Internet Information Services Integration Kit. Version 2.4. User Guide



Similar documents
PHP Integration Kit. Version User Guide

PingFederate. IWA Integration Kit. User Guide. Version 2.6

PingFederate. IWA Integration Kit. User Guide. Version 3.0

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

Java Integration Kit. Version User Guide

Preparing Your Server for an MDsuite Installation

Quick Connection Guide

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

PingFederate. Identity Menu Builder. User Guide. Version 1.0

Configuring Microsoft Internet Information Service (IIS6 & IIS7)

Deploying EMC Documentum WDK Applications with IBM WebSEAL as a Reverse Proxy

Como configurar o IIS Server para ACTi NVR Enterprise

Sage 300 ERP Sage CRM 7.2 Integration Guide

Dell One Identity Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

Dell Statistica Document Management System (SDMS) Installation Instructions

PingFederate. OpenID Cloud Identity Connector. User Guide. Version 1.1

Installation Guide Supplement

Wise Package Studio 8.0 MR1 Release Notes

Dell One Identity Cloud Access Manager Installation Guide

Sage 300 ERP Sage CRM 7.1 Integration Guide

How to Install and Setup IIS Server

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual

Front-Office Server 2.7

Archive Attender Version 3.5

Secret Server Installation Windows 8 / 8.1 and Windows Server 2012 / R2

ACTi NVR Config Converter User s Manual. Version /06/07

How to Install Multiple Monitoring Agents on a Microsoft Operating System. Version StoneGate Firewall/VPN 2.6 and SMC 3.2

Preparing Your Network for an MDsuite Installation

ACTIVE DIRECTORY DEPLOYMENT

Symantec AntiVirus Corporate Edition Patch Update

Migrating TimeForce To A New Server

XIA Configuration Server

Dell Statistica Statistica Enterprise Installation Instructions

Sage HRMS 2014 Sage Employee Self Service Tech Installation Guide for Windows 2003, 2008, and October 2013

Click Studios. Passwordstate. Upgrade Instructions to V7 from V5.xx

Portions of this product were created using LEADTOOLS LEAD Technologies, Inc. ALL RIGHTS RESERVED.

Configuring Single Sign-On for Documentum Applications with RSA Access Manager Product Suite. Abstract

Reference and Troubleshooting: FTP, IIS, and Firewall Information

JOSSO 2.4. Internet Information Server (IIS) Tutorial

Microsoft SQL Server Installation Guide

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

EVault Endpoint Protection 7.0 Single Sign-On Configuration

STATISTICA VERSION 10 STATISTICA ENTERPRISE SERVER INSTALLATION INSTRUCTIONS

Specops Command. Installation Guide

CA SiteMinder. Web Agent Installation Guide for IIS 12.51

SafeNet Authentication Manager Express. Upgrade Instructions All versions

Release Notes RSA Authentication Agent for Web for IIS 7.0, 7.5, and 8.0 Web Server

Enterprise Vault Installing and Configuring

FrontDesk. (Server Software Installation) Ver

Novell PlateSpin Portability Suite

How to configure the DBxtra Report Web Service on IIS (Internet Information Server)

CA Technologies SiteMinder

Symantec Backup Exec TM 11d for Windows Servers. Quick Installation Guide

Release Notes RSA Authentication Agent for Web for IIS 7.0, 7.5, and 8.0 Web Server

Microsoft SQL Server 2008 R2 (64-bit) Standard Edition Installation Guide

FireSIGHT User Agent Configuration Guide

formerly Help Desk Authority Upgrade Guide

HOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Tableau Server

PingFederate. SSO Integration Overview

HP Enterprise Integration module for SAP applications

Check Point FDE integration with Digipass Key devices

IBM WebSphere Application Server

Technical Note: How to Move AccountMate for SQL/Express to a Different Server

Document Exchange Server 2.5

Installing and Configuring DB2 10, WebSphere Application Server v8 & Maximo Asset Management

