.NET SAML Consumer Deployment Guide - SecureAuth

Copyright Information

SecureAuth© is a copyright of SecureAuth Corporation. SecureAuth’s IdP software, appliances, and other products and solutions, are copyrighted products of SecureAuth Corporation.


Contents

General 1
Requirements 1
Installation 2
Virtual Directory Installation 2
IDP Configuration 9
Use Examples 15
Update Warning 17


General

This document details the method for enabling SecureAuth customers to integrate the SAML Service Provider into their current Internet Information Services (IIS) environment.

Requirements

In order to perform this integration, you need the following components:

+ IIS Server

+ SecureAuth IDP setup in your environment or an accessible environment

+ SAML service provider compressed file

+ Valid X509 certificate to sign the assertion

+ .Net Framework 4.5 or later


Installation

The SAML service provider integration process involves two steps:

+ Virtual Directory Installation

+ IDP Configuration

Both steps are detailed in the following subsections.

Virtual Directory Installation

To install a virtual directory, follow this procedure:

1. Bring up the Internet Information Services Manager.

The IIS manager can be started most easily by selecting Run from the Start menu, then typing inetmgr and clicking OK.

If the IIS manager console does not appear, go to the Control Panel and click Programs And Features. In the left panel, click Turn Windows Features On or Off. Once the small window populates, one of the choices will be Internet Information Services. Expand this option. You will find IIS Management Console under Web Management Tools. Ensure that the IIS Management Console option is checked, then click OK.

2. Expand the Sites object in the Connections pane to reveal the Default Web Site.

3. Right-click the Default Web Site and select Add Application from the drop-down option list as shown in Figure 1 on page 3.


FIGURE 1. Selecting Add Application from Default Web Site

The Add Application dialog box appears.

4. In the Alias field, supply a name for the site. This will be the URL that will be used later.

5. From the Application Pool field, click Select…

The Select Application Pool dialog box appears.

6. From the option list, select ASP.NET v4.0 as shown in Figure 2 on page 4.


FIGURE 2. Selecting ASP.NET v4.0

7. Select the Physical Path location by clicking the button.

The Browse for Folder dialog box appears.

8. Click the Make New Folder button.

9. Enter a name for this new folder then click OK.

A screen like Figure 3 on page 5 appears.


FIGURE 3. Enter New Folder Name

The Add Application dialog box reappears like Figure 4.

FIGURE 4. Add Application Dialog Box

10. Click OK again.

Figure 5 on page 6 appears.


FIGURE 5. Add Application Dialog Box

11. Extract the contents of the SAML service provider compressed file into the directory created in Step 9 as shown in Figure 6.

FIGURE 6. SAML Service Provider Extraction Location

12. Return to the IIS Manager and validate that the ASP.NET v4.0 application pool has the correct identity defined so that it can read from or write to the newly-created directory.

13. From the left pane of the IIS Manager, click to highlight the Application Pools object.

All the available application pools appear in the main pane.

14. Click to highlight the ASP.NET v4.0 application pool.

15. From the right Actions pane, select Advanced Settings…

The Advanced Settings window appears.

16. Mouse-over the Identity text field that displays the identity.

The Application Pool Identity dialog box appears.

17. From the available options in the Built-in account window, click to highlight a valid account then click OK as shown in Figure 7.

FIGURE 7. Highlighting a Valid Account

18. Define the rights to the assigned folder you created.

a. Right-click the folder you created in Step 8 and select the Properties option.

The folder’s properties page appears.

b. Click the Edit button.

The Permissions page for that folder appears.

c. Click the Add button.

The Select Users, Computers, Service Accounts, or Groups dialog box appears.

d. In the bottom field, enter the account name for this folder.

e. Click Check Names to verify that this account name is correct then click OK.

The Permission page is reactivated with the newly-defined permission highlighted as shown in Figure 8.

FIGURE 8. Checking Names

f. In the Permission box at the bottom of the screen, check the Allow box in the Modify line as shown in Figure 9 on page 9.


FIGURE 9. Checking the Modify Allow Check Box

g. Click Apply then click OK.

19. Click OK again.

IDP Configuration

To configure an IDP:

1. Load the newly-created site’s admin console by double-clicking SamlAdmin.aspx.

This is one of the files extracted into the site’s new folder in Step 11 on page 6.

The SecureAuth SAML Consumer page appears like Figure 10 on page 10.


FIGURE 10. SecureAuth SAML Consumer Main Page

2. Select IdentityProvider0 and click the Edit button.

A screen like Figure 11 on page 11 appears.


FIGURE 11. Edit SAML Identity Provider

3. Leave the Name field as it is, or edit it as required.

4. In the Issuer field, type a valid issuer.

5. At the Certificate field, enter the certificate serial number, or click the Get button to display a list of installed certificates as shown in Figure 12.

FIGURE 12. Choose Certificate

NOTE: This valid issuer can be any name as long as it matches what is typed into the issuer of the Identity Provider.


If the required certificate is not listed, import the required certificate using the Windows MMC snap-in for managing local computer certificates as shown in Figure 13.

FIGURE 13. Importing the Required Certificate

6. Install the certificate that was supplied by the Identity Provider Owner. This should be a base-64 cer file, such as the example Robert.cer.

7. Return to the admin console and select the Get button next to the certificate serial number.

The Choose Certificate screen appears like Figure 14.

FIGURE 14. Choose Certificate Screen


8. Click the radio button next to the certificate you just loaded into the certificate console, then click Select.

The Edit SAML Identity Provider page appears like Figure 15.

FIGURE 15. Edit SAML Identity Provider Page

9. Enter values in the Service Provider Init section fields, as required.

10. Click Save Configuration to update the settings file.

IDP Service URL: Type the URL for the identity provider that can accept a SAML request. An example of a URL that will start a service provider-initiated request to an identity provider is: http://192.168.137.110/SecureAuth/SP.aspx?sso=http://192.168.137.110/SecureAuth/UserRequest-Page.aspx

Relay State Parameter: Enter a querystring parameter that can be translated into a relay state. For example, in the preceding example, the value is ReturnURL and it is placed in the relay state as a parameter like this: "?ReturnUrl=https://servername/sp.aspx?ReturnURL=https://mysite/landingpage.aspx"

Relay Root URL: Use this field to create a fully-qualified relay state URL. This is useful if the relay state URL is located at a different site or on a different system.

Force SSL: Check this box for a use case in which an intermediate redirect passes from an SSL to a non-SSL URL. With this checked, the final relay state will be reformatted as an SSL URL.

Set As Default: Check this box to mark this identity provider as the default in the event that no identity provider is specified in the querystring.
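As an added illustration (not code from the SecureAuth product or this guide), the following Python models how these fields combine when a request reaches the consumer: the Set As Default fallback when no idpkey is in the querystring, the Relay State Parameter lookup, the Relay Root URL prefix for relative values, and the Force SSL rewrite. The provider names, sample values and the allowed_hosts allow-list are assumptions made for the example.

```python
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed identity-provider settings mirroring the admin console fields
# (assumed values, not from a real deployment).
PROVIDERS = {
    "IdentityProvider0": {"relay_state_parameter": "ReturnURL", "relay_root_url": "https://mysite",
                          "force_ssl": True, "set_as_default": True},
    "IdentityProvider1": {"relay_state_parameter": "RelayState", "relay_root_url": None,
                          "force_ssl": False, "set_as_default": False},
}

def parse_query(query: str) -> dict:
    """Parse a raw querystring; the first value of each key wins. parse_qs splits
    each pair on the first '=' only, so a nested URL value such as
    ReturnURL=https://host/sp.aspx?ReturnURL=... survives intact."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

def select_idp(params: dict, providers: dict = PROVIDERS, idp_param: str = "idpkey"):
    """Return the provider named by the idpkey parameter (as in the guide's loginUrl),
    or the one marked Set As Default when the key is absent or unknown."""
    key = params.get(idp_param)
    if key in providers:
        return key
    return next((n for n, c in providers.items() if c["set_as_default"]), None)

def build_relay_state(params: dict, cfg: dict, allowed_hosts=None):
    """Resolve the final relay state URL from the configured querystring parameter:
    relay_root_url is prefixed when the value is not absolute, force_ssl rewrites an
    http:// result to https://, and allowed_hosts is an added defensive allow-list
    (not in the guide) that rejects any other destination by returning None."""
    raw = params.get(cfg["relay_state_parameter"])
    if not raw:
        return None
    if cfg.get("relay_root_url") and not urlsplit(raw).scheme:
        raw = cfg["relay_root_url"].rstrip("/") + "/" + raw.lstrip("/")
    parts = urlsplit(raw)
    if cfg.get("force_ssl") and parts.scheme == "http":
        parts = parts._replace(scheme="https")
    if allowed_hosts is not None and parts.hostname not in allowed_hosts:
        return None
    return urlunsplit(parts)

if __name__ == "__main__":
    q = parse_query("idpkey=IdentityProvider0&ReturnURL=http://mysite/landingpage.aspx")
    idp = select_idp(q)
    print(idp, build_relay_state(q, PROVIDERS[idp], allowed_hosts={"mysite"}))
```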


11. Return to the SecureAuth SAML Consumer page and note that various settings (primarily encryption-related) for the identity providers are displayed in the Application Authentication Cookie section like Figure 16.

FIGURE 16. Application Authentication Cookie

12. Click the Generate Auth. Settings (for Web.Config) button and a text box appears containing a string as shown in Figure 17 on page 15.


FIGURE 17. Web Config String Refresh

13. Copy this string and paste it into both the service provider's web.config file and the SamlConsumer's web.config file.

An additional modification may be required in the two web.config files. In the <authentication> section, make sure the "name" attribute of the <forms> node is the same for both files:

    <authentication mode="Forms">
      <forms name="FormsAuth1" loginUrl="https://vm-oc1-d0622.sadev.local/samlconsumer/sp.aspx?idpkey=IdentityProvider0" requireSSL="false"/>
    </authentication>
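An added check, not part of the guide or the product, that parses both web.config files and reports when the <forms> name differs as the step above requires; it also flags requireSSL="false", since with that setting the forms cookie may be sent over plain HTTP. The file contents and hostnames below are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments for the two sites (assumed hostnames and
# names, not from a real deployment). The consumer's forms name deliberately
# differs so the check has something to report.
SP_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="FormsAuth1" loginUrl="https://sp.example.test/samlconsumer/sp.aspx?idpkey=IdentityProvider0"
             requireSSL="false"/>
    </authentication>
  </system.web>
</configuration>"""

CONSUMER_WEB_CONFIG = SP_WEB_CONFIG.replace('name="FormsAuth1"', 'name="FormsAuth2"') \
                                   .replace('requireSSL="false"', 'requireSSL="true"')

def forms_settings(config_xml: str) -> dict:
    """Return the <authentication>/<forms> attributes that must agree between
    the service provider and SamlConsumer web.config files."""
    root = ET.fromstring(config_xml)
    auth = next(root.iter("authentication"), None)
    forms = auth.find("forms") if auth is not None else None
    return {
        "mode": auth.get("mode") if auth is not None else None,
        "name": forms.get("name") if forms is not None else None,
        "loginUrl": forms.get("loginUrl") if forms is not None else None,
        "requireSSL": (forms.get("requireSSL", "false") if forms is not None else "false").lower(),
    }

def check_auth_consistency(sp_xml: str, consumer_xml: str) -> list:
    """Report the mismatch the guide says to avoid, plus an SSL caveat: with
    requireSSL="false" the forms cookie may also be sent over plain HTTP."""
    sp, sc = forms_settings(sp_xml), forms_settings(consumer_xml)
    findings = []
    for label, s in (("service provider", sp), ("SamlConsumer", sc)):
        if s["mode"] != "Forms":
            findings.append(f"{label}: authentication mode is {s['mode']!r}, expected 'Forms'")
        if s["requireSSL"] != "true":
            findings.append(f"{label}: requireSSL is not true; the forms cookie may travel over HTTP")
        if s["loginUrl"] and not s["loginUrl"].lower().startswith("https://"):
            findings.append(f"{label}: loginUrl is not https")
    if sp["name"] != sc["name"]:
        findings.append(f"forms name differs: {sp['name']!r} vs {sc['name']!r}")
    return findings
```

On a real deployment, read the two files from disk and pass their text to check_auth_consistency; an empty list means the forms settings agree.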

Use Examples

The SecureAuth adapter will be used for the defined requirements either globally or at the specific Per Relying Party Trust. It is invoked on both SP-initiated and IdP-initiated login attempts at ADFS.

Figure 18 on page 16 provides an example of an IdP-initiated login request flow.


FIGURE 18. IdP-Initiated Login Request Flow


Update Warning

The process of updating SecureAuth software to a newer version may cause the SecureAuth SAML Consumer module changes to become invalid and the adapter itself to stop working. Until this feature is included in the main product, these customizations will need to be merged into any future updates.

Please contact [email protected] before making any updates.
