Remote Windows Identity Provider

Through the Remote Windows Identity Provider (IdP) application, EmpowerID allows organizations to extend authentication to partner organizations without requiring that partner to have a Federation server or be licensed to use EmpowerID. The EmpowerID Remote Identity Provider is a small lightweight component that can be installed on a remote IIS server in AD domains where EmpowerID is not installed. The Remote IdP works by allowing users in external domains to browse to a page on a local Web server that authenticates them against their on-premise Active Directory and then redirects them to an external EmpowerID site with a SAML claim containing their Active Directory username. The external EmpowerID site validates that the information was signed with the appropriate trusted certificate and then authenticates the user as the Person owning the Active Directory user account. Once authenticated, EmpowerID seamlessly forwards the user to the requested destination Service Provider application they requested when browsing their local Web page for authentication. This Service Provider application could be the EmpowerID Web site or another SSO application, such as SalesForce.com, depending on how the SSO connection is configured. If the Service Provider application specified is not EmpowerID, the necessary method for performing single sign-on into that system will be invoked.

To set up the Remote Windows Identity Provider, you need to create a SAML IdP connection for it and then install the application. This article takes you through the process and also demonstrates how to test the IdP.

Create an IdP connection

1. On the navbar, expand Single Sign-On > SSO Connections and then click SAML.

2. On the SAML Connections page, click the Add New button above the grid.

   Open

   

    

3. In the Connection Details form that appears, enter the following information:

   • Connection Type — Select Identity Provider

   • SAML Identity Provider Template — Select Default SAML IdP Connection Settings

   • Name — Name of the connection, such as RemoteWindowsIDP

   • Display Name — Display name for the connection

   • Name Identifier Format — Unspecified

   • SAML Submission Method — HTTPPost

   • Level of Assurance (LoA) — Enter the desired number of LoA points

   • Issuer — Blank

   • Initiating URL — https://<Your-EmpowerID-Server>/EmpowerIDRemoteIdP/Login/EmpowerIDWebSite/<Name of the SAML connection>

   • Tile Image URL — Leave the value of the field at the default value

   • Description — Description of the connection

   • External Identity Provider URL —Leave the value of the field at the default value (about:blank)

   • Logout URL — Blank

   • Logout SAML Protocol — HTTPArtifact

   • Create a New Account Directory — Select this option

   • Verifying Certificate — Select the certificate for verifying the SAML assertion sent to EmpowerID by the EmpowerID Remote IdP. This certificate must have the public key for the certificate used by the remote server to sign the SAML assertions being sent to EmpowerID.

4. Save the connection.

Install the Remote Windows Identity Provider

1. On the remote server, open the installer for the Remote Windows Identity Provider you received from EmpowerID and click Next.

   Open

   

2. Accept the terms of the license agreement and click Next.

3. Choose your installation path and click Next.

4. Click Install.

5. When the command window appears, press any key to continue.

6. Click Finish to exit the installer.

7. In the EmpowerID Remote IDP Configuration window that appears, enter the following information:

   • Remote EmpowerID Server URL — Enter the URL to the EmpowerID Web server hosting the Remote Identity Provider connection, being sure to use Hypertext Transfer Protocol over Secure Socket Layer. The URL should look similar to "https://sso.empoweriam.com," where sso.empoweriam.com is the FQDN or resolvable DNS alias of your EmpowerID Web server.

   • Username — User name of the app pool identity. This identity must be a local admin on the machine or a registry denial error will occur when running the IDP.

   • Password — Password for the app pool identity

   • IIS Web Site — Select the appropriate site

   • Response Type — SAML

   • Signing Certificate — Select the certificate to be used to sign the SAML assertions sent to the EmpowerID Web server. The verification certificate set for the Remote Identity Provider SSO connection on the EmpowerID server must have the public key for this certificate, as it is used to verify that the assertions are coming from the remote server.

8. Click Apply.

9. Click OK to close the Success message box.

10. Close the configuration window.

Test the connection

1. On the remote machine, prompt for Windows credentials by opening a browser and navigating to the URL you specified for the Remote Identity Provider connection on the EmpowerID server.

2. Type the credentials of a remote user in the Windows Authentication dialog and click OK.

3. This starts the Login workflow and directs your browser to the EmpowerID login check, which asks if you already have an EmpowerID login. Since this is your first login as the remote user click No.

4. In the Create User Account Form that appears, fill in the required First Name and Last Name fields, as well as any other fields for which you have information and click Submit.

5. Click OK to close the submission confirmation message.

6. Log in to the EmpowerID Web application as an administrator and from your dashboard click the link from an anonymous user requesting an EmpowerID Person account.

7. From the Task Details page that appears, select Approve.

8. Type a comment for the approval and then click OK.

9. Once the process completes log out of the Web application.

10. From the remote server, navigate your browser to the URL for the Remote Identity Provider connection on the EmpowerID server and when prompted enter the Windows credential for that person and click OK.

11. Answer the Password Self-Service Reset questions and click Submit.