SSO is now Automatically Installed
Going forward, the AuthAnvil Two Factor Auth installer will automatically install AuthAnvil Single Sign On for you. If you choose to prevent the 2FA installer from doing so, this guide will help you install SSO on to your existing 2FA server.
Note: See this article for installation requirements
What you need to begin
To begin your deployment of AuthAnvil, we recommend you collect and prepare the following items before installation:
- Download the latest installer files from http://www.scorpionsoft.com/downloads/sso.
- Administrative access to an existing AuthAnvil Two Factor Auth server.
Installing AuthAnvil Single Sign On
- Download and run the latest installer files from the SSO Downloads page at http://www.scorpionsoft.com/downloads/sso.
- The installer will check to make sure that AuthAnvil Two Factor Auth 5.5 or later is installed on the same machine, and launch the SSO installer.
- Click Next to continue, then click Next again to begin the install.
- Click Finish to complete the install.
Configuring AuthAnvil Single Sign On
The AuthAnvil Manager web interface is used for day-to-day management of AuthAnvil SSO. It adds a new Single Sign On tab, where SSO management is handled. In order for as user to log onto the AuthAnvil Manager and access admin functions, they must have the "User is allowed to manage this AuthAnvil Site" privilege, granted when their user is created or at any time through the "Manage user" page.
- Open http(s)://<ServerName>/AuthAnvil/Manager/
- Enter your username and AuthAnvil passcode. Your passcode is comprised of your PIN and the next One-Time Password from your token. ie. 123484449545.
- Click the arrow button to attempt authentication.
- After completing the authentication, the Manager's Dashboard appears. Click on the Single Sign On tab to manage Single Sign On Settings.
Applications and Roles
AuthAnvil SSO manages access to resources through the combination of Applications and Roles. This has changed from the previous version as we have removed Authentication Profiles. Each user is assigned to a set of roles, where each role has access to one or more applications.
An application refers to a single instance of a web application. For example, Salesforce.com runs a single SSO service for all of its accounts, so an organization will typically only have one Salesforce application. On the other hand, the AuthAnvil Password Server and AuthAnvil Manager will require a separate application for each site or organization that you manage.
Since applications are collected in roles you can group them in a way that makes sense for your workflow. For example, you may have a role that accesses all AuthAnvil Two Factor Auth Servers, or all AuthAnvil Password Servers, or you may break them down on a per-customer basis, having a role for the applications for each customer that you manage.
Finally, to set a users permissions you enable their account and assign them to at least one role.
Configuring Applications for Single Sign On
For individual application configurations, please refer to the guides available on the SSO documentation page.
Creating New SSO Applications
Out of the box, AuthAnvil SSO ships with support for the following applications:
- Google Apps
- Office 365
- Outlook Web Access
- New Relic
- AuthAnvil Manager
- AuthAnvil Password Server
To configure additional applications, navigate to the Applications section and select Add New Application. This will ask you for some necessary information to configure a new application.
The following fields need to be configured:
- Display Name: The Name visible in the SSO Portal
- Reply To URL: The URL where the token is sent
- Audience URI: The URI describing the application
All of these values should be provided by the application you are configuring for federation.
Once you have saved the configuration you can modify the attribute maps by selecting the application and clicking Edit Attribute Maps.
An attribute map is the configuration that tells AuthAnvil SSO to take a piece of information about an authenticating user and convert them into an attribute or Claim within the token. For instance, the AuthAnvil Two Factor Auth application contains an attribute map that creates an attribute called SiteID and grabs that value from the SiteID user property.
Using AuthAnvil SSO to Log on to Applications
To log on to the applications that a user has access, they simply need to log in to the AuthAnvil SSO site located at http(s)://<YourAuthAnvilDomain.com>/SSO using their AuthAnvil Two Factor Auth username and passcode.
This will present them with a list of the applications that they have been authorized to access. If they click on the application tile, the SSO site will open up a new window or tab and log them into that application. To sign out of AuthAnvil Single Sign On the "Sign Out" button is in the top-right corner.
SSO Tabs and Favorites
In SSO v4 we have enhanced the SSO User Portal to allow for tabbed browsing. With SAML 1.1 support and the ability to launch Web and RDP passwords stored in AuthAnvil Password Server there will be even more icons showing up in your portal and you need a way to organize them.
