---title: Configuring the Web application for the Reverse Proxy---
From Windows Explorer, navigate to your Web application folder and open theWeb.config file with any text editor.
In the Web.config file, navigate to <appSettings> and add the following key/value pairs:
certificateThumbprintForEncryption - This is the thumbprint of the certificate that the SAML request uses to deserialize the requested URL when the agent is in SAML mode. This thumbprint must be from the certificate used when creating the SSO Connection for your Web application. This setting is not needed when using the Reverse Proxy.
EidInitializeIdentityAssemblyInfo: This allows you to override the default logic for setting the HttpContext Identity. (HttpContext is the object that contains all the information about an individual HTTP request.) To override this, you need to create your own assembly with an interface that implementsIInitializeUserIdentity and then set this value to that of your custom assembly.
EidIdpUrl: This specifies the URL to which users are redirected if they are not currently authenticated.
EidSlidingExpirationTimeout - This specifies the time in minutes that a session cookie remains valid. Users will need to reauthenticate once this time windows expires.
EventLogSourceName - This is an optional setting that allows you to specify a log source name for logging entries related to the agent. This setting is not used for the Reverse Proxy.
EventLogLogName - This is an optional setting that allows you to specify a log name for logging events related to the agent. This setting is not used for the Reverse Proxy.
EnableEventLogging - This is a Boolean that specifies whether Windows event logging is enabled or disabled for the agent. This should be set to false when the agent is running in production.
HTTPMODULEAuthorizationEncryptionSalt - This is used to encrypt and decrypt the EmpowerID cookie containing the user identity and SSO Application IDs that person has authenticated against. This value can be arbitrary.
HTTPMODULECustomAuthenticationAssembly - This is an advanced optional setting that specifies the fully qualified name of the dll/type to load to implement custom authentication and authorization logic.
HTTPMODULEIdentityPrincipalType - This determines the type of identity set by the agent. The values can be either "Forms" or "Claims" and should match the type of identity used by the Web application being protected.Since AndysBeans uses Forms authentication, the value of this key should be set to Forms.
.
HTTPMODULEEnablePathAuthorization: This is a Boolean that specifies whether the agent will enforce URL path authorization for the Protected Application URLs (PURLS) you created for the Web application. If the value is set to "false", the agent will not stop users without the appropriate delegations in EmpowerID from accessing the URL. So, for example, if you created the "employeemanager" PURL demonstrated in the Creating WAM Applications for the EmpowerID Reverse Proxy topic, but set this value to "false," then any user with knowledge of the URL will be able to access it, unless the application itself specifically sets access control parameters.
HTTPModuleTokenMode - This is used to set whether the agent operates in reverse proxy or SAML mode. In reverseproxy mode, the agent will assume the EID_USER variable inserted into the HTTP header is authenticating the user. To specify reverse proxy mode, set the value to "Forms." If you do not specify a value, the agent defaults to reverse proxy mode.
HTTPMODULEErrorUrl - This is an optional setting that you can use to specify a custom page for displayingmodule errors to your end users. If this key is not added to the config file, then the agent displays the defaulterror page.
HTTPMODULENotAuthorizedUrl - This is an optional setting that you can use to specify a custom page for displaying messages to users who do not have the delegations to view a requested page. If this key is not added to the config file, then the agent displays the default not authorized message.
RedirectUrlGuid: This specifies the GUID that EmpowerID generated for the SSO Connection linked to your Web application when you created it. EmpowerID appends this GUID to the Target URL you entered for the SSO Connection.
In the config file, navigate to the <system.webServer> section and add the following under <modules runAllManagedModulesForAllRequests="true">. Make sure the Net version matches the version of the .NET assembly you received from EmpowerID (Net35 or Net45).
Save your changes and reset IIS.
- Home
- Single Sign-On and MFA
- EmpowerID WAM
- Current: Configuring the Web application for the Reverse Proxy
Configuring the Web application for the Reverse Proxy
After creating the Reverse Proxy WAM application, the protected URLs, and the OAuth application, the last step to enable EmpowerID to protect the AndysBeans application is to add the necessary key/value pairs to the application's Web.config file as described below. Not all of these key/value pairs are used with AndysBeans. For example, the EidInitializeIdentityAssemblyInfo key is used to override the default logic of the Agent for setting the HttpContext Identity. However, we have included these optional keys here for your information.
