Setting up the Remote Windows Identity Provider
Through the Remote Windows Identity Provider application, EmpowerID allows organizations to extend authentication to partner organizations without requiring the partner to have a federation server or an EmpowerID license. The EmpowerID Remote Identity Provider is a small, lightweight component that can be installed on a remote IIS server in AD domains where EmpowerID is not installed. The Remote IdP works by letting users in external domains browse to a page on a local Web server that authenticates them against their on-premise Active Directory and then redirects them to an external EmpowerID site with a SAML claim containing their Active Directory username. The external EmpowerID site validates that the claim was signed with the appropriate trusted certificate and then authenticates the user as the Person who owns that Active Directory user account. Once the user is authenticated, EmpowerID seamlessly forwards them to the destination Service Provider application they requested when browsing their local Web page. This Service Provider application could be the EmpowerID Web site or another SSO application, such as SalesForce.com, depending on how the SSO connection is configured. If the specified Service Provider application is not EmpowerID, the method required for performing single sign-on into that system is invoked.
- With IdP-initiated SSO, the EmpowerID Remote IdP (the IdP) generates a SAML response for the user and posts it to the SP, where it is verified. Once verified the user gains access to their resources.
- For SP-initiated SSO, a SAML request is sent from the SP to the EmpowerID Remote IdP (the IdP). In response to the request, the EmpowerID Remote IdP (the IdP) generates a SAML response and posts it to the SP. If the response is valid, the user gains access to their resources.
This topic describes how to configure an IDP connection for the Remote Windows Identity Provider and is divided into the following activities:
- Creating an IDP Connection for the Remote Windows Identity Provider
- Installing the Windows Remote Identity Provider Application on the Remote Server
- Testing the Windows Remote IDP Connection
...
To create an IDP Connection for the Remote Windows Identity Provider
...
- Select Identity Provider as the SAML Connection Type.
- Select Default IdP Connection Settings from the SAML Application Template drop-down.
- Leave the External Identity Provider URL field set to about:blank.
- Type an appropriate name (without spaces), display name, and optionally a description for the connection in the Name, Display Name and Description fields, respectively.
- Type the connection information in the User Entered URL field. The value you enter depends on how you want the SSO session to be initiated. For IdP-initiated SSO, enter a URL formatted as follows:

  ```
  https://YourRemoteIdPServer.com/EmpowerIDRemoteIDP/Login/YourSPName/YourRemoteIdPName
  ```

  If you want the SSO session to be SP-initiated, enter a URL formatted as follows:

  ```
  https://YourEmpowerIDServer.com/EmpowerIDWebIdPForms/Login/YourSPName/YourRemoteIdPName
  ```
- Scroll to the Account Information section of the form and tick Create a New Account Directory. This tells EmpowerID to create a special type of account store for the connector that is internal to EmpowerID, known as a "tracking-only" account store. A tracking-only account store account exists as a container within EmpowerID for storing user and group records for SSO or attestation without making a connection to the external directory associated with the application. In this way, when users in the external domain attempt to access a service provider via EmpowerID, EmpowerID checks to see if that user has an account in the associated tracking-only account store.
- Scroll to the Certificates section of the form and from the Verifying Certificate drop-down select the certificate for verifying the SAML assertion sent to EmpowerID by the EmpowerID Remote IdP. This certificate must have the public key for the certificate used by the remote server to sign the SAML assertions being sent to EmpowerID.
- Leave all other fields as is and click Save.
...
To install the Remote Windows Identity Provider
...
- In the Remote EmpowerID Web Site URL field, type the URL of the EmpowerID Web server hosting the Remote Identity Provider connection, being sure to use HTTPS. The URL should look similar to "https://sso.empoweriam.com," where sso.empoweriam.com is the FQDN or resolvable DNS alias of the EmpowerID Web server.
- Type the appropriate information for the Application Identity in the Username, Password and Web Site fields.
- Select SAML as the Response Type.
- Click the ellipsis (...) button to the right of the Signing Certificate field and select the certificate that will be used to sign the SAML assertions sent to the EmpowerID Web server. The verifying certificate set for the Remote Identity Provider SSO connection on the EmpowerID server must have the public key for this certificate, as it is used to verify that the assertions are coming from the remote server.
- Click Apply and then click OK to close the Success message box.
- Close the EmpowerID Remote IDP Configuration window.
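The trust relationship described in the two certificate steps above (the remote server signs with its private key, the EmpowerID server verifies with the pinned public certificate) can be checked offline on a captured SAML response. The script below is an added example and not EmpowerID product code; it assumes Windows PowerShell 5.1, a saved Response XML file and the verifying certificate exported as a public-key .cer file, both supplied as parameters.

```powershell
# Added example, not EmpowerID code: verify a captured SAML Response against
# the pinned Verifying Certificate only; the KeyInfo inside the message is
# deliberately ignored because an attacker controls it.
param(
    [Parameter(Mandatory)] [string] $SamlResponsePath,   # assumed: captured <samlp:Response> XML
    [Parameter(Mandatory)] [string] $VerifyingCerPath    # assumed: public .cer of the signing cert
)

Add-Type -AssemblyName System.Security

$dsigNs = 'http://www.w3.org/2000/09/xmldsig#'
$samlNs = 'urn:oasis:names:tc:SAML:2.0:assertion'

# Whitespace must survive loading, otherwise canonicalisation will not
# reproduce the bytes that were signed and a genuine signature fails.
$doc = New-Object System.Xml.XmlDocument
$doc.PreserveWhitespace = $true
$doc.Load((Resolve-Path $SamlResponsePath).Path)

$pinned = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (Resolve-Path $VerifyingCerPath).Path

$sigNodes = $doc.GetElementsByTagName('Signature', $dsigNs)
if ($sigNodes.Count -eq 0) { throw 'Response carries no XML signature; it must be rejected.' }

$results = foreach ($sigNode in $sigNodes) {
    $signed = New-Object System.Security.Cryptography.Xml.SignedXml -ArgumentList $doc
    $signed.LoadXml([System.Xml.XmlElement]$sigNode)

    # verifySignatureOnly = $true checks against the pinned public key and skips
    # chain building, which suits a self-signed or internally issued signing cert.
    $cryptoOk = $signed.CheckSignature($pinned, $true)

    # Guard against signature wrapping: each Reference must point at the element
    # that actually encloses this Signature, i.e. "#" plus the parent's ID.
    $parent   = [System.Xml.XmlElement]$sigNode.ParentNode
    $parentId = $parent.GetAttribute('ID')
    $refsOk   = $true
    foreach ($ref in $signed.SignedInfo.References) {
        if ($ref.Uri -ne "#$parentId") { $refsOk = $false }
    }

    [pscustomobject]@{
        SignedElement  = $parent.LocalName     # expect Response or Assertion
        SignatureValid = $cryptoOk
        ReferencesOk   = $refsOk
        Thumbprint     = $pinned.Thumbprint
    }
}
$results

# The username EmpowerID maps to a Person is trustworthy only if every row
# above shows SignatureValid and ReferencesOk as True.
$nameId = $doc.GetElementsByTagName('NameID', $samlNs)
if ($nameId.Count -gt 0) { "NameID: $($nameId[0].InnerText)" }
```

If SignatureValid is False while the remote server's log shows a successful sign, the usual cause is a mismatch between the certificate chosen in the Signing Certificate field on the remote server and the one selected from the Verifying Certificate drop-down on the EmpowerID server; compare the thumbprints before anything else.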
...
To test the Remote Windows IdP connection
- On the remote machine, prompt for Windows credentials by opening a browser and navigating to the URL you specified for the Remote Identity Provider connection on the EmpowerID server.
- Type the credentials of a remote user in the Windows Authentication dialog and click OK.
- This starts the Login workflow and directs your browser to the EmpowerID login check, which asks if you already have an EmpowerID login. Since this is your first login as the remote user, click No.
- In the Create User Account Form that appears, fill in the required First Name and Last Name fields, as well as any other fields for which you have information and click Submit.
- Click OK to close the submission confirmation message.
- Log in to the EmpowerID Web application as an administrator and from your dashboard click the link from an anonymous user requesting an EmpowerID Person account.
- From the Task Details page that appears, select Approve.
- Type a comment for the approval and then click OK.
- Once the process completes, log out of the Web application.
- From the remote server, navigate your browser to the URL for the Remote Identity Provider connection on the EmpowerID server and, when prompted, enter the Windows credentials for that person and click OK.
- Answer the Password Self-Service Reset questions and click Submit.
...