JOSSO 2.4 Internet Information Server (IIS) Tutorial

Contents

1. Introduction
2. Prerequisites
3. Defining Identity Appliance Elements
   3.1. SAML Service Provider
   3.2. JOSSO 1 Resource
   3.3. Windows IIS Execution Environment
4. Activating the Execution Environment
   4.1. Installing Agent Resources
   4.2. Configuring IIS
      4.2.1. Windows Registry Configuration
      4.2.2. Create JOSSO Agent Application
      4.2.3. Setup JOSSO ISAPI Filter
5. Partner Application Integration
   5.1. Accessing the Security Context
   5.2. Triggering login and logout explicitly

Chapter 1. Introduction

Normally you install an agent in each container that hosts SSO partner applications. For example, if you have applications deployed on both IIS and Apache, you have to install an agent in each container. Agents are part of the Service Provider (partner application) runtime environment.

The ISAPI (Internet Server Application Programming Interface) JOSSO Agent provides transparent Single Sign-On to web assets such as ASP pages and .NET applications, so they can be integrated without any programmatic intervention. Once installed, the agent creates a local security context that IIS applications can read to obtain information about the current user: identity, properties, and roles/groups.

As with every JOSSO agent, the ISAPI Agent relies on a working Identity Provider to handle the full lifecycle of a single sign-on session, from establishment to disposal. The Identity Provider role must be realized by a configured JOSSO 2 Identity Appliance instance.

This tutorial describes the steps required to install the JOSSO ISAPI Agent and to establish the user identity in a sample ASP application using the SSO security context.

Chapter 2. Prerequisites

Before starting, make sure that the following prerequisites are met:

  - A JOSSO 2.4.x instance
  - Internet Information Server (v6, v7 or v7.5); the IIS configuration steps in Chapter 4 are shown for the IIS 7.x Manager
  - An IIS application resource to protect

Chapter 3. Defining Identity Appliance Elements

The first step is to define the elements that represent your application and execution environment in the Identity Appliance. The following components must be added to the model:

  - SAML Service Provider: represents the SAML 2 services for the application.
  - JOSSO 1 Resource: represents the IIS application; it holds information such as the application base URL.
  - Windows IIS Execution Environment: represents the IIS server where the application is running. Here you specify the server architecture, the agent install folder, etc.

Once the appliance is compiled, JOSSO creates several configuration resources, derived from the properties of these elements, that are used to install the agent on the IIS server.

3.1. SAML Service Provider

This element represents the SAML 2 services for the application; it is what makes the application SAML-enabled in JOSSO 2. For details on how to modify the default SAML options refer to the JOSSO 2.4 reference guide. Use a lower-case, meaningful name for the SP; in our example we selected partnerapp-sp.

3.2. JOSSO 1 Resource

This element represents a web resource/application that uses a JOSSO agent as its SSO enabling mechanism. In this case, it represents our ASP application. The key properties are name and location. The name should be a meaningful value describing the application (e.g. crm). It is also good practice to use a value similar to the one selected for the Service Provider (SP); for this tutorial partnerapp was selected. The location property is the application base URL (e.g. http://www.mycompany.com). In this tutorial the application is not the entire site but the resources under the /partnerapp path, so the configured location is:

    http://www.mycompany.com:80/partnerapp

3.3. Windows IIS Execution Environment

The final element is the execution environment. The Windows IIS Execution Environment holds the information used to install the JOSSO ISAPI Agent. The key properties are:

  ISAPI Agent URI
      A special path that the agent uses to provide its SSO endpoint services. The default value /josso/agent.sso works in most environments and is normally not modified.

  Target Host
      Local when JOSSO and IIS are running on the same OS instance, otherwise Remote.

  Install Home
      Path where the JOSSO ISAPI Agent will be installed. Keep in mind that an IIS application will be defined pointing to a sub-folder of this path. You can set this value to c:\inetpub\josso.

  Activation Service Endpoint
      Only available when Remote is selected as Target Host. It is the URL where a second JOSSO instance, running on the Windows server, listens for execution environment activation requests.

The activation allows JOSSO to perform the initial agent setup on the execution environment. For remote activations a second JOSSO 2 server performs the local tasks (installing files, etc.) that the main JOSSO server requires. You do not need the second JOSSO server running at all times, only while performing the agent activation, and you can remove it from the server once the activation is completed. The process can also be performed manually, but the execution environment properties configured in the appliance must still reflect the target environment.

Chapter 4. Activating the Execution Environment

4.1. Installing Agent Resources

Because we want the tutorial to provide as much information as possible about the IIS integration, the manual activation process is used. The following resources are needed to configure the agent:

  Agent binary file
      A Windows Dynamic-Link Library (DLL) for the ISAPI Agent. Choose the version that matches the bitness of the IIS worker process that will load it (64-bit on 64-bit Windows unless the application pool has "Enable 32-Bit Applications" set). The files are shipped with JOSSO and can be found at:

        32-bit ISAPI Agent: $JOSSO2_HOME/josso/dist/agents/bin/JOSSOIsapiAgent32.dll
        64-bit ISAPI Agent: $JOSSO2_HOME/josso/dist/agents/bin/JOSSOIsapiAgent64.dll

  Agent configuration file
      Once your appliance has been compiled, select the execution environment element and open the Activation section. Use the Export config button to get a copy of the agent configuration required by your setup.

  Windows Registry scripts
      These scripts configure the Windows registry based on your settings. The files are created by JOSSO during the appliance build process and can be found at:

        $JOSSO2_HOME/data/work/maven/projects/<APPLIANCE>/project/idau/src/main/resources/meta-inf/spring/<EXEC-ENV>/josso/
            josso-agent-eventlog.reg
            josso-agent-isapi.reg

      Agent Configuration Resources Path: make sure to replace <APPLIANCE> and <EXEC-ENV> with the Identity Appliance and Windows IIS execution environment names.

Once gathered, the resources must be installed on the IIS server using the following structure. Make sure that the base folder matches the one configured in the execution environment (e.g. c:\InetPub\josso):

    C:\InetPub\josso\bin\JOSSOIsapiAgent64.dll
    C:\InetPub\josso\config\josso-agent-config.ini
    C:\InetPub\josso\config\josso-agent-isapi.reg
    C:\InetPub\josso\config\josso-agent-eventLog.reg
    C:\InetPub\josso\log\

Folder Permissions: make sure the identity that runs the IIS worker process (on IIS 7.x, the application pool identity, a member of IIS_IUSRS) has the permissions it actually needs over the created folders: read and execute on bin, read on config, and write on log. It does not need write access to the binary or configuration folders, and the config folder holds the agent's trust settings, so keep it writable by administrators only.

4.2. Configuring IIS

4.2.1. Windows Registry Configuration

The ISAPI Agent uses Windows registry entries to obtain basic information about agent-specific resources: the binary, configuration and log locations, the log verbosity level, etc. JOSSO Agent ISAPI registry entries:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Atricore]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Atricore\JOSSO Isapi Agent]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Atricore\JOSSO Isapi Agent\1.8]
    "LogLevel"="trace"
    "ExtensionUri"="/josso/agent.sso"
    "LogFile"="c:\\InetPub\\josso\\log\\josso_isapi.log"
    "AgentConfigFile"="c:\\InetPub\\josso\\config\\josso-agent-config.ini"

  LogLevel
      Supported values are: trace (maximum verbosity), debug, info (recommended for production environments), warn and error. trace and debug write request details to the log file, so use them only while troubleshooting and restrict access to the log folder.

  ExtensionUri
      Value used by the JOSSO ISAPI Extension to serve SSO-specific requests.

  LogFile
      Agent log file location.

  AgentConfigFile
      Agent configuration file location.

The ISAPI Agent also integrates with the Windows Event Viewer to provide troubleshooting information about errors that occur before the agent's own log system is initialized. The following entries register the agent DLL as the Event Viewer message resource for errors raised by the agent. Make sure to select the proper DLL for your architecture.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\JOSSO Isapi]
    "TypesSupported"=dword:00000007
    "EventMessageFile"="c:\\InetPub\\josso\\bin\\JOSSOIsapiAgent64.dll"
    "CategoryCount"=dword:00000007
    "CategoryMessageFile"="c:\\InetPub\\josso\\bin\\JOSSOIsapiAgent64.dll"

Simply double-click each .reg file using an Administrator account and the changes will be added to the system registry. Check the paths before importing: a mistyped folder in LogFile or AgentConfigFile means the agent starts without its configuration and only the Event Viewer entries will tell you why.

4.2.2. Create JOSSO Agent Application

To enable SSO services on your execution environment, a web application must be created for JOSSO. Its physical path must be set to the agent bin folder, c:\inetpub\josso\bin, and its virtual path to /josso.

Now that the application exists, configure a handler mapping that routes all requests ending in .sso to the ISAPI agent. Select the created application, then click the Add Module Mapping option on the right-hand menu and use the following values:

  Request Path: *.sso
      Request path for the module (it can also be an expression). All requests ending in .sso are handled by the agent.

  Module: IsapiModule
      IIS module type; make sure that IsapiModule is selected.

  Executable: c:\inetpub\josso\bin\JOSSOIsapiAgent64.dll
      The ISAPI module binary file.

  Name: JOSSOIsapiAgent
      The module mapping name.

  Request Restrictions, Access: Execute
      Make sure to enable Execute access for the module.

4.2.3. Setup JOSSO ISAPI Filter

The final step is to configure the agent's ISAPI filter, which ensures that every request targeted at your partner application passes through the SSO agent. ISAPI filters are configured in IIS at the site level: select the site element and open the ISAPI Filters list. Add a new entry for JOSSO, and accept the ISAPI extension creation (the ISAPI and CGI Restrictions entry) when the filter configuration is confirmed; without that entry IIS will refuse to load the DLL.

  ISAPI or CGI Path: c:\inetpub\josso\bin\JOSSOIsapiAgent64.dll
      The location of the agent binary file.

  Description: JOSSOIsapiFilter
      Filter configuration description.

  Allow Extension path to Execute: selected
      This allows the filter to run.

Chapter 5. Partner Application Integration

Now that the agent installation is complete, let's take a look at the application integration.

5.1. Accessing the Security Context

User information is exposed as web server variables; this works for ASP, ASP.NET, or any other .NET application. All JOSSO server variables carry the HTTP_JOSSO prefix. Because IIS exposes request headers as HTTP_-prefixed server variables, the values an application reads here are the ones the agent sets for the current SSO session; treat them as the only trustworthy source of identity and do not re-read user-supplied headers yourself.

  HTTP_JOSSO_USER
      Authenticated user login name. Example: HTTP_JOSSO_USER = user1 for a user with login user1.

  HTTP_JOSSO_USER_PROPERTY_<NAME>
      A user property. Example: HTTP_JOSSO_USER_PROPERTY_EMAIL = user1@josso.org for the property email: user1@josso.org.

  HTTP_JOSSO_ROLE_<NAME>
      A user role. Example: HTTP_JOSSO_ROLE_ROLE1 = role1 for a user with role role1.

  HTTP_JOSSO_ORIGINAL_RESOURCE_URL
      The protected resource URL that was originally requested. Example: http://www.mycompany.com/partnerapp/protected/myprotected.asp

Let's take a look at a sample ASP page. Values are HTML-encoded before being written, since user properties come from the Identity Provider and must not be reflected into the page as markup:

    <html>
    <body>
    <table width="100%" cellpadding="0" cellspacing="0" border="0">
      <tr>
        <td align="center" class="label">
          <table cellpadding="0" cellspacing="3" border="0">
            <tr>
              <td colspan="2" align="center">
                <b>Hello, <%=Server.HTMLEncode(Request.ServerVariables("HTTP_JOSSO_USER"))%>!</b>
              </td>
            </tr>
            <%
            ' List every server variable the agent injected for the SSO session
            For Each varName In Request.ServerVariables
              If InStr(varName, "HTTP_JOSSO") Then
                Response.Write("<tr><td>" & Server.HTMLEncode(varName) & "</td><td>" & _
                               Server.HTMLEncode(Request.ServerVariables(varName)) & "</td></tr>")
              End If
            Next
            %>
          </table>
        </td>
      </tr>
    </table>
    </body>
    </html>

5.2. Triggering login and logout explicitly

A partner application can force a user to authenticate by issuing an HTTP redirect to the appropriate local agent URL. Depending on the URL parameters, applications can start a login, start a passive login, or perform a logout. The URL is based on the JOSSO ISAPI Extension URI; for example, if the host name is www.mycompany.com and the extension URI is /josso/agent.sso, the login URL is:

    http://www.mycompany.com/josso/agent.sso?josso_login&josso_partnerapp_id=partnerapp-sp

  josso_login (no value required)
      Triggers a login process; the IdP will try any available authentication mechanism, such as basic authentication.

  josso_login_optional (no value required)
      Triggers a passive login process; the IdP will use only passive authentication mechanisms (existing session, WIA, etc.). Useful to check for the existence of an SSO session without prompting the user.

  josso_force_authn (true, false)
      Tells JOSSO that authentication must be forced for the user even if a session is active. Useful to request an authentication context with different security constraints, for example to require basic authentication when a remember-me session has been detected.

  josso_authn_ctx (SAML 2.0 authentication context)
      When combined with josso_force_authn, allows the application to request a specific authentication mechanism.

  josso_logout (no value required)
      Triggers the single logout process.

  josso_partnerapp_id (SP name)
      Tells the agent which application is performing the request. It must match the name of the SAML service provider associated with the IIS partner application (e.g. partnerapp-sp).

Let's take a look at some samples:

  Login
      http://www.mycompany.com/josso/agent.sso?josso_login&josso_partnerapp_id=partnerapp-sp

  Force a login with a password, even if a session exists
      http://www.mycompany.com/josso/agent.sso?josso_force_authn&josso_partnerapp_id=partnerapp-sp&josso_authn_ctx=urn:oasis:names:tc:saml:2.0:ac:classes:pas

  Passive login (no user interaction)
      http://www.mycompany.com/josso/agent.sso?josso_login_optional&josso_partnerapp_id=partnerapp-sp

  Logout
      http://www.mycompany.com/josso/agent.sso?josso_logout&josso_partnerapp_id=partnerapp-sp

Action Parameters: the parameters that select the type of action to perform (josso_login, josso_login_optional, josso_logout) are mutually exclusive and cannot be combined in the same request.
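The following script is an added example for sections 5.1 and 5.2 and is not part of JOSSO or the tutorial. It builds the agent URLs with the exclusivity rule from Action Parameters enforced and the authentication context URL-encoded, then runs two deployment checks against the agent without following redirects: that a login request to the *.sso endpoint is answered by the agent (a redirect, not a 404 from IIS), and that an unauthenticated request to a protected page is still sent to login even when the client supplies its own JOSSO_USER header, which confirms the agent and not the client is the source of the HTTP_JOSSO_* server variables. Assumptions: host www.mycompany.com, extension URI /josso/agent.sso, SP name partnerapp-sp and the protected page /partnerapp/protected/myprotected.asp from the text; the authentication context value is the standard SAML 2.0 PasswordProtectedTransport class URI, since the tutorial does not state which class JOSSO expects.

```powershell
# Added example (not part of the JOSSO tutorial): agent URL builder for
# section 5.2 plus two post-install checks. Assumptions: host
# www.mycompany.com, SP partnerapp-sp, extension URI /josso/agent.sso,
# protected page /partnerapp/protected/myprotected.asp. The SAML class URI
# is the standard password one; the tutorial does not say which JOSSO uses.

function New-JossoAgentUrl {
    param(
        [Parameter(Mandatory)][string]$BaseUrl,       # e.g. http://www.mycompany.com
        [Parameter(Mandatory)][string]$PartnerAppId,  # SAML SP name, e.g. partnerapp-sp
        [switch]$Login, [switch]$LoginOptional, [switch]$Logout,
        [switch]$ForceAuthn, [string]$AuthnContext,
        [string]$ExtensionUri = '/josso/agent.sso'
    )
    # josso_login, josso_login_optional and josso_logout are mutually exclusive.
    $actions = @(@($Login.IsPresent, $LoginOptional.IsPresent, $Logout.IsPresent) | Where-Object { $_ })
    if ($actions.Count -gt 1) { throw 'Only one of -Login, -LoginOptional, -Logout may be given.' }
    if ($actions.Count -eq 0 -and -not $ForceAuthn) { throw 'Select an action or -ForceAuthn.' }
    if ($AuthnContext -and -not $ForceAuthn) { throw '-AuthnContext only has effect with -ForceAuthn.' }

    $parts = @()
    if ($Login)         { $parts += 'josso_login' }
    if ($LoginOptional) { $parts += 'josso_login_optional' }
    if ($Logout)        { $parts += 'josso_logout' }
    if ($ForceAuthn)    { $parts += 'josso_force_authn=true' }
    if ($AuthnContext)  { $parts += 'josso_authn_ctx=' + [Uri]::EscapeDataString($AuthnContext) }
    $parts += 'josso_partnerapp_id=' + [Uri]::EscapeDataString($PartnerAppId)
    return "$($BaseUrl.TrimEnd('/'))$ExtensionUri?$($parts -join '&')"
}

# Fetch a URL without following redirects so the agent's own answer is visible.
function Get-RedirectTarget {
    param([Parameter(Mandatory)][string]$Url, [hashtable]$Headers = @{})
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $req.Method = 'GET'
    foreach ($h in $Headers.GetEnumerator()) { $req.Headers.Add($h.Key, $h.Value) }
    try { $res = $req.GetResponse() } catch [System.Net.WebException] { $res = $_.Exception.Response }
    if (-not $res) { throw "No HTTP response from $Url" }
    [pscustomobject]@{ Status = [int]$res.StatusCode; Location = $res.Headers['Location'] }
}

$base   = 'http://www.mycompany.com'
$sp     = 'partnerapp-sp'
$pwdCtx = 'urn:oasis:names:tc:saml:2.0:ac:classes:PasswordProtectedTransport'

# The four sample URLs from section 5.2.
New-JossoAgentUrl -BaseUrl $base -PartnerAppId $sp -Login
New-JossoAgentUrl -BaseUrl $base -PartnerAppId $sp -ForceAuthn -AuthnContext $pwdCtx
New-JossoAgentUrl -BaseUrl $base -PartnerAppId $sp -LoginOptional
New-JossoAgentUrl -BaseUrl $base -PartnerAppId $sp -Logout

# Check 1: the *.sso handler mapping is live. A login request must be answered
# by the agent with a redirect to the IdP, not by IIS with 404.
$r = Get-RedirectTarget (New-JossoAgentUrl -BaseUrl $base -PartnerAppId $sp -Login)
if ($r.Status -ne 302 -or -not $r.Location) { throw "Agent endpoint not answering as expected: HTTP $($r.Status)" }

# Check 2: HTTP_* server variables mirror request headers, so an unauthenticated
# request carrying its own JOSSO_USER header must still be sent to login. If the
# protected page is served, the filter is not in front of it.
$probe = "$base/partnerapp/protected/myprotected.asp"
$r = Get-RedirectTarget -Url $probe -Headers @{ 'JOSSO_USER' = 'forged' }
if ($r.Status -eq 200) { throw 'Protected page served without SSO; verify the ISAPI filter and handler mapping on this site.' }
"Agent checks passed; unauthenticated access is redirected to $($r.Location)"
```

Run the checks from a host that can reach the site but holds no SSO cookie, otherwise the second probe is satisfied by the existing session rather than by the filter. If the force-authn URL is rejected by the IdP, the authentication context class is the first thing to compare against what the appliance's SP configuration allows.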