
DigitalPersona®

Altus SAML SSO Portal

Implementation Guide

Altus SAML SSO Portal - Implementation Guide


Copyright© 2016 Crossmatch. All rights reserved. Specifications are subject to change without prior notice. The Crossmatch logo and Crossmatch® are trademarks or registered trademarks of Cross Match Technologies, Inc. in the United States and other countries. DigitalPersona® is a registered trademark of DigitalPersona, Inc., which is owned by the parent company of Cross Match Technologies, Inc. All other brand and product names are trademarks or registered trademarks of their respective owners.

Published: May 12, 2016 (v2.0.0)


Contents

SOLUTION OVERVIEW 5
  Introduction 5
  Network configuration 7
    Altus AD 7
    Altus LDS 8
  Conceptual Overview 9
  Prerequisites 9
  Planning and preparation 9
    Plan network architecture 9
    Prepare DNS resource records 10
      Using DNS Manager 10
      Using the command line 11
    Create a root key 11
    Obtain or create SSL certificates 11

SSL CERTIFICATE USE 12
  Overview 12
  Windows Certification Authority role (optional) 12
    Installing the Certification Authority role 12
    Configuring Active Directory Certificate Services (AD CS) 12
    Creating an SSL certificate 13
  Exporting a certificate 14
  Importing a certificate 14
  Binding a certificate to a website 14

AD FS INSTALLATION & CONFIGURATION 16
  Installing the AD FS server role 16
  Configuring Active Directory Federation Services (AD FS) 16
  Noting required identifiers 17
  Connecting to the Altus Secure Token Service (STS) 17

ALTUS SERVER INSTALLATION 18
  Altus AD Server 18
  Altus LDS 18

ALTUS WEB ADMINISTRATION CONSOLE 20
  Configuration of the Altus Web Admin Console 20
  Create an Altus Web Administrative Console Relying Party Trust 20

WEB SERVER (IIS) SETUP 27

ALTUS WORKSTATION 29
  Installation 29

ALTUS WEB SERVER COMPONENTS 30
  Installation 30
  Confirm that the web service is running 30

ALTUS STS INSTALLATION 31
  Prerequisites 31
  Configuration of STS 33
  XML configuration of STS authentication credentials 36

ALTUS SSO PORTAL 38
  Overview 38
  Prerequisites 38
  Installing the SSO Portal 40
  Configuring the SSO Portal 42
    Identity.config 42
    Federation.config 43
    Portal.config 43
  Configuring the Relying Party Trust 43
  Portal verification 44
  Troubleshooting 45
    IIS Manager 45
    Portal installation 45
    ADFS 45

WEB APPLICATION PROXY 46
  Overview 46
  Prerequisites 46
  Installing the WAP role service 46
  Configuring WAP 47

INDEX 49


1 Solution Overview

THIS CHAPTER PROVIDES A HIGH-LEVEL OVERVIEW OF HOW TO IMPLEMENT THE ALTUS SAML SSO PORTAL.

Introduction

The Altus SAML SSO Portal component provides Single Sign-on to claims-aware applications across organizational boundaries, through integration with Microsoft’s Active Directory Federation Services (AD FS), a Windows Server Role.

Altus and the Altus SAML SSO Portal extend SSO to the full range of credentials supported by the Altus solution, as well as providing administrators with easy configuration and management of multi-factor authentication for logon to Windows, network and web resources.

Federated identification to claims-aware applications is provided through the integration of AD FS and the Altus Secure Token Service (STS). AD FS supports the federation and token-issuance protocols SAML, WS-Federation and WS-Trust, which issue SAML tokens, as well as OAuth, which issues JSON Web Tokens (JWT).

The Altus SSO Portal can provide a central access point, or home page, for launching selected claims-aware applications on the enterprise intranet or the public internet/cloud.

Additionally, the AD FS Proxy or Web Application Proxy and the (optional) Altus NPS Plugin for RADIUS VPN can allow authorized users to access specified interior applications and network resources from outside the firewall using multi-factor authentication. The Altus NPS Plugin for RADIUS VPN is described in the Administrator Guide for your specific Altus AD or LDS Solution.

In this Implementation Guide, we provide instructions for setting up a sample AD FS environment with either Altus AD or Altus LDS, and integrating it with the following Altus components. The page number after each component is where this guide covers it.

Altus AD Solution (machines & components)

DC1: Windows Server 2008 R2 or above (Domain Controller)
- Certificate Authority (optional), page 12
- AD FS Role, page 16
- Altus AD Server, page 18

Machine1: Windows Server 2008 R2 or above
- Web Server (IIS), page 27
- Altus AD Workstation, page 29
- Altus Web server components, page 30
- Altus Secure Token Service (STS), page 31
- Altus SSO Portal, page 38

dmz1: Windows Server 2008 R2 or above (optional)
- Web Application Proxy (optional), page 46


These tables show the minimum recommended configuration for implementing enterprise-level Altus federated identification, together with optional components such as the Altus Web Administration Console that extend Altus functionality. The Microsoft Web Application Proxy may be included in the environment to support access from outside the firewall.

Altus LDS Solution (machines & components)

DC1: Windows Server 2008 R2 or above (Domain Controller)
- Certificate Authority (optional), page 12
- AD FS Role, page 16

Machine1: Windows Server 2008 R2 or above
- Altus LDS Server, page 18
- Altus Web Administration Console (optional), page 20
- Web Server (IIS), page 27
- Altus Web server components, page 30
- Altus Secure Token Service (STS), page 31
- Altus SSO Portal, page 38

dmz1: Windows Server 2008 R2 or above (optional)
- Web Application Proxy (optional), page 46

Network configuration

We will use the following network configuration for our sample environments.

Altus AD

In our Altus AD sample domain, the domain name is MyDomain.com. If you plan on accessing AD FS from outside the domain, for instance through the Microsoft Web Application Proxy, the domain name must sit under a public top-level domain (such as .com or .net) so that its names can be resolved and certified publicly; a suffix such as .local cannot be.

The domain controller machine name is DC1, and the second machine is named Machine1. They are both Windows Server 2008 R2 or above servers.

DC1 will have the following Windows roles and Altus components

• AD FS role

• Certificate Authority role - Optional, and is only required if you are generating your own SSL certificates (as we will be doing in the sample environment described in this guide) and not using certificates generated from an external CA.

• Altus AD Server

Machine1 will have the following Windows roles and Altus components

• Web Server (IIS) role

• Altus AD Workstation

• Altus Web server components

• Altus Secure Token Service (STS)

• Altus SSO Portal

dmz1

• The Microsoft Web Application Proxy is a Remote Access role service available in Windows Server 2012 R2 or above. It may optionally be installed in a DMZ (demilitarized zone) to support access to the SSO Portal from public networks. A similar feature, the Federation Service Proxy role, is available in Windows Server 2008 R2 and Windows Server 2012.

Altus LDS

In our Altus LDS sample domain, the domain name is MyDomain.com. If you plan on accessing AD FS from outside the domain, for instance through the Microsoft Web Application Proxy, the domain name must sit under a public top-level domain (such as .com or .net) so that its names can be resolved and certified publicly; a suffix such as .local cannot be.

The domain controller machine name is DC1, and the second machine is named Machine1. They are both Windows 2008 R2 or above servers.

DC1 will have the following Windows roles and Altus components

• AD FS role

• Certificate Authority role - Optional, and is only required if you are generating your own SSL certificates (as we will be doing in the sample environment described in this guide) and not using certificates generated from an external CA.

Machine1 will have the following Windows roles and Altus components

• Active Directory Lightweight Directory Service (AD LDS) role

• Altus LDS Server

• Web Server (IIS) role

• Altus Web server components

• Altus Secure Token Service (STS)

• Altus SSO Portal

dmz1

• The Microsoft Web Application Proxy is a Remote Access role service available in Windows Server 2012 R2 or above. It may optionally be installed in a DMZ (demilitarized zone) to support access to the SSO Portal from public networks. A similar feature, the Federation Service Proxy role, is available in Windows Server 2008 R2 and Windows Server 2012.

Note that references to procedures, UI elements and images in this guide are always made to the current version of the Altus product unless another version is specifically mentioned. References to Microsoft Windows Server are to Windows Server 2012 R2 unless otherwise noted.

Conceptual Overview

The figure below shows a high-level conceptual overview of the relationships between Windows Active Directory Federated Service (AD FS), the Altus Secure Token Service (STS), the Altus Web Administration Console and additional required Altus components.

Prerequisites

There are two prerequisites that need to be present in the network prior to beginning the initial installations and configuration of the AD FS-integrated Altus SSO environment.

• An Active Directory (AD) domain has been created and configured.

• Optional: either the Active Directory Certificate Services (AD CS) role has been added to the domain (for an intranet-only setup), or a public CA is available (for publicly accessible services).

Planning and preparation

This section covers four aspects of planning and preparation necessary before beginning installation and configuration.

• Plan network architecture

• Prepare DNS resource records

• Issue SSL certificates

• Create a root key

Plan network architecture

Plan your network architecture, considering your potential needs for AD FS and the AD FS Proxy or the Web Application Proxy hosting, using these guidelines.

• AD FS may be hosted on any Windows Server machine in the domain.

• Large networks (or networks likely to grow substantially) - host AD FS separately from the Domain Controller (DC) and consider a Federation Farm.

• Small networks - It is possible to host AD FS on the domain controller in order to save on the purchase of server licenses.


• Public networks - You should avoid exposing AD FS to public networks. Plan on installing AD FS Proxy or Web Application Proxy (WAP) on a perimeter network.

For additional in-depth information on planning your AD FS deployment, see:

https://msdn.microsoft.com/en-us/library/azure/dn151324.aspx

Prepare DNS resource records

Prepare DNS resource records for your chosen deployment structure. On the domain controller, create DNS aliases (CNAME) for each of the following functions used in your environment.

• adfs - Active Directory Federation Services (AD FS); this is the federation service name clients and relying parties will use

• portal - Altus SAML SSO Portal

• web - Web Server (IIS)

• www - dmz1 (Web Application Proxy)

• enterpriseregistration - If the AD FS Device Registration Service (DRS) will be used to register mobile devices, then also add a resource record for it.

Using DNS Manager

1 From the Server Manager, select Tools then DNS to open the DNS Manager.

2 Expand the Forward Lookup Zones node, right-click MyDomain.com and select New Alias (CNAME)....


3 Using the New Resource Record dialog, create aliases for each function listed above. Your names may vary.

4 After creating the records, open a command prompt and type ipconfig /flushdns to clear and refresh the DNS Resolver cache.

Using the command line

For example, using dc1.MyDomain.com as the domain controller host, Machine1.MyDomain.com to host the remainder of the necessary Altus SSO functions, and dmz1.MyDomain.com as the publicly accessible host, you might create these DNS resource records. Note that dnscmd expects the zone name before the record name.

• dnscmd /recordadd MyDomain.com adfs CNAME dc1.MyDomain.com

• dnscmd /recordadd MyDomain.com web CNAME <Machine1Name>.MyDomain.com

• dnscmd /recordadd MyDomain.com portal CNAME <Machine1Name>.MyDomain.com

• dnscmd /recordadd MyDomain.com www CNAME dmz1.MyDomain.com

If the Device Registration Service (DRS) will be used to register mobile devices, also add a DNS record for it:

• dnscmd /recordadd MyDomain.com enterpriseregistration CNAME adfs.MyDomain.com

After creating the records, open a command prompt and type ipconfig /flushdns to clear the DNS resolver cache.
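The same records created with the DnsServer PowerShell module, as an added example that is not part of the Altus guide. It assumes the guide's sample names (zone MyDomain.com; hosts dc1, Machine1 and dmz1) and must run on the DNS server or on a host with the DNS RSAT tools. After creating the aliases it resolves each one and warns when the CNAME target has no address record, which is the usual reason an AD FS or portal name exists in DNS but does not work.

```powershell
# Added example (not from the Altus guide): create the sample CNAME records and verify them.
# Assumed sample values: zone MyDomain.com, AD FS on dc1, IIS/portal on machine1, WAP on dmz1.
$zone = 'MyDomain.com'
$aliases = [ordered]@{
    adfs                   = "dc1.$zone"       # AD FS federation service name
    web                    = "machine1.$zone"  # Web Server (IIS)
    portal                 = "machine1.$zone"  # Altus SAML SSO Portal
    www                    = "dmz1.$zone"      # Web Application Proxy in the DMZ
    enterpriseregistration = "adfs.$zone"      # only needed if Device Registration Service is used
}

foreach ($name in $aliases.Keys) {
    $existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $name -RRType CName -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "CNAME $name.$zone already exists -> $($existing.RecordData.HostNameAlias)"
        continue
    }
    Add-DnsServerResourceRecordCName -ZoneName $zone -Name $name -HostNameAlias $aliases[$name]
    Write-Host "Created CNAME $name.$zone -> $($aliases[$name])"
}

Clear-DnsClientCache   # same effect as ipconfig /flushdns on this host

# Verification: each alias must chase through the CNAME to an A record.
foreach ($name in $aliases.Keys) {
    $answers = Resolve-DnsName -Name "$name.$zone" -Type A -ErrorAction SilentlyContinue
    $a = $answers | Where-Object { $_.Type -eq 'A' }
    if (-not $a) {
        Write-Warning "$name.$zone does not resolve to an address; check the host (A) record for $($aliases[$name])"
    } else {
        Write-Host ("{0}.{1} -> {2}" -f $name, $zone, ($a.IPAddress -join ', '))
    }
}
```

In a split-DNS deployment only the name the Web Application Proxy publishes (www in this design) belongs in the external zone; adfs, web and portal should stay resolvable only inside the domain, which is the boundary the proxy exists to enforce.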

Create a root key

If setting up an AD FS farm, create a root key for the Key Distribution Service (KDS), which is required for the group Managed Service Account the farm runs under. Run the following PowerShell cmdlet on a domain controller.

Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

Backdating EffectiveTime by ten hours makes the key usable immediately and is appropriate for a single-DC test domain. In a forest with several domain controllers, use Add-KdsRootKey -EffectiveImmediately instead and wait the ten hours the cmdlet then enforces, so that the key has replicated to every DC before the farm is configured.

Obtain or create SSL certificates

SSL Certificates can be obtained from a commercial global Certificate Authority, or through the Windows Server Certificate Authority.

Note that an SSL certificate from the Domain Certificate Authority or a Global CA is highly recommended. Use of a self-signed certificate will cause invalid certificate warnings and may have additional unanticipated effects.

See the following chapter for instructions on creating an SSL certificate through the Windows Server Certificate Authority, as well as procedures for exporting, importing and binding the certificate.

2 SSL Certificate use

THIS CHAPTER DESCRIBES THE OPTIONAL INSTALLATION AND USE OF THE WINDOWS CERTIFICATION AUTHORITY ROLE, WHICH CAN BE USED TO CREATE AN SSL CERTIFICATE FOR USE IN THE ALTUS SAML SSO PORTAL ENVIRONMENT.

Overview

If you will only be using your Altus and AD FS environment for computers that belong to the same Active Directory domain, you can use a wildcard certificate issued by your Domain Certificate Authority. A wildcard certificate such as *.MyDomain.com is valid for any single-label host name directly under that domain (adfs.MyDomain.com, portal.MyDomain.com), but not for the bare domain name or for deeper names such as host.sub.MyDomain.com.

Whichever option you choose, the certificate's Subject or one of its Subject Alternative Names must match the federation service name you will give AD FS (adfs.MyDomain.com in the sample environment, which resolves by CNAME to the AD FS host), as well as every other name clients will connect to (portal, web and www).

Other options are:

• Create individual certificates for each domain name.

• Create a SAN certificate for a limited set of domain names, added as Subject Alternative Names (SANs).

Windows Certification Authority role (optional)

Installation of the Certification Authority role is not required if you are planning on importing the required certificate(s) from an external global CA.

When planning to use a certificate issued by this server’s CA, the SSL certificates to be used must be created prior to configuring AD FS in the next section.

Note that the name and domain settings of this computer cannot be changed after a certificate authority (CA) has been installed. If you want to change the computer name, join a domain, or promote the server to a domain controller, complete these changes before installing the CA.

We will also be using a GPO to distribute the wildcard certificate to any additional computer(s) in our sample domain.

Installing the Certification Authority role

1 Open Server Manager, click Add roles and features, click Next.

2 On the Select installation type page, select Role-based or feature-based installation, click Next.

3 On the Select destination server page, click Next.

4 On the Select server roles page, select Active Directory Certificate Services. In the Add features dialog, click Add features. Then click Next.

5 On the Select features page, click Next. Then click Next on the following page.

6 On the Select Role Services page, choose Certification Authority. Click Next.

7 On the Confirm installation selections page, review your installation selections and then click Install.

Configuring Active Directory Certificate Services (AD CS)

Once the Certification Authority role has been successfully installed, the final page of the wizard will show a link Configure Active Directory Certificate Services on the destination computer. Click the link to configure AD CS.

1 On the Credentials page, ensure that the named user is a member of the Enterprise Admins group. If not, click Change to enter the necessary credentials.

2 On the Role Services page, select Certification Authority. Click Next.

3 On the Setup Type page, click Enterprise. Click Next.


4 On the CA Type page, click Root CA. Click Next.

5 On the Private Key page, click Create a new private key. Click Next.

6 On the Cryptography for CA page, use the default cryptographic provider, RSA#Microsoft Software Key Storage Provider, and a key length of 2048. Select SHA256 as the hash algorithm; SHA1-signed certificates are rejected by current browsers. Click Next.

7 On the CA Name page, you will generally want to accept the given defaults. Click Next.

8 On the Validity Period page, accept the default validity period for the certificate of 5 years, or change it if necessary. Click Next.

9 On the CA Database page, accept the default locations unless you want to specify a custom location for the certificate database and certificate database log. Click Next.

10 On the Confirmation page, review all of the configuration settings that you have selected. If you want to accept all of these options, click Configure and wait until the configuration process has finished. Then click Close.
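The role installation and AD CS configuration above, scripted with the ServerManager and ADCSDeployment cmdlets, as an added example that is not part of the Altus guide. It makes the same choices as the wizard (Enterprise Root CA, software KSP, 2048-bit RSA, SHA-256, five-year validity), then reads the CA's own certificate back out of the machine store and checks that those choices took effect. It must run as an Enterprise Admin on DC1.

```powershell
# Added example (not from the Altus guide): install and configure the Enterprise Root CA,
# then verify the CA certificate matches the intended algorithm, key length and lifetime.
Install-WindowsFeature -Name AD-Certificate -IncludeManagementTools | Out-Null

Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -Force | Out-Null

# The CA's own certificate is self-signed, carries BasicConstraints CA=true and is
# placed in the machine Personal store. Filter on both so other self-signed
# certificates (for example a WMSvc certificate) are not picked up by mistake.
$caCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -eq $_.Issuer -and
    ($_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and $_.CertificateAuthority
    })
} | Sort-Object NotBefore -Descending | Select-Object -First 1

if (-not $caCert) { throw 'CA certificate not found in Cert:\LocalMachine\My; did configuration fail?' }

$checks = @(
    @{ Name = 'signature algorithm is sha256RSA'; Ok = ($caCert.SignatureAlgorithm.FriendlyName -eq 'sha256RSA') }
    @{ Name = 'RSA key is 2048 bits';            Ok = ($caCert.PublicKey.Key.KeySize -eq 2048) }
    @{ Name = 'validity is about five years';    Ok = (($caCert.NotAfter - $caCert.NotBefore).TotalDays -ge 1800) }
)
foreach ($c in $checks) {
    if ($c.Ok) { Write-Host "OK    $($c.Name)" } else { Write-Warning "FAIL  $($c.Name)" }
}
Write-Host "CA certificate: $($caCert.Subject) thumbprint $($caCert.Thumbprint)"
```

Because this is an enterprise CA, domain members pick up the root through Active Directory at their next Group Policy refresh; running certutil -pulse on a client triggers that refresh immediately if you need to test sooner.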

Creating an SSL certificate

Adding a Web Server certificate template

1 From the Tools menu, select Certification Authority.

2 In the Certification Authority (certsrv) window, expand the server node and right-click on Certificate Templates. Then select Manage.

3 In the Certificates Templates Console, middle panel, scroll down and right-click on Web Server, then select Properties.

4 On the Security tab of the Web Server Properties dialog, select Authenticated Users and check the box that grants Enroll permission to Authenticated Users. Click OK, then close the Certificate Templates Console.

Because the Web Server template lets the requester supply the subject name, this permission allows any domain account to obtain a server certificate for any host name in the domain. That is acceptable for the sample environment; in a production domain, grant Enroll only to the computer accounts (DC1 and Machine1) or to an administrative group that needs it, and remove the permission once the certificates have been issued.

Requesting a Web Server certificate

For our sample SAML SSO Portal environment, we will be using a wildcard certificate.

1 Open the local computer certificate store (certlm.msc). You can do so by searching from the desktop for Manage Computer Certificates.

2 Expand the Personal node to show the Certificates node. Right-click the Certificates node and select All Tasks > Request New Certificate. Then click Next.

3 On the Select Certificate Enrollment Policy page, click Next.

4 On the Request Certificates page, on the Web Server row, click Details. Then click Properties.

5 In the Certificate Properties dialog, on the Subject tab, select Common Name from the Type drop-down list and in the Value field enter an asterisk (*) followed by the name of your sample domain. For our scenario, we will use *.MyDomain.com; substitute *.<yourDemoDomainName.com>, where yourDemoDomainName is the name of your test or demo domain. Then click Add.

Reminder: If you plan on accessing AD FS from outside the domain, for instance through the Microsoft Web Application Proxy, the domain name must sit under a public top-level domain (such as .com or .net).

6 In the same dialog, add the same value under Alternative name:

Type: DNS Value: *.MyDomain.com or *.<yourDomainName.com>

Browsers validate the host name against the Subject Alternative Name rather than the Common Name, so this entry is required even though it repeats the Common Name value.

7 On the General tab, enter a Friendly Name for the certificate, such as *.MyDomain.com SSL or *.<yourDemoDomainName.com> SSL.

8 On the Private Key tab, expand Key options and check Make private key exportable. This is needed only because the sample environment copies one wildcard certificate to several machines; a certificate that will live on a single host should be enrolled without it.

9 Click OK. The dialog will close and the Request Certificates page will redisplay.

10 Ensure that Web Server is selected, then click Enroll. The Certificate Installation Results page displays. If STATUS is Succeeded, the certificate has been enrolled and installed on the computer. Click Finish.

Exporting a certificate

We will export the wildcard certificate created on our domain controller in the previous procedure, and then import it on any other machines in our sample domain. If you are using a certificate from a commercial vendor, this step is not necessary. Keep in mind that every machine holding a copy of the wildcard private key can present a valid certificate for every name under the domain, so limit the number of copies and protect the exported .pfx file (and delete it once imported).

1 Open the local computer certificate store (certlm.msc). You can do so by searching from the desktop for Manage Computer Certificates.

2 Expand the Personal node to show the Certificates node. Select the Certificates node.

3 Right-click the certificate you want to export and select All Tasks>Export ... to launch the Certificate Export Wizard. Then click Next.

4 On the Export Private Key page, select Yes, export the private key. Then click Next.

5 On the Export File Format page, select Personal Information Exchange - PKCS #12 (PFX) and check the option to Include all certificates in the certification path if possible.

6 On the Security page, select Group or user names so that the private key is protected to a Windows principal rather than a password. For our sample environment, you can accept the default of Administrator. Then click Next.

7 On the File to Export page, specify a name and location for the file to be exported. We will use MyWildcardCert.pfx and save it to a location that you can access from Machine1.

8 On the final page of the wizard, after a successful export of the certificate, click Finish.

Importing a certificate

1 Copy the certificate file created in the previous step (or one obtained commercially) to Machine1.

2 Double-click the certificate file to launch the Certificate Import Wizard.

3 On the first page of the wizard, select Local Machine as the Store Location and click Next.

4 On the File to Import page, accept the default and click Next.

5 On the Private key protection page, select the option to Include all extended properties. Leave Mark this key as exportable unchecked unless the key must later be exported from Machine1; a non-exportable key raises the bar for an attacker who gains access to the web server.

6 On the Certificate Store page, select the option to Place all certificates in the following store. Click Browse to select a certificate store and choose Personal. Then click Next.

7 On the final page of the wizard, click Finish. When the import has concluded successfully, click OK to close the message box.

Binding a certificate to a website

1 From the Server Manager, Tools menu, select Internet Information Services (IIS) Manager.

2 In IIS Manager, expand the elements in the Connection panel.

3 Under Sites, right-click on Default Web Site and select Edit Bindings.

4 In the Site Bindings windows, click Add.


5 In the Add Site Binding window, select https from the Type dropdown list.

6 Accept the defaults for IP Address and Port, unless you know that different values should be used in your environment.

7 If using the wildcard certificate imported in the previous procedure, select that certificate from the SSL certificate dropdown list. If it is not in the dropdown list, click Select and choose it from the list that displays. Then you should be able to choose it from the refreshed dropdown list.
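The request, export, import and binding procedures above, scripted end to end, as an added example that is not part of the Altus guide. It assumes the template name WebServer (display name Web Server), the sample domain MyDomain.com, and an export path of C:\Temp\MyWildcardCert.pfx; the first half runs on DC1, the second on Machine1 after the file has been copied. It finishes with the checks a practitioner wants before pointing AD FS or the portal at the site: that port 443 really serves the imported certificate, that the private key is present, and that the Subject Alternative Name covers every host name clients will use.

```powershell
# Added example (not from the Altus guide). Assumed: template WebServer, domain MyDomain.com,
# export file C:\Temp\MyWildcardCert.pfx, IIS site 'Default Web Site' on Machine1.
$domain = 'MyDomain.com'
$pfx    = 'C:\Temp\MyWildcardCert.pfx'

# --- On DC1 (or any domain member with Enroll permission on the template) -------
# Export later requires an exportable key; the built-in Web Server template allows it.
$result = Get-Certificate -Template WebServer `
                          -SubjectName "CN=*.$domain" `
                          -DnsName "*.$domain" `
                          -CertStoreLocation Cert:\LocalMachine\My
if ($result.Status -ne 'Issued') { throw "Enrollment did not complete: $($result.Status)" }
$cert = $result.Certificate

# Protect the PFX to a Windows principal (the wizard's 'Group or user names' option)
# and include the issuing chain, as the export wizard steps do.
Export-PfxCertificate -Cert $cert -FilePath $pfx `
                      -ProtectTo "$env:USERDOMAIN\Administrator" -ChainOption BuildChain | Out-Null

# --- On Machine1, after copying the PFX ----------------------------------------
Import-Module WebAdministration
# No -Exportable switch: the key cannot be exported again from this host.
$imported = Import-PfxCertificate -FilePath $pfx -CertStoreLocation Cert:\LocalMachine\My

if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -IPAddress '*'
}
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $imported -Force | Out-Null

# --- Checks ---------------------------------------------------------------------
$binding = Get-Item 'IIS:\SslBindings\0.0.0.0!443'
if ($binding.Thumbprint -ne $imported.Thumbprint) { throw 'Port 443 is not bound to the imported certificate' }
if (-not $imported.HasPrivateKey)                 { throw 'Imported certificate has no private key' }

# Every name clients will use must be covered by the SAN, not just the Common Name.
$san = $imported.DnsNameList.Unicode
foreach ($n in "adfs.$domain", "portal.$domain", "web.$domain") {
    $covered = $san | Where-Object { $_ -eq $n -or ($_.StartsWith('*.') -and $n -like $_) }
    if (-not $covered) { Write-Warning "Certificate SAN does not cover $n" }
    else               { Write-Host "OK  $n is covered by SAN entry '$covered'" }
}
Remove-Item $pfx -Force   # the exported private key should not linger on disk
```

When AD FS is later configured on DC1 it also needs this certificate in its own LocalMachine\My store; since the certificate was enrolled there, no import is required on the domain controller itself.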

3 AD FS installation & configuration

THIS CHAPTER DESCRIBES THE INSTALLATION AND CONFIGURATION OF THE WINDOWS ACTIVE DIRECTORY FEDERATED SERVICES (AD FS) ROLE, A REQUIRED COMPONENT OF THE ALTUS SAML SSO PORTAL SOLUTION.

In our sample environment, in order to conserve resources and simplify initial understanding of the Altus SAML SSO Portal solution, the AD FS role is added to our sample domain controller. For production environments, Microsoft recommends installing AD FS on a separate physical machine, and not on the Domain Controller.

An SSL certificate will be required during configuration of AD FS. See SSL Certificate use on page 12 for further details.

Installing the AD FS server role

To install the AD FS server role via the Add roles and features wizard

1 Open Server Manager. To do this, click Server Manager on the Start screen, or Server Manager in the taskbar on the desktop. In the Quick Start tab of the Welcome tile on the Dashboard page, click Add roles and features. Alternatively, you can click Add Roles and Features on the Manage menu.

2 On the Before you begin page, click Next.

3 On the Select installation type page, click Role-based or Feature-based installation, and click Next.

4 On the Select destination server page, click Select a server from the server pool, verify that the target computer is highlighted, and then click Next.

5 On the Select server roles page, click Active Directory Federation Services, and then click Next.

6 On the Select features page, click Next. The required prerequisites are pre-selected for you. You do not need to select any other features.

7 On the Active Directory Federation Service (AD FS) page, click Next.

8 After you verify the information on the Confirm installation selections page, click Install.

9 On the Installation progress page, verify that everything installed correctly.

Configuring Active Directory Federation Services (AD FS)

1 Once the AD FS role has been successfully installed, the final page of the wizard will display a link, Configure the federation service on this server. Click the link to configure AD FS.

2 On the Welcome page, accept the default option to Create the first federation server. Note that there is a link to a webpage where you can review the prerequisites for installing AD FS.

3 On the Connect to Active Directory Domain Services page, ensure that the specified account has domain administrator permissions, or use Change to supply new credentials.

4 On the Specify Service Properties page, select your SSL certificate from the dropdown list. You can accept the default for the Federation Service Name and enter AD FS for the Federation Service Display Name.

5 On the Specify Service Account page, select the second option to Use an existing domain user account ...

You can ignore the warning about the KDS Root Key unless you are setting up an AD FS farm. Doing so is beyond the scope of this chapter.

6 On the Specify Configuration Database page, select the first option to Create a database on this server ...

7 On the Review Options page, ensure that your selections are correct and click Next.

Note the View script button that will open a generated PowerShell script in Notepad. You can use this script to automate additional installations.

8 On the Pre-requisites Checks page, ensure that there are no errors and then click Configure.

9 On the Results page, view any displayed results. Then click Close.
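Both wizards above (the Add Roles and Features wizard and the AD FS configuration wizard) have PowerShell equivalents, and the script that the View script button generates is built around the same Install-AdfsFarm cmdlet. The block below is an added example, not the guide's own script and not the wizard-generated one; it assumes the federation service name adfs.MyDomain.com, a wildcard certificate for *.MyDomain.com already in the Local Machine Personal store, and a domain user account for the service. Because no -Credential is supplied, the cmdlet runs as the logged-on user, who must be a domain administrator, which matches step 3.

```powershell
# Added example: install the AD FS role and create the first federation server unattended.
# Assumed values: $fsName, the certificate selection pattern and the service account prompted for below.
Import-Module ServerManager
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools | Out-Null

$fsName = 'adfs.MyDomain.com'   # assumed; must be covered by the SSL certificate's subject or SAN

# Choose the newest valid certificate in LocalMachine\My that has a private key and covers the service name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.Subject -like "CN=$fsName*" -or $_.Subject -like 'CN=*.MyDomain.com*')
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $fsName in Cert:\LocalMachine\My" }

# Step 5: an existing domain user account for the federation service (not a group managed service account).
$svcCred = Get-Credential -Message 'Domain service account for AD FS (MyDomain\user)'

Import-Module ADFS
# Step 6's default, "Create a database on this server", is the Windows Internal Database; it is what
# Install-AdfsFarm uses when no SQL connection string is given.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $fsName `
    -FederationServiceDisplayName 'AD FS' `
    -ServiceAccountCredential $svcCred `
    -OverwriteConfiguration

# Confirm the service came up with the expected name and identifier.
Get-AdfsProperties | Select-Object HostName, Identifier, DisplayName
```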

Noting required identifiers

There are a few items of information from AD FS that you will need later on in the setup of the Altus SAML SSO Portal solution.

• Federation Service identifier

• Federation Service WS-Federation token issuance URL

• Federation Metadata URL

These can be found through the AD FS Management application on the AD FS server (click Start, Administrative Tools, AD FS Management). Note the following parameters from AD FS.

To view the Federation Service identifier

1 In the AD FS Management application, select the Service node.

2 In the Actions pane on the right, click Edit Federation Service Properties….

3 The Federation Service identifier is shown on the General tab of the Federation Service Properties dialog, in the third text box, labeled Federation Service Identifier.

To view the Federation Service WS-Federation token issuance URL

1 In the AD FS Management application, select the Service\Endpoints node.

2 Scroll down to the endpoint that has SAML 2.0/WS-Federation as the type, and note the URL path.

To view the Federation Metadata URL

1 In the AD FS Management application, select the Service\Endpoints node.

2 Scroll down to the endpoint that has Federation Metadata as the type, and note the URL path.
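The three values above can also be read with the ADFS PowerShell module on the AD FS server, which avoids copying them from dialog boxes by hand (a mistyped identifier is a common cause of the case-sensitive mismatch warned about later in the STS configuration). This is an added example, not part of the guide; it assumes only the ADFS module that the role installs.

```powershell
# Added example: collect the Federation Service identifier and the two endpoint URLs in one object.
Import-Module ADFS

$props = Get-AdfsProperties
$endpoints = Get-AdfsEndpoint

# Get-AdfsEndpoint reports each endpoint's protocol name exactly as the console's "Type" column shows it.
$wsfed = $endpoints | Where-Object { $_.Protocol -eq 'SAML 2.0/WS-Federation' } | Select-Object -First 1
$meta  = $endpoints | Where-Object { $_.Protocol -eq 'Federation Metadata' }    | Select-Object -First 1

if (-not $wsfed)        { throw 'No SAML 2.0/WS-Federation endpoint found.' }
if (-not $wsfed.Enabled) { Write-Warning 'The WS-Federation endpoint exists but is disabled; STS sign-in will fail.' }
if (-not $meta)         { throw 'No Federation Metadata endpoint found.' }

$required = [pscustomobject]@{
    FederationServiceIdentifier  = $props.Identifier.AbsoluteUri   # exact case matters for the STS wizard
    WsFederationTokenIssuanceUrl = $wsfed.FullUrl.AbsoluteUri
    FederationMetadataUrl        = $meta.FullUrl.AbsoluteUri
}
$required

# Keep a copy for the later STS and SSO Portal configuration steps (assumed path).
$required | Export-Clixml -Path "$env:USERPROFILE\Documents\adfs-identifiers.xml"
```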

Connecting to the Altus Secure Token Service (STS)

After the Altus Secure Token Service has been installed (see Altus STS Installation on page 31), run the generated AltusSTS.ps1 PowerShell script on the AD FS host machine. This will enable the AD FS Server to locate STS.

4 Altus Server installation

THIS CHAPTER PROVIDES A HIGH-LEVEL OVERVIEW OF THE ALTUS AD SERVER AND ALTUS LDS SERVER COMPONENTS REQUIRED FOR IMPLEMENTATION OF THE ALTUS SAML SSO PORTAL.

The Altus SAML SSO Portal requires the presence of an Altus Server in the domain. This can be either an Altus AD or Altus LDS Server.

A brief outline of installation steps for each Altus Server is shown below. For detailed instructions, including system requirements, prerequisites and compatibility constraints, see the Altus AD or Altus LDS Administrator’s Guide.

Altus AD Server

Use Altus AD Server if extending the Active Directory schema is permissible.

Full installation instructions and screenshots can be found in the Altus AD Administrator Guide. However, the basic high-level steps are shown below.

Altus LDS

Use Altus LDS if extending the Active Directory schema is not an option. Altus LDS uses Active Directory Lightweight Directory Service as a data repository and works with Active Directory without needing to extend the schema.

Full installation instructions and screenshots can be found in the Altus LDS Administrator Guide. However, the basic high-level steps are shown below.

Procedure (Altus AD Server)

1 Altus AD Server must be installed on your sample environment’s domain controller. Ensure that the Active Directory Domain Services role has been added to Windows Server and properly configured and tested.

2 Run the Altus Schema Extension Wizard by launching DPSchemaExt.exe from the Schema Extension folder of your Altus AD Server product package. This extends the Active Directory schema to include attributes and classes used by DigitalPersona Altus AD Server. AD Schema Administrator rights are required.

You can view the details of the changes that will be made to the schema by opening the file dp-schema.ldif, located in the same folder.

3 Configure each domain on which DigitalPersona Altus Server will be installed by running DPDomainConfig.exe (located in the folder "AD Domain Configuration" in the product package). AD Domain Administrator rights are required.

4 Install the DigitalPersona Altus AD Server software. Note that this will set firewall rules necessary for the operation of DigitalPersona software.

5 Install the DigitalPersona Altus AD Administration Tools. This is necessary for licensing the Altus AD Server.

6 Activate your Altus AD Server license.

Procedure (Altus LDS Server)

1 The Altus LDS Server should not be installed on the domain controller. In our sample environment, Altus LDS Server is installed on the Machine1 computer.

2 Add the Active Directory Lightweight Directory Services (AD LDS) role to Windows Server.

3 Install and set up a unique instance of AD LDS using the Active Directory Lightweight Services Setup Wizard. Configure the AD LDS Service by running the DigitalPersona Altus AD LDS Configuration Wizard.

4 Install the Altus LDS Server by running Setup.exe, located in the Altus Server folder in your Altus LDS product package. For our sample environment, we will use a Custom setup type and select the Web Administration Console feature. Do not select the Security Token Service feature, as we will be using a separate standalone STS Server installer package instead.

5 At the end of the Altus LDS Server installation, the Web Admin Console Configuration Wizard will launch automatically. For details on the wizard and additional configuration of the required Relying Party Trust and Claims Rules, see the chapter Altus Web Administration Console beginning on page 20.

6 Install the DigitalPersona Altus LDS Administration Tools. (Optional, but recommended.)

7 Activate your Altus LDS Server license.

8 Launch the Microsoft Authorization Manager and define the authorization store name.

5 Altus Web Administration Console

THIS CHAPTER DESCRIBES CONFIGURING THE ALTUS WEB ADMINISTRATION CONSOLE, AN OPTIONAL WEB-BASED COMPONENT OF THE ALTUS LDS SERVER USED TO ADMINISTER ALTUS LDS USERS AND POLICIES.

The Altus Web Administration Console is an optional feature of the Altus LDS Server, and is not compatible with, and cannot be used with the Altus AD Server.

It is therefore not a required component of the Altus SAML SSO Portal, but as a SAML token-aware application it can be integrated with the SSO Portal in an Altus LDS environment, and it serves as an example of how to set up a SAML token-aware application for access through the SSO Portal.

If the Altus Web Administration Console functionality is desired, without integration with AD FS and the SAML SSO Portal, a single-machine installation of the Altus Web Admin Console can be configured during the installation of the Altus LDS Server, as a custom feature, described in chapter 2 of the Altus LDS Administrator Guide, Altus LDS Server Installation & Setup. This will install the Altus LDS Server, a special version of Altus STS, and the Altus Administration Console on the same machine.

Configuration of the Altus Web Admin Console

At the end of the Altus LDS Server installation with the Altus Admin Console feature selected, the Web Admin Console Configuration Wizard will launch automatically.

In the wizard, note the following two parameters for the Web UI component.

• Relying Party identifier (aka realm). Note that both the Web UI and Web API should use the same Id.

• The URL of the component (aka reply URL).

You will need these parameters during the configuration of AD FS, as described on page 16.

The Altus LDS Server installation automatically assigns the following URLs to the Web UI and Web API components:

• Web UI - https://<hostname>/dpadminui

• Web API - https://<hostname>/dpadminapi

Create an Altus Web Administrative Console Relying Party Trust

The following procedure adds and configures a Relying Party for the Altus Web Administration console.

1 Open the AD FS Management application on the AD FS server. (Click Start, Administrative Tools, AD FS Management.)

2 Click Trust Relationships/Relying Party Trusts. In the Action pane on the right, click Add Relying Party Trust… to launch the Add Relying Party Trust Wizard.

3 Click Start.

4 On the Select Data Source page, select the option Enter data about the relying party manually and click Next.

5 On the Specify Display Name page, enter the Display name of the relying party and any optional notes. Then click Next.

6 On the Choose Profile page, select AD FS Profile.

7 On the Configure Certificate page, simply click Next.

8 On the Configure URL page, select Enable support for the WS-Federation Passive protocol and enter the URL noted during Configuration of the Altus Web Admin Console on page 20 and click Next.

9 On the Configure Identifiers page, enter the identifier of the relying party noted during Configuration of the Altus Web Admin Console on page 20 and then click Add. Click Next.

10 On any additional pages, accept the defaults until the Finish page is displayed.

11 On the Finish page, select the option to Open the Edit Claim Rules dialog for this relying party trust when the wizard closes.

12 Click Close.

13 The Edit Claim Rules dialog displays.

14 From the Edit Claim Rules dialog, configure the claims that should be added to the SAML token for the Administrative Console. As a minimum, we need the Name and Role claims. Since these claims are already issued by the Altus STS claims provider, we just need to pass them through. To do that, on the Issuance Transform Rules tab, click Add Rule… to display the Add Transform Claim Rule Wizard.

15 On the Select Rule Template page, select the Pass Through or Filter an Incoming Claim template and click Next.

16 On the Configure Rule page, enter the desired name of the Rule, select the claim type (Name in the above illustration), and accept the default Pass through all claim values selection. Then click Finish to return to the Edit Claim Rules dialog.

17 Repeat steps 14 through 16 for the following additional claims required for Altus Web Administration.

• Role

• https://www.crossmatch.com/altus/claims/operation

• UPN
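Steps 1 through 17 create one Relying Party Trust with four pass-through issuance rules and the wizard's default "permit all users" authorization rule. The script below does the same with the ADFS module and is an added example, not the guide's own procedure; it assumes the Web UI identifier and reply URL noted from the Web Admin Console wizard (here https://machine1.MyDomain.com/dpadminui for both) and uses the standard AD FS claim type URIs for Name, Role and UPN. The fourth claim type is the one listed above. Pass-through rules expose exactly the listed claims to the console and nothing else, which is the least-privilege choice when the application only needs these four.

```powershell
# Added example: create the relying party trust for the Altus Web Administration Console with pass-through rules.
# Assumed values: $realm and $replyUrl (taken from the Web Admin Console Configuration Wizard in your environment).
Import-Module ADFS

$trustName = 'Altus Web Administration Console'
$realm     = 'https://machine1.MyDomain.com/dpadminui'   # Relying Party identifier ("realm"), assumed
$replyUrl  = 'https://machine1.MyDomain.com/dpadminui'   # reply URL for WS-Federation passive, assumed

# Claims to pass through unchanged from the Altus STS claims provider (wizard template:
# "Pass Through or Filter an Incoming Claim", default "Pass through all claim values").
$claimTypes = [ordered]@{
    'Pass through Name'            = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
    'Pass through Role'            = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
    'Pass through Altus operation' = 'https://www.crossmatch.com/altus/claims/operation'
    'Pass through UPN'             = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
}

# Render the rule set in the AD FS claim rule language, one rule per claim type.
$ruleText = foreach ($ruleName in $claimTypes.Keys) {
@"
@RuleTemplate = "PassThroughClaims"
@RuleName = "$ruleName"
c:[Type == "$($claimTypes[$ruleName])"]
 => issue(claim = c);
"@
}
$issuanceRules = $ruleText -join "`n"

# The wizard page we accepted the default on: permit all authenticated users to receive a token.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (Get-AdfsRelyingPartyTrust -Name $trustName) { throw "A trust named '$trustName' already exists." }

Add-AdfsRelyingPartyTrust -Name $trustName `
    -Identifier $realm `
    -WSFedEndpoint $replyUrl `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authzRules

# Verify: the trust exists, is enabled, and carries exactly four pass-through rules.
$trust = Get-AdfsRelyingPartyTrust -Name $trustName
$ruleCount = ([regex]::Matches($trust.IssuanceTransformRules, '@RuleTemplate = "PassThroughClaims"')).Count
if ($ruleCount -ne $claimTypes.Count) { throw "Expected $($claimTypes.Count) pass-through rules, found $ruleCount." }
$trust | Select-Object Name, Enabled, Identifier, WSFedEndpoint
```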

6 Web server (IIS) setup

THIS CHAPTER DESCRIBES ADDING THE WINDOWS WEB SERVER (IIS) ROLE AND ADDITIONAL REQUIRED WEB SERVER FEATURES.

The Windows Web Server role is a required component of the Altus SAML SSO Portal solution. During the installation of the Altus Web server components, additional features will also be added to the Web Server to support Altus functionality.

In our sample installation, the Web Server role is added to Machine1.

To add the Web Server role

1 In Server Manager, select Dashboard, and click Add roles and features.

2 In the Add Roles and Features Wizard, on the Before You Begin page, click Next.

3 On the Select Installation Type page, select Role-based or Feature-based Installation and click Next.

4 On the Select Destination Server page, select Select a server from the server pool, select your server, and click Next.

5 On the Select Server Roles page, select Web Server (IIS), and then click Next.

6 On the Select Features page, select the following features:

• .NET Framework 3.5 Features

• HTTP Activation (click Add Features when prompted to add the features that are required for HTTP Activation)

• .NET Framework 4.5 Features

• WCF Services\HTTP Activation (click Add Features when prompted to add the features that are required for HTTP Activation)

• Group Policy Management

7 Click Next.

8 On the Web Server Role (IIS) page, click Next.

9 On the Select Role Services page, note the preselected role services that are installed by default, and then click Next.

10 On the Confirm Installation Selections page, you will need to specify an alternate source path for the .NET 3.5 features, since they are not installed as part of a typical Windows Server installation. Near the bottom of the page, click Specify an alternate source path and then enter the path to the side-by-side (SxS) store. See the image below for further details. Then click OK and Install.

11 On the Installation Progress page, confirm that your installation of the Web Server (IIS) role and required role services completed successfully, and then click Close.

12 To verify that IIS installed successfully, type the following into a web browser:

http://localhost

13 You should see the default IIS Welcome page.
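The same role and feature set can be installed unattended, which is useful when the portal, STS and web components are rolled out to more than one machine. This is an added example and not part of the guide; it assumes the Windows Server installation media is mounted as D: so that the SxS store for .NET Framework 3.5 is D:\sources\sxs (the "alternate source path" of step 10). The feature names are the Install-WindowsFeature names that correspond to the wizard entries listed in step 6.

```powershell
# Added example: install Web Server (IIS) plus the features from step 6, then verify like steps 12 and 13.
# Assumed value: $sxsSource, the side-by-side store on the installation media.
Import-Module ServerManager
$sxsSource = 'D:\sources\sxs'   # assumed

$features = @(
    'Web-Server',                 # Web Server (IIS) with its default role services
    'NET-Framework-Core',         # .NET Framework 3.5 Features (needs -Source)
    'NET-HTTP-Activation',        # HTTP Activation for .NET Framework 3.5
    'NET-Framework-45-Core',      # .NET Framework 4.5 Features
    'NET-WCF-HTTP-Activation45',  # WCF Services\HTTP Activation for .NET Framework 4.5
    'GPMC'                        # Group Policy Management
)

$result = Install-WindowsFeature -Name $features -IncludeManagementTools -Source $sxsSource
if (-not $result.Success) { throw "Feature installation failed with exit code $($result.ExitCode)." }
if ($result.RestartNeeded -ne 'No') { Write-Warning 'A restart is required before the features are fully usable.' }

# Report anything that was requested but did not end up installed.
$missing = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($missing) { throw "Not installed: $($missing.Name -join ', ')" }

# Steps 12 and 13: the default IIS welcome page should answer on http://localhost.
$resp = Invoke-WebRequest -Uri 'http://localhost' -UseBasicParsing
if ($resp.StatusCode -ne 200) { throw "IIS answered with HTTP $($resp.StatusCode)." }
"IIS is serving on localhost: HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes"
```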

7 Altus Workstation

THIS CHAPTER PROVIDES A BRIEF OVERVIEW OF THE ALTUS WORKSTATION INSTALLATION, A COMPONENT THAT MAY BE REQUIRED IN YOUR ALTUS SAML SSO PORTAL SOLUTION, DEPENDING ON HOW YOUR ENVIRONMENT IS CONFIGURED.

Altus AD

In our Altus AD sample environment, the Altus AD Workstation is required as part of the Altus SAML SSO Portal solution when used in an Altus AD environment. This application includes underlying components that are necessary for the solution and need to be installed on Machine1.

Altus LDS

If the SAML SSO Portal is installed on a different machine than the Altus LDS Server, then the Altus LDS Workstation will need to be installed on the SAML SSO Portal machine.

Installation

To add the Altus AD or LDS Workstation

1 From the Altus AD or Altus LDS Workstation folder in your Altus product package, launch the DigitalPersona Altus AD or LDS Workstation installation wizard by running setup.exe.

2 Follow the onscreen prompts and select a Typical installation.

3 Full details and screenshots are provided in the Administrator Guide for your Altus AD or Altus LDS solution.

8 Altus Web server components

THIS CHAPTER DESCRIBES THE INSTALLATION OF THE ALTUS WEB SERVER COMPONENTS.

The Altus web server components (aka Altus Confirm) and a supported web browser are required as part of the Altus SAML SSO Portal solution. In our sample environment, they should be installed on Machine1, regardless of whether you are using Altus AD Server or Altus LDS Server.

Google Chrome for Windows is the recommended web browser. Internet Explorer and Firefox are also supported, but the user experience may be less than optimum.

Installation

To add the Altus web server components

1 From the Altus Authentication SDK, launch the DigitalPersona Altus Confirm installation wizard by running setup.exe.

2 Follow the onscreen instructions. You will be prompted to reboot during the installation, and the wizard will continue after the computer restarts. Upon completion, click Finish to close the wizard.

Confirm that the web service is running

In order to confirm that the DP Web Authentication Service is running

• On the computer where the Altus Web service components were installed, enter the following string (where <computer-name or alias> is the name of this computer or its alias) in your browser address bar.

https://<computer-name or alias>/DPWebAUTH/DPWebAuthService.svc

Examples:

https://Machine1.MyDomain.com/DPWebAUTH/DPWebAuthService.svc

https://web.MyDomain.com/DPWebAUTH/DPWebAuthService.svc

9 Altus STS Installation

THIS CHAPTER DESCRIBES THE INSTALLATION OF ALTUS SECURE TOKEN SERVICE, A REQUIRED COMPONENT OF THE ALTUS SAML SSO PORTAL SOLUTION.

Prerequisites

• A valid SSL certificate with a private key imported into the "LocalMachine\Personal" store on the computer where Altus STS will be installed.

• The SSL certificate should have the correct Common Name and DNS name value. These should be identical.

• If creating the SSL certificate using the Windows Certification Authority, see instructions on page 12.

To install the Altus STS Server

1 In the Altus STS subfolder of your SAML SSO Portal and Password Manager Admin Tool folder, launch setup.exe.

2 On the Welcome page, click Next.

3 Accept the license agreement and click Next.

4 Click Install to begin the installation.

5 On the final page of the wizard, click Finish.

Configuration of STS

After a successful installation of STS Server, the DigitalPersona Altus STS configuration wizard will launch automatically.

1 Click Next to begin configuration.

2 Confirm that the URL is correct. Ensure that the URL matches the subject in the SSL certificate being used.

3 If the wizard is able to locate an appropriate SSL certificate, it will be selected automatically. When there are more than one, click Select Existing to choose a certificate. You can also click Import to locate and import a certificate through a .pfx file.

4 Click Next.

5 Type in the AD FS WS-Federation token issuance URL and Federation Service identifier. (See the section Noting required identifiers on page 17 for instructions on locating this information.) Note that the identifier must exactly match the identifier specified in the AD FS properties, including the character case.

6 Click Next.

7 On the Apply configuration page, verify the actions to be performed during configuration. Note (under Next steps) the name of the AD FS configuration script which will be generated during the configuration. Click Next.

8 Upon successful completion, a final page displays. Click Finish to close the wizard and open the generated AD FS configuration script in Notepad. By default, this file is created in the Documents folder of the Domain Administrator user. You can also save the Notepad file to any other desired location.

9 The script needs to be executed in PowerShell on the AD FS server (the domain controller in our sample environment, see page 16) in order to enable the AD FS Server to locate STS.

You can verify the results of the script in the AD FS Management console.

• Select AD FS Management from the Tools menu.

• Expand Trust Relationships and click on Claims Provider Trusts.

• Ensure that the Altus STS Claims Provider Trust has been added.

Also, you should be able to display the AD FS sign-on page and test its connection to STS by entering the following test URL.

https://adfs.MyDomain.com/adfs/ls/IdpInitiatedsignon
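The two checks just described (the Claims Provider Trust exists and the sign-on page loads) can be scripted on the AD FS server, together with a check the console does not surface prominently: whether the STS signing certificate recorded on the trust is still valid, since AD FS rejects STS tokens signed by an expired certificate. This is an added example, not the guide's own; it assumes the trust name created by AltusSTS.ps1 contains "Altus" and uses the sample federation service name adfs.MyDomain.com.

```powershell
# Added example: verify the Altus STS Claims Provider Trust and the AD FS sign-on page.
# Assumed values: the trust name pattern '*Altus*' and the sample host adfs.MyDomain.com.
Import-Module ADFS

$trust = Get-AdfsClaimsProviderTrust | Where-Object { $_.Name -like '*Altus*' } | Select-Object -First 1
if (-not $trust) { throw 'Altus STS Claims Provider Trust not found; run the generated script on the AD FS server.' }
$trust | Select-Object Name, Enabled, Identifier, WSFedEndpoint

if (-not $trust.Enabled) { Write-Warning "Trust '$($trust.Name)' exists but is disabled." }

# AD FS validates STS tokens against these certificates; an expired or missing one means every STS sign-in fails.
if (-not $trust.TokenSigningCertificates) { Write-Warning 'The trust has no token-signing certificate.' }
foreach ($c in $trust.TokenSigningCertificates) {
    if ($c.NotAfter -lt (Get-Date)) {
        Write-Warning "STS signing certificate $($c.Thumbprint) expired on $($c.NotAfter)."
    }
}

# The IdP-initiated sign-on page must load over HTTPS with a trusted chain; a certificate error here is
# exactly what end users would see in the browser.
$signOnUrl = 'https://adfs.MyDomain.com/adfs/ls/IdpInitiatedsignon'
$resp = Invoke-WebRequest -Uri $signOnUrl -UseBasicParsing
if ($resp.StatusCode -ne 200) { throw "Sign-on page returned HTTP $($resp.StatusCode)." }

# The page lists the available claims providers; the Altus STS entry should be among them.
if ($resp.Content -notmatch 'Altus') { Write-Warning 'Sign-on page loaded but does not list Altus STS.' }
else { "Sign-on page OK and lists Altus STS: $signOnUrl" }
```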

On the AD FS web page, click Altus STS to display the Altus Identity Server.

You can test logging into the Identity Server with any valid domain account’s username and password. For our sample environment you might use MyDomain\administrator and the administrator password. Logging in with other credentials will be available after they have been enrolled through an Altus client, such as Altus AD Workstation, Altus LDS Workstation, Altus Attended Enrollment, etc.

XML configuration of STS authentication credentials

Altus STS provides a customizable multi-factor authentication web page where specified credentials (tokens) are displayed as options that a user may authenticate with through STS.

You can access this page directly from the AD FS page (https://adfs.MyDomain.com/adfs/ls/IdpInitiatedsignon) mentioned in the last section, by clicking Altus STS.

The complete current list of supported credentials is provided in the Altus STS Web.config file. This file is normally located in the following folder: C:\inetpub\wwwroot\dpsts

Open the file in a plain text editor such as Notepad (or XML editor) and find the XML element IdServer, and within that element, find the enclosed element IdentityProvider and within that, the element Credentials.

The Credentials element contains a list of authorized credentials. You should be able to easily recognize the credentials by their DisplayName (Password, Fingerprint, etc.).

Comment out all credentials which you are not planning to use.
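Commenting out every credential the deployment will not use keeps the authentication surface of the STS page to exactly the factors you intend to support. The script below does that edit with a backup, and is an added example rather than anything shipped with Altus STS. The guide names the element path IdServer > IdentityProvider > Credentials and says each entry is recognisable by its DisplayName; beyond that the script assumes only that each child element of Credentials carries DisplayName as an attribute or as a child element, and that these elements are not in an XML namespace. The list of credentials to keep (Password and Fingerprint) is an assumed choice for the sample environment.

```powershell
# Added example: comment out every credential under IdServer/IdentityProvider/Credentials except those in $keep.
# Assumptions: DisplayName is an attribute or child element of each credential entry; no XML namespace.
$configPath = 'C:\inetpub\wwwroot\dpsts\Web.config'
$keep = @('Password', 'Fingerprint')   # assumed: the credentials this deployment offers to users

# Timestamped backup before touching the file, as the guide recommends.
$backup = "$configPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $configPath -Destination $backup

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true          # keep the file's original indentation and comments
$xml.Load($configPath)

$credentials = $xml.SelectSingleNode('//IdServer/IdentityProvider/Credentials')
if (-not $credentials) { throw "No IdServer/IdentityProvider/Credentials element found in $configPath" }

$disabled = @()
# Snapshot the children: ReplaceChild mutates the live ChildNodes collection while we iterate.
foreach ($node in @($credentials.ChildNodes)) {
    if ($node.NodeType -ne [System.Xml.XmlNodeType]::Element) { continue }   # skip comments/whitespace

    $name = $node.GetAttribute('DisplayName')                  # "" when the attribute is absent
    if ([string]::IsNullOrEmpty($name)) {
        $child = $node.SelectSingleNode('DisplayName')
        if ($child) { $name = $child.InnerText }
    }
    if ($keep -contains $name) { continue }

    # Entries we cannot name are disabled too: an unrecognised credential should never stay enabled by accident.
    # XML comments may not contain "--", so soften any occurrence inside the element text.
    $text = " disabled: $($node.OuterXml.Replace('--', '- -')) "
    [void]$credentials.ReplaceChild($xml.CreateComment($text), $node)
    $disabled += $(if ($name) { $name } else { '<unnamed>' })
}

$xml.Save($configPath)
"Backup written to: $backup"
"Still enabled:     $($keep -join ', ')"
"Commented out:     $($disabled -join ', ')"
```

After saving, reload the Altus STS page from the AD FS sign-on page and confirm that only the kept credentials are offered; restore the backup if the page fails to render.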

10 Altus SSO Portal

THIS CHAPTER DESCRIBES INSTALLING, CONFIGURING AND DEPLOYING THE ALTUS SAML SSO PORTAL COMPONENT.

Overview

The DigitalPersona Altus SAML SSO Portal is an optional Altus module that provides single sign-on to applications through the integration of Altus and Windows AD FS (Active Directory Federated Services), and the use of claims-aware tokens.

Prerequisites

The following activities and procedures should be accomplished prior to installing the Altus SSO Portal.

1 Ensure that the OS is Windows Server 2008 R2 or above and that the Microsoft Active Directory Service (AD) and Domain Name Service (DNS) roles have been added. You will need to know (or configure) the DNS domain name of the SSO portal (for example, portal.MyDomain.com).

2 Obtain and install a valid SSL certificate on the DNS domain name of the SSO portal from your Active Directory Certification Authority (AD CA) or any trusted root CA. Note: using a self-signed certificate in a production environment is possible but strongly discouraged. Even in a testing environment, the use of a CA-issued certificate is recommended in order to avoid browser warnings about untrusted connection and possible issues with AD FS.

3 Have Active Directory Federation Service (AD FS) installed and configured in the domain. You will need to know the following information from AD FS.

• AD FS Federation Service Identifier (e.g. https://adfs.MyDomain.com/adfs/services/trust)

To view the Federation Service identifier:

• In the AD FS Management application, select the Service node.

• In the Actions pane on the right, click Edit Federation Service Properties….

• The Federation Service identifier is shown on the General tab of the Federation Service Properties dialog, in the third text box, labeled Federation Service Identifier.

• AD FS endpoint URL for SAML 2.0 authentication (e.g. https://adfs.<mydomain>.com/adfs/ls/)

To view the Federation Service WS-Federation token issuance URL:

• In the AD FS Management application, select the Service\Endpoints node.

• Scroll down to the endpoint that has SAML 2.0/WS-Federation as the type, and note the URL path.

4 Import the token-signing certificate (without private keys) from AD FS to the SSO Portal machine. The certificate must be imported into the Local Computer/Trusted People store.

5 You will also need to know the thumbprint of the AD FS token-signing certificate. You can obtain this by running the following PowerShell command on the AD FS machine. Write the thumbprint down, it will be needed during the SSO Portal configuration.

Get-ADFSCertificate -CertificateType Token-Signing | Select Thumbprint

6 Have your list of claims-aware applications that use SAML 2.0 tokens for authentication that you want to access through the SSO Portal. Every application should be configured to use claims issued by your AD FS. Details of configuring applications are different for each service provider and are not covered in this document.

7 You will need an SSO-enabled entry URL for every claims-aware application (e.g. https://www.dropbox/sso/<id> for Dropbox Business).
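Prerequisites 4 and 5 together establish the trust the portal will place in AD FS tokens: the portal accepts tokens signed by the certificate in its Trusted People store whose thumbprint matches the configured value. The script below performs both steps and is an added example, not part of the guide; it assumes the exported file is written to C:\Temp\adfs-token-signing.cer on the AD FS server and copied to the same path on the portal machine. It exports the public certificate only and refuses to proceed if the file carries a private key or the thumbprint differs from the one noted on AD FS, the two mistakes that would either leak the signing key or trust the wrong issuer.

```powershell
# Added example: export the AD FS primary token-signing certificate (public part only) and import it into
# LocalMachine\TrustedPeople on the SSO Portal machine, verifying the thumbprint.
# Assumed value: the .cer path used on both machines.

function Export-AdfsTokenSigningCertificate {
    # Run on the AD FS server.
    param([string]$CerPath = 'C:\Temp\adfs-token-signing.cer')
    Import-Module ADFS

    # AD FS may hold a primary and a secondary (rollover) certificate; tokens are signed with the primary.
    $signing = Get-AdfsCertificate -CertificateType Token-Signing |
        Where-Object { $_.IsPrimary } | Select-Object -First 1
    if (-not $signing) { throw 'No primary token-signing certificate found.' }

    # X509ContentType::Cert exports DER without the private key, whatever the store holds.
    $der = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($CerPath, $der)

    [pscustomobject]@{
        Thumbprint = $signing.Thumbprint             # write this down for the SSO Portal configuration
        NotAfter   = $signing.Certificate.NotAfter   # plan the rollover before this date
        Path       = $CerPath
    }
}

function Import-AdfsTokenSigningCertificate {
    # Run on the SSO Portal machine after copying the .cer there.
    param(
        [Parameter(Mandatory)][string]$CerPath,
        [Parameter(Mandatory)][string]$ExpectedThumbprint   # the value noted on the AD FS server
    )
    $expected = $ExpectedThumbprint.Replace(' ', '').ToUpperInvariant()

    $cert = Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\TrustedPeople'

    if ($cert.HasPrivateKey) { throw 'The token-signing certificate must be imported without its private key.' }
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected."
    }
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Token-signing certificate expired on $($cert.NotAfter)." }
    $cert
}

# Usage (on the AD FS server):
#   $info = Export-AdfsTokenSigningCertificate
# Usage (on the SSO Portal machine, after copying the .cer file):
#   Import-AdfsTokenSigningCertificate -CerPath 'C:\Temp\adfs-token-signing.cer' -ExpectedThumbprint '<noted thumbprint>'
```

The thumbprint returned by the export function is the same value the guide's Get-ADFSCertificate one-liner prints; carrying it between the machines separately from the .cer file is what lets the import step detect a wrong or substituted file.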

Installing the SSO Portal

1 Run the SSO Portal installer by clicking ssoportal.exe in the SSO Portal folder (Altus 2.0.0 SAML SSO Portal and Password Manager Admin Tool) of your product package.

2 The installer will add any required Windows roles and features such as the Web Server role, Internet Information Server, ASP.NET 4.5, the URL Rewrite 2.0 module, etc., if not previously installed. This may require a reboot of the computer.

3 The SSO Portal installation wizard will copy supporting files into the selected installation folder (by default, C:\Program Files\Crossmatch\SSOPortal) and create a website named SSOPortal in IIS. Click through the pages of the wizard and accept the license agreement then click Finish to close the wizard.

4 Complete the installation of the SSO Portal website in IIS by binding it to an SSL certificate.

• Open IIS Manager and select the new SSOPortal site.

• Click on the "Bindings..." action link in the Actions side panel.

• In the Site Binding dialog, select the https binding.

• Edit the binding and select the SSL certificate issued for the SSO Portal. For our sample, we can use the wildcard certificate that we created.

5 If IIS hosts several HTTPS sites bound to port 443, their bindings can conflict. Resolve this in one of two ways:

• Give the SSO Portal a unique DNS name (the CNAME alias we added) and enter that name in the "Host name" field of its HTTPS binding. Distinguishing HTTPS sites by host name requires either Server Name Indication (supported by IIS 8 and later, i.e. Windows Server 2012 and later) or a certificate that covers all the sites on that port, such as the wildcard certificate used in the sample environment, or

• Choose a different port number.

6 In the IIS Manager, Actions panel, under Manage Website, click Start to restart the SSO Portal website.
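The IIS binding steps above, as an added PowerShell example that is not part of the original guide. It assumes the installer's default site name SSOPortal, the sample alias portal.MyDomain.com, and that the wildcard certificate from the sample environment is already in the Local Computer Personal store (Cert:\LocalMachine\My); adjust the subject filter for your own certificate. It also removes any plain-http binding on the site, which the guide does not cover, so the portal is reachable over HTTPS only.

```powershell
# Added example (not from the Crossmatch guide): bind the SSOPortal site to its
# TLS certificate from PowerShell instead of the IIS Manager dialogs.
# Assumptions: site name SSOPortal (installer default), DNS alias
# portal.MyDomain.com, and the *.MyDomain.com wildcard certificate from the
# sample environment already present in Cert:\LocalMachine\My.
Import-Module WebAdministration

$siteName = 'SSOPortal'
$hostName = 'portal.MyDomain.com'

# Pick the newest unexpired certificate matching the subject; fail loudly otherwise.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=*.MyDomain.com*' -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate for $hostName found in LocalMachine\My" }

# Replace any host-less https binding with one that carries the host name and
# uses SNI (SslFlags 1), so it cannot collide with other sites on port 443.
Get-WebBinding -Name $siteName -Protocol https | Remove-WebBinding
New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName -SslFlags 1

# Attach the certificate to the new binding ('My' is the Personal store).
$binding = Get-WebBinding -Name $siteName -Protocol https -HostHeader $hostName
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Assumption: drop any plain-http binding, if present, so the portal is HTTPS-only.
Get-WebBinding -Name $siteName -Protocol http | Remove-WebBinding

Start-Website -Name $siteName

# Show the result: protocol, IP:port:host, and the bound certificate hash.
Get-WebBinding -Name $siteName | Format-Table protocol, bindingInformation, certificateHash -AutoSize
```

Run the script from an elevated PowerShell session on the portal host; the final table should show a single https entry whose certificateHash equals the thumbprint of the certificate you intended to bind.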

Configuring the SSO Portal

Once the SSO Portal has been installed, the following configuration files will be located in the installation folder (the default is C:\Program Files\Crossmatch\SSOPortal).

• Identity.config - keeps the identities of trusted token issuers. Our trusted token issuer will be AD FS.

• Federation.config - keeps the information required for the WS-Federation protocol.

• Portal.config - keeps the list of claims-aware applications that will be listed in the SSO Portal.

Editing or replacing these files requires Administrator privileges. Back up the files before editing; you may want to copy them to the desktop for editing to avoid warnings about insufficient rights and then copy them back to the installation folder. Note that Identity.config defines which token issuer and signing certificate the portal accepts, so keep the installation folder's default permissions and do not grant write access to non-administrators.

Identity.config

• Replace the {adfsIdentifier} value with the AD FS Federation Service identifier you obtained earlier, for example “https://adfs.MyDomain.com/adfs/services/trust”. The identifier is compared case-sensitively and must match exactly.

• Replace the {adfsTokenSigningCertificateThumbprint} value with the thumbprint of the AD FS token-signing certificate. You can obtain it by running the following PowerShell command on the AD FS machine; if two certificates are listed because of automatic rollover, use the one marked IsPrimary.

Get-ADFSCertificate -CertificateType Token-Signing | Select IsPrimary, Thumbprint


Federation.config

• Replace the {adfsSaml2Endpoint} value with the URL of the AD FS endpoint for SAML 2.0 authentication, for example “https://adfs.MyDomain.com/adfs/ls/” in our sample environment.

• If you don't want AD FS to show a Home Realm Discovery page during the first logon, in the <wsFederation> section set the homeRealm value equal to the identifier of the default Claims Provider you want to use (e.g., Altus STS identifier). For our sample environment, this is “https://web.MyDomain.com/dpsts”

Portal.config

• Add the SAML-ready applications that will be displayed on the SSO Portal applications page. Each application needs its own record in the <applications> section.

For each new SAML-ready application you add to the SSO Portal, you will need to

1 Add a new application record with the SSO-enabled link to the application.

2 Create and add an application icon. Icons are located in the "/icons" subdirectory of the portal installation folder. The icon must be in the PNG format, and have a name corresponding to the application unique name defined in the Portal.config file.

3 Add an AD FS Relying Party Trust record for the application/service. Such records are vendor-specific and not covered in this documentation. Use the instructions provided by the application/service provider.

Configuring the Relying Party Trust

During the configuration process of the SSO Portal, take note of the following two parameters:

• The Portal's Relying Party Identifier (also called the realm). The default value defined in Federation.config is urn:crossmatch:sso:portal. Change the URN to match your installation.

• Portal's return URL. This URL will be in a form such as https://<portal host name>/app/


To add the Relying Party Trust for the SSO Portal,

• copy the Add-SSOPortalTrust.ps1 PowerShell script (C:\Program Files\Crossmatch\SSOPortal\deploy\Add-SSOPortalTrust.ps1) onto the AD FS machine and run it, providing the Portal's actual return URL. In our sample environment, that is “https://portal.MyDomain.com/app/”. The script creates a trust on your federation server, so review its contents before running it and confirm afterwards in the AD FS management console that the new trust has the identifier and endpoint you expect.

Portal verification

Open the Portal main page in a browser (https://portal.MyDomain.com). If everything is set up correctly, your browser is redirected to the DigitalPersona Identity Server logon page (https://web.MyDomain.com/dpsts). After successful logon, the browser is redirected back to the Portal main page, which shows the list of applications that can now be accessed without logging on to each one individually.

Troubleshooting

The information provided in this section may be helpful in troubleshooting various issues that may arise with the Altus SSO Portal.

IIS Manager

1 Ensure the HTTPS binding for the SSO Portal web site is assigned an SSL certificate, the certificate is valid and not expired, and the certificate successfully validates on the client computer.

2 Ensure that the SSO Portal website is running.

Portal installation

In the folder where the SSO Portal was installed

1 Ensure that the Identity.config and Federation.config files have been edited correctly with the values mentioned in the previous section. Check AD FS for its identifier and endpoint URL. Note that the AD FS identifier is case-sensitive and must be an exact match.

2 Ensure that the Portal.config file contains application definitions.

3 Ensure that the AD FS Token Signing certificate is installed into the Local Computer\Trusted People store. It should not be installed into any of the Current User stores or Personal stores, or Trusted Root CAs stores etc.

4 Open the Event Viewer and check the Application and Security event logs for possible errors related to authentication.

ADFS

1 Ensure that there is a Relying Party Trust created on the AD FS host.

2 Ensure that the Relying Party Trust contains correct values for the Relying Party Identifier (urn:crossmatch:sso:portal) and for endpoints. Note that the Relying Party Identifier is case-sensitive and must be an exact match.

3 Ensure that the Relying Party Trust contains correct Claim Rules: pass-through rules for Name, UPN and Role, and a custom rule for querying the email address by the Windows account name.

4 Ensure that every claims-based application has its own Relying Party Trust record created in AD FS as specified by the vendor.

5 Open the Event Viewer and check the Application, Security and AD FS event logs for possible errors related to authentication.
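The Portal installation and AD FS checks above in script form, as an added PowerShell example that is not part of the original guide. Run it on the SSO Portal host. Because the guide does not show the XML layout of Identity.config, the identifier and thumbprint you entered there are passed in as parameters rather than parsed from the file; $adfsHost and $siteName are the sample-environment names. The script compares the configured values against what AD FS publishes in its federation metadata (the standard /FederationMetadata/2007-06/FederationMetadata.xml path), then checks the Trusted People store and the IIS site state and HTTPS binding.

```powershell
# Added example (not part of the Crossmatch guide): verify that the values the
# SSO Portal trusts match what AD FS actually publishes, and that the IIS and
# certificate-store prerequisites from the troubleshooting list are in place.
# Assumptions: run on the portal host; sample names adfs.MyDomain.com / SSOPortal;
# $configuredIdentifier and $configuredThumbprint are what you put in Identity.config.
param(
    [string]$adfsHost             = 'adfs.MyDomain.com',
    [string]$siteName             = 'SSOPortal',
    [string]$configuredIdentifier = 'https://adfs.MyDomain.com/adfs/services/trust',
    [string]$configuredThumbprint = '<thumbprint you entered in Identity.config>'
)
$failures = @()

# 1. Fetch AD FS federation metadata; extract entityID and token-signing cert thumbprints.
$url = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$md  = [xml](Invoke-WebRequest -Uri $url -UseBasicParsing).Content
$publishedIdentifier  = $md.EntityDescriptor.entityID
$publishedThumbprints = $md.GetElementsByTagName('KeyDescriptor') |
    Where-Object { $_.use -eq 'signing' } |
    ForEach-Object {
        $raw = [Convert]::FromBase64String($_.GetElementsByTagName('X509Certificate')[0].InnerText)
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($raw)).Thumbprint
    } | Sort-Object -Unique

# AD FS compares identifiers case-sensitively, so use -cne rather than -ne.
if ($publishedIdentifier -cne $configuredIdentifier) {
    $failures += "Identifier mismatch: Identity.config='$configuredIdentifier', AD FS publishes '$publishedIdentifier'"
}
$thumb = ($configuredThumbprint -replace '\s', '').ToUpperInvariant()
if ($publishedThumbprints -notcontains $thumb) {
    $failures += "Thumbprint $thumb is not a current AD FS token-signing certificate (published: $($publishedThumbprints -join ', '))"
}

# 2. The token-signing certificate must sit in LocalMachine\TrustedPeople and be unexpired.
$trusted = Get-ChildItem Cert:\LocalMachine\TrustedPeople | Where-Object Thumbprint -eq $thumb
if (-not $trusted) {
    $failures += "Token-signing certificate $thumb is not in LocalMachine\TrustedPeople"
} elseif ($trusted.NotAfter -lt (Get-Date)) {
    $failures += "Token-signing certificate in TrustedPeople expired on $($trusted.NotAfter)"
}

# 3. The portal site must be started and its https binding must carry a certificate.
Import-Module WebAdministration
$site = Get-Website -Name $siteName
if (-not $site) {
    $failures += "IIS site $siteName not found"
} elseif ($site.State -ne 'Started') {
    $failures += "IIS site $siteName is in state '$($site.State)'"
}
$https = Get-WebBinding -Name $siteName -Protocol https
if (-not $https) {
    $failures += "No https binding on $siteName"
} elseif (-not ($https | Where-Object certificateHash)) {
    $failures += "The https binding on $siteName has no certificate assigned"
}

if ($failures) { $failures | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "All SSO Portal trust and IIS checks passed."
```

A non-zero exit with one or more warnings points at the exact item in the troubleshooting list to fix; an identifier mismatch is most often a trailing slash or a difference in letter case, and a thumbprint mismatch usually means AD FS has rolled over to a new token-signing certificate since the portal was configured.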

11 Web Application Proxy

This chapter describes configuring the Microsoft Web Application Proxy for use with the Altus SAML SSO Portal.

Overview

The Microsoft Web Application Proxy enables the publishing of selected HTTP- and HTTPS-based applications from your corporate network to client devices outside of the corporate network. It can use AD FS (Active Directory Federation Services) and Altus multi-factor credentials to ensure that authorized users are authenticated before they gain access to published applications.

The Web Application Proxy also provides proxy functionality to your AD FS server.

Note that the Web Application Proxy should not be installed on the same machine as AD FS.

Prerequisites

• Active Directory Federation Services (AD FS) installed and configured.

• Altus AD Server or Altus LDS Server is installed and configured.

• Altus Secure Token Service (STS) is installed and configured.

• Altus SAML SSO Portal is installed and configured.

• (Optional) A Web Application Proxy host machine is available with Windows Server 2012 R2, in a DMZ; not joined to the main AD domain (or joined to a special DMZ domain). A similar feature, the Federation Service Proxy role, is available in Windows Server 2008 R2 and Windows Server 2012.

• A Public DNS is configured to map a reserved public host name and public IP to the WAP host in the DMZ.

• One or more SSL certificates issued by a public Certificate Authority. For example, you can

• Create individual certificates for each web host in the domain to be published, such as Subject="CN=adfs.MyDomain.com", Subject="CN=portal.MyDomain.com", Subject="CN=admin.MyDomain.com", etc.

• Use a SAN certificate for a defined and finite set of hosts in the domain, for example: Subject="CN=MyDomain.com", Subject Alternative Names="DNS=adfs.MyDomain.com, DNS=portal.MyDomain.com, DNS=admin.MyDomain.com, ...".

• Provide a wildcard certificate for an open set of hosts in the domain, for example: Subject="CN=*.MyDomain.com".

• An internal DNS configured with an additional Forward Lookup Zone for the public domain. It is recommended to publish services using aliases (CNAME records) instead of computer names (A records) to keep flexibility: you can then migrate services between computers by redirecting the alias, avoiding reconfiguration and/or issuing new certificates.

• Web Applications installed and configured as AD FS Relying Parties.

Installing the WAP role service

Add the Remote Access server role in Windows Server and select the Web Application Proxy role service. Use the following PowerShell cmdlet or the steps that follow (example is for Windows Server 2012 R2).

Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools


1 On the Web Application Proxy server, in the Server Manager console, in the Dashboard, click Add roles and features.

2 In the Add Roles and Features Wizard, click Next three times to get to the server role selection screen.

3 On the Select server roles dialog, select Remote Access, choose Web Application Proxy, and then click Next.

4 Click Next again.

5 On the Confirm installation selections dialog, click Install.

6 On the Installation progress dialog, verify that the installation was successful. Before closing the Add Roles and Features Wizard, read the next section.

Configuring WAP

On the last page of the Add Roles and Features Wizard, there is a link to Open the Web Application Proxy Configuration Wizard.

1 Use the Web Application Proxy Configuration Wizard to connect WAP with your AD FS server, or complete the same task by running the following PowerShell cmdlet. Here publicSslCert stands for the thumbprint of the public SSL certificate for the AD FS host name, and the cmdlet prompts for the credentials of an AD FS administrator, which it needs in order to establish the trust with the federation server.

Install-WebApplicationProxy -CertificateThumbprint publicSslCert -FederationServiceName adfs.MyDomain.com -FederationServiceTrustCredential (Get-Credential)

2 Publish Altus STS.

• Open the Remote Access Management Console and click the Publish action link.

• On the Preauthentication step, choose Pass-through, because Altus STS does not require AD FS preauthentication. Note that with pass-through publishing WAP forwards requests without authenticating them, so the STS logon page itself is the only authentication point for that URL.

• On the Publishing Settings step, enter the Altus STS external URL and choose a public SSL certificate. The internal URL is the same as the external URL (this is why the internal DNS needs the additional Forward Lookup Zone for the public domain name).

• Confirm and finish the wizard.

3 Publish your internal web applications to the internet.

• For each application, open the Remote Access Management Console and click the Publish command.

• On the Preauthentication step, choose AD FS.

• On the Relying Party step, choose the web application from the list of AD FS Relying Parties.

• On the Publishing Settings step, provide the web application's external URL and public SSL certificate. The internal URL is the same as the external URL, resolved through the additional Forward Lookup Zone on the internal DNS.

Note: You do not need to publish any of the Relying Parties created for cloud-based applications such as Dropbox or Office 365; the browser reaches those services directly and is only redirected to AD FS for authentication.
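The two publishing procedures above (pass-through for Altus STS, AD FS preauthentication for an internal application) as one added PowerShell example; this is not part of the original guide. It assumes the sample names web.MyDomain.com/dpsts and portal.MyDomain.com, an AD FS relying party for the portal named "Altus SSO Portal" (the name your Add-SSOPortalTrust.ps1 run actually created may differ), and the thumbprint of the public certificate in $publicCertThumbprint. Run it on the WAP host after Install-WebApplicationProxy has completed.

```powershell
# Added example (not part of the Crossmatch guide): publish the Altus STS and
# the SSO Portal through Web Application Proxy with PowerShell, equivalent to
# the Remote Access Management Console steps. Assumptions: sample host names,
# an AD FS relying party named 'Altus SSO Portal', and a public certificate
# whose thumbprint is set below.
$publicCertThumbprint = '<thumbprint of the public SSL certificate>'

# Internal and external URLs are identical; that is what the extra Forward
# Lookup Zone on the internal DNS provides.
$apps = @(
    @{ Name = 'Altus STS';        Url = 'https://web.MyDomain.com/dpsts/'; Preauth = 'PassThrough'; RelyingParty = $null },
    @{ Name = 'Altus SSO Portal'; Url = 'https://portal.MyDomain.com/';    Preauth = 'ADFS';        RelyingParty = 'Altus SSO Portal' }
)

foreach ($app in $apps) {
    # Idempotent: skip applications that are already published under this name.
    if (Get-WebApplicationProxyApplication -Name $app.Name -ErrorAction SilentlyContinue) {
        Write-Host "Already published: $($app.Name)"
        continue
    }
    $params = @{
        Name                          = $app.Name
        ExternalUrl                   = $app.Url
        BackendServerUrl              = $app.Url
        ExternalCertificateThumbprint = $publicCertThumbprint
        ExternalPreauthentication     = $app.Preauth
    }
    # AD FS preauthentication requires naming the relying party WAP enforces.
    if ($app.Preauth -eq 'ADFS') { $params.ADFSRelyingPartyName = $app.RelyingParty }
    Add-WebApplicationProxyApplication @params
    Write-Host "Published $($app.Name) ($($app.Preauth))"
}

# Review what is now exposed. Anything listed as PassThrough is reachable from
# the internet without AD FS preauthentication, so this list should contain
# only the entries you intend to publish that way.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalUrl, ExternalPreauthentication, ADFSRelyingPartyName -AutoSize
```

Cloud relying parties such as Dropbox or Office 365 are deliberately absent from $apps: as the note above says, they are not published through WAP.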

Index

A

Active Directory Certificate Services 12
AD FS installation & configuration 16
AD FS server role 16
Add Transform Claim Rule Wizard 25
Altus
    Altus SAML SSO Portal 38
    Altus Web server components 30
    Confirm 30
    Confirm Server 20
    Web Administration Console 20
    Web Administrative Console relying party 20
Altus AD Workstation 29
Altus Server installation 18

B

binding a certificate to a website 14

C

Certification Authority role 12
Chrome browser 30
conceptual overview 9
configure AD FS 16
configuring
    Active Directory Certificate Services 12
    Active Directory Federation Services 16
    Altus SAML SSO Portal 42
    Altus STS 33
    Altus Web Admin Console 20
    Relying Party Trust 43
    WAP 47
configuring the Altus Web Admin Console 20
creating an SSL certificate 13

D

DNS resource records 10

E

Edit Claim Rules dialog 25
exporting a certificate 14

F

Federation Metadata URL 17
Federation Service identifier 17
Federation Service WS-Federation token issuance URL 17
federation.config 43

G

Google Chrome for Windows 30

I

identity.config 42
importing a certificate 14
installing
    Altus LDS Server & Web Admin Console 29, 30
    Altus SAML SSO Portal 40
    WAP role service 46
integration of AD FS Server and Altus 36

N

network configuration 7
noting required identifiers 17

P

plan network architecture 9
portal.config 43
prerequisites 9
prerequisites for Altus SAML SSO Portal 38

R

Requesting a Web Server certificate 13
root key 11

S

Secure Token Service (STS) 31
solution overview 5
SSL certificate 11
STS authentication credentials configuration 36
STS configuration 33

T

troubleshooting 45

W

WAP - Web Application Proxy 46
Web Application Proxy 46
Web Server (IIS) role, adding 27
Web Server certificate template 13
wildcard certificate 13
Windows Certification Authority role 12
WS-Federation token issuance URL 17

X

XML configuration
    STS authentication credentials 36