This guide gives a brief overview for Setting up Windows Integrated Authentication for Cloud Applications.
miniOrange Single sign on (SSO) server allows you to login to your applications without re-entering your credentials after you authenticate yourself into the Windows domain by login into a system joined to the Active Directory domain. miniOrange achieves this by, installing a component on a Windows Server joined to the Active Directory (AD) domain that, basically acts as a SAML 2.0 Identity Provider. When the user tries to access a cloud application like Salesforce, the request is sent to the miniOrange SSO Server which in turn forwards the request to the on-premise miniOrange SAML module installed in the Windows machine which determines the user logged in, and performs SSO based on the response from the module.
This, involves 3 steps basically:
1. Enable Windows Authentication and configure SSO applications of interest in the Windows Machine.
2. Installing the miniOrange SAML module in Windows and configuring it with the miniOrange SSO server.
3. Add the miniOrange SAML module ( installed on the Windows Machine ) as an Identity Source in the miniOrange SSO server
Step 1: Setup IIS for Windows Authentication.
- Open up command prompt in Administrative mode.
- Execute the following command on it:$setspn -a HTTP/## Server FQDN## ##Domain Service Account#
- Open up Active Directory Users and Computers.
- Search for the service account which was used to create the Service Principal Name(SPN).
- Navigate to the Delegation tab.
- Select Trust this user for delegation to any service (Kerberos only).
7. Click Apply.
8. Open up IIS Manager.
9. Select the site which you want to apply Windows Authentication to.
10. Select the Application Pool for that website. Right click on it and select Advanced Settings.
11. Use Custom Account and set the account as the service account for which delegation was enabled. You would need to enter the password of the service account as well.
12. Navigate to the Authentication section for the website.
13. Enable Windows Authentication and disable Anonymous Authentication.
14. In the Configuration Editor, search for system.webServer/security/authentication/windowsAuthentication.
15. Set useKernelMode as False and useAppPoolCredentials as True.
16. Click Apply.
17. Open up Internet Explorer and open Internet Options.
18. Add the FQDN of IIS Server to the list of sites in Local Intranet.
19. Select Custom Level for the Security Zone. In the list of options, select Automatic Logon only in Intranet Zone.
Step 2: Configure On-Premise SAML Module with miniOrange Identity Provider
A SAML 2.0 module needs to be installed on an IIS Server joined to the Active Directory Domain. This module will be responsible for identifying the user logged in to a domain joined system and generating a SAML response to the connected application. When the user is trying to access a cloud application like Salesforce, the request is received by miniOrange which forwards the request to this SAML module installed on-premise, which generates a SAML response based on the user logged in and forwards it to miniOrange, which in turn forwards an authentication response to the application.
The configuration of the SAML Module is as follows:
- Put in the URLs in the samlsso.php in the SAML Module.
Parameter Value ACS URL Of the format: https://login.xecurify.com/moas/rest/saml/acs/<CustomerID> Issuer The hostname of the server Audience https://login.xecurify.com/moas
- Save the file.
Step 3: Configure On-Premise SAML Module as an Identity Source in miniOrange
- Login to the admin dashboard.
- Navigate to Identity Providers in the left navigation bar.
- Click on Add Identity Source.
- Add a SAML Identity Source in miniOrange with the details of the on-premise SAML Module.
Parameter Value IdP Entity ID / Issuer As set in the above step SAML SSO Login URL Of the format http://< hostname_of_server >/saml/samlsso.php X.509 Certificate The SP Certificate in the SAML Module
- Save the Identity Source and make it as the Default Identity Source by clicking on Make Default.
At this point, the connection between miniOrange IdP and on-premise SAML Module is completed. If a user tries to access a connected application, miniOrange will send a SAML request to the on-premise SAML module, which will generate an assertion based on the user logged in into a domain-joined system and send it to miniOrange. miniOrange will forward an authentication response to the connected application and the user will get signed in.