Hello there!

Need Help? We are right here!

Support Icon
miniOrange Email Support
success

Thanks for your Enquiry. Our team will soon reach out to you.

If you don't hear from us within 24 hours, please feel free to send a follow-up email to info@xecurify.com

Search Results:

×

Setup Integrated Windows Authentication For Cloud Apps


How Does The MiniOrange IWA Module Work?

This guide will give you an overview of how to set up Integrated Windows Authentication for Cloud Applications.

miniOrange Single Sign-On (SSO) server allows you to log into your application without having to re-enter your credentials. You will first need to successfully achieve windows authentication into the Windows domain, after having logged into a system integrated with an Active Directory domain. miniOrange achieves Windows integrated authentication by installing a component on a Windows Server linked to the Active Directory domain. This setup basically acts as a SAML 2.0 Identity Provider. When the user tries to access a cloud application like Salesforce, the request is forwarded to the miniOrange SSO Server. This Server forwards the request to the on-premise miniOrange SAML module installed on the Windows authentication machine. SSO is performed based on the response received from the module. This is how Windows authentication is used to achieve Windows integrated security.

Prerequisites

  • Windows Server 2008 R2/2012/2016/2019
  • Internet Information Services (IIS) v7+ for Windows Server
  • Active Directory installed and configured with IIS
  • PHP v5+ installed & configured with IIS (archive link)
  • LDAP extension for PHP (you can follow these instructions to enable the extension)
  • A miniOrange account (you can register here)
  • The miniOrange Integrated Windows Authentication (IWA) module (Download Link)
 Integrated Windows Authentication: miniOrange IWA Module

1. Setting up a Service Account for Delegated   Authentication

  • Identify a Domain Service Account that you can use for delegated authentication; this account will be used by the IWA module
  • Open a command prompt window in Administrative Mode and enter the following command:
    setspn -S HTTP/##Server FQDN## ##Domain Service Account##
    For example, let’s say your server FQDN is server.contoso.com, and your domain service account name is CONTOSO\iwauser; then the command will be:
    setspn -S HTTP/server.contoso.com CONTOSO\iwauser
  • Open Active Directory Users and Computers search for the Domain Service Account used in the previous step
  • Navigate to the Delegation tab; select Trust this user for delegation to any service (Kerberos only)
    This user account can now be used for authenticating the IWA module.
  • Integrated Windows Authentication: windows authentication for cloud delegation

2. Installing the IWA module on IIS

  • Copy the module to the IIS root directory; the default path is C:\inetpub\wwwroot\
  • Open IIS Manager, expand the host entry in the left pane
  • Integrated Windows Authentication: Expand IIS Host entries

  • Add an Application Pool for the module
  • Integrated Windows Authentication: Add Application Pool

  • Right-click on this newly created Application Pool and click on Advanced Settings
  • Integrated Windows Authentication: Application Pool - Advanced Settings

  • Scroll down to Identity under the heading Process Model
    Click on the 3 dots and select Custom Account, enter the credentials of the Domain Service Account and click Set
  • Integrated Windows Authentication: windows authentication for cloud apppool

  • Convert the module to an application; assign it to the Application Pool created in Step 3
  • Integrated Windows Authentication: set Application Pool name

  • Navigate to the Authentication section of the site, disable Anonymous Authentication and enable Windows Authentication
  • Integrated Windows Authentication: windows authentication for cloud kernel mode false

  • If the Windows Authentication option is not visible, your IIS installation may be missing the Windows Authentication role. You can install it using the steps outlined in this document.
  • Navigate to the Configuration Editor section of the site, search for
    system.webServer/security/authentication/windowsAuthentication
    Integrated Windows Authentication: Application - Configuration Editor

  • Set useKernelMode as False and useAppPoolCredentials as True
  • Integrated Windows Authentication: windows authentication for cloud use app pool credentials

3. Configuring LDAP connection in the IWA module

  • Navigate to the root directory of the IWA module,
    for example C:\inetpub\wwwroot\saml-xecurify\
  • Open the file ldapconfig.php for editing
  • Set the values of the following fields in the manner shown in this table
  • Parameter Description Sample Value
    $this->ldap_server_url Full URL of your LDAP server, with port ldap://server.contoso.com:389
    $this->ldap_bind_account_dn Distinguished Name of your LDAP Service Account CN=Service User,CN=Users,DC=contoso,DC=com
    $this->ldap_bind_account_password Password of your LDAP Service Account -
    $this->search_base Search base in which to look for users CN=Users,DC=contoso,DC=com
    $this->search_filter Search filter (|(userprincipalname=?)(samaccountname=?))
    $this->user_attributes List of attributes that you want to fetch from AD & send in response array("givenname", "sn", "mail", "department", "userprincipalname")
  • Save and close the file