Using tabs is easy. Log in to AuthAnvil SSO and click the "Add Tab..." button on the left panel to create a new tab. Simply drag the apps you want to that new tab and they will be tucked away until you click on the other tab to display those apps.
There is also a grayed-out star in the top-right corner of each icon to identify whether an app is in your "Favorites". Mouse-over and click on the star to mark an icon as one of your favorites. "Favorite" apps will always show up on the top tab when you first log in, even if they belong to another tab. You can also drag an app up to the front tab in order to make it a favorite.
To un-favorite, simply uncheck the star and it will only display in the tab to where it was moved, or on the front tab if it has not been moved.
AuthAnvil SSO Assistant
The SSO Assistant is a new browser add-on we designed for Internet Explorer and Google Chrome. It is an integration component for web-based SSO, providing a smooth user experience for logging into websites at the click of a button. This is done by filling in the username and password, automatically logging into the site with a single click. It also allows you to add applications from the SSO User Portal as a quicker alternative to manually configuring the password in AuthAnvil Password Server.
Note: The AuthAnvil SSO Assistant is compatible with Internet Explorer and Google Chrome.
Note: You MUST connect to AuthAnvil SSO using SSL (https://yourcompany.com/SSO), otherwise the SSO assistant will not allow you to launch forms-based web logins.
Installing the SSO Assistant
When you click on a form submission SSO app it will point you to the download for the SSO Assistant (web-based SSO):
Click "Download SSO Assistant" and save AuthAnvilSSOAssistantSetup.msi to your machine.
Run the MSI to begin installing the assistant.
Click the checkbox to accept the AuthAnvil License Agreement and then click Next.
If you have an administrative prompt click "Yes" to allow the software to continue installing.
Click Finish now that the installation is completed.
Adding Applications from SSO Portal
In SSO v4.1, web-based passwords can now be added from the button on the SSO User Portal. This will create a synchronizing password in PWS under a new Personal Vault called "SSO Web Passwords". Once this vault exists, all new "Add New Application" created passwords will be placed there.
- Log into the SSO User Portal and click on
- Select a web workflow from the dropdown menu
- (NOTE: More workflows can be added in the "Admin Tools" menu of AuthAnvil Password Server)
- The "Application Name" will assume the name of the workflow you selected, but you may customize it to fit your needs.
- The Username and Password values should be your current login for that application.
Modifying Web Password Applications
Move your mouse over the app you want to edit and click on the "Wrench" to modify application settings such as the application title, the icon, or even the password itself. This data is sent to PWS where a synchronization instruction is created; the password can be updated and re-synchronized directly from the SSO Portal!
You can also view information about the username, the number of times you have accessed the application, the synchronization status (In sync, Out of Sync, Not synced) and the time it was last accessed.
Backing up the AuthAnvil Single Sign On Database
All that is left is to back up your newly configured SSO system settings. SSO Settings are backed up separate from AuthAnvil Two Factor Auth.
- Open a command window and go to C:\Program Files\Scorpion Software\AuthAnvil\AuthAnvilTools\SSOBackupTool
- To run the backup, run the command ScorpionSoft.IdentityServer.Backup.exe followed by the filename. i.e. ScorpionSoft.IdentityServer.Backup.exe -b "ssobackup.xml"
- Your file is created and saved in the same directory. If the backup is successful, the tool will complete silently. If you receive an error confirm the instance name, make sure your user account has privileges to access the database and run the backup again.
Configuring secure communications with SSL (IIS 7)
It is HIGHLY recommended that all communications between users and the SSO Site be done over a secure socket layer (SSL) connection. To accomplish this, a SSL certificate must be installed on the IIS server where the SSO Site resides.
We recommend using a trusted public CA - such as Verisign, Inc - to obtain the certificate. This solution is particularly good if you want to enable secure communications for authentication agents over the public Internet, where your SSO Site will be exposed publicly.
To enable SSL for the AuthAnvil website after you have a certificate installed in IIS, follow these steps:
- Launch the IIS Manager, and expand "Sites".
- Click on the website where AuthAnvil SSO is installed and click "Bindings..." under the actions menu.
- Click "Add..."
