Unable to render embedded object: File (Emp18Notice.png) not found.
Skip to end of banner
Go to start of banner

Creating a Pre-Authentication Header WAM Application for AndysBeans

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

/wiki/spaces/E2D/pages/29982926  /  Single Sign-On and MFA  /  Web Access Management  /  Current: Creating a WAM SSO Application for Andy's Beans


To enable the EmpowerID Agent to protect the Andy's Beans Web site, you neet to create an application for it with URL subcomponents for each URL or group of URLs on the site you want to protect in EmpowerID and link that application to a SAML SSO Connection to provide single sign-on capabilities to all authorized users.

For the AndysBeans Web site, there are a number of URLs that need to be restricted. These include the following:

  • AndysBeans/Employees
  • AndysBeans/Employees/Details
  • AndysBeans/Employees/MyHR
  • AndysBeans/Employees/MyMedical
  • AndysBeans/Employees/UpdatePlan
  • AndysBeans/EmployeeManager/
  • AndysBeans/EmployeeManager/Create
  • AndysBeans/EmployeeManager/Details
  • AndysBeans/EmployeeManager/Edit
  • AndysBeans/EmployeeManager/Delete
  • AndysBeans/ProductManager
  • AndysBeans/ProductManager/Create
  • AndysBeans/ProductManager/Details
  • AndysBeans/ProductManager/Edit
  • AndysBeans/ProductManager/Delete

There are a number of ways in which these URLs can be protected, depending on the granularity of your security policy: You can add a URL subcomponent that is an exact match for a specific URL, limiting the scope of the subcomponent to that one URL; you can create a URL subcomponent that uses a javascript regular expression to block access to all URLs meeting the condition (pattern match) of the expression; or, you can create a path-specific URL subcomponent that restricts access to any URL with a matching beginning path. For our purposes, we will use a combination of pattern matches and beginning paths to protect the URLs on the AndysBeans Web site.

This topic demonstrates how to create an application for AndysBeans and add to it URL subcomponents for each path that needs to be protected from unauthorized access.

To create an WAM SSO application for AndysBeans

From the Navigation Sidebar of the EmpowerID Web interface, navigate to the Application page by expanding Applications and clicking Manage Applications. From the Application page, click the Create Application Action link.

This opens the Application Details form for the application. This form provides you with fields and options for registeringapplications in EmpowerID.

In the General section of the form, do the following:
  1. Type AndysBeans in the Name field.
  2. Type Andy's Beans Web Site in the Display Name and Description fields.
  3. Leave the Icon field as is.
  4. Leave the Full URL (Exact Match Path) blank. This field is used with Reverse Proxy applications.
  5. Type the Base URL for the HTTP Module in the Base URL for HTTP Module field. For the sample app, the value
  6. Leave Allow Access Requests checked. When this option is selected, the application appears in the IT Shop,allowing users to request or claim an account in the application.
  7. Leave Allow Claim Account checked. When this option is selected, users can claim their accounts and gaininstant access after passing the requisite identity proofs.
  8. Select Login Is Email Address (Receive OTP to Claim). This setting is necessary for receiving a one-time password to claim the account as well as for passing the appropriate identity assertion to the application when logging in from EmpowerID.
  9. Leave Allow Request Account checked. When this option is selected and Allow Access Requests is selected, users can request an account in the application.
  10. Tick Make me the Application Owner so that the option is selected. Application owners have the abilityto manage the application and approve or deny access requests.
  11. Leave Configure Advanced Claim and Request Account Options deselected.

The following image shows what the General section of the Application Details form looks like after completingthe above steps.

Click the Single Sign-On tab, select Web Access Management (HTTP Header) from the Single Sign-On Connection Type drop-down.

This opens the WAM Connection Information section of the form. You use this section to build the SSO Connection forthe Web application.

In the WAM Connection Information section, do the following: Leave the Display Name field as is. Enter https://sso.empowersso.com/andybeans in the Base URL for Reverse Proxy field, replacing sso.empowersso with the FQDN of the server hosting the application in your environment. Enter Andy's Beans WAM connection in the Description field. Leave Allow Anonymous Access to Unprotected paths deselected. Leave Use Target Hostname in Requests (Reverse Proxy Only) deselected. Select the certificate used in your environment for signing SAML assertions from the Certificate drop-down.
This certificate can be a self-signed certificate that you can generate using the EmpowerID Certificate Manager. The certificate must be mapped to an EmpowerID Person with the access needed to make calls to the EmpowerID API. For information on using the Certificate Manager to generate the certificate and mapping it to an EmpowerID Person, expand the below drop-down.

