Installing EmpowerID Silently
When installing EmpowerID, you have two options: you can install EmpowerID using the MSI, or you can use the EmpowerID Configurator to create a batch file that is configured with the installation settings for your environment. When ready, you can then execute the batch file to silently install EmpowerID on any network-reachable dedicated EmpowerID Web server.
Please note that when installing EmpowerID with the silent installer, you have fewer configuration options than when using the MSI.
The User Account Control (UAC) in Windows must be turned off for the installation of EmpowerID. All settings should be disabled in secpol.msc before proceeding.
To ensure a smooth install, make sure EmpowerID files, including websites and programs, are excluded from anti-virus scanning software settings.
To silently install EmpowerID
- From the EmpowerID installation folder, copy the EmpowerID Database .bak file to the server hosting your SQL Server.
- From SQL Server, restore the EmpowerID Database. The user account must have the right to restore a SQL database.
- Back in the EmpowerID installation folder, navigate to the Configurator directory and double-click the EmpowerID.Configurator.exe application file.
This opens the EmpowerID Configurator Utility. You use this utility to add the EmpowerID configuration settings that will be used in the installation batch file.
- From the General Settings tab of the EmpowerID Configurator, do the following:
- In the SMTP Server field, type the FQDN of the Exchange server EmpowerID should use for sending any automated emails generated by the system.
- In the Email Address field, type the default email address EmpowerID should use for sending any automated emails generated by the system.
- Type the licensing key you received from EmpowerID in the License Key field and then click the Add License File (...) button.
- In the Open File dialog that appears, locate and select the EmpowerID License File (.eidlic) you received from EmpowerID and then click Open.
- Click the SQL Connection tab of the EmpowerID Configurator and do the following:
- Type the name or IP address of the SQL server you are using to host the EmpowerID Identity Warehouse in the Server Name field.
- Underneath Authentication, select Windows Authentication.
- Select the EmpowerID Identity Warehouse from the Database Name drop-down.
- Test the connection by clicking Test Connection.
- You should see a message box with a "Connection Passed" message. Click OK to close the message box.
- Click the Web Server tab of the EmpowerID Configurator and do the following:
- Type the FQDN of your EmpowerID Web server in the Web Server URL field. Be sure to use the https scheme.
- Select an existing Web site to host the EmpowerID Web application from the IIS Website drop-down or enter a name to create a new site. By default, EmpowerID selects the Default Web site.
- Under SSL Certificate, click Browse, choose whether you want to select the SSL certificate from the local certificate store or browse for the certificate PFX file, and then click OK.
- Locate and select the SSL certificate you want to use to encrypt and decrypt EmpowerID communications and click Open. In this example, we selected a PFX file stored on the local machine.
- Type the certificate password in the Password field of the Enter Certificate Password dialog and click OK.
You can generate a test certificate by clicking the Generate button. Certificates generated in this way should not be used in production.
- Type the user name and password for the account running the application pools in the Username and Password fields, respectively. This account must have the appropriate access levels to read from and write to the EmpowerID Identity Warehouse.
- Click the Web Applications tab of the EmpowerID Configurator and do the following:
- Underneath Internal Web Applications, select each EmpowerID Web application you want to install on the Web server. These applications include the following:
- API Exchange Services — This application manages all Exchange-related requests.
- API Workflow — This application manages all traffic related to workflow requests made to EmpowerID.
- API Web Garden — This application manages any EmpowerID processes that need to scale based on load, spooling up multiple worker threads to distribute the load and provide high availability.
- Underneath External Web Applications, select each EmpowerID Web application you want to install on the Web server. These applications include the following:
- Service Provider — This application manages all EmpowerID Service Provider traffic for the EmpowerID Web application.
- API — This application provides the functionality for making Web API calls to EmpowerID.
- Web CDN — This application contains the CSS, Image and script files used by the EmpowerID Web application.
- Reporting Services — This application provides the functionality for integrating and managing Microsoft Reporting Services with EmpowerID.
If desired, you can edit the default Web Application Name for each external web application to match your branding. To do so, double-click the field that corresponds to the web application you want to change and enter the new name.
- Underneath Identity Providers, select each identity provider application you want to install on the Web server. These applications include the following:
- OAuth — Provides support for OAuth.
- Forms IdP — Provides support for native forms authentication to the EmpowerID SP.
- Windows IdP — Provides support for Windows authentication to the EmpowerID SP.
- SmartCard IdP — Provides support for SmartCard certificate-based authentication to the EmpowerID SP.
- WSFederation IdP — Internally handles packet traffic sent to EmpowerID from WS-Federation service providers.
If desired, you can edit the default name for each identity to match your branding. To do so, double-click the field that corresponds to the identity provider you want to change and enter the new name.
- Click the System Certificates tab of the EmpowerID Configurator and do the following:
The below certificates can be the same certificate as the one you selected for SSL. You do not need to use different certificates.
- To the right of the Signing Certificate field, click the Browse button and select the certificate EmpowerID should use for signing WS-Trust/WS-Federation security tokens. The format for the certificate is PFX.
- Type the certificate password in the Password field of the Enter Certificate Password dialog and click OK.
- To the right of the Encryption Certificate field, click the Browse button and select the certificate EmpowerID should use for encrypting WS-Trust/WS-Federation security tokens. The format for the certificate is PFX.
- To the right of the SAML Signing Certificate field, click the Browse button and select the certificate EmpowerID should use for signing SAML assertions. The format for the certificate is PFX.
- To the right of the System Access Certificate field, click the Browse button and select the certificate EmpowerID should use to authenticate the EmpowerID services. The format for the certificate is PFX.
- Click the Services tab of the EmpowerID Configurator and do the following:
- Underneath Windows Services, select each EmpowerID Windows service you want to install on the server, providing the user name and password for the identity that is to run each. These services include the following:
- EmpowerID Web Role Service — This service is required on all EmpowerID Web servers and is responsible for managing workflow-related services and global assembly cache content synchronization.
- EmpowerID Worker Role Service — This service must be on a server with IIS installed and is responsible for processing the EmpowerID Web Service Garden as well as running scheduled EmpowerID jobs and long running tasks, such as RBAC security compilation and inventory processing.
- EmpowerID Radius Service — This service provides RADIUS authentication for routers, switches and other RADIUS-compliant devices.
- If you are using Reporting Services for EmpowerID reports, underneath Reporting Services do the following:
- Type your report server web service URL in the Report Server URL field.
- Type the report server folder name in the Report Server Folder field.
- Type the SAML service provider connection for SSRS in the SAML Connection field.
- Click the Miscellaneous pane of the EmpowerID Configurator and decide whether you want to use a separate CDN (Content Delivery Network) in place of your default EmpowerID Web server to deliver the CSS, image and script files used by the EmpowerID Web application. If you do want to use a separate CDN, type the URL to the CDN in the CDN Server URL field. You can deploy EmpowerID's static content to a separate, resolvable server (with a different DNS), or you can deliver the content to a true CDN with replication and geographical load-balancing, such as those offered by AWS or Azure. Using a separate CDN in this way can improve response times because the browser caches the content and EmpowerID refrains from sending cookies on each call (as it does in the default configuration).
- Click the Export Options pane of the EmpowerID Configurator and do the following:
- Click the EmpowerID MSI ellipses button (...) and browse to the EmpowerID MSI file location on your server.
- Select the MSI and click Open.
- If you wish to select a folder for the exported files other than the default, click the Output Folder ellipses (...) button and browse to the desired folder.
- Click OK to select the folder.
- When ready, click Save.
- Click OK to close the Saved message box.
- Click Close to close the EmpowerID Install Configuration Utility.
- Navigate to the folder you specified for EmpowerID to output the installation batch file.
You should see two files in the folder: eid.install, which is an encrypted XML file with the configuration settings you specified, and install, which is the installation batch file.
- When ready, execute the batch file (install.bat) to install EmpowerID.
When the installation completes, EmpowerID generates a text file named output.log with the results of the install (shown below with the results of the installation highlighted), starts the EmpowerID Web Role Windows service and begins the process of GAC'ing the EmpowerID assemblies.
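The certificate steps on the Web Server and System Certificates tabs all take a PFX file, so it is worth checking each file before selecting it in the Configurator. The PowerShell below is an added example, not part of the EmpowerID documentation or tooling: `Test-PfxForInstall` is a hypothetical helper, the thresholds (30 days, 2048-bit RSA) and the self-signed heuristic are assumptions, and the sample PFX is constructed in memory for the demonstration.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper (not an EmpowerID tool): inspect a PFX before it is
# selected in the Configurator. Thresholds are assumptions; adjust to policy.
function Test-PfxForInstall {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password,
        [int] $MinDaysValid = 30
    )
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    # A wrong password or corrupt file throws here, before the installer runs.
    $cert = [X509Certificate2]::new($full, $Password)
    try {
        $rsa = [RSACertificateExtensions]::GetRSAPublicKey($cert)
        $issues = @()
        if (-not $cert.HasPrivateKey) { $issues += 'no private key in PFX' }
        if ($cert.NotBefore -gt (Get-Date)) { $issues += 'not yet valid' }
        if ($cert.NotAfter -lt (Get-Date).AddDays($MinDaysValid)) { $issues += "expires within $MinDaysValid days" }
        # Self-signed is treated as a sign of a test certificate (heuristic).
        if ($cert.Subject -eq $cert.Issuer) { $issues += 'self-signed' }
        if ($rsa -and $rsa.KeySize -lt 2048) { $issues += "RSA key is $($rsa.KeySize) bits" }
        if ($cert.SignatureAlgorithm.FriendlyName -match 'sha1|md5') { $issues += 'weak signature hash' }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Issues     = $issues
            Ok         = ($issues.Count -eq 0)
        }
    } finally { $cert.Dispose() }
}

# Constructed sample input: a throwaway self-signed PFX
# (CertificateRequest needs .NET Framework 4.7.2+ or PowerShell 7).
$plain = 'constructed-sample-password'
$key   = [RSA]::Create(2048)
$req   = [CertificateRequest]::new('CN=constructed-sample.example', $key,
            [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$self  = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(90))
$tmp   = Join-Path ([IO.Path]::GetTempPath()) 'constructed-sample.pfx'
[IO.File]::WriteAllBytes($tmp, $self.Export([X509ContentType]::Pfx, $plain))
Test-PfxForInstall -Path $tmp -Password (ConvertTo-SecureString $plain -AsPlainText -Force)
Remove-Item -LiteralPath $tmp
```

For real files, pass the password with `Read-Host -AsSecureString` so it does not land in shell history.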