.NET SAML Consumer Deployment Guide

    Copyright Information

    SecureAuth is a copyright of SecureAuth Corporation. SecureAuth's IdP software, appliances, and other products and solutions are copyrighted products of SecureAuth Corporation.

    Contents

    General 1
    Requirements 1
    Installation 2
    Virtual Directory Installation 2
    IDP Configuration 9
    Use Examples 15
    Update Warning 17

    General

    This document details the method for enabling SecureAuth customers to integrate the SAML Service Provider into their current Internet Information Services (IIS) environment.

    Requirements

    In order to perform this integration, you need the following components:

    + IIS Server
    + SecureAuth IDP set up in your environment or in an accessible environment
    + SAML service provider compressed file
    + Valid X509 certificate to sign the assertion
    + .NET Framework 4.5 or later

    Installation

    The SAML service provider integration process involves two steps:

    + Virtual Directory Installation
    + IDP Configuration

    Both steps are detailed in the following subsections.

    Virtual Directory Installation

    To install a virtual directory, follow this procedure:

    1. Bring up the Internet Information Services Manager.

    The IIS Manager can be started most easily by selecting Run from the Start menu, typing inetmgr and clicking OK. If the IIS Manager console does not appear, go to the Control Panel and click Programs And Features. In the left panel, click Turn Windows Features On or Off. Once the small window populates, one of the choices will be Internet Information Services. Expand this option. You will find IIS Management Console under Web Management Tools. Ensure that the IIS Management Console option is checked, then click OK.

    2. Expand the Sites object in the Connections pane to reveal the Default Web Site.

    3. Right-click the Default Web Site and select Add Application from the drop-down option list as shown in Figure 1 on page 3.


    FIGURE 1. Selecting Add Application from Default Web Site

    The Add Application dialog box appears.

    4. In the Alias field, supply a name for the site. This name becomes part of the URL that is used later.

    5. In the Application Pool field, click Select.

    The Select Application Pool dialog box appears.

    6. From the option list, select ASP.NET v4.0 as shown in Figure 2 on page 4.


    FIGURE 2. Selecting ASP.NET v4.0

    7. Select the Physical Path location by clicking the button.

    The Browse for Folder dialog box appears.

    8. Click the Make New Folder button.

    9. Enter a name for this new folder then click OK.

    A screen like Figure 3 on page 5 appears.


    FIGURE 3. Enter New Folder Name

    The Add Application dialog box reappears like Figure 4.

    FIGURE 4. Add Application Dialog Box

    10. Click OK again.

    Figure 5 on page 6 appears.


    FIGURE 5. Add Application Dialog Box

    11. Extract the contents of the SAML service provider compressed file into the directory created in Step 9 as shown in Figure 6.

    FIGURE 6. SAML Service Provider Extraction Location

    12. Return to the IIS Manager and validate that the ASP.NET v4.0 application pool has the correct identity defined so that it can read from and write to the newly-created directory.

    13. From the left pane of the IIS Manager, click to highlight the Application Pools object.

    All the available application pools appear in the main pane.

    14. Click to highlight the ASP.NET v4.0 application pool.

    15. From the right Actions pane, select Advanced Settings.

    The Advanced Settings window appears.

    16. Mouse over the Identity text field that displays the identity and click the button beside it.

    The Application Pool Identity dialog box appears.

    17. From the available options in the Built-in account window, click to highlight a valid account then click OK as shown in Figure 7.

    FIGURE 7. Highlighting a Valid Account

    18. Assign rights on the folder you created.

    a. Right-click the folder you created in Step 8 and select the Properties option.

    The folder's Properties page appears.

    b. Click the Edit button.

    The Permissions page for that folder appears.

    c. Click the Add button.

    The Select Users, Computers, Service Accounts, or Groups dialog box appears.

    d. In the bottom field, enter the name of the account selected in Step 17.

    e. Click Check Names to verify that this account name is correct then click OK.

    The Permission page is reactivated with the newly-defined permission highlighted as shown in Figure 8.

    FIGURE 8. Checking Names

    f. In the Permission box at the bottom of the screen, check the Allow box in the Modify line as shown in Figure 9 on page 9.


    FIGURE 9. Checking the Modify Allow Check Box

    g. Click Apply then click OK.

    19. Click OK again.
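    The virtual directory installation above (Steps 1 through 19), scripted as an added PowerShell example that is not SecureAuth's code, using the WebAdministration module that ships with IIS. The alias, folder, package path and pool name are assumptions. The script resolves the account that the ASP.NET v4.0 pool runs as and grants it Modify on the new folder, which is what the Allow/Modify check box in Step 18f does.

```powershell
# Added example (not SecureAuth's code): scripts the Virtual Directory
# Installation steps of the guide. All names below are assumptions.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$Alias        = 'SamlConsumer'                 # Step 4: alias, becomes the URL path
$PhysicalPath = 'C:\inetpub\SamlConsumer'      # Steps 8-9: the new folder
$AppPool      = 'ASP.NET v4.0'                 # Step 6: application pool
$PackageZip   = 'C:\Install\SamlConsumer.zip'  # the SAML service provider compressed file

# Steps 8-9: create the folder that will hold the service provider
New-Item -ItemType Directory -Path $PhysicalPath -Force | Out-Null

# Steps 3-10: add the application under the Default Web Site
New-WebApplication -Name $Alias -Site 'Default Web Site' `
    -PhysicalPath $PhysicalPath -ApplicationPool $AppPool | Out-Null

# Step 11: extract the service provider package into the new folder
Expand-Archive -Path $PackageZip -DestinationPath $PhysicalPath -Force

# Steps 12-17: work out which Windows account the pool runs as
$pool = Get-Item "IIS:\AppPools\$AppPool"
$identityType = "$($pool.processModel.identityType)"
$account = switch ($identityType) {
    'ApplicationPoolIdentity' { "IIS AppPool\$AppPool" }
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
    'SpecificUser'            { $pool.processModel.userName }
    default                   { throw "Unexpected identity type '$identityType'" }
}

# Step 18: grant Modify on the folder (and everything created inside it) to that account
$acl  = Get-Acl -Path $PhysicalPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $PhysicalPath -AclObject $acl

# Verification: show the entry that was just added for the pool account
Get-Acl -Path $PhysicalPath |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference.Value -eq $account }
```

    Run this in an elevated PowerShell session on the IIS server. Modify is the right level here because the admin console writes its settings file into this folder (Save Configuration in the IDP Configuration section); keep the grant scoped to this one directory rather than the site root.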

    IDP Configuration

    To configure an IDP:

    1. Load the newly-created site's admin console by double-clicking SamlAdmin.aspx.

    This is one of the files extracted into the site's new folder in Step 11 on page 6.

    The SecureAuth SAML Consumer page appears like Figure 10 on page 10.


    FIGURE 10. SecureAuth SAML Consumer Main Page

    2. Select IdentityProvider0 and click the Edit button.

    A screen like Figure 11 on page 11 appears.


    FIGURE 11. Edit SAML Identity Provider

    3. In the Name field, keep the existing name or edit it as required.

    4. In the Issuer field, type a valid issuer.

    5. At the Certificate field, enter the certificate serial number, or click the Get button to display a list of installed certificates as shown in Figure 12.

    FIGURE 12. Choose Certificate

    NOTE: The issuer can be any name as long as it matches the issuer configured on the Identity Provider.

    If the required certificate is not listed, import the required certificate using the Windows MMC snap-in for managing local computer certificates as shown in Figure 13.

    FIGURE 13. Importing the Required Certificate

    6. Install the certificate that was supplied by the Identity Provider owner. This should be a Base-64 encoded .cer file, such as the example Robert.cer.

    7. Return to the admin console and select the Get button next to the certificate serial number.

    The Choose Certificate screen appears like Figure 14.

    FIGURE 14. Choose Certificate Screen


    8. Click the radio button next to the certificate you just loaded into the certificate console, then click Select.

    The Edit SAML Identity Provider page appears like Figure 15.

    FIGURE 15. Edit SAML Identity Provider Page
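    Steps 5 through 8 (import the IdP owner's Base-64 .cer, then pick it by serial number), as an added PowerShell example that is not SecureAuth's code. It assumes the Local Computer Personal store (Cert:\LocalMachine\My) is the store whose contents the admin console's Get button lists, and it adds one check the guide leaves to the operator: the file's thumbprint is compared with a value obtained from the IdP owner out of band before the import, so a substituted file is rejected instead of becoming the certificate that verifies assertions. The function name, file path and thumbprint are constructed placeholders.

```powershell
# Added example (not SecureAuth's code): imports the identity provider's
# certificate and returns the serial number the Certificate field expects.
# Store location, path and thumbprint below are assumptions.
#Requires -RunAsAdministrator
function Import-IdpSigningCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CerPath,
        # Thumbprint received from the IdP owner out of band (e-mail, phone, contract)
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,
        [string] $StoreLocation = 'Cert:\LocalMachine\My'
    )

    # Inspect the file before it touches the store
    $candidate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    $expected  = ($ExpectedThumbprint -replace '[\s:]', '').ToUpperInvariant()
    if ($candidate.Thumbprint -ne $expected) {
        throw "Thumbprint of '$CerPath' ($($candidate.Thumbprint)) does not match the expected value"
    }
    if ($candidate.NotAfter -lt (Get-Date)) {
        throw "Certificate '$($candidate.Subject)' expired on $($candidate.NotAfter)"
    }

    # Step 6: install it where the Get button (Step 7) will list it
    $cert = Import-Certificate -FilePath $CerPath -CertStoreLocation $StoreLocation

    # Step 8 selects by serial number; return it together with the identifying fields
    [pscustomobject]@{
        Subject      = $cert.Subject
        SerialNumber = $cert.SerialNumber
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
    }
}

# Constructed values; replace with the file and thumbprint supplied by the IdP owner
Import-IdpSigningCertificate -CerPath 'C:\Install\Robert.cer' `
    -ExpectedThumbprint '<thumbprint from IdP owner>'
```

    The SerialNumber value the function returns is what goes into the Certificate field if you prefer typing it over using the Get button.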

    9. Enter values in the Service Provider Init section fields, as required.

    10. Click Save Configuration to update the settings file.

    The fields in the Service Provider Init section are:

    IDP Service URL
    Type the URL for the identity provider that can accept a SAML request. An example of a URL that will start a service provider-initiated request to an identity provider is:

    Relay State Parameter
    Enter a querystring parameter that can be translated into a relay state. For example, in the preceding example, the value is ReturnURL and is placed in the relay state as a parameter like this: "?ReturnUrl=https://servername/sp.aspx?ReturnURL=https://mysite/landingpage.aspx"

    Relay Root URL
    Use this field to create a fully-qualified relay state URL. This is useful if the relay state URL is located at a different site or on a different system.

    Force SSL
    Check this box for a use case in which an intermediate redirect passes from an SSL to a non-SSL URL. With this checked, the final relay state will be reformatted as an SSL URL.

    Set As Default
    Check this box to mark this identity provider as the default in the event that no identity provider is specified in the querystring.
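    The relay state handling that the Relay State Parameter, Relay Root URL and Force SSL fields describe, as an added PowerShell example that is not SecureAuth's code: it reads the named query-string parameter from the incoming service-provider URL, resolves a relative value against Relay Root URL to make it fully qualified, and rewrites the scheme to https when Force SSL is set. The function and parameter names are assumptions, and the optional host allow list is hardening the guide does not describe.

```powershell
# Added example (not SecureAuth's code): models how the Service Provider Init
# fields combine into the relay state handed to the identity provider.
function Build-RelayState {
    [CmdletBinding()]
    param(
        # The service-provider URL as requested, including its query string
        [Parameter(Mandatory)] [string] $RequestUrl,
        # "Relay State Parameter": the query-string key that carries the return URL
        [string] $RelayStateParameter = 'ReturnURL',
        # "Relay Root URL": base used when the value is not fully qualified
        [string] $RelayRootUrl = '',
        # "Force SSL": rewrite the final relay state to https
        [switch] $ForceSsl,
        # Addition beyond the guide: hosts the relay state is allowed to point at
        [string[]] $AllowedHosts = @()
    )

    $uri = [System.Uri] $RequestUrl

    # Parse the query string by hand so the function needs no extra assemblies
    $params = @{}
    foreach ($pair in $uri.Query.TrimStart('?') -split '&') {
        if (-not $pair) { continue }
        $key, $value = $pair -split '=', 2
        $params[[System.Uri]::UnescapeDataString($key)] = [System.Uri]::UnescapeDataString("$value")
    }

    # No relay state requested: the identity provider falls back to its own landing page
    if (-not $params.ContainsKey($RelayStateParameter)) { return $null }
    $relay = $params[$RelayStateParameter]

    # A relative value is resolved against Relay Root URL
    if (-not [System.Uri]::IsWellFormedUriString($relay, [System.UriKind]::Absolute)) {
        if (-not $RelayRootUrl) {
            throw "Relay state '$relay' is relative but no Relay Root URL is configured"
        }
        $relay = [System.Uri]::new([System.Uri] $RelayRootUrl, $relay).AbsoluteUri
    }
    $relayUri = [System.Uri] $relay

    # Force SSL: an intermediate redirect may have produced an http URL
    if ($ForceSsl -and $relayUri.Scheme -ne 'https') {
        $builder = [System.UriBuilder] $relayUri
        $builder.Scheme = 'https'
        $builder.Port   = -1   # drop any explicit http port so the https default applies
        $relayUri = $builder.Uri
    }

    # Allow list (addition): refuse to relay to hosts you do not expect
    if ($AllowedHosts.Count -gt 0 -and $AllowedHosts -notcontains $relayUri.Host) {
        throw "Relay state host '$($relayUri.Host)' is not in the allowed list"
    }

    return $relayUri.AbsoluteUri
}

# Constructed inputs that mirror the guide's example
Build-RelayState -RequestUrl 'https://servername/sp.aspx?ReturnURL=https://mysite/landingpage.aspx' `
    -AllowedHosts 'mysite'
Build-RelayState -RequestUrl 'https://servername/sp.aspx?ReturnURL=/landingpage.aspx' `
    -RelayRootUrl 'http://mysite/' -ForceSsl
```

    The first call passes the fully qualified value through unchanged; the second shows Relay Root URL and Force SSL working together on a relative, non-SSL value. Because the relay state is where the user lands after authentication, pinning it to known hosts (the allow list) is the check most worth keeping in a deployment.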

    11. Return to the SecureAuth SAML Consumer page and note that various settings (primarily encryption-related) for the identity providers are displayed in the Application Authentication Cookie section like Figure 16.

    FIGURE 16. Application Authentication Cookie

    12. Click the Generate Auth. Settings (for Web.Config) button and a text box appears containing a string as shown in Figure 17 on page 15.

    FIGURE 17. Web Config String Refresh

    13. Copy this string and paste it into both the service provider's web.config file and the SamlConsumer's web.config file.

    An additional modification may be required in the two web.config files. In the section, make sure the "name" attribute of the node is the same for both files:

    Use Examples

    The SecureAuth adapter will be used for the defined requirements either globally or at the specific Relying Party Trust. It will be prompted at either SP-initiated or IdP-initiated login attempts at ADFS.

    Figure 18 on page 16 provides an example of an IdP-initiated login request flow.


    FIGURE 18. IdP-Initiated Login Request Flow

    Update Warning

    The process of updating SecureAuth software to a newer version may cause the SecureAuth SAML Consumer module changes to become invalid and the adapter itself to stop working. Until this feature is included in the main product, these customizations will need to be merged into any future updates.

    Please contact [email protected] before making any updates.