- Change the type from "http" to "https", set your IP address and port, and chose a certificate from the "SSL certificate" dropdown menu.
- Click "OK" and then "Close" to apply the binding.
- Now test if secure communications with SSL are working by attempting to connect to the SSO website (https://www.yourdomain.com/sso) and making sure that you can successfully connect with no certificate errors.
Appendix A - Install and Configure Certificate Services
You install Certificate Services using the Windows Component Wizard. You can install the CA, the Web enrollment component, or both from the wizard. To complete the installation, follow these steps:
- Launch the Windows Component Wizard by opening Add/Remove Programs in the Control Panel. Then select the Add/Remove Windows Components option offered on the left side of the dialog box.
- When the wizard opens, select Certificate Services from the component list. The installer warns you that after the CA software is installed, you can't change the name of the server or move it into or out of an Active Directory domain. If you have a server you want to use as the enterprise CA, make sure it is a member of the domain BEFORE you start. If the server will also be a domain controller, run dcpromo to promote it to a domain controller status before installing Certificate Services.
- If you want to install only one of the components (for example, if you want to set up a CA with no Web-enrollment capacity), click Details and clear any component you don't want to install. Click Next.
- The CA Type page appears. Select the option that corresponds to the CA type you want: enterprise root, enterprise subordinate, stand-alone root, or stand-alone subordinate. (If your machine is not domain joined, your available selections will be limited). Select Stand-alone root CA. Click Next.
- The CA Identifying Information page appears. Type a common name for the CA. An example would be YourDomainCA. Type in the distinguished name suffix. An example would be DC=YourDomain,DC=local. By default, newly generated CA certificates are valid for five years; you can adjust that period in the Validity Period drop-down list. Click Next.
- Accept the default settings for Certificate Database Settings. Click Next.
- The installer will tell you to it must stop the service to complete the installation.
- When the wizard finishes the installation, Certificate Services is available.
Appendix B - Changing AuthAnvil SSO Service URLs
By default, AuthAnvil SSO will use either the server's hostname, or the FQDN defined in the SSL certificate assigned to the website where AuthAnvil SSO is installed for communication and authentication between the AuthAnvil Manager web site, the AuthAnvil SSO web site and the AuthAnvil SSO web service. If your certificate, DNS name, or server name are modified you will need to update the following locations with the proper URL.
If the installer for AuthAnvil SSO has detected an incorrect URL these steps can be used to verify the proper resolution of its internal services.
NOTE: If you are unable to reach the "Single Sign On" page in the AuthAnvil Manager, please verify that you are using a properly trusted browser connection (https://<yourdomain.com>/AuthAnvil/Manager). The URL in your browser defines the domain name used to communicate with the SSO admin service.
Updating the SSO Web Service
This service is tied to the Single Sign On tab in the AuthAnvil Manager
- Open an escalated Notepad (run as administrator)
- Open the AuthAnvil Manager's web.config file, located at C:\Program Files\Scorpion Software\AuthAnvil\AuthAnvilSAS\Manager\web.config
- Find the line that reads: <scorpionSoft.IdentityServer> <administration service="http://my.authanvildomain.com/sso/services/administration" /> </scorpionSoft.IdentityServer>
- Change the administration service URL to reflect the new name of the AuthAnvil SSO server (do not modify "/sso/services/administration")and save the changes to the file.
- Run an IISReset to reload the service configuration and apply the new changes.
Updating the SSO Authentication Service URL
AuthAnvil SSO has an SAS URL configured in the database to point to the 2FA authentication service. This is used when logging into the SSO User Portal. There is also a secondary service URL to allow for a failover in the event the first cannot be reached.
- Open SQL Management Studio (full or express) and connect to the AuthAnvil SQL instance
- Expand Databases > Anvil > Tables
- Right-click on the dbo.SSO_ServerSetting table and select either "Open Table" or "Edit Top 200 Rows" depending on your version of Management Studio
- Modify the values for StrongAuthPrimaryServiceEndpoint and StrongAuthSecondaryServiceEndpoint to point to http(s)://<YourAuthAnvilDomain.com>/AuthAnvil/SAS.asmx
If you have any questions or need some help, we would be happy to assist. Open a case at kaseya.zendesk.com .