What you need to begin
To begin your deployment of AuthAnvil, we recommend you collect and prepare the following items before installation:
- Download the latest installer files from the AuthAnvil Zero Media Install website at http://www.scorpionsoft.com/downloads/sso.
- The AuthAnvil Single Sign On Installation Guide. Consider printing out this guide or having it available during your installation session.
- Administrative access to a supported operating system on which you wish to install AuthAnvil SSO. It is strongly recommended that during evaluation you test AuthAnvil SSO in a non-production environment.
Installing AuthAnvil Single Sign On
- Download and run the latest installer files from the SSO Downloads page at http://www.scorpionsoft.com/downloads/sso.
- The installer will check to make sure that AuthAnvil Two Factor Auth 5.0 or later is installed on the same machine, and launch the SSO installer.
- Click Next to continue, then click Next again to begin the install.
- Click Finish to complete the install.
- Configure SQL Server to support SQL Authentication and restart the SQL Server.
(Open SQL Management Studio and connect to the server. Right-click the server, open the Security page, and select SQL Server and Windows Authentication Mode.)
Configuring AuthAnvil Single Sign On
The AuthAnvil Manager web interface is used for day-to-day management of AuthAnvil SSO. It adds a new Single Sign On tab, where SSO management is handled. In order for a user to log onto the AuthAnvil Manager and access admin functions, they must have the “User is allowed to manage this AuthAnvil Site” privilege, granted when their user is created or at any time through the “Manage user” page.
- Open http(s)://<ServerName>/AuthAnvil/Manager/
- Enter your username and AuthAnvil passcode. Your passcode consists of your PIN followed by the next One-Time Password from your token, e.g. 123484449545.
- Click the arrow button to attempt authentication.
- After completing the authentication, the Manager’s Dashboard appears. Click on the Single Sign On tab to manage Single Sign On Settings.
Applications and Roles
AuthAnvil SSO manages access to resources through the combination of Applications and Roles. This has changed from the previous version as we have removed Authentication Profiles. Each user is assigned to a set of roles, where each role has access to one or more applications.
An application refers to a single instance of a web application. For example, Salesforce.com runs a single SSO service for all of its accounts, so an organization will typically only have one Salesforce application. On the other hand, the AuthAnvil Password Server and AuthAnvil Manager will require a separate application for each site or organization that you manage.
Since applications are collected in roles you can group them in a way that makes sense for your workflow. For example, you may have a role that accesses all AuthAnvil Two Factor Auth Servers, or all AuthAnvil Password Servers, or you may break them down on a per-customer basis, having a role for the applications for each customer that you manage.
Finally, to set a user’s permissions you enable their account and assign them to at least one role.
Configuring Applications for Single Sign On
For individual application configurations, please refer to the guides available on the SSO documentation page.
Creating New SSO Applications
Out of the box, AuthAnvil SSO ships with support for the following applications:
- Google Apps
- Office 365
- Outlook Web Access
- New Relic
- AuthAnvil Manager
- AuthAnvil Password Server
To configure additional applications, navigate to the Applications section and select Add New Application. This will ask you for some necessary information to configure a new application.
The following fields need to be configured:
- Display Name: The name visible in the SSO Portal
- Reply To URL: The URL to which the token is sent
- Audience URI: The URI identifying the application
All of these values should be provided by the application you are configuring for federation.
Once you have saved the configuration you can modify the attribute maps by selecting the application and clicking Edit Attribute Maps.
An attribute map is the configuration that tells AuthAnvil SSO to take a piece of information about an authenticating user and convert it into an attribute or Claim within the token. For instance, the AuthAnvil Two Factor Auth application contains an attribute map that creates an attribute called SiteID and takes its value from the SiteID user property.
Using AuthAnvil SSO to Log on to Applications
To log on to the applications that a user has access to, they simply need to log on to the AuthAnvil SSO site located at http(s)://<ServerName>/SSO using their AuthAnvil Two Factor Auth username and passcode.
This will present them with a list of the applications that they have been authorized to access. If they click on the application tile, the SSO site will open up a new window or tab and log them into that application. To sign out, they just sign out of the application using its sign out mechanism.
Backing up the AuthAnvil Single Sign On Database
All that is left is to back up your newly configured SSO system settings. SSO settings are backed up separately from AuthAnvil Two Factor Auth.
- Open a command window and go to C:\Program Files\Scorpion Software\AuthAnvil\AuthAnvilTools\SSOBackupTool
- To run the backup, run ScorpionSoft.IdentityServer.Backup.exe with the -b switch followed by the backup filename.
e.g. ScorpionSoft.IdentityServer.Backup.exe -b "ssobackup.xml"
- Your file is created and saved in the same directory. If the backup is successful, the tool completes silently. If you receive an error, confirm the SQL instance name, make sure your user account has privileges to access the database, and run the backup again.
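As an added example (not part of the AuthAnvil guide), the following PowerShell wraps the backup tool described above so that a scheduled task gets a timestamped file, an explicit success check, and an off-box copy. It assumes the tool directory follows the guide's install layout (adjust if yours differs) and uses a placeholder destination share.

```powershell
# Added example, not from the AuthAnvil guide. Assumed: tool directory per the
# guide's layout; the destination share below is a placeholder.
$toolDir = 'C:\Program Files\Scorpion Software\AuthAnvil\AuthAnvilTools\SSOBackupTool'
$dest    = '\\BACKUPSERVER\SsoBackups'          # placeholder destination
$file    = "ssobackup-$(Get-Date -Format 'yyyyMMdd-HHmmss').xml"

Push-Location $toolDir
try {
    # The tool is silent on success, so rely on the exit code and the file's presence.
    $output = & '.\ScorpionSoft.IdentityServer.Backup.exe' -b $file 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "Backup tool returned exit code $LASTEXITCODE. Output: $output"
    }
    if (-not (Test-Path $file) -or (Get-Item $file).Length -eq 0) {
        throw "Backup tool exited but $file was not written; check the SQL instance name and the account's database privileges."
    }
    # The file holds the SSO configuration, so move it somewhere only administrators can read.
    $target = Join-Path $dest $file
    Move-Item $file $target -Force
    Write-Host "SSO settings backed up to $target"
} finally {
    Pop-Location
}
```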
Configuring secure communications with SSL (IIS 7)
It is HIGHLY recommended that all communications between users and the SSO Site be done over a Secure Sockets Layer (SSL) connection. To accomplish this, an SSL certificate must be installed on the IIS server where the SSO Site resides.
We recommend using a trusted public CA – such as Verisign, Inc – to obtain the certificate. This solution is particularly good if you want to enable secure communications for authentication agents over the public Internet, where your SSO Site will be exposed publicly.
To enable SSL for the AuthAnvil website after you have a certificate installed in IIS, follow these steps:
- Launch the IIS Manager, and expand “Sites”.
- Click on the website where AuthAnvil SSO is installed and click “Bindings…” under the actions menu.
- Click “Add…”
- Change the type from “http” to “https”, set your IP address and port, and choose a certificate from the “SSL certificate” dropdown menu.
- Click “OK” and then “Close” to apply the binding.
- Now test if secure communications with SSL are working by attempting to connect to the SSO website (https://www.yourdomain.com/sso) and making sure that you can successfully connect with no certificate errors.
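As an added example (not part of the AuthAnvil guide), this PowerShell performs the final check above from the command line: it lists the https binding as IIS sees it, then completes a strict client handshake to the SSO site and fails on any certificate chain or host-name error. The host name is a placeholder for your SSO site's FQDN.

```powershell
# Added example, not from the AuthAnvil guide. Assumed: $SsoHost is a placeholder.
$SsoHost = 'www.yourdomain.com'
$Port    = 443

# 1. The binding created in the steps above, as IIS sees it.
Import-Module WebAdministration
Get-WebBinding -Protocol https | Select-Object protocol, bindingInformation, certificateHash

# 2. A strict client-side handshake: any chain or host-name mismatch is a failure.
function Test-SsoTls {
    param([string]$TargetHost, [int]$TargetPort)
    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, $TargetPort)
    $callback = {
        param($sender, $cert, $chain, $errors)
        if ($errors -ne [System.Net.Security.SslPolicyErrors]::None) {
            Write-Warning "Certificate validation failed: $errors"
        }
        return ($errors -eq [System.Net.Security.SslPolicyErrors]::None)
    }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($TargetHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
            Write-Warning "Certificate expires soon: $($cert.NotAfter)"
        }
        [pscustomobject]@{ Host = $TargetHost; Valid = $true; Subject = $cert.Subject
                           Issuer = $cert.Issuer; NotAfter = $cert.NotAfter; Protocol = $ssl.SslProtocol }
    } catch {
        [pscustomobject]@{ Host = $TargetHost; Valid = $false; Error = $_.Exception.Message }
    } finally {
        $ssl.Dispose(); $client.Close()
    }
}

$result = Test-SsoTls -TargetHost $SsoHost -TargetPort $Port
$result | Format-List
if (-not $result.Valid) { exit 1 }
```

A non-zero exit here means users' browsers will also see a certificate error, so the binding should be fixed before the site is published.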
If you have any problems during your installation process, please check out our support site. We would be happy to help.
Appendix A – Install and Configure Certificate Services
You install Certificate Services using the Windows Component Wizard. You can install the CA, the Web enrollment component, or both from the wizard. To complete the installation, follow these steps:
- Launch the Windows Component Wizard by opening Add/Remove Programs in the Control Panel. Then select the Add/Remove Windows Components option offered on the left side of the dialog box.
- When the wizard opens, select Certificate Services from the component list. The installer warns you that after the CA software is installed, you can’t change the name of the server or move it into or out of an Active Directory domain. If you have a server you want to use as the enterprise CA, make sure it is a member of the domain BEFORE you start. If the server will also be a domain controller, run dcpromo to promote it to a domain controller status before installing Certificate Services.
- If you want to install only one of the components (for example, if you want to set up a CA with no Web-enrollment capacity), click Details and clear any component you don’t want to install. Click Next.
- The CA Type page appears. Select the option that corresponds to the CA type you want: enterprise root, enterprise subordinate, stand-alone root, or stand-alone subordinate. (If your machine is not domain joined, your available selections will be limited). Select Stand-alone root CA. Click Next.
- The CA Identifying Information page appears. Type a common name for the CA. An example would be YourDomainCA. Type in the distinguished name suffix. An example would be DC=YourDomain,DC=local. By default, newly generated CA certificates are valid for five years; you can adjust that period in the Validity Period drop-down list. Click Next.
- Accept the default settings for Certificate Database Settings. Click Next.
- The installer will tell you that it must stop the service to complete the installation.
- When the wizard finishes the installation, Certificate Services is available.
Appendix B – Changing AuthAnvil SSO Service URLs
By default, AuthAnvil SSO uses the computer’s hostname, or the FQDN defined in the SSL certificate assigned to the website where AuthAnvil SSO is installed, for communication and authentication between the AuthAnvil Manager web site, the AuthAnvil SSO web site and the AuthAnvil SSO web service. If your certificate, DNS name, or server name is modified, you will need to update the following locations with the proper URL.
NOTE: If AuthAnvil SSO has automatically detected an incorrect URL these steps can be used to verify the proper resolution of its internal services.
Updating the SSO Web Service
This service is tied to the Single Sign On tab in the AuthAnvil Manager.
- Open an elevated Notepad (run as administrator)
- Open the AuthAnvil Manager’s web.config file, located at C:\Program Files\Scorpion Software\AuthAnvil\AuthAnvilSAS\Manager\web.config
- Find the line (around line 32) that reads:
<endpoint address="http://<your FQDN or server name>/SSO/Services/Admin.svc" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_AdminService" contract="SsoAdminService.AdminService" name="BasicHttpBinding_AdminService"/>
- Change the URL in the endpoint address key to reflect the new name of the AuthAnvil SSO server and save the changes to the file.
(NOTE: If your URL is configured for “https” (SSL) you will also have to change the line <security mode="None"> to read <security mode="Transport"> in the corresponding binding configuration section of the file.)
- Run an IISReset to reload the service configuration and apply the new changes.
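As an added example (not part of the AuthAnvil guide), this PowerShell applies the web.config change from the steps above: it rewrites the Admin.svc endpoint address, sets the referenced binding's security mode to Transport when the new URL is https (and back to None for http), and reloads IIS. It assumes the new base URL is a placeholder and that the <security> element sits under the basicHttpBinding entry the endpoint references by bindingConfiguration.

```powershell
# Added example, not from the AuthAnvil guide. Assumed: $NewSsoBaseUrl is a placeholder;
# the <security> element lives under the basicHttpBinding the endpoint references.
$NewSsoBaseUrl = 'https://sso.yourdomain.com'
$WebConfig = 'C:\Program Files\Scorpion Software\AuthAnvil\AuthAnvilSAS\Manager\web.config'

$uri = [uri]$NewSsoBaseUrl
if (@('http', 'https') -notcontains $uri.Scheme) { throw "Unsupported scheme: $($uri.Scheme)" }

# Keep a dated copy of the file before editing it.
Copy-Item $WebConfig "$WebConfig.$(Get-Date -Format yyyyMMddHHmmss).bak"

$cfg = New-Object System.Xml.XmlDocument
$cfg.Load($WebConfig)

$endpoint = $cfg.SelectSingleNode("//system.serviceModel/client/endpoint[@name='BasicHttpBinding_AdminService']")
if (-not $endpoint) { throw 'Endpoint BasicHttpBinding_AdminService not found in web.config' }
$endpoint.SetAttribute('address', "$($uri.Scheme)://$($uri.Authority)/SSO/Services/Admin.svc")

# The endpoint names its binding configuration; that is where <security mode="..."> lives.
$bindingName = $endpoint.GetAttribute('bindingConfiguration')
$binding = $cfg.SelectSingleNode("//system.serviceModel/bindings/basicHttpBinding/binding[@name='$bindingName']")
if (-not $binding) { throw "Binding configuration '$bindingName' not found" }
$security = $binding.SelectSingleNode('security')
if (-not $security) { $security = $binding.AppendChild($cfg.CreateElement('security')) }
$mode = if ($uri.Scheme -eq 'https') { 'Transport' } else { 'None' }
$security.SetAttribute('mode', $mode)

$cfg.Save($WebConfig)
Write-Host "Endpoint address: $($endpoint.GetAttribute('address')); security mode: $mode"

# Reload the service configuration, as the guide's final step does.
iisreset
```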
Updating the SSO Authentication Service URL
AuthAnvil SSO has an SAS URL configured in the database to point to the 2FA authentication service. This is used when logging into the SSO User Portal. There is also a secondary service URL to allow for a failover in the event the first cannot be reached.
- Open SQL Management Studio (full or express) and connect to the AuthAnvil SQL instance
- Expand Databases > Anvil > Tables
- Right-click on the dbo.SSO_ServerSetting table and select either “Open Table” or “Edit Top 200 Rows” depending on your version of Management Studio
- Modify the values for StrongAuthPrimaryServiceEndpoint and StrongAuthSecondaryServiceEndpoint to point to http(s)://<YourAuthAnvilDomain.com>/AuthAnvil/SAS.asmx