CA Spectrum and CA Embedded Entitlements Manager

PlateSpin Migrate 11.1 Installation and Upgrade Guide

USER GUIDE. Snow Inventory Data Receiver Version 2.1 Release date Installation Configuration Document date

BusinessObjects Enterprise XI Release 2

Microsoft SQL Server 2008 R2 Express Edition with Advanced Services Installation Guide

Microsoft Dynamics GP SQL Server Reporting Services Guide

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

NETWRIX WINDOWS SERVER CHANGE REPORTER

Abila MIP. Installation Guide

4cast Client Specification and Installation

Configuring EPM System for SAML2-based Federation Services SSO

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide

Customizing the SSOSessionTimeout.jsp page for Kofax Front Office Server 3.5.2

CA Nimsoft Monitor. Probe Guide for IIS Server Monitoring. iis v1.5 series

2 Downloading Access Manager 3.1 SP4 IR1

Thales ncipher modules. Version: 1.2. Date: 22 December Copyright 2009 ncipher Corporation Ltd. All rights reserved.

DIGIPASS Authentication for Windows Logon Getting Started Guide 1.1

What's New in BlackBerry Enterprise Server 5.0 SP4 for Novell GroupWise

Symantec Backup Exec 2010 R2. Quick Installation Guide

Blackbaud, Inc. This publication, or any part thereof, may not be reproduced or transmitted in any form or by any means, electronic, or

INTEGRATION GUIDE. DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

Microsoft Office 365 Using SAML Integration Guide

Microsoft Dynamics GP Web Services Installation and Administration Guide

Microsoft Corporation. Project Server 2010 Installation Guide

Dovico Timesheet v12 INSTALLATION GUIDE

Administering Jive for Outlook

ContentWatch Auto Deployment Tool

Symantec LiveUpdate Administrator. Getting Started Guide

Installation Instruction STATISTICA Enterprise Server

VERITAS Backup Exec 9.1 for Windows Servers Quick Installation Guide

CA SiteMinder. Web Agent Installation Guide for IIS. r12.5

Installation Guide. . All right reserved. For more information about Specops Inventory and other Specops products, visit

Transcription:

Internet Information Services Integration Kit Version 2.4 User Guide

2014 Ping Identity Corporation. All rights reserved. PingFederate Internet Information Services User Guide Version 2.4 June, 2014 Ping Identity Corporation 1001 17th Street, Suite 100 Denver, CO 80202 U.S.A. Phone: 877.898.2905 (+1 303.468.2882 outside North America) Fax: 303.468.2909 Web Site: www.pingidentity.com Trademarks Ping Identity, the Ping Identity logo, PingFederate, PingOne, PingConnect, and PingEnable are registered trademarks of Ping Identity Corporation ("Ping Identity"). All other trademarks or registered trademarks are the property of their respective owners. Disclaimer The information provided in this document is provided "as is" without warranty of any kind. Ping Identity disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Ping Identity or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Ping Identity or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. PingFederate IIS Integration Kit 2 User Guide

Contents Introduction... 4 Intended Audience... 4 System Requirements... 4 ZIP Manifest... 4 Processing Overview... 5 Installation and Setup... 7 PingFederate IIS Integration Kit 3 User Guide

