Versions Compared

Old Version 3

changes.mady.by.user Vladislav Fomichev

Saved on

compared with

New Version 4

changes.mady.by.user Vladislav Fomichev

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Note

Indeed AM SAML idp is configured for Windows authentication by default. For out of domain scenarios, you have to enable anonymous authentication in IIS for iidsamlidp.



Info

Files of indeed AM SAML idp reside in: indeed AM\Indeed AM SAML IDP \<Version number>\

  • AM.SAML.IDP-x64.msi is the installation package of indeed SAML IDP.
  • /Misc/Server2012/ Indeed.SAML.IIS.Install.MSServer2012.ps1 is the script file to install the required components of IIS server for Windows Server 2012.

Installation

  1. Install Indeed SAML idp by running AM.SAML.idP-x64.msi installer.

  2. Add HTTPS binding in Default Web Site settings of IIS Manager.

    Info

    Indeed SAML idp is a web application on the basis of IIS. “Require SSL” is a default installation setting, which, in turn, requires active HTTPS binding.

    If you do not plan to use HTTPS protocol, then deactivate SSL requirement in IIS settings for SAML  idp. 


    1. Run IIS Manager and expand the Sites item.
    2. Select the Default Web Site site and click Bindings item in the Actions section.
    3. Click Add:
      1. Type - https.
      2. Port - 443.
      3. Select the SSL Certificate.
    4. Save the binding.
  3. Configure Kerberos delegation.
  4. Add SAML application to local Internet. 

Modifying a configuration file

  1. Open the SAML IDP configuration file named Web.config (C:\inetpub\wwwroot\iidselfservice\Web.config).
  2. Specify the URL to connect to Indeed server for Url parameter in amAuthServer tag.

    1. Url parameter is url address of Indeed server in the following format: http(s)://full_dns_name_of_server/easerver/

      Info

      To ignore server certificate errors, change the "isIgnoreCertErrors" parameter to "true" in "applicationSettings. config" file ( iidsamlidp\Config ).


      Code Block
      languageyml
      titleExemple
      <amAuthServer Url="https://amserv.indeed-id.local/easerver"/>


  3. Specify the provider ID in amAuthMethods tag in the following format:

    1. If only one provider is used for authentication.

      Code Block
      languageyml
      titleExemple
      <amAuthMethod id="SMSOTP"> 
	<amAuthProviders> 
		<amAuthProvider id="ebb6f3fa-a400-45f4-853a-d517d89ac2a3" /> 
	</amAuthProviders> 
</amAuthMethod>


    2. If several providers are used in “chain” for authentication.

      Note

      If Windows Password + any other provider chain is used:

      • Windows Password is entered correctly, a provider of your choice entered incorrectly - the “Logon history” for the user shows successful logon to  SAML Identity Provider with Windows Password.
      • Windows Password is entered correctly, a provider of your choice entered correctly - the “Logon history” for the user shows successful logon with user selected provider.


      Code Block
      languageyml
      titleExemple
      <amAuthMethod id="HOTP_Passcode_SMS">
	<amAuthProviders>
		<amAuthProvider id="AD3FBA95-AE99-4773-93A3-6530A29C7556" />
		<amAuthProvider id="F696F05D-5466-42b4-BF52-21BEE1CB9529" />
		<amAuthProvider id="ebb6f3fa-a400-45f4-853a-d517d89ac2a3" />
	</amAuthProviders>
</amAuthMethod>


  • id parameter of amAuthMethod tag is unique value. 

  • id parameter of amAuthProvider tag is ID of the provider used.

    Info

    id parameter of amAuthProvider have different provider ID

    {EBB6F3FA-A400-45F4-853A-D517D89AC2A3} - SMS OTP

    {093F612B-727E-44E7-9C95-095F07CBB94B} - EMAIL OTP

    {F696F05D-5466-42b4-BF52-21BEE1CB9529} - Passcode

    {0FA7FDB4-3652-4B55-B0C0-469A1E9D31F0} - Software OTP

    {AD3FBA95-AE99-4773-93A3-6530A29C7556} - HOTP Provider

    {CEB3FEAF-86ED-4A5A-BD3F-6A7B6E60CA05} - TOTP Provider

    {DEEF0CB8-AD2F-4B89-964A-B6C7ECA80C68} - AirKeyProvider

 


Example of extension operation

  1. Open http(s)://full_dns_name_of_server /iidsamlidp/ for authentication in SAML.

  2. Click “Back” in the SAML authentication window that opens to select authentication method. The last one used is selected by default.

Information
  1. Info

    If

“Windows authentication”

  1. Windows authenticationis available and

“Anonymous authentication”

  1. Anonymous authenticationis disabled in IIS authentication methods, the username is supplied automatically and is not configurable, and user domain password is pasted in automatically.

    If

“Anonymous authentication”

  1. Anonymous authenticationis available and

“Windows authentication”

  1. Windows authenticationis disabled, then username can be changed and domain password should be entered manually.

    Image Added

  2. Select an authentication method and click "Select".

Information
  1. Info

    If a user does not have an authenticator, then select "Windows

Password”

  1. Passwordmethod.

    Image Added

4.
  1. Enter the password and click
“Sign in”
  1. Sign in. If data entered correctly, then logging in is performed.Image AddedImage Added
    Backtotop