Single sign-on

    SuperOffice 7 Web supports single sign-on both with Windows authentication and with credentials passed as URL arguments. This document describes how to configure it.

    Single sign-on with Windows authentication

    The following steps are carried out when a Windows user is automatically signed in to SuperOffice 7.web:

    1. Authenticate the user with IIS
    2. Pass the IIS authentication on to 7.web (identity impersonation)
    3. Authenticate the Windows user with 7.web

    SuperOffice CRM 7 Web relies on forms authentication: the login form is the page displayed when logging on to CRM 7 Web. Combining Forms and Windows authentication in IIS 7 has known issues, so IIS is configured differently for single sign-on depending on the Windows version and the pipeline mode, as described below.

    Authenticate the user with IIS

    Windows XP and Windows Server 2003 use what Windows Vista and Windows Server 2008 refer to as Classic Pipeline Mode. In this mode there is a clear distinction between the Internet Information Services (IIS) authentication and the ASP.NET (i.e. SuperOffice) authentication.

    Windows XP and Windows 2003 Server

    1. Open Internet Information Services (IIS) Manager.
    2. Select the SuperOffice 7 Web site, right-click it and choose Properties.
    3. Select the 'Directory Security' tab and click 'Edit...' under Authentication and access control.
    4. Disable anonymous access and enable Windows authentication.

    Previous versions of 6.web required anonymous access to be enabled for the \Services folder. From version 6.3 of SuperOffice 6.web this is no longer required.

    Windows Vista and Windows 2008 Server with Classic Pipeline Mode

    1. Open Programs and Features and select 'Turn Windows features on or off'.
    2. Make sure the authentication providers required (Windows Authentication, and Basic or Digest if wanted*) are turned on under Internet Information Services > World Wide Web Services > Security.
    3. Open Internet Information Services (IIS) Manager.
    4. Select the SuperOffice 7.web site and identify the application pool used by 7.web.
    5. Make sure this application pool is configured to run in Classic Pipeline Mode (Managed pipeline mode: Classic).
    6. Select the SuperOffice 7.web site again and double-click the 'Authentication' feature.
    7. Make sure that Anonymous Authentication is disabled and that Windows Authentication (and Basic*, if required) is enabled.


    Windows Vista and Windows 2008 Server with Integrated Pipeline Mode

    The tight integration between Microsoft .NET (i.e. ASP.NET) and IIS introduced in Windows Vista and Windows Server 2008 is referred to as Integrated Pipeline Mode. In this mode the clear distinction between the IIS authentication and the ASP.NET (i.e. SuperOffice) authentication is gone; the two concepts are merged into one pipeline. The result is that it is no longer possible to first perform a Windows authentication followed by a forms authentication for the entire web site. It is, however, possible to do so for the login page alone. Hence, anonymous access is enabled for the entire web site except the login page, where anonymous access is disabled and Windows authentication is enabled.
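    The IIS configuration for both pipeline modes, scripted with the WebAdministration module, as an added example that is not part of the SuperOffice documentation. It assumes the Windows Authentication feature is already installed, that the site name and the login page file name are as given in the variables (both are placeholders to adjust), and that it runs in an elevated PowerShell session on the web server. Settings are written at the APPHOST level because the authentication sections are locked in applicationHost.config by default, so the same settings placed in the site's web.config would fail with a 500.19 configuration error.

```powershell
# Added example (not SuperOffice code): configure IIS 7 authentication for 7.web single sign-on.
# Assumptions: the site name and login page below are placeholders; adjust for your installation.
Import-Module WebAdministration

$SiteName  = 'SuperOffice 7.web'   # assumption: name of the IIS site hosting 7.web
$LoginPage = 'login.aspx'          # assumption: file name of the 7.web login page
$Mode      = 'Classic'             # 'Classic' or 'Integrated'; must match the procedure you follow

$AuthSection = 'system.webServer/security/authentication'

function Set-AuthProvider {
    param(
        [Parameter(Mandatory=$true)][string]$Location,   # "site" or "site/file", as in a <location> tag
        [Parameter(Mandatory=$true)][string]$Provider,   # anonymousAuthentication, windowsAuthentication, basicAuthentication
        [Parameter(Mandatory=$true)][bool]$Enabled
    )
    # Writing at APPHOST level creates a <location path="..."> element in applicationHost.config,
    # where the authentication sections are allowed (they are locked for web.config by default).
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
        -Filter "$AuthSection/$Provider" -Name enabled -Value $Enabled
}

function Get-AuthProvider {
    param([string]$Location, [string]$Provider)
    (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
        -Filter "$AuthSection/$Provider" -Name enabled).Value
}

# 1. Put the application pool used by the site into the requested pipeline mode.
$PoolName = (Get-Item "IIS:\Sites\$SiteName").applicationPool
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name managedPipelineMode -Value $Mode

# 2. Authentication providers.
if ($Mode -eq 'Classic') {
    # Classic: IIS authenticates the whole site first, then forms authentication runs.
    Set-AuthProvider -Location $SiteName -Provider anonymousAuthentication -Enabled $false
    Set-AuthProvider -Location $SiteName -Provider windowsAuthentication  -Enabled $true
}
else {
    # Integrated: anonymous for the whole site, Windows authentication on the login page only.
    Set-AuthProvider -Location $SiteName -Provider anonymousAuthentication -Enabled $true
    Set-AuthProvider -Location $SiteName -Provider windowsAuthentication  -Enabled $false
    Set-AuthProvider -Location "$SiteName/$LoginPage" -Provider anonymousAuthentication -Enabled $false
    Set-AuthProvider -Location "$SiteName/$LoginPage" -Provider windowsAuthentication  -Enabled $true
}

# 3. Read the effective settings back so a mistake is visible before users are pointed at the site.
foreach ($loc in @($SiteName, "$SiteName/$LoginPage")) {
    [pscustomobject]@{
        Location  = $loc
        Pipeline  = (Get-Item "IIS:\AppPools\$PoolName").managedPipelineMode
        Anonymous = Get-AuthProvider -Location $loc -Provider anonymousAuthentication
        Windows   = Get-AuthProvider -Location $loc -Provider windowsAuthentication
    }
}
```

    In Classic mode the read-back should show Anonymous false and Windows true for both rows; in Integrated mode the site row should show Anonymous true and Windows false, and the login page row the reverse. Enable basicAuthentication the same way only if the footnote below applies to your browsers.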

    Pass the IIS Authentication on to 7 Web - Identity impersonation

    Even though IIS authenticates the user, ASP.NET (and thereby 7.web) is not automatically made aware of who IIS has authenticated. ASP.NET can be instructed to pick up this identity and to execute the request in the context of the authenticated user. This is enabled by the following setting in the web.config file:

    <system.web>
          <identity impersonate="true"/>
    </system.web>

    Note that in Integrated Pipeline Mode, IIS 7 rejects <identity impersonate="true"/> with HTTP error 500.24 unless <validation validateIntegratedModeConfiguration="false"/> is also present under <system.webServer>; in Classic Pipeline Mode the setting applies as-is. With impersonation on, the request runs under the caller's Windows token rather than the application pool identity, so file and database permissions are evaluated per user.

    MailLink and Web Extensions

    To enable single sign-on for MailLink and TrayApp, the bindingConfiguration of their WCF endpoints must be changed from binding1 to WindowsAuth.


    For MailLink from version 7.1, check the MailLinkWcfServer service in web.config. If it reads

    <service name="SuperOffice.MailLink.Server.MailLinkWcfServer" behaviorConfiguration="SoWcfBehavior">
      <endpoint binding="basicHttpBinding" bindingConfiguration="binding1" contract="MailLinkService" />
    </service>

    it must be changed into

    <service name="SuperOffice.MailLink.Server.MailLinkWcfServer" behaviorConfiguration="SoWcfBehavior">
      <endpoint binding="basicHttpBinding" bindingConfiguration="WindowsAuth" contract="MailLinkService" />
    </service>


    Likewise for TrayApp:

    <service name="SuperOffice.TrayApp.Server.TrayApp2Server" behaviorConfiguration="SoWcfBehavior">
      <endpoint binding="basicHttpBinding" bindingConfiguration="binding1" contract="TrayApp2Service" />
    </service>

    must be changed into

    <service name="SuperOffice.TrayApp.Server.TrayApp2Server" behaviorConfiguration="SoWcfBehavior">
      <endpoint binding="basicHttpBinding" bindingConfiguration="WindowsAuth" contract="TrayApp2Service" />
    </service>


    If the WindowsAuth binding is not defined in the bindings section, you need to declare it. The declaration is:


      <binding name="WindowsAuth"  maxReceivedMessageSize="163840000">
        <readerQuotas maxArrayLength="163840000" maxStringContentLength="163840000" />
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
      </binding>


    The binding must be placed inside the basicHttpBinding collection of the bindings section, i.e. the nesting is:

    <system.serviceModel>
      <bindings>
        <basicHttpBinding>
          <!-- the WindowsAuth binding declared above goes here -->
        </basicHttpBinding>
      </bindings>
    </system.serviceModel>

    Note on the security mode: TransportCredentialOnly passes the Windows credential over plain HTTP without transport protection and is therefore only appropriate when the site is served over HTTP on a trusted network. If 7.web is published over HTTPS, use security mode="Transport" with the same clientCredentialType="Windows" so that the credential exchange is protected by TLS.
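    The web.config changes described above for MailLink and TrayApp, scripted so they can be applied and verified consistently, as an added example that is not SuperOffice code. The path in $WebConfig is an assumption to be replaced with the real 7.web web.config location; the service names, contract names and binding values are those given on this page.

```powershell
# Added example (not SuperOffice code): switch the MailLink and TrayApp endpoints to the
# WindowsAuth binding and declare that binding if it is missing.
# Assumption: $WebConfig is a placeholder path; point it at the 7.web web.config.
$WebConfig = 'C:\inetpub\wwwroot\SuperOffice7\web.config'

$ServiceNames = @(
    'SuperOffice.MailLink.Server.MailLinkWcfServer',
    'SuperOffice.TrayApp.Server.TrayApp2Server'
)

# Keep a copy first: a malformed web.config takes the whole site down.
Copy-Item -Path $WebConfig -Destination "$WebConfig.bak" -Force

[xml]$cfg = Get-Content -Path $WebConfig
$serviceModel = $cfg.configuration.'system.serviceModel'
if (-not $serviceModel) { throw "No <system.serviceModel> section found in $WebConfig" }

# 1. Point the basicHttpBinding endpoints of the two services at WindowsAuth.
#    GetAttribute is used rather than $svc.name to avoid confusion with the XmlElement.Name property.
$changed = 0
foreach ($svc in $serviceModel.SelectNodes('services/service')) {
    if ($ServiceNames -notcontains $svc.GetAttribute('name')) { continue }
    foreach ($ep in $svc.SelectNodes("endpoint[@binding='basicHttpBinding']")) {
        if ($ep.GetAttribute('bindingConfiguration') -ne 'WindowsAuth') {
            $ep.SetAttribute('bindingConfiguration', 'WindowsAuth')   # was binding1
            $changed++
        }
    }
}

# 2. Make sure <bindings><basicHttpBinding> exists, then declare WindowsAuth unless already present.
$bindingsNode = $serviceModel.SelectSingleNode('bindings')
if (-not $bindingsNode) { $bindingsNode = $serviceModel.AppendChild($cfg.CreateElement('bindings')) }
$basicHttp = $bindingsNode.SelectSingleNode('basicHttpBinding')
if (-not $basicHttp) { $basicHttp = $bindingsNode.AppendChild($cfg.CreateElement('basicHttpBinding')) }

if (-not $basicHttp.SelectSingleNode("binding[@name='WindowsAuth']")) {
    $binding = $cfg.CreateElement('binding')
    $binding.SetAttribute('name', 'WindowsAuth')
    $binding.SetAttribute('maxReceivedMessageSize', '163840000')

    $quotas = $cfg.CreateElement('readerQuotas')
    $quotas.SetAttribute('maxArrayLength', '163840000')
    $quotas.SetAttribute('maxStringContentLength', '163840000')

    # TransportCredentialOnly = Windows credential over plain HTTP; use mode="Transport" on HTTPS sites.
    $security = $cfg.CreateElement('security')
    $security.SetAttribute('mode', 'TransportCredentialOnly')
    $transport = $cfg.CreateElement('transport')
    $transport.SetAttribute('clientCredentialType', 'Windows')

    [void]$security.AppendChild($transport)
    [void]$binding.AppendChild($quotas)
    [void]$binding.AppendChild($security)
    [void]$basicHttp.AppendChild($binding)
}

$cfg.Save($WebConfig)

# 3. Report what was done so the change can be checked against the expected configuration.
$present = $null -ne $basicHttp.SelectSingleNode("binding[@name='WindowsAuth']")
"Updated $changed endpoint(s); WindowsAuth binding present: $present"
```

    Running the script twice is safe: endpoints already on WindowsAuth are left alone and the binding is not declared a second time. After saving, recycle the application pool so the new WCF configuration is loaded.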



    * Basic, Digest and Windows Authentication should be turned on as required, depending on the browsers in use by end users and on security considerations. Note that Basic Authentication sends the password base64-encoded, i.e. effectively in clear text, and should only be enabled on a site served over HTTPS. Windows Authentication (Kerberos or NTLM) never transmits the password itself and is the preferred provider for domain-joined clients.