Version 6.5 (and higher) Integration Note. Security Token Service and Microsoft Interoperability

Similar documents
ADFS Integration Guidelines

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

Secret Server Installation Windows Server 2012

CA Nimsoft Service Desk

NSi Mobile Installation Guide. Version 6.2

IFS CLOUD UPLINK INSTALLATION GUIDE

PingFederate. IWA Integration Kit. User Guide. Version 3.0

PingFederate. IWA Integration Kit. User Guide. Version 2.6

Secret Server Installation Windows Server 2008 R2

Microsoft Corporation. Project Server 2010 Installation Guide

PHP Integration Kit. Version User Guide

DataCove. Installation Instructions for Search Plug-in for Microsoft Outlook 2007 & 2010 (All Users)

Internet Information Services Integration Kit. Version 2.4. User Guide

Configure Microsoft Dynamics AX Connector for Mobile Applications

MicrosoftDynam ics GP TenantServices Installation and Adm inistration Guide

Active Directory Management. Agent Deployment Guide

Introduction to Mobile Access Gateway Installation

Microsoft Dynamics CRM Server 2011 software requirements

Configuration Guide. SafeNet Authentication Service AD FS Agent

Microsoft Dynamics GP Release

MultiSite Manager. Setup Guide

Defender Token Deployment System Quick Start Guide

Zanibal Plug-in For Microsoft Outlook Installation & User Guide Version 1.1

Secret Server Installation Windows 8 / 8.1 and Windows Server 2012 / R2

Cloud Services ADM. Agent Deployment Guide

Setting Up SSL on IIS6 for MEGA Advisor

PingFederate. Identity Menu Builder. User Guide. Version 1.0

Safewhere*ADFS2Logging

Installing and Configuring vcenter Multi-Hypervisor Manager

Check Point FDE integration with Digipass Key devices

Setup Guide Access Manager 3.2 SP3

How To Enable A Websphere To Communicate With Ssl On An Ipad From Aaya One X Portal On A Pc Or Macbook Or Ipad (For Acedo) On A Network With A Password Protected (

DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014

Getting Started with the Ed-Fi ODS and Ed-Fi ODS API

User Source and Authentication Reference

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

Metalogix SharePoint Backup. Advanced Installation Guide. Publication Date: August 24, 2015

Using SQL Reporting Services with Amicus

MultiSite Manager. Setup Guide

O Reilly Media, Inc. 3/2/2007

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

XIA Configuration Server

Shavlik Patch for Microsoft System Center

Installing Management Applications on VNX for File

Installation and Configuration Guide

Installation Guide for Pulse on Windows Server 2008R2

Integration Guide. Microsoft Active Directory Rights Management Services (AD RMS) Microsoft Windows Server 2008

Installation Guide for Pulse on Windows Server 2012

SOLARWINDS ORION. Patch Manager Evaluation Guide for ConfigMgr 2012

Active Directory Management. Agent Deployment Guide

Mobility Manager 9.0. Installation Guide

Microsoft Dynamics GP. Workflow Installation Guide Release 10.0

StreamServe Persuasion SP5 Control Center

AvePoint Meetings for SharePoint On-Premises. Installation and Configuration Guide

safend a w a v e s y s t e m s c o m p a n y

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

Using etoken for Securing s Using Outlook and Outlook Express

Sophos for Microsoft SharePoint startup guide

Using Microsoft Visual Studio API Reference

DameWare Server. Administrator Guide

How to Logon with Domain Credentials to a Server in a Workgroup

CONFIGURING MICROSOFT SQL SERVER REPORTING SERVICES

DEPLOYMENT GUIDE. SAML 2.0 Single Sign-on (SSO) Deployment Guide with Ping Identity

IIS, FTP Server and Windows

SafeNet Authentication Service

VMware Identity Manager Integration with Active Directory Federation Services 2.0