4. Configuring miniOrange as a SAML Service Provider (SP) in the IWA module

  • Navigate to the root directory of the IWA module; for example,
    C:\inetpub\wwwroot\saml-xecurify\
  • Open the file samlsso.php for editing
  • Integrated Windows Authentication: cloud SAML module urls

  • Set the values of the following fields in the manner shown in this table:
  • Parameter Value
    ACS URL https://<branding>.xecurify.com/moas/broker/login/saml/acs/<CustomerID>
    For example, if the branding set in your miniOrange account is iwatest, with customer ID 123456, then the value of this parameter will be:
    https://iwatest.xecurify.com/moas/broker/login/saml/acs/123456
    Issuer Hostname of the Windows Server, for example https://server.contoso.com
    Audience https://login.xecurify.com/moas
  • You can get the value of <CustomerID> by logging into your miniOrange account, and navigating to Product Settings:
  • Integrated Windows Authentication: miniOrange Customer Key

    Integrated Windows Authentication: miniOrange Customer Key

  • Save and close the file

5. Adding the IWA module as a SAML Identity Provider (IdP) in miniOrange

  • Log into your miniOrange account, and navigate to the Identity Providers section on the left
  • Click on Add Identity Provider
  • Integrated Windows Authentication: windows authentication for cloud Add identity source

  • Enter a suitable name for the IdP, as well as a suitable display name
  • Enter the values for the fields IDP Entity ID, SAML SSO Login URL, and X.509 Certificate as follows:
  • Parameter Value
    IDP Entity ID As set in the previous section under Issuer
    SAML SSO Login URL Of the format
    http://<hostname-of-server>/saml-xecurify/samlsso.php
    For example, if the FQDN of your Windows Server is server.contoso.com, then the value of this parameter will be:
    http://server.contoso.com/saml-xecurify/samlsso.php
    Audience https://login.xecurify.com/moas
    Integrated Windows Authentication: cloud identity source configuration

  • Configure Attribute Mapping if required; you can map the attributes fetched from the LDAP in Section 5 to values that will be sent to your applications
  • Scroll down to the bottom and click Save.
    The IWA module has now been successfully added as a SAML IdP in miniOrange.

6. Configuring Browsers for Integrated Windows Authentication

  • These steps need to be followed on the machines of all the users who will be using the miniOrange IWA module for authentication.
  • A] Internet Explorer

    • Open Internet Explorer
    • Navigate to Internet Options
    • Go to Security → Local Intranet; click on Sites, and (optionally) on Advanced
    • Enter the full URL of the Windows Server and click OK
      For example, http://server.contoso.com
    • Under Security Level, select Custom Level
    • In the properties window that appears, scroll down to the bottom, and select Automatic Logon only in Intranet Zone
    • Click OK to save this setting
    • Go to the Advanced Tab, and scroll down to the bottom
    • Find and enable the option Enable Integrated Windows Authentication
    • Save these settings, and restart the browser to load the changes

    B] Google Chrome

    • Follow steps 1-7 in the Internet Explorer section (this is required for Windows)
    • Optionally, you may need to whitelist the URL of the Windows Server machine where your IIS is hosted; this can be done by adding the following parameter to your Chrome startup: --auth-server-whitelist=
      For example: --auth-server-whitelist="server.contoso.com"
    • Click enter and restart the browser to load the changes

    C] Mozilla Firefox

    • Follow steps 1-7 in the Internet Explorer section (this is required for Windows)
    • Open a new browser tab, and enter about:config in the address bar
      Click on Accept the Risk and Continue in case you’re prompted for it
    • In the search box, type network.negotiate-auth.trusted-uris
    • Click on the edit button near the result, and add the FQDN of the Windows Server in the text box that pops up
      For example, server.contoso.com
    • Click enter and restart the browser to load the changes

    External References

Want To Schedule A Demo?

Request a Demo
  



Our Other Identity & Access Management Products