To generate and map a self-signed certificate
From your EmpowerID server, open the EmpowerID Certificate Manager by searching for EmpowerID Certificate Manager.
EmpowerID stores each certificate in the CertificateStore table of the EmpowerID Identity Warehouse.
In a default installation of EmpowerID, the path to the executable for the EmpowerID Certificate Manager utility is located at:

C:\Program Files\TheDotNetFactory\EmpowerID\Programs\EmpowerID.CertificateManager.exe
From the EmpowerID Certificate Manager, click the Generate tab and then do the following:
  • Select the X509 Certificate certificate type.
  • Enter a password for the certificate in the Password field.
  • Browse to and select an Output Folder for the certificate.
  • Check Import to EmpowerID Certificate store.
  • Check Import to Local Certificate Store.
  • Click Generate.

Next, map the certificate to an EmpowerID Person with the access to make API calls by doing the following:

  1. From the EmpowerID Web interface, navigate to the View page for the Person to whom you want to map the certificate.
  2. From the View page for the person, expand the Role, Accounts, and Login Security accordion and then click the Edit link in the Mapped Login Certificates pane.
  3. Search for and select the self-signed certificate and then click Save.


When you have finished the above, the WAM Connection Information section should look similar to the following image.

Click the Users tab and tick Create a New Account Directory so that the option is selected. In this way, EmpowerID will create a special type of account store for AndysBeans, known as a "tracking-only" account store. A tracking-only account store exists as a container within EmpowerID for storing user and group records for SSO or attestation withoutmaking a connection to the external directory associated with the application. Opting to create a new accountstore when registering applications in EmpowerID is advantageous in that doing so creates a one-to-one correlationbetween the account store and the application, as well as the SSO connection for the application.
When you create a new Account Directory, EmpowerID names the directory after the name of the application.
Click the Extension tab and enter 1111 in the AppExtensionAttribute12 field. Click Add to Cart. Click the My Cart icon and in the dialog that appears, enter a reason for creating the application and then click Submit.

Now that the WAM application has been created, the next step is to add protected application subcomponents for each of the URLs that need to be protected for unauthorized access.

To add protected application subcomponents (URLs)

From the Navigation Sidebar of the EmpowerID Web interface, navigate to the Application page by expanding Applications and clicking Manage Applications. Search for Andy's Beans Web Site and then click the Display Name link for it. This directs you to the View One page for the application. View One pages allow to view information about an object in Empoweridand manage it as needed. From the View One page, expand the Protected Application Components accordion and then click the Add Protected Application Subcomponent (+) button. In the dialog that appears do the following to protect all pages of Andy's Beans that start withproductmanager:
  1. Select URL from the Type drop-down.
  2. EnterAB Product Manager Pages in the Name, Display Name and Description fields.
  3. Leave the Icon field as is.
  4. Check Allow Access Requests. This allows users to request access to the page from the IT Shop.
  5. Enter andysbeans/productmanager in the Starts With Path field.
  6. Leave ABAC Check deselected.
  7. Click Save.
From the Protected Application Components accordion click the Add Protected Application Subcomponent (+) button. In the dialog that appears do the following to protect the all pages in Andy's Beans beginning withemployees:
  1. Select URL from the Type drop-down.
  2. Enter AB Employee Pages in the Name, Display Name andDescription fields.
  3. Leave the Icon field as is.
  4. Check Allow Access Requests. This allows users to request access to the page from the IT Shop.
  5. Enter andysbeans/employees in the Starts With Path field.
  6. Leave ABAC Check deselected.
  7. Click Save.
From the Protected Application Components accordion then click the Add Protected Application Subcomponent (+) button. In the dialog that appears do the following to protect the all pages in Andy's Beans beginning withemployeemanager:
  1. Select URL from the Type drop-down.
  2. Enter AB Employee Manager Pages in the Name, Display Name and Description fields.
  3. Leave the Icon field as is.
  4. Check Allow Access Requests. This allows users to request access to the page from the IT Shop.
  5. Enter andysbeans/employeemanager in the Starts With Path field.
  6. Leave ABAC Check deselected.
  7. Click Save.

