Installing SSO using WS-Federation for ADFS implementations (HTTPS required)
Pre-installation steps for SSO
Before you begin, you must perform the Pre-installation steps for Single sign-on (SSO).
Collect configuration parameters
Determine the actual values for the following items; these will be used as replacement parameters during configuration.
Ensure that the ADFS_Server_URI is in the Intranet zone of the end user's browser.
Note: By default Changepoint is configured to automatically update the public keys that are used to sign security tokens by using the published federation metadata document. In ADFS this is https://ADFS_FederationServiceName/F...onMetadata.xml. If the ADFS server cannot be reached from the web server, you must manually update the configuration after running the configuration script. For details see Updating the public keys for ADFS manually.
| Parameter | Description |
| --- | --- |
| Enterprise_URI | The domain identifier that you use for Changepoint, for example: |
| Enterprise_Path | The location of the web application files. Default: <cp_root>\Enterprise\ |
| ReportDesigner_URI | The domain identifier that you use for Report Designer, for example: |
| ReportDesigner_Path | The location of the Report Designer application files. Default: <cp_root>\ReportDesigner\ |
| Account | The name of the account that IIS runs under. Default: IIS_IUSRS |
| Changepoint_RSA_Cookie_Transform | The name of the certificate that you use for cookie encryption. Default: the "CN=ChangepointCookieCertificate" certificate name. |
| Enterprise_SigningCertificate_Name | The name of the certificate that you use for signing messages. Default: the "CN=ChangepointSigningCertificate" certificate name. |
| Enterprise_SigningCertificate_Thumbprint | The thumbprint of the certificate that you use for signing messages. Default: "78794E4FF1BB0F5D9A53DC7B8C0B799A1FBC1BB5" |
| ADFS_FederationServiceName | The Federation Service Name, for example: FederationServiceName |
| ClaimType | The SSO claim type. Default: http://schemas.xmlsoap.org/ws/2005/0...ity/claims/upn |
Getting the federation service name
- On the ADFS server, launch the ADFS 2.0 Management console.
- In the left pane, select "ADFS 2.0".
- In the Action pane, select Edit Federation Service Properties.
- The Federation Service Name is shown on the General tab.
Create application
- In IIS, under Enterprise, convert the RP-STS_ADFS folder to an application:
  - Alias name: RP-STS_ADFS
  - Physical path: <cp_root>\Enterprise\RP-STS_ADFS
  - Authentication: Anonymous Authentication only
  - Application pool: Application Pool
- Add Default.aspx to the Default Documents for the application.
Execute configuration scripts
Using the information collected in stage 1 (Collect configuration parameters), modify the configuration of the websites.
- Open a PowerShell prompt.
  Note: If the server has User Account Control enabled, you must open the PowerShell prompt with elevated administrator permissions.
- Navigate to the configuration directory. Default:
  <cp_common>/Configuration/Enterprise
- Execute:
  ./Configuration_SSO_ADFS.ps1
- Follow the prompts.
- Navigate to the Report Designer configuration directory. Default:
  <cp_common>/Configuration/ReportDesigner
- Execute:
  ./Configuration_SSO_ADFS.ps1
- Follow the prompts.
Create the relying party trust
- On the ADFS server, launch the ADFS 2.0 console.
- Select Action > Add Relying Party Trust.
- Click Start.
- Select Enter data about the relying party manually, and then click Next.
- In the Display name field, enter a name for the relying party trust, for example: RP-STS_ADFS, and then click Next.
- Select ADFS 2.0 profile, click Next, and then click Next again.
- Select Enable support for the WS-Federation Passive protocol, and then enter the Relying party WS-Federation Passive protocol URL:
  https://Enterprise_URI/RP-STS_ADFS/
  Replace Enterprise_URI with the domain identifier for Changepoint.
- Click Next four times, and then click Close.
- Add a claim rule for the Changepoint relying party. For Changepoint, the default claim rule name is "UPN".
- Map the LDAP attribute "User-Principal-Name" to the outgoing claim type "* UPN" or "UPN".
Increase lifetime of security token
Increase the value of the TokenLifetime property of the relying party trust created above so that users are not shown a popup message and forced to re-launch the Changepoint session when the ADFS 2.0 security token expires. The default lifetime of an ADFS 2.0 security token is 60 minutes.
Set the lifetime of the security token to 8 hours (480 minutes):
- On the ADFS server, open a Windows PowerShell prompt.
- Add the ADFS 2.0 snap-in:
  Add-PSSnapin Microsoft.Adfs.PowerShell
- Display the relying party TokenLifetime:
  Get-ADFSRelyingPartyTrust -Name "relying_party"
  where "relying_party" is the display name that you entered above.
- Set the TokenLifetime value to 480 minutes:
  Set-ADFSRelyingPartyTrust -TargetName "relying_party" -TokenLifetime 480
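The relying party trust and token lifetime steps above, combined into one script that can be re-run safely on the ADFS 2.0 server. This is an added example, not a Changepoint or Microsoft script; the display name RP-STS_ADFS, the host enterprise.example.com standing in for Enterprise_URI, the use of the WS-Federation URL as the relying party identifier, and the permit-all issuance authorization rule are assumptions.

```powershell
# Added example: scripted equivalent of the "Create the relying party trust" and
# "Increase lifetime of security token" procedures. Run from an elevated prompt on the ADFS 2.0 server.
if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

$rpName      = 'RP-STS_ADFS'                                  # display name chosen in the wizard (assumed)
$wsFedUrl    = 'https://enterprise.example.com/RP-STS_ADFS/'  # replace the host with Enterprise_URI (assumed value)
$lifetimeMin = 480                                            # 8 hours, instead of the 60-minute default

# Issuance transform rule equivalent to the "UPN" claim rule: map the AD userPrincipalName
# attribute to the outgoing UPN claim type that Changepoint uses for SSO.
$upnRule = @'
@RuleName = "UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Issuance authorization rule (assumption): every authenticated user may receive a token for this relying party.
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Create the trust only if it does not exist yet, with the WS-Federation Passive endpoint from the wizard step.
$rp = Get-ADFSRelyingPartyTrust -Name $rpName
if (-not $rp) {
    Add-ADFSRelyingPartyTrust -Name $rpName -Identifier $wsFedUrl -WSFedEndpoint $wsFedUrl `
        -IssuanceTransformRules $upnRule -IssuanceAuthorizationRules $permitAll
}

# Raise the token lifetime, then read the trust back and fail loudly if the change did not take effect.
Set-ADFSRelyingPartyTrust -TargetName $rpName -TokenLifetime $lifetimeMin
$rp = Get-ADFSRelyingPartyTrust -Name $rpName
if ($rp.TokenLifetime -ne $lifetimeMin) {
    throw "TokenLifetime for '$rpName' is $($rp.TokenLifetime) minutes, expected $lifetimeMin"
}
$rp | Select-Object Name, Identifier, WSFedEndpoint, TokenLifetime, Enabled
```

The final line echoes the trust's identifier, endpoint and lifetime so the result can be compared against the values entered in the wizard.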