SSO Setup for Cloud Sites

Applies To

  • UniversitySite Cloud (not behind-the-firewall installations)

Intended Audience

  • Profiscience
  • System administrators

Background

This document provides an overview of Single Sign-On (SSO) for UniversitySite Cloud: how it works, how to install it, and how to make use of it. The SSO component is a single-page website installed on a web server inside the customer's network.

Time Commitment

On average, it takes about 10 minutes to set up SSO once the server requirements listed below are satisfied.

Authentication Process Overview 

(also see diagram at bottom)

  1. The client requests a UniversitySite resource.
  2. UniversitySite detects that the user is not logged in.
  3. UniversitySite determines whether SSO is enabled.
  4. UniversitySite sends the client to the SSO server, appending the originally requested resource to the URL as ?ReturnUrl=x.
  5. The SSO server authenticates the user in the client's environment using Windows authentication.
  6. The SSO server performs an HTTP POST to UniversitySite with two form parameters: TOKEN, an AES-encrypted value containing the username, and URL, the value of the ReturnUrl query-string parameter that was passed to the SSO page. The SSO.KEY value in the SSO server's web.config is used to encrypt the SSO ticket.
  7. UniversitySite decrypts the token. If decryption succeeds, the username is extracted and the user is logged in, provided the username exists in UniversitySite's database as an active, valid user.
  8. Finally, the user is redirected to the originally requested resource.

Security Measures

  • Everything communicated between the SSO server and UniversitySite is AES-256 encrypted
  • The TOKEN is sent as a form parameter rather than in the query string, so it is not persisted in web server logs
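The following is an added example, not Profiscience's SSO code: a PowerShell model of steps 5 through 8 of the overview and of the two security measures above, written with the same .NET crypto classes an ASP.NET page would use. The page does not document the real token format, so the block assumes AES-256 in CBC mode with PKCS7 padding, a fresh random IV prepended to the ciphertext, a UTF-8 username, and base64 encoding of the whole token (the same shape as the SSO.KEY setting). The function names, the sample usernames and the ReturnUrl check are all constructed for the example.

```powershell
# Added example, not Profiscience's SSO code. Assumptions: AES-256-CBC, PKCS7 padding,
# random IV prepended to the ciphertext, UTF-8 username, base64 token encoding.

function New-SsoKey {
    # Fresh 256-bit key, base64-encoded like the SSO.KEY appSetting in web.config
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey()
    $key = [Convert]::ToBase64String($aes.Key)
    $aes.Dispose()
    return $key
}

function New-SsoAes([string]$KeyBase64) {
    # Shared cipher setup for both the SSO server and the UniversitySite side
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = [Convert]::FromBase64String($KeyBase64)
    return $aes
}

function Protect-SsoToken([string]$Username, [string]$KeyBase64) {
    # SSO server side (step 6): encrypt the Windows username into the TOKEN form field
    $aes = New-SsoAes $KeyBase64
    $aes.GenerateIV()                                   # never reuse an IV under one key
    $plain = [Text.Encoding]::UTF8.GetBytes($Username)
    $enc = $aes.CreateEncryptor()
    $cipher = $enc.TransformFinalBlock($plain, 0, $plain.Length)
    $token = [Convert]::ToBase64String([byte[]]($aes.IV + $cipher))
    $enc.Dispose(); $aes.Dispose()
    return $token
}

function Unprotect-SsoToken([string]$Token, [string]$KeyBase64) {
    # UniversitySite side (step 7): returns the username, or $null when the token is
    # malformed or does not decrypt cleanly under SSO.KEY
    try {
        $bytes = [Convert]::FromBase64String($Token)
        if ($bytes.Length -lt 32) { return $null }      # 16-byte IV + at least one block
        $aes = New-SsoAes $KeyBase64
        $aes.IV = [byte[]]$bytes[0..15]
        $dec = $aes.CreateDecryptor()
        $plain = $dec.TransformFinalBlock($bytes, 16, $bytes.Length - 16)
        $dec.Dispose(); $aes.Dispose()
        return [Text.Encoding]::UTF8.GetString($plain)
    } catch {
        return $null                                    # wrong key or altered bytes -> padding error
    }
}

function Test-SsoLogin([string]$Token, [string]$ReturnUrl, [string]$KeyBase64, [string[]]$ActiveUsers) {
    # Steps 7-8: decrypt, require an active user, then redirect.
    # The ReturnUrl check is an added hardening assumption: step 4 only ever sends a path
    # on UniversitySite, so anything that is not a local path is refused.
    $user = Unprotect-SsoToken $Token $KeyBase64
    if (-not $user) { return 'REJECT: token did not decrypt under SSO.KEY' }
    if ($ActiveUsers -notcontains $user) { return "REJECT: '$user' is not an active UniversitySite user" }
    if ($ReturnUrl -notmatch '^/(?![/\\])') { return 'REJECT: ReturnUrl is not a local path' }
    return "LOGIN $user -> $ReturnUrl"
}

# Demo with constructed values: one shared key, two active users
$key    = New-SsoKey
$active = @('jsmith', 'aperez')
$token  = Protect-SsoToken 'jsmith' $key
Test-SsoLogin $token '/Courses/Catalog.aspx' $key $active              # valid token under the shared key
Test-SsoLogin (Protect-SsoToken 'jsmith' (New-SsoKey)) '/' $key $active  # minted under a different key
Test-SsoLogin (Protect-SsoToken 'bwayne' $key) '/' $key $active          # decrypts, but not an active user
```

In this assumed construction, "decryption is successful" means the PKCS7 padding validated; a token produced under the wrong key almost always fails there, and the rare one that happens to pad correctly yields a garbled username that the active-user lookup rejects. An authenticated mode (AES-GCM where the .NET version offers it) makes that tamper check explicit rather than relying on padding and the database lookup.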

Potential Gotchas

  • SSO is not supported on Windows 2003
  • SSO is not supported with IE8

Supported Operating systems

  • Windows Server 2008 R1
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2

Supported Browsers

  • Internet Explorer 9 or newer

Server Requirements

Windows Server 2008 R2

  • RAM: 2GB or greater
  • Processor speed: 2hz or better
  • Install Internet Explorer 9 or higher
  • Install Microsoft .NET Framework 4.5.1
  • Use Server Manager to add Role: "Web Server (IIS)"
  • Use Server Manager to add Role Service: "Web Server (IIS)/Web Server/Application Development/ASP.NET"

Windows Server 2012

  • RAM: 2GB or greater
  • Processor speed: 2hz or better
  • Use Server Manager to add Role: "Web Server (IIS)"
  • Use Server Manager to add Role Service: "Web Server (IIS)/Web Server/Application Development/ASP.NET 4.5"

SSO Installation on server hosted by Customer

  1. Install IIS as shown below (run appwiz.cpl)
  2. Download the SSO app (Also contains the User Sync)
  3. Unzip the contents of UniversitySiteSSO in folder c:\inetpub\wwwroot\UniversitySiteSSO
  4. Launch IIS Manager
  5. Create an App Pool named UniversitySiteSSO for use with this app
  6. Set its .NET CLR version to v4.x
  7. Set its Managed pipeline mode to Classic
  8. Under Advanced Settings, change Start Mode to 'Always Running'
  9. AppPools
  10. In IIS, convert the UniversitySiteSSO folder to an Application
  11. Disable Anonymous Authentication and enable Windows Authentication
  12. Browse to http://localhost/UniversitySiteSSO/default.aspx to check for errors. Success is indicated by the display of the currently logged-in user's network alias
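As an added example (not Profiscience's installer), the block below scripts steps 4 through 12 with the IIS WebAdministration module, run from an elevated PowerShell on the SSO host after the Web Server (IIS) role and ASP.NET role service from the requirements above are installed. It assumes the app is placed under the default IIS site ("Default Web Site") and that the Windows Authentication role service (feature name Web-Windows-Auth) is present; without it the windowsAuthentication section does not exist and step 11 fails.

```powershell
# Added example, not Profiscience's installer. Assumes 'Default Web Site' and that the
# IIS Windows Authentication role service is installed. Run elevated.
Import-Module WebAdministration

$poolName = 'UniversitySiteSSO'
$siteName = 'Default Web Site'                       # assumption: the default IIS site
$appPath  = 'C:\inetpub\wwwroot\UniversitySiteSSO'   # where step 3 unzipped the app

# Steps 5-8: app pool on CLR v4.0 (the runtime for .NET 4.5.1), Classic pipeline, Always Running.
# startMode is an IIS 8+ (Windows Server 2012) property; on IIS 7.5 it requires the
# Application Initialization module.
if (-not (Test-Path "IIS:\AppPools\$poolName")) { New-WebAppPool -Name $poolName | Out-Null }
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedRuntimeVersion -Value 'v4.0'
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedPipelineMode   -Value 'Classic'
Set-ItemProperty "IIS:\AppPools\$poolName" -Name startMode             -Value 'AlwaysRunning'

# Step 10: turn the unzipped folder into an IIS application running in that pool
if (-not (Get-WebApplication -Site $siteName -Name $poolName)) {
    New-WebApplication -Name $poolName -Site $siteName -PhysicalPath $appPath -ApplicationPool $poolName | Out-Null
}

# Step 11: anonymous off, Windows (Integrated) authentication on, scoped to this app only
$authBase = '/system.webServer/security/authentication'
$location = "$siteName/$poolName"
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location -Filter "$authBase/windowsAuthentication"   -Name enabled -Value $true

# Step 12: the page should echo the caller's network alias. -UseDefaultCredentials sends the
# current Windows identity so the request is negotiated rather than anonymous.
try {
    $resp = Invoke-WebRequest -Uri "http://localhost/$poolName/default.aspx" -UseDefaultCredentials -UseBasicParsing
    if ($resp.Content -match [regex]::Escape($env:USERNAME)) {
        "SSO page OK: responded with alias $env:USERNAME"
    } else {
        "SSO page answered $($resp.StatusCode) but did not show the alias; see Troubleshooting"
    }
} catch {
    "SSO page request failed: $($_.Exception.Message); see Troubleshooting"
}
```

Invoke-WebRequest needs PowerShell 3.0 or later, which Windows Server 2012 ships with; on 2008 R2 install Windows Management Framework 3.0 first or perform step 12 in the browser as written.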

Setup for SSO in UniversitySite

NOTE: This portion should be done by Profiscience in your cloud site unless you already have a login and administrator rights in UniversitySite. Daniel will help you do this.

  1. Log in to UniversitySite, then navigate to Admin Tools / System Configuration / Login Settings
  2. Select “Use UniversitySite SSO”
  3. Add the URL of the SSO server that will be hosted behind the customer’s firewall (e.g. //InternalCompanyServer/UniversitySiteSSO/default.aspx).
  4. Click Copy KEY 
  5. Paste the KEY into the “SSO.KEY” value in c:\inetpub\wwwroot\UniversitySiteSSO\web.config, so that the file looks like this:

     <?xml version="1.0"?>
     <configuration>
       <appSettings>
         <!-- This is an example key only, do NOT use for your own install -->
         <add key="SSO.KEY" value="5AVXc3vE8sB70Vf9Z/AgtGennusVj4R2Av3eVIFq3Jk="/>
       </appSettings>
       <system.web>
         <compilation targetFramework="4.5.1"/>
       </system.web>
     </configuration>

Additional Configuration if using SharePoint Learning Kit

The page viewer web parts that load inside an iframe in SharePoint must use Internet Explorer's Local intranet zone for SSO to occur, so it may be necessary to push out a change to user desktops that adds the hosted UniversitySite URL (e.g. https://yourdomainname.universitysite.com) to the Local intranet zone. If this is not done, Internet Explorer may prompt users for a login when they open SharePoint pages that contain page viewer web parts.

If this change cannot be accommodated, your DNS administrator may be able to create a DNS alias that is already recognized as part of the Local intranet zone. For example, an alias such as universitySite.yourdomainname.com could be set up to resolve to yourdomainname.universitysite.com. Note that the URL you use must resolve to UniversitySite both from behind your firewall and from outside it in order to support mobile user access.
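The block below is an added example, not Profiscience's tooling, of the per-user registry change that places the hosted UniversitySite hostname in Internet Explorer's Local intranet zone, which is what a pushed desktop change would do. It uses the page's placeholder hostname; the registry layout (ZoneMap\Domains\<domain>\<subdomain> with a DWORD named after the scheme, value 1 for Local intranet) is Internet Explorer's documented zone-map format, and the label splitting assumes a three-label hostname.

```powershell
# Added example, not Profiscience's tooling: put the hosted UniversitySite host into IE's
# Local intranet zone (zone id 1) for the current user. Placeholder hostname from the page.
$hostName = 'yourdomainname.universitysite.com'

$labels = $hostName.Split('.')
if ($labels.Count -lt 3) { throw 'expected a hostname of the form host.domain.tld' }
$domain = ($labels[-2..-1]) -join '.'                     # universitysite.com
$sub    = ($labels[0..($labels.Length - 3)]) -join '.'    # yourdomainname
$path   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$sub"

# IE keys each zone assignment by scheme; UniversitySite Cloud is served over https
New-Item -Path $path -Force | Out-Null
New-ItemProperty -Path $path -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null

# Read it back: anything other than 1 means IE still treats the site as Internet zone
$zone = (Get-ItemProperty -Path $path -Name 'https').https
"https://$hostName is in IE zone $zone (1 = Local intranet)"
```

If your domain enforces zone assignments through the Group Policy "Site to Zone Assignment List", that policy takes precedence over per-user entries, and the hostname should be added there instead.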

Troubleshooting

  • If the app pool is not assigned .NET 4.5.1 but a different version, you will get an error message that references the .NET Framework version
  • If the app pool is not set to run in Classic mode, you will get an error referencing classic mode
  • If anonymous access has not been removed and Windows authentication enabled in IIS, you will be prompted to log in or get an authentication error
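As an added example (not Profiscience's tooling), the function below reads back the three IIS settings the troubleshooting bullets above depend on and reports which one is off, so the symptom can be matched to its cause before opening the page. It assumes the app was created as "UniversitySiteSSO" under "Default Web Site"; pass different names if your layout differs.

```powershell
# Added example, not Profiscience's tooling: check the three settings behind the
# Troubleshooting bullets. Assumes 'Default Web Site' / 'UniversitySiteSSO' by default.
Import-Module WebAdministration

function Test-SsoHostConfig {
    param([string]$SiteName = 'Default Web Site', [string]$AppName = 'UniversitySiteSSO')
    $problems = @()

    $app = Get-WebApplication -Site $SiteName -Name $AppName
    if (-not $app) { return @("'$SiteName/$AppName' is not an IIS application (installation step 10)") }
    $poolName = $app.applicationPool
    $pool = Get-Item "IIS:\AppPools\$poolName"

    # Bullet 1: wrong CLR version -> error referencing the .NET Framework version
    if ($pool.managedRuntimeVersion -ne 'v4.0') {
        $problems += "App pool '$poolName' runs CLR '$($pool.managedRuntimeVersion)', expected v4.0 (.NET 4.5.1)"
    }
    # Bullet 2: Integrated pipeline -> error referencing classic mode
    if ($pool.managedPipelineMode -ne 'Classic') {
        $problems += "App pool '$poolName' pipeline is '$($pool.managedPipelineMode)', expected Classic"
    }
    # Bullet 3: anonymous still on, or Windows auth off -> login prompt or authentication error
    $location = "$SiteName/$AppName"
    $authBase = '/system.webServer/security/authentication'
    $anon = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location -Filter "$authBase/anonymousAuthentication" -Name enabled
    $win  = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location -Filter "$authBase/windowsAuthentication"   -Name enabled
    if ($anon.Value)      { $problems += "Anonymous authentication is still enabled on $location" }
    if (-not $win.Value)  { $problems += "Windows authentication is disabled on $location" }

    if ($problems.Count -eq 0) { return @('All three SSO host settings are as the installation steps require') }
    return $problems
}

Test-SsoHostConfig
```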

SSO Diagram

Read from the bottom up, starting with Step 1, then Step 2, then Step 3.