Introduction The PingFederate Internet Information Services (IIS) Integration Kit adds a Service Provider (SP) application-integration option to PingFederate. The kit includes an IIS Agent that works in conjunction with the PingFederate OpenToken Adapter to allow an SP enterprise to accept SAML assertions and provide single sign-on (SSO) to IIS Web applications. The assertions may be sent using the SAML protocol (version 2.0 or 1.x) or the WS-Federation passive-requestor protocol (see Supported Standards in Getting Started). Intended Audience This document is intended for system administrators with experience in the configuration and maintenance of Windows and IIS servers. Knowledge of networking and user-management configuration is assumed at certain points in this document. Please consult documentation provided with your server tools if you encounter any difficulties in areas not directly associated with the PingFederate or integration-kit setups. System Requirements The following prerequisites must exist in order to implement the IIS Integration Kit: PingFederate 5.x (or higher) See Installing the OpenToken Adapter and Configuring PingFederate on page 7 for more information. IIS 6.x ASP.NET application must use.net Framework 2.0 ZIP Manifest The distribution ZIP file for the IIS Integration Kit contains the following: ReleaseNotes.pdf contains updates on the latest release. /docs documentation: IIS_Integration_Kit_User_Guide.pdf this document IIS_Integration_Kit_Qualification_Statement.pdf testing information and known issues Legal.pdf licensing and other information /dist libraries and supporting files needed to install and run the adapter and agent: opentoken-adapter-2.5.1.jar the OpenToken Adapter JAR file /x86 agent installation directory for 32-bit Windows architecture: setup.exe installation program for the PingFederate IIS Agent Support Files.msi installation supporting files for the PingFederate IIS Agent PingFederate IIS Integration Kit 4 User Guide

/conf configuration file /Module Retargetable Folder IIS agent DLL, configuration data, and a sample application /x64 installation directory for 64-bit Windows architecture setup.exe installation program for the PingFederate IIS Agent Support Files.msi installation supporting files for the PingFederate IIS Agent /conf configuration file /Module Retargetable Folder IIS agent DLL, configuration data, and a sample application Processing Overview The IIS Agent acts as a filter in front of an application (or any external protected resource). The basic responsibilities of the Agent are to filter requests to determine whether a request is for a protected resource: If the request is for an unprotected resource, the Agent passes the request to the application. If the request is for a protected resource, the Agent checks to see if there is a PingFederate session available and if it meets the policy for the session. If a session exists and the session meets the policy for the request, then the Agent passes the request back to the application. If a session does not exist, or if the existing session does not meet the session policy for that request, the Agent redirects the user s browser through the PingFederate server to an Identity Provider (IdP) for authentication. After authentication, PingFederate redirects the user back to the protected resource with a valid session. PingFederate IIS Integration Kit 5 User Guide

The following figure illustrates an SP-initiated SSO scenario, showing the request flow and how the PingFederate OpenToken Adapter wraps attributes from an assertion into a secure token (OpenToken) and passes the token to IIS. Processing Steps 1. A user attempts to access a resource on the IIS server protected by the PingFederate IIS Agent. 2. The user is redirected to the PingFederate server for authentication. (If an OpenToken session already exists, the user is granted immediate access.) 3. The PingFederate server redirects the user s browser to an IdP for authentication using either the SAML or WS-Federation protocols. The IdP partner authenticates the user and returns a SAML assertion. 4. PingFederate validates the assertion and creates an OpenToken for the user including any configured attributes. PingFederate then redirects the browser, including the OpenToken, back to the IIS Agent s OpenToken Exchange service, which converts the OpenToken into a cookie, and redirects to the original resource. 5. The IIS Agent verifies the OpenToken and grants access to the protected resource. The User ID and any attributes from the OpenToken are exposed to the resource as HTTP Request Headers. PingFederate IIS Integration Kit 6 User Guide

Installation and Setup The following sections describe how to install and configure the OpenToken Adapter for both an IdP and an SP as well as deploy the IIS agent. Installing the OpenToken Adapter and Configuring PingFederate Note: If you have already deployed version 2.5.1 (or higher) of the OpenToken Adapter, skip to step 5 in the following procedure. 1. Stop the PingFederate server if it is running. 2. Remove any existing OpenToken Adapter files (opentoken*.jar) from the directory: <PF-install>/pingfederate/server/default/deploy The adapter JAR file is open-token-adapter-<version>.jar. Important: If you are running PingFederate 5.1.0, also remove the file opentokenadapter.jar from the directory: <PF_install>/pingfederate/server/default/lib 3. Unzip the integration-kit distribution file and copy opentoken-adapter-2.5.1.jar from the /dist directory to the PingFederate directory: <PF_install>/pingfederate/server/default/deploy 4. Start or restart PingFederate. Note: References to screens in the following steps conform to the appearance of the PingFederate 6.x administrative console. However, the configuration is the same for 5.x versions; only the screen names have changed. 5. Create an instance of the OpenToken Adapter for your SP configuration using settings on the Instance Configuration screen as indicated in the table below. (Fields not specified are optional. For more information, see OpenToken Adapter Configuration in the PingFederate Administrator s Manual.) Option Password Confirm Password Description Enter any password you choose. Password confirmation. 6. On the Actions screen in the adapter setup steps, click the Download link and save the properties file to any directory on the machine running IIS. You will move this file later when you set up the PingFederate IIS Agent (see Installing and Configuring the PingFederate IIS Agent on page 8). PingFederate IIS Integration Kit 7 User Guide

