Configuring the Web application for the Reverse Proxy
After creating the Reverse Proxy WAM application, the protected URLs, and the OAuth application, the last step to enable EmpowerID to protect the AndysBeans application is to add the necessary key/value pairs to the application's Web.config file as described below. Not all of these key/value pairs are used with AndysBeans. For example, the EidInitializeIdentityAssemblyInfo key is used to override the default logic of the Agent for setting the HttpContext Identity. However, we have included these optional keys here for your information.

In our example, we are making adjustments to the Web.config file of AndysBeans. However, if desired, you can add these values to the registry instead of the Web application's config file. When protecting multiple Web applications, though, you should avoid using the registry and make your adjustments for each application in that application's config file. To alter the registry, open Registry Editor, navigate to the TheDotNetFactory\EmpowerID key and add a subkey named "WebSettings." You can then add your key/value pairs there.

To configure the Web application for the EmpowerID Reverse Proxy

From the Navigation Sidebar of the EmpowerID Web interface, navigate to the SAML Connections page by expanding Admin and clicking SAML. Search for the reverse proxy application you created for AndysBeans and locate the ACS URL as well as the User Entered URL. Copy the GUID at the end of the ACS URL as well as the User Entered URL. You will need to add these values to the AndysBeans Web.config file.

From Windows Explorer, navigate to your Web application folder and open the Web.config file with any text editor.

In the Web.config file, navigate to <appSettings> and add the following key/value pairs:

certificateThumbprintForEncryption - This is the thumbprint of the certificate that the SAML request uses to deserialize the requested URL when the agent is in SAML mode. This thumbprint must be from the certificate used when creating the SSO Connection for your Web application. This setting is not needed when using the Reverse Proxy.

EidInitializeIdentityAssemblyInfo - This allows you to override the default logic for setting the HttpContext Identity. (HttpContext is the object that contains all the information about an individual HTTP request.) To override this, you need to create your own assembly with a type that implements IInitializeUserIdentity and then set this value to that of your custom assembly.

The syntax for this setting is as follows:


```xml
<add key="EidInitializeIdentityAssemblyInfo" value="AssemblyTest, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
```


EidIdpUrl: This specifies the URL to which users are redirected if they are not currently authenticated.

The syntax for this setting is as follows, where "YourWebServer" is the FQDN of the server hosting your Web application and "YourSSOConnection" is the name of the SSO Connection you created for your protected Web application.


```xml
<add key="eidIdpUrl" value="https://YourWebServer/WebIDPForms/Login/YourSSOConnection"/>
```


EidSlidingExpirationTimeout - This specifies the time in minutes that a session cookie remains valid. Users will need to reauthenticate once this time window expires.

The syntax for this setting is as follows:


```xml
<add key="EidSlidingExpirationTimeout" value="60"/>
```


EventLogSourceName - This is an optional setting that allows you to specify a log source name for logging entries related to the agent. This setting is not used for the Reverse Proxy.

EventLogLogName - This is an optional setting that allows you to specify a log name for logging events related to the agent. This setting is not used for the Reverse Proxy.

EnableEventLogging - This is a Boolean that specifies whether Windows event logging is enabled or disabled for the agent. This should be set to false when the agent is running in production.

The syntax for this setting is as follows:


```xml
<add key="EnableEventLogging" value="false"/>
```


HTTPMODULEAuthorizationEncryptionSalt - This is used to encrypt and decrypt the EmpowerID cookie containing the user identity and the SSO Application IDs that person has authenticated against. The value can be arbitrary; choose one of your own rather than reusing the sample value shown below, since it protects the identity cookie.

The syntax for this setting is as follows:


```xml
<add key="HTTPMODULEAuthorizationEncryptionSalt" value="11021"/>
```


HTTPMODULECustomAuthenticationAssembly - This is an advanced optional setting that specifies the fully qualified name of the dll/type to load to implement custom authentication and authorization logic.

HTTPMODULEIdentityPrincipalType - This determines the type of identity set by the agent. The value can be either "Forms" or "Claims" and should match the type of identity used by the Web application being protected. Since AndysBeans uses Forms authentication, the value of this key should be set to Forms.

The syntax for this setting is as follows:


```xml
<add key="HTTPMODULEIdentityPrincipalType" value="Forms"/>
```


HTTPMODULEEnablePathAuthorization - This is a Boolean that specifies whether the agent will enforce URL path authorization for the Protected Application URLs (PURLs) you created for the Web application. If the value is set to "false", the agent will not stop users without the appropriate delegations in EmpowerID from accessing the URL. So, for example, if you created the "employeemanager" PURL demonstrated in the Creating WAM Applications for the EmpowerID Reverse Proxy topic but set this value to "false," then any user with knowledge of the URL will be able to access it, unless the application itself specifically enforces its own access control.

The syntax for this setting is as follows:


```xml
<add key="HTTPMODULEEnablePathAuthorization" value="true"/>
```


HTTPModuleTokenMode - This is used to set whether the agent operates in reverse proxy or SAML mode. In reverse proxy mode, the agent will assume that the EID_USER variable inserted into the HTTP header is authenticating the user. To specify reverse proxy mode, set the value to "Forms." If you do not specify a value, the agent defaults to reverse proxy mode.

The syntax for this setting is as follows:


```xml
<add key="HTTPModuleTokenMode" value="Forms"/>
```


HTTPMODULEErrorUrl - This is an optional setting that you can use to specify a custom page for displaying module errors to your end users. If this key is not added to the config file, then the agent displays the default error page.

The syntax for this setting is as follows, where /home/error is the location of the custom page on AndysBeans for displaying errors:


```xml
<add key="HTTPMODULEErrorUrl" value="http://sso.empowerid.com:8080/AndysBeans/home/error"/>
```


HTTPMODULENotAuthorizedUrl - This is an optional setting that you can use to specify a custom page for displaying messages to users who do not have the delegations to view a requested page. If this key is not added to the config file, then the agent displays the default not authorized message.

The syntax for this setting is as follows:


```xml
<add key="HTTPMODULENotAuthorizedUrl" value="https://sso.empowerid.com:8080/AndysBeans/home/unauthorized/"/>
```


RedirectUrlGuid: This specifies the GUID that EmpowerID generated for the SSO Connection linked to your Web application when you created it. EmpowerID appends this GUID to the Target URL you entered for the SSO Connection.

The syntax for this setting is as follows:


```xml
<add key="RedirectUrlGuid" value="42f07925-1b7b-48a0-b48b-a431cca0f133"/>
```

After you have completed the above, the <appSettings> section of your configuration file should contain the key/value pairs described above and look similar to the image below.

In the config file, navigate to the <system.webServer> section and add the following under <modules runAllManagedModulesForAllRequests="true">. Make sure the Net version matches the version of the .NET assembly you received from EmpowerID (Net35 or Net45).


```xml
<add name="EidAuthenticationHeaderModule" type="TheDotNetFactory.EmpowerID.Web.Core.Modules.EidAuthenticationHeaderModule,
                                                TheDotNetFactory.EmpowerID.Web.Net45.Modules, Version=4.0.0.0, Culture=neutral"/>
```


The <system.webServer> section should now look similar to the following image.

Save your changes and reset IIS.

Now that we have configured the AndysBeans Web.config file for use with the agent, we can test the Web agent.
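Before testing, it is worth checking the assembled Web.config against the guidance on this page: the required keys are present, path authorization is on, event logging is off for production, the GUID was copied correctly, and the module references the assembly build you were shipped. The script below is an added example, not part of this page or of EmpowerID's tooling; the embedded Web.config is constructed from the sample values above, and the expected_net parameter is an assumption of the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample Web.config assembled from the keys this page describes; host names,
# GUID and salt are the page's sample values, not those of a real deployment.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="eidIdpUrl" value="https://YourWebServer/WebIDPForms/Login/YourSSOConnection"/>
    <add key="EidSlidingExpirationTimeout" value="60"/>
    <add key="EnableEventLogging" value="false"/>
    <add key="HTTPMODULEAuthorizationEncryptionSalt" value="11021"/>
    <add key="HTTPMODULEIdentityPrincipalType" value="Forms"/>
    <add key="HTTPMODULEEnablePathAuthorization" value="true"/>
    <add key="HTTPModuleTokenMode" value="Forms"/>
    <add key="RedirectUrlGuid" value="42f07925-1b7b-48a0-b48b-a431cca0f133"/>
  </appSettings>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true">
      <add name="EidAuthenticationHeaderModule"
           type="TheDotNetFactory.EmpowerID.Web.Core.Modules.EidAuthenticationHeaderModule, TheDotNetFactory.EmpowerID.Web.Net45.Modules, Version=4.0.0.0, Culture=neutral"/>
    </modules>
  </system.webServer>
</configuration>"""

REQUIRED_KEYS = ["eidIdpUrl", "EidSlidingExpirationTimeout", "HTTPMODULEAuthorizationEncryptionSalt",
                 "HTTPMODULEIdentityPrincipalType", "HTTPMODULEEnablePathAuthorization", "RedirectUrlGuid"]
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

def audit_web_config(xml_text, expected_net="Net45"):
    """Return findings where the config departs from this page's guidance (empty list = OK)."""
    root = ET.fromstring(xml_text)
    # Key names are compared case-insensitively; the page itself writes both eidIdpUrl and EidIdpUrl.
    settings = {a.get("key").lower(): a.get("value", "") for a in root.iter("add") if a.get("key")}
    findings = [f"missing appSettings key: {k}" for k in REQUIRED_KEYS if k.lower() not in settings]
    if settings.get("httpmoduleenablepathauthorization", "").lower() != "true":
        findings.append("HTTPMODULEEnablePathAuthorization is not true: PURL authorization is not enforced")
    if settings.get("enableeventlogging", "false").lower() != "false":
        findings.append("EnableEventLogging should be false when the agent runs in production")
    if not GUID_RE.match(settings.get("redirecturlguid", "")):
        findings.append("RedirectUrlGuid is not a GUID (copy it from the end of the ACS URL)")
    if settings.get("httpmoduleauthorizationencryptionsalt") == "11021":
        findings.append("HTTPMODULEAuthorizationEncryptionSalt still uses the sample value from the docs")
    # The header module must be registered and reference the assembly build (Net35/Net45) you were shipped.
    module_types = [m.get("type", "") for m in root.iter("add") if m.get("name") == "EidAuthenticationHeaderModule"]
    if not module_types:
        findings.append("EidAuthenticationHeaderModule is not registered under system.webServer/modules")
    elif f".Web.{expected_net}.Modules" not in module_types[0]:
        findings.append(f"module assembly does not match the expected {expected_net} build")
    return findings
```

Run audit_web_config on the text of your own Web.config before resetting IIS; on the sample above it reports only the reused salt.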