Planview Customer Success Center

Installing SSO using WS-Federation for ADFS implementations (HTTPS required)

Pre-installation steps for SSO

Before you begin, you must perform the Pre-installation steps for Single sign-on (SSO).

Collect configuration parameters

Determine the actual values for the following items; these will be used as replacement parameters during configuration.

Ensure that the ADFS_Server_URI is in the Intranet zone of the end-user's browser.

Note: By default, Changepoint is configured to automatically update the public keys that are used to sign security tokens by using the published federation metadata document. In ADFS this is https://ADFS_FederationServiceName/F...onMetadata.xml. If the ADFS server cannot be reached from the web server, you must manually update the configuration after running the configuration script. For details, see Updating the public keys for ADFS manually.

Parameter / Description

Enterprise_URI
    The domain identifier that you use for Changepoint, for example: https://changepoint.abc.corp

Enterprise_Path
    The location of the web application files. Default: <cp_root>\Enterprise\

ReportDesigner_URI
    The domain identifier that you use for Report Designer, for example: https://reportdesigner.abc.corp

ReportDesigner_Path
    The location of the Report Designer application files. Default: <cp_root>\ReportDesigner\

Account
    The name of the account that IIS runs under. Default: IIS_IUSRS

Changepoint_RSA_Cookie_Transform
    The name of the certificate that you use for cookie encryption. Default: the "CN=ChangepointCookieCertificate" certificate name.

Enterprise_SigningCertificate_Name
    The name of the certificate that you use for signing messages. Default: the "CN=ChangepointSigningCertificate" certificate name.

Enterprise_SigningCertificate_Thumbprint
    The thumbprint of the certificate that you use for signing messages. Default: "78794E4FF1BB0F5D9A53DC7B8C0B799A1FBC1BB5"

ADFS_FederationServiceName
    The Federation Service Name, for example: FederationServiceName

ClaimType
    The SSO claim type. Default: http://schemas.xmlsoap.org/ws/2005/0...ity/claims/upn

Getting the federation service name

  1. From the ADFS server, launch the ADFS 2.0 Management console.
  2. From the left menu, select "ADFS 2.0".
  3. From the Action pane select Edit Federation Service Properties.
  4. The Federation Service Name can be found on the General tab.
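Before running the configuration script it is worth confirming, on the Changepoint web server, that the certificates named in the parameter table actually exist with the stated thumbprint and a usable private key, and that the ADFS federation metadata can be fetched from that server (otherwise the public keys have to be updated manually, as the note above says). The script below is an added example written for this page, not Planview's Configuration_SSO_ADFS.ps1. The server name adfs.abc.corp, the full FederationMetadata path (the page shows it truncated; the path used here is the standard ADFS one) and the LocalMachine\My store location are assumptions.

```powershell
# Added example (not Planview/Changepoint code). Pre-flight checks for the
# parameters collected above, run on the Changepoint web server.
# All values below are assumptions; substitute the ones you collected.
$ADFS_FederationServiceName               = 'adfs.abc.corp'
$Enterprise_SigningCertificate_Name       = 'CN=ChangepointSigningCertificate'
$Enterprise_SigningCertificate_Thumbprint = '78794E4FF1BB0F5D9A53DC7B8C0B799A1FBC1BB5'
$Changepoint_RSA_Cookie_Transform         = 'CN=ChangepointCookieCertificate'

function Test-ChangepointCertificate {
    param(
        [Parameter(Mandatory)][string]$Subject,
        [string]$Thumbprint   # optional; when given it must match the installed certificate
    )
    # Assumption: the certificates live in the computer's personal store.
    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject })
    if ($certs.Count -eq 0) {
        Write-Warning "No certificate with subject '$Subject' in LocalMachine\My"
        return $false
    }
    $cert = $certs[0]
    if ($Thumbprint) {
        $wanted = ($Thumbprint -replace '\s', '').ToUpperInvariant()
        $cert = $certs | Where-Object { $_.Thumbprint -eq $wanted } | Select-Object -First 1
        if (-not $cert) {
            Write-Warning ("'{0}' is installed with thumbprint(s) {1}, not {2}; fix the parameter or install the intended certificate" -f $Subject, ($certs.Thumbprint -join ', '), $wanted)
            return $false
        }
    }
    if (-not $cert.HasPrivateKey) {
        Write-Warning "Certificate $($cert.Thumbprint) has no private key; it cannot sign messages or decrypt cookies"
        return $false
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)"
        return $false
    }
    return $true
}

function Get-AdfsSigningThumbprint {
    param([Parameter(Mandatory)][string]$FederationServiceName)
    # Standard ADFS metadata location (assumption; the page shows this URL truncated).
    $url = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
    } catch {
        Write-Warning "Cannot fetch $url from this server ($($_.Exception.Message)); the public keys must be updated manually after the configuration script"
        return @()
    }
    [xml]$md = $resp.Content
    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    # Token-signing keys are the KeyDescriptor use="signing" entries,
    # not the certificate that signs the metadata document itself.
    $nodes = $md.SelectNodes('//md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)
    $thumbs = foreach ($n in $nodes) {
        $bytes = [Convert]::FromBase64String($n.InnerText.Trim())
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)).Thumbprint
    }
    return @($thumbs | Sort-Object -Unique)
}

$ok = $true
$ok = (Test-ChangepointCertificate -Subject $Enterprise_SigningCertificate_Name -Thumbprint $Enterprise_SigningCertificate_Thumbprint) -and $ok
$ok = (Test-ChangepointCertificate -Subject $Changepoint_RSA_Cookie_Transform) -and $ok
$adfsKeys = Get-AdfsSigningThumbprint -FederationServiceName $ADFS_FederationServiceName
if ($adfsKeys.Count -gt 0) { "ADFS token-signing certificate thumbprint(s): $($adfsKeys -join ', ')" }
if (-not $ok) { throw 'Fix the warnings above before running Configuration_SSO_ADFS.ps1' }
```

Run it from an elevated PowerShell prompt on the web server. The ADFS thumbprints it prints are the values you will need if the metadata turns out to be unreachable later and the public keys have to be entered by hand.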

Create application

  1. In IIS, under Enterprise, convert the RP-STS_ADFS folder to an application:
    • Alias name: RP-STS_ADFS
    • Physical path:

      <cp_root>\Enterprise\RP-STS_ADFS

    • Authentication: Only Anonymous Authentication
    • Application pool: Application Pool
  2. Add Default.aspx to the Default Documents for the application.
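The same two steps can be scripted with the IIS WebAdministration module, which is useful when several web servers have to be configured identically. This is an added example, not part of the Changepoint installer; it assumes the IIS site that hosts Changepoint is named Enterprise, that <cp_root> is D:\Changepoint, and that the application pool name is the one from the table. Adjust those three values.

```powershell
# Added example (not Planview/Changepoint code): create the RP-STS_ADFS
# application with anonymous-only authentication and Default.aspx as default document.
Import-Module WebAdministration

$SiteName = 'Enterprise'          # assumption: IIS site hosting Changepoint
$AppName  = 'RP-STS_ADFS'
$cp_root  = 'D:\Changepoint'      # assumption: replace with your <cp_root>
$AppPool  = 'Application Pool'    # value from the table; use the pool Enterprise runs under
$Physical = Join-Path $cp_root 'Enterprise\RP-STS_ADFS'

if (-not (Test-Path $Physical)) { throw "Folder $Physical does not exist; install the Enterprise files first" }

# 1. Convert the folder to an application (idempotent).
if (-not (Get-WebApplication -Site $SiteName -Name $AppName)) {
    New-WebApplication -Site $SiteName -Name $AppName -PhysicalPath $Physical -ApplicationPool $AppPool | Out-Null
}

# Authentication: anonymous only. Written as a <location> override in
# applicationHost.config so it does not depend on what the parent site uses.
$loc = "$SiteName/$AppName"
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $true
foreach ($auth in 'windowsAuthentication', 'basicAuthentication', 'digestAuthentication') {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc `
        -Filter "system.webServer/security/authentication/$auth" -Name enabled -Value $false
}

# 2. Add Default.aspx to the application's default documents, first in the list.
$appPath = "IIS:\Sites\$SiteName\$AppName"
$files = Get-WebConfigurationProperty -PSPath $appPath -Filter 'system.webServer/defaultDocument/files' -Name Collection
if (-not ($files | Where-Object { $_.value -eq 'Default.aspx' })) {
    Add-WebConfigurationProperty -PSPath $appPath -Filter 'system.webServer/defaultDocument/files' `
        -Name '.' -Value @{ value = 'Default.aspx' } -AtIndex 0
}

# Show the result for verification.
Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc `
    -Filter 'system.webServer/security/authentication/*' -Name enabled |
    Select-Object ItemXPath, Value
```

Anonymous-only matters here: the RP-STS_ADFS application is the endpoint ADFS posts the signed token to, so any other IIS authentication on it would challenge the browser before the WS-Federation response can be processed.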

Execute configuration scripts

Using the information collected in the Collect configuration parameters stage, modify the configuration of the websites.

  1. Open a PowerShell prompt.

    Note: If the server has User Account Control enabled, you must open the PowerShell prompt using elevated administrator permissions.

  2. Navigate to the configuration directory, default:

    <cp_common>/Configuration/Enterprise

  3. Execute:

    ./Configuration_SSO_ADFS.ps1

  4. Follow the prompts.
  5. Navigate to the Report Designer configuration directory, default:

    <cp_common>/Configuration/ReportDesigner

  6. Execute:

    ./Configuration_SSO_ADFS.ps1

  7. Follow the prompts.

Create the relying party trust

  1. On the ADFS server, launch the ADFS 2.0 console.
  2. Select Action Add Relying Party Trust.
  3. Click Start.
  4. Select Enter data about the relying party manually, then click Next.
  5. In the Display name field, enter a name for the relying party trust, for example: RP-STS_ADFS, and then click Next.
  6. Select ADFS 2.0 profile, and then click Next, then Next again.
  7. Select Enable support for the WS-Federation Passive protocol, and then enter the Relying party WS-Federation Passive protocol URL.

    https://Enterprise_URI/RP-STS_ADFS/

    Replace Enterprise_URI with the domain identifier for Changepoint.

  8. Click Next, Next, Next, Next, then Close.
  9. Add a Claim Rule for the Changepoint Relying Party.

    For Changepoint, the default Claim rule name is "UPN".

  10. Map the LDAP Attribute "User-Principal-Name" to Outgoing Claim Type "* UPN" or "UPN".

Increase lifetime of security token

Increase the TokenLifetime property of the relying party trust created above so that users do not get a popup message and have to re-launch the Changepoint session when the ADFS 2.0 security token expires. The default lifetime of an ADFS 2.0 security token is 60 minutes.

Set the default lifetime of a security token to 8 hours (480 minutes):

  1. On the ADFS server, open a Windows PowerShell prompt.
  2. Add the ADFS 2.0 snap-in:

    Add-PSSnapin Microsoft.Adfs.PowerShell

  3. Display the relying party TokenLifetime.

    Get-ADFSRelyingPartyTrust -Name "relying_party"

    where "relying_party" is the display name that you created, above.

  4. Set the TokenLifetime value to 480 minutes:

    Set-ADFSRelyingPartyTrust -TargetName "relying_party" -TokenLifetime 480
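The relying party trust, its UPN claim rule and the 480-minute token lifetime can all be created from the same ADFS 2.0 PowerShell snap-in instead of the wizard, which gives a repeatable and reviewable configuration. The script below is an added example written for this page, not Planview's or Microsoft's code, and covers both the Create the relying party trust steps and the lifetime change above. It assumes Enterprise_URI is changepoint.abc.corp and uses the full standard WS-Federation UPN claim type (the table shows that URL truncated). The "permit all" authorization rule reproduces the wizard's default; without an issuance authorization rule ADFS refuses to issue tokens for the trust.

```powershell
# Added example (not Planview/Changepoint code): create the Changepoint relying
# party trust with the UPN claim rule and an 8-hour token lifetime. Run on the ADFS server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$Enterprise_URI = 'changepoint.abc.corp'              # assumption: your Enterprise_URI
$RpName         = 'RP-STS_ADFS'                       # display name used in the wizard steps
$RpEndpoint     = "https://$Enterprise_URI/RP-STS_ADFS/"
# Standard WS-Federation UPN claim type (the page shows it truncated); assumption.
$UpnClaimType   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'

# Claim rule "UPN": LDAP attribute User-Principal-Name -> outgoing claim type UPN.
$issuanceRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$UpnClaimType"), query = ";userPrincipalName;{0}", param = c.Value);
"@

# The wizard's default: permit all authenticated users to receive a token.
$authzRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

if (-not (Get-ADFSRelyingPartyTrust -Name $RpName)) {
    Add-ADFSRelyingPartyTrust -Name $RpName -Identifier $RpEndpoint -WSFedEndpoint $RpEndpoint `
        -IssuanceTransformRules $issuanceRules -IssuanceAuthorizationRules $authzRules
}

# Increase the security token lifetime from the 60-minute default to 8 hours.
Set-ADFSRelyingPartyTrust -TargetName $RpName -TokenLifetime 480

# Verify the result instead of trusting the cmdlets silently.
$rp = Get-ADFSRelyingPartyTrust -Name $RpName
if ($rp.TokenLifetime -ne 480) { throw "TokenLifetime is $($rp.TokenLifetime), expected 480" }
if ($rp.IssuanceTransformRules -notmatch 'userPrincipalName') { throw 'UPN claim rule is missing' }
if ($rp.WSFedEndpoint -ne $RpEndpoint) { throw "WS-Federation endpoint is $($rp.WSFedEndpoint), expected $RpEndpoint" }
$rp | Select-Object Name, Identifier, WSFedEndpoint, TokenLifetime
```

The WS-Federation passive endpoint must match the Enterprise_URI scheme and host exactly, including the trailing slash, because ADFS posts the token only to the endpoint registered on the trust.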