
Configure Single-Signon in 8.2 Web?

Hi, we're going to configure Single-signon in Web 8.2 R06, and this is something we very rarely do. 

Looking at the documentation I can only find descriptions from 7.1/7.5 from 2010 on how to configure this.

Is there any updated documentation for 8.2? Or does anyone have any experience with setting up Single-Signon in 8.2 that they can share?

RE: Configure Single-Signon in 8.2 Web?

Hello Frode, 

SSO in 8.2 is pretty straight-forward. 
To experience you just set Windows Authentication on the Site (with both Sales and Service) and enable AD-authentication for the users in SuperOffice. 

For maillink you need to edit this in the web.config: 

<protocolMapping>
<add scheme="http" binding="basicHttpBinding" bindingConfiguration="" />
<add scheme="https" binding="basicHttpBinding" bindingConfiguration="bindingHttps" />
</protocolMapping>

to this

<protocolMapping>
<add scheme="http" binding="basicHttpBinding" bindingConfiguration="WindowsAuth" />
<add scheme="https" binding="basicHttpBinding" bindingConfiguration="WindowsAuthHttps" />
</protocolMapping>


The only 'problem' you will face is that mailings and SOAP don't work with Windows Authentication (on the IIS), so you will have to specifically set something else (e.g. anonymous) on these files/folders:


For Mailings 
customer.fcgi
/gfx
/graphics
/javascript 

For Soap
soap.exe
SoapTicket.exe
SoapCustomer.exe
SoapAdmin.exe 

Hope this helps!

//Eivind



By: Eivind Johan Fasting, 22 May 2018

RE: Configure Single-Signon in 8.2 Web?

Thanks, that is reassuring.

Does that mean we no longer need to install a separate NetServer with AD-auth, like we had to in 7.1?

By: Frode Lillerud, 22 May 2018

RE: Configure Single-Signon in 8.2 Web?

Yes, Service no longer has its own login, so from 8.1 it all got a lot easier.

By: Margrethe Romnes, 22 May 2018

RE: Configure Single-Signon in 8.2 Web?

Ok, and what about on the client side? Do we need to change settings under Internet Explorer's Security tab?

By: Frode Lillerud, 22 May 2018

RE: Configure Single-Signon in 8.2 Web?

Hello Frode, 

That is correct, no need for any 'hax' when it comes to CS and SSO.

Not sure what you are asking, but having the domain set under trusted sites is a good idea. Not sure if it's needed, but I normally end up doing it at one point or another anyways :)
 
Btw, I suggest you make sure SuperOffice/NetServer is set up on a server that is in the same domain as AD, to avoid a complicated setup.

//Eivind





By: Eivind Johan Fasting, 22 May 2018

RE: Configure Single-Signon in 8.2 Web?

Do you ever need to change these settings?

By: Frode Lillerud, 22 May 2018

RE: Configure Single-Signon in 8.2 Web?

Normally I don't, as I believe the settings you posted are the default ones (?), but it depends on what browser the customer is using and if the customer has some 'weird' security-settings: 
https://wiki.shibboleth.net/confluence/display/SHIB2/Single+sign-on+Browser+configuration 

Hope this helps :)

//Eivind

By: Eivind Johan Fasting, 22 May 2018

RE: Configure Single-Signon in 8.2 Web?

Hi again Eivind,

when you say "To experience you just set Windows Authentication on the Site (with both Sales and Service)", what specifically do you do?

Do you enable Windows Auth for BOTH the site, and the /SuperOffice and /scripts applications?

And do you disable any of the Anonymous or Basic options?

By: Frode Lillerud, 24 May 2018

RE: Configure Single-Signon in 8.2 Web?

Hello Frode, 

The applications should inherit whatever you set on the Site (root), but you can also set this for each application individually if you want. I personally like to set it on the Site. 
I normally enable Windows Authentication on the site, disable everything else (to be clear, I disable both Anonymous and Basic), and make sure both the Sales and Service applications have the same. 
Then I edit the <protocolMapping> section in the web.config (explained in a previous post). 

The only files/folders NOT set up with ONLY Windows Authentication are the ones that mailing and SOAP use, but I make sure SSO works before I edit these files specifically. 


//Eivind





By: Eivind Johan Fasting, 24 May 2018
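
To check the setup described in the two posts above (Windows Authentication only on the site and its applications, with the mailing and SOAP items as the only exceptions), here is a read-only audit script. It is an added example, not code from the thread or from SuperOffice; the site name and the application that holds the mailing/SOAP files are assumptions to adjust.

```powershell
# Added example, not from the thread: read-only audit of IIS authentication settings.
Import-Module WebAdministration

$site       = 'Default Web Site'   # assumption: IIS site name
$exceptApp  = 'scripts'            # assumption: application holding the mailing/SOAP files
$exceptions = 'customer.fcgi', 'gfx', 'graphics', 'javascript',
              'soap.exe', 'SoapTicket.exe', 'SoapCustomer.exe', 'SoapAdmin.exe'
$schemes    = 'windowsAuthentication', 'anonymousAuthentication', 'basicAuthentication'

# Return the effective enabled/disabled state of each scheme at one location.
function Get-AuthState {
    param([string]$Location, [string]$Role)
    $state = [ordered]@{ Location = $Location; Role = $Role }
    foreach ($scheme in $schemes) {
        $state[$scheme] = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location $Location -Name enabled `
            -Filter "system.webServer/security/authentication/$scheme").Value
    }
    [pscustomobject]$state
}

# Site root plus every application under it: expected to be Windows Authentication only.
$protected = @($site) + @(Get-WebApplication -Site $site |
    ForEach-Object { "$site/$($_.Path.Trim('/'))" })

$report = @(
    foreach ($loc in $protected)   { Get-AuthState $loc 'protected' }
    foreach ($item in $exceptions) { Get-AuthState "$site/$exceptApp/$item" 'exception' }
) | ForEach-Object {
    $finding = if ($_.Role -eq 'protected') {
        if ($_.windowsAuthentication -and -not $_.anonymousAuthentication -and
            -not $_.basicAuthentication) { 'OK' } else { 'not Windows-only' }
    } elseif ($_.anonymousAuthentication) { 'anonymous (intended exception)' } else { 'anonymous off' }
    $_ | Add-Member -NotePropertyName Finding -NotePropertyValue $finding -PassThru
}

# Any 'protected' row that is not 'OK' accepts something other than Windows Authentication.
$report | Format-Table -AutoSize
```

The script only reads configuration, so it can be run before and after changing the exceptions to confirm that anonymous access stays confined to the listed items.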

RE: Configure Single-Signon in 8.2 Web?

Ok, thanks. I'm having issues, so I'll continue asking :)

On the client machine I'm using things are working just fine, but from all other computers they get a Windows-credentials login box pop up.

You make no changes to the Application Pools, right?

And no changes to the Security settings for the folders on the disk?

By: Frode Lillerud, 24 May 2018

RE: Configure Single-Signon in 8.2 Web?

Hi,

If they get a pop-up dialog it might be that the siteURL is not present in Trusted sites / Local Internet Sites.

This must exist even if they use Chrome as default browser.

By: Jan Andersen, 24 May 2018

RE: Configure Single-Signon in 8.2 Web?

Sure, fire away! :)

It depends on the environment, but normally I let the application pool run on the applicationpoolidentity. 
If I run into rights-issues I just set IUSRS with rights on the folders. Some customers have a strict setup, and prefer that we make the applicationpool run on a dedicated user, but that won't make SSO fail as long as the application is working (e.g. the application is able to read the web.config and load the login-page). 

Your problem does not sound like a rights-issue though.
Are you sure the users are set up with AD-login in SuperOffice? 
Since it works on your test-client I assume the IIS and SuperOffice are able to verify the SID/user with AD.
What happens if you insert the credentials manually? Do they log in to SuperOffice or are you unable to log in (get the same dialog again)?
Have you tried different browsers on both your test-client and a standard user? 
Maybe your test-account is not set up in the same AD-container as the rest? It could also be a good idea to set up a dedicated user to look into AD, this can be configured in the NetServer configuration (either through the standard wizard or insert it into the web.config). 
My last suggestion would be to un-link (make SuperOffice responsible for the username and password) one of the users that is not working, then try to re-link it. Are you able to find the given person in AD? 

I see I went all support-mode on this (old habits die hard), but this is what I would check/verify to figure out where the problem actually is :)

Edit: What Jan said! :) 

//Eivind


 

By: Eivind Johan Fasting, 24 May 2018

RE: Configure Single-Signon in 8.2 Web?

Hi guys,

on the two folders D:\SuperOffice\Service and D:\SuperOffice\Web we added "Everyone" with "Full access" on the Security tab, and that seems to have solved the issue. We're in the process of removing Everyone again, and adding a more appropriate AD-usergroup.

By: Frode Lillerud, 24 May 2018
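
For the cleanup mentioned in the post above (removing "Everyone" again), this added example lists any write-capable grant to a broad built-in group on the two folders and on subfolders that carry their own explicit entries. It is not code from the thread; the folder paths are the ones quoted in the post, and the choice of which principals count as "broad" is an assumption.

```powershell
# Added example, not from the thread: find write-capable grants to broad groups.
$folders = 'D:\SuperOffice\Service', 'D:\SuperOffice\Web'   # paths quoted in the thread

# Well-known SIDs, so the check also works on non-English Windows installations.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Any of these bits lets the principal change content or permissions.
# 0x10000000 = GENERIC_ALL, 0x40000000 = GENERIC_WRITE (appear on some inherit-only entries).
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000

function Find-BroadGrant {
    param([string[]]$Path)
    foreach ($root in $Path) {
        $children = @(Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object FullName)
        foreach ($dir in @($root) + $children) {
            # Inherited entries are reported once, at the root; below it only explicit ones.
            $includeInherited = ($dir -eq $root)
            $acl = Get-Acl -LiteralPath $dir
            $rules = $acl.GetAccessRules($true, $includeInherited,
                [System.Security.Principal.SecurityIdentifier])
            foreach ($rule in $rules) {
                $sid = $rule.IdentityReference.Value
                if ($rule.AccessControlType -ne 'Allow' -or -not $broad.ContainsKey($sid)) { continue }
                if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $dir
                    Principal = $broad[$sid]
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

# An empty result means no broad group can write to the application folders.
Find-BroadGrant -Path $folders | Format-Table -AutoSize
```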

RE: Configure Single-Signon in 8.2 Web?

Ok, great :)

Then I guess IUSR and IIS_IUSRS should suffice, unless you set the applicationpool to run as a custom account. 
Glad you figured it out! 

//Eivind
 

By: Eivind Johan Fasting, 24 May 2018