Configuring the Sample .NET Web application for the EmpowerID Agent

...

To configure the Web application for the EmpowerID Agent

  1. In the Navigation Sidebar of the EmpowerID Web interface, expand Admin and click SAML.
  2. Search for AndysBeans and locate the ACS URL and the User Entered URL.
  3. Copy the GUID at the end of the ACS URL and the User Entered URL. You will need to add these values to the AndysBeans Web.config file.



  4. From Windows Explorer, navigate to your Web application folder and open the Web.config file with any text editor.
  5. In the Web.config file, navigate to <appSettings> and add the following key/value pairs:
    • certificateThumbprintForEncryption - This is the thumbprint of the certificate that the SAML request uses to deserialize the requested URL when the agent is in SAML mode. This thumbprint must be from the certificate used when creating the SSO Connection for your Web application.

      The syntax for this setting is as follows:

      <add key="certificateThumbprintForEncryption" value="c9daa74ecdb026dc3ee98737b02a5f652f452114" />




    • certificateThumbprintForToken - This is the thumbprint of the certificate that is linked to the person making the API calls.

      The syntax for this setting is as follows:

      <add key="certificateThumbprintForToken" value="F59FC4F475AB382470AE2690701508F4F184C0EF" />




    • EidInitializeIdentityAssemblyInfo: This allows you to override the default logic for setting the HttpContext Identity. (HttpContext is the object that contains all the information about an individual HTTP request.) To override this, create your own assembly with an interface that implements IInitializeUserIdentity and set this value to that of your custom assembly.

      The syntax for this setting is as follows:

      <add key="EidInitializeIdentityAssemblyInfo" value="AssemblyTest, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />




    • EidIdpUrl: This specifies the URL to which users are redirected if they are not currently authenticated.

      The syntax for this setting is as follows, where "YourWebServer" is the FQDN of the server hosting your Web application and "YourSSOConnection" is the name of the SSO Connection you created for your protected Web application. In the case of AndysBeans, the value for "YourSSOConnection" is AndysBeans.

      <add key="eidIdpUrl" value="https://YourWebServer/WebIDPForms/Login/YourSSOConnection" />



    • EidSlidingExpirationTimeout - This specifies the time in minutes that a session cookie remains valid. Users must reauthenticate once this time window expires.

      The syntax for this setting is as follows:

      <add key="EidSlidingExpirationTimeout" value="60" />



    • EventLogSourceName - This is an optional setting that allows you to specify a log source name for logging entries related to the agent.

      The syntax for this setting is as follows:

      <add key="EventLogSourceName" value="EIDHttpModule" />



    • EventLogLogName - This is an optional setting that allows you to specify a log name for logging events related to the agent.

      The syntax for this setting is as follows:

      <add key="EventLogLogName" value="EIDHttpModuleLog" />



    • EnableEventLogging - This is a Boolean that specifies whether Windows event logging is enabled or disabled for the agent. Set this to false when the agent is running in production.

      The syntax for this setting is as follows:

      <add key="EnableEventLogging" value="false" />



    • HTTPMODULEAuthorizationEncryptionSalt - This is used to encrypt and decrypt the EmpowerID cookie containing the user identity and SSO Application IDs that person has authenticated against. This value can be arbitrary.

      The syntax for this setting is as follows:

      <add key="HTTPMODULEAuthorizationEncryptionSalt" value="11021" /> 



    • HTTPMODULECustomAuthenticationAssembly - This is an advanced optional setting that specifies the fully qualified name of the dll/type to load to implement custom authentication and authorization logic.

    • HTTPMODULEIdentityPrincipalType - This determines the type of identity set by the agent. The values can be either "Forms" or "Claims" and must match the type of identity used by the Web application being protected. Since AndysBeans uses Forms authentication, the value of this key is set to Forms.

      The syntax for this setting is as follows:

      <add key="HTTPMODULEIdentityPrincipalType" value="Forms" />



    • HTTPMODULEEnablePathAuthorization: This is a Boolean that specifies whether the agent enforces URL path authorization for the Protected Application URLs (PURLs) you created for the Web application. If the value is set to "false", the agent does not stop users without the appropriate delegations in EmpowerID from accessing the URL. So, for example, if you created the "employeemanager" PURL demonstrated in the Creating a WAM SSO Application for the Sample App topic, but set this value to "false," then any user with knowledge of the URL can access it, unless the application itself specifically sets access control parameters.

      The syntax for this setting is as follows:

      <add key="HTTPMODULEEnablePathAuthorization" value="true" />



    • HTTPModuleTokenMode - This is used to set whether the agent operates in reverse proxy or SAML mode. In reverse proxy mode, the agent assumes the EID_USER variable inserted into the HTTP header is authenticating the user; otherwise, it looks for a SAML redirection response. To specify reverse proxy mode, set the value to "Forms." To specify SAML mode, set the value to "Saml." If you do not specify a value, the agent defaults to reverse proxy mode.

      The syntax for this setting is as follows:

      <add key="HTTPModuleTokenMode" value="Saml" />




    • HTTPMODULESchemeAndHostName - This is used to specify the host name and the scheme for the base URL of the application.

      The syntax for this setting is as follows:

      <add key="HTTPMODULESchemeAndHostName" value="https://sso.empowersso.com/andysbeans" /> 




    • HTTPMODULEApiPath - This is used to specify the path to the API endpoint for making access calls to EmpowerID.

      The syntax for this setting is as follows:

      <add key="HTTPMODULEApiPath" value="/api/services/v1/ReverseProxy/GetResults" /> 




    • HTTPMODULEApiKey - This is used to specify the API key for the OAuth application created for the Web application.

      The syntax for this setting is as follows:

      <add key="HTTPMODULEApiKey" value="7ea95464-05e0-4982-ae72-1b2f0559cc95" /> 





    • HTTPMODULEClientID - This is used to specify the Client ID for the OAuth application created for the Web application.

      The syntax for this setting is as follows:

      <add key="HTTPMODULEClientID" value="063a9e21-ff66-4450-b105-2d4ca7b991b2" /> 




    • HTTPMODULERBAC_REFRESH_INTERVAL_SECONDS - This is used to specify the interval in seconds that must pass before the module makes an API call to refresh RBAC.

      The syntax for this setting is as follows:

      <add key="HTTPMODULERBAC_REFRESH_INTERVAL_SECONDS" value="3600" /> 






    • HTTPMODULEErrorUrl - This is an optional setting that you can use to specify a custom page for displaying module errors to your end users. If this key is not added to the config file, then the agent displays the default error page.

      The syntax for this setting is as follows, where /home/error is the location of the custom error page on AndysBeans:

      <add key="HTTPMODULEErrorUrl" value="http://sso.empowerid.com:8080/AndysBeans/home/error" />





    • HTTPMODULENotAuthorizedUrl - This is an optional setting that you can use to specify a custom page for displaying messages to users who do not have the delegations to view a requested page. If this key is not added to the config file, then the agent displays the default not authorized message.

      The syntax for this setting is as follows:

      <add key="HTTPMODULENotAuthorizedUrl" value="https://sso.empowerid.com:8080/AndysBeans/home/unauthorized/" />





    • RedirectUrlGuid: This specifies the GUID that EmpowerID generated for the SSO Connection linked to your Web application when you created it. EmpowerID appends this GUID to the TargetURL you entered for the SSO Connection.

      The syntax for this setting is as follows:

      <add key="RedirectUrlGuid" value="42f07925-1b7b-48a0-b48b-a431cca0f133" />





      After you have completed the above, the <appSettings> section of your configuration file contains these key/value pairs and looks similar to the image below.



  6. In the config file, navigate to the <system.webServer> section and add the following under <modules runAllManagedModulesForAllRequests="true">. Make sure that the .NET version matches the version of the .NET assembly you received from EmpowerID (Net35 or Net45).

    <add name="EidAuthenticationHeaderModule" type="TheDotNetFactory.EmpowerID.Web.Core.Modules.EidAuthenticationHeaderModule,
                                    TheDotNetFactory.EmpowerID.Web.Net45.Modules, Version=4.0.0.0, Culture=neutral"/>

    The <system.webServer> section now looks similar to the following image.

  7. Save your changes and reset IIS.


Now that we have configured the AndysBeans Web.config file for use with the agent only, we can test the Web agent.
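
A pre-deployment check for the <appSettings> keys described above, as an added example that is not part of the EmpowerID documentation or product. The function name, the sample fragment, and the HTTPS and sample-salt rules are assumptions of this example; the thumbprint rule catches the invisible U+200E character that copying a thumbprint from the Windows certificate dialog commonly adds.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample Web.config fragment (not from a real deployment). The
# thumbprint value starts with an invisible U+200E left-to-right mark.
SAMPLE = """<configuration><appSettings>
  <add key="certificateThumbprintForEncryption" value="\u200ec9daa74ecdb026dc3ee98737b02a5f652f452114" />
  <add key="eidIdpUrl" value="http://YourWebServer/WebIDPForms/Login/AndysBeans" />
  <add key="HTTPMODULEAuthorizationEncryptionSalt" value="11021" />
  <add key="HTTPMODULEEnablePathAuthorization" value="false" />
  <add key="HTTPModuleTokenMode" value="Saml" />
  <add key="RedirectUrlGuid" value="42f07925-1b7b-48a0-b48b-a431cca0f133" />
</appSettings></configuration>"""

HEX = set("0123456789abcdefABCDEF")
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# key -> (predicate the value must satisfy, finding reported when it does not).
# The HTTPS and sample-salt rules are this example's policy, not EmpowerID's.
RULES = {
    "eidIdpUrl": (lambda v: v.lower().startswith("https://"), "login redirect is not HTTPS"),
    "HTTPMODULEAuthorizationEncryptionSalt": (lambda v: v != "11021", "salt is the documentation sample"),
    "HTTPMODULEEnablePathAuthorization": (lambda v: v.lower() == "true", "PURL path authorization not enforced"),
    "HTTPModuleTokenMode": (lambda v: v.lower() in ("forms", "saml"), "must be Forms or Saml"),
    "HTTPMODULEIdentityPrincipalType": (lambda v: v.lower() in ("forms", "claims"), "must be Forms or Claims"),
    "RedirectUrlGuid": (lambda v: GUID.fullmatch(v) is not None, "not a GUID"),
}

def lint_app_settings(xml_text):
    """Return sorted (key, finding) pairs for the agent keys present in <appSettings>."""
    root = ET.fromstring(xml_text)
    # Keys are matched case-insensitively: the page writes both EidIdpUrl and eidIdpUrl.
    settings = {a.get("key", "").lower(): a.get("value", "")
                for section in root.iter("appSettings") for a in section.iter("add")}
    findings = []
    for key in ("certificateThumbprintForEncryption", "certificateThumbprintForToken"):
        value = settings.get(key.lower())
        stray = sorted({f"U+{ord(c):04X}" for c in (value or "") if c not in HEX})
        if stray:
            findings.append((key, "non-hex characters: " + ", ".join(stray)))
        elif value is not None and len(value) != 40:
            findings.append((key, "expected 40 hex digits"))
    for key, (ok, finding) in RULES.items():
        value = settings.get(key.lower())
        if value is not None and not ok(value):
            findings.append((key, finding))
    return sorted(findings)

if __name__ == "__main__":
    print(*lint_app_settings(SAMPLE), sep="\n")
```

Keys that are absent from the file are skipped, so the optional settings do not produce findings.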


