...

Configuration Steps

Windows Identity Foundation (WIF) Configuration Steps

Windows Identity Foundation (WIF), a Microsoft framework for building identity-aware applications, is a core component of this installation and must be installed on the SecureAuth IdP server (if it has not already been installed).

1. To install WIF on the SecureAuth IdP server, download WIF from Microsoft's Download Center.

NOTE: On Windows 2012 and later, install WIF via Server Manager > Add / Remove Roles and Features.

2. Install the update and perform an IISRESET on the appliance.

SecureAuth IdP Web Admin Configuration Steps

Data

1. In the Profile Fields section, map the userPrincipalName to a SecureAuth IdP Property (e.g. Email 2).

Warning

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes.

Post Authentication

2. Select WS-Federation Assertion from the Authenticated User Redirect dropdown in the Post Authentication section.

3. The Redirect To field is auto-populated with an unalterable URL (Authorized/WSFedProvider.aspx), which is appended to the domain name and realm number shown in the address bar.

User ID Mapping

4. Select the SecureAuth IdP Property that corresponds to the directory field containing the userPrincipalName (Email 2).

5. Select urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified from the Name ID Format dropdown (default).

6. Select False from the Encode to Base64 dropdown.

SAML Assertion / WS Federation

7. Set the WSFed/SAML Issuer to https://SecureAuthIdPFQDN/SecureAuthIdPRealm#/, replacing the placeholders with the actual Fully Qualified Domain Name (FQDN) of the SecureAuth IdP appliance and the OWA integration realm number, e.g. SecureAuth2.

For example, https://secureauth.company.com/secureauth2

8. Set the SAML Audience to https://mail.companyname.com/owa/ and replace "mail.companyname.com" with the actual DNS name of the OWA host.

Info

No configuration is required for the WSFed Reply To/SAML Target URL, SAML Consumer URL, SAML Recipient, or SP Start URL fields.

9. Leave the Signing Cert Serial Number at its default value, unless a third-party certificate is being used to sign the SAML assertion.

If using a third-party certificate, click Select Certificate and choose the appropriate certificate.

SAML Attributes / WS Federation

10. Set the Name of Attribute 1 to UPN.

11. Set the Namespace (1.1) to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

12. Select Email 2 (or the field that contains the userPrincipalName) from the Value dropdown.

Info

The Value selected here and the User ID Mapping selection (step 4) are the same field.

Warning

Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes.

Forms Auth / SSO Token

13. Click View and Configure FormsAuth keys / SSO token to configure the token/cookie settings and to configure this realm for SSO.

Info

These configurations are optional.
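The Issuer, Audience, Name ID Format and UPN attribute configured in steps 5 through 12 are the values WIF on the OWA side will look for in each assertion. The following is an added example, not SecureAuth's code, that parses a constructed SAML 1.1 assertion and reports any field that does not match those settings; the hostnames, realm, user and assertion ID in it are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Values as configured in the realm (steps 5, 7, 8, 10, 11); hostnames are placeholders
EXPECTED = {
    "issuer": "https://secureauth.company.com/secureauth2",
    "audience": "https://mail.companyname.com/owa/",
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "attr_name": "UPN",
    "attr_namespace": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
}

# Constructed SAML 1.1 assertion shaped like what the realm should emit. The XML signature is
# omitted: signature verification is WIF's job on the OWA side and is not part of this check.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1"
  MinorVersion="1" AssertionID="_constructed_1" Issuer="https://secureauth.company.com/secureauth2">
  <saml:Conditions><saml:AudienceRestrictionCondition><saml:Audience
    >https://mail.companyname.com/owa/</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions>
  <saml:AuthenticationStatement><saml:Subject><saml:NameIdentifier
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@company.com</saml:NameIdentifier>
  </saml:Subject></saml:AuthenticationStatement>
  <saml:AttributeStatement><saml:Attribute AttributeName="UPN"
    AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
    <saml:AttributeValue>jdoe@company.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, expected=EXPECTED):
    """Return a list of findings; an empty list means the assertion matches the realm settings."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("Issuer") != expected["issuer"]:
        findings.append(f"Issuer mismatch: got {root.get('Issuer')!r}")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    # Compared as exact strings on purpose: a missing trailing slash is a real mismatch for the RP
    if expected["audience"] not in audiences:
        findings.append(f"Audience mismatch: got {audiences}")
    nameid = root.find(".//saml:Subject/saml:NameIdentifier", NS)
    if nameid is None or nameid.get("Format") != expected["nameid_format"]:
        findings.append("NameIdentifier missing or its Format differs from the Name ID Format setting")
    upn = None
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("AttributeName") == expected["attr_name"] and attr.get("AttributeNamespace") == expected["attr_namespace"]:
            upn = attr.findtext("saml:AttributeValue", namespaces=NS)
    if not upn:
        findings.append("UPN attribute missing or has no value")
    elif nameid is not None and upn != nameid.text:
        findings.append("UPN attribute and NameIdentifier differ (Value and User ID Mapping must be the same field)")
    return findings
```

Run check_assertion against an assertion captured from a test login (after decoding the wresult) to confirm the realm emits exactly what OWA's web.config expects.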


Included excerpt: Account Management (Help Desk) Page Configuration Guide

Included excerpt: 81docs:Outlook Web Access (OWA) 2013 SP1 & 2016 Integration Guide

...

Tips & Warnings

Set up SecureAuth IdP workflows as they normally would be. To use Windows Desktop SSO, WindowsSSO.aspx must be set as the default document and coded to retain the referral string. If Desktop SSO will redirect external users to another realm, the secureauth.aspx.vb page in that realm must contain code that strips out the "?403;https://<SecureAuth-FQDN>/SAOWARealm" string. Refer to the Windows Desktop SSO Configuration Guide for more information on enabling Windows Desktop SSO for SecureAuth IdP realms.

When setting URLs in the web.config files and in SecureAuth IdP, be consistent and do not overlook something as simple as a trailing slash ("/").