7. On the Extended Contract screen, enter any attributes you wish to pass to the application as HTTP request headers. For more information, see IIS Agent Session Information on page 11. 8. Configure a connection to your IdP partner, using the instance of the OpenToken Adapter you configured in the last steps. For more information, see Identity Provider SSO Configuration in the PingFederate Administrator s Manual. Installing and Configuring the PingFederate IIS Agent Note: If this is a first-time installation of the IIS Integration Kit, proceed directly to step 2 in the following procedure. If you are upgrading this integration, we strongly recommend reinstalling the OpenToken IIS Agent in IIS. 1. If you are upgrading this integration: a. Using the Windows Control Panel, remove the existing OpenToken IIS agent from the IIS server. b. Restart IIS for changes to take effect. 2. Unzip the IIS Integration Kit distribution file into a directory on the IIS machine. 3. From the integration-kit /dist (Win32 or Win 64)/ directory, run setup.exe and follow the setup screens. Note: The setup installs the.net Framework and supporting components. If you are unable to run the installer, you can manually accomplish these tasks (see Alternative Manual Installation on page 10). Important: If you are running Windows Vista or Server 2008, run the executable as Administrator. 4. Register the.net Framework 2.0 by entering the following command: PingFederate IIS Integration Kit 8 User Guide

<Windows>\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -i -enable where <Windows> is the location of the operating system files. 5. Move the agent-config.txt exported during the Adapter setup into the conf directory created by the installer. By default, this directory is located in: C:\Program Files\Ping Identity Corporation\OpenToken IIS Agent (n-bit)\ where n is either 32 or 64, depending on your architecture. 6. For IIS 6.0, follow the steps below to register the PingFederate ISAPI extension: a. Access the IIS Manager. b. Locate the virtual directory representing the IIS site and right-click to go to Properties. c. On the Properties screen under the Virtual Directory tab, click Configuration. d. On the Application Configuration screen under Mappings, click Insert to locate and add the PingFederate IIS Agent to the Wildcard application maps. If you chose the default path for the PingFederate IIS Agent during installation, the path and file for the extension is: C:\Program Files\Ping Identity Corporation\OpenToken IIS Agent (nbit)\bin\opentokeniisagent.dll Note: If you used the default path or chose another path with spaces in a folder name, then you must add quotation marks around the path. PingFederate IIS Integration Kit 9 User Guide