YubiKey PIV Deployment Guide

IBM Aspera Add-in for Microsoft Outlook 1.3.2

Use Enterprise SSO as the Credential Server for Protected Sites

DriveLock Quick Start Guide

Setup Guide for AD FS 3.0 on the Apprenda Platform

OneLogin Integration User Guide

Using Device Discovery

SOLARWINDS ORION. Patch Manager Evaluation Guide

HP Device Manager 4.6

SQL Server 2008 R2 Express Edition Installation Guide

SharePoint Server Quick Start Guide for Single Server Farms

Dell One Identity Cloud Access Manager Installation Guide

NetWrix Password Manager. Quick Start Guide

Flexible Identity Federation

CA CloudMinder. Getting Started with SSO 1.5

Microsoft Dynamics GP Web Services Installation and Administration Guide

Setting up VMware ESXi for 2X VirtualDesktopServer Manual

Design Better Products. SolidWorks SolidWorks Enterprise PDM Installation Guide

WCFStormHost User Guide

Lepide Exchange Recovery Manager

F-Secure Messaging Security Gateway. Deployment Guide

CA Nimsoft Service Desk

SafeGuard Enterprise Installation best practice

BlackShield ID Agent for Terminal Services Web and Remote Desktop Web

BlackShield ID Agent for Remote Web Workplace

RoomWizard Synchronization Software Manual Installation Instructions

Using SQL Reporting Services with Amicus

HOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services

INSTALLING MICROSOFT SQL SERVER AND CONFIGURING REPORTING SERVICES

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

How to Order and Install Odette Certificates. Odette CA Help File and User Manual

Windows Server Update Services 3.0 SP2 Step By Step Guide

Using LifeSize systems with Microsoft Office Communications Server Server Setup

Microsoft Exchange 2010 and 2007

Transcription:

Version 6.5 (and higher) Integration Note Security Token Service and Microsoft Interoperability

PingFederate Integration Note 2014 Ping Identity Corporation. All rights reserved. About Integration Notes PingFederate software developers, specialty teams, and third parties periodically submit supplemental documentation to give our customers insight into configuration, deployment, integration, or use cases that are not specifically covered by the core product documentation. Disclaimer This document is provided for informational purposes only, and the information herein is subject to change without notice. Ping Identity does not provide any warranties and specifically disclaims any liability in connection with this document. Note that Ping Identity may not provide support for any sample configurations provided in this document. The variability inherent among security environments prevents full testing and support for all possible platform configurations. If you need special assistance or would like to inquire about implementation or support programs, please contact Ping Identity Support (www.pingidentity.com/support). Document Lifetime Ping Identity may occasionally update online documentation between releases of the related software. Consequently, if this PDF was not downloaded recently, it may not contain the most up-to-date information. Please refer to the online documentation at documentation.pingidentity.com for the most current information. From the Web site, you may also download and refresh this PDF if it has been updated, as indicated by a change in this date: May 15, 2014. Contact Information Ping Identity Corporation 1001 17th Street, Suite 100 Denver, CO 80202 U.S.A. Phone: 877.898.2905 (+1 303.468.2882 outside North America) Fax: 303.468.2909 E-mail: info@pingidentity.com Web Site: www.pingidentity.com Ping Identity Page 2

Overview The Microsoft suite of federation technologies provides several integration points with the PingFederate WS-Trust Security Token Service (STS). This document addresses common scenarios encountered when using the Windows Identity Foundation (WIF) and Windows Communication Foundation (WCF). Currently, the PingFederate STS fulfills active use cases and may act as either an Identity Provider STS (IP-STS) or Relying Party STS (RP-STS). (For the purpose of this document, Microsoft Web Services federation terminology is used.) Note: This document provides a sample configuration and applications for the IP-STS use case. Increasingly, Ping Identity customers are deploying PingFederate in conjunction with Microsoft federation technologies. To ensure successful deployment of these technologies, Ping Identity is providing this document to demonstrate the most common interoperability scenario (IP-STS) via configuration examples and sample applications. Most scenarios resemble the diagram below but are becoming more complex as federation technologies mature. Sequence 1. The.NET WIF client sends a request-security-token (RST) message to the PingFederate STS containing a WS-Security Username Token. Ping Identity Page 3

2. PingFederate STS validates the WS-Security Username Token using a token processor instance and issues a SAML token with holder-of-key (HoK) confirmation method contained in a requestsecurity-token-response (RSTR) message. 3. The.NET WIF client sends a SOAP request to the.net WIF Web Service with the issued SAML token to be used for authentication by the service. 4. The.NET WIF Web Service validates the issued SAML token and fulfills the Web Service request. Preparation These sections provide detailed requirements for PingFederate and Windows components needed for integration, as well as information needed to run the sample applications. PingFederate Server Prerequisites The samples used in this document require a PingFederate server with additional components and configuration applied, as listed below: Note: Some of these settings will render the PingFederate server temporarily unreachable for other purposes and thus should not be carried out on a production or other in-use instance of the server. Be sure to restore previous settings after completing this demonstration, or create a configuration archive in advance if needed to restore all settings. PingFederate 6.5-PREVIEW or higher Username Token Translator version 1.1 or higher The Translator plug-in is available from the Downloads page at pingidentity.com. Note: For PingFederate 7.2 or higher, Username Token Processor is part of the product and does not require a separate download or installation. Imported Key Pair and Certificate for digital signature and digital signature verification, see Key Pair and Certificate on page 5. Use of an SSL Certificate for the PingFederate runtime port that is trusted by the Microsoft Windows Workstation. For purposes of this document, DN of the SSL Certificate should be CN=pfsts.contoso.com. PingFederate must be configured in Server Settings (on the Federation Info screen) with a Base URL of http://pfsts.contoso.com:9031. Ping Identity Page 4