The Protected Application Subcomponents accordion should look like the below image:

Now that the application and the protected application subcomponents for the application have been created, the next step is to create a number of people in EmpowerID with accounts in Andy's Beans. For the full list of these user accounts see

To add user accounts to the Andy's Beans WAM application account store

Navigate to the User Accounts page by expanding Identities and clicking User Accounts. Click the Create User (Person Optional) action link.

This opens the Create User form.

Select Personal Standard from the Account Type drop-down. Enter Charles in the First Name field. Enter Stripe in the Last Name field. Enter Charles Stripe in the Display Name field.
Charles Stripe is the Employee Manager for Andy's Beans.
Underneath Account Creation Location, click the Select a Location link and in the Location Selector search for AndysBeans and then click the node for AndysBeans to select it. Click Save to close the Location Selector. Enter charles.stripe@andysbeans.com in the Logon Name field. Enter Andy's Beans user account for Charles Stripe in the Description field. Optionally, enter any comments in the Comments or Justification field. Check Create a new EmpowerID Person object. The person created will be the owner of the user account. Underneath Person Business Role, click the Select a Role and Location link to open the Business Role and Location selector. Search for the Temporary Role Business Role and then click the node for that role to select it. Click Location to open the Location panel of the Business Role and Location selector. Search for the Temporary Location Location and then click the node for that location to select it. Click Select`to select the Business Role and Location combination and close the Business Role and Location selector. Check Allow me to enter a password and then enter pass@word1 in the Password and Confirm Password fields. Ensure that Allow Joining Account to Person and Allow Provisioning a Person from Account are selected Click Save.

After EmpowerID creates the user account and the person owning the account, your browser will be directed the Account Details page for the account.

From the Account Details page, click the EmpowerID Logon link. This will direct your browser to the View page for the Charles Stripe person. From the View page for Charles Stripe, expand the Access Assignments accordion. From the Access Assignments accordion, do the following to give Charles Stripe access to the employees and employeemanager pages of the AndysBeans application.
  • Click the Add New Assignment (+) button.
  • Select Direct from the Assign direct to resource or other method drop-down.
  • Select Pages and Reports from the Resource Type drop-down.
  • In the Enter a Pages and Reports Name to Search field, enter AB Employee Manager Pages and then click the tile to select the resource.
  • Select Viewer from the Access Level drop-down.
  • Click Save to add the assignment to the Shopping Cart.
  • Repeat the above, this time giving Charles Stripe Viewer access to AB Employee Pages.

Next, change the EmpowerID Login for Charles Stripe from the click the Edit link to put the page in edit mode.

From the View page for Charles Stripe, click the Edit link to put the page in edit mode. Locate the Login field and change the value from charles.stripe@andysbeans.com to charles.stripe. Enter Self-Service User in the Management Roles field and then click the tile for the role to select it. Click Save. Finally, click the Shopping Cart and in the dialog that appears, enter a reason for the assignment and then click Submit. Repeat the above steps for the following Andy's Beans users:
  • George Varghese - George Varghese is the Product Manager for Andy's Beans and needs access to the employees and productmanager pages of Andy's Beans.
  • Barry Chandler - Barry Chandler is an employee of Andy's Beans and needs access to the employees pages of Andy's Beans.
  • Fritz Dame - Fritz Dame is an employee of Andy's Beans and needs access to the employees pages of Andy's Beans.
  • Tim Johnson - Tim Johnson is an employee of Andy's Beans and needs access to the employees pages of Andy's Beans.
  • Maria Hansen - Maria Hansen is an employee of Andy's Beans and needs access to the employees pages of Andy's Beans.
  • Rhonda Black - Rhonda Black is an employee of Andy's Beans and needs access to the employees pages of Andy's Beans.
For a full list of all Andy's Beans users and their roles, see About the Sample Web Application.

Now that you have created the WAM application for AndysBeans, the next step is to create an OAuth application for it.

  • No labels