
Extranet User Manager Deployment and Configuration Guide

Version 3.1 March 11, 2015

Envision IT

7145 West Credit Avenue Suite 100, Building 3

Mississauga, ON L5N 6J7 www.envisionit.com/eum


Table of Contents

Introduction ..... 1
What's New in v 3.1 ..... 2
   What's New in 3.1 (3.1.5500.2) – Feb 2015 ..... 2
   What's New in 3.1 Release 2 (3.1.5536.2) – Feb 2015 ..... 4
Preparing for Deployment ..... 5
   Prerequisites ..... 5
   Create an IIS Site outside of SharePoint ..... 5
   Delegate to Active Directory ..... 6
Installation ..... 7
   MSI Installer ..... 7
Complete the EUM Configuration ..... 14
   AdminIdP Password ..... 14
   Initialize Identity Server ..... 15
   Landing Admin Configuration ..... 16
   Test Registration ..... 19
   Test Login ..... 19
Post Deployment ..... 21
   Disabling Logging ..... 21
      Database SQL Logging ..... 21
      Active Directory Provider Logging ..... 21
      Email Logging ..... 21
   Customization Files ..... 21
Advanced Configuration Options ..... 22
   Add SharePoint as a Relying Party ..... 22
      Running the PowerShell Script to Register Identity Providers ..... 22
      Enable the Token Issuer in SharePoint ..... 23
      SharePoint Relying Party in Identity Server ..... 23
      SharePoint Group to Allow Access ..... 24
   Integrate AD FS as an Identity Provider ..... 26
      Home Realm Discovery (HRD) ..... 26
      Thinktecture Identity Server Configuration ..... 26
      Identity Provider – Identity Server ..... 30
      Identity Provider – AD FS ..... 31
      Relying Party – Identity Server ..... 32
      Relying Party – AD FS ..... 33
      Application Relying Party ..... 36
      Example Login to LandingAdmin with HRD displayed ..... 36
      Use the &whr= Query String attribute to preselect a Realm on the HRD ..... 38
   Configuring ezRealm ..... 39
      Overview ..... 39
      Configure IP Addresses in Landing Admin ..... 41
      Configure Email Login Page Redirects in Landing Admin ..... 42
      Enable ezRealm in Identity Server ..... 42
   Office 365 Configuration ..... 43
      Set the UPN correctly for your users ..... 44
      Register your application for Graph API access ..... 44
      Azure Active Directory Applications ..... 45
      Grant Delete Permissions to the Application ..... 46
      How Does EUM use the Azure Active Directory Application ..... 47
      Federate Access to Office 365 ..... 48
      Office 365 as a Relying Party in Identity Server ..... 50
   Configuring Host Header Based Federation ..... 51
      <appSettings> ..... 51
      cHostHeaderModule ..... 51
      <system.identityModel> ..... 52
      <system.identityModel.services> ..... 52
      Preventing the Infinite login loop ..... 53
      Use relative Urls with multiple host headers ..... 53
Appendix A – Configuring IIS Sites for EUM Installation ..... 54
   Create Site ..... 54
   Modify the Application Pool ..... 55
   Set Anonymous Authentication ..... 57
   Configure DNS for your new Site Name ..... 57
Appendix B – Delegate Access in Active Directory ..... 58
Appendix C – Details of Installation ..... 60
   IIS Web Applications and Folders ..... 60
   Signing Certificates ..... 61
   Relying Parties ..... 62
   Roles ..... 63
   Users ..... 64
   Database Installed ..... 64
   Additional Folders, Files and Settings ..... 65
   Console Apps ..... 66
      EIT_MemberShipSync ..... 66
      EIT_RemoveEUMInstallSPWebConfigEntries ..... 67
      EIT_TestLogin ..... 67
Appendix D – Overview of LandingAdmin Configuration Pages ..... 68
   System/Application Configuration ..... 68
      Additional Hidden Settings ..... 73
      Additional Obsolete Settings ..... 73
   General Email Settings ..... 74
   Email Templates and Substitution Variables ..... 76
      Pending Approval ..... 76
      Pending Approver ..... 77
      Welcome ..... 79
      Forgot Password ..... 81
   ManageUsers Database Configuration – Domain Table ..... 84
   ManageUsers Database Configuration – Site Table ..... 84
   ManageUsers Database Configuration – ezRealmIP Table ..... 85
   ManageUsers Database Configuration – ezRealmEmail Table ..... 86
   Office 365 Configuration – Office365Configuration Table ..... 87
      Office 365 License Threshold Notification Email ..... 89
Appendix E – PowerShell Registration of SharePoint Identity Providers ..... 91
   Registering Certificates ..... 91
   Relying Party URLs – Realm and SignIn ..... 91
   Relying Party – Mapping Claims ..... 91
   Create the Trusted Identity Token Issuer ..... 92


Introduction

This document describes the process of installing and configuring Envision IT's Extranet User Manager Version 3.1. This includes Thinktecture Identity Server as a federated Identity Provider, which can be configured as a Trusted Identity Provider in SharePoint 2010 and SharePoint 2013, and can also provide claims based access to Office 365 or other web applications. Federation with existing AD FS domains, including Office 365, is also supported.

The steps involved in installing and configuring EUM include:

Setting up an IIS site with SSL certificates
Installing EUM and Identity Server with the Installer
Completing the configuration of Identity Server and EUM
Performing any email customizations
Federating identity with SharePoint or other web sites

Once the base install is complete and functional, additional branding, text changes, and registration customizations can be performed.


What’s new in v 3.1

What’s New in 3.1 (3.1.5500.2) – Feb 2015

Support for federating with Identity Server is enhanced with additional user management capabilities in Extranet User Manager v3.1:

New extranet users can be automatically given user accounts in Azure Active Directory (AAD).
Support for both Active Directory and SQL based users in Office 365 federation.
Groups and group membership are also set in AAD.
Extranet users are licensed for SharePoint Online.
Licensed and unlicensed AAD users can be listed in EUM LandingAdmin.
New notification email for administrators when SharePoint Online licenses are running low.
New PowerShell script for federating with Office 365.
New page in Landing Admin for all Office 365 connections and queries.
Database Schema 3.1 with a new table for Office 365 configuration. See the section on configuring Office 365 in the advanced configuration section for more information. This is a post-install, multi-step configuration: install and configure the base application first before proceeding to Office 365 configuration.

The MVC DLLs in Identity Server were updated to address security bulletin MS14-059; see https://technet.microsoft.com/library/security/ms14-059 for more information.

Landing Admin configuration editors can now get easier access to the Identity Server site from the configuration menu. The Thinktecture Identity Server link at the bottom can be configured in the Landing Admin web.config (appSettings IdentityServerURL) if the site is relocated, or the link can be turned off by setting it to “”.

Host Header mode (where a single install of EUM can appear differently depending on the host header used in the web URL) was fixed in this release and enhanced with the addition of a host-based WS-Federation configuration selection module. This allows the Issuer, Realm and Reply parameters to be modified based on the registered host headers for the site. Users will return to the expected host after sign-in if it is configured correctly. See the section on configuring host header based federation in the advanced configuration section for more information.

The Identity Server groups (IdentityServerUsers and IdentityServerAdministrators) are protected from renaming and deactivation in EUM. These groups are for use by IdentityServer and are not included in claims. They are not synced to AAD.

SQL provider users are now configured with the “Universal Providers” in System.Web.Providers.dll. These providers support Azure SQL and SQL Server, as well as SQL Server Compact, through the underlying Entity Framework 6. The database schema is simplified from the aspnetdb one. The Installer will automatically upgrade the users, and specify the compatible hash function, if upgrading from an existing aspnetdb. See the EUM Upgrade Guide for more details.

Landing and Registration are now using Bootstrap as their display engine. This provides for an adaptive and responsive design across multiple devices, particularly mobile.

The Identity Server sign-in page now defaults to a Bootstrap enabled design, which resizes for mobile devices. See the EUM Developer’s Guide for more details on customizing Bootstrap applications.

Forgotten password and new account tokens are now stored in the database as UTC based rather than in the local time zone. This allows the EUM manage users database to be hosted in a local SQL Server or in Azure SQL. The expiration of the token (as displayed in the emails) will always be relative to the local time of the EUM web server, where the emails originate, not the UTC date stored in the SQL database.

MinPwdAge is detected for more cases in the Active Directory providers. The MinPwdAge prevents users from changing their password too often. Both the ADSI and NMAPI versions are now trapped, in both providers (AD and ADnoSP).

And of course all the new features from the 3.0 releases:

.NET 4.5 claims based
Low touch federated integration with SharePoint and other web applications
Inclusion of Thinktecture Identity Server for claims based federation with other applications, including AD FS for advanced federation sign-in and Home Realm Discovery
ezRealm HRD (Home Realm Discovery) allows multiple Identity Providers to be selected by incoming IP address, or redirected to through email/username on the sign-in page
Support for Windows claims based auth for local administrators, through /LandingAdmin/_WinAuth
Signout.aspx in /Landing and /LandingAdmin (not for _WinAuth users)
New registered users are added to the IdentityServerUsers Role by default so they can log in with Identity Server
PowerShell scripts and generated certificates for SharePoint Trusted Identity Provider registration
SQL and Active Directory providers for extranet user accounts

What’s New in 3.1 release 2 (3.1.5536.2) – Feb 2015

Multiple SKU selection in Office 365. Your account can now contain more than one type of SharePoint Online license, and you can choose which type to assign to extranet users.

LandingAdmin will no longer load the SharePoint DLL to validate the site tree database.


Preparing for Deployment

Prerequisites

Windows Server x64 (2008 or higher; 2012 or 2012 R2 preferred)
.NET 4.5
ASP.NET 4.5
SSL certificates for the server (all federated web traffic must be SSL encrypted)
MS SQL Server database (2008 or higher)
Active Directory – EUM v3.0 and Identity Server only support users stored in Active Directory (SQL Server and Universal Providers can be used in place of Active Directory)
DNS and host names for the login site

The Installer also requires:

SharedManagementObjects.msi (Microsoft SQL Server 2008 Management Objects), aka SMO
SQLSysClrTypes.msi (x64 version), required by SMO

We use the SQL 2008 version for maximum compatibility with older database servers, but these will need to be installed even if you have newer versions (such as 2012), since the interfaces have changed.

Create an IIS Site outside of SharePoint

You will need to create an SSL site for /Landing, /LandingAdmin and /IdSrv. This set of sites will allow users to register accounts, manage passwords, and log in to other sites in the network through claims based federation. The Application Pool for the site will be delegated access to Active Directory to manage the extranet users, unless the SQL Provider option is chosen.

(The upper left Extranet is what we are installing in this document.) It is important that the Application Pool is set up with a known domain account. It is also best to configure SSL before starting the installation. This should ideally not be a SharePoint site. This site must be configured for the ASP.NET 4 Managed Pipeline in Integrated mode.

For details on setting up a suitable IIS site, see Appendix A.
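The installer only lists sites that meet the requirements above, so it helps to check them before running it. The following script is an added example, not part of the Envision IT guide; it assumes the IIS WebAdministration module is available and uses 'Extranet' as a placeholder for your own site name.

```powershell
# Added pre-install check for the EUM 3.1 prerequisites described above
# (not part of the Envision IT guide). Assumes the WebAdministration module
# (IIS 7.5 or later); 'Extranet' is a placeholder for your own IIS site name.
Import-Module WebAdministration

function New-CheckResult([string]$Check, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

# The guide requires the SQL 2008 (version 10.0) SMO and CLR types even when a
# newer SQL Server is installed, so load the exact strong name, not just any version.
function Test-AssemblyLoads([string]$FullName) {
    try { [void][System.Reflection.Assembly]::Load($FullName); $true } catch { $false }
}

function Test-EumSitePrerequisites {
    param([Parameter(Mandatory = $true)][string]$SiteName)

    $site = Get-Website -Name $SiteName
    if (-not $site) { throw "IIS site '$SiteName' not found" }
    $results = @()

    # .NET 4.5 writes Release = 378389 (or higher for later versions) under the v4 Full key
    $release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
                -Name Release -ErrorAction SilentlyContinue).Release
    $results += New-CheckResult '.NET 4.5 or later' ($release -ge 378389) "Release=$release"

    # ASP.NET 4.5 role service (cmdlet only exists where the ServerManager module is present)
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $aspnet = Get-WindowsFeature Web-Asp-Net45
        $results += New-CheckResult 'ASP.NET 4.5 feature' ($aspnet -and $aspnet.Installed) "$($aspnet.InstallState)"
    }

    # All federated traffic must be SSL: the installer shows "(no SSL!)" for sites without an https binding
    $https = Get-WebBinding -Name $SiteName -Protocol https
    $bindingText = if ($https) { ($https | ForEach-Object { $_.bindingInformation }) -join ', ' } else { 'none' }
    $results += New-CheckResult 'HTTPS binding present' ([bool]$https) $bindingText

    # App pool must be .NET 4, Integrated pipeline, and run as a known domain account
    $pool = Get-Item "IIS:\AppPools\$($site.applicationPool)"
    $results += New-CheckResult 'App pool .NET v4.0' ($pool.managedRuntimeVersion -eq 'v4.0') $pool.managedRuntimeVersion
    $results += New-CheckResult 'App pool Integrated pipeline' ($pool.managedPipelineMode -eq 'Integrated') $pool.managedPipelineMode
    $identityType = $pool.processModel.identityType
    $userName = $pool.processModel.userName
    $isDomainAccount = ($identityType -eq 'SpecificUser') -and ($userName -match '\\|@')
    $results += New-CheckResult 'App pool known domain account' $isDomainAccount "$identityType $userName"

    # SMO (SharedManagementObjects.msi) and SQL CLR types (SQLSysClrTypes.msi), SQL 2008 versions
    $smo = Test-AssemblyLoads 'Microsoft.SqlServer.Smo, Version=10.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91'
    $results += New-CheckResult 'SQL 2008 SMO installed' $smo 'Microsoft.SqlServer.Smo 10.0.0.0'
    $clr = Test-AssemblyLoads 'Microsoft.SqlServer.Types, Version=10.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91'
    $results += New-CheckResult 'SQL 2008 CLR types installed' $clr 'Microsoft.SqlServer.Types 10.0.0.0'

    return $results
}

$checks = Test-EumSitePrerequisites -SiteName 'Extranet'
$checks | Format-Table -AutoSize
if ($checks | Where-Object { -not $_.Pass }) {
    Write-Warning 'Fix the failed checks before running InstallEUM.cmd'
}
```

Run it in an elevated PowerShell session on the web server; a site that passes every check should appear in the installer's site list without the "(no SSL!)" marker.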

Delegate to Active Directory

If you are storing the extranet users in SQL server (ASPNETDB) you can skip this. Access to the database is controlled by SQL Server security, and is initialized by the installer, when a database is created.

If you are storing the extranet users in Active Directory, then there are 2 accounts that need access to the Extranet Active Directory:

1. The App Pool Identity for the Landing/LandingAdmin sites
2. The NetworkService account that Identity Server runs under

Alternatively, if you specify a username for the LDAP connection during installation, then only that specific account will need delegated access in Active Directory. A specific OU or CN should be created in Active Directory to hold the managed users and groups. “EumUsers” is recommended, if you don’t have a specific name that is better. It is best to have the security delegated before starting the installation. For details on delegating access in Active Directory, see Appendix B.

Installation

Use InstallEUM.cmd to install EIT_EUM3_Install.msi. This allows you to right click and run as Administrator, and it also produces an InstallEUM.txt log file of the install for review if there are any issues. This cmd will also create a MyEUMSettings.ini file.

MSI Installer

This version is much simpler than the previous version. All SharePoint interaction is gone. No SharePoint configurations are modified. There is only one path through the installer.

The EULA has changed to add the Thinktecture Open Source clauses.

Only sites that are .NET 4, have known accounts for the app pool, and preferably have SSL set, are listed. If you don't have SSL on your site, "(no SSL!)" will be displayed beside it. You should exit the installer and set up SSL before proceeding.

If your site is not listed, return to IIS and check the prerequisites. Normally you will not pick the SharePoint sites.

The database for EUM is very similar to previous versions; the current schema supports Unicode. If you are upgrading from a previous version, the DB will be upgraded.

Now you get to choose how your extranet user accounts are to be stored: either in Active Directory (in a single managed OU) or in SQL Server using the ASPNETDB and SQL providers from Microsoft (standard in .NET 4.5). The default is Active Directory.

If you chose Active Directory, you will want a specific CN or OU to hold the Extranet users. If Active Directory is on a separate server, Identity Server will not be able to delegate with the NetworkService account, and you will need to specify a username and password that is delegated.

If you have delegated to the two accounts, you don't need a username and password. If you do specify one, ensure that it has access in AD to the Extranet OU.

If you chose SQL Database, you will see this dialog instead. The ASPNETDB is a separate database from the EUM Database, but they can reside on the same server. The installer creates this database using the aspnet_regsql program. The SQL option uses a SQL connection string instead of an LDAP one in each of the configs, and uses the Microsoft SQL providers instead of the Envision IT AD providers.

The Email information is optional; it used to be picked up from SharePoint, but not in this version. If you don't want to specify it during install, it will need to be set up post install. Users rely on email for setting the passwords on their accounts.

If the database already exists, then the Email values are read from the DB and this page is skipped. Any changes should be made in LandingAdmin, as changes are not written to the DB if the DB already exists.

Leaving the ReplyTo blank will cause ReplyTo to have the same email as the Sender address.


Review the summary - ensure the URL and Path are what you expected, and that your LDAP contains the correct OU. If SQL Database was chosen, the LDAP line will show the ASPNETDB information instead.

Ready to install now


Installing...

Done!

For a detailed listing of what was installed - see Appendix C


Complete the EUM Configuration

AdminIdP Password

The Installer created one account in the specified Active Directory OU. This account is used to configure Identity Server. (Other administrators can be added later to the IdentityServerAdministrators group.) If you installed with the SQL option, then the AdminIdP user is in the aspnetdb database.

If you chose AD to store your external users, set the Password for the AdminIdP account by right-clicking it in Active Directory Users and Computers and choosing "Reset Password". Be sure to uncheck "User must change password at next login".

If you chose SQL to store your external users, navigate to the C:\Logs\Emails folder and view the [email protected] email. Click on the link to set your password. This will launch the browser to the change password page. Enter the new password and click Change Password.

This account has an “email” address of [email protected] which you will use to log in with. This account is only for administering Identity Server; it will not be allowed to log in to SharePoint or LandingAdmin.


Initialize Identity Server

Initialize the Identity Server configuration database by going to HTTPS://[ Your Site ]/IdSrv/

You can double check that IdentityServerConfiguration.sdf is in the IdentityServer\App_Data folder on the disk.

If at this point you see a broken x for the logo, then you need to allow anonymous access to the files:

o in IIS click on the IdSrv site icon

o double click IIS authentication

o right click Anonymous Authentication

o Edit

o Set the Radio button for "Application Pool Identity" (which is NetworkService, and was granted file access during installation)

o /Landing may have the same issue; check each of the anonymous folders: common, forgotpass, images, register

You can click on the two links to ensure the XML and list of URLs come up.

Click [Sign In] to sign in as the Identity Server Administrator, using [email protected] and the password you set in step 1.

Click [Administration] - look around - everything is already configured for right now.

NOTE: If the Active Directory is not local to the Identity Server, then the NetworkService account cannot be delegated to access Active Directory. In this case you will have to add connectionUsername and connectionPassword to each of the Membership Provider, Role Provider and Profile Provider. These are in the IdentityServer\Web.config and Configuration\Profile.config.


If you specified the username and password during install, it will already be set in IdentityServer, and will also be applied to Landing and LandingAdmin as well.

Landing Admin Configuration

Using the Windows credentials that you installed the software with, go to https://[ Your Site ]/LandingAdmin/_WinAuth/

You should see the Landing Admin Home page, with your username in the upper right.

You can click on it to see your admin access and Windows claims.


If you didn't set the Email fields during installation, you can do it now on the General Email Settings page /LandingAdmin/EmailConfiguration.aspx .

It is difficult to set the passwords for registered Extranet users without the email!

See Appendix D for details

Before sending any emails, verify the Home Url is set appropriately, in Configure | System Settings, Navigation URLs. This should be the main site that the user is registering to get access to. By default it will be the top site that was configured for Identity Server, Landing and Landing Admin; however, by default there is no content there, and IIS will give you a 403 Forbidden error. (In previous versions of EUM, the installer would pick up the SharePoint site, but this is now optional, and the installer does not know about your SharePoint site.) If you are going to configure the Site Tree with the SharePoint sites, then you can add “/Landing/” to the end of the Home URL, making it the same as the Extranet Url.


You can test that the Emails can be sent by using the Welcome Email Configuration page, /LandingAdmin/WelcomeEmailConfiguration.aspx .

Enter your Email address in the "Test Email" field and click OK.

Configure the SharePoint database connections if you want the site tree to show up when users log in. By default there are no sites. Add SharePoint Sites or Configure SharePoint Sites.

For Detailed LandingAdmin configuration options – See Appendix D


Test Registration

Close the browser and open https://[ Your Site ]/Landing/Register/Register.aspx

The red * indicating required fields should come up immediately.

If you do not see them, check the F12 console errors (F12 - Console - refresh the page) for WebResource.axd. It is likely the anonymous settings in IIS did not work.

Fill in the form, or at least first name, last name and email address.

Save by clicking the Register button

By default the Registration goes into Pending Approval and there is no Email sent.

Return to Landing Admin

https://[ Your Site ]/LandingAdmin/_WinAuth/

In Search users, click Search

Click on the new Pending Approval user you registered above.

Verify they are already in the IdentityServerUsers Group

Set the Status Dropdown to Active

Save settings

This should send the Welcome Email to the Registered User.

Click on the Link in the Email to take you to /Landing/ForgotPass/UpdatePassword.aspx

Change your password and Save - Your Password has been Changed should be displayed

Test Login


Go to the Landing Site Root (don't click on Home)

https://[ Your Site ]/Landing/

This will redirect to the Identity Server Login page, use your EMAIL address, and newly set password.

The Landing page will give "Sorry, you do not have access to any sites." if there are no SharePoint sites configured yet. (See Site Table configuration in Appendix D.)

Test the MySettings page. Landing/MySettings.aspx to ensure the page loads. You can try changing some settings.


Post Deployment

Disabling Logging

During install and configuration, it is useful to log actions into the C:\Logs folder, but after the system has been successfully running for a while it may be better to turn off the logging, to save disk space and reduce the maintenance effort of cleaning up the log files. Logging is always configured in the <appSettings> of the web.config.

Database SQL Logging

Database logging is only in the Landing and LandingAdmin configs – by default these are turned off. (The QueryEngine is only used in LandingAdmin.)

<add key="Manageusers.Debug" value="false" />
<add key="Querying.Debug" value="false" />
<add key="QueryEngine.Logging_On" value="false"/>

The “ErrorLog” appsettings you typically want to leave set to “true” as they will only write to the log file if there is a problem.

Active Directory Provider Logging

Provider logging is in IdentityServer, as well as Landing and LandingAdmin. The AD providers all log to the same file: C:\Logs\EIT_ADProividers.txt. The provider logging is enabled by default in all 3 web.configs. Set to “false” to turn it off.

<add key="EIT_ADProviders.Logging" value="true" />

Email Logging

The logging to the C:\Logs\Emails folder is controlled in the General Email settings page in Landing Admin. Setting it to blank will disable logging of emails.

Customization Files

Extranet User Manager ships with a customizable registration process. The base pages are already installed and available in the Landing and LandingAdmin folders. The registration pages are often customized. If you have a customized version, these will need to be applied on top of the standard ones. For more details on the customization of EUM, please refer to the Extranet User Manager Developer Guide. For information on customizing the Identity Server Login page, see your account manager.


Advanced Configuration Options

Add SharePoint as a Relying Party

SharePoint needs the certificates that were created during install, and several PowerShell commands to register Thinktecture Identity Server as a Trusted Identity Provider. These are all available in the trust folder under the Installation root (the root of the IIS Site that you selected during installation).

A Trusted Identity Provider will show up in Central Admin (Application Management | Manage web Applications) under Authentication Providers:

Trusted Identity Provider Authentication enables federated users in this Web application. This authentication is Claims token based and the user is redirected to a login form for authentication.

During Installation, certificates were created and placed in the trust folder under the Installation Root. (If you upgrade, repair, or reinstall, you will get new signing certificates for Identity Server, and they will need to be reregistered.)

Running the PowerShell Script to Register Identity Providers

During install, a PowerShell script was written to the trust folder under the root of the IIS Site that you selected, e.g. C:\inetpub\wwwroot\[your selected site]\trust\RegisterIdentityServerIP.ps1. This script contains a PowerShell function to register Identity Servers. It is designed to be run multiple times, if the certificates change or any of the hard coded parameters change. If the local server is not your SharePoint server, copy the PowerShell .ps1 file and the .cer files from the trust folder to the SharePoint Server before continuing.


To run, open any PowerShell console as administrator, either the normal one or the SharePoint one, and CD to the trust directory under the root of your IIS installation. Type R then Tab and the name of the script will be filled in; type a space and then the URL for your SharePoint Web Application.

If you just run the script, you will be prompted for the Web Application.

It will install the two certificates, and show those details.

It will map Claims.

It will create or update the Identity Provider. The end of the script shows the 2 sites configured.

For details of the internal PowerShell commands used, see Appendix E. This script will get overwritten on reinstall/upgrade, so if you customize it, move it to a different location.

Enable the Token Issuer in SharePoint

In Central Admin (Application Management | Manage web Applications) under Authentication Providers: check the box for the new provider (on the Application that you want to use it).

SharePoint Relying Party in Identity Server

Before you can log in with Identity Server, it has to be configured to trust the SharePoint site. SharePoint trusts Identity Server due to the SignIn Url set above.

Go to the home site for /IdSrv/: HTTPS://[ Your Site ]/IdSrv/


Click [Sign In]

[email protected] and your password configured during post install

click [administration]

Relying Parties & Resources

New

check Enabled

any Display name you like

the Realm URL is the same as $realm in PowerShell ( https://[ SharePoint Site ]/_trust/ )

Token type SAML11 (always use this with SharePoint)

Redirect URL should be the same as Realm

Create

SharePoint Group to Allow Access

SharePoint will still need a Role Claim to allow access. In LandingAdmin:

Add a Group – e.g. “AllowAccess”. Add the user you want to give access to this group.

In Central Admin, the easiest way to grant access via the group is...

Web Applications - highlight the application and click "User Policy"


Add Users - All Zones - next

Click the Book icon to open the full people picker. Find AllowAccess (or whatever you named your group above).

People picker will list your Trusted Identity Provider, and show a Match for each of the claims mapped in PowerShell.

Pick "Role (1)" beneath your provider name, and highlight "AllowAccess" on the right

click add

It should come back in the Users: box as allowaccess in lower case; mousing over it will say "Role" in the tooltip.

Check Full read or Full control

Finish

The Policy for Web Application should have something like this in it:

Roles for trusted identity provider always start with "c:0-.t|" and the name given to the Identity Provider in PowerShell

Assuming you have a password set for your user (They should have got an Email - when activated - see C:\Logs\Emails if you used a fake email)

Now in the browser go to the home page of the SharePoint site. The SharePoint Home Realm Discovery dropdown should list your Trusted Identity Provider.

Choose it

You should get the Identity Server Login page. Log in as a registered Extranet user (not the admin) - the login form takes Email address, not username.

You should get access to the SharePoint Site, and your Email address is displayed as the Logged in user


Integrate AD FS as an Identity Provider

If you have additional users in an AD FS domain, and would like to seamlessly integrate their login process with the Extranet users using Identity Server, then you would like to extend the federation to include AD FS.

Home Realm Discovery (HRD)

Users will go to a Home Realm Discovery page in Identity Server, and choose between the installed Identity Providers in Identity Server. Each Relying Party needs only point to the HRD instead of the wsfed url to get the extended functionality.

Thinktecture Identity Server Configuration

Inside Identity Server, we need to enable Federation and HRD in WS-Federation, enable Federated Authentication in WS-Trust, and enable and configure the ADFS Integration Protocol.

Access your identity server home page

HTTPS://[ Your Site ]/IdSrv/

[sign in] as [email protected]

[administration]

Protocols WS-Federation

We are enabling Federation which will add the "Identity Provider" section


and we are Enabling the HRD (Home Realm Discovery) so the users can choose where to login

Save Changes

Protocols WS-Trust

We are enabling Federated Authentication

Save Changes


Protocols - enable ADFS Integration

Save Changes, then Click on ADFS Integration on the left under Protocols

Enable

Enable Username/password authentication

Pass-Through authentication token (or it will become JWT instead of SAML!)

Don't enable SAML authentication unless you also want to configure the Encryption certificates.

Note that the Lifetime is in Minutes - the default is 1 hour or 60 minutes.


Inside "AD FS" there is a list of Service Endpoints; the blue ? icon tooltip in Identity Server will give you hints for which one you want. The /13 protocols (WS-Trust 1.3) are newer than the /2005 ones.

o Username Endpoint: /adfs/services/trust/13/usernamemixed

o Federation Endpoint: /adfs/services/trust/13/issuedtokenmixedsymmetricbasic256

o Ensure they are Enabled and available on the proxy (yes in the 2 left columns)

The Issuer URI is in the Federation XML - https://adfsserver/federationmetadata/2007-06/FederationMetadata.xml

View source if it does not look like XML.

At the top is the entityID; this is the ADFS Issuer URI (note it may be http... it is just an identifier string, not a URL to visit).

In the "AD FS" application, there is a list of Certificates, below the Endpoints

Double click the Token signing one - select Details

scroll down to the Thumbprint

Select all the text and paste into a text editor - beware the UTF unprintable character at the front! (If you cut and paste into Notepad you won't see it, and it will cause the key to not match.)

http://support.microsoft.com/kb/2023835

Remove all the spaces and the leading unprintable character, so there is one string of hex characters (lower or upper case is fine).

Paste this as the ADFS Signing Certificate Thumbprint.

Save changes
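As an added illustration (not part of EUM or Identity Server), the following Python does the cleanup the steps above describe: it reports any hidden characters in the pasted text, strips the spaces and the leading mark, and rejects anything that is not a plausible thumbprint. The sample thumbprint is constructed, not a real AD FS certificate.

```python
"""Clean up a certificate thumbprint copied from the Windows certificate
dialog before it is pasted into the Identity Server "ADFS Signing
Certificate Thumbprint" field.

Added example, not part of Extranet User Manager or Identity Server.
The sample paste below is constructed.
"""
import unicodedata

HEX_DIGITS = set("0123456789abcdefABCDEF")
# The certificate dialog shows the SHA-1 thumbprint: 40 hex digits.
# A SHA-256 fingerprint would be 64. Any other length means the copy
# is damaged (missing digits or stray characters).
VALID_LENGTHS = (40, 64)


def find_unexpected_characters(raw: str) -> list[tuple[int, str]]:
    """Return (position, Unicode name) for every character in the pasted
    text that is neither a hex digit nor ordinary whitespace. The usual
    culprit is U+200E LEFT-TO-RIGHT MARK at the front of the paste, which
    Notepad does not display."""
    unexpected = []
    for pos, ch in enumerate(raw):
        if ch in HEX_DIGITS or ch.isspace():
            continue
        unexpected.append((pos, unicodedata.name(ch, f"U+{ord(ch):04X}")))
    return unexpected


def normalize_thumbprint(raw: str) -> str:
    """Return the thumbprint as a single upper-case hex string with the
    spaces and invisible characters removed, or raise ValueError if what
    is left is not a plausible thumbprint (so a bad paste fails here
    rather than as a silent signature mismatch later)."""
    cleaned = "".join(ch for ch in raw if ch in HEX_DIGITS)
    if len(cleaned) not in VALID_LENGTHS:
        raise ValueError(
            f"expected 40 or 64 hex digits after cleanup, got {len(cleaned)}; "
            f"unexpected characters: {find_unexpected_characters(raw)}"
        )
    return cleaned.upper()


def thumbprints_match(a: str, b: str) -> bool:
    """Compare two thumbprints ignoring spacing, invisible characters and
    letter case, which is the comparison that has to succeed before the
    AD FS token signature will validate in Identity Server."""
    return normalize_thumbprint(a) == normalize_thumbprint(b)


# Constructed sample of what a paste from the certificate Details tab
# looks like: a leading U+200E mark and a space after every byte.
SAMPLE_PASTE = "\u200e3f 19 a2 b7 c4 d5 e6 f7 08 19 2a 3b 4c 5d 6e 7f 80 91 a2 b3"

if __name__ == "__main__":
    print("unexpected characters:", find_unexpected_characters(SAMPLE_PASTE))
    print("normalized:", normalize_thumbprint(SAMPLE_PASTE))
```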


Identity Provider – Identity Server

Identity Providers show on the Home Realm Discovery Page if they are enabled.

(If only one Identity Provider is enabled, then the HRD will be bypassed)

The Identity Providers heading should have shown up on the left when Federation was enabled.

We will need two Identity Providers, "Identity Server" for EUM extranet users, and "AD FS" for federated administrators.

Identity Providers New

The Identifier is the Issuer URI - for Identity Server installed with EUM 3 it is "urn:thinktecture:identityserver:EnvisionIT" (you can also find it on General Configuration, Site ID:, or in the federation metadata as entityID)

The Display Name is what will show on the HRD - use "Identity Server" or whatever you like

Enabled

Include in Home Realm Discovery

WSStar (e.g. WS-Trust, WS-Federation et al )

the WS-Federation Endpoint is on the [home] application integration page - it is /issue/wsfed on the Identity Server URL

The Issuer Thumbprint is on the [administration] Key Configuration page (as signing Thumbprint)

Save Changes


Identity Provider – AD FS

The second Identity Provider is "AD FS"

Identity Providers

New

The Identifier is the Issuer URI - we already found the ADFS one for the Protocol

The Display Name is what will show on the HRD - use "AD FS" or whatever you like

Enabled

Include in Home Realm Discovery

WSStar (e.g. WS-Trust, WS-Federation et al )

the WS-Federation Endpoint is in the list of endpoints in AD FS - it is typically /adfs/ls

The Issuer Thumbprint is the same as on the ADFS Protocol page.

Save Changes


Relying Party – Identity Server

Now each of the Identity Providers needs a matching Relying Party to complete the trust. First, Identity Server needs to trust itself.

Relying Parties & Resources

New

Enabled

Display name IdentityServer

Realm/Scope Name is the Issuer ID or EntityID "urn:thinktecture:identityserver:EnvisionIT"

Redirect URL is our /issue/hrd page that we are trusting

Save changes

Application Recycle to refresh all the changes in Identity Server


Relying Party – AD FS

Now we need the IdentityServer Relying Party in AD FS, so AD FS will reply to us

In the AD FS configuration application: Trust Relationships - Relying Party Trusts

Add Relying Party Trust - now we get a long wizard process to configure AD FS

Start

Enter data about the relying party manually

Next

Display name IdentityServer

AD FS Profile (SAML 2.0) - note that AD FS still always sends SAML 1.1 tokens

Next (no encryption certificate)

Next

Enable Support for WS-Federation Passive protocol - using the /issue/hrd URL for IdentityServer as we did above. It is very important that the case of this URL matches the URL of the Identity Server site. (Failure to do so will cause a cookie exception in the HRD.)

Next

The Relying Party trust identifier is the Realm/Scope name or Issuer ID or EntityID "urn:thinktecture:identityserver:EnvisionIT" as above

Add

Next

Permit all users to access this relying party

Next

Next


Edit the Claim Rules

LDAP Attribute                            Outgoing Claim Type
Email-Addresses                           E-Mail Address
User-Principal-Name                       UPN
Display-Name                              Common Name
SAM-Account-Name                          Name
Token-Groups – Qualified by Domain Name   Role

You must map a Claim to "Name" (e.g. the SAM Account name); if this is missed, you will get errors about Thread.CurrentPrincipal.Identity.Name being blank, or "Value cannot be null. Parameter name: name".


You can also set up a pass through claim for Windows Account name claim, which will be used to assess domain membership in the Landing Admin configuration.


Application Relying Party

Each Application will have to change its wsFederation issuer to point to the hrd page instead of the wsfed page. LandingAdmin and SharePoint will want to allow AD FS federated users, but Landing is only for EUM users, so it only needs to point to /issue/wsfed.

For LandingAdmin

In Web.config, in the <wsFederation ...> element, change the issuer attribute to your IdentityServer hrd page, e.g. issuer="https://Login/IdSrv/issue/hrd"

To allow a particular user or group from AD FS or Identity Server to access as ConfigurationEditor, remove the domain information from “EditConfigurationUser” and “EditConfigurationGroup”. This will preclude access via _WinAuth.

For SharePoint

In the SharePoint Powershell Script - $signInURL should be changed

$signInURL = "https://login/IdSrv/issue/hrd"

If the SP Trusted Identity Token Issuer was previously set up, the SignIn URL can be modified (the command must be on a single line; the –Identity is the name given when it was New). The Realm and Certificate may or may not be needed, depending on whether you get an error:

Set-SPTrustedIdentityTokenIssuer -Identity "Extranet Identity Server" -Realm $realm -ImportTrustCertificate $cert -SignInUrl $signInURL

Example Login to LandingAdmin with HRD displayed

Go to your LandingAdmin URL https://[ Your Site ]/LandingAdmin/

The HRD should come up


Once the user picks the right one, they can check "Remember Selection" to set a browser cookie to remember the selection and bypass display of this page next time.

If you Click Identity Server you will get the Identity Server login we got before

Click AD FS to go to the ADFS login page

So with Admin access configured, our Administrator logging in through ADFS and Thinktecture looks like:


Use the &whr= Query String attribute to preselect a Realm on the HRD

Optionally you may wish to configure one or more relying parties to always select a specific Identity Provider for authentication.

The &whr= attribute of the query string to the /issue/hrd page can be used to select a specific Identity Provider on the HRD. This is specified with the "identifier" of the Identity Provider (which is also the Issuer URI or Entity ID). This is a standard part of the WS-Federation specification for home realm discovery. For .NET 4.5 it is easy to specify: just add a homeRealm= attribute to the <wsFederation> tag in web.config:

<wsFederation passiveRedirectEnabled="true" requireHttps="true"
  realm="https://Login/LandingAdmin/" reply="https://Login/LandingAdmin/"
  issuer="https://Login/IdSrv/issue/hrd" homeRealm="urn:thinktecture:identityserver:EnvisionIT" />

(For SharePoint there is a UseWHomeRealmParameter that provides this, that can be set in PowerShell)

Normally you will not use the &whr parameter. Either the user, or ezRealm will select the default realm.


Configuring ezRealm

Overview

Before using ezRealm, you must configure the normal HRD and the Identity Providers in Identity Server, as per the previous section. ezRealm overrides the Identity Server HRD, and instead of showing the GUI with the buttons, it automatically selects an Identity Provider based on the specified IP address ranges.

The normal use cases have extranet users in Identity Server and internal users in AD FS. The internal users all have the same email domain and internal IP addresses. Extranet users either have routable IP addresses, or all end up with the same IP address from a network device (firewall, load balancer, etc.). ezRealm supports sending the internal users to the AD FS login, and allowing redirect on email address if the internal user is logging on from the Internet instead of the office. External IP addresses go to Identity Server. ezRealm is configured in LandingAdmin, but affects the login of Identity Server.


An overview of the configuration can be seen from the ezRealm Settings on the Configure menu

You must have the Identity Providers configured in Identity Server; these show up at the top, followed by your current IP address for reference.


Configure IP Addresses in Landing Admin

You can add a new range or edit an existing one. The IP addresses must be valid and form a range, or specify a single address. Identity Server is the default if there is no match, so it does not have to be specified. You would want at least one range for your other identity provider.


Configure Email Login Page Redirects in Landing Admin

The second ezRealm function occurs on the login page: if you got sent to Identity Server by mistake, certain email addresses or usernames can be used to send you to a different Identity Provider (such as AD FS).

It is expected that either email fragments or domain\username fragments would be most useful. Avoid specifying too general an address, such as “@” or “.”. AD FS 3.0 and Identity Server accept &username= on the query string. If your Identity Provider sign in accepts it and the matched text is what the user would type in on the Login form, then check the box to include it. (E.g. if AD FS accepts usernames and the redirect is based on email address, you may not want to pass it on the query string.)
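To make the two ezRealm rules concrete (the IP range table in Landing Admin and the login-page redirects just described), here is an added Python model of both; it is not EUM's own code. The Identity Server identifier is the one from this guide, while the AD FS issuer URI, the IP ranges and the fragments are constructed sample values.

```python
"""ezRealm-style home realm selection, modelled in Python as an added
example (not EUM code): pick an Identity Provider from the client's IP
address, and redirect a login attempt from the Identity Server login page
by email or domain\\username fragment.
"""
import ipaddress
from dataclasses import dataclass

IDENTITY_SERVER = "urn:thinktecture:identityserver:EnvisionIT"  # from the guide
ADFS = "http://adfs.example.test/adfs/services/trust"  # constructed placeholder issuer URI

# Fragments the guide warns against: each of these would match every login.
TOO_GENERAL = {"", "@", "."}


@dataclass(frozen=True)
class IpRange:
    """One row of the Landing Admin IP range table. A single address is a
    range whose start and end are the same."""
    start: str
    end: str
    provider: str

    def __post_init__(self):
        # ip_address() raises ValueError for an invalid address; the rest
        # enforces "must form a range" (same family, start <= end).
        lo, hi = ipaddress.ip_address(self.start), ipaddress.ip_address(self.end)
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"{self.start}-{self.end} does not form a range")

    def contains(self, client_ip: str) -> bool:
        addr = ipaddress.ip_address(client_ip)
        lo, hi = ipaddress.ip_address(self.start), ipaddress.ip_address(self.end)
        return addr.version == lo.version and lo <= addr <= hi


def select_provider_by_ip(client_ip: str, ranges: list[IpRange]) -> str:
    """First matching range wins; no match means Identity Server, which is
    why the guide says it does not need a range of its own."""
    for r in ranges:
        if r.contains(client_ip):
            return r.provider
    return IDENTITY_SERVER


@dataclass(frozen=True)
class LoginRedirect:
    """One email or domain\\username fragment redirect. pass_username models
    the checkbox that forwards the typed text as &username= on the query
    string."""
    fragment: str
    provider: str
    pass_username: bool = False

    def __post_init__(self):
        if self.fragment.strip() in TOO_GENERAL:
            raise ValueError(f"fragment {self.fragment!r} is too general")


def redirect_for_login(typed: str, rules: list[LoginRedirect]):
    """Return (provider, username to forward or None) for what the user typed
    on the Identity Server login page, or None to stay on Identity Server.
    Matching is case-insensitive substring, first rule wins."""
    for rule in rules:
        if rule.fragment.lower() in typed.lower():
            return rule.provider, (typed if rule.pass_username else None)
    return None


# Constructed configuration: the office network and the firewall's public
# address go to AD FS; everything else stays with Identity Server.
RANGES = [
    IpRange("10.0.0.0", "10.0.255.255", ADFS),
    IpRange("203.0.113.7", "203.0.113.7", ADFS),
]
REDIRECTS = [
    LoginRedirect("@corp.example", ADFS),                # email based: do not forward
    LoginRedirect("corp\\", ADFS, pass_username=True),   # domain\\user: forward it
]

if __name__ == "__main__":
    for ip in ("10.0.4.20", "203.0.113.7", "198.51.100.9"):
        print(ip, "->", select_provider_by_ip(ip, RANGES))
    for typed in ("jane@corp.example", "CORP\\jane", "bob@partner.example"):
        print(typed, "->", redirect_for_login(typed, REDIRECTS))
```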

Enable ezRealm in Identity Server

Once the Identity Providers are specified and one or more redirects are configured in Landing Admin, it is time to enable it in the Identity Server web.config. The installer will have the item in <appSettings>, but it will be set to false out of the box.

<!-- Set to true to enable ezRealm -->
<add key="EnableezRealmHRD" value="true"/>

Now access a relying party that is configured to have the issuer as the /hrd. Instead of the HRD displaying, you should go directly to the right login page, based on your IP address (or Identity Server if you have none). You may need to perform an IIS reset to clear any cache.


Office 365 Configuration

EUM 3.1 adds support for Office 365.

The 3.0 version of Identity Server includes the EIT_O365ProviderClaimsRepository, which creates SAML tokens that Office 365 accepts. This claims repository is enabled when the Office 365 Realm is detected as urn:federation:MicrosoftOnline. EUM 3.1 adds the user licensing portion of Office 365 support to the authentication features already in place, as well as support for SQL based users in addition to Active Directory ones. Unlike other federated Realms, Office 365 requires a copy of each user in Microsoft Azure Active Directory (AAD or WAAD), the cloud directory. The password is not needed, but the ImmutableId must match in AD and AAD. To get local users into the cloud, Microsoft usually recommends that DirSync or the newer AADSync program be run to continuously sync the users every 3 or 4 hours. In EUM we would prefer to license and sync the user when they are activated. This allows them to change their password and sign on almost immediately after activation. To achieve this we bypass AADSync and instead directly manipulate the users in the cloud using the Azure AD Graph API. When the membership provider updates the account in AD (or SQL), we immediately make the same changes in AAD. Since Microsoft AAD is a site on the internet, you can only federate with Office 365 and register and license users if you are connected to the internet.

Active Directory users get their ImmutableId and UserPrincipalName read directly from AD (as they are not available in the provider interface) when the token is created. The Identity Server web.config has these items filled in with the domain and a user that can read the users in Active Directory. The same settings are used in Landing and Landing Admin to read the user when registering them in the cloud.

<!-- allow access to immutableID through AD -->
<add key="UserDomain" value="MYDOMAIN" />
<add key="ADUsername" value="Administrator" />
<add key="ADPassword" value="******" />

For the SQL provider, the UserID GUID can be read as the ProviderUserKey. It is used to create both the ImmutableId and the UserPrincipalName.


Set the UPN correctly for your users

The UserPrincipalName in AD must end in one of the managed domains for the tenant, either the .onmicrosoft.com domain or the federated one. In the web.configs (IdentityServer, Landing, LandingAdmin), ensure that the Membership Providers are set with UPNSuffix="@yourdomainname" and not the default UPN="email". Any existing extranet users stored in Active Directory will have to have their UPN changed in AD before they can register in the cloud. This can be done by deactivating and then activating the user again (this will send an email and require a password change as well). If you are using the SQL Provider, then the domain is read from the Graph API tenant info when the user is synchronized; the first non-onmicrosoft.com domain is chosen. On the IdentityServer side, the domain to use is specified in the web.config appSettings:

<add key="O365SQLDomainSuffix" value="@eitdev.org" />

Thus, for AD the UPN is stored with the user, and for SQL the UPN is created on the fly from the UserID GUID and the federated domain. (Office 365 will only allow logins for users with a UPN of the correct domain.)

Register your application for Graph API access

A Windows Azure account must be associated with your Office 365 account, using the same administration account that created the Office 365 tenant.

In Windows Azure, on the Active Directory tab, a new Application can be created. This will give you the GUID for the Tenant, the GUID for the App ID and the secret key (password).

These items are stored in the O365Configuration table in the EUM database, and configured in the Office 365 Configuration page.

Start with an Office 365 SharePoint Account

The users will be in Azure Active Directory, but you cannot see them unless you connect the Azure Portal to the Office 365 instance. This involves creating a new Azure account with the same Administrator that created the Office 365 instance (e.g. [email protected]). At manage.windowsazure.com, in the Active Directory portion, click the large + NEW in the lower left, then New > Directory > Custom Create.


Choose "Use existing directory" and fill in the information. Before you can use an existing directory, you will need to sign out and sign in again as a global administrator of the directory.

Once connected, the Active Directory will show in the Azure portal.

Under Domains at the top of Active Directory you should see your onmicrosoft.com domain (Active) and the external federated domain (Verified).

Under Users at the top you should see the same users you see in the Office 365 admin portal. To allow EUM to register users in WAAD, we need to create an "application" that grants access to the Graph API so we can add and remove users.

Azure Active Directory Applications

While in the Active Directory portion of Azure, click APPLICATIONS at the top.

Add (at the bottom).

Add an application my organization is developing.

Name: EUMGraphAPI; type: Web Application and/or Web API.

Sign-On URL: this does not matter much and can be changed later; start with your IdSrv folder, e.g. https://eum.eitdev.org/IdSrv

APP ID URI: this is a URI identifier, not a URL that is actually resolvable, e.g. http://eum.eitdev.org/AccessGraphAPI

Check mark to complete. Your app has been added!

Click Configure.

Leave "Application is Multi-Tenant" set to NO.

CLIENT ID: note this, you will need a copy (click the paper pages icon to copy it to the clipboard).

Keys: this is the password. You can create a one year or two year key.

The key is displayed when you save. Copy it as soon as it shows, because you cannot retrieve it again later.

Under "permissions to other applications", the first row is Windows Azure Active Directory. Set it to Read and Read/Write.


Endpoints

View Endpoints (at the bottom) to get the GUID for the Domain; there will be seven endpoints, all with the same GUID. Copy this GUID; it is the identifier for your mycompany.onmicrosoft.com domain.

These items can now be configured in EUM, on the Office 365 configuration page.

Grant Delete Permissions to the Application

Additional permissions need to be set using PowerShell to allow deletion of created users. We need the AppPrincipalId GUID to get the Object ID and grant permissions. You will need the Azure Active Directory PowerShell module installed (http://aka.ms/aadposh), and you will then need to authorize with the Connect-MsolService command. First get the Object ID from the application (pass the application's CLIENT ID as the AppPrincipalId; the ObjectId is the 6th line returned):


$sp = Get-MsolServicePrincipal -AppPrincipalId Your_AppPrincipalId

Add-MsolRoleMember -RoleMemberType ServicePrincipal -RoleName 'User Account Administrator' -RoleMemberObjectId $sp.ObjectId

Adding the 'User Account Administrator' role to your Object ID will allow it to delete users (e.g. when they are deactivated in EUM). The ObjectId can be read from the returned service principal object, as above, instead of being copied by hand.

How Does EUM use the Azure Active Directory Application

When a user is set to Activated, a new AD account is created through the membership provider.

If the Office 365 application is configured, then the Graph API can connect.

The user is registered in AAD with a number of attributes from AD, but not all:

1. UserPrincipalName, which becomes the key in AAD

2. SamAccountName (or username), passed as MailNickname

3. ImmutableId as a base64 string (must be unique, even across deleted accounts)

4. GivenName, Surname and DisplayName

5. Email address goes into a collection of other addresses, but it is not queryable. The Mail property is for Exchange mailbox users and cannot be set (and is not usually applicable to extranet users, who already have an email address).

6. Telephone number (optional)

7. Two-character country code, sent as UsageLocation; required for a license
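How the key values in the list above are derived, for both the AD and the SQL provider cases described earlier (ImmutableId and UserPrincipalName read from AD, or built from the ProviderUserKey GUID and O365SQLDomainSuffix). This is an added example, not EUM's own registration code: the GUIDs and the suffix values are constructed, and the exact string form EUM uses for a SQL user's UPN is an assumption; only the base64 encoding of the GUID's bytes for ImmutableId is the standard mapping.

```powershell
# Added example, not EUM code. Derives the AAD identity values described in the text.

function ConvertTo-ImmutableId {
    param([Guid]$Guid)
    # AAD expects the ImmutableId as the base64 form of the GUID's 16 bytes.
    # The same GUID always yields the same string, so the mapping is stable,
    # and a newly created account (new GUID) is a different user to AAD.
    return [Convert]::ToBase64String($Guid.ToByteArray())
}

function Get-AdUserCloudIdentity {
    param([string]$SamAccountName, [Guid]$ObjectGuid, [string]$UpnSuffix)
    # AD users: the UPN is stored with the user and must end in a tenant domain
    # (UPNSuffix="@yourdomainname", not the default UPN="email").
    [pscustomobject]@{
        UserPrincipalName = $SamAccountName + $UpnSuffix
        MailNickname      = $SamAccountName
        ImmutableId       = ConvertTo-ImmutableId $ObjectGuid
    }
}

function Get-SqlUserCloudIdentity {
    param([Guid]$ProviderUserKey, [string]$O365SqlDomainSuffix)
    # SQL users: both values come from the UserID GUID. The user part of the
    # UPN being the GUID string is an assumption for this example.
    [pscustomobject]@{
        UserPrincipalName = $ProviderUserKey.ToString() + $O365SqlDomainSuffix
        MailNickname      = $ProviderUserKey.ToString()
        ImmutableId       = ConvertTo-ImmutableId $ProviderUserKey
    }
}

function Test-TenantUpn {
    param([string]$Upn, [string[]]$TenantDomains)
    # Office 365 only accepts logins whose UPN suffix is a managed or federated tenant domain.
    $at = $Upn.LastIndexOf('@')
    if ($at -lt 0) { return $false }
    return $TenantDomains -contains $Upn.Substring($at + 1)
}

# Constructed tenant domains and sample users.
$tenantDomains = 'mycompany.onmicrosoft.com', 'eitdev.org'
$adUser  = Get-AdUserCloudIdentity -SamAccountName 'jdoe' -ObjectGuid ([Guid]::NewGuid()) -UpnSuffix '@eitdev.org'
$sqlUser = Get-SqlUserCloudIdentity -ProviderUserKey ([Guid]::NewGuid()) -O365SqlDomainSuffix '@eitdev.org'

$adUser, $sqlUser | Format-List
Test-TenantUpn -Upn $adUser.UserPrincipalName -TenantDomains $tenantDomains
Test-TenantUpn -Upn 'jdoe@gmail.com' -TenantDomains $tenantDomains
```

Test-TenantUpn is the check to run over existing extranet users before enabling Office 365 registration: any user whose UPN still carries the old email-style suffix will fail to sign in until the UPN is corrected (by deactivating and reactivating the user, as described above).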

The tenant information is queried for the SubscribedSkus and SHAREPOINT licenses are detected. A SharePoint license is assigned to the user. If the licenses run out, an exception is thrown. If the licenses are at or below the threshold, and the threshold notification email was configured and enabled, then the Threshold Notification email is sent. When the user is deactivated, they are first removed from AAD by UPN and then from AD through the provider. In AAD a licensed user that is deleted automatically gives back its licenses. (See above: additional PowerShell permissions are needed to delete users from AAD!) Deleted users remain in the deleted users list for at least 30 days in Office 365, but since they were deleted in AD as well, a new account will have a different ImmutableId and so will be a different user to AAD. If the user is modified (changes name or telephone), then the matching attributes in the cloud AAD will be changed to match. The ImmutableId is immutable and can't be changed. Email and username can be changed and will be synced, but they are not as useful in AAD as they are locally in AD. Security Groups are also created or deleted in AAD when a group is activated or deactivated in EUM.

Federate Access to Office 365

In the /Trust folder under the IIS site where EUM and Identity Server were installed, there is a PowerShell script, Office365Register.ps1.

You will need the Azure Active Directory PowerShell module installed (http://aka.ms/aadposh), and you will then need to authorize with the Connect-MsolService command before running it. It can be run with the domain on the command line, or it will prompt you. Passing the domain on the command line also turns on Verbose mode (yellow text). You must own the new domain that you want to federate, and to prove this you must be able to change DNS TXT records for the domain. The first time you run the script, it will register the domain and tell you what to set in the DNS record; then it will attempt to verify the change. Once verified, the domain can be federated with a certificate and sign-in URLs for Identity Server. Here is a new domain, which must be verified:


The domain is registered, but still not verified.

This is a registered federated domain, getting refreshed with a new signing key. You can verify this is the same X509Certificate as in the federation metadata.


Office 365 as a Relying Party in Identity Server

The last step is to configure Office 365 in Identity Server as a relying party. The Realm must be urn:federation:MicrosoftOnline; this turns on the claims support in EIT_O365ProviderClaimsRepository in Identity Server. Only SAML 1.1 tokens. Ensure the redirect URL is correct: https://login.microsoftonline.com/login.srf


Configuring Host Header Based Federation

If you use the Host Header method to select the SystemConfiguration by URL in Landing, you will also want to select different wsFederation configurations, so that the signed-in user can return to the same site, or to use different Identity Providers for each host header.

See System Configuration for the host header field. You will also set the SystemConfigurationKey in the web.config to "host" ( <add key="SystemConfigurationKey" value="host"/> ). It is typically the Landing site that gets multiple host headers. Host headers must also be configured in IIS for the site (they are called site bindings), and each site will need an SSL certificate that matches the host name. In the same web.config you need multiple named wsFederation configurations and a way to select them. You can use the same Identity Provider for all, unless you want a customized GUI for sign-in, in which case you will want a separate Identity Server site for each customized version.

<appSettings>

To enable ASP.NET to use the host header values in URLs, set

<add key="aspnet:UseHostHeaderForRequestUrl" value="true" />

To enable logging in the HostHeaderModule (useful to debug when initially setting it up):

<add key="HostHeaderModule.Logging" value="true" />

By default the log file is C:\Logs\EUM_HostHeaderModule_Log.txt, but it can be overridden with the .Logfile setting:

<add key="HostHeaderModule.Logfile" value="C:\Logs\mylogfilename.txt" />

cHostHeaderModule

This adds the module into the request pipeline, so it can hook the FederatedAuthentication.WSFederationAuthenticationModule.RedirectingToIdentityProvider event. It is defined in <system.webServer><modules>:

<add name="EUMHostHeader"
     type="EIT_MembershipUserMaintenance.cHostHeaderModule, EIT_MembershipUserMaintenance"
     preCondition="managedHandler" />

This should be the first module in the section. It is inside EIT_MembershipUserMaintenance.dll.


<system.identityModel>

This section has <identityConfiguration>. There is only one default one for all host headers. All the <audienceUris> for alternate host headers should be contained in the same section. The app's realm is specific to the host header. The <issuerNameRegistry> contains the thumbprint and name of the trusted issuer. This is the Identity Server, and is likely the same for all host headers (especially if they are sharing a cookie): even though it may have multiple URLs, it will only have one signing certificate and URI.

<system.identityModel.services>

This section contains the <federationConfiguration> and will need an unnamed default that contains the cookieHandler and the default wsFederation with passiveRedirectEnabled="true" requireHttps="true". Each host header then gets a named one, with the overriding issuer, realm and reply attributes (e.g. <federationConfiguration name="eum.host1.com" >). Since the cookieHandler is shared between hosted sites, the issuer has to be the same Identity Server, even if it appears on different URLs.

The <wsFederation> section needs a unique issuer, realm and reply for each host header configured site. These will also have to be registered in the Identity Server as Relying Parties.


The Signout.aspx page also uses these settings to redirect to the correct issuer at signout.

Preventing the Infinite login loop

Enabling the HostHeader module has been seen to cause infinite login loops if /Landing/ is used for the reply instead of /Landing/default.aspx. (The /Landing/ URL keeps redirecting to the sign-in page, which responds automatically instead of authenticating the user.) You must specify the reply= parameter in the web.config, but it will be ignored if Identity Server is left at the default (Protocol Configuration: WS-Federation).

When the ReplyTo is not accepted from the incoming URL, it must be specified in the relying party configuration (called Redirect URL: on the Relying Party page). To prevent sign-in looping, set the URL to end with /Landing/default.aspx rather than just /Landing/.

Use relative Urls with multiple host headers

In each web.config look for fully qualified URLs in appSettings that should be relative to work with multiple host headers. For instance:

<add key="IdentityServerURL" value="/IdSrv/"/>
<add key="LandingAdminUrl" value="/LandingAdmin/"/>
<add key="EIT_LandingURL" value="/Landing/"/>
<add key="idsrv:DefaultHostURL" value=""/>
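A constructed Landing web.config laid out the way the host header sections above describe (the appSettings switches, EUMHostHeader first in <modules>, an unnamed default <federationConfiguration> plus one named per host), together with a checker that flags the mistakes this chapter warns about: an absolute URL in appSettings, a duplicated issuer/realm/reply, and a reply that ends in /Landing/ and will loop. This is an added example, not EUM code or its shipped web.config; the host names eum.host1.com and eum.host2.com, the issuer and realm URIs and the deliberate mistakes in the sample are constructed.

```powershell
# Added example, not EUM code. Validates the host-header federation layout.

# Constructed sample: two hosts, with two deliberate faults for the checker to find.
$sampleConfig = @'
<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="SystemConfigurationKey" value="host"/>
    <add key="aspnet:UseHostHeaderForRequestUrl" value="true"/>
    <add key="IdentityServerURL" value="/IdSrv/"/>
    <add key="LandingAdminUrl" value="/LandingAdmin/"/>
    <add key="EIT_LandingURL" value="https://eum.host1.com/Landing/"/>
  </appSettings>
  <system.webServer>
    <modules>
      <add name="EUMHostHeader" type="EIT_MembershipUserMaintenance.cHostHeaderModule, EIT_MembershipUserMaintenance" preCondition="managedHandler"/>
    </modules>
  </system.webServer>
  <system.identityModel.services>
    <federationConfiguration>
      <cookieHandler requireSsl="true"/>
      <wsFederation passiveRedirectEnabled="true" requireHttps="true"
                    issuer="https://eum.host1.com/IdSrv/issue/wsfed"
                    realm="https://eum.host1.com/Landing/"
                    reply="https://eum.host1.com/Landing/default.aspx"/>
    </federationConfiguration>
    <federationConfiguration name="eum.host2.com">
      <wsFederation passiveRedirectEnabled="true" requireHttps="true"
                    issuer="https://eum.host2.com/IdSrv/issue/wsfed"
                    realm="https://eum.host2.com/Landing/"
                    reply="https://eum.host2.com/Landing/"/>
    </federationConfiguration>
  </system.identityModel.services>
</configuration>
'@

function Test-HostHeaderConfig {
    param([xml]$Config)
    $findings = @()

    # appSettings switches the chapter requires.
    $app = @{}
    foreach ($a in $Config.configuration.appSettings.add) { $app[$a.GetAttribute('key')] = $a.GetAttribute('value') }
    if ($app['SystemConfigurationKey'] -ne 'host')            { $findings += 'SystemConfigurationKey must be "host"' }
    if ($app['aspnet:UseHostHeaderForRequestUrl'] -ne 'true') { $findings += 'aspnet:UseHostHeaderForRequestUrl must be "true"' }

    # Fully qualified URLs in appSettings break every host header but one.
    foreach ($k in 'IdentityServerURL', 'LandingAdminUrl', 'EIT_LandingURL') {
        if ($app[$k] -match '^https?://') { $findings += "$k is absolute ($($app[$k])); use a relative path" }
    }

    # The host header module must be first so it can hook the redirect event.
    $first = @($Config.configuration.'system.webServer'.modules.add)[0]
    if ($first.GetAttribute('name') -ne 'EUMHostHeader') { $findings += 'EUMHostHeader is not the first module' }

    # One unnamed default plus a named federationConfiguration per host,
    # each with a unique issuer/realm/reply and a reply that will not loop.
    $feds = @($Config.configuration.'system.identityModel.services'.federationConfiguration)
    if (-not ($feds | Where-Object { $_.GetAttribute('name') -eq '' })) { $findings += 'no unnamed default federationConfiguration' }
    $seen = @{}
    foreach ($f in $feds) {
        $label = $f.GetAttribute('name'); if ($label -eq '') { $label = '(default)' }
        $ws = $f.wsFederation
        foreach ($attr in 'issuer', 'realm', 'reply') {
            $v = $ws.GetAttribute($attr)
            if ($v -eq '') { $findings += "${label}: wsFederation lacks $attr"; continue }
            $prev = $seen["$attr=$v"]
            if ($prev) { $findings += "${label}: $attr '$v' duplicates $prev" }
            $seen["$attr=$v"] = $label
        }
        $reply = $ws.GetAttribute('reply')
        if ($reply -ne '' -and $reply -notmatch '/Landing/default\.aspx$') { $findings += "${label}: reply '$reply' ends in /Landing/ and will loop" }
        if ($ws.GetAttribute('requireHttps') -ne 'true') { $findings += "${label}: requireHttps should be true" }
    }
    return $findings
}

Test-HostHeaderConfig -Config ([xml]$sampleConfig)
```

Run against the sample it reports the absolute EIT_LandingURL and the eum.host2.com reply; point it at a real web.config with [xml](Get-Content -Raw $path) to check a deployment. The wsfed endpoint path in the sample issuer URIs is an assumption about the installed Identity Server and should be taken from its federation metadata.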


Appendix A – Configuring IIS Sites for EUM Installation

The normal installation has 3 applications under the site: /Landing, /LandingAdmin and /IdSrv. Identity Server will use its own AppPool with NetworkService as the account; the installer will provision this for us. For EUM the application pool will be:

.NET 4.5 (this will display as 4.0.30319 in the dropdown, but the 4.5 upgrade must be installed)

Integrated

App Pool with a known domain account (not ApplicationPoolIdentity)

All sites that use Federation should be configured for SSL and HTTPS!

Create Site

In this example the site is "Login". Normally you need a fully qualified domain name for your domain.

IIS Manager

Right click on Sites

Add Website...


Site Name: Login

Physical Path: C:\inetpub\wwwroot\LoginSite

HTTPS

Host Name: Login (if you have a fully qualified domain name use it here, e.g. login.mycorp.com; it has to match the SSL certificate and be configured in DNS)

Choose the SSL certificate that matches the host name.

You may want to turn on SNI by checking "Require Server Name Indication": http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-server-name-indication-sni-ssl-scalability

This created a new App Pool that needs to be modified!

Modify the Application Pool

Find it in Application Pools (it has the same name as the new site, e.g. Login)

Advanced Settings

Change the Identity

Custom Account (specify the domain!)

Ensure you know the password


Ensure that it is 4.0 and Integrated.

The installer will only list sites that have App Pools set for Integrated Pipeline with an explicit username. It will find those without SSL, but you will have to manually configure the site for SSL afterwards, and this is not recommended (it is better to configure SSL before running the installer).


Set Anonymous Authentication

Click on the site and open IIS Authentication.

Right click Anonymous Authentication.

Set the identity to Application pool identity.

Configure DNS for your new site name

You will also need DNS to point other users to your Login site.
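The Appendix A steps (create the HTTPS site bound to the host name, fix up its application pool to .NET 4.x, Integrated and an explicit domain account, and run anonymous authentication as the pool identity) as one script using the WebAdministration module, so the result can be reproduced exactly and reviewed before the installer is run. This is an added example and not the EUM installer's code; the site name Login, the physical path from the steps above, the host name login.mycorp.com, the service account name and the requirement that the matching certificate is already in the machine's personal store are assumptions, and the SNI binding needs IIS 8 or later.

```powershell
# Added example, not EUM installer code. Reproduces the Appendix A IIS setup.
Import-Module WebAdministration

$siteName = 'Login'
$hostName = 'login.mycorp.com'                 # must match the certificate and DNS
$physical = 'C:\inetpub\wwwroot\LoginSite'
$poolUser = 'MYDOMAIN\svc_eum'                 # known domain account, not ApplicationPoolIdentity
$poolPass = Read-Host -AsSecureString "Password for $poolUser"   # prompt rather than hard-code

# The SSL certificate for the host name must already be in LocalMachine\My.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$hostName*" } | Select-Object -First 1
if (-not $cert) { throw "No certificate for $hostName in LocalMachine\My" }

New-Item -Path $physical -ItemType Directory -Force | Out-Null

# Application pool: .NET 4.x (shows as v4.0), Integrated pipeline, explicit identity.
# identityType 3 = SpecificUser.
New-WebAppPool -Name $siteName | Out-Null
Set-ItemProperty "IIS:\AppPools\$siteName" -Name managedRuntimeVersion -Value 'v4.0'
Set-ItemProperty "IIS:\AppPools\$siteName" -Name managedPipelineMode   -Value 'Integrated'
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($poolPass)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
Set-ItemProperty "IIS:\AppPools\$siteName" -Name processModel `
    -Value @{ identityType = 3; userName = $poolUser; password = $plain }
Remove-Variable plain

# HTTPS-only site bound to the host name; SslFlags 1 = Require Server Name Indication.
New-WebSite -Name $siteName -PhysicalPath $physical -ApplicationPool $siteName `
    -Ssl -Port 443 -HostHeader $hostName -SslFlags 1 | Out-Null
New-Item "IIS:\SslBindings\!443!$hostName" -Value $cert -SSLFlags 1 | Out-Null

# Anonymous authentication runs as the application pool identity
# (an empty userName tells IIS to use the pool's identity).
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name userName -Value ''

Get-Website -Name $siteName | Format-List Name, PhysicalPath, ApplicationPool
Get-ItemProperty "IIS:\AppPools\$siteName" | Format-List managedRuntimeVersion, managedPipelineMode
```

Run it from an elevated PowerShell session. Because the installer only lists sites whose pool runs Integrated with an explicit user, the two Get-ItemProperty lines at the end show exactly the properties the installer will look at.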


Appendix B – Delegate Access in Active Directory

There are 2 accounts that need access:

1. The identity for the Landing/LandingAdmin sites

2. The NetworkService account that Identity Server runs under

If you specify a username for the LDAP connection during installation, then only that account will need delegated access in Active Directory.

In "Active Directory Users and Computers", right click on the OU for Extranet users and select Delegate Control...

Next >, Add...


In the standard select users box, type in the username of the app pool, click Check Names, then OK if it matches. You can add both accounts before proceeding.

Next >

Check the top 5

Next, Finish


Appendix C – Details of Installation

This appendix details the files and configurations made by the EUM v3 Installer.

IIS Web Applications and Folders

The "LoginHere" site was created during the pre-install phase (see Appendix A); it can be named anything, and the files and web applications are underneath it. The IdentityServer folder is mapped to the URL /IdSrv by convention; they are both physically the same. (It runs under its own app pool as NetworkService.) Notice in this release the addition of Bootstrap 3.2 files in Landing. Identity Server also includes a Bootstrap enabled sign-in view.


Signing Certificates

Separate from the SSL certificates for the site, these are certificates used to sign the SAML tokens issued by the Identity Server. The installer creates 2 certificates. It will remove any certificates with the same name, meaning each time you run the installer you will get a new signing certificate for Identity Server.

The files are placed in the trust folder under the IIS root selected. If they are not needed for integration with other servers, they could be backed up to a secure location and removed from the file system. The web.config is configured to prevent download from the trust folder.

They are in the Computer Personal certificate store on the server.

The LocalHost_Issuer is a self-signed certificate. It will issue (sign) the certificate that Identity Server will use for signing.

The IdentityTokenSigning certificate. This one has a 2K public key.

The thumbprint for this certificate goes in each of the relying party sites (e.g. Landing, LandingAdmin) as a trusted issuer. Thumbprint.txt is in the trust folder for reference. (Note that SharePoint has its own way of storing the trusted issuer and doesn't use the web.config for this.)

<trustedIssuers>
  <!-- Thinktecture Signing Thumbprint and Site ID (not URL) -->
  <add thumbprint="A1B9FE85B53A1F2BEC833B0FA0D1EA03E9245C2B" name="urn:thinktecture:identityserver:EnvisionIT"/>
</trustedIssuers>
</issuerNameRegistry>
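Because the installer issues a fresh IdentityTokenSigning certificate on every run, the stale-thumbprint case is worth checking explicitly: the relying party web.configs (the <trustedIssuers> entry above) and, for an Office 365 deployment, the federated domain's registered signing certificate (the "same X509Certificate" check in the Federate Access to Office 365 section) must all refer to the certificate now in the machine store. The following is an added example rather than anything the installer ships; the certificate subject match, the Landing and LandingAdmin web.config paths under C:\inetpub\wwwroot\LoginSite and the domain eitdev.org are assumptions, and the Office 365 check needs a prior Connect-MsolService.

```powershell
# Added example, not installer code. Checks who still trusts the current signing cert.

function Get-CurrentSigningThumbprint {
    param([string]$SubjectMatch = 'IdentityTokenSigning')
    # Newest certificate with the signing cert's name in the Computer Personal store.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$SubjectMatch*" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate matching '$SubjectMatch' in LocalMachine\My" }
    return $cert.Thumbprint.ToUpperInvariant()
}

function Get-TrustedIssuerThumbprints {
    param([string]$WebConfigPath)
    [xml]$cfg = Get-Content -Raw -Path $WebConfigPath
    # issuerNameRegistry/trustedIssuers/add thumbprint="..." under system.identityModel
    $cfg.SelectNodes('//trustedIssuers/add') |
        ForEach-Object { $_.GetAttribute('thumbprint').ToUpperInvariant() }
}

function Test-RelyingPartyTrust {
    param([string[]]$WebConfigs, [string]$Expected)
    foreach ($path in $WebConfigs) {
        $tp = @(Get-TrustedIssuerThumbprints -WebConfigPath $path)
        [pscustomobject]@{
            WebConfig     = $path
            TrustsCurrent = ($tp -contains $Expected)
            Thumbprints   = ($tp -join ',')
        }
    }
}

function Test-FederatedDomainSigningCert {
    param([string]$DomainName, [string]$Expected)
    # The tenant stores the signing certificate as base64 DER; rebuild it to compare thumbprints.
    $fed   = Get-MsolDomainFederationSettings -DomainName $DomainName
    $bytes = [Convert]::FromBase64String($fed.SigningCertificate)
    $cloud = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    [pscustomobject]@{
        Domain          = $DomainName
        CloudThumbprint = $cloud.Thumbprint
        Matches         = ($cloud.Thumbprint -eq $Expected)
    }
}

$current = Get-CurrentSigningThumbprint
Test-RelyingPartyTrust -Expected $current -WebConfigs @(
    'C:\inetpub\wwwroot\LoginSite\Landing\web.config',
    'C:\inetpub\wwwroot\LoginSite\LandingAdmin\web.config'
)
Test-FederatedDomainSigningCert -DomainName 'eitdev.org' -Expected $current
```

A web.config that lists only an old thumbprint will reject every token the new Identity Server issues, so TrustsCurrent = False after an installer re-run is the first thing to look for when sign-in suddenly fails; SharePoint keeps its trusted issuer elsewhere, as the text notes, and is not covered by this check.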


Relying Parties

When the Thinktecture Identity Server web.config is installed, these two settings control the initialization of the IdentityServerConfiguration.sdf database in App_Data:

<add key="idsrv:CreateTestDataOnInitialization" value="false"/>
<add key="idsrv:DefaultHostURL" value="https://Login/"/>

The DefaultHostURL will create a /Landing and a /LandingAdmin relying party in Identity Server. This will allow users to log in at the Identity Server login form and have the SAML claims allow access in /Landing and /LandingAdmin (because the Landing and LandingAdmin web.configs are also configured to use the Identity Server for WS-Federation).


Roles

Two roles are created for the Identity Server:

IdentityServerUsers

IdentityServerAdministrators

These are used by IdentityServer to allow login (if you remove a user from IdentityServerUsers, their account will still exist, but the login form will not log them in) and to allow administration of the IdentityServer database (change settings, relying parties, certificates etc.).

The roles are in AD in the Extranet OU.

They are also in the EUM Manage Users database, so they can easily be assigned along with any other roles.

Avoid deleting or deactivating these.

By default the registration process will add the user to the IdentityServerUsers role at registration time.

IdentityServer does not include either of these roles as claims; therefore Identity Server administrators in the IdentityServerAdministrators role cannot manage users in LandingAdmin (unless another role is used to grant access).


Users

The "Identity Server Administrator" account is created and placed in the IdentityServerAdministrators role.

It is manageable by EUM: username AdminIdP and email [email protected].

A password will need to be set for the account.

Database Installed

An EUM database needs to be preexisting, or a new one is created on your SQL server. The IIS site Application Pool account will be granted datareader and datawriter access to that database. The NetworkService account is granted read access, for ezRealm. The installer will also grant access to the Domain\Machine$ account that NetworkService connects as, if the SQL server is remote.


If the SQL Database provider option was selected, then a database to hold the user accounts is also created. This database is used for the Universal Providers, and not the SQL Providers, so the schema is different from previous releases. It now contains only these 6 tables, and Entity Framework can create them on the fly.

Additional Folders, Files and Settings

The MSI installer will also create a C:\Logs folder and an Emails folder underneath it. Check this folder for errors and diagnostic files when EUM is running. Copies of emails sent can be seen in the Emails folder, if logging is enabled.


Console Apps

C:\Program Files\EnvisionIT\EUM\Console

There are 3 programs, their configuration files, required DLLs, and the EUM license.

EIT_MemberShipSync

The purpose of this program is to resynchronize the users in the Extranet user database with the accounts and roles in Active Directory.

By default the program only lists information; use -Update to modify the database.

The program will wait for an Enter at the end, unless you specify -noPause.

To only update the user Role membership, specify -AddUserRoleOnly. This excludes -Update.

Any properties of the user that are stored in AD will get updated in the database (e.g. if the user's City or Office is changed in AD). These happen behind the scenes; the program does not report which attributes are updated, but you can see them in the UserAudit table modified by EIT_MemberShipSync.

If a user is in the OU in Active Directory, they will be added as a managed user, even if they belong to no groups.

All users in deactivated groups will be removed from the group.

If a user is Active, but their account is missing from AD, then they will be marked as Deactivated.

This program uses the core EUM DLLs and providers, which require a valid license to operate properly; the .config must have the correct credentials for the providers and the database connection string.

The installer will configure the application for the same SQL or Active Directory providers as the web applications.


EIT_RemoveEUMInstallSPWebConfigEntries

Previous versions of the EUM installer updated the SharePoint web.configs by setting values in the database. V3 does not do this.

If you have leftover SPWebConfig entries stuck in the database, then this program may be able to remove them.

Just running the program displays the Central Admin entries.

Specify -WebApplication <site url> to also process the web application database.

Use -Remove if you see items that should be removed; by default the program is non-destructive and only lists items from previous installs.

Normally all items would have been removed when you upgraded from EUM 2.6 to 3.0.

This program does not require a license. The .config does not generally require customization.

EIT_TestLogin

This program is for testing the connectionUsername and connectionPassword parameters on the providers.

On the command line specify -username and -password for a known active user in the Extranet OU.

If the .config is correct and the username and password are correct, you will get "result was: True" and a list of the roles the user is in. Otherwise you will get "result was: False".

This program uses the providers, which require a valid license to operate properly; the .config must have the correct credentials for the providers. The profile provider is not used, only Membership and Role Manager.

The installer will configure the application for the same SQL or Active Directory providers as the web applications.


Appendix D – Overview of LandingAdmin Configuration Pages

The following provides details on the configuration of the Extranet User Manager.

System/Application Configuration

The SystemConfiguration table in the Manage Users database holds these values.

ApplicationName: Name of this specific configuration. It does not have to be a URL.

ExtranetURL: The URL to the root of the Extranet_Enduser site. Used in the two emails, Welcome and Forgot Password.

HostHeader: Optional. Can be used to select a configuration based on the incoming URL. The match is anywhere in the field, so that multiple host headers can select the same configuration. The web.config SystemConfigurationKey must be set to "host" for this feature to work. See also: How to select wsFederation configuration by host header.


HomeURL The URL to the home directory of the site. Used in the two emails: Welcome and Forgot Password.

ChangePasswordDefaultSiteURL Sets the target for the "Continue" button displayed by the ChangePassword and UpdatePassword pages when the user has completed the password change. By default this should be /Landing/.

EditUserURL Used on the UserSearch page to provide EditUser hyperlinks. It can take the administrator to the standard EditUser.aspx or to a custom page.

ForgotPassURL Used on the UserSearch page to provide a hyperlink to the forgot password page. This was made a configuration item in case someone wants to use a custom page.

SiteListURL Used on the UserSearch page to provide a hyperlink to the user's site list tree. This was made a configuration item in case someone wants to use a custom page.

SiteTreeProviderPrefix The domain prefix used to reference users in the domain. Used by the SiteTree code when resolving the user's group membership and associated site access rights.


SiteTreeProviderGroupPrefix The domain prefix used to reference groups in the domain. Used by the SiteTree code when resolving the user's site access rights.

ShowLibsinSiteTree Libraries are not usually included. Configuring them requires changing the LibraySQL in the Site table.

EditGroupsDomain_FK The domain of the EditGroupsGroup, selected from a dropdown. The valid domains are stored in the Domain table of the EUM database. The use of domains is deprecated in a federated model.

EditGroupsGroup The name of the group that a user must belong to in order to have GroupEdit rights. In our security model these users have the ability to create and edit groups and users.

GroupOwnerRights_FK Which users can the Group Owner see?

ImportUserRights_FK Who is allowed to use the Import User feature.

Edit Configuration Group and Edit Configuration User, from the LandingAdmin web.config, are shown at the top of this section for convenience; they are not modifiable from the application.


EditUserShowExtraInfo This is a debugging value. When set to true the EditUser.aspx page displays several additional pieces of data about the user and the membership provider, for example:

Provider Details

Provider Name = ExtranetSQLMP
Domain Name = Extranet (Entity Framework membership provider.)
Application Name = Extranet
Description of Provider = Entity Framework membership provider.
Users can reset Passwords
Password Retrieval at the Provider level is disabled
Password Must be this long: 7
Password Requires This many NonAlphaNumeric characters: 1
Password Strength RegEx =
Max Invalid Password Attempts Allowed: 5
Minutes for Invalid attempts to occur: 10
Q and A is NOT required
A Unique Email address is required

Additional User Details

Provider UserKey = 1426c2f1-8be1-4b09-8a2d-c9fc0341ef8d
This user is Approved
This user is NOT Locked Out
This user is Offline
Account was Created 26-Nov-2014 17:16 (4 days ago)
Last Activity for Account was on 28-Nov-2014 9:27 (3 days ago)
User was last lockedout on 31-Dec-1753 19:00 (95297 days ago)
Password was last changed on 28-Nov-2014 10:38 (3 days ago)
Disclaimer was read on 26-Nov-2014 17:18 (4 days ago)

As a debugging aid, this should be left off in production.

EditProviderGroups Checking this box causes the EditUser page to display the Assigned Groups / Available Groups controls, allowing the admin user to change the user's group membership.


EditUnmanagedGroups Checking this box causes the EditUser page to display the UnmanagedGroups list for the edited user. You might want to turn this off if your users are confused by this list of groups that they do not have the authority to change.

EditSendEmail Checking this box makes available the bottom section of the EditUser page, which allows the current user to send a simple, brief email to the user whose account is being edited. Ensure the ReplyTo field is set in the Email configuration.

SearchExportToExcel Check this box to enable the Export to Excel button on the search pages.

ShowDebuginfo When set, the provider description is shown on the UserSearch.aspx page.


Additional Hidden Settings

There is currently no GUI for these settings; they must be set directly in the SystemConfiguration table in the database.

EmailNewAccountSendToken True means the welcome email carries a time-limited token with which the user sets their own password. This value should always be True. If it is set to False, the tool instead generates a random password and includes it in PLAINTEXT in the welcome email. Unlike a token that password does not expire, and anyone who can read the message, in the recipient's mailbox or in a copy kept in EmailCopyFolder, can log in with it until it is changed. Use False only where a client explicitly accepts this in exchange for a simpler welcome process.

Additional Obsolete Settings

These are in the SystemConfiguration table in the database but are not used by the application.

WelcomeMessage Was used on the home page of the Extranet module to greet the user.

ForgotPassEmailURL

SignoutLoginLinkURL Was used on the 2007 Signout page to allow the user to sign in again. If left blank, the URL will not show.

LoginShowDisclaimer Originally from the 2007 sign-in. Show Disclaimer settings may still trigger the disclaimer from the change password pages.

LoginShowRememberMe Originally from the 2007 sign-in; currently not used. (The Remember Me check box on the Identity Server sign-in form creates a cookie to keep you logged in longer than without it.)


General Email Settings

EmailSMTPServer The server that will be used for outgoing emails. If it is in another domain you may need to specify the fully qualified domain name. Some email servers also need to be configured to accept and relay emails coming from the server that is generating them, e.g. the web server or the server where AccountProvisioner is running.

EmailFromUser The address used for the From header in the emails. This should be a valid-looking email address, but the mailbox need not exist.

EmailReplyToUser The address used for the Reply-To header in the emails. This should be a valid-looking email address, but the mailbox need not exist. NOTE: this field must be filled in, or the Email User functionality of EditUser will fail.

EmailDisableSend Set this value to true while configuring and debugging and the email engine will not actually send out the generated emails. This can be used in conjunction with EmailCopyFolder to take a look at the emails that would be sent. When you are sure that the emails are good, set this value back to false and re-run the email generator process.

EmailCopyFolder A local folder where copies of all generated emails are stored. This is helpful when initially setting up the server to verify that the correct emails are being generated. It can be left on in production to keep a record of every email sent, or it can be set to null to stop storing local copies. The copies contain everything the recipients received, including live password reset links and, if EmailNewAccountSendToken is off, plaintext passwords, so restrict access to the folder to the accounts that need it and clear it once the tokens in it have expired.


EmailImagePath In an HTML-formatted email we want to embed images into the email rather than use the img src tags as found in the raw HTML template. Those src tags could point to protected repositories or even to local files on the PC of the user who created the template. Such paths would not work in an email, so the code replaces any path information with references to embedded images. All images must appear in the EmailImagePath folder on the server that is generating the emails. The code strips off any path information and uses the file name to read the image from the EmailImagePath folder. For example, if an HTML template was created using FrontPage or some other tool it could contain a tag like <img src="c:\Documents and Settings\tabbott\My Pictures\Welcome.gif" />. The email engine will expect to find Welcome.gif in the EmailImagePath folder on the server and will embed this image into the email so that it is accessible to the recipient.
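The path-stripping and embedding behaviour described above, as an added Python illustration written for this guide rather than Extranet User Manager's own code. It assumes a template with ordinary <img src> tags, an EmailImagePath folder on the local disk, and the From and Reply-To addresses from the email settings; the only files it will read are those sitting directly in that folder, so a src that resolves anywhere else (for example "..") is refused before anything is opened.

```python
import mimetypes
import os
import re
from email.message import EmailMessage

# Matches the src attribute of each <img> tag in a template.
IMG_SRC = re.compile(r'<img\b([^>]*?)\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def image_file_name(src):
    """Keep only the file name from whatever the template author had in src:
    a Windows path, a URL or a bare name all reduce to the last path segment."""
    return re.split(r"[\\/]", src)[-1]


def embed_images(template_html, image_path):
    """Rewrite every <img src> to a cid: reference and return the new HTML plus a
    {file name: bytes} map of images read from image_path (the EmailImagePath
    folder). Only files directly inside that folder can be embedded; a name that
    resolves elsewhere (such as '..') is rejected before anything is read."""
    base = os.path.realpath(image_path)
    images = {}

    def swap(match):
        name = image_file_name(match.group(2))
        full = os.path.realpath(os.path.join(base, name))
        if os.path.dirname(full) != base:
            raise ValueError("image outside EmailImagePath: " + name)
        if name not in images:
            with open(full, "rb") as f:
                images[name] = f.read()
        return '<img%ssrc="cid:%s"' % (match.group(1), name)

    return IMG_SRC.sub(swap, template_html), images


def build_email(template_html, image_path, subject, from_user, reply_to_user, to):
    """Assemble the message: a text fallback, the rewritten HTML, and each image
    attached as a related part whose Content-ID matches its cid: reference."""
    body, images = embed_images(template_html, image_path)
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = from_user          # EmailFromUser
    msg["Reply-To"] = reply_to_user  # EmailReplyToUser
    msg["To"] = to
    msg.set_content("This message is best viewed in an HTML-capable mail client.")
    msg.add_alternative(body, subtype="html")
    html_part = msg.get_payload()[1]
    for name, data in images.items():
        ctype = mimetypes.guess_type(name)[0] or "application/octet-stream"
        maintype, subtype = ctype.split("/", 1)
        html_part.add_related(data, maintype=maintype, subtype=subtype,
                              cid="<%s>" % name, filename=name)
    return msg
```

A file that is referenced but not present in the folder fails with the usual file-not-found error rather than being silently dropped, which is the behaviour you want while EmailDisableSend and EmailCopyFolder are being used to proof the templates.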


Email Templates and Substitution Variables

Pending Approval

EmailPendingApprovalSubject The subject line for Pending Approval emails.

EmailPendingApprovalTemplate The template used to generate Pending Approval emails. It can be plain text or it can contain formatted HTML. HTML templates should start with <html> and end with </html>. No substitution variables are allowed in this email.

EmailPendingApproverBCC One or more comma-separated email addresses that should get a copy of the sent email, unbeknownst to the recipient.

EmailPendingApproverEnable To enable this email to be sent by the system, the check box must be checked.

The Test Email is not persisted, but can be used to see if the email message can be received and how the layout looks. The email is sent to the entered Test Email account when the OK button is clicked.


Pending Approver

EmailPendingApproverTo One or more comma-separated email addresses for approvers of new accounts. This field is merged with a virtual field at run time if the Registration page wants to add context-specific approvers (MembershipProvider_EmailAddressforPendingApprover).

EmailPendingApproverSubject The subject line for Pending Approver emails.

EmailPendingApproverTemplate The template used to generate Pending Approver emails. It can be plain text or it can contain formatted HTML. HTML templates should start with <html> and end with </html>. See below for substitution variables that can be used in the template.

EmailPendingApproverBCC One or more comma-separated email addresses that should get a copy of the sent email, unbeknownst to the recipient.


EmailPendingApproverEnable To enable this email to be sent by the system, the check box must be checked.

The Test Email is not persisted, but can be used to see if the email message can be received and how the layout looks. The email is sent to the entered Test Email account when the OK button is clicked.

Substitution variables allowed in this email:

~email~ Email address of the registering user.

~displayname~ Display name for the registering user (typically first and last name).

~username~ The username of the registering user.

~userkey~ The key in the User table for the registering user (integer).


Welcome

EmailNewAccountSubject The subject line for New account welcome emails.

NewAccountTokenExpiryMinutes Users who receive a Welcome email will have this many minutes to use the ChangePassword link that is provided in the email.

EmailNewAccountTemplate The template used to generate NewAccount welcome emails. It can be plain text or it can contain formatted html. HTML templates should start with <html> and end with </html>. See below for substitution variables that can be used in the template.

EmailNewAccountBCC One or more comma separated Email address that should get a copy of the sent email, unbeknownst to the recipient.

EmailNewAccountEnable To enable this Email to be sent by the system, the Check box must be checked.


The Test Email is not persisted, but can be used to see if the email message can be received and how the layout looks. The email is sent to the entered Test Email account when the OK button is clicked.

Substitution variables allowed in this email:

~username~ The username of the new account.

~emailaddress~ The email of the new account.

~displayname~ Display name for the registering user (typically first and last name).

~homeurl~ HomeURL from the Application Configuration.

~language~ The language of the user (e.g. EN, FR, ES, NL). Can be used on URLs to trigger the alternate language display of the page.

If EmailNewAccountSendToken = 0:

~password~ The password of the new account, in plain text.

If EmailNewAccountSendToken = 1:

~token~ GUID of the assigned token for password retrieval.

~tokenexpiry~ When the token expires (see the Token Expiry setting).

~updatepasswordurl~ The URL to the UpdatePassword.aspx page in the landing project. Comes from the ExtranetURL in the Application Configuration with "/ForgotPass/UpdatePassword.aspx" on the end, with the query string fully populated.

~forgotpasswordurl~ The URL to the ForgotPassword page. Used to offer a link to the password reset functionality. Comes from the ExtranetURL in the Application Configuration with "/ForgotPass/default.aspx" on the end.

The following multilingual options are also available. The token expiry can be displayed in English (~tokenexpiry~), French (~tokenexpiryfr~), Spanish (~tokenexpiryes~) or Dutch (~tokenexpirynl~). The token expiry date is a long date format including the day of the week and the time. Each of the URLs can also have &lang= added to the query string:

English (~updatepasswordurl~, ~forgotpasswordurl~)
French (~updatepasswordurlfr~, ~forgotpasswordurlfr~)
Spanish (~updatepasswordurles~, ~forgotpasswordurles~)
Dutch (~updatepasswordurlnl~, ~forgotpasswordurlnl~)

There is only one email template, not one per language, so to support multilingual emails all the variables can be used at the same time in different sections, or a single unilingual template can be used in any of the languages.


Forgot Password

EmailForgotPasswordSubject The subject line for Forgot Password emails.

LostPasswordTokenExpiryMinutes Users who use the ForgotPassword link will have this many minutes to use the ChangePassword link that is provided to them via email.

EmailForgotPasswordTemplate The template used to generate change password emails. It can be plain text or it can contain formatted HTML. See below for substitution variables that can be used in the template.

EmailForgotPasswordBCC One or more comma-separated email addresses that should get a copy of the sent email, unbeknownst to the recipient.

EmailForgotPasswordEnable To enable this email to be sent by the system, the check box must be checked.


The Test Email is not persisted, but can be used to see if the email message can be received and how the layout looks. The email is sent to the entered Test Email account when the OK button is clicked.

Substitution variables allowed in this email:

~homeurl~ HomeURL from the Application Configuration.

~language~ The language of the user (e.g. EN, FR, ES, NL). Can be used on URLs to trigger the alternate language display of the page.

~tokenexpiry~ When the token expires (see the Token Expiry setting).

~forgotpasswordurl~ The URL to the ForgotPassword page. Used to offer a link to the password reset functionality. Comes from the ExtranetURL in the Application Configuration with "/ForgotPass/default.aspx" on the end.

~updatepasswordurl~ The URL to the UpdatePassword.aspx page in the landing project. Comes from the ExtranetURL in the Application Configuration with "/ForgotPass/UpdatePassword.aspx" on the end. You must construct your own query string if using this one (see also ~updatepasswordlist~ and ~updatepasswordlink~ below).

~username~ Used when constructing your own query string with ~updatepasswordurl~. Only the first username that matches the entered email can be returned. If there are multiple usernames for the same email address, use ~updatepasswordlist~.

~token~ GUID of the assigned token for password retrieval. Used when constructing your own query string with ~updatepasswordurl~.

e.g. This is an example of the three substitution variables being used to construct a single URL (spaces added for readability; the URL should not contain spaces): <a href="~updatepasswordurl~? Token=~token~ &Username=~username~ &lang=EN">Reset your Password</a>

~updatepasswordlist~ The Forgot Password request is based on an email address. It is possible for more than one account to have the same email. This provides a bulleted list of accounts with a separate reset link for each one. Only one link per email can be used to reset a password. Comes from the ExtranetURL in the Application Configuration with "/ForgotPass/UpdatePassword.aspx" on the end, as well as the customized query string.

~updatepasswordlink~ *NEW* This one shows the EMAIL address as the link text and only includes the first username from the updatepasswordlist. Otherwise the link is the same as above. It is meant as a direct replacement for ~updatepasswordlist~ if you are generally using email addresses as if they were usernames. Note that you cannot log on with an email address if there is more than one in the database that matches. Comes from the ExtranetURL in the Application Configuration with "/ForgotPass/UpdatePassword.aspx" on the end, as well as the customized query string.

~emailaddress~ The email address used to request the forgotten password. The email will be sent to this user, so it is not always necessary to include it in the body as well.

The following multilingual options are also available. The token expiry can be displayed in English (~tokenexpiry~), French (~tokenexpiryfr~), Spanish (~tokenexpiryes~) or Dutch (~tokenexpirynl~). The token expiry date is a long date format including the day of the week and the time. Each of the URLs can also have &lang= added to the query string:

English (~updatepasswordlist~, ~forgotpasswordurl~)
French (~updatepasswordlistfr~, ~forgotpasswordurlfr~)
Spanish (~updatepasswordlistes~, ~forgotpasswordurles~)
Dutch (~updatepasswordlistnl~, ~forgotpasswordurlnl~)

There is only one email template, not one per language, so to support multilingual emails all the variables can be used at the same time in different sections, or a single unilingual template can be used in any of the languages.
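The Welcome and Forgot Password variable lists above describe how the token, its expiry, the per-language URLs and the multi-account list are built, and what the UpdatePassword page must check when a link is used. The following Python is an added illustration of that flow for this guide's readers; it is not Extranet User Manager code. It assumes the SystemConfiguration values shown, a dictionary standing in for the database, a GUID token, one token per account listed in ~updatepasswordlist~, the variable names from the tables above, and English formatting of the expiry date for every language.

```python
import hmac
import html
import uuid
from datetime import timedelta
from urllib.parse import urlencode

# Constructed stand-in for the SystemConfiguration values the two emails draw on.
# Setting names are from the guide; the values are made up for this example.
CONFIG = {
    "ExtranetURL": "https://extranet.example.com",
    "HomeURL": "https://extranet.example.com/Landing/",
    "EmailNewAccountSendToken": 1,
    "NewAccountTokenExpiryMinutes": 60,
    "LostPasswordTokenExpiryMinutes": 30,
}
LANGS = ("EN", "FR", "ES", "NL")

def issue_token(store, username, minutes, now):
    """Mint a GUID token for username and record when it expires. The store is a
    plain dict here; the product keeps this state in its database."""
    token = str(uuid.uuid4())
    store[username] = {"token": token, "expiry": now + timedelta(minutes=minutes), "used": False}
    return token

def redeem_token(store, username, token, now):
    """UpdatePassword-side check: known user, unexpired token, constant-time
    comparison, and single use so a link lifted from a mailbox cannot be replayed."""
    rec = store.get(username)
    if rec is None or rec["used"] or now > rec["expiry"]:
        return False
    if not hmac.compare_digest(rec["token"], token):
        return False
    rec["used"] = True
    return True

def update_password_url(config, username=None, token=None, lang="EN"):
    """ExtranetURL + /ForgotPass/UpdatePassword.aspx: query string fully populated
    when a token is given, bare otherwise (the Forgot Password form of the variable)."""
    url = config["ExtranetURL"] + "/ForgotPass/UpdatePassword.aspx"
    if token is None:
        return url
    return url + "?" + urlencode({"Token": token, "Username": username, "lang": lang})

def render(template, variables):
    """Replace every ~name~ the email allows; names not in the list are left as typed."""
    for name, value in variables.items():
        template = template.replace("~" + name + "~", str(value))
    return template

def lang_suffix(lang):
    return "" if lang == "EN" else lang.lower()

def shared_variables(config, expiry):
    """Variables both emails offer, including the per-language URL and expiry variants."""
    v = {"homeurl": config["HomeURL"]}
    for lang in LANGS:
        # Assumption: the long expiry date is rendered in English for every language.
        v["tokenexpiry" + lang_suffix(lang)] = expiry.strftime("%A, %d %B %Y %H:%M")
        v["forgotpasswordurl" + lang_suffix(lang)] = config["ExtranetURL"] + "/ForgotPass/default.aspx?lang=" + lang
    return v

def welcome_variables(config, store, user, now, password=None):
    """Welcome email. With EmailNewAccountSendToken = 0 the email carries the
    password itself in plain text; with 1 it carries a time-limited token instead."""
    v = {"username": user["username"], "emailaddress": user["email"],
         "displayname": user["displayname"], "language": user["language"]}
    if not config["EmailNewAccountSendToken"]:
        v["password"] = password  # the plaintext path the guide advises against
        v["homeurl"] = config["HomeURL"]
        return v
    token = issue_token(store, user["username"], config["NewAccountTokenExpiryMinutes"], now)
    v.update(shared_variables(config, store[user["username"]]["expiry"]))
    v["token"] = token
    for lang in LANGS:
        v["updatepasswordurl" + lang_suffix(lang)] = update_password_url(config, user["username"], token, lang)
    return v

def forgot_password_variables(config, store, email, accounts, now):
    """Forgot Password email for every account sharing the entered email address.
    ~username~/~token~ cover only the first account; ~updatepasswordlist~ gives each
    account its own link and token (an assumption about how the list is built)."""
    tokens = {u: issue_token(store, u, config["LostPasswordTokenExpiryMinutes"], now) for u in accounts}
    first = accounts[0]
    v = {"emailaddress": email, "language": "EN", "username": first, "token": tokens[first]}
    v.update(shared_variables(config, store[first]["expiry"]))
    for lang in LANGS:
        v["updatepasswordurl" + lang_suffix(lang)] = update_password_url(config)
        # Usernames come from registration, so they are escaped before going into HTML.
        items = "".join('<li><a href="%s">%s</a></li>' % (html.escape(update_password_url(config, u, tokens[u], lang)), html.escape(u))
                        for u in accounts)
        v["updatepasswordlist" + lang_suffix(lang)] = "<ul>" + items + "</ul>"
    v["updatepasswordlink"] = '<a href="%s">%s</a>' % (html.escape(update_password_url(config, first, tokens[first])), html.escape(email))
    return v
```

The Forgot Password example from the table, <a href="~updatepasswordurl~?Token=~token~&Username=~username~&lang=EN">, renders with the bare ~updatepasswordurl~ because the query string is the template author's to build; the Welcome email's ~updatepasswordurl~ already carries it. The redeem step is where the security of the token path lives: expiry and single use are enforced on the server, not by the link.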


ManageUsers Database Configuration – Domain Table

This table has one row for each domain. Group membership is now claims based, so the use of the Domain table is now limited.

DomainName The domain that the users and roles will exist in.

Username The username to be used when doing LDAP queries in this domain. It does not need to be a Domain Admin, but it does need rights to query and modify users and roles. Delegate those rights on the extranet OU only, as described in Delegate to Active Directory, rather than granting them domain-wide.

Password The encrypted password for the Username above. Use the Envision IT command-line utility StoreEncryptedDataInDB to populate this field.

PasswordSalt The salt value used to encrypt and decrypt the password value above. Also populated by the StoreEncryptedDataInDB tool.

LDAPConnectionString The full LDAP path to the users container in the LDAP structure. This could be an OU=Users or a CN=Users (the default Microsoft schema). Someone familiar with the LDAP structure at the client needs to supply this value.

Access is through the providers; the Domain table is now a placeholder for defining groups.

ManageUsers Database Configuration – Site Table

This table has one row for each SharePoint site collection that the users might have access to. It is used when building the Site Tree in the Extranet module. For each site (row in this table) we query for any sites the specified user (and any groups they belong to) has access to. For most installations there will be only one row, describing the Extranet SharePoint site.

SharePointRoot The root of the SharePoint site to be queried.

ContentDBServer The database server hosting the content database for the SharePoint site above.

ContentDBName The name of the content database for the SharePoint site above.

UserName The SQL username to be used to access the database. Make sure this account has at minimum read access to the content database. The Site Tree only queries the content database, so a read-only login is sufficient; do not grant it more.

Password The encrypted password for the UserName above. Use the Envision IT command-line utility StoreEncryptedDataInDB to populate this field.

PasswordSalt The salt value used to encrypt and decrypt the password value above. Also populated by the StoreEncryptedDataInDB tool.

If the account that is running the IIS app pool can read from the specified content database, the UserName, Password, and PasswordSalt values can be left as NULL.


ManageUsers Database Configuration – ezRealmIP Table

This table has one row for each range of IP addresses that you might want to redirect to a specific Identity Provider. It is used during login, when ezRealm is enabled and the login URL does not specify a home realm. IP address ranges are expected to be unique and valid.

IPFrom A starting IPv4 or IPv6 address.

IPTo An ending IPv4 or IPv6 address that is the same as or higher than IPFrom.

RedirectIdentity The identifier of the Identity Provider configured in Identity Server.


ManageUsers Database Configuration – ezRealmEmail Table

This table has one row for each partial match of the email field that will redirect to a specific Identity Provider. It is used during login, when ezRealm is enabled. The login form for Identity Server will detect the match and redirect to the other Identity Provider. Redirecting back to Identity Server itself is not recommended.

EmailFragment The substring to match in the username field.

RedirectIdentity The identifier of the Identity Provider configured in Identity Server.

PassonQueryString True to include the text the user entered as &username= when redirecting. This is supported by some login pages, such as AD FS 3.0, to pre-fill the username field. Note that the entered value then travels in the URL, where it can be recorded in browser history, proxy logs and the Referer header of the next request.
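An added Python illustration of how the ezRealmIP and ezRealmEmail tables drive the redirect, written for this guide and not taken from Extranet User Manager or Identity Server. The rows, addresses and provider identifiers are constructed. It also checks the two properties the guide expects of the IP table (IPTo not below IPFrom, ranges unique) at load time, and assumes an evaluation order that the guide does not spell out: an explicit home realm on the login URL first, then the IP table, then the email fragment table once a username has been typed.

```python
import ipaddress
from urllib.parse import urlencode

# Constructed rows standing in for the ezRealmIP and ezRealmEmail tables. Column
# names are from the guide; addresses, fragments and identifiers are made up.
EZREALM_IP = [
    {"IPFrom": "10.20.0.0", "IPTo": "10.20.255.255", "RedirectIdentity": "corp-adfs"},
    {"IPFrom": "2001:db8:1::", "IPTo": "2001:db8:1:ffff:ffff:ffff:ffff:ffff", "RedirectIdentity": "corp-adfs"},
]
EZREALM_EMAIL = [
    {"EmailFragment": "@partner.example", "RedirectIdentity": "partner-adfs", "PassonQueryString": True},
    {"EmailFragment": "@contoso", "RedirectIdentity": "contoso-adfs", "PassonQueryString": False},
]

def load_ip_ranges(rows):
    """Parse the ezRealmIP rows and enforce what the guide expects of them:
    IPTo is not below IPFrom, both ends are the same IP version, and no two
    ranges overlap (otherwise which provider wins would depend on row order)."""
    ranges = []
    for row in rows:
        lo, hi = ipaddress.ip_address(row["IPFrom"]), ipaddress.ip_address(row["IPTo"])
        if lo.version != hi.version or hi < lo:
            raise ValueError("invalid range %s - %s" % (row["IPFrom"], row["IPTo"]))
        for a, b, _ in ranges:
            if a.version == lo.version and lo <= b and a <= hi:
                raise ValueError("range %s - %s overlaps %s - %s" % (lo, hi, a, b))
        ranges.append((lo, hi, row["RedirectIdentity"]))
    return ranges

def realm_for_ip(ranges, client_ip):
    """Identity Provider for the client address, or None if no range matches."""
    ip = ipaddress.ip_address(client_ip)
    for lo, hi, identity in ranges:
        if lo.version == ip.version and lo <= ip <= hi:
            return identity
    return None

def realm_for_email(rows, entered):
    """First row whose EmailFragment is a substring of what the user typed."""
    entered = entered.lower()
    for row in rows:
        if row["EmailFragment"].lower() in entered:
            return row
    return None

def redirect_for_login(ip_ranges, email_rows, client_ip, entered=None, home_realm=None):
    """Returns (RedirectIdentity, query string to append) or (None, None).
    Order assumed here: an explicit home realm on the login URL wins, then the IP
    table (evaluated before any username is typed), then the email fragment table."""
    if home_realm:
        return home_realm, None
    identity = realm_for_ip(ip_ranges, client_ip)
    if identity is not None:
        return identity, None
    if entered:
        row = realm_for_email(email_rows, entered)
        if row is not None:
            query = urlencode({"username": entered}) if row["PassonQueryString"] else None
            return row["RedirectIdentity"], query
    return None, None
```

client_ip has to be the address of the actual client: if Identity Server sits behind a reverse proxy or load balancer it sees the proxy's address, and an X-Forwarded-For value should only be honoured when it comes from that proxy, since a client can otherwise set it to land in a range of its choosing.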


Office 365 Configuration – Office365Configuration Table

This page contains all the Office 365 integration configuration in one place. The page is large and dynamic, so we will focus on the sections available and what they look like configured and unconfigured.

The Graph API application is first configured in Windows Azure Active Directory, then the values are configured here to allow access by Extranet User Manager. Save to configure access; Delete to remove the application, turn off integration, and remove the notification email. The top section will display license counts and tenant information once the Graph API is configured.


If you are using Active Directory to store the Extranet users, the membership provider is not able to get the UPN or ImmutableID, so it needs direct access to Active Directory configured in the Web.config of each of the three applications that will use it. If these settings are found, the page will attempt to connect as a diagnostic. This does not prove the account has access to read all the extranet users, only that the credentials are accepted by Active Directory and that you are connecting to the expected domain for your extranet users.

Once the Graph API is connected we can query users; at the bottom are two AJAX grids that can list licensed and unlicensed users from AAD. There is also a listing of security groups and their membership in AAD.


Office 365 License Threshold Notification Email

EmailLicenseThresholdEnable To enable this email to be sent by the system, the check box must be checked.

LicenseThreshold Integer license threshold. The email is sent if the number of licenses left is this number or lower. The GUI limits the value to 0 to 9999.

EmailLicenseThresholdTo One or more comma-separated email addresses for admins who can manage license purchases in Office 365.

EmailLicenseThresholdSubject The subject line for License Threshold Notification emails.

EmailLicenseThresholdTemplate The template used to generate License Threshold emails. It can be plain text or it can contain formatted HTML. HTML templates should start with <html> and end with </html>. See below for substitution variables that can be used in the template.

EmailPendingApproverBCC One or more comma-separated email addresses that should get a copy of the sent email, unbeknownst to the recipient.

The Test Email is not persisted, but can be used to see if the email message can be received and how the layout looks. The email is sent to the entered Test Email account when the OK button is clicked.


Substitution variables allowed in this Email:

~licenseremaining~ How many of the SharePoint online licenses remain unallocated and available to new users. This is the number compared to the threshold, to cause the email to be sent.

~licenseallocated~ How many of the SharePoint online licenses have been allocated to users.

~licensetype~ The uppercase name for the SharePoint online licenses from your Office 365 tenant


Appendix E – PowerShell registration of SharePoint Identity Providers

Registering Certificates

During installation, certificates were created and placed in the trust folder under the IIS web site root. A PowerShell script is written to the same folder. Here we take a closer look inside. (If you upgrade, repair, or reinstall, you will get new signing certificates for Identity Server, and they will need to be re-registered.)

We use the New-SPTrustedRootAuthority command to register the certs:

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\LocalHost_Issuer.cer")
New-SPTrustedRootAuthority -Name "LocalHost Root" -Certificate $root

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\IdentityTokenSigning.cer")
New-SPTrustedRootAuthority -Name "Token signing TTIds" -Certificate $cert

If you want to remove certs that you previously registered, use Remove-SPTrustedRootAuthority:

Remove-SPTrustedRootAuthority -Identity "LocalHost Root" -Confirm:$false
Remove-SPTrustedRootAuthority -Identity "Token signing TTIds" -Confirm:$false

Relying Party URLs – Realm and SignIn

The Realm is the /_trust/ URL for the SharePoint site. It should be https: and include the trailing /.

$realm = "https://labvm12dc.labvm.com:999/_trust/"

The sign-in URL is the WS-Federation endpoint in Thinktecture Identity Server. This URL is on the Application Integration page. It will always end in /issue/wsfed for Identity Server. This URL does not include a trailing /.

$signInURL = "https://login.labvm.com/IdSrv/issue/wsfed"

Relying Party – Mapping Claims

All the claims coming from Identity Server that you want to use in SharePoint must be explicitly mapped. The commands below are broken across lines with the PowerShell continuation character (a backtick at the end of the line); in the generated script each one is on a single line.


The URIs are selected from those that Thinktecture can send, listed in the federation metadata XML under fed:ClaimTypesOffered.

$emailClaimMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" `
    -SameAsIncoming

$roleClaimMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" `
    -SameAsIncoming

$nameClaimMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://identityserver.thinktecture.com/claims/profileclaims/displayname" `
    -IncomingClaimTypeDisplayName "displayName" `
    -SameAsIncoming

Create the Trusted Identity Token Issuer

-Name is what will show in the Authentication Providers list. We use all the variables from above; $cert is the Identity Server token signing certificate registered earlier, and the email address claim is the identifier claim, which is why the provider requires email addresses to be unique.

$ap = New-SPTrustedIdentityTokenIssuer -Name "Extranet Identity Server" `
    -Description "Thinktecture SAML token provider" `
    -Realm $realm `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailClaimMap,$nameClaimMap,$roleClaimMap `
    -SignInUrl $signInURL `
    -IdentifierClaim $emailClaimMap.InputClaimType

To remove a token issuer use Remove-SPTrustedIdentityTokenIssuer; it must be unchecked in Central Admin before it can be removed. Once you have created a Trusted Identity Token Issuer, you can modify it with Set-SPTrustedIdentityTokenIssuer. Use -Identity with the Name given in the New command to specify which one you are modifying. This command is not used in the provided script; instead it uses Get-SPTrustedIdentityTokenIssuer and calls .Update() after modifying the changed settings.