Indeed AM SAML idp is configured for Windows authentication by default. For out of domain scenarios, you have to enable anonymous authentication in IIS for iidsamlidp.

Files of indeed AM SAML idp reside in: indeed AM\Indeed AM SAML IDP \<Version number>\

  • AM.SAML.IDP-x64.msi is the installation package of indeed SAML IDP.
  • /Misc/Server2012/ Indeed.SAML.IIS.Install.MSServer2012.ps1 is the script file to install the required components of IIS server for Windows Server 2012.

Installation

  1. Install Indeed SAML idp by running AM.SAML.IDP-x64.msi installer.
  2. Add HTTPS binding in Default Web Site settings of IIS Manager.

    Indeed SAML idp is a web application on the basis of IIS. “Require SSL” is a default installation setting, which, in turn, requires active HTTPS binding.

    If you do not plan to use HTTPS protocol, then deactivate SSL requirement in IIS settings for SAML  idp. 

    1. Run IIS Manager and expand the Sites item.
    2. Select the Default Web Site site and click Bindings item in the Actions section.
    3. Click Add:
      1. Type - https.
      2. Port - 443.
      3. Select the SSL Certificate.
    4. Save the binding.
  3. Configure Kerberos delegation.
  4. Add SAML application to local Internet. 

Modifying a configuration file

  1. Open the SAML IDP configuration file named Web.config (C:\inetpub\wwwroot\iidselfservice\Web.config).
  2. Specify the URL to connect to Indeed server for Url parameter in amAuthServer tag.
    1. Url parameter is url address of Indeed server in the following format: http(s)://full_dns_name_of_server/easerver/

      To ignore server certificate errors, change the "isIgnoreCertErrors" parameter to "true" in "applicationSettings. config" file ( iidsamlidp\Config ).

      Exemple
      <amAuthServer Url="https://amserv.indeed-id.local/easerver"/>
  3. Specify the provider ID in amAuthMethods tag in the following format:
    1. If only one provider is used for authentication.

      Exemple
      <amAuthMethod id="SMSOTP"> 
      	<amAuthProviders> 
      		<amAuthProvider id="ebb6f3fa-a400-45f4-853a-d517d89ac2a3" /> 
      	</amAuthProviders> 
      </amAuthMethod>
    2. If several providers are used in “chain” for authentication.

      If Windows Password + any other provider chain is used:

      • Windows Password is entered correctly, a provider of your choice entered incorrectly - the “Logon history” for the user shows successful logon to  SAML Identity Provider with Windows Password.
      • Windows Password is entered correctly, a provider of your choice entered correctly - the “Logon history” for the user shows successful logon with user selected provider.
      Exemple
      <amAuthMethod id="HOTP_Passcode_SMS">
      	<amAuthProviders>
      		<amAuthProvider id="AD3FBA95-AE99-4773-93A3-6530A29C7556" />
      		<amAuthProvider id="F696F05D-5466-42b4-BF52-21BEE1CB9529" />
      		<amAuthProvider id="ebb6f3fa-a400-45f4-853a-d517d89ac2a3" />
      	</amAuthProviders>
      </amAuthMethod>
  • id parameter of amAuthMethod tag is unique value. 
  • id parameter of amAuthProvider tag is ID of the provider used.

    id parameter of amAuthProvider have different provider ID

    {EBB6F3FA-A400-45F4-853A-D517D89AC2A3} - SMS OTP

    {093F612B-727E-44E7-9C95-095F07CBB94B} - EMAIL OTP

    {F696F05D-5466-42b4-BF52-21BEE1CB9529} - Passcode

    {0FA7FDB4-3652-4B55-B0C0-469A1E9D31F0} - Software OTP

    {AD3FBA95-AE99-4773-93A3-6530A29C7556} - HOTP Provider

    {CEB3FEAF-86ED-4A5A-BD3F-6A7B6E60CA05} - TOTP Provider

    {DEEF0CB8-AD2F-4B89-964A-B6C7ECA80C68} - AirKeyProvider

Example of extension operation

  1. Open http(s)://full_dns_name_of_server /iidsamlidp/ for authentication in SAML.
  2. Click “Back” in the SAML authentication window that opens to select authentication method. The last one used is selected by default.

    If “Windows authentication” is available and “Anonymous authentication” is disabled in IIS authentication methods, the username is supplied automatically and is not configurable, and user domain password is pasted in automatically.

    If “Anonymous authentication” is available and “Windows authentication” is disabled, then username can be changed and domain password should be entered manually.

  3. Select an authentication method and click "Select".

    If a user does not have an authenticator, then select "Windows Password” method.

  4. Enter the password and click “Sign in”. If data entered correctly, then logging in is performed.


  • No labels