premises setup.
Configuring SAML2_OFFICE365_NAMEID_ATTRIBUTE_NAME
1. In the cloud-based Administration Console, click Identity Servers > cluster >
Edit Cluster > SAML 2.0 > [Microsoft 365 SP] > Configuration > Options.
2. Click New.
3. Select Other from the list.
4. Specify the following values:
Property Name: SAML2_OFFICE365_NAMEID_ATTRIBUTE_NAME
Property Value: objectGUID
5. Click OK.
6. Update the Identity Server cluster.
Scenario 4: on-premises IDP, cloud-based SP with third-party SP, and third-party SP
accessible from the on-premises user portal
This scenario builds upon Scenario 3: on-premises IDP and cloud-based SP with
third-party SP by adding appmarks for each third-party service provider (Salesforce,
Google, and Microsoft 365) on the user portal page of the on-premises setup. With
this configuration, users can access these service providers without navigating to the
user portal page of the cloud-based OpenText Access Manager setup.
In addition to the configuration made in Scenario 3, you need to add appmarks
to the OpenText Access Manager SAML application at the on-premises setup.
User flow
1. A user browses to the URL of the on-premises OpenText Access Manager IDP
user portal page and specifies credentials.
The user sees the expected appmarks including the new appmarks for each
third-party SP configured in the cloud-based OpenText Access Manager setup.
2. The user clicks any of the appmarks for the third-party SP.
After a successful SAML authentication to the cloud-based OpenText Access
Manager setup, the user is single signed-on to the third-party SP and redirected
to the appropriate destination.
Configuration details
1. Follow the steps for configuring Scenario 3: on-premises IDP and cloud-based
SP with third-party SP. See Configuration details.
2. Configure additional appmarks on the OpenText Access Manager SAML
application at the on-premises setup (one for each third-party SAML SP
configured in the cloud-based setup).
1. In the Applications page of the on-premises setup, open the OpenText
Access Manager SAML application for editing.
2. In the Appmarks region, click + to add an additional appmark.
3. Specify an appropriate value for Name and other settings as desired.
4. In URL (Target Override), specify the URL of the appmark at the cloud-
based setup.
You can copy this URL from the appmark editor for the third-party
application, under URL used by Appmark on User Portal at the cloud-
based setup.
A typical configuration of a Google application contains an appmark with a
URL that includes scheme, Identity Server Base URL, PID, and an optional
Target.
The following are examples for Salesforce, Google, and Microsoft 365
configuration:
Salesforce: https://idp.baseurl.cloud:8443/nidp/saml2/idpsend?
PID=TSP_3bdb77e5-9515-4f2d-9699-86c0a48fba2c
Google: https://idp.baseurl.cloud:8443/nidp/saml2/idpsend?
PID=TSP_59d317d4-85cb-407a-9d39-
431a88ad164a&target=https://mail.google.com/a/cloudtest13.info
Microsoft 365: https://idp.baseurl.cloud:8443/nidp/saml2/idpsend?
PID=TSP_975bf51a-91b8-4a35-ab48-5aad5cdc8510
3. Repeat step 2 for each third-party SAML application for which you want to
create an appmark at the on-premises setup.
Note
If the Microsoft 365 SAML application is configured at the cloud-based
setup, ensure that the SAML2_OFFICE365_NAMEID_ATTRIBUTE_NAME
property is configured for the Microsoft 365 SP. Otherwise, SSO may fail for
users being federated from the on-premises setup.
For information about how to configure this property for the Microsoft 365
SP, see Configuring SAML2_OFFICE365_NAMEID_ATTRIBUTE_NAME.
This PDF was generated on July 27, 2025 Page 92 of 100
Access Manager 25.2
1.8. Configuring the applications for Microsoft 365 using WS federation and WS-Trust
OpenText Access Manager provides a connector for Microsoft 365 that allows you to create a federated connection between OpenText Access Manager and Microsoft 365 by using the WS Federation and WS-Trust protocols.
This connector simplifies the configuration process to establish a federated connection between Microsoft 365 and OpenText Access Manager. The connector supports both passive mode applications, such as SharePoint, and active mode applications, such as Skype.
When you import and configure the connector, OpenText Access Manager automatically creates an appmark for the users.
- Prerequisites for configuring the connector
- Configuring a Microsoft 365 domain to federate with OpenText Access Manager
- Configuring the connector
1.8.1. Prerequisites for configuring the connector
- The WS-Trust and WS Federation protocols are enabled in OpenText Access Manager.
  Perform the following steps:
  1. On the Home page, click Identity Servers > Edit Cluster.
  2. In the Enabled Protocols section, ensure that WS-Trust and WS Federation are selected.
- A Microsoft 365 administrative account is available. This administrative user must not belong to the Microsoft 365 domain that your organization will manage.
- Microsoft does not support sub-domains whose federation settings differ from those of their parent. To use a sub-domain for Microsoft 365, ensure that either you do not use Microsoft 365 with the parent domain, or the parent domain and its sub-domain have identical federation settings.
- A Microsoft 365 domain for your organization is available. See Configuring a Microsoft 365 domain to federate with OpenText Access Manager.
1.8.2. Configuring a Microsoft 365 domain to federate with OpenText Access Manager
You must configure a Microsoft 365 domain before using the Microsoft 365 connector.
Prerequisites for configuring a Microsoft 365 domain
- Identity Server must be accessible from outside the firewall so that the Microsoft 365 domain can communicate with Identity Server.
- Sign up for a Microsoft 365 account.
- To enable single sign-on to the Microsoft 365 applications, ensure that you download the application from the Microsoft 365 portal.
- Create a federated domain in Microsoft 365 and prove ownership of it. This ensures that your company domain is added to the Microsoft 365 domain. For more information, see Adding and Verifying a Domain for Microsoft 365.
- Ensure that the Windows 7 or Windows 8 workstations do not have the Active Directory Federation Service 2.0 snap-in installed.
- Ensure that the SSL certificate is issued by a well-known external certification authority (CA).
- If you are using Microsoft Lync or Microsoft Outlook thick clients with WS-Trust, replace the default self-signed SSL server certificate included with OpenText Access Manager with one that is signed by a public CA. This enables Microsoft 365 to establish a trusted SSL session with OpenText Access Manager. For more information, see Managing trusted roots and trust stores.
  Note
  If you are using Microsoft Lync, ensure that you enable federation.
- Install the Microsoft Live Sign-in Module to help manage and establish a remote session with the Microsoft 365 account that is created to manage the Microsoft 365 domain.
- Install the Microsoft Entra ID Module.
Enabling federation settings in the Microsoft 365 domain
Modify the following commands with your domain name as per your setup and run them in PowerShell. The domain name in the example is namtest.com.
1. Launch Windows Microsoft Entra ID Module for Windows PowerShell.
2. Run $cred=Get-Credential and specify your cloud service administrator account credentials.
3. Ensure that the Identity Server certificate is in the CER format. OpenText Access Manager does not support the CTR format.
4. Run Connect-MsolService -Credential $cred.
   For example, if the name of the domain is namtest.com and the Base URL of Identity Server is https://namtest.com/nidp/, run the following commands in PowerShell:
   Important
   In this example, the port is not specified with Base URL because it uses the default port 443. If you are using a different port, specify the port with Base URL.
       $dom = "namtest.com"
       $url = "https://namtest.com/nidp/wsfed/ep"
       $ecpUrl = "https://namtest.com/nidp/wstrust/sts/active12"
       $uri = "https://namtest.com/nidp/wsfed/"
       $logouturl = "https://namtest.com/nidp/jsp/o365wsfedlogout.jsp"
       $mex = "https://namtest.com/nidp/wstrust/sts/mex"
       $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "<name and path of the certificate>"
       $certData = [System.Convert]::ToBase64String($cert.RawData)
       $brand = "NamTest Co Bangalore"
5. Use the following cmdlet to update the settings of the single sign-on domain:
       Set-MsolDomainAuthentication -FederationBrandName $brand -DomainName $dom -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $certData -IssuerUri $uri -ActiveLogOnUri $ecpUrl -LogOffUri $logouturl -MetadataExchangeUri $mex
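The following script is an added example and is not part of the OpenText guide or the connector. It puts steps 4 and 5 together in one run: it derives all five endpoint URLs from a single Identity Server Base URL (so a non-default port, as the Important note requires, is carried into every endpoint), checks before changing anything that Microsoft 365 would be able to reach the MEX and passive endpoints over a TLS session it trusts (the public-CA requirement from the prerequisites), loads the CER-format signing certificate, applies the settings, and reads them back from the tenant to confirm they match. It assumes the MSOnline module is loaded and Connect-MsolService has already run; the domain name, base URL with port 8443, certificate path and brand name are constructed placeholders.

```powershell
# Added example, not part of the OpenText guide: build the federation settings
# from the Identity Server base URL, pre-check the endpoints, then apply them.
# Assumes the MSOnline module is loaded and Connect-MsolService has already
# run (step 4). Domain, base URL, certificate path and brand are placeholders.
param(
    [string]$DomainName = "namtest.com",
    # A non-default port is kept in every derived URL, as the Important note requires.
    [string]$BaseUrl    = "https://namtest.com:8443/nidp/",
    # Placeholder path to the Identity Server signing certificate in CER format.
    [string]$CertPath   = "C:\certs\idp-signing.cer",
    [string]$Brand      = "NamTest Co Bangalore",
    [switch]$DryRun
)

$ErrorActionPreference = "Stop"
if (-not $BaseUrl.EndsWith("/")) { $BaseUrl += "/" }

# All endpoints are derived from one base URL so that a port or path typo
# cannot leave the passive and active endpoints pointing at different hosts.
$endpoints = [ordered]@{
    PassiveLogOnUri     = "${BaseUrl}wsfed/ep"
    ActiveLogOnUri      = "${BaseUrl}wstrust/sts/active12"
    IssuerUri           = "${BaseUrl}wsfed/"
    LogOffUri           = "${BaseUrl}jsp/o365wsfedlogout.jsp"
    MetadataExchangeUri = "${BaseUrl}wstrust/sts/mex"
}

# Pre-flight: Microsoft 365 must reach these endpoints over a TLS session it
# trusts, so a self-signed Identity Server certificate should fail here, before
# any tenant setting changes. An HTTP error (a response object is present)
# still proves the TLS handshake succeeded; only a missing response means the
# host is unreachable or the certificate chain is not trusted by this client.
foreach ($name in @("MetadataExchangeUri", "PassiveLogOnUri")) {
    $uri = $endpoints[$name]
    try {
        $null = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 15
    } catch {
        $response = $_.Exception.PSObject.Properties["Response"].Value
        if ($null -eq $response) {
            throw "$name ($uri): unreachable or TLS certificate not trusted. $($_.Exception.Message)"
        }
    }
}

# Load the signing certificate and warn early about expiry: the tenant stores
# the Base64 DER blob and will stop accepting tokens once it has expired.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Signing certificate $($cert.Thumbprint) expires on $($cert.NotAfter)."
}
$certData = [System.Convert]::ToBase64String($cert.RawData)

$params = @{
    DomainName          = $DomainName
    Authentication      = "Federated"
    FederationBrandName = $Brand
    SigningCertificate  = $certData
}
foreach ($key in $endpoints.Keys) { $params[$key] = $endpoints[$key] }

if ($DryRun) {
    # Show exactly what would be sent without touching the tenant.
    $params.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
    return
}

Set-MsolDomainAuthentication @params

# Read the settings back from the tenant and confirm they match what was sent.
$actual = Get-MsolDomainFederationSettings -DomainName $DomainName
foreach ($key in $endpoints.Keys) {
    if ($actual.$key -ne $endpoints[$key]) {
        Write-Warning "$key in tenant is '$($actual.$key)', expected '$($endpoints[$key])'"
    }
}
$actual | Select-Object FederationBrandName, IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri, LogOffUri
```

Run it once with -DryRun to review the exact parameter set before the tenant is changed. Microsoft has announced the retirement of the MSOnline module used on this page in favour of Microsoft Graph PowerShell, where the same domain federation settings are managed with New-MgDomainFederationConfiguration; the endpoint derivation and pre-flight check above apply unchanged.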
Verifying single sign-on access
You need at least one Microsoft 365 user to verify that single sign-on is set up. If you have an existing user, ensure that the Immutable ID matches the GUID of the OpenText Access Manager user.
For example, if your user store is eDirectory and you want to retrieve the GUID of an existing OpenText Access Manager user, run the following command on the eDirectory server terminal:
    ldapsearch -D cn=<context> -w <password> -b <search base> cn=<fqdn of the administrator> GUID | grep GUID
Where -D is the bind DN, -w is the password, and -b is the search base.
Create a Microsoft 365 user with this GUID as the Immutable ID by running the following command in PowerShell:
    New-MsolUser -UserPrincipalName "user1@<domain name>" -ImmutableId "<GUID of user1>" -LastName "<last name of user1>" -FirstName "user1" -DisplayName "user1 users" -BlockCredential $false -LicenseAssignment "testdomain:ENTERPRISEPACK" -UsageLocation "<two-letter country code, for example US, IN, DE, BE, GB>" -Password "<password of the user>"
To verify that single sign-on is set up correctly, perform the following steps on a server that is not added to the domain:
1. Go to Microsoft Online Services.
2. Log in with your corporate credentials. For example, [email protected]
   If single sign-on is enabled, the password field is disabled and the following message is displayed:
   You are now required to Sign in at <your company>.
3. Click the Sign in at <your company> link. If you are able to sign in without errors, single sign-on is set up successfully.
1.8.3. Configuring the connector
1. Log in to Administration Console as an administrator.
2. In Dashboard, click Applications under Administrative Tasks.
3. (Conditional) Select the appropriate Identity Server cluster in Cluster.
4. Click the plus sign (+) and perform any one of the following steps:
   1. Click Add Application from Catalog, then search for the WS Federation and WS-Trust connector for Microsoft 365. For more information, see Application connector catalog.
   2. Click Import Application from File, then browse to and select the file.
   3. Click Add Application from Catalog to select a custom connector.
5. Specify the following details:
   Field: Description
   Name: Specify a unique name for the connector.
   Description: Specify a description of the connector. You can configure multiple connectors for Microsoft 365. Use a unique name and description so that the connectors can be told apart.
   Change Image (Optional): Change the default image that the User Portal page displays to the users. Each connector contains a default image. You can change that image to any image you want. The maximum image size is 200 x 200 pixels and the ideal image size is 100 x 100 pixels. Use an image from the Image Gallery or upload your own image.
   Attributes: This section enables you to view and manage the attributes that are part of the assertion.
   ImmutableID: By default, Ldap Attribute:GUID [LDAP Attribute Profile] is selected.
   User Principal Name (UPN): By default, Ldap Attribute:mail [LDAP Attribute Profile] is selected.
   Roles and Federation Instructions: This section enables you to control who has access to the application and how to configure the federation.
   Roles: Select the role assignments to determine the user accessibility of this application. The role assignments made in the Appmark editor determine the user visibility of the appmarks associated with this application, not the accessibility of the application.
   Federation Instructions: Contains the federation instructions on what you must change or modify in Microsoft 365 to create the federated connection. Follow these instructions.
   Note
   Advanced Setup does not appear in any of these sections until you save the connector.
6. Click Save.
© Copyright 2025 Open Text
For more info, visit https://docs.microfocus.com