Configuring the Web Application for the Reverse Proxy

Owned by Phillip Hanegan
Last updated: Nov 12, 2019Version comment
4 min read

After creating the Reverse Proxy WAM application and the protected URLs, the last step to enable EmpowerID to protect the AndysBeans application is to add the necessary key/value pairs to the application's Web.config file as described below. Not all of these key/value pairs are used with AndysBeans. For example, the EidInitializeIdentityAssemblyInfo key is used to override the default logic of the Agent for setting the HttpContext Identity. However, these optional keys are included for your information.

This example makes adjustments to the AndysBeans Web.config file. If you prefer, you can add these values to the registry instead.

However, when protecting multiple Web applications, avoid using the registry and instead make your adjustments for each application in the application's config file.

To alter the registry, open Registry Editor, navigate to the TheDotNetFactory\EmpowerID key and add a subkey named WebSettings. You can then add your key/value pairs there.


To configure the Web application for the EmpowerID Reverse Proxy

  1. In the navigation sidebar of the EmpowerID Web interface, expand Admin, then SSO Connections and click SAML.
  2. Search for the reverse proxy application you created for AndysBeans and locate the ACS URL and the User Entered URL.
  3. Copy the GUIDs at the end of the ACS URL and the User Entered URL. You will need to add these values to the AndysBeans Web.config file.



  4. From Windows Explorer, navigate to your Web application folder and open the Web.config file with any text editor.
  5. In the Web.config file, navigate to <appSettings> and add the following key/value pairs:

    • EidInitializeIdentityAssemblyInfo — This allows you to override the default logic for setting the HttpContext Identity. (HttpContext is the object that contains all the information about an individual HTTP request.) To override this, create your own assembly with an interface that implementsIInitializeUserIdentity and set this value to that of your custom assembly.

      The syntax for this setting is as follows:

    • EidIdpUrl — This specifies the URL to which users are redirected if they are not currently authenticated.

      The syntax for this setting is as follows, where "YourWebServer" is the FQDN of the server hosting your Web application and "YourSSOConnection" is the name of the SSO Connection you created for your protected Web application.


    • EidSlidingExpirationTimeout — This specifies the time in minutes that a session cookie remains valid. Users will need to reauthenticate once this time windows expires.

      The syntax for this setting is as follows:

    • EventLogSourceName — This is an optional setting that allows you to specify a log source name for logging entries related to the agent. This setting is not used for the Reverse Proxy.

    • EventLogLogName — This is an optional setting that allows you to specify a log name for logging events related to the agent. This setting is not used for the Reverse Proxy.

    • EnableEventLogging — This is a Boolean that specifies whether Windows event logging is enabled or disabled for the agent. This should be set to false when the agent is running in production.

      The syntax for this setting is as follows:

    • HTTPMODULEAuthorizationEncryptionSalt - This is used to encrypt and decrypt the EmpowerID cookie containing the user identity and SSO Application IDs that person has authenticated against. This value can be arbitrary.

      The syntax for this setting is as follows:

    • HTTPMODULECustomAuthenticationAssembly - This is an advanced optional setting that specifies the fully qualified name of the dll/type to load to implement custom authentication and authorization logic.

    • HTTPMODULEIdentityPrincipalType - This determines the type of identity set by the agent. The values can be either "Forms" or "Claims" and should match the type of identity used by the Web application being protected.Since AndysBeans uses Forms authentication, the value of this key should be set to Forms.

      The syntax for this setting is as follows:

    • HTTPModuleTokenMode - This is used to set whether the agent operates in reverse proxy or SAML mode. In reverseproxy mode, the agent will assume the EID_USER variable inserted into the HTTP header is authenticating the user. To specify reverse proxy mode, set the value to "Forms." If you do not specify a value, the agent defaults to reverse proxy mode. 

      The syntax for this setting is as follows:

    • HTTPMODULEErrorUrl - This is an optional setting that you can use to specify a custom page for displayingmodule errors to your end users. If this key is not added to the config file, then the agent displays the default error page.

      The syntax for this setting is as follows, where /home/error is the location of the custom page on AndysBeans for displaying errors:


    • HTTPMODULENotAuthorizedUrl - This is an optional setting that you can use to specify a custom page for displaying messages to users who do not have the delegations to view a requested page. If this key is not added to the config file, then the agent displays the default not authorized message.

      The syntax for this setting is as follows:


    • RedirectUrlGuid: This specifies the GUID that EmpowerID generated for the SSO Connection linked to your Web application when you created it. EmpowerID appends this GUID to the Target URL you entered for the SSO Connection.

      The syntax for this setting is as follows:


  6. In the config file, navigate to the <system.webServer> section and add the following under <modules runAllManagedModulesForAllRequests="true">. Make sure the .NET version matches the version of the .NET assembly you received from EmpowerID (Net35 or Net45).
  7. Save your changes and reset IIS.


Now that we have configured the AndysBeans Web.config file for use with the reverse proxy only, we can Testing Web Access Management.