Microsoft Windows Workstation Prerequisites The samples used in this document require a Microsoft Windows workstation with the following software installed and configured: Microsoft Windows 7 Professional or higher Microsoft Visual Studio 2010 Professional or higher Microsoft Windows Identity Foundation runtime (release 3/22/2010 KB974405) Microsoft Windows Identity Foundation SDK (release 12/15/2010 for Microsoft.NET Framework 4.0 ) Internet Information Services (IIS) 6.1 or higher with DefaultAppPool available Dynamic XSD generation by the WCF Service Application requires write access to %SYSTEMROOT%\Temp. Grant sufficient privileges to this directory to the <IIS AppPool\DefaultAppPool> IIS user. Create a record for the PingFederate server in %SYSTEMROOT%\System32\drivers\etc\hosts. For the purpose of this document, designate the PingFederate server hostname as pfsts.contoso.com. Sample Application Prerequisites Key Pair and Certificate A self-signed key pair with DN CN=localhost is required to use the sample application. Note: If such a key pair already exists on the Microsoft Windows development workstation, skip this section. To create the key pair: 1. Use the following command from the Visual Studio 2010 Command Prompt. Note: The makecert.exe example imports the created certificate into the LocalMachine\Personal certificate store. Since this is a privileged operation, run the Visual Ping Identity Page 5

Studio 2010 Command Prompt as Administrator and disable User Account Control (UAC) to prevent interference with privileged operations run from a command line. 2. Grant Full Control of the CN=localhost private key to the <IIS AppPool\DefaultAppPool> via the Certificates Snap-In for Microsoft Management Console (MMC). 3. Import the public certificate into the Trusted Root Certification Authorities. The following command window shows both commands: Ping Identity Page 6

The first command, certutil -store, displays the key pair details and saves the public certificate to file localhost.crt in the current directory. Note: Ensure that the file is accessible to the PingFederate server for importing later. The second command, certutil -addstore, imports the certificate into the necessary store to create a valid certificate path for the newly created self-signed key pair. The public certificate is also used later when configuring a connection via the PingFederate administrative console. 4. Use certutil to export the public/private key pair to a file named localhost.pfx for later import into PingFederate, as shown here: Ping Identity Page 7

PingFederate Configuration Configure PingFederate to include a WS-Trust SP Connection (see Configuring SP Connections for STS in the PingFederate Administrator s Manual). Use the following steps to create the connection. Note: It is assumed that PingFederate System Settings are configured, including using an SSL certificate trusted by the Microsoft Windows development workstation. To configure PingFederate: 1. Import the localhost.pfx file into the Digital Signing and Decryption Keys and Certificates store. 2. Create a Username Token Processor instance with processing scheme User Table with Password and add a single row with username joe and password 2Federate. (For detailed instructions, see the User Guide for the Username Token Processor.) 3. Follow the configuration steps for a new WS-Trust SP Connection, including the following settings: a. On the Connection Type screen, select WS-Trust STS using SAML 2.0 as the Default Token Type. b. On the General Info screen, enter the following: Partner Entity ID: http://localhost/wcfservice Virtual Server ID: http://localhost/sts c. On the Protocol Settings screen under WS-Trust STS: Partner Service ID: http://localhost/wcfservice Select the checkbox Generate Key for SAML Holder of Key Subject Confirmation Method d. On the Attribute Contract screen under Token Creation, extend the attribute contract with an attribute named: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name e. On the Attribute Contract Fulfillment screen: Map the attribute defined above using Token as the Source and username as the Value. Map the SAML subject in the same way, using the username attribute from the Token. f. Under Credentials: On the Digital Signature Settings screen, select the certificate defined earlier with CN=localhost and select the checkbox to include the certificate in the signature <KeyInfo> element. Ping Identity Page 8

