What you need to begin
To begin your deployment of AuthAnvil, we recommend you collect and prepare the following items before installation:
- Download the latest installer files from http://www.scorpionsoft.com/downloads/sso.
- The AuthAnvil Single Sign On Installation Guide.
- Administrative access to an existing AuthAnvil Two Factor Auth server.
- Administrative access to a supported operating system on which you wish to install AuthAnvil SSO. It is strongly recommended that during evaluation you test AuthAnvil SSO in a non-production environment.
Installing AuthAnvil Single Sign On
- Download and run the latest installer files from the SSO Downloads page at http://www.scorpionsoft.com/downloads/sso.
- The installer will check to make sure that AuthAnvil Two Factor Auth 5.0 or later is installed on the same machine, and launch the SSO installer.
- Click Next to continue, then click Next again to begin the install.
- Click Finish to complete the install.
- Configure SQL Server to allow SQL Server authentication (mixed mode) and restart the SQL Server service.
(Open SQL Server Management Studio and connect to the server. Right-click the server, select Properties, open the Security page and select SQL Server and Windows Authentication mode.) Mixed mode enables SQL Server logins, including the built-in sa account, so make sure sa is disabled or has a strong password before the instance is reachable from anything other than this server.
Configuring AuthAnvil Single Sign On
The AuthAnvil Manager web interface is used for day-to-day management of AuthAnvil SSO. It adds a new Single Sign On tab, where SSO management is handled. In order for a user to log on to the AuthAnvil Manager and access admin functions, they must have the User is allowed to manage this AuthAnvil Site privilege, which is granted when their user is created or at any later time through the Manage User page.
- Open http(s)://<ServerName>/AuthAnvil/Manager/
- Enter your username and AuthAnvil passcode. Your passcode is your PIN followed by the next one-time password from your token, e.g. 123484449545.
- Click the arrow button to attempt authentication.
- After successful authentication, the Manager's Dashboard appears. Click on the Single Sign On tab to manage Single Sign On settings.
Applications and Roles
AuthAnvil SSO manages access to resources through the combination of Applications and Roles. This has changed from the previous version as we have removed Authentication Profiles. Each user is assigned to a set of roles, where each role has access to one or more applications.
An application refers to a single instance of a web application. For example, Salesforce.com runs a single SSO service for all of its accounts, so an organization will typically only have one Salesforce application. On the other hand, the AuthAnvil Password Server and AuthAnvil Manager will require a separate application for each site or organization that you manage.
Since applications are collected in roles you can group them in a way that makes sense for your workflow. For example, you may have a role that accesses all AuthAnvil Two Factor Auth Servers, or all AuthAnvil Password Servers, or you may break them down on a per-customer basis, having a role for the applications for each customer that you manage.
Finally, to set a user's permissions, enable their account and assign them to at least one role.
Configuring Applications for Single Sign On
For individual application configurations, please refer to the guides available on the SSO documentation page.
Creating New SSO Applications
Out of the box, AuthAnvil SSO ships with support for the following applications:
- Google Apps
- Office 365
- Outlook Web Access
- New Relic
- AuthAnvil Manager
- AuthAnvil Password Server
To configure additional applications, navigate to the Applications section and select Add New Application. This will ask you for some necessary information to configure a new application.
The following fields need to be configured:
- Display Name: the name shown on the application's tile in the SSO Portal
- Reply To URL: the application's endpoint to which AuthAnvil SSO posts the token (the assertion consumer URL)
- Audience URI: the URI that identifies the application; the token carries it as an audience restriction, so a token issued for one application is not accepted by another
All of these values are published by the application you are configuring for federation. Copy them exactly: a mismatch in the Reply To URL or Audience URI causes the application to reject the token.
Once you have saved the configuration you can modify the attribute maps by selecting the application and clicking Edit Attribute Maps.
An attribute map is the configuration that tells AuthAnvil SSO to take a piece of information about the authenticating user and place it in the token as an attribute (claim). For instance, the AuthAnvil Two Factor Auth application contains an attribute map that creates an attribute called SiteID and populates it from the SiteID user property.
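The application fields and attribute map described above, as an added example that is not AuthAnvil or Scorpion Software code: it mints an unsigned SAML 1.1-style token from a constructed application record, attribute map and user, and shows the checks on the receiving side that make the Reply To URL and Audience URI matter (a token minted for the Password Server is replayed against the Manager and refused). The namespaces are the standard SAML 1.1 ones; the application names, URLs, claim namespace, issuer and user record are assumptions, and signing is left out.

```python
"""
Added example (not AuthAnvil code): SAML 1.1-style token from the three
application fields plus an attribute map, and the relying-party checks.
All names, URLs and the user record are constructed placeholders.
"""
import datetime as dt
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
TS = "%Y-%m-%dT%H:%M:%SZ"

# Fixed clock so the example is deterministic (constructed).
NOW = dt.datetime(2024, 1, 1, 12, 0, 0, tzinfo=dt.timezone.utc)
LATER = NOW + dt.timedelta(minutes=10)   # past the 5-minute token lifetime

# Two constructed application records, mirroring the Add New Application form.
PASSWORD_SERVER = {
    "display_name": "Customer A Password Server",                 # tile name in the SSO Portal
    "reply_to_url": "https://pw-a.example.local/sso/acs",          # where the token is posted
    "audience_uri": "urn:example:authanvil-password-server:site42",
}
MANAGER = {
    "display_name": "Customer A AuthAnvil Manager",
    "reply_to_url": "https://auth-a.example.local/AuthAnvil/Manager/sso",
    "audience_uri": "urn:example:authanvil-manager:site42",
}

# Constructed attribute map: claim name -> user property copied into the token.
ATTRIBUTE_MAP = {"SiteID": "site_id", "EmailAddress": "email"}

# Constructed user record as the 2FA server might hold it.
USER = {"username": "jdoe", "site_id": "42", "email": "jdoe@example.local"}


def build_token(app, attribute_map, user, now=NOW, lifetime=dt.timedelta(minutes=5),
                issuer="urn:example:authanvil-sso"):
    """Mint an unsigned SAML 1.1-style Response for one application.

    A production token is signed by the SSO server, and the receiver verifies
    that signature before it looks at anything checked in accept_token().
    """
    ts = lambda t: t.strftime(TS)
    resp = ET.Element(ET.QName(SAMLP, "Response"),
                      {"MajorVersion": "1", "MinorVersion": "1",
                       "IssueInstant": ts(now), "Recipient": app["reply_to_url"]})
    assertion = ET.SubElement(resp, ET.QName(SAML, "Assertion"),
                              {"MajorVersion": "1", "MinorVersion": "1",
                               "Issuer": issuer, "IssueInstant": ts(now)})
    cond = ET.SubElement(assertion, ET.QName(SAML, "Conditions"),
                         {"NotBefore": ts(now), "NotOnOrAfter": ts(now + lifetime)})
    # The Audience URI from the application record becomes the audience restriction.
    arc = ET.SubElement(cond, ET.QName(SAML, "AudienceRestrictionCondition"))
    ET.SubElement(arc, ET.QName(SAML, "Audience")).text = app["audience_uri"]
    stmt = ET.SubElement(assertion, ET.QName(SAML, "AttributeStatement"))
    subj = ET.SubElement(stmt, ET.QName(SAML, "Subject"))
    ET.SubElement(subj, ET.QName(SAML, "NameIdentifier")).text = user["username"]
    # Apply the attribute map: each entry copies one user property into a claim.
    for claim_name, user_prop in attribute_map.items():
        attr = ET.SubElement(stmt, ET.QName(SAML, "Attribute"),
                             {"AttributeName": claim_name,
                              "AttributeNamespace": "urn:example:claims"})
        ET.SubElement(attr, ET.QName(SAML, "AttributeValue")).text = str(user[user_prop])
    return ET.tostring(resp, encoding="unicode")


def accept_token(token_xml, app, now=NOW):
    """Relying-party checks: recipient, audience and validity window. Returns the claims."""
    resp = ET.fromstring(token_xml)
    if resp.get("Recipient") != app["reply_to_url"]:
        raise ValueError("Recipient does not match this application's Reply To URL")
    assertion = resp.find(f"{{{SAML}}}Assertion")
    cond = assertion.find(f"{{{SAML}}}Conditions")
    audiences = [e.text for e in cond.iter(f"{{{SAML}}}Audience")]
    if app["audience_uri"] not in audiences:
        raise ValueError("Audience does not match this application's Audience URI")
    parse = lambda s: dt.datetime.strptime(s, TS).replace(tzinfo=dt.timezone.utc)
    if not (parse(cond.get("NotBefore")) <= now < parse(cond.get("NotOnOrAfter"))):
        raise ValueError("token is outside its validity window")
    return {a.get("AttributeName"): a.find(f"{{{SAML}}}AttributeValue").text
            for a in assertion.iter(f"{{{SAML}}}Attribute")}


def demo():
    """Issue a token for the Password Server, then replay it against the Manager."""
    token = build_token(PASSWORD_SERVER, ATTRIBUTE_MAP, USER)
    claims = accept_token(token, PASSWORD_SERVER)
    try:
        accept_token(token, MANAGER)
        replay = "accepted"
    except ValueError as exc:
        replay = str(exc)
    return claims, replay


if __name__ == "__main__":
    print(demo())
```

The replay fails on the Recipient check before the audience is even examined; swapping only the Audience URI (same Reply To URL) fails on the audience check instead, and presenting the token after its lifetime fails on the validity window. Those three checks, after signature verification, are why the values on the Add New Application form must match what the application publishes.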
Using AuthAnvil SSO to Log on to Applications
To log on to the applications a user has access to, they simply log in to the AuthAnvil SSO site located at http(s)://<YourAuthAnvilDomain.com>/SSO using their AuthAnvil Two Factor Auth username and passcode.
This will present them with a list of the applications that they have been authorized to access. If they click on the application tile, the SSO site will open up a new window or tab and log them into that application. To sign out of AuthAnvil Single Sign On the Sign Out button is in the top-right corner.
SSO Tabs and Favorites
In SSO v4.0 we have enhanced the SSO User Portal to allow for tabbed browsing. With SAML 1.1 support and the ability to launch Web and RDP passwords stored in AuthAnvil Password Server there will be even more icons showing up in your portal and you need a way to organize them.
Using tabs is easy. Log in to AuthAnvil SSO and click the Add Tab button on the left panel to create a new tab. Simply drag the apps you want to that new tab and they will be tucked away until you click on the other tab to display those apps.
There is also a grayed-out star in the top-right corner of each icon to identify whether an app is in your Favorites. Mouse-over and click on the star to mark an icon as one of your favorites. Favorite apps will always show up on the top tab when you first log in, even if they belong to another tab. You can also drag an app up to the front tab in order to make it a favorite.
To un-favorite an app, click the star again; the app will then display only in the tab to which it was moved, or on the front tab if it has not been moved.
Backing up the AuthAnvil Single Sign On Database
All that is left is to back up your newly configured SSO system settings. SSO settings are backed up separately from AuthAnvil Two Factor Auth.
- Open a command window and go to C:\Program Files\Scorpion Software\AuthAnvil\AuthAnvilTools\SSOBackupTool
- To run the backup, run ScorpionSoft.IdentityServer.Backup.exe with the -b switch followed by the output filename, e.g.
ScorpionSoft.IdentityServer.Backup.exe -b ssobackup.xml
- The file is created and saved in the same directory. If the backup is successful, the tool completes silently. If you receive an error, confirm the SQL instance name, make sure your user account has privileges to access the database, and run the backup again.
Configuring secure communications with SSL (IIS 7)
It is HIGHLY recommended that all communications between users and the SSO Site take place over HTTPS (SSL/TLS). To accomplish this, an SSL certificate must be installed on the IIS server where the SSO Site resides.
We recommend obtaining the certificate from a trusted public CA such as VeriSign, Inc. This is particularly appropriate if you want to enable secure communications for authentication agents over the public Internet, where your SSO Site will be publicly exposed.
To enable SSL for the AuthAnvil website after you have a certificate installed in IIS, follow these steps:
- Launch the IIS Manager, and expand Sites.
- Click on the website where AuthAnvil SSO is installed and click Bindings under the actions menu.
- Click Add
- Change the type from http to https, set your IP address and port, and choose a certificate from the SSL certificate dropdown menu.
- Click OK and then Close to apply the binding.
- Now test that secure communications with SSL are working by connecting to the SSO website (https://www.yourdomain.com/sso) and making sure that you can connect with no certificate errors. The name in the certificate must match the host name users will actually type, because AuthAnvil SSO also derives its internal service URLs from that name (see Appendix B).
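A scripted form of the "no certificate errors" check above, added here as an example that is not AuthAnvil code: probe() performs a real TLS handshake with chain validation and host-name verification, and inspect_cert() is the pure part that reports whether the certificate covers the host name users type, how long it has left, and whether it is self-signed. inspect_cert() runs on the dictionary shape that ssl.SSLSocket.getpeercert() returns, so it is exercised below on a constructed certificate; the host names and dates are placeholders.

```python
"""
Added example (not AuthAnvil code): check the SSO site's certificate the way
a browser would, plus a few findings a browser does not show.
"""
import socket
import ssl
import sys
import time

# Constructed certificate in the shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "sso.example.local"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "sso.example.local"), ("DNS", "*.corp.example.local")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}
# Constructed "current time" so the offline check is deterministic.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")


def _name_matches(pattern, hostname):
    """Exact match, or a single leftmost wildcard label such as *.example.com."""
    p, h = pattern.lower(), hostname.lower()
    if p == h:
        return True
    if p.startswith("*.") and h.count(".") == p.count("."):
        return h.split(".", 1)[1] == p[2:]
    return False


def inspect_cert(cert, expected_host, now=None):
    """Findings for the host name users will type; independent of any network."""
    now = time.time() if now is None else now
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "host_matches_san": any(_name_matches(s, expected_host) for s in sans),
        "days_left": int((not_after - now) // 86400),
        "in_validity_window": not_before <= now < not_after,
        "self_signed": cert.get("issuer") == cert.get("subject"),
    }


def probe(host, port=443, timeout=5):
    """Live check. create_default_context() validates the chain against the
    system trust store and verifies the host name; a certificate a browser
    would warn about raises ssl.SSLCertVerificationError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return inspect_cert(tls.getpeercert(), host), tls.version()


if __name__ == "__main__":
    # usage: python check_sso_tls.py www.yourdomain.com
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "www.yourdomain.com"))
```

Run probe() against the same host name that appears in the SSO URL you give users; a certificate that validates for the server's internal FQDN but not for the public name is exactly the mismatch the browser test is meant to catch.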
If you have any problems during your installation process, please check out our support site. We would be happy to help.
Appendix A Install and Configure Certificate Services
You install Certificate Services using the Windows Component Wizard. You can install the CA, the Web enrollment component, or both from the wizard. To complete the installation, follow these steps:
- Launch the Windows Component Wizard by opening Add/Remove Programs in the Control Panel. Then select the Add/Remove Windows Components option offered on the left side of the dialog box.
- When the wizard opens, select Certificate Services from the component list. The installer warns you that after the CA software is installed, you can't change the name of the server or move it into or out of an Active Directory domain. If you have a server you want to use as the enterprise CA, make sure it is a member of the domain BEFORE you start. If the server will also be a domain controller, run dcpromo to promote it to domain controller status before installing Certificate Services.
- If you want to install only one of the components (for example, if you want to set up a CA with no Web-enrollment capacity), click Details and clear any component you don't want to install. Click Next.
- The CA Type page appears. Select the option that corresponds to the CA type you want: enterprise root, enterprise subordinate, stand-alone root, or stand-alone subordinate. (If your machine is not domain joined, your available selections will be limited). Select Stand-alone root CA. Click Next.
- The CA Identifying Information page appears. Type a common name for the CA. An example would be YourDomainCA. Type in the distinguished name suffix. An example would be DC=YourDomain,DC=local. By default, newly generated CA certificates are valid for five years; you can adjust that period in the Validity Period drop-down list. Click Next.
- Accept the default settings for Certificate Database Settings. Click Next.
- The installer will tell you that it must stop the web service (IIS) temporarily to complete the installation.
- When the wizard finishes the installation, Certificate Services is available. Note that a certificate issued by a stand-alone root CA is trusted only by clients that have that CA's root certificate installed, so distribute the root certificate to every machine and browser that will connect to the SSO Site, or they will see certificate errors.
Appendix B Changing AuthAnvil SSO Service URLs
By default, AuthAnvil SSO will use either the server's hostname or the FQDN defined in the SSL certificate assigned to the website where AuthAnvil SSO is installed for communication and authentication between the AuthAnvil Manager web site, the AuthAnvil SSO web site and the AuthAnvil SSO web service. If your certificate, DNS name or server name is modified, you will need to update the following locations with the proper URL.
If the installer for AuthAnvil SSO has detected an incorrect URL, these steps can be used to verify the proper resolution of its internal services.
NOTE: If you are unable to reach the Single Sign On page in the AuthAnvil Manager, please verify that you are using a properly trusted browser connection (https://<yourdomain.com>/AuthAnvil/Manager). The URL in your browser defines the domain name used to communicate with the SSO admin service.
Updating the SSO Web Service
This service is tied to the Single Sign On tab in the AuthAnvil Manager.
- Open an escalated Notepad (run as administrator)
- Open the AuthAnvil Manager's web.config file, located at C:\Program Files\Scorpion Software\AuthAnvil\AuthAnvilSAS\Manager\web.config
- Find the line that reads:
<administration service="http://my.authanvildomain.com/sso/services/administration" />
- Change the host name in the administration service URL to the new name of the AuthAnvil SSO server (do not modify the /sso/services/administration path) and save the file. If the SSO site is bound with an SSL certificate, use https in this URL so that the Manager reaches the administration service over a protected connection.
- Run iisreset to reload the service configuration and apply the changes.
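The web.config edit above, as an added example that is not AuthAnvil code: it rewrites only the host name of the administration service URL, refuses to touch the file if the fixed /sso/services/administration path is not what it expects, refuses to leave the endpoint on plain http unless told to, keeps the file's comments, and saves a .bak copy before writing. The surrounding elements of the sample web.config are constructed; only the administration element is taken from the guide, and the new host name is a placeholder.

```python
"""
Added example (not AuthAnvil code): safe rewrite of the administration
service URL in the AuthAnvil Manager web.config.
"""
import shutil
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

ADMIN_PATH = "/sso/services/administration"   # fixed path; never change it

# Constructed minimal web.config carrying the element the guide refers to.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- constructed sample; the real file has many more sections -->
  <authAnvilSso>
    <administration service="http://my.authanvildomain.com/sso/services/administration" />
  </authAnvilSso>
</configuration>
"""


def rewrite_config_text(text, new_host, scheme="https", allow_http=False):
    """Return (new_text, new_url). Raises ValueError rather than guessing."""
    # insert_comments=True keeps the file's comments when it is written back.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(text, parser=parser)
    elems = [e for e in root.iter("administration") if e.get("service")]
    if len(elems) != 1:
        raise ValueError(f"expected one <administration service=...> element, found {len(elems)}")
    old = urlsplit(elems[0].get("service"))
    if old.path != ADMIN_PATH:
        raise ValueError(f"unexpected service path {old.path!r}; refusing to edit")
    if scheme != "https" and not allow_http:
        raise ValueError("the administration endpoint should be reached over https")
    # Only the scheme and host change; the path is always the fixed one.
    new_url = urlunsplit((scheme, new_host, ADMIN_PATH, "", ""))
    elems[0].set("service", new_url)
    new_text = ('<?xml version="1.0" encoding="utf-8"?>\n'
                + ET.tostring(root, encoding="unicode") + "\n")
    return new_text, new_url


def rewrite_config_file(path, new_host, **kwargs):
    """Back up the file, rewrite it in place, and return the URL now configured."""
    shutil.copy2(path, path + ".bak")
    with open(path, encoding="utf-8-sig") as f:
        text = f.read()
    new_text, new_url = rewrite_config_text(text, new_host, **kwargs)
    with open(path, "w", encoding="utf-8") as f:
        f.write(new_text)
    return new_url


if __name__ == "__main__":
    # usage (run as administrator, then iisreset):
    #   python fix_admin_url.py "C:\Program Files\...\Manager\web.config" sso.corp.example
    print(rewrite_config_file(sys.argv[1], sys.argv[2]))
```

Run it from an elevated prompt, since the file lives under Program Files, and follow it with iisreset exactly as in the manual procedure. The path check is the point of the script: the guide's warning not to modify /sso/services/administration is enforced rather than remembered.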
Updating the SSO Authentication Service URL
AuthAnvil SSO has an SAS URL configured in the database that points to the 2FA authentication service. This is used when logging in to the SSO User Portal. There is also a secondary service URL to allow for failover in the event the first cannot be reached.
- Open SQL Management Studio (full or express) and connect to the AuthAnvil SQL instance
- Expand Databases > Anvil > Tables
- Right-click on the dbo.SSO_ServerSetting table and select either Open Table or Edit Top 200 Rows depending on your version of Management Studio
- Modify the values for StrongAuthPrimaryServiceEndpoint and StrongAuthSecondaryServiceEndpoint to point to:
If you have any questions or need some help, we would be happy to assist. Open a case at kaseya.zendesk.com.