e. Click OK and then click OK again on the Properties screen. 7. For IIS 7.0, follow the steps below to register the PingFederate ISAPI extension: a. Open the IIS Manager console. b. Select the Site you wish to protect with the Agent. c. Open the Features view, and select ISAPI Filters. d. Add a new filter named OpenTokenIISAgent with an executable of: C:\Program Files\Ping Identity Corporation\OpenToken IIS Agent (nbit)\bin\opentokeniisagent.dll e. On either a Site level, or an Application/Virtual Directory level, create a Wildcard script map to the IISAgent. To do this, select Handler Mappings on the Features view, click Add Wildcard Script Map, and add a new script named OpenTokenIISAgent with an executable of: C:\Program Files\Ping Identity Corporation\OpenToken IIS Agent (nbit)\bin\opentokeniisagent.dll 8. Configure the properties file for IIS: The file is pfisapi.conf located in C:\Program Files\Ping Identity Corporation\OpenToken IIS Agent (n-bit)\conf\. Refer to comments in the file for information and configure the required properties, at minimum, when no defaults are provided (change defaults as needed). 9. Restart IIS for changes to pfisapi.conf to take effect. Alternative Manual Installation If you are unable to run the installer script, you can configure the IIS Integration Kit Agent manually using the following procedure: 1. Download and install the.net Framework 2.0 from Microsoft, and register the framework in IIS. 2. Copy the contents of Module Retargetable Folder in the integration-kit distribution to any directory. In this procedure, the full path of this directory is referred to as <agent-install-dir>. 3. Copy conf/pfisapi.conf from the distribution into a directory named: <agent-install-dir>\conf 4. Create a registry key under HKEY_LOCAL_MACHINE\SOFTWARE using the key folder\subfolder: Ping Identity Corporation\ISAPI Configuration Use the following key attributes: Name: InstallPath Type: REG_SZ (the default) Value: <agent-install-dir> 5. Install the Agent service: PingFederate IIS Integration Kit 10 User Guide

Open a Command window and go to the <agent-install-dir>\bin folder. Run the following command: AgentService.exe install Note: To uninstall the agent service, run the following command: AgentService.exe remove 6. Start the service from the Windows Services manager. 7. (For IIS 6.0) Register the ISAPI filter in IIS: a. Open the IIS Manager console. b. On the Web Sites level, right click Web Sites and select Properties. c. Under the ISAPI Filters tab, click Add. d. Add a new filter named OpenTokenIISAgent with a value: <agent-install-dir>\bin\opentokeniisagent.dll 8. (For IIS 7.0) Register the ISAPI filter in IIS: a. Open the IIS Manager console. b. Select the Site you wish to protect with the Agent. c. Open the Features view, and select ISAPI Filters. d. Add a new filter named OpenTokenIISAgent with an executable of: <agent-install-dir>\bin\opentokeniisagent.dll e. On either a Site level, or an Application/Virtual Directory level, create a Wildcard script map to the IIS Agent. To do this, select Handler Mappings on the Feature view, and click Add Wildcard Script Map. Add a new script named OpenTokenIISAgent with an executable of: <agent-install-dir>\bin\opentokeniisagent.dll IIS Agent Session Information The PingFederate IIS Agent exposes session information and user attributes from the adapter to the protected application via HTTP request headers. This information can then be used by the application for authorization decisions, for example, or for generation of content specific to the user making the request. The session and attribute information exposed to the application includes the following: Attributes from the OpenToken Adapter contract These include, by default, the subject (SUBJECT) and attributes specified on the Extended Contract screen of the adapter setup (see Installing the OpenToken Adapter and Configuring PingFederate on page 7). Only the attributes fulfilled at runtime will be exposed to the application; attributes with a NULL value will not be included in the OpenToken. NOT-ON-OR-AFTER The time until inactivity timeout is reached. RENEW-UNTIL The time until overall session timeout is reached. AUTH_NOT-BEFORE The time when the session was created. PingFederate IIS Integration Kit 11 User Guide

AUTHNCONTEXT Information from the SAML assertion that describes how the user was authenticated at the IdP. (For more information, locate Authentication Context in the PingFederate Getting Started manual.) For security reasons, each HTTP request header is first pre-pended with a specific (configurable) prefix. The IIS Agent will always remove and rewrite these prefixed request headers for each request. If applications protected by the IIS Agent cannot be modified to accept headers with this prefix, the IIS Agent can be configured not to add a prefix to the HTTP headers. In this case, on the Extended Contract screen in the OpenToken Adapter configuration, include an attribute named pf_attribute_list. Then map that attribute in your IdP Connection as a Text field containing a comma-separated list of all the attributes in the adapter contract (see figure below). This attribute list is sent in the OpenToken and used by the IIS Agent to overwrite headers in the request. For more information, see Configuring Adapter Contract Fulfillment in the PingFederate Administrator s Manual. PingFederate IIS Integration Kit 12 User Guide

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information