RDWeb WS-Fed SAML Single Sign-On (SSO) integration

This topic contains procedures to configure AppName for Single Sign-On (SSO) in CyberArk Identity.

With CyberArk Identity, you can choose single-sign-on (SSO) access to the RDWeb application with IdP-initiated WS-Fed SSO (for SSO access through the Identity User Portal) or SP-initiated WS-Fed SSO (for SSO access through the RDWeb application), or both. Providing both methods gives you and your users maximum flexibility.

AppName SSO supported features

This application template supports the following features:

  • SP-initiated SSO

  • IDP-initiated SSO

Prerequisites for AppName SSO

On a server running Windows Server 2012 or above, launch Server Manager > Add Roles and Features and ensure the following features are available.

  • Windows Identity Federation (WIF)

  • Remote Desktop Services (RDS)

  • Internet Information Services (IIS)

You must be connected to the corporate network (on site or VPN) to access RDWeb.

Configure Claims to Windows Token Service on your Windows server

Step 1: Enable and set Claims to Windows Token Service (C2WTS).

Ensure that the Cryptographic Services service (CryptSvc) starts before C2WTS by adding the following dependency to the service definition.

  1. Open services.msc > Claims to Windows Token Service > right-click > Properties.

  • Set Startup type to Automatic.

  • Make sure the service is started.

  2. At a command prompt, type sc config c2wts depend= CryptSvc and press Enter.

  3. In the C2WTS Properties window, go to the Dependencies tab and ensure that Cryptographic Services is listed.

  4. Click OK.

Step 2: Modify the C2WTShost.exe config file.

  1. Run notepad as an administrator.

  2. Open C:\Program Files\Windows Identity Federation\v3.5\c2wtshost.exe.config.

  3. Add the lines below (they belong inside the existing <windowsTokenService> element):

    <allowedCallers>
      <clear />
      <add value="IIS APPPOOL\RDWebAccess" />
    </allowedCallers>

  4. Save the file.
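The two C2WTS steps above, applied from an elevated PowerShell session and then verified, as an added example that is not part of the CyberArk page. It assumes the app pool identity IIS APPPOOL\RDWebAccess from the page and that WIF 3.5 is installed under its usual folder, "Windows Identity Foundation" (the page spells it "Federation"); adjust $AllowedCaller and $C2wtsConfig if your server differs.

```powershell
# Added example (not from the CyberArk page): Step 1 and Step 2 of the C2WTS
# configuration, with a backup, an idempotent config edit and a final check.
# Run in an elevated PowerShell session on the RDWeb server.

$ServiceName   = 'c2wts'
$AllowedCaller = 'IIS APPPOOL\RDWebAccess'                     # assumed app pool identity (from the page)
$C2wtsConfig   = 'C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config'  # assumed WIF 3.5 path

# Step 1: automatic start plus a dependency on Cryptographic Services (CryptSvc),
# so C2WTS can never come up before the crypto service it relies on.
Set-Service -Name $ServiceName -StartupType Automatic
sc.exe config $ServiceName depend= CryptSvc | Out-Null
if ((Get-Service -Name $ServiceName).ServicesDependedOn.Name -notcontains 'CryptSvc') {
    throw 'CryptSvc dependency was not recorded for c2wts'
}

# Step 2: allow only the RDWeb app pool identity to call C2WTS. Back the file up,
# then add the <add value="..."/> entry under <windowsTokenService><allowedCallers>
# unless it is already present.
Copy-Item -Path $C2wtsConfig -Destination "$C2wtsConfig.bak" -Force
[xml]$cfg = Get-Content -Path $C2wtsConfig -Raw
$callers = $cfg.SelectSingleNode('/configuration/windowsTokenService/allowedCallers')
if (-not $callers) {
    $wts = $cfg.SelectSingleNode('/configuration/windowsTokenService')
    if (-not $wts) { throw "No <windowsTokenService> element found in $C2wtsConfig" }
    $callers = $wts.AppendChild($cfg.CreateElement('allowedCallers'))
    $callers.AppendChild($cfg.CreateElement('clear')) | Out-Null
}
$present = @($callers.SelectNodes('add') | Where-Object { $_.GetAttribute('value') -eq $AllowedCaller })
if ($present.Count -eq 0) {
    $add = $cfg.CreateElement('add')
    $add.SetAttribute('value', $AllowedCaller)
    $callers.AppendChild($add) | Out-Null
    $cfg.Save($C2wtsConfig)
}

# C2WTS reads its config only at start, so restart it and confirm it is running.
Restart-Service -Name $ServiceName
(Get-Service -Name $ServiceName).Status
```

Keeping the `<clear />` ahead of the `<add>` entry matters: it removes any caller list inherited from the default file, so the app pool identity on the page is the only principal allowed to ask C2WTS for a Windows token.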

Configure the AppName app template in the Identity Administration portal

The following procedure describes the steps in the Identity Administration portal needed to configure the AppName app template for SSO.

Step 1: Add the AppName web app template.

  1. In the Identity Administration portal, select Apps & Widgets > Web Apps, then click Add Web Apps.

    Add a web app screen

  2. On the Search page, enter the application name in the Search field and click the search button.

  3. Next to the application name, click Add.

  4. On the Add Web App page, click Yes to confirm.

  5. Click Close to exit the Application Catalog.

    The application opens to the Settings page.

Step 2: Configure the Settings page.

Set an app name, description, category, and logo if you want to change them.

Enter the Resource application URL.

Copy the Issuer, Identity Provider Sign-in URL, and Thumbprint value under Security Certificate for later use.

Step 3: Configure the Advanced page.

Replace the existing script with the script below and click Save.

setVersion('1');
setIssuer(Issuer);
setServiceUrl(ServiceUrl);
setSubjectName(LoginUser.Username);
setAuthenticationMethod('urn:federation:authentication:windows');
setAudience(ServiceUrl);
setRecipient(ServiceUrl);
setSignatureType('Assertion');
setHttpDestination(ServiceUrl);
// Use the directory mail attribute for the EmailAddress claim; fall back to the UPN when it is empty.
var email = LoginUser.Get('mail');
if (!email || email == '') {
    setClaim('EmailAddress', LoginUser.Get('userprincipalname'));
} else {
    setClaim('EmailAddress', email);
}
addSubjectToAttrStatement("True");
// RDWeb maps the token to a Windows account through this UPN claim (see mapToWindows in web.config).
setCustomAttribute("upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims", LoginUser.Get("userprincipalname"));

Step 4: Configure the Permissions page to grant AppName users SSO access.

Grant SSO access to AppName by assigning permissions to users, groups, or roles.

  1. On the Permissions page, click Add.

  2. Select the user(s), group(s), or role(s) that you want to grant permissions to, then click Add.

    The added object appears on the Permissions page with View, Run, and Automatically Deploy permissions selected by default.

  3. Select the permissions you want and click Save.

    Default permissions automatically deploy the application to the User Portal if the Show in user app list option is selected on the Settings page. Do not select this option if you intend to use only SP-initiated SSO.

    Change the permissions if you want to add additional control or if you prefer not to automatically deploy the application.

Step 5: Review and save.

Review your settings to confirm your configuration. For example, you might want to verify that you selected the appropriate users, groups, or roles on the Permissions page. Click Save when you are satisfied.

Configure RDWeb single sign-on

The following procedure describes the steps in the RDWeb Admin Portal needed to configure the RDWeb app template for SSO.

Step 1: Update RDWeb Access Application Pool.

  1. Open Internet Information Services (IIS) Manager on the server where RDWeb is running and select Application Pools.

  2. Right-click RDWeb Access pool, select Advanced Settings.

  3. Select True from the Load User Profile options.

  4. Click OK.

Step 2: Update LoginURL to Default.aspx.

  1. Open IIS Manager on the RDWeb server.

  2. Navigate to RDWeb Server > Sites > Default Web Site > RDWeb > Pages > Configuration Editor.

  3. Click the drop-down box at the top of the screen and select system.web/authentication.

  4. Expand Forms and make sure both defaultUrl and loginURL are set to default.aspx, then click Apply.
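Steps 1 and 2 of this section applied with the IIS WebAdministration module, as an added example that is not part of the CyberArk page. It assumes the application pool is named RDWebAccess (the identity the page uses is IIS APPPOOL\RDWebAccess) and that RDWeb lives under Default Web Site, as on a stock RD Web Access install.

```powershell
# Added example (not from the CyberArk page): set Load User Profile on the RDWeb
# Access pool and point the forms defaultUrl/loginUrl at default.aspx, then read
# both back so the change can be confirmed without opening IIS Manager.
Import-Module WebAdministration

$Pool      = 'RDWebAccess'                               # assumed pool name
$PagesPath = 'IIS:\Sites\Default Web Site\RDWeb\Pages'    # assumed site layout

# Step 1: Load User Profile = True (the C2WTS call needs the pool identity's profile).
Set-ItemProperty -Path "IIS:\AppPools\$Pool" -Name processModel.loadUserProfile -Value $true

# Step 2: both forms URLs must be default.aspx for the RDWeb/Pages application.
foreach ($attr in 'defaultUrl', 'loginUrl') {
    Set-WebConfigurationProperty -PSPath $PagesPath -Filter 'system.web/authentication/forms' `
        -Name $attr -Value 'default.aspx'
}

# Verification: print what IIS now holds for the three settings.
$loaded = (Get-Item -Path "IIS:\AppPools\$Pool").processModel.loadUserProfile
$forms  = Get-WebConfiguration -PSPath $PagesPath -Filter 'system.web/authentication/forms'
"loadUserProfile=$loaded defaultUrl=$($forms.defaultUrl) loginUrl=$($forms.loginUrl)"
```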

Step 3: Update the RDWeb Access web.config file.

Make a backup of the existing web.config file before making any modifications.

  1. On the Windows server, run Notepad as administrator and open C:\Windows\Web\RDWeb\Pages\web.config.

  2. At the top of the file, directly below <configuration>, add the following lines:

    <!-- Idaptive -->
    <configSections>
      <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </configSections>
    <!-- /Idaptive -->
  3. Under the <system.web> tag, add the following lines:

    <!-- Idaptive -->
    <httpRuntime targetFramework="4.5" requestValidationMode="2.0"/>
    <pages validateRequest="false"/>
    <!-- /Idaptive -->
  4. Also under the <system.web> tag, add the following lines. Comment out any other <authorization> and <authentication> tags in the file, and note that the authentication mode must be Windows, not Forms.

    <!-- Idaptive -->
    <authorization>
      <deny users="?"/>
    </authorization>
    <authentication mode="Windows">
      <forms loginUrl="default.aspx" name="TSWAAuthHttpOnlyCookie" protection="All" requireSSL="true" />
    </authentication>
    <!-- /Idaptive -->
  5. Ensure that the <modules> tag is set to <modules runAllManagedModulesForAllRequests="true">.

  6. In the <modules> section, add the following lines:

    The following lines must be placed above any existing lines that start with <add name=.
    <!-- Idaptive -->
    <add name= "WSFederationAuthenticationModule" type= "Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition= "managedHandler" />
    <add name= "SessionAuthenticationModule" type= "Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition= "managedHandler" />
    <!-- /Idaptive -->
  7. Above the </system.web> tag, ensure that the following code is commented out.

    <!-- Idaptive -->
    <!--<httpRuntime targetFramework="4.5" />-->
    <!-- /Idaptive -->
  8. Below the closing </runtime> tag, add the following lines:

    <!-- Idaptive -->
    <microsoft.identityModel>
      <service>
        <audienceUris>
          <add value="urn:microsoft:rdweb" />
          <add value="<Value1>" />
        </audienceUris>
        <securityTokenHandlers>
          <remove type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
          <add type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
            <sessionTokenRequirement useWindowsTokenService="true" />
          </add>
          <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
            <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
          </add>
        </securityTokenHandlers>
        <federatedAuthentication>
          <wsFederation passiveRedirectEnabled="true" issuer="<Value2>" realm="<Value1>" requireHttps="true" />
          <cookieHandler requireSsl="false" />
        </federatedAuthentication>
        <applicationService>
        </applicationService>
        <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
          <trustedIssuers>
            <add thumbprint="<Value3>" name="<Value4>" />
          </trustedIssuers>
        </issuerNameRegistry>
        <certificateValidation certificateValidationMode="None" />
      </service>
    </microsoft.identityModel>
    <!-- /Idaptive -->
  9. Replace the placeholder values in the code above as follows:

    • Change all instances of <Value1> to https://<RDWeb Server>/RDWeb/Pages/Default.aspx.

    • Change <Value2> to the Identity Provider Sign-in URL received in <step no>.

    • Change <Value3> to the Thumbprint value received in <step no>.

      Ensure that the Thumbprint value is entered entirely in uppercase letters.

    • Change <Value4> to the Issuer value received in <step no>.

    Because certificateValidationMode="None" turns off chain validation of the IdP signing certificate, the thumbprint in <trustedIssuers> is the only check that pins the trusted issuer, so the value must be exact.

  10. Save the web.config file.
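A read-only check of the edited web.config, as an added example that is not part of the CyberArk page. It verifies that the placeholders from Step 8 were all replaced in Step 9, that the thumbprint has the uppercase SHA-1 form WIF's ConfigurationBasedIssuerNameRegistry compares against, that the wsFederation settings match the page, and that the two WIF modules come first in <modules>; it also flags the two settings on the page that weaken validation. It assumes the page's default path and that <modules> sits under <system.webServer>, as in a stock RDWeb web.config.

```powershell
# Added example (not from the CyberArk page): validate the Step 3 edits to
# C:\Windows\Web\RDWeb\Pages\web.config and return a list of findings.
function Test-RDWebSsoConfig {
    param([string]$Path = 'C:\Windows\Web\RDWeb\Pages\web.config')  # path from the page

    $findings = New-Object 'System.Collections.Generic.List[string]'
    $raw = Get-Content -Path $Path -Raw

    # 1. Every <ValueN> placeholder from Step 8 must have been replaced in Step 9.
    if ($raw -match '<Value\d>') { $findings.Add('Unreplaced <ValueN> placeholder still present') }

    [xml]$cfg = $raw
    $svc = $cfg.SelectSingleNode('/configuration/microsoft.identityModel/service')
    if (-not $svc) { $findings.Add('microsoft.identityModel/service section missing'); return $findings }

    # 2. Audience: RDWeb's fixed URN plus the HTTPS Default.aspx URL.
    $audiences = @($svc.SelectNodes('audienceUris/add') | ForEach-Object { $_.GetAttribute('value') })
    if ($audiences -notcontains 'urn:microsoft:rdweb') { $findings.Add('audienceUris lacks urn:microsoft:rdweb') }
    if (-not ($audiences | Where-Object { $_ -match '^https://[^/]+/RDWeb/Pages/Default\.aspx$' })) {
        $findings.Add('audienceUris lacks an https://<server>/RDWeb/Pages/Default.aspx entry')
    }

    # 3. Issuer pinning: 40 uppercase hex characters (SHA-1 thumbprint), no spaces.
    $tp = $svc.SelectSingleNode('issuerNameRegistry/trustedIssuers/add')
    if (-not $tp) { $findings.Add('trustedIssuers entry missing') }
    elseif ($tp.GetAttribute('thumbprint') -cnotmatch '^[0-9A-F]{40}$') {
        $findings.Add("thumbprint '$($tp.GetAttribute('thumbprint'))' is not 40 uppercase hex characters")
    }

    # 4. Federation settings from the page: HTTPS required, https issuer, realm listed as an audience.
    $fed = $svc.SelectSingleNode('federatedAuthentication/wsFederation')
    if (-not $fed) { $findings.Add('wsFederation element missing') }
    else {
        if ($fed.GetAttribute('requireHttps') -ne 'true') { $findings.Add('wsFederation requireHttps is not true') }
        if ($fed.GetAttribute('issuer') -notmatch '^https://') { $findings.Add('wsFederation issuer is not an https URL') }
        if ($audiences -notcontains $fed.GetAttribute('realm')) { $findings.Add('wsFederation realm is not listed in audienceUris') }
    }

    # 5. Settings the page uses that reduce validation; reported as warnings, not errors.
    $cv = $svc.SelectSingleNode('certificateValidation')
    if ($cv -and $cv.GetAttribute('certificateValidationMode') -eq 'None') {
        $findings.Add('WARN: certificateValidationMode=None; the trustedIssuers thumbprint is the only check on the signing certificate')
    }
    $ch = $svc.SelectSingleNode('federatedAuthentication/cookieHandler')
    if ($ch -and $ch.GetAttribute('requireSsl') -eq 'false') {
        $findings.Add('WARN: cookieHandler requireSsl=false; the WIF session cookie is not marked Secure')
    }

    # 6. Module order: the two WIF modules must precede every other <add name="..."> entry.
    $mods = $cfg.SelectSingleNode('/configuration/system.webServer/modules')   # assumed location
    if (-not $mods) { $findings.Add('system.webServer/modules missing') }
    else {
        if ($mods.GetAttribute('runAllManagedModulesForAllRequests') -ne 'true') {
            $findings.Add('modules runAllManagedModulesForAllRequests is not true')
        }
        $names = @($mods.SelectNodes('add') | ForEach-Object { $_.GetAttribute('name') })
        $wif = @('WSFederationAuthenticationModule', 'SessionAuthenticationModule')
        foreach ($m in $wif) { if ($names -notcontains $m) { $findings.Add("module $m missing") } }
        if ($names.Count -ge 2 -and ($names[0] -ne $wif[0] -or $names[1] -ne $wif[1])) {
            $findings.Add('WIF modules are not the first two <add> entries in <modules>')
        }
    }
    return $findings
}

$result = @(Test-RDWebSsoConfig)
if ($result.Count -eq 0) { 'web.config checks passed' } else { $result }
```

Run it after saving web.config and before the tests in the next section: an empty result means the file matches the page; any line that is not a WARN points at the step to revisit.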

Test the RDWeb SSO configuration

Follow the steps below to verify that you have successfully configured RDWeb for SSO through CyberArk Identity.

To test SP-initiated SSO

  1. Open the RD Web Access Server page URL. CyberArk Identity appears.

  2. Authenticate as a user who has access to RDWeb.

  3. Once authenticated, you can view and launch available applications.

To test IdP-initiated SSO

  1. Log in to CyberArk Identity user portal as a user who has access to RDWeb.

  2. Launch the RDWeb app.

  3. Once authenticated, you can view and launch available applications.