Installing SSO using SAML for ADFS implementations (HTTPS required)
(Draft - to be confirmed)
Pre-installation steps for SSO
Before you begin, you must perform the Pre-installation steps for Single sign-on (SSO).
Collect configuration parameters
Determine the values for the following items, which are used as replacement parameters during configuration.
Note: Ensure that the SAML_Identity_Provider is in the Intranet zone of the end-user's browser.

| Parameter | Description |
|---|---|
| Enterprise_URI | The domain identifier that you use for Changepoint, for example: |
| Enterprise_Path | The location of the web application files. Default: <cp_root>\Enterprise\ |
| ReportDesigner_URI | The domain identifier that you use for Report Designer, for example: |
| ReportDesigner_Path | The location of the Report Designer web application files. Default: <cp_root>\ReportDesigner\ |
| Changepoint_RSA_Cookie_Transform | The name of the certificate that you use for cookie encryption. Default: the certificate named "CN=ChangepointCookieCertificate" |
| Enterprise_SigningCertificate_Name | The name of the certificate that you use for signing messages. Default: the certificate named "CN=ChangepointSigningCertificate" |
| Enterprise_SigningCertificate_Thumbprint | The thumbprint of the certificate that you use for signing messages. Default: "78794E4FF1BB0F5D9A53DC7B8C0B799A1FBC1BB5" |
| SAML_Identity_Provider | The SAML Identity Provider URI, for example: |
| SAML_Identity_Provider_Type | The type of the SAML Identity Provider: ADFS20 |
| SAML_Issuer | The SAML Issuer required by the IdP. Leave blank. |
| SAML_Identity_Provider_Signing_Key | The SAML Identity Provider signing key required by the IdP. Leave blank. |
| ClaimType | The SSO claim type. Default: http://schemas.xmlsoap.org/ws/2005/0...ity/claims/upn |
Create application
- In IIS, under Enterprise, convert the RP-STS_SAML folder to an application with these settings:
  - Alias name: RP-STS_SAML
  - Physical path: <cp_root>\Enterprise\RP-STS_SAML
  - Authentication: Anonymous and Forms Authentication
  - Application pool: Application Pool
- Add Default.aspx to the Default Documents for the application.
Execute configuration scripts
Using the values collected in "Collect configuration parameters" above, modify the configuration of the websites:
- Open a PowerShell prompt.
  Note: If the server has User Account Control enabled, you must open the PowerShell prompt using elevated administrator permissions.
- Navigate to the configuration directory (default: <cp_common>\Configuration\Enterprise).
- Execute:
  ./Configuration_SSO_SAML.ps1
- Follow the prompts.
Create relying party trust
- On the ADFS server, launch the ADFS 2.0 console.
- Select Action > Add Relying Party Trust.
- Click Start.
- Select "Enter data about the relying party manually", then click Next.
- Enter a Display name, for example RP-STS_SAML, and then click Next.
- Select "ADFS 2.0 profile" and click Next, then Next.
- Select "Enable support for the SAML 2.0 WebSSO protocol" and enter the Relying party SAML 2.0 SSO service URL:
  https://Enterprise_URI/RP-STS_SAML/
  Replace Enterprise_URI with the domain identifier for Changepoint.
- Click Next.
- Add the Relying party trust identifier:
  https://Enterprise_URI/RP-STS_SAML/
  Replace Enterprise_URI with the domain identifier for Changepoint.
- Click Next, Next, Next, then Close.
- Add a Claim Rule for the relying party you just created. For Changepoint, the default Claim rule name is "UPN".
  - Claim rule template: select "Send LDAP Attributes as Claims".
  - Select the Attribute store.
  - Map the LDAP Attribute "User-Principal-Name" to the Outgoing Claim Type "UPN".
- Specify that the Secure Hash Algorithm for this Relying Party Trust is SHA-256:
  - Double-click the newly created relying party and select the Advanced tab.
  - Select the SHA-256 secure hash algorithm.
  - Click OK.
Increase security token lifetime
Increase the value of the TokenLifetime property for the relying party object created above, so that users do not get a popup message and have to re-launch the session when the ADFS 2.0 security token expires. The default lifetime of an ADFS 2.0 security token is 60 minutes.
Set the default lifetime of a security token to 8 hours (480 minutes):
- On the ADFS server, open a Windows PowerShell prompt.
- Add the ADFS 2.0 snap-in:
  Add-PSSnapin Microsoft.Adfs.PowerShell
- Display the relying party TokenLifetime:
  Get-ADFSRelyingPartyTrust -Name "relying_party"
  where "relying_party" is the display name from "Create relying party trust" above.
- Set the TokenLifetime value to 480 minutes:
  Set-ADFSRelyingPartyTrust -TargetName "relying_party" -TokenLifetime 480
- Set the signing certificate revocation check to none:
  Set-ADFSRelyingPartyTrust -TargetName "relying_party" -SigningCertificateRevocationCheck None
- Set the encryption certificate revocation check to none:
  Set-ADFSRelyingPartyTrust -TargetName "relying_party" -EncryptionCertificateRevocationCheck None
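The console steps in "Create relying party trust" and the TokenLifetime and revocation settings above can be applied in one scripted pass with the same ADFS 2.0 snap-in. This is an added example, not part of the Changepoint guide; it assumes a placeholder Enterprise_URI value, the display name RP-STS_SAML, and the standard WS-Federation UPN claim type URI.

```powershell
# Added example: create and configure the Changepoint relying party trust with
# the ADFS 2.0 snap-in instead of the console wizard.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$EnterpriseUri = "changepoint.example.com"        # placeholder for Enterprise_URI
$RpName        = "RP-STS_SAML"                    # display name used by the guide
$RpUrl         = "https://$EnterpriseUri/RP-STS_SAML/"

# SAML 2.0 WebSSO assertion consumer endpoint (the "Relying party SAML 2.0
# SSO service URL" in the wizard), HTTP-POST binding.
$acs = New-ADFSSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $RpUrl

# Claim rule "UPN": send the LDAP User-Principal-Name as the UPN claim.
$upnRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# The wizard adds a "Permit all users" authorization rule by default; without
# one, ADFS refuses to issue tokens for this relying party.
$permitAll = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Relying party identifier = SSO service URL, SHA-256 signatures, 480-minute
# tokens. "None" skips revocation checking of the relying party's own signing
# and encryption certificates, as the guide's Set-ADFSRelyingPartyTrust calls do.
Add-ADFSRelyingPartyTrust -Name $RpName `
    -Identifier $RpUrl `
    -SamlEndpoint $acs `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" `
    -IssuanceTransformRules $upnRule `
    -IssuanceAuthorizationRules $permitAll `
    -TokenLifetime 480 `
    -SigningCertificateRevocationCheck None `
    -EncryptionCertificateRevocationCheck None

# Read the trust back and confirm the settings the guide asks for.
Get-ADFSRelyingPartyTrust -Name $RpName |
    Select-Object Name, Identifier, SignatureAlgorithm, TokenLifetime,
        SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck
```

Run it once on the ADFS server from an elevated PowerShell prompt; if the trust already exists from the console wizard, replace Add-ADFSRelyingPartyTrust with Set-ADFSRelyingPartyTrust -TargetName $RpName and drop the -Name, -Identifier and -SamlEndpoint arguments.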
Encrypt messages from identity provider (optional)
- Determine the actual value for the following item, which is used as a replacement parameter during configuration:
  - Enterprise_EncryptingCertificate_Name: the name of the certificate that you use for signing messages. Default: the "CN=ChangepointSigningCertificate" certificate.
- Edit \RP-STS_SAML\Web.config and replace Enterprise_EncryptingCertificate_Name with the actual value.
- Specify the Encrypting Certificate used for this Relying Party Trust:
  - Copy ChangepointSigningCertificate.cer from the Changepoint configuration directory to a local folder on the SAML Provider Server.
  - Double-click the newly created relying party and select the Encryption tab.
  - Click Browse and select the certificate that you copied above.
  - Click OK.
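The Encryption tab step can also be done from PowerShell, which makes it easy to confirm that ADFS is really encrypting for the certificate you copied. This is an added example, not part of the Changepoint guide; it assumes the display name RP-STS_SAML and a placeholder local path for the copied .cer file.

```powershell
# Added example: assign the Changepoint certificate as the relying party's
# encryption certificate and verify the result.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$RpName  = "RP-STS_SAML"                                  # display name from "Create relying party trust"
$CerPath = "C:\Temp\ChangepointSigningCertificate.cer"    # placeholder: where you copied the .cer

# A .cer file holds only the public certificate, so ADFS can encrypt to it but
# never sign or decrypt with it.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Subject) expired on $($cert.NotAfter); ADFS would encrypt to a dead key"
}

Set-ADFSRelyingPartyTrust -TargetName $RpName -EncryptionCertificate $cert

# Verify by thumbprint that the trust now carries exactly this certificate.
$rp = Get-ADFSRelyingPartyTrust -Name $RpName
if ($rp.EncryptionCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Encryption certificate on '$RpName' does not match $CerPath"
}
"Encryption certificate set on ${RpName}: $($rp.EncryptionCertificate.Subject) ($($rp.EncryptionCertificate.Thumbprint))"
```

The thumbprint printed should match the Enterprise_SigningCertificate_Thumbprint value you collected in "Collect configuration parameters".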