On the Select XML Encryption Certificate screen, click Manage Certificates to import the public certificate localhost.crt and then select it as the encryption certificate. g. Save and activate the connection. Using PingFederate as an IP-STS via Metadata Follow these steps to create a WCF Web Service client that uses PingFederate as an IP STS. Step 1 Create Visual Studio Projects This exercise consists of creating a Visual C# WCF Service Application and a Visual C# client Console Application with STS configuration conducted via metadata available from PingFederate. Begin by creating a new Solution via Visual Studio with the two application projects (see Figure 1). Ensure the client Console Application is set as the StartUp Project. Figure 1 - Initial Visual Studio solution and project setup Step 2 Publish the WCF Service Application and Verify Deployment Publish the WCF Service Application to the local IIS instance and ensure the service is available by testing the availability of the Web application via a Web browser. Publishing can be accomplished in a variety of ways; Web Deploy is used for the example shown in Figure 2. Simply retrieving the service URL in a browser will render a page indicating a successful deployment, as shown in Figure 3. Ping Identity Page 9

Figure 2 - Publishing the WCF Service Application Ping Identity Page 10

Figure 3 WCF Service Application Information Page Step 3 Add an STS Reference to the WCF Service Application Add an STS reference to the WCF Service Application. Leave the default value for the Application configuration location. For the application URI use http://localhost/wcfservice. Select the radio button to specify the use of an existing STS as shown in Figure 4. For the STS WS-Federation metadata document location use https://pfsts.contoso.com:9031/pf/wstrust_sts_metadata.ping?partnerspid=http://localhost/wcfservice. Figure 4 - Add STS Reference Continue through the configuration wizard and enable encryption specifying CN=localhost as the encryption certificate. For the rest of the configuration, leave default options selected. At the end a dialog box is displayed stating Federation Utility completed successfully. Re-publish the WCFService to the local IIS instance. Ping Identity Page 11

Step 4 Add a Service Reference to the Client Console Application Specify the URL to the WCF Service Application endpoint using value http://localhost/wcfservice/service1.svc, as shown in Figure 5. Click Go and then Ok to add the Service Reference. The result of this operation is the insertion of the WCF binding descriptors in the App.config of the client Console Application, needed for accessing the WCF Service Application and the respective STS. Figure 5 - Add Service Reference Step 5 Invoke the WCF Service Application from the Client Console Application Add the following lines of code to the Program.cs file of the client Console Application within the main() method. ServiceReference1.Service1Client client = new ServiceReference1.Service1Client(); client.clientcredentials.username.username = "joe"; client.clientcredentials.username.password = "2Federate"; System.Console.WriteLine(client.GetData(10)); Ping Identity Page 12

Step 6 Modify the WCF Service Application to use IClaimsPrincipal Add a reference to the WCFService for Microsoft.IdentityModel (see Figure 6). Figure 6 - Add Reference to WCF Service Application Add the following statements to the top of Service1.svc.cs file. using Microsoft.IdentityModel.Claims; using System.Threading; Replace the implementation of the GetData(int value) method in the Service1.svc.cs file with the following code. IClaimsPrincipal icp = Thread.CurrentPrincipal as IClaimsPrincipal; return string.format("{0} entered: {1}", icp.identity.name, value); Re-publish the WCF Service Application. Step 7 Start the Client Console Application Start the client Console Application via the menu option Debug -> Start Without Debug Ping Identity Page 13

See the PingFederate command window or the server log for processing information. Trace Logging If any exceptions or errors occur during the runtime of the sample application, it is helpful to enable trace logging to obtain more details about the fault details. To enable trace logging, add the following XML directives to the App.config of the respective component of the sample application. For the WCF Service Application, add the path C:\Windows\Temp to the initializedata attribute value. <system.diagnostics> <sources> <source name="microsoft.identitymodel" switchvalue="verbose"> <listeners> <add name="xml" type="system.diagnostics.xmlwritertracelistener" initializedata="wiftrace.svclog" /> </listeners> </source> <source name="system.servicemodel" switchvalue="information, ActivityTracing" propagateactivity="true"> <listeners> <add name="sdt" type="system.diagnostics.xmlwritertracelistener" initializedata= "WCFTrace.svclog" /> </listeners> </source> </sources> <trace autoflush="true" /> </system.diagnostics> The trace logging XML directives create two files. If no path is specified as part of the initializedata attribute value, the files are located in the current directory of the executable. These files are associated with the Microsoft Service Trace Viewer. For more details about trace logging, see the MSDN article Service Trace Viewer Tool (msdn.microsoft.com/en-us/library/ms732023.aspx). Ping Identity Page 14

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information