In our example, we are making adjustments to the Web.config file of AndysBeans. However, if desired, you can addthese values to the registry instead of the Web application's config file. However, when protecting multiple Web applications,you should avoid using the registry and make your adjustments for each application in that application's config file.To alter the registry, open Registry Editor, navigate to the TheDotNetFactory\EmpowerID key and add a subkey named "WebSettings."You can then add your key/value pairs there.
To configure the Web application for the EmpowerID Reverse Proxy
From the Navigation Sidebar of the EmpowerID Web interface, navigate to the SAML Connections page by expandingAdmin and clicking SAML. Search for the reverse proxy application you created for AndysBeans and locate the ACS URL as well as the User Entered URL. Copy the GUID at the end of the ACS URL as well as the User Entered URL. You will need to add these values to the AndysBeans Web.config file.
From Windows Explorer, navigate to your Web application folder and open theWeb.config file with any text editor.
In the Web.config file, navigate to <appSettings> and add the following key/value pairs:
certificateThumbprintForEncryption - This is the thumbprint of the certificate that the SAML request uses to deserialize the requested URL when the agent is in SAML mode. This thumbprint must be from the certificate used when creating the SSO Connection for your Web application. This setting is not needed when using the Reverse Proxy.
EidInitializeIdentityAssemblyInfo: This allows you to override the default logic for setting the HttpContext Identity. (HttpContext is the object that contains all the information about an individual HTTP request.) To override this, you need to create your own assembly with an interface that implementsIInitializeUserIdentity and then set this value to that of your custom assembly.
The syntax for this setting is as follows:
<add key="EidInitializeIdentityAssemblyInfo" value="AssemblyTest, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/<
The syntax for this setting is as follows, where "YourWebServer" is the FQDN of the server hosting your Web application and "YourSSOConnection" is the name of the SSO Connection you created for your protected Web application.
<add key="eidIdpUrl" value="https://YourWebServer/WebIDPForms/Login/YourSSOConnection"/>
The syntax for this setting is as follows:
<add key="EidSlidingExpirationTimeout" value="60"/>
The syntax for this setting is as follows:
<add key="EnableEventLogging" value="false">
The syntax for this setting is as follows:
<add key="HTTPMODULEAuthorizationEncryptionSalt" value="11021"/>
The syntax for this setting is as follows:
<add key="HTTPMODULEIdentityPrincipalType" value="Forms"/>
The syntax for this setting is as follows:
<add key="HTTPMODULEEnablePathAuthorization" value="true">
The syntax for this setting is as follows:
<add key="HTTPModuleTokenMode" value="Forms"/>
The syntax for this setting is as follows, where /home/error is the location of the custom pagae on AndysBeans for displaying errors:
<add key="HTTPMODULEErrorUrl" value="http://sso.empowerid.com:8080/AndysBeans/home/error"/>
The syntax for this setting is as follows:
<add key="HTTPMODULENotAuthorizedUrl" value="https://sso.empowerid.com:8080/AndysBeans/home/unauthorized/">
The syntax for this setting is as follows:
<add key="RedirectUrlGuid" value="42f07925-1b7b-48a0-b48b-a431cca0f133">
After you have completed the above, your <appSettings> section of your configuration file should contain the following key/value pairs and look similar to the below image.
In the config file, navigate to the <system.webServer> section and add the following under <modules runAllManagedModulesForAllRequests="true">. Make sure the Net version matches the version of the .NET assembly you received from EmpowerID (Net35 or Net45).
<add name="EidAuthenticationHeaderModule" type="TheDotNetFactory.EmpowerID.Web.Core.Modules.EidAuthenticationHeaderModule,
TheDotNetFactory.EmpowerID.Web.Net45.Modules, Version=4.0.0.0, Culture=neutral"/>
The <system.webServer> section should now look similar to the following image.
Save your changes and reset IIS.
Now that we have configured the AndysBeans Web.config file for use with the agent only, we cantest the Web agent.
- Related Topics
Concepts:
- Understanding EmpowerID Web Access Management
- Understanding the Reverse Proxy
- About the Sample Web Application
Administrative Procedures:
- Installing the EmpowerID Reverse Proxy
- Creating a Reverse Proxy WAM app for the Sample App
- Creating an OAuth app for the Reverse Proxy
- Configuring the Reverse Proxy for the Sample App
- Configuring the Sample App for the Reverse Proxy
- Testing WAM
References: