SSO is now Automatically Installed
Going forward, the AuthAnvil Two Factor Auth installer will automatically install AuthAnvil Single Sign On for you. If you choose to prevent the 2FA installer from doing so, this guide will help you install SSO onto your existing 2FA server.
Note: See this article for installation requirements
What you need to begin
To begin your deployment of AuthAnvil, we recommend you collect and prepare the following items before installation:
- Download the latest installer files from https://helpdesk.kaseya.com/entries/97775277
- Administrative access to an existing AuthAnvil Two Factor Auth server.
Installing AuthAnvil Single Sign On
- Download and run the latest installer files from the SSO Downloads page at https://helpdesk.kaseya.com/forums/23062897
- The installer will check to make sure that AuthAnvil Two Factor Auth 5.5 or later is installed on the same machine, and launch the SSO installer.
- Click Next to continue, then click Next again to begin the install.
- Click Finish to complete the install.
Configuring AuthAnvil Single Sign On
The AuthAnvil Manager web interface is used for day-to-day management of AuthAnvil SSO. It adds a new Single Sign On tab, where SSO management is handled. In order for a user to log on to the AuthAnvil Manager and access admin functions, they must have the "User is allowed to manage this AuthAnvil Site" privilege, which can be granted when their user is created or at any time through the "Manage user" page.
- Open http(s)://<ServerName>/AuthAnvil/Manager/
- Enter your username and AuthAnvil passcode. Your passcode consists of your PIN and the next One-Time Password from your token, e.g. 123484449545.
- Click the arrow button to attempt authentication.
- After completing the authentication, the Manager's Dashboard appears. Click on the Single Sign On tab to manage Single Sign On Settings.
Applications and Roles
AuthAnvil SSO manages access to resources through the combination of Applications and Roles. This has changed from the previous version as we have removed Authentication Profiles. Each user is assigned to a set of roles, where each role has access to one or more applications.
An application refers to a single instance of a web application. For example, Salesforce.com runs a single SSO service for all of its accounts, so an organization will typically only have one Salesforce application. On the other hand, the AuthAnvil Password Server and AuthAnvil Manager will require a separate application for each site or organization that you manage.
Since applications are collected in roles you can group them in a way that makes sense for your workflow. For example, you may have a role that accesses all AuthAnvil Two Factor Auth Servers, or all AuthAnvil Password Servers, or you may break them down on a per-customer basis, having a role for the applications for each customer that you manage.
Finally, to set a user’s permissions you enable their account and assign them to at least one role.
Configuring Applications for Single Sign On
For individual application configurations, please refer to the guides available on the SSO documentation page.
Creating New SSO Applications
Out of the box, AuthAnvil SSO ships with support for the following applications:
- Google Apps
- Office 365
- Outlook Web Access
- New Relic
- AuthAnvil Manager
- AuthAnvil Password Server
To configure additional applications, navigate to the Applications section and select Add New Application. This will ask you for some necessary information to configure a new application.
The following fields need to be configured:
- Display Name: The Name visible in the SSO Portal
- Reply To URL: The URL where the token is sent
- Audience URI: The URI describing the application
All of these values should be provided by the application you are configuring for federation.
Once you have saved the configuration you can modify the attribute maps by selecting the application and clicking Edit Attribute Maps.
An attribute map is the configuration that tells AuthAnvil SSO to take a piece of information about an authenticating user and convert it into an attribute, or Claim, within the token. For instance, the AuthAnvil Two Factor Auth application contains an attribute map that creates an attribute called SiteID and takes its value from the SiteID user property.
Using AuthAnvil SSO to Log on to Applications
To log on to the applications that a user has access to, they simply need to log in to the AuthAnvil SSO site located at http(s)://<YourAuthAnvilDomain.com>/SSO using their AuthAnvil Two Factor Auth username and passcode.
This will present them with a list of the applications that they have been authorized to access. If they click on an application tile, the SSO site will open a new window or tab and log them into that application. To sign out of AuthAnvil Single Sign On, use the "Sign Out" button in the top-right corner.
SSO Tabs and Favorites
In SSO v4 we have enhanced the SSO User Portal to allow for tabbed browsing. With SAML 1.1 support and the ability to launch Web and RDP passwords stored in AuthAnvil Password Server there will be even more icons showing up in your portal and you need a way to organize them.
Using tabs is easy. Log in to AuthAnvil SSO and click the "Add Tab..." button on the left panel to create a new tab. Simply drag the apps you want to that new tab and they will be tucked away until you click on the other tab to display those apps.
There is also a grayed-out star in the top-right corner of each icon to identify whether an app is in your "Favorites". Mouse-over and click on the star to mark an icon as one of your favorites. "Favorite" apps will always show up on the top tab when you first log in, even if they belong to another tab. You can also drag an app up to the front tab in order to make it a favorite.
To un-favorite an app, simply uncheck the star. The app will then display only in the tab to which it was moved, or on the front tab if it has not been moved.
AuthAnvil SSO Assistant
The SSO Assistant is a new browser add-on we designed for Internet Explorer and Google Chrome. It is an integration component for web-based SSO, providing a smooth user experience for logging into websites at the click of a button. This is done by filling in the username and password, automatically logging into the site with a single click. It also allows you to add applications from the SSO User Portal as a quicker alternative to manually configuring the password in AuthAnvil Password Server.
Note: The AuthAnvil SSO Assistant is compatible with Internet Explorer and Google Chrome.
Note: You MUST connect to AuthAnvil SSO using SSL (https://yourcompany.com/SSO), otherwise the SSO assistant will not allow you to launch forms-based web logins.
Installing the SSO Assistant
When you click on a form submission SSO app it will point you to the download for the SSO Assistant (web-based SSO):
- Click "Download SSO Assistant" and save AuthAnvilSSOAssistantSetup.msi to your machine.
- Run the MSI to begin installing the assistant.
- Click the checkbox to accept the AuthAnvil License Agreement and then click Next.
- If you have an administrative prompt, click "Yes" to allow the software to continue installing.
- Click Finish now that the installation is completed.
Adding Applications from SSO Portal
In SSO v4.1, web-based passwords can now be added from the button on the SSO User Portal. This will create a synchronizing password in PWS under a new Personal Vault called "SSO Web Passwords". Once this vault exists, all new "Add New Application" created passwords will be placed there.
- Log into the SSO User Portal and click on
- Select a web workflow from the dropdown menu
- (NOTE: More workflows can be added in the "Admin Tools" menu of AuthAnvil Password Server)
- The "Application Name" will assume the name of the workflow you selected, but you may customize it to fit your needs.
- The Username and Password values should be your current login for that application.
Modifying Web Password Applications
Move your mouse over the app you want to edit and click on the "Wrench" to modify application settings such as the application title, the icon, or even the password itself. This data is sent to PWS where a synchronization instruction is created; the password can be updated and re-synchronized directly from the SSO Portal!
You can also view information about the username, the number of times you have accessed the application, the synchronization status (In sync, Out of Sync, Not synced) and the time it was last accessed.
Appendix - Changing AuthAnvil SSO Service URLs
By default, AuthAnvil SSO uses either the server's hostname or the FQDN defined in the SSL certificate assigned to the website where AuthAnvil SSO is installed. This name is used for communication and authentication between the AuthAnvil Manager web site, the AuthAnvil SSO web site and the AuthAnvil SSO web service. If your certificate, DNS name, or server name is modified, you will need to update the following locations with the proper URL.
If the installer for AuthAnvil SSO has detected an incorrect URL these steps can be used to verify the proper resolution of its internal services.
Note: If you are unable to reach the "Single Sign On" page in the AuthAnvil Manager, please verify that you are using a properly trusted browser connection (https://<yourdomain.com>/AuthAnvil/Manager). The URL in your browser defines the domain name used to communicate with the SSO admin service.
Updating the SSO Web Service
This service is tied to the Single Sign On tab in the AuthAnvil Manager
- Open an elevated Notepad (run as administrator)
- Open the AuthAnvil Manager's web.config file, located at C:\Program Files\Scorpion Software\AuthAnvil\AuthAnvilSAS\Manager\web.config
- Find the line that reads: <scorpionSoft.IdentityServer> <administration service="http://my.authanvildomain.com/sso/services/administration" /> </scorpionSoft.IdentityServer>
- Change the administration service URL to reflect the new name of the AuthAnvil SSO server (do not modify "/sso/services/administration") and save the changes to the file.
- Run an IISReset to reload the service configuration and apply the new changes.
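The manual edit above can also be scripted so that only the host name in the service URL changes and the "/sso/services/administration" path is verified before anything is written. The PowerShell below is an added example, not part of the original guide or of AuthAnvil itself; the function name Set-SsoAdminServiceHost, the host sso.example.test and the sample file are assumptions constructed for illustration, and the sample assumes the config file declares no default XML namespace.

```powershell
function Set-SsoAdminServiceHost {   # hypothetical helper name, not an AuthAnvil cmdlet
    param(
        [Parameter(Mandatory = $true)] [string] $ConfigPath,
        [Parameter(Mandatory = $true)] [string] $NewHost
    )
    # Accept a bare DNS name or IP address only, so a pasted URL or path is rejected.
    if ([Uri]::CheckHostName($NewHost) -eq [System.UriHostNameType]::Unknown) {
        throw "'$NewHost' is not a valid host name"
    }
    $full = (Resolve-Path -LiteralPath $ConfigPath).Path
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true               # keep the file's layout when saving
    $xml.Load($full)
    $node = $xml.SelectSingleNode('//scorpionSoft.IdentityServer/administration')
    if ($null -eq $node) { throw "No <administration> element found in $full" }

    # The guide says not to modify the path, so refuse to edit if it is not the expected one.
    $old = [Uri]($node.GetAttribute('service'))
    if (-not $old.IsAbsoluteUri -or $old.AbsolutePath -ne '/sso/services/administration') {
        throw "Unexpected service URL '$old'; file left unchanged"
    }
    if ($old.Scheme -ne 'https') { Write-Warning "Service URL uses $($old.Scheme), not https" }

    $builder = New-Object System.UriBuilder -ArgumentList $old
    $builder.Host = $NewHost                      # scheme, port and path stay as they were
    $new = $builder.Uri.AbsoluteUri

    Copy-Item -LiteralPath $full -Destination "$full.bak" -Force   # backup before writing
    $node.SetAttribute('service', $new)
    $xml.Save($full)
    [pscustomobject]@{ Old = $old.AbsoluteUri; New = $new; Backup = "$full.bak" }
}

# Constructed sample file (not a real AuthAnvil web.config), written to the temp directory.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'web.config.sample'
@'
<configuration>
  <scorpionSoft.IdentityServer>
    <administration service="http://my.authanvildomain.com/sso/services/administration" />
  </scorpionSoft.IdentityServer>
</configuration>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8
Set-SsoAdminServiceHost -ConfigPath $sample -NewHost 'sso.example.test'
# Against the real web.config, run from an elevated prompt and follow with IISReset as in the steps above.
```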
Updating the SSO Authentication Service URL
AuthAnvil SSO has an SAS URL configured in the database to point to the 2FA authentication service. This is used when logging into the SSO User Portal. There is also a secondary service URL to allow for a failover in the event the first cannot be reached.
- Open SQL Management Studio (full or express) and connect to the AuthAnvil SQL instance
- Expand Databases > Anvil > Tables
- Right-click on the dbo.SSO_ServerSetting table and select either "Open Table" or "Edit Top 200 Rows" depending on your version of Management Studio
- Modify the values for StrongAuthPrimaryServiceEndpoint and StrongAuthSecondaryServiceEndpoint to point to http(s)://<YourAuthAnvilDomain.com>/AuthAnvil/